CG-FSPTA: Flow-Sensitive Pointer Analysis

• The paper introduces CG-FSPTA, a scalable, flow-sensitive pointer analysis approach that reformulates traditional CFG methods into a constraint graph with variable nodes.
• It employs selective versioning for address-taken variables and annotates edges with control-flow indices to maintain def-use chains and support strong update semantics.
• Empirical results show a 33% reduction in memory usage and a 7× speedup in analysis time compared to conventional techniques, ensuring efficiency without sacrificing precision.

CG-FSPTA (Constraint Graph–based Flow-Sensitive Pointer Analysis) is an efficient Andersen-style approach to flow-sensitive pointer analysis designed to overcome the computational inefficiencies of traditional control-flow-graph-based methods. CG-FSPTA introduces a Flow-Sensitive Constraint Graph (FSConsG) that combines the precision of program-point-specific information with the scalability of set-constraint resolution, significantly improving both memory usage and execution time while maintaining analytic precision in large software systems.

1. Foundations and Motivation

Conventional flow-sensitive pointer analyses utilize control flow graphs (CFGs) or specialized value-flow graphs (SVFGs) to maintain accurate points-to information that varies at each program location. While precise, these frameworks suffer from high computational overhead—particularly in memory consumption and constraint propagation—due to the replication of statements and control flow meta-data across graph nodes and edges. CG-FSPTA addresses these limitations by reformulating the analysis problem as a constraint graph whose nodes represent individual variables (rather than CFG statements) and whose edges encode flow-sensitive pointer operations. This approach retains the flow sensitivity needed for applications such as alias analysis, taint tracking, and advanced compiler optimizations, while making the analysis scalable to large codebases.

2. Technical Formulation and Graph Construction

2.1 Flow-Sensitive Constraint Graph Structure

FSConsG is constructed as a directed graph where each node corresponds to one variable. Variable categories include:

• SSA-form top-level pointer variables: These require no versioning.
• Address-taken variables: Not in SSA form and require program-point-based versioning for preservation of flow sensitivity.

Edges denote pointer operations, translated from LLVM-IR instructions via conversion rules:

Instruction Type	Edge Construction	Annotation
Addr (p = &o)	o → p	None
Copy (q = p)	p → q	None
Gep (q = &p.fld)	p → q	Field information
Store (*p = q)	q → version(o)	CFG index ℓᵢ
Load (q = *p)	version(o) → q	CFG index ℓᵢ

Versioned nodes for address-taken variables are constructed when an indirect def-use chain is detected between store/load pairs in the program. Edges are annotated with control-flow indices, so each propagation of points-to information reflects def-use ordering, fully encoding the data-flow semantics without requiring the explicit traversal of a CFG.

2.2 Solver Algorithms

The resolution procedure applies Andersen-style rules directly over FSConsG:

• For Addr edges: $\text{pts}(p) \leftarrow \text{pts}(p) \cup \{o\}$
• For Copy edges: $$\text{pts}(q) \leftarrow \text{pts}(q) \cup \text{pts}(p)$$
• For Gep edges: $$\text{pts}(q) \leftarrow \text{pts}(q) \cup \{o.\text{fld} \mid o \in \text{pts}(p)\}$$

Store and load edges are processed using the relevant versioned node, determined by the CFG index. On encountering a store at program point $\ell_i$, for each $o \in \text{pts}(v)$, the algorithm locates $o_{\ell_i}$ and adds a Copy edge from $u$ to $o_{\ell_i}$. Corresponding load operations propagate information similarly.

Graph simplification procedures such as cycle elimination (Nuutila/Tarjan) and folding minimize redundant propagation, optimizing both storage and solve time.

3. Efficiency and Precision Guarantees

CG-FSPTA maintains full flow-sensitive precision. Every versioned address-taken variable in FSConsG exactly reproduces the def-use chains—and therefore the points-to sets—present in SVFG-based analyses. Strong update semantics are respected: points-to sets are emptied under strong update conditions, and edge annotations ensure that propagation advances in control-flow order.

Efficiency stems from two factors:

• The FSConsG avoids the redundant bundle of statements/edges present in CFG and SVFG representations, operating on atomic variables only.
• Selective versioning is restricted to address-taken variables with observed def-use chains, rather than versioning all variables or statements.

Empirical results indicate an average reduction of 33.05% in memory usage and an acceleration of 7.27× in overall analysis time compared to state-of-the-art (VSFS-based) flow-sensitive pointer analysis methods. The reduction in constraint count (by 33.91%) confirms that graph compactness is achieved without loss of analytical fidelity.

4. Application Domains

CG-FSPTA’s design enables its use in diverse static analysis and optimization contexts:

• Program Analysis and Verification: Accurate resolution of aliasing and propagation paths for security analyses and correctness proofs.
• Compiler Optimization: Efficient computation of points-to sets integrates with code motion, dead code elimination, and similar transformations.
• Software Security and Reliability: Detection of pointer hazards, use-after-free vulnerabilities, and memory leak risks is improved by the combination of strong update and granular flow sensitivity.

By recasting flow-sensitive analyses as a graph constraint problem, CG-FSPTA enables the development of future scalable frameworks that are both robust and precise for very large codebases.

5. Conclusions and Research Directions

CG-FSPTA demonstrates that flow-sensitive pointer analysis can attain efficiency and scalability comparable to flow-insensitive, set-constraint techniques, without loss of program-point precision. Its FSConsG construction, selective variable versioning, and edge-centric propagation enable tight control over computational costs. Memory usage and runtime improvements, validated by empirical benchmarks, indicate its suitability for modern analysis pipelines.

Potential areas for further development include:

• Generalization to other languages and intermediate representations.
• Integration with advanced graph simplification and dynamic update scheduling.
• Application of machine learning to prioritize high-impact edges or nodes.
• Extension to interprocedural and lazy (on-demand) analysis modalities for massive software projects.

CG-FSPTA establishes a theoretical and practical foundation for efficient yet precise flow-sensitive pointer analysis, facilitating scalable static analysis and security verification for next-generation programming languages and compilers (Zhang et al., 4 Aug 2025).