PtrTracker: Pragmatic Pointer Analysis
Static program analysis for bug detection in industrial C/C++ code faces many challenges. One of them is to analyze pointers and pointer-based data structures efficiently. While there has been much research into pointer analysis, either for compiler optimization or for verification tasks, neither of these classical categories is optimized for bug detection, where speed and precision matter most, but where soundness (no missed bugs) and completeness (no false positives) do not necessarily need to be guaranteed.
In this work we present a new pointer analysis tool for C/C++ code. The tool introduces the notion of heap graphs, which are inspired by shape analysis but avoid its computational overhead, at the price of giving up the soundness guarantees required for verification. We explain the underlying ideas and show that the approach lends itself to a fast, modular and incremental analysis, features that are essential for large code bases.
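To make the precision trade-off concrete, the following is an added toy example (not PtrTracker's heap graphs, not Goanna code, and not taken from the paper). It runs two use-after-free checkers over the same constructed straight-line program: a flow-insensitive points-to analysis that merges all assignments regardless of order, and a flow-sensitive one that tracks, statement by statement, which heap objects each variable may point to and which have been freed. The program shape, the operation names and the `oN` object identifiers are this example's own conventions; it handles straight-line code only, so no state joining at branches or loops is implemented.

```python
from collections import defaultdict

# Constructed toy IR: each statement is a tuple
#   ("alloc", x)      x = malloc(...)      fresh heap object named after the statement index
#   ("assign", x, y)  x = y
#   ("free", x)       free(x)
#   ("use", x)        *x                   a dereference we want to check

# Safe program: q is used before p is freed, and p is re-pointed to a new
# object before it is used again. A precise analysis should report nothing.
SAFE = [
    ("alloc", "p"),
    ("assign", "q", "p"),
    ("use", "q"),
    ("free", "p"),
    ("alloc", "p"),
    ("use", "p"),
]

# Buggy program: q aliases p, p is freed, then q is dereferenced.
BUGGY = [
    ("alloc", "p"),
    ("assign", "q", "p"),
    ("free", "p"),
    ("use", "q"),
]


def flow_insensitive(prog):
    """Andersen-style points-to ignoring statement order; returns indices of
    'use' statements that may touch a freed object."""
    pts = defaultdict(set)
    for i, st in enumerate(prog):
        if st[0] == "alloc":
            pts[st[1]].add(f"o{i}")
    changed = True
    while changed:  # propagate assignments to a fixpoint
        changed = False
        for st in prog:
            if st[0] == "assign":
                before = len(pts[st[1]])
                pts[st[1]] |= pts[st[2]]
                changed |= len(pts[st[1]]) != before
    freed = set()
    for st in prog:
        if st[0] == "free":
            freed |= pts[st[1]]
    return [i for i, st in enumerate(prog)
            if st[0] == "use" and pts[st[1]] & freed]


def flow_sensitive(prog):
    """Walk the statements in order, keeping a per-point map from variable to
    heap objects plus the set of freed objects (straight-line code only)."""
    pts = defaultdict(set)
    freed = set()
    reports = []
    for i, st in enumerate(prog):
        op = st[0]
        if op == "alloc":
            pts[st[1]] = {f"o{i}"}          # strong update: a fresh object
        elif op == "assign":
            pts[st[1]] = set(pts[st[2]])    # strong update: copy the target set
        elif op == "free":
            freed |= pts[st[1]]
        elif op == "use" and pts[st[1]] & freed:
            reports.append(i)
    return reports


if __name__ == "__main__":
    for name, prog in (("SAFE", SAFE), ("BUGGY", BUGGY)):
        print(name, "flow-insensitive:", flow_insensitive(prog),
              "flow-sensitive:", flow_sensitive(prog))
```

On SAFE the flow-insensitive checker reports both dereferences, because it cannot tell that `q` is used before the free or that `p` was re-assigned afterwards; the flow-sensitive checker reports none. On BUGGY both report the dereference at index 3, so the extra precision costs no recall on this input. Real code adds branches, loops and calls, which is where a fast but unsound analysis has to decide how much state to keep.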
To demonstrate the practicality of the solution we integrate the pointer analyzer into the C/C++ bug checking tool Goanna. We show that run-times of the new analyzer are close to compile times on large code bases and, most importantly, that the new solution reduces false positives and detects previously unknown pointer bugs in the Git source code.