├── 01.Course-Introduction.md
├── 02.Intermediate-Representation.md
├── 03.Data-Flow-Analysis-I.md
├── 04.Data-Flow-Analysis-II.md
├── 05.Data-Flow-Analysis-Foundations-I.md
├── 06.Data-Flow-Analysis-Foundations-II.md
├── 07.Interprocedural-Analysis.md
├── 08.Pointer-Analysis.md
├── 09.Pointer-Analysis-Foundations-I.md
├── 10.Pointer-Analysis-Foundations-II.md
├── 11.Pointer-Analysis-Context-Sensitivity-I.md
├── 12.Pointer-Analysis-Context-Sensitivity-II.md
├── 13.Static-Analysis-For-Security.md
├── 14.Datalog-Based-Program-Analysis.md
├── 15.IFDS.md
├── 16.Soundiness.md
├── README.md
├── picture
    ├── 1-1.png
    ├── 1-2.png
    ├── 1-3.png
    ├── 1-4.png
    ├── 1-5.png
    ├── 1-6.png
    ├── 1-7.png
    ├── 1-8.png
    ├── 10-1.png
    ├── 10-2.png
    ├── 10-3.png
    ├── 11-1.png
    ├── 11-2.png
    ├── 11-3.png
    ├── 11-4.png
    ├── 11-5.png
    ├── 11-6.png
    ├── 11-7.png
    ├── 12-1.png
    ├── 12-10.png
    ├── 12-11.png
    ├── 12-12.png
    ├── 12-13.png
    ├── 12-14.png
    ├── 12-15.png
    ├── 12-2.png
    ├── 12-3.png
    ├── 12-4.png
    ├── 12-5.png
    ├── 12-6.png
    ├── 12-7.png
    ├── 12-8.png
    ├── 12-9.png
    ├── 13-1.png
    ├── 13-10.png
    ├── 13-11.png
    ├── 13-12.png
    ├── 13-13.png
    ├── 13-14.png
    ├── 13-2.png
    ├── 13-3.png
    ├── 13-4.png
    ├── 13-5.png
    ├── 13-6.png
    ├── 13-7.png
    ├── 13-8.png
    ├── 13-9.png
    ├── 14-1.png
    ├── 14-10.png
    ├── 14-11.png
    ├── 14-12.png
    ├── 14-13.png
    ├── 14-14.png
    ├── 14-15.png
    ├── 14-16.png
    ├── 14-17.png
    ├── 14-18.png
    ├── 14-19.png
    ├── 14-2.png
    ├── 14-20.png
    ├── 14-21.png
    ├── 14-22.png
    ├── 14-3.png
    ├── 14-4.png
    ├── 14-5.png
    ├── 14-6.png
    ├── 14-7.png
    ├── 14-8.png
    ├── 14-9.png
    ├── 15-1.png
    ├── 15-10.png
    ├── 15-11.png
    ├── 15-12.png
    ├── 15-13.png
    ├── 15-14.png
    ├── 15-15.png
    ├── 15-16.png
    ├── 15-2.png
    ├── 15-3.png
    ├── 15-4.png
    ├── 15-5.png
    ├── 15-6.png
    ├── 15-7.png
    ├── 15-8.png
    ├── 15-9.png
    ├── 16-1.png
    ├── 16-10.png
    ├── 16-11.png
    ├── 16-12.png
    ├── 16-13.png
    ├── 16-2.png
    ├── 16-3.png
    ├── 16-4.png
    ├── 16-5.png
    ├── 16-6.png
    ├── 16-7.png
    ├── 16-8.png
    ├── 16-9.png
    ├── 2-1.png
    ├── 2-2.png
    ├── 2-3.png
    ├── 2-4.png
    ├── 2-5.png
    ├── 2-6.png
    ├── 2-7.png
    ├── 2-8.png
    ├── 2-9.png
    ├── 3-1.png
    ├── 3-10.png
    ├── 3-11.png
    ├── 3-12.png
    ├── 3-13.png
    ├── 3-3.png
    ├── 3-4.png
    ├── 3-5.png
    ├── 3-6.png
    ├── 3-8.png
    ├── 3-9.png
    ├── 4-1.png
    ├── 4-2.png
    ├── 4-3.png
    ├── 4-4.png
    ├── 4-5.png
    ├── 4-6.png
    ├── 4-7.png
    ├── 4-8.png
    ├── 5-1.png
    ├── 5-10.png
    ├── 5-11.png
    ├── 5-12.png
    ├── 5-13.png
    ├── 5-14.png
    ├── 5-15.png
    ├── 5-2.png
    ├── 5-3.png
    ├── 5-4.png
    ├── 5-5.png
    ├── 5-6.png
    ├── 5-7.png
    ├── 5-8.png
    ├── 5-9.png
    ├── 6-1.png
    ├── 6-10.png
    ├── 6-11.png
    ├── 6-2.png
    ├── 6-3.png
    ├── 6-4.png
    ├── 6-5.png
    ├── 6-6.png
    ├── 6-7.png
    ├── 6-8.png
    ├── 6-9.png
    ├── 7-1.png
    ├── 7-10.png
    ├── 7-11.png
    ├── 7-12.png
    ├── 7-13.png
    ├── 7-14.png
    ├── 7-2.png
    ├── 7-3.png
    ├── 7-4.png
    ├── 7-5.png
    ├── 7-6.png
    ├── 7-7.png
    ├── 7-8.png
    ├── 8-1.png
    ├── 8-10.png
    ├── 8-11.png
    ├── 8-12.png
    ├── 8-2.png
    ├── 8-3.png
    ├── 8-4.png
    ├── 8-5.png
    ├── 8-6.png
    ├── 8-7.png
    ├── 8-8.png
    ├── 8-9.png
    ├── 9-1.png
    ├── 9-2.png
    ├── 9-3.png
    ├── 9-4.png
    ├── 9-5.png
    ├── 9-6.png
    ├── 9-7.png
    └── 9-8.png
└── thinking.md


/01.Course-Introduction.md:
--------------------------------------------------------------------------------
 1 | - [Course Introduction](#head1)
 2 | 	- [PL and Static Analysis](#head2)
 3 | 	- [Why We Lean Static Analysis](#head3)
 4 | 	- [What is Static Analysis](#head4)
 5 | 	- [Static Analysis Features and Examples](#head5)
 6 | 		- [ soundness](#head6)
 7 | 		- [ 如何实现](#head7)
 8 | 		- [ 一个栗子](#head8)
 9 | 		- [ 精度与速度平衡](#head9)
10 | 	- [Teaching Plan](#head10)
11 | 	- [Evalution Criteria](#head11)
12 | # <span id="head1">Course Introduction</span>
13 | 
14 | 
15 | ## <span id="head2">PL and Static Analysis</span>
16 | 
17 | <img src="./picture/1-1.png"  width="615px" height="365px">
18 | 
19 | ## <span id="head3">Why We Lean Static Analysis</span>
20 | 
21 | 
22 | ## <span id="head4">What is Static Analysis</span>
23 | 
24 | <img src="./picture/1-2.png"  width="615px" height="365px">
25 | 
26 | Rice's theorem表示，静态分析对于一些有意义的分析，不能得出 exact answer  
27 | 
28 | ## <span id="head5">Static Analysis Features and Examples</span>
29 | 
30 | ### <span id="head6"> soundness</span>
31 | <img src="./picture/1-3.png"  width="615px" height="365px">
32 | 
33 | Rice's Theorem对于non-trivial properties不存在精确答案。所以就有了sound、complete两个概念。  
34 | 
35 | <img src="./picture/1-4.png"  width="615px" height="365px">
36 | 
37 | 因为不存在exact answer，所以有两个选择：
38 | - 妥协soundness，存在漏报
39 | - 妥协compeleness，存在误报
40 | 
41 | 静态分析一般的应用是compromise completeness的，及是sound的，可以有误报，但不能漏报。比如做一些bug的检测，宁可信其有，不可信其无，限定可能范围，排查错误。
42 | 
43 | ### <span id="head7"> 如何实现</span>
44 | 在技术上实现 : Abstraction + Over-approximation
45 | - Abstraction   抽象数据域
46 | - Over-approximation   
47 |   - Transfer functions 抽象数据在语句的转换
48 |   - Control flows 抽象数据在控制流上的转换  
49 | 
50 | ### <span id="head8"> 一个栗子</span>
51 | <img src="./picture/1-5.png"  width="615px" height="365px">
52 | <img src="./picture/1-6.png"  width="615px" height="365px">
53 | <img src="./picture/1-7.png"  width="615px" height="365px">
54 | 
55 | ### <span id="head9"> 精度与速度平衡</span>
56 | Static analysis:ensure(or get close to)soundness, while making good trade-offs between analysis precision and analysis speed.
57 | 
58 | 
59 | ## <span id="head10">Teaching Plan</span>
60 | 
61 | 
62 | ## <span id="head11">Evalution Criteria</span>
63 | <img src="./picture/1-8.png"  width="615px" height="365px">


