Abstract:An important dimension of pointer analysis is field-Sensitive, which has been proven to effectively enhance the accuracy of pointer analysis results. A crucial area of research within field-Sensitive is Structure-Sensitive. Structure-Sensitive has been shown to further enhance the precision of pointer analysis. However, existing structure-sensitive methods cannot handle cases where an object possesses multiple structures, even though it's common for an object to have multiple structures throughout its lifecycle. This paper introduces MTO-SS, a flow-sensitive pointer analysis method for objects with multiple structures. Our observation is that it's common for an object to possess multiple structures throughout its lifecycle. The novelty of MTO-SS lies in: MTO-SS introduces Structure-Flow-Sensitive. An object has different structure information at different locations in the program. To ensure the completeness of an object's structure information, MTO-SS always performs weak updates on the object's type. This means that once an object possesses a structure, this structure will accompany the object throughout its lifecycle. We evaluated our method of multi-structured object pointer analysis using the 12 largest programs in GNU Coreutils and compared the experimental results with sparse flow-sensitive method and another method, TYPECLONE, which only allows an object to have one structure information. Our experimental results confirm that MTO-SS is more precise than both sparse flow-sensitive pointer analysis and TYPECLONE, being able to answer, on average, over 22\% more alias queries with a no-alias result compared to the former, and over 3\% more compared to the latter. Additionally, the time overhead introduced by our method is very low.

What problem does this paper attempt to address?

### What problem does this paper attempt to solve? This paper aims to solve the problem that existing structure - sensitive pointer analysis methods are unable to handle objects with multiple structures. Specifically: 1. **Pointer analysis of multi - structure objects**: - Existing structure - sensitive methods can only handle the situation where an object has one structure during its lifetime. In fact, an object often has multiple structures during its lifetime. For example, in C/C++, an object can change its structure through type conversion (such as `dynamic_cast`). - This limitation leads to inaccurate results when existing methods handle complex programs, especially in cases involving dynamic type conversion. 2. **Support for dynamic type conversion**: - Existing methods usually regard dynamic type conversion as a simple assignment operation, ignoring the impact of type conversion on pointer pointing. This will lead to incorrect pointer analysis results. - For example, when using `dynamic_cast` for type conversion, existing methods cannot correctly handle the change of pointer pointing, thus affecting the accuracy of the analysis. 3. **Improving the precision of pointer analysis**: - By introducing structure - flow - sensitivity, the paper proposes a new pointer analysis method MTO - SS, which can maintain the accuracy and integrity of object structure information at different program locations. - MTO - SS can not only handle static type conversion, but also handle dynamic type conversion caused by `dynamic_cast` in C++, thus improving the precision of pointer analysis. ### Specific improvements - **Weak update mechanism**: MTO - SS adopts a weak update mechanism to ensure that once an object has a certain structure, this structure will accompany the object throughout its lifetime and will not be easily deleted or overwritten. - **Structure - flow - sensitivity**: MTO - SS introduces structure - flow - sensitivity to ensure that the structure information of an object at different program locations is always accurate and complete. - **Experimental verification**: By evaluating on 12 large - scale programs in GNU Coreutils, compared with the fully sparse flow - sensitive method SPARSE and the TYPECLONE method that only allows an object to have a single type, MTO - SS can answer more no - alias alias queries on average, and the time cost is very low. ### Summary The main contribution of the paper is to propose a new pointer analysis method MTO - SS, which solves the limitations of existing methods in handling multi - structure objects and dynamic type conversion, and significantly improves the precision of pointer analysis.

Multi-structure Objects Points-to Analysis

Necessity and Capability of Flow, Context, Field and Quasi Path Sensitive Points-to Analysis

Points to analysis for partial call graph construction

Probabilistic pointer analysis for multithreaded programs

Making k-Object-Sensitive Pointer Analysis More Precise with Still k-Limiting.

Efficient and Precise Points-to Analysis: Modeling the Heap by Merging Equivalent Automata

Kcpa: Towards Sensitive Pointer Full Life Cycle Authentication for OS Kernels

TsmartGP: a tool for finding memory defects with pointer analysis

Precise and Efficient Points-to Analysis via New Context-Sensitivity and Heap Abstraction.

Unification-based Pointer Analysis without Oversharing

The ART of Sharing Points-to Analysis (Extended Abstract)

Goshawk: Hunting Memory Corruptions Via Structure-Aware and Object-Centric Memory Operation Synopsis

Detecting Memory-Related Bugs by Tracking Heap Memory Management of C++ Smart Pointers

Scalable and Extensible Static Memory Safety Analysis with Summary over Access Path

Precision-guided Context Sensitivity for Pointer Analysis

Unifying Pointer Analyses for Polyglot Inter-operations through Summary Specialization

Making Pointer Analysis More Precise by Unleashing the Power of Selective Context Sensitivity.

Multi-sensitive static method of detecting null pointer dereference bug

A Principled Approach to Selective Context Sensitivity for Pointer Analysis

Thread-Sensitive Pointer Analysis for Inter-Thread Dataflow Detection.

Correlating Effectiveness of Pointer Analysis Techniques with Patterns in Embedded System Code