Implementation

Abstract

The building blocks of a static analyser for a programming language resemble those of an interpreter or virtual machine, except that the operations performed for each program statement are expressed in terms of the abstract domain rather than the concrete store. While implementing the semantics of a program statement in the context of an interpreter is a clear-cut task, implementing the semantics in the context of a static analysis provides a plethora of possibilities, partly because it involves a trade-off between precision, efficiency, and simplicity of implementation, the latter possibly affecting the correctness. The design of the analysis presented in the last chapter is the result of trying several approaches, including a staged approach in which an off-the-shelf points-to analysis is run on the code [99] before a constraint system is deduced, which is then solved using polyhedral operations. This approach is similar to that of Wagner [184] and shares the inability to generate precise constraints for pointer dereferences since the offset of a pointer is not known until the constraint system is solved. The idea behind the analysis presented is therefore to generate the operations that manipulate polyhedra by determining which fields a pointer may access. Thus, manipulating polyhedra is interleaved with querying the range of certain variables in the polyhedron in order to derive the next polyhedral operation. While this approach leads to more complex transfer functions, it seems like the only viable approach to a precise analysis.