SVF Design
The SVF framework is developed on top of LLVM compiler. As shown in the following figure, the source code of a program is first compiled using clang into bit-code files, which are then merged together using LLVM Gold Plugin at link time stage (LTO) to produce a whole-program bc file. Then interprocedural pointer analysis is performed to produce the points-to information required for constructing a memory SSA form so that the def-use chains for both top-level and address-taken variables are identified. The generated value-flow information can be used to support a range of application clients, such as memory leak detection and null pointer detection. The value-flows can also be used to bootstrap more precise pointer analysis so that their precision can be both improved in an iterative manner.
Our design separates a pointer analysis implementation into three loosely coupled components i.e. graph, rule, and solver as shown in the figure. graph is a higher-level abstraction extracted from LLVM IR, indicating where the pointer analysis algorithm should be performed; rule defines how to derive each constraint on the graph; solver determines in what processing order those constraints are resolved. SVF provides clean and reusable interfaces for users to write their own pointer analysis implementation by combining the three components in a flexible way.
##Value-Flow Construction Based on the points-to information, we first perform a light-weight Mod-Ref Analysis to capture inter-procedural reference and modification side-effects of program variables. Given the mod-ref results and points-to information, the indirect uses and defs at stores, loads and callsites in each procedure are annotated using alias set, which represents a set of abstract memory objects may be indirectly accessed. Unlike intra memory SSA in Open64 and GCC, which compute alias sets of local variables according to intra-procedural pointer analysis and group non-local variables into a single alias set. Mem Region Partition module in SVF provides a flexible ways to allow users to write their own algorithms for partitioning alias sets with inter-procedural side-effects being considered, so that efficiency and precision trade-offs can be made for analyzing large programs.