cclyzer++

cclyzer++ is a precise and scalable global pointer analysis for LLVM code. The output of cclyzer++ can be used for a variety of program analysis tasks, including:

• Creation of callgraphs with precise handling of indirect function calls and virtual method calls

• Precise inter-procedural control- and data-flow analysis

• Answering may-alias and must-not-alias queries

See the design documentation for further explanation and examples of the output of cclyzer++.

cclyzer++ is field- and array-sensitive, performs on-the-fly callgraph construction, and supports many different configurations of context-sensitivity including k-callsite sensitivity. It has subset-based (Andersen style) and unification-based (Steensgaard style) analyses. cclyzer++ is written in Soufflé Datalog, and so is highly parallel. cclyzer++ was derived from cclyzer.

Documentation is also available online.

cclyzer++ is actively developed and maintained by Galois, Inc.

Note

You may also want to peruse the Release Announcement and Visual Guide to Pointer Analysis blog posts.

Table of Contents

User Documentation

• Architecture
  • The Fact Generator
  • C++ Interface
• Changelog
  • next
  • v0.7.0 - 2022-11-02
  • v0.6.0 - 2022-10-27
  • v0.5.0 - 2022-10-21
  • v0.4.0 - 2022-10-21
  • v0.3 - 2022-10-12
  • v0.2 - 2022-10-07
  • v0.1 - 2022-10-04
• Analysis Design
  • Purpose
  • Introduction
  • Abstraction
  • An Aside on Assignments, Loads, and Stores
  • Array- and Field-Sensitivity
  • Context-Sensitivity
  • Heap Cloning
  • Type Back-Propagation
  • Undefined Behavior
• Docker
  • Obtaining Images
  • Rationale
• Analysis Implementation
  • Context-Sensitivity via Records
  • Unification-Based Analysis via Subsumption and Choice
  • Shared Code via Components
  • Project Files
  • Assertions
• Installation
• Overview
  • Notable Features
  • Language Support
  • Bibliography
  • Comparison to cclyzer
  • Project Status
  • Versioning
• Signatures
  • Kinds of Signatures
  • Examples
• Sources of Unsoundness
  • Suballocations and Type Back-Propagation
  • Language Coverage
  • Type-Based Heuristics
  • External Functions
• Usage
  • Configuring the Analysis
  • Running the Analysis

Developer Documentation

• Building
  • Build Dependencies
  • Configuring the Build
  • Building the Fact Generator
  • Building the C++ Interface
• Development
  • Running Tests
  • Cutting a Release
  • Naming Conventions
  • Debugging Regressions
  • Performance Tuning
• Legal

Indices and tables

• Index

• Module Index

• Search Page

Acknowledgments

This material is based upon work supported by the United States Air Force and Defense Advanced Research Project Agency (DARPA) under Contract No. FA8750-19-C-0004. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force or DARPA. Approved for Public Release, Distribution Unlimited.