--------------------------------------------------------------------------------
/02.Intermediate-Representation.md:
--------------------------------------------------------------------------------
 1 | - [Intermediate Representation](#head1)
 2 | 	- [Compilers and Static Analyzers](#head2)
 3 | 	- [AST vs. IR](#head3)
 4 | 	- [IR: Three-Address Code (3AC)](#head4)
 5 | 	- [3AC in Real Static Analyzer : Soot](#head5)
 6 | 	- [Static Single Assignment (SSA)](#head6)
 7 | 	- [Basic Blocks (BB)](#head7)
 8 | 	- [Control Flow Graphs (CFG)](#head8)
 9 | # <span id="head1">Intermediate Representation</span>
10 | 
11 | ## <span id="head2">Compilers and Static Analyzers</span>
12 | 
13 | <img src="./picture/2-1.png"  width="615px" height="365px">
14 | 
15 | ## <span id="head3">AST vs. IR</span>
16 | 
17 | <img src="./picture/2-2.png"  width="615px" height="365px">
18 | 
19 | ## <span id="head4">IR: Three-Address Code (3AC)</span>
20 | 
21 | <img src="./picture/2-3.png"  width="615px" height="365px">
22 | 
23 | <img src="./picture/2-4.png"  width="615px" height="365px">
24 | 
25 | ## <span id="head5">3AC in Real Static Analyzer : Soot</span>
26 | 
27 | ```
28 | Jvm中的四种调用，在Jvm中invokespecial对应Jimple中specialinvoke
29 | invokespecial:call constructor, call superclass methods, call private methods
30 | invokevirutal:instance methods (virtual dispatch,找真正执行的函数)
31 | invokeinterface: cannot optimization(不做一些优化), checking interface implementation(检查interface的函数是否实现)
32 | invokestatic:call static methods
33 | 
34 | Java 7:invokedynamic -> Java static typing,dynamic language runs on JVM.
35 | 
36 | clinit函数，类的静态成员的初始化
37 | ```
38 | 
39 | ## <span id="head6">Static Single Assignment (SSA)</span>
40 | 
41 | <img src="./picture/2-5.png"  width="615px" height="365px">
42 | 
43 | <img src="./picture/2-6.png"  width="615px" height="365px">
44 | 
45 | ## <span id="head7">Basic Blocks (BB)</span>
46 | 
47 | BB对于整个指令序列，单指令入口，单指令出口
48 | 
49 | <img src="./picture/2-8.png"  width="615px" height="365px">
50 | 
51 | ## <span id="head8">Control Flow Graphs (CFG)</span>
52 | 
53 | <img src="./picture/2-9.png"  width="615px" height="365px">
54 | 
55 | 再加上函数的Entry和Exit边
56 | 
57 | BB关系:Successor、predecessor
58 | 
59 | 


--------------------------------------------------------------------------------
/03.Data-Flow-Analysis-I.md:
--------------------------------------------------------------------------------
 1 | - [Data Flow Analysis I](#head1)
 2 | 	- [Overview of Data Flow Analysis](#head2)
 3 | 	- [Preliminaries of Data Flow Analysis](#head3)
 4 | 	- [Reaching Definitions Analysis](#head4)
 5 | 		- [Reaching Definitions的定义](#head5)
 6 | 		- [用bit vectors去表示是否可达](#head6)
 7 | 		- [Transfer function and Control flow](#head7)
 8 | 		- [ 算法](#head8)
 9 | 		- [ 栗子](#head9)
10 | 		- [ 为什么会最终不变](#head10)
11 | # <span id="head1">Data Flow Analysis I</span>
12 | 
13 | ## <span id="head2">Overview of Data Flow Analysis</span>
14 | <img src="./picture/3-1.png"  width="615px" height="365px">
15 | safe-approximation针对不同应用情况分为may analysis 或 must analysis。
16 | 
17 | ## <span id="head3">Preliminaries of Data Flow Analysis</span>
18 | <img src="./picture/3-3.png"  width="615px" height="365px">
19 | 
20 | 对于merge点进行meet operator，可以是union或intersection等集合操作
21 | 
22 | <img src="./picture/3-4.png"  width="615px" height="365px">
23 | 
24 | 对于数据流分析，可以顺着数据流方向分析，也可以逆向，看具体应用。
25 | 
26 | ## <span id="head4">Reaching Definitions Analysis</span>
27 | 
28 | ### <span id="head5">Reaching Definitions的定义</span>
29 | <img src="./picture/3-5.png"  width="615px" height="365px">
30 | 
31 | ### <span id="head6">用bit vectors去表示是否可达</span>
32 | <img src="./picture/3-6.png"  width="615px" height="365px">
33 | 
34 | ### <span id="head7">Transfer function and Control flow</span>
35 | <img src="./picture/3-9.png"  width="615px" height="365px">
36 | 
37 | - Transfer function
38 |   - gen ，在这表示生成的Def
39 |   - kill  ，在这表示新的定义
40 | - Control flow
41 | 	- 通过union操作，merge操作
42 | 
43 | <img src="./picture/3-8.png"  width="615px" height="365px">
44 | 
45 | 抽象的域是di的集合，是每一个指令是否能到达哪些BB。
46 | 
47 | 我的理解:对于kill，是可以kill掉后面的，这个可以理解为如果后面有一BB能goto当前BB的入口，则kill掉，如果没有，也不会影响。
48 | 
49 | ### <span id="head8"> 算法</span>
50 | 
51 | <img src="./picture/3-10.png"  width="615px" height="365px">
52 | 
53 | 这个迭代算法结构，可以应用到其他的算法中。
54 | 
55 | ### <span id="head9"> 栗子</span>
56 | <img src="./picture/3-11.png"  width="615px" height="365px">
57 | 
58 | - 我理解，一些细节注意的点
59 |    - 多次迭代，是对于for(each basic block B\entry)
60 |    - 对于每一个bb,gen、kill是固定的
61 |    - 为什么会变，因为(1)为前提，比如在B1->B2的merge，第一次是 0000 U OUT[B1]，而第二次的时候，B4的值不再是初始值，所以会变。进而导致OUT[B2]变化，进而影响后面的BB。但观察对于OUT[B4]后面会稳定到一个值(第二到第三次迭代)，IN[B2]稳定，进而，后续的稳定。
62 |    - 这种遍历方式，与编写程序会有一些理解上的差异，比如while的边，B4->B2的边，我不会再一次遍历中，重新更新B2。而是以下次迭代来表示这个循环。
63 | 
64 | <img src="./picture/3-13.png"  width="615px" height="365px">
65 | 
66 | ### <span id="head10"> 为什么会最终不变</span>
67 | <img src="./picture/3-12.png"  width="615px" height="365px">
68 | 对于一个BB，gen、kill是固定的，当有新facts的进入的分支(之前进来的为初始化vector，经过迭代后进来的新的)，对于OUT[S]的vector中1只增不减，是单调的。
69 | 
70 | 当所以fact经过多次迭代，都到达了IN[S]，则OUT[S]不会变了。
71 | 


--------------------------------------------------------------------------------
/04.Data-Flow-Analysis-II.md:
--------------------------------------------------------------------------------
 1 | - [Data Flow Analysis II](#head1)
 2 | 	- [Live Variables Analysis](#head2)
 3 | 		- [ 定义](#head3)
 4 | 		- [transfer func and control flow merge](#head4)
 5 | 		- [ 算法](#head5)
 6 | 		- [ 栗子](#head6)
 7 | 	- [Available Expressons Analysis](#head7)
 8 | 		- [ 定义](#head8)
 9 | 		- [transfer func and control flow merge](#head9)
10 | 		- [ 算法](#head10)
11 | 	- [ 三种算法对比](#head11)
12 | # <span id="head1">Data Flow Analysis II</span>
13 | 
14 | ## <span id="head2">Live Variables Analysis</span>
15 | ### <span id="head3"> 定义</span>
16 | <img src="./picture/4-1.png"  width="615px" height="365px">
17 | 
18 | 应用:determine whether the variable v in some register R is live.
19 | 
20 | ### <span id="head4">transfer func and control flow merge</span>
21 | <img src="./picture/4-2.png"  width="615px" height="365px">
22 | 
23 | ### <span id="head5"> 算法</span>
24 | <img src="./picture/4-3.png"  width="615px" height="365px">
25 | 
26 | 我的一些思考:
27 | - 为什么初始化是 for(each basic block B\exit) {IN[B]=Φ}
28 |   - 逆向求解，对于一个BB，merge是用后继的IN，求OUT[BB]。然后通过Transfer(OUT[BB]) = IN[BB]，所以我们需要的是所有BB的IN，才能获取前驱的OUT，所以初始化的是IN[B] = Φ。
29 | - 对于一个BB，正向与逆向merge位置的区别
30 |   - 对于每个BB，都有自己的IN、OUT。只有两个BB是彼此唯一的前驱或者后继，才会有直接前驱的OUT等于后继的IN。对于一个待求解的BB，当是多对一的时候，是通过merge这个近似操作，来做到前驱的OUT等于后继的IN(正向)。这个细节需要思考。
31 | 
32 | ### <span id="head6"> 栗子</span>
33 | <img src="./picture/4-4.png"  width="615px" height="365px">
34 | 
35 | 
36 | ## <span id="head7">Available Expressons Analysis</span>
37 | ### <span id="head8"> 定义</span>
38 | <img src="./picture/4-5.png"  width="615px" height="365px">
39 | 
40 | ### <span id="head9">transfer func and control flow merge</span>
41 | <img src="./picture/4-6.png"  width="615px" height="365px">
42 | 
43 | 注意右下角这种，对于avaliable expression的需求来说，虽然x被重新赋值，但是在c = ..这点，仍然满足需求，可以用之前该expression，用于该点。
44 | 
45 | ### <span id="head10"> 算法</span>
46 | <img src="./picture/4-7.png"  width="615px" height="365px">
47 | 
48 | must analyse的特点
49 | 
50 | - for(each basic block B\entry) {OUT[B] = U}，初始化为U，全部
51 | - merge 操作是intersection
52 | 
53 | 从需求上理解，对于当前BB，该expression可用，必须保证所有IN[BB]，都可用，才能达到safe-approximation，所以是intersection
54 | 
55 | ## <span id="head11"> 三种算法对比</span>
56 | <img src="./picture/4-8.png"  width="615px" height="365px">
57 | 
58 | 


--------------------------------------------------------------------------------
/05.Data-Flow-Analysis-Foundations-I.md:
--------------------------------------------------------------------------------
  1 | - [Data Flow Analysis - Foundations I](#head1)
  2 | 	- [Iterative Algorithm, Another View](#head2)
  3 | 	- [Partial Order](#head3)
  4 | 		- [ 偏序](#head4)
  5 | 	- [Upper and Lower Bounds](#head5)
  6 | 		- [ 定义](#head6)
  7 | 		- [ poset性质](#head7)
  8 | 	- [Lattice, Semilattce,Complete and Product Lattice](#head8)
  9 | 		- [ Lattice](#head9)
 10 | 		- [Complete Lattice](#head10)
 11 | 		- [Product Lattice](#head11)
 12 | 	- [Data Flow Analysis Framework Via Lattic](#head12)
 13 | 	- [Monotonicity and Fixed Point Theorem](#head13)
 14 | 		- [ 定义](#head14)
 15 | 		- [证明-Existence of fixed point](#head15)
 16 | 		- [证明-The fixed point is the least](#head16)
 17 | 		- [lattice 上数学运算与data analyse ](#head17)
 18 | 
 19 | # <span id="head1">Data Flow Analysis - Foundations I</span>
 20 | 
 21 | ## <span id="head2">Iterative Algorithm, Another View</span>
 22 | 
 23 | <img src="./picture/5-1.png"  width="615px" height="365px">
 24 | 
 25 | k-tuple抽象成每次迭代的输入输出
 26 | 
 27 | <img src="./picture/5-2.png"  width="615px" height="365px">
 28 | 
 29 | <img src="./picture/5-3.png"  width="615px" height="365px">
 30 | 
 31 | 三个问题:
 32 | - 算法迭代是否能停止，是否能有一个解
 33 | - 如果是，是否是唯一解，唯一不动点，是否是最好的
 34 | - 算法什么时候到达不动点，什么时候我们能得到一个解
 35 | 
 36 | 
 37 | ## <span id="head3">Partial Order</span>
 38 | 
 39 | ### <span id="head4"> 偏序</span>
 40 | <img src="./picture/5-4.png"  width="615px" height="365px">
 41 | 
 42 | <img src="./picture/5-5.png"  width="615px" height="365px">
 43 | 
 44 | 偏序关系意义，在集合中的任意一部分不一定需要满足偏序关系，如pin,sin之间并没有偏序关系
 45 | 
 46 | ## <span id="head5">Upper and Lower Bounds</span>
 47 | 
 48 | ### <span id="head6"> 定义</span>
 49 | 
 50 | <img src="./picture/5-6.png"  width="615px" height="365px">
 51 | 
 52 | upper bound不一定是subset S中，也可能是P中的。
 53 | 
 54 | ### <span id="head7"> poset性质</span>
 55 | 
 56 | <img src="./picture/5-7.png"  width="615px" height="365px">
 57 | 
 58 | 
 59 | 
 60 | ## <span id="head8">Lattice, Semilattce,Complete and Product Lattice</span>
 61 | ### <span id="head9"> Lattice</span>
 62 | <img src="./picture/5-8.png"  width="615px" height="365px">
 63 | 
 64 | 拓展:半格
 65 | 
 66 | 
 67 |  - 对于只有join存在, ∪ ，join semilattice
 68 |  - 对于只有meet存在,∩ ， meet semilattice
 69 | 
 70 | ### <span id="head10">Complete Lattice</span>
 71 | <img src="./picture/5-9.png"  width="615px" height="365px">
 72 | 
 73 | - lattice 是任意两个元素，complate lattice是任意subset
 74 | 
 75 | - complete lattice 不一定是finite lattice，比如0-1的之间的实数，存在bound，但是不是finite
 76 | 
 77 | ### <span id="head11">Product Lattice</span>
 78 | 
 79 | <img src="./picture/5-10.png"  width="615px" height="365px">
 80 | 
 81 | 对应迭代算法里的k-tuple
 82 | 
 83 | ## <span id="head12">Data Flow Analysis Framework Via Lattic</span>
 84 | 
 85 | <img src="./picture/5-11.png"  width="615px" height="365px">
 86 | 
 87 | ## <span id="head13">Monotonicity and Fixed Point Theorem</span>
 88 | 
 89 | ### <span id="head14"> 定义</span>
 90 | 
 91 | <img src="./picture/5-12.png"  width="615px" height="365px">
 92 | 
 93 | ### <span id="head15">证明-Existence of fixed point</span>
 94 | 
 95 | <img src="./picture/5-13.png"  width="615px" height="365px">
 96 | 
 97 | 因为是product lattice，所以有last upper bound或greatest lower bound，所以当单调递增到f(last upper bound)时，就会达到fix point。
 98 | 
 99 | ### <span id="head16">证明-The fixed point is the least</span>
100 | <img src="./picture/5-15.png"  width="615px" height="365px">
101 | 
102 | ### <span id="head17">lattice 上数学运算与data analyse </span>
103 | <img src="./picture/5-14.png"  width="615px" height="365px">


--------------------------------------------------------------------------------
/06.Data-Flow-Analysis-Foundations-II.md:
--------------------------------------------------------------------------------
  1 | - [Data Flow Analysis Foundations II](#head1)
  2 | 	- [Relate Iterative Algorithm to Fixed Point Theorem](#head2)
  3 | 		- [ 格与迭代算法对应](#head3)
  4 | 		- [ 证明迭代算法中F的monotonic](#head4)
  5 | 		- [ 什么时候到达fixed-point](#head5)
  6 | 	- [May/Must Analysis, A Lattice View](#head6)
  7 | 	- [Mop and Distributivity](#head7)
  8 | 		- [ mop定义](#head8)
  9 | 		- [ mop与迭代算法区别](#head9)
 10 | 	- [Constant Propagation](#head10)
 11 | 		- [非distributive的问题，must analysis](#head11)
 12 | 		- [ 问题映射到lattice上](#head12)
 13 | 	- [Worklist Algorithm](#head13)
 14 | # <span id="head1">Data Flow Analysis Foundations II</span>
 15 | 
 16 | ## <span id="head2">Relate Iterative Algorithm to Fixed Point Theorem</span>
 17 | 
 18 | ### <span id="head3"> 格与迭代算法对应</span>
 19 | 
 20 | <img src="./picture/6-1.png"  width="615px" height="365px">
 21 | 
 22 | 对应关系主要关注，对应fixed-point theorem：
 23 | - finite lattice( complete lattice)
 24 | - monotonic
 25 | 
 26 | 迭代算法的抽象:
 27 | - 由k个cfg中node对应的k-tuple生成格
 28 | - 对于迭代的F，分为
 29 |   - transfer function
 30 |   - control flow上的 merge操作
 31 | 
 32 | ### <span id="head4"> 证明迭代算法中F的monotonic</span>
 33 | <img src="./picture/6-2.png"  width="615px" height="365px">
 34 | 
 35 | - gen/kill fun是monotonic
 36 | 
 37 | - merge 的join是monotonic。(meet没证明)
 38 | 
 39 | ### <span id="head5"> 什么时候到达fixed-point</span>
 40 | 
 41 | <img src="./picture/6-3.png"  width="615px" height="365px">
 42 | 
 43 | 每一个node上的格，最多是该格的高度h。再加上k-tuple的k。生成格上为h*k
 44 | 
 45 | ## <span id="head6">May/Must Analysis, A Lattice View</span>
 46 | 
 47 | <img src="./picture/6-4.png"  width="615px" height="365px">
 48 | 
 49 | 通过Reaching Definition来理解may analysis，may analysis从bottom到top，对应从unsafe result到safe result，对与Reaching Definition来说unsafe result就是 no definitons can reach，这样的开始对于应用来说是不安全的(没有任何一个definitions可达，导致所有的变量都被提前释放)。然后向safe result(所有的都不释放)，approximate。
 50 | 
 51 | <img src="./picture/6-5.png"  width="615px" height="365px">
 52 | 
 53 | safe的范围，也就是sound的范围。
 54 | 
 55 | <img src="./picture/6-6.png"  width="615px" height="365px">
 56 | 
 57 | 用于理解may/must在格上
 58 | 
 59 | ## <span id="head7">Mop and Distributivity</span>
 60 | 
 61 | ### <span id="head8"> mop定义</span>
 62 | 
 63 | <img src="./picture/6-7.png"  width="615px" height="365px">
 64 | 
 65 | 
 66 | 
 67 | ### <span id="head9"> mop与迭代算法区别</span>
 68 | <img src="./picture/6-8.png"  width="615px" height="365px">
 69 | 
 70 | - 迭代算法精度小于mop
 71 | - F为可分配，则精度相同
 72 | - Bit-vector or Gen/Kill problems(set union/intersection for join/meet) are distributive
 73 | 
 74 | ## <span id="head10">Constant Propagation</span>
 75 | 
 76 | ### <span id="head11">非distributive的问题，must analysis</span>
 77 | 
 78 | ### <span id="head12"> 问题映射到lattice上</span>
 79 | 
 80 | <img src="./picture/6-9.png"  width="615px" height="365px">
 81 | 
 82 | 问题(围绕怎么把这个问题映射到lattice上的数学问题，且需要脱离之前讲的bit vector上与该问题的迁移的思想):
 83 | 
 84 | - finite lattice
 85 |   - UNDEF -∞ ... -1 0 1 ... +∞，这个是finite的吗？还是lattice的高度是finite的就可以?
 86 | - monotonic
 87 |   - transfer func、merge是单调的吗？
 88 | 
 89 | - UNDEF ∩ v = v 怎么理解?
 90 | - node上的vector数据结构表示，可以是{{V1:Z1},{V2:Z2},....{Vn:Zn}}，z ∈ { -∞ ... -1 0 1 ... +∞}吗？
 91 | 
 92 | <img src="./picture/6-10.png"  width="615px" height="365px">
 93 | 
 94 | - 不可分配
 95 | - mop更准
 96 | 
 97 | ## <span id="head13">Worklist Algorithm</span>
 98 | 
 99 | <img src="./picture/6-11.png"  width="615px" height="365px">
100 | 
101 | 优化掉迭代算法中没有input变化的BB


--------------------------------------------------------------------------------
/07.Interprocedural-Analysis.md:
--------------------------------------------------------------------------------
 1 | - [Interprocedural Analysis](#head1)
 2 | 	- [ Motivation](#head2)
 3 | 		- [Call Graph](#head3)
 4 | 	- [Call Graph Construction(CHA)](#head4)
 5 | 		- [Call Graph算法对比](#head5)
 6 | 		- [ Dispatch](#head6)
 7 | 			- [Java中的method invoke](#head7)
 8 | 			- [method signature](#head8)
 9 | 			- [virtual call dispatch](#head9)
10 | 		- [ CHA](#head10)
11 | 			- [ 定义](#head11)
12 | 			- [ Resolve](#head12)
13 | 			- [ 全程序算法](#head13)
14 | 	- [Interprocedural Control-Flow Graph](#head14)
15 | 		- [ 定义](#head15)
16 | 	- [Interprocedural Data-Flow Analysis](#head16)
17 | 		- [ 过程间分析组成](#head17)
18 | 		- [Interprocedural Constant Propagation](#head18)
19 | 			- [ 组成](#head19)
20 | 			- [ 栗子](#head20)
21 | # <span id="head1">Interprocedural Analysis</span>
22 | 
23 | ## <span id="head2"> Motivation</span>
24 | 
25 | ### <span id="head3">Call Graph</span>
26 | 
27 | <img src="./picture/7-2.png"  width="615px" height="365px">
28 | 
29 | 为了表达过程间分析，我们需要call graph
30 | 
31 | ## <span id="head4">Call Graph Construction(CHA)</span>
32 | 
33 | ### <span id="head5">Call Graph算法对比</span>
34 | <img src="./picture/7-3.png"  width="615px" height="365px">
35 | 
36 | ### <span id="head6"> Dispatch</span>
37 | 
38 | #### <span id="head7">Java中的method invoke</span>
39 | <img src="./picture/7-4.png"  width="615px" height="365px">
40 | 
41 | #### <span id="head8">method signature</span>
42 | <img src="./picture/7-5.png"  width="615px" height="365px">
43 | 
44 | #### <span id="head9">virtual call dispatch</span>
45 | <img src="./picture/7-6.png"  width="615px" height="365px">
46 | 
47 | ### <span id="head10"> CHA</span>
48 | 
49 | #### <span id="head11"> 定义</span>
50 | <img src="./picture/7-7.png"  width="615px" height="365px">
51 | 
52 | #### <span id="head12"> Resolve</span>
53 | <img src="./picture/7-8.png"  width="615px" height="365px">
54 | 
55 | 问题:
56 | - 对于special call，private instance method和constructor直接找到当前类的调用, superclass instance method 直接可以通过dispatch 当前类父。不太清楚为什么constructor是直接在当前类中调用的，应该是涉及到java构造函数的底层原理。
57 | - 对于virtual call是dispatch当前receiver类型及其后代类。
58 | ```
59 | 这部分如何去思考?
60 | C c = new XX()
61 | c可能是哪些类?
62 | (1)xx可能是c
63 |    1)m可能在当前类C中
64 |    2)m可能在当前类C的父类中
65 | (2)xx可能是c的子类
66 |    1)可能在子类X中
67 |    2)可能在子类X的父类中。
68 | 因为不考虑receiver接收的具体类，所以要考虑receiver的类，及其所有子类。
69 | ```
70 | 
71 | #### <span id="head13"> 全程序算法</span>
72 | <img src="./picture/7-10.png"  width="615px" height="365px">
73 | 
74 | ## <span id="head14">Interprocedural Control-Flow Graph</span>
75 | 
76 | ### <span id="head15"> 定义</span>
77 | <img src="./picture/7-11.png"  width="615px" height="365px">
78 | 
79 | 
80 | ## <span id="head16">Interprocedural Data-Flow Analysis</span>
81 | ### <span id="head17"> 过程间分析组成</span>
82 | <img src="./picture/7-12.png"  width="615px" height="365px">
83 | 
84 | ### <span id="head18">Interprocedural Constant Propagation</span>
85 | #### <span id="head19"> 组成</span>
86 | <img src="./picture/7-13.png"  width="615px" height="365px">
87 | 
88 | #### <span id="head20"> 栗子</span>
89 | <img src="./picture/7-14.png"  width="615px" height="365px">
90 | 问题:
91 | 
92 | - 为什保留call set到下条语句的边
93 |   - 是因为这条边用于传播当前函数的常量，免去当前函数中的local var 也通过control flow传递到不必要的函数调用中
94 | - 为什么先要kill掉函数调用的左值
95 |   - 如栗子中b = ten()，如果调用位置通过向下的边传递了b = 7，则与ten函数返回结果进行merge，变成了NAC，错误结果。
96 | 


--------------------------------------------------------------------------------
/08.Pointer-Analysis.md:
--------------------------------------------------------------------------------
 1 | - [Pointer Analysis](#head1)
 2 | 	- [ Motivation](#head2)
 3 | 	- [Introduction to Pointer Analysis](#head3)
 4 | 		- [Pointer Analysis 简述](#head4)
 5 | 		- [Pointer Analysis 和 Alias Analysis 的区别](#head5)
 6 | 		- [ 指针分析在静态分析地位](#head6)
 7 | 	- [Key Factors of Pointer Analysis](#head7)
 8 | 		- [Pointer Analysis的四个取舍要素](#head8)
 9 | 		- [Heap Abstraction](#head9)
10 | 			- [ 为什么堆抽象](#head10)
11 | 			- [Allocation-Site Abstraction](#head11)
12 | 		- [Context Sensitivity](#head12)
13 | 		- [Flow Sensitivity](#head13)
14 | 		- [Analysis Scope](#head14)
15 | 		- [ 课程涉及的特性](#head15)
16 | 	- [Concerned Statements](#head16)
17 | 		- [Pointer Analysis面向的指针类型](#head17)
18 | 		- [ Pointer Analysis面向的语句](#head18)
19 | # <span id="head1">Pointer Analysis</span>
20 | 
21 | ## <span id="head2"> Motivation</span>
22 | 
23 | <img src="./picture/8-1.png"  width="615px" height="365px">
24 | 
25 | 指针分析可以解决之前通过CHA导致的过多误报问题，因为我们可以通过指针分析的值n真正指向的对象。
26 | 
27 | ## <span id="head3">Introduction to Pointer Analysis</span>
28 | 
29 | ### <span id="head4">Pointer Analysis 简述</span>
30 | <img src="./picture/8-2.png"  width="615px" height="365px">
31 | 
32 | ### <span id="head5">Pointer Analysis 和 Alias Analysis 的区别</span>
33 | <img src="./picture/8-3.png"  width="615px" height="365px">
34 | 两者可以理解为两个域之间的映射关系，分为两个域：指针域、对象域。
35 | 
36 | -  Pointer Analysis问题为指针域指向对象域的问题，同一个指针指向了哪些对象。
37 | - Alias Analysis问题是对象域指向指针域的问题，同一个对象指向了哪些指针。
38 | 
39 | ### <span id="head6"> 指针分析在静态分析地位</span>
40 | Pointer analysis is one of the most fundamenal static program analyses, on which virtually others are built.
41 | 
42 | ## <span id="head7">Key Factors of Pointer Analysis</span>
43 | ### <span id="head8">Pointer Analysis的四个取舍要素</span>
44 | <img src="./picture/8-4.png"  width="615px" height="365px">
45 | 
46 | ### <span id="head9">Heap Abstraction</span>
47 | #### <span id="head10"> 为什么堆抽象</span>
48 | <img src="./picture/8-5.png"  width="615px" height="365px">
49 | 
50 | #### <span id="head11">Allocation-Site Abstraction</span>
51 | <img src="./picture/8-6.png"  width="615px" height="365px">
52 | 
53 | ### <span id="head12">Context Sensitivity</span>
54 | <img src="./picture/8-7.png"  width="615px" height="365px">
55 | 
56 | ### <span id="head13">Flow Sensitivity</span>
57 | <img src="./picture/8-8.png"  width="615px" height="365px">
58 | 
59 | ### <span id="head14">Analysis Scope</span>
60 | <img src="./picture/8-9.png"  width="615px" height="365px">
61 | 
62 | ### <span id="head15"> 课程涉及的特性</span>
63 | <img src="./picture/8-10.png"  width="615px" height="365px">
64 | 从这里可以大概感觉到对于多数静态分析，更贴近于工程中的问题，对于实现中的细节，没有一个完美统一的解决方案，都是在于各个要素的取舍
65 | 
66 | ## <span id="head16">Concerned Statements</span>
67 | 
68 | ### <span id="head17">Pointer Analysis面向的指针类型</span>
69 | <img src="./picture/8-11.png"  width="615px" height="365px">
70 | 对于array我们直接抽象成Instance field，不区分index
71 | 
72 | ### <span id="head18"> Pointer Analysis面向的语句</span>
73 | <img src="./picture/8-12.png"  width="615px" height="365px">
74 | 我们学习的时候，主要学习virtual call的分析，static call、special call比较简单。


--------------------------------------------------------------------------------
/09.Pointer-Analysis-Foundations-I.md:
--------------------------------------------------------------------------------
 1 | - [Pointer Analysis - Foundations I](#head1)
 2 | 	- [Pointer Analysis:Rules](#head2)
 3 | 		- [ 影响指针的statements](#head3)
 4 | 		- [Domains and Notations](#head4)
 5 | 		- [ Rule](#head5)
 6 | 	- [How to implement Pointer Analysis](#head6)
 7 | 		- [ PFG](#head7)
 8 | 		- [实现Pointer Analysis](#head8)
 9 | 	- [Pointer Analysis:Algorithms](#head9)
10 | # <span id="head1">Pointer Analysis - Foundations I</span>
11 | 
12 | ## <span id="head2">Pointer Analysis:Rules</span>
13 | 
14 | ### <span id="head3"> 影响指针的statements</span>
15 | <img src="./picture/9-1.png"  width="615px" height="365px">
16 | 
17 | ### <span id="head4">Domains and Notations</span>
18 | <img src="./picture/9-2.png"  width="615px" height="365px">
19 | 
20 | powerset of O，就是所有对象的所有子集组成的集合
21 | 
22 | ### <span id="head5"> Rule</span>
23 | <img src="./picture/9-3.png"  width="615px" height="365px">
24 | 
25 | 
26 | 
27 | ## <span id="head6">How to implement Pointer Analysis</span>
28 | 
29 | ### <span id="head7"> PFG</span>
30 | <img src="./picture/9-5.png"  width="615px" height="365px">
31 | 
32 | ### <span id="head8">实现Pointer Analysis</span>
33 | <img src="./picture/9-6.png"  width="615px" height="365px">
34 | 
35 | ## <span id="head9">Pointer Analysis:Algorithms</span>
36 | <img src="./picture/9-7.png"  width="615px" height="365px">
37 | 
38 | 


--------------------------------------------------------------------------------
/10.Pointer-Analysis-Foundations-II.md:
--------------------------------------------------------------------------------
 1 | - [Pointer Analysis with Method Calls](#head1)
 2 | 	- [call rule](#head2)
 3 | 	- [ 不加x到this](#head3)
 4 | 	- [Interprocedure Pointer Anaylsis Algorithm](#head4)
 5 | # <span id="head1">Pointer Analysis with Method Calls</span>
 6 | 
 7 | ## <span id="head2">call rule</span>
 8 | <img src="./picture/10-1.png"  width="615px" height="365px">
 9 | 
10 | ## <span id="head3"> 不加x到this</span>
11 | <img src="./picture/10-2.png"  width="615px" height="365px">
12 | 
13 | ## <span id="head4">Interprocedure Pointer Anaylsis Algorithm</span>
14 | ```
15 | AddEdge(s,t)
16 |    if s-> t ∉ PFG then
17 |        add s->t to PFG
18 |        if pt(s) is not empty then 
19 |            add<t,pt(s)> to WL
20 | ```
21 | <img src="./picture/10-3.png"  width="615px" height="365px">
22 | 


--------------------------------------------------------------------------------
/11.Pointer-Analysis-Context-Sensitivity-I.md:
--------------------------------------------------------------------------------
 1 | - [Pointer Analysis Context Sensitivity](#head1)
 2 | 	- [ Introduction](#head2)
 3 | 		- [Why Context Sensitivity](#head3)
 4 | 		- [Cloning-Based Context Sensitivity](#head4)
 5 | 		- [Why  Context-Sensitive Heap](#head5)
 6 | 		- [Context-Sensitive Heap](#head6)
 7 | 	- [Context Sensitive Pointer Analysis:Rules](#head7)
 8 | 		- [Domains and Notations](#head8)
 9 | 	- [ Rules](#head9)
10 | # <span id="head1">Pointer Analysis Context Sensitivity</span>
11 | 
12 | ## <span id="head2"> Introduction</span>
13 | 
14 | ### <span id="head3">Why Context Sensitivity</span>
15 | 
16 | <img src="./picture/11-1.png"  width="615px" height="365px">
17 | 
18 | ### <span id="head4">Cloning-Based Context Sensitivity</span>
19 | <img src="./picture/11-2.png"  width="615px" height="365px">
20 | 
21 | ### <span id="head5">Why  Context-Sensitive Heap</span>
22 | <img src="./picture/11-3.png"  width="615px" height="365px">
23 | 
24 | ### <span id="head6">Context-Sensitive Heap</span>
25 | <img src="./picture/11-4.png"  width="615px" height="365px">
26 | 
27 | ## <span id="head7">Context Sensitive Pointer Analysis:Rules</span>
28 | 
29 | ### <span id="head8">Domains and Notations</span>
30 | <img src="./picture/11-5.png"  width="615px" height="365px">
31 | 
32 | ## <span id="head9"> Rules</span>
33 | <img src="./picture/11-6.png"  width="615px" height="365px">
34 | <img src="./picture/11-7.png"  width="615px" height="365px">


--------------------------------------------------------------------------------
/12.Pointer-Analysis-Context-Sensitivity-II.md:
--------------------------------------------------------------------------------
 1 | - [Pointer Analysis Context Sensitivity II](#head1)
 2 | 	- [Context Sensitive Pointer Analysis : Algorithms](#head2)
 3 | 		- [ 定义](#head3)
 4 | 		- [ algorithms](#head4)
 5 | 	- [Context Sensitivity Variants](#head5)
 6 | 		- [Call-Site Sensitivity](#head6)
 7 | 			- [ 栗子](#head7)
 8 | 		- [Object Sensitivity](#head8)
 9 | 			- [ 栗子](#head9)
10 | 		- [Type Sensitivity](#head10)
11 | 		- [ 对比](#head11)
12 | 
13 | # <span id="head1">Pointer Analysis Context Sensitivity II</span>
14 | 
15 | ## <span id="head2">Context Sensitive Pointer Analysis : Algorithms</span>
16 | 
17 | ### <span id="head3"> 定义</span>
18 | <img src="./picture/12-1.png"  width="615px" height="365px">
19 | 
20 | ### <span id="head4"> algorithms</span>
21 | <img src="./picture/12-2.png"  width="615px" height="365px">
22 | 
23 | ```
24 | AddEdge(s,t)
25 |     if s -> t ∉ PFG then
26 |         add s -> t to PFG
27 |         if pt(s) is not empty then
28 |             add<t,pt(s)> to WL
29 | Propagate(n,pts)
30 |     if pts is not empty then
31 |         pt(n) ∪= pts
32 |        	foreach n->s ∈ PFG do
33 |        	    add <s,pts> to WL
34 | ```
35 | 
36 | 
37 | 
38 | ## <span id="head5">Context Sensitivity Variants</span>
39 | 
40 | <img src="./picture/12-3.png"  width="615px" height="365px">
41 | 
42 | ```
43 | context insensitivity可以看作是context sensitivity的特殊情况:
44 |  Select(c,l,c':oi,m) = [], 即所有的上下文都相等
45 | ```
46 | 
47 | ### <span id="head6">Call-Site Sensitivity</span>
48 | <img src="./picture/12-4.png"  width="615px" height="365px">
49 | <img src="./picture/12-5.png"  width="615px" height="365px">
50 | 对于Call-Site Sensitivity来说，如果存在递归，会导致上下文无穷长，无穷多，所以要限制上下文长度。
51 | 
52 | #### <span id="head7"> 栗子</span>
53 | <img src="./picture/12-6.png"  width="615px" height="365px">
54 | <img src="./picture/12-7.png"  width="615px" height="365px">
55 | <img src="./picture/12-8.png"  width="615px" height="365px">
56 | 从这个栗子里面，可以思考到一些点，其实context的有与无，其实就是该函数调用，被抽象成了相同的path还是不同的path。就是一个把path数据合并与分开的操作。
57 | 再比如对于for循环，每一次迭代，都可以分成不同的path，但是我们仍然可以选择合并、或是分开。
58 | 合并意味着牺牲精度，来满足速度，或是抽象无穷多的path来达到可以完成计算。
59 | 
60 | ### <span id="head8">Object Sensitivity</span>
61 | <img src="./picture/12-9.png"  width="615px" height="365px">
62 | 
63 | #### <span id="head9"> 栗子</span>
64 | <img src="./picture/12-10.png"  width="615px" height="365px">
65 | 
66 | 对于这个栗子，1 call-site context没办法区分两个调用
67 | 
68 | <img src="./picture/12-11.png"  width="615px" height="365px">
69 | 
70 | 从CG上来看
71 | 
72 | <img src="./picture/12-12.png"  width="615px" height="365px">
73 | 
74 | 对与这个栗子，1 object sensitivity不能区分
75 | 
76 | ### <span id="head10">Type Sensitivity</span>
77 | <img src="./picture/12-13.png"  width="615px" height="365px">
78 | <img src="./picture/12-14.png"  width="615px" height="365px">
79 | 对于与Object Sensitivity，性价比较高
80 | 
81 | ### <span id="head11"> 对比</span>
82 | <img src="./picture/12-15.png"  width="615px" height="365px">
83 | call-graph-edge越少，表示越精确(误报的边少)。
84 | may-fail-cast越高，精度越低。
85 | 有些调用并不需要cs，可以ci既能满足需求，具体读老师论文


--------------------------------------------------------------------------------
/13.Static-Analysis-For-Security.md:
--------------------------------------------------------------------------------
 1 | - [Static Analysis for Security](#head1)
 2 | 	- [Information Flow Security](#head2)
 3 | 		- [Access Control vs. Information Flow Security](#head3)
 4 | 		- [Security Levels](#head4)
 5 | 		- [Information Flow Policy](#head5)
 6 | 	- [Confidentiality and Integrity](#head6)
 7 | 		- [Confidentiality vs. Integrity](#head7)
 8 | 		- [Integrity, Broad Definition](#head8)
 9 | 	- [Explicit Flows and Covert Channels](#head9)
10 | 		- [Implicit Flow](#head10)
11 | 		- [Covert Channels](#head11)
12 | 	- [Taint Analysis](#head12)
13 | 		- [ 定义](#head13)
14 | 		- [ 解决confidentiality、Integrity](#head14)
15 | 		- [Taint 与Pointer Analysis结合](#head15)
16 | 		- [Domains and Notations](#head16)
17 | 		- [Taint Analysis Input & Output](#head17)
18 | 		- [Taint analysis:rule](#head18)
19 | 	- [ 其他](#head19)
20 | # <span id="head1">Static Analysis for Security</span>
21 | 
22 | ## <span id="head2">Information Flow Security</span>
23 | 
24 | ### <span id="head3">Access Control vs. Information Flow Security</span>
25 | <img src="./picture/13-1.png"  width="615px" height="365px">
26 | 通过两个行为，控制程序的安全性：对数据标记访问控制等级、通过信息流控制信息流动。点与端到端的控制。
27 | 
28 | ### <span id="head4">Security Levels</span>
29 | <img src="./picture/13-2.png"  width="615px" height="365px">
30 | 可以通过格来描述安全等级之间的关系
31 | 
32 | ### <span id="head5">Information Flow Policy</span>
33 | <img src="./picture/13-3.png"  width="615px" height="365px">
34 | 
35 | ## <span id="head6">Confidentiality and Integrity</span>
36 | 
37 | ### <span id="head7">Confidentiality vs. Integrity</span>
38 | <img src="./picture/13-4.png"  width="615px" height="365px">
39 | confidentiality，防止h数据流向l，防止h数据被窥。Integrity，防止l数据流向h数据，h数据被污染。
40 | <img src="./picture/13-5.png"  width="615px" height="365px">
41 | 两者在格上的关系是对称的。
42 | 
43 | ### <span id="head8">Integrity, Broad Definition</span>
44 | <img src="./picture/13-6.png"  width="615px" height="365px">
45 | 
46 | ## <span id="head9">Explicit Flows and Covert Channels</span>
47 | 
48 | ### <span id="head10">Implicit Flow</span>
49 | <img src="./picture/13-7.png"  width="615px" height="365px">
50 | 
51 | ### <span id="head11">Covert Channels</span>
52 | <img src="./picture/13-8.png"  width="615px" height="365px">
53 | 
54 | Blind Time Base SQLI 
55 | 
56 | ## <span id="head12">Taint Analysis</span>
57 | 
58 | ### <span id="head13"> 定义</span>
59 | <img src="./picture/13-9.png"  width="615px" height="365px">
60 | 
61 | ### <span id="head14"> 解决confidentiality、Integrity</span>
62 | <img src="./picture/13-10.png"  width="615px" height="365px">
63 | 
64 | ### <span id="head15">Taint 与Pointer Analysis结合</span>
65 | <img src="./picture/13-11.png"  width="615px" height="365px">
66 | 
67 | ### <span id="head16">Domains and Notations</span>
68 | <img src="./picture/13-12.png"  width="615px" height="365px">
69 | 对于普通的对象oi集合，添加了一种taint类型的对象，在指针间传播。
70 | 
71 | ### <span id="head17">Taint Analysis Input & Output</span>
72 | <img src="./picture/13-13.png"  width="615px" height="365px">
73 | 
74 | ### <span id="head18">Taint analysis:rule</span>
75 | <img src="./picture/13-14.png"  width="615px" height="365px">
76 | 确认sources和sink的两种rule，可以看出对于taint的对象，就是一种特殊的指针传播。
77 | 对于一些string的加法，concat的函数。可以直接定义一些污点传播规则，套入指针分析。
78 | 
79 | ## <span id="head19"> 其他</span>
80 | doop static ananlysis


--------------------------------------------------------------------------------
/14.Datalog-Based-Program-Analysis.md:
--------------------------------------------------------------------------------
 1 | - [Datalog-Based Program Analysis](#head1)
 2 | 	- [ Motivation](#head2)
 3 | 		- [命令式 vs 声明示](#head3)
 4 | 	- [Introduction to Datalog](#head4)
 5 | 		- [Datalog 的 data](#head5)
 6 | 			- [predicates ](#head6)
 7 | 			- [ 通过Atoms表示predicates](#head7)
 8 | 		- [Datalog 的 rule](#head8)
 9 | 		- [EDB and IDB](#head9)
10 | 		- [ Logical](#head10)
11 | 			- [Logical Or](#head11)
12 | 			- [ Negation](#head12)
13 | 		- [ Recursion](#head13)
14 | 		- [Rule safety](#head14)
15 | 		- [Excution of Datalog Programs](#head15)
16 | 	- [Pointer Analysis via Datalog](#head16)
17 | 		- [EDB/IDB Model](#head17)
18 | 		- [Rule TO Datalog](#head18)
19 | 		- [Example without method call](#head19)
20 | 	- [Taint Analysis via Datalog](#head20)
21 | 	- [Datalog Pros vs Cons](#head21)
22 | # <span id="head1">Datalog-Based Program Analysis</span>
23 | 
24 | ## <span id="head2"> Motivation</span>
25 | 
26 | ### <span id="head3">命令式 vs 声明示</span>
27 | <img src="./picture/14-1.png"  width="615px" height="365px">
28 | Declarative的特征:
29 | - Succint
30 | - Readable(logic-based specification)
31 | - Easy to implement
32 | 
33 | ## <span id="head4">Introduction to Datalog</span>
34 | <img src="./picture/14-2.png"  width="615px" height="365px">
35 | Datalog is a declarative logic programming language that is a subset of Prolog
36 | - No side-effects : 比如，不会有赋值操作，不能改变值，进而不会导致的副作用。
37 | 
38 | ### <span id="head5">Datalog 的 data</span>
39 | #### <span id="head6">predicates </span>
40 | <img src="./picture/14-3.png"  width="615px" height="365px">
41 | 
42 | #### <span id="head7"> 通过Atoms表示predicates</span>
43 | <img src="./picture/14-4.png"  width="615px" height="365px">
44 | Atoms分类:
45 | - relational atom : P(X1,X2,X3)，如Age("Alan",23)
46 | - arithmetic atoms : 如 age >= 18
47 | 
48 | ### <span id="head8">Datalog 的 rule</span>
49 | <img src="./picture/14-5.png"  width="615px" height="365px">
50 | H <- B1,B2,B3
51 | <img src="./picture/14-6.png"  width="615px" height="365px">
52 | Datalog program = Facts + Rules
53 | 
54 | ### <span id="head9">EDB and IDB</span>
55 | <img src="./picture/14-7.png"  width="615px" height="365px">
56 | H头部，只能是IDB，不能是推出来的。
57 | 
58 | ### <span id="head10"> Logical</span>
59 | #### <span id="head11">Logical Or</span>
60 | <img src="./picture/14-8.png"  width="615px" height="365px">
61 | 
62 | #### <span id="head12"> Negation</span>
63 | <img src="./picture/14-9.png"  width="615px" height="365px">
64 | 
65 | ### <span id="head13"> Recursion</span>
66 | <img src="./picture/14-10.png"  width="615px" height="365px">
67 | 可以递归定义
68 | <img src="./picture/14-11.png"  width="615px" height="365px">
69 | 
70 | ### <span id="head14">Rule safety</span>
71 | <img src="./picture/14-12.png"  width="615px" height="365px">
72 | 对于一个变量，必须出现在一个非negated relational atom中。如果值出现在一个negated relations中，则表示不满足该relations，则是无穷多。如果值出现在一个negated arithmetic atoms中，同理无穷多。
73 | 
74 | ### <span id="head15">Excution of Datalog Programs</span>
75 | <img src="./picture/14-13.png"  width="615px" height="365px">
76 | 
77 | 
78 | ## <span id="head16">Pointer Analysis via Datalog</span>
79 | <img src="./picture/14-14.png"  width="615px" height="365px">
80 | 
81 | ### <span id="head17">EDB/IDB Model</span>
82 | <img src="./picture/14-15.png"  width="615px" height="365px">
83 | 
84 | ### <span id="head18">Rule TO Datalog</span>
85 | <img src="./picture/14-16.png"  width="615px" height="365px">
86 | <img src="./picture/14-17.png"  width="615px" height="365px">
87 | <img src="./picture/14-18.png"  width="615px" height="365px">
88 | 
89 | ### <span id="head19">Example without method call</span>
90 | <img src="./picture/14-19.png"  width="615px" height="365px">
91 | 
92 | ## <span id="head20">Taint Analysis via Datalog</span>
93 | <img src="./picture/14-20.png"  width="615px" height="365px">
94 | <img src="./picture/14-21.png"  width="615px" height="365px">
95 | 
96 | ## <span id="head21">Datalog Pros vs Cons</span>
97 | <img src="./picture/14-22.png"  width="615px" height="365px">


--------------------------------------------------------------------------------
/15.IFDS.md:
--------------------------------------------------------------------------------
 1 | - [IFDS & CFL](#head1)
 2 | 	- [Feasible and Realizable Paths](#head2)
 3 | 	- [ CFL-Reachability](#head3)
 4 | 	- [Overview of IFDS](#head4)
 5 | 		- [MOP & MRP](#head5)
 6 | 		- [ overview](#head6)
 7 | 	- [Supergraph and Flow Funcations](#head7)
 8 | 		- [ supergraph](#head8)
 9 | 		- [flow functions](#head9)
10 | 	- [Exploded Supergraph and Tabulation Algorithm](#head10)
11 | 		- [exploded supegraph](#head11)
12 | 		- [0 -> 0](#head12)
13 | 		- [exploded supegraph example](#head13)
14 | 		- [tabulation algorithm](#head14)
15 | 	- [Understanding the Distributivity of IFDS](#head15)
16 | 		- [Can we do constant propagation using IFDS](#head16)
17 | 		- [Can we do pointer analysis useing IFDS](#head17)
18 | 	- [ 待解决问题](#head18)
19 | # <span id="head1">IFDS & CFL</span>
20 | 
21 | 
22 | ## <span id="head2">Feasible and Realizable Paths</span>
23 | <img src="./picture/15-1.png"  width="615px" height="365px">
24 | Infeasible Path : Paths in CFG that do not correspond to actual executions.
25 | 比如上图中Call foo(30)对应的Return 到 Call foo(18)处。（非上下问敏感）
26 | 
27 | ## <span id="head3"> CFL-Reachability</span>
28 | <img src="./picture/15-2.png"  width="615px" height="365px">
29 | 通过 context-free language来描述可执行的路径。
30 | <img src="./picture/15-3.png"  width="615px" height="365px">
31 | 通过（i、)i，表示调用以及返回，来描述调用和返回，)i必须有（i对应，组成合法的label。感觉这个就是（i、)i，描述调用关系，其实也类似于一种上下文。
32 | 
33 | ## <span id="head4">Overview of IFDS</span>
34 | <img src="./picture/15-4.png"  width="615px" height="365px">
35 | - 过程间
36 | - 域有限
37 | - 可分配
38 | - 子集问题
39 | ### <span id="head5">MOP & MRP</span>
40 | <img src="./picture/15-5.png"  width="615px" height="365px">
41 | 相对于 MOP，MRP是realizable-path
42 | ### <span id="head6"> overview</span>
43 | <img src="./picture/15-6.png"  width="615px" height="365px">
44 | program P，problem Q -> supergraph G* -> exploded supergraph G# -> reachability problems 
45 | 
46 | ## <span id="head7">Supergraph and Flow Funcations</span>
47 | 
48 | ### <span id="head8"> supergraph</span>
49 | <img src="./picture/15-7.png"  width="615px" height="365px">
50 | 
51 | ### <span id="head9">flow functions</span>
52 | <img src="./picture/15-8.png"  width="615px" height="365px">
53 | - main函数中的，Callp -> Retp，为什么需要 lambda S.S-{g} ? 因为g是全局变量，会跟随p的调用，进入p，并在Retp处返回。如果不去掉，在Retp处，会导致误报。
54 | - 一开始，我理解Sp的调用为引用传递，然后我考虑函数p的参数x/a，需要在Callp -> Retp处去掉x。该处为值传递，所以不需要去掉。所以java这处只考虑值传递，是因为java只有值传递吗？
55 | - a = a - g 中，transfer func 是 lambda S.if (a∈S) or (g ∈ S) than S  ∪ {a} else S - {a}，其实从从这个函数可以看出，是distribute的，我只需要a或g中的一个fact，即可决定输出。
56 | 
57 | ## <span id="head10">Exploded Supergraph and Tabulation Algorithm</span>
58 | 
59 | ### <span id="head11">exploded supegraph</span>
60 | <img src="./picture/15-9.png"  width="615px" height="365px">
61 | 
62 | ### <span id="head12">0 -> 0</span>
63 | <img src="./picture/15-10.png"  width="615px" height="365px">
64 | 
65 | ### <span id="head13">exploded supegraph example</span>
66 | <img src="./picture/15-11.png"  width="615px" height="365px">
67 | 
68 | ### <span id="head14">tabulation algorithm</span>
69 | <img src="./picture/15-12.png"  width="615px" height="365px">
70 | <img src="./picture/15-13.png"  width="615px" height="365px">
71 | <img src="./picture/15-14.png"  width="615px" height="365px">
72 | 
73 | ## <span id="head15">Understanding the Distributivity of IFDS</span>
74 | 
75 | ### <span id="head16">Can we do constant propagation using IFDS</span>
76 | <img src="./picture/15-14.png"  width="615px" height="365px">
77 | 如果我们把constant propagation的域假设为finite，我们仍然不能用IFDS，因为无法解决tranfer func单输入的问题(distribute)。
78 | 
79 | ### <span id="head17">Can we do pointer analysis useing IFDS</span>
80 | <img src="./picture/15-15.png"  width="615px" height="365px">
81 | 上图求解的问题，是new T 对象，能到达哪些变量。对于上面的传播，缺少alias信息，使结果不sound了，而alias是多输入的函数，所以满足IFDS的distributivtiy。
82 | 
83 | ## <span id="head18"> 待解决问题</span>
84 | - 找上面实际例子，结合transfer func来理解一下传递的意义，transfer func怎么转换成的representation relations.这些点与点之间的关系的意义
85 | - 对于transfer func转换的规则: f(空集)= {y},为什么y就不能出现在其他的被指向的点上了？
86 | - 仔细研究一下tabulation algorithm细节


--------------------------------------------------------------------------------
/16.Soundiness.md:
--------------------------------------------------------------------------------
 1 | - [ Soundiness](#head1)
 2 | 	- [Soundness and Soundiness](#head2)
 3 | 		- [ Soundness](#head3)
 4 | 		- [常见Hardness Feature](#head4)
 5 | 		- [ 提出Soundiness](#head5)
 6 | 		- [ Soundness,soundiness,Unsoundness](#head6)
 7 | 	- [Hard Language Feature : Java Reflection](#head7)
 8 | 		- [ 反射难论文](#head8)
 9 | 		- [ 解决反射](#head9)
10 | 			- [String Constant analysis](#head10)
11 | 			- [ 通过调用处的信息查找](#head11)
12 | 			- [Assisted By Dynamic Analysis](#head12)
13 | 	- [Hard Language Feature : Native Code](#head13)
14 | 		- [Native code 原理](#head14)
15 | 		- [ 解决方案](#head15)
16 | # <span id="head1"> Soundiness</span>
17 | 
18 | ## <span id="head2">Soundness and Soundiness</span>
19 | 
20 | ### <span id="head3"> Soundness</span>
21 | <img src="./picture/16-1.png"  width="615px" height="365px">
22 | 不论学术界、工业界都没有达到一个真正的soundness，因为Hard Language Feature
23 | ### <span id="head4">常见Hardness Feature</span>
24 | <img src="./picture/16-2.png"  width="615px" height="365px">
25 | 
26 | ### <span id="head5"> 提出Soundiness</span>
27 | <img src="./picture/16-3.png"  width="615px" height="365px">
28 | 
29 | ### <span id="head6"> Soundness,soundiness,Unsoundness</span>
30 | <img src="./picture/16-4.png"  width="615px" height="365px">
31 | 
32 | - sound 完全捕获所有的动态行为
33 | - soundy 捕获所有的动态行为，为unsoundly 的处理给予原因或解决策略
34 | - unsound 忽略动态特性
35 | 
36 | ## <span id="head7">Hard Language Feature : Java Reflection</span>
37 | 
38 | ### <span id="head8"> 反射难论文</span>
39 | <img src="./picture/16-5.png"  width="615px" height="365px">
40 | 反射存在的意义：Run-time特性，在spring等框架中，用于解耦
41 | 
42 | ### <span id="head9"> 解决反射</span>
43 | #### <span id="head10">String Constant analysis</span>
44 | <img src="./picture/16-6.png"  width="615px" height="365px">
45 | 如果存在反射代码中，如果反射中的参数都是字符串，则可以通过字符串，根据程序语义来确定，反射的具体是哪些类、方法、field等。但是实际应用中，这种参数可能存在于任何不可确定的输入中。
46 | 
47 | #### <span id="head11"> 通过调用处的信息查找</span>
48 | <img src="./picture/16-7.png"  width="615px" height="365px">
49 | When string arguments cannot be resolved statically, infer the reflective targes at their usage points.
50 | <img src="./picture/16-8.png"  width="615px" height="365px">
51 | 通过parameters参数指针，所指向的所有对象的类型，去推断有这样参数特征的函数
52 | 
53 | #### <span id="head12">Assisted By Dynamic Analysis</span>
54 | <img src="./picture/16-9.png"  width="615px" height="365px">
55 | 最后一个，通过运行test case，来做到运行中分析。dynamic analysis的缺点：不soundiness，有多少test case，有多少覆盖。
56 | 
57 | ## <span id="head13">Hard Language Feature : Native Code</span>
58 | 
59 | ### <span id="head14">Native code 原理</span>
60 | <img src="./picture/16-10.png"  width="615px" height="365px">
61 | <img src="./picture/16-11.png"  width="615px" height="365px">
62 | <img src="./picture/16-12.png"  width="615px" height="365px">
63 | 通过java代码调用本地连接库，c可调用Java的一些逻辑。
64 | 
65 | ### <span id="head15"> 解决方案</span>
66 | <img src="./picture/16-13.png"  width="615px" height="365px">
67 | 通过java代码实现native功能。


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # NJU-static-program-analysis-node
  2 | 
  3 | 快速的过了一遍课程视频，大体了解了一下，打算看第二遍，并记下笔记。🙏感谢南大两位老师
  4 | 
  5 | [课程地址](https://pascal-group.bitbucket.io/teaching.html)
  6 | # 我的一些思考
  7 | [thinking.md](./thinking.md)
  8 | 
  9 | # 笔记目录
 10 | 
 11 | [01.Course Introduction](./001.Course-Introduction.md)
 12 | 
 13 | - [Course Introduction](./01.Course-Introduction.md#head1)
 14 | 	- [PL and Static Analysis](./01.Course-Introduction.md#head2)
 15 | 	- [Why We Lean Static Analysis](./01.Course-Introduction.md#head3)
 16 | 	- [What is Static Analysis](./01.Course-Introduction.md#head4)
 17 | 	- [Static Analysis Features and Examples](./01.Course-Introduction.md#head5)
 18 | 		- [ soundness](./01.Course-Introduction.md#head6)
 19 | 		- [ 如何实现](./01.Course-Introduction.md#head7)
 20 | 		- [ 一个栗子](./01.Course-Introduction.md#head8)
 21 | 		- [ 精度与速度平衡](./01.Course-Introduction.md#head9)
 22 | 	- [Teaching Plan](./01.Course-Introduction.md#head10)
 23 | 	- [Evalution Criteria](./01.Course-Introduction.md#head11)
 24 | 
 25 | 
 26 | [02.Intermediate-Representation.md](./02.Intermediate-Representation.md)
 27 | 
 28 | - [Intermediate Representation](./02.Intermediate-Representation.md#head1)
 29 | 	- [Compilers and Static Analyzers](./02.Intermediate-Representation.md#head2)
 30 | 	- [AST vs. IR](./02.Intermediate-Representation.md#head3)
 31 | 	- [IR: Three-Address Code (3AC)](./02.Intermediate-Representation.md#head4)
 32 | 	- [3AC in Real Static Analyzer : Soot](./02.Intermediate-Representation.md#head5)
 33 | 	- [Static Single Assignment (SSA)](./02.Intermediate-Representation.md#head6)
 34 | 	- [Basic Blocks (BB)](./02.Intermediate-Representation.md#head7)
 35 | 	- [Control Flow Graphs (CFG)](./02.Intermediate-Representation.md#head8)
 36 | 
 37 | [03.Data-Flow-Analysis-I.md](./03.Data-Flow-Analysis-I.md)
 38 | 
 39 | - [Data Flow Analysis I](./03.Data-Flow-Analysis-I.md#head1)
 40 | 	- [Overview of Data Flow Analysis](./03.Data-Flow-Analysis-I.md#head2)
 41 | 	- [Preliminaries of Data Flow Analysis](./03.Data-Flow-Analysis-I.md#head3)
 42 | 	- [Reaching