cclyzer++: Scalable and Precise Pointer Analysis for LLVM

We are pleased to announce that Galois is open-sourcing cclyzer++, a new pointer analysis for languages that compile to LLVM, including C and C++. 

Pointer analysis is a foundational static analysis with applications to the problems of program optimization, verification, bug finding, and many others. At Galois, we designed cclyzer++ with two main use cases in mind. The first one is integration into higher-level program analysis tools that require the kind of precise reasoning about interprocedural data flows that can only be achieved through pointer analysis. In fact, cclyzer++ has already been integrated into Galois’ MATE tool. The second use case is a basis for research into innovative pointer analysis techniques. cclyzer++ is written in the high-level, declarative, open-source Soufflé language, and has fairly significant engineering effort behind it, including broad LLVM language support, tests, and documentation. We hope this effort will enable researchers to focus on conceptual advances and spend less time on infrastructure.

Notable features of cclyzer++ include:

  • Field- and array-sensitivity, flow-insensitivity
  • On-the-fly callgraph construction
  • Configurable context-sensitivity, including k-callsite, with configurable heap cloning
  • Both subset-based (Andersen style) and unification-based (Steensgaard style) analyses
  • Support for models of external/library functions
  • Online documentation, including documentation of the analysis design
  • Parallel evaluation due to implementation in Soufflé
  • C++ interface using native LLVM types
  • Tested on LLVM code up to LLVM 10
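
To make the subset-based versus unification-based distinction in the list above concrete, here is an added Python sketch; it is not cclyzer++ code (which is written in Soufflé), and the constraint tuples, `PROGRAM`, and function names are assumptions made for illustration. Both solvers are flow-insensitive and ignore fields and calling contexts.

```python
from collections import defaultdict

# Constructed input modelling: p = &a; q = &b; r = p; r = q
# Forms: ("addr",x,y) x=&y | ("copy",x,y) x=y | ("load",x,y) x=*y | ("store",x,y) *x=y
PROGRAM = [("addr", "p", "a"), ("addr", "q", "b"),
           ("copy", "r", "p"), ("copy", "r", "q")]

def andersen(cons):
    """Subset-based: pts(rhs) flows into pts(lhs) until a fixpoint."""
    pts, changed = defaultdict(set), True
    while changed:
        changed = False
        for kind, x, y in cons:
            if kind == "addr":
                new = {(x, y)}
            elif kind == "copy":
                new = {(x, o) for o in pts[y]}
            elif kind == "load":
                new = {(x, o) for t in pts[y] for o in pts[t]}
            else:  # store
                new = {(t, o) for t in pts[x] for o in pts[y]}
            for v, o in new:
                if o not in pts[v]:
                    pts[v].add(o)
                    changed = True
    return {v: s for v, s in pts.items() if s}

def steensgaard(cons):
    """Unification-based: each class has one pointee class; assignment merges."""
    parent, pointee = {}, {}
    def find(n):  # union-find root lookup (no path compression)
        while parent.setdefault(n, n) != n:
            n = parent[n]
        return n
    def target(n):  # pointee class of n, created on demand
        return find(pointee.setdefault(find(n), ("tmp", find(n))))
    def join(a, b):
        a, b = find(a), find(b)
        if a != b:
            parent[a] = b
            if a in pointee:  # merged classes must share a single pointee
                pa = pointee.pop(a)
                join(pa, pointee.setdefault(b, pa))
    for kind, x, y in cons:
        lhs = target(target(x)) if kind == "store" else target(x)
        rhs = y if kind == "addr" else target(target(y)) if kind == "load" else target(y)
        join(lhs, rhs)
    objs = {y for kind, _, y in cons if kind == "addr"}
    names = {n for _, x, y in cons for n in (x, y)}
    return {v: s for v in names if (s := {o for o in objs if find(o) == target(v)})}
```

On `PROGRAM`, the subset-based solver keeps `p` and `q` distinct, while unification merges `a` and `b` into one class as soon as `r` is assigned from both, so `p` and `q` each appear to point to both objects.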

To learn more about cclyzer++, check out this blog post which uses examples to visually illustrate the essence of cclyzer++. More information about cclyzer++ is available in the project documentation.

Note: cclyzer++ is licensed under the BSD 3-clause license and is based on the cclyzer project, which was authored by George Balatsouras and Yannis Smaragdakis and is MIT licensed. You can find a comparison between the two in the cclyzer++ documentation.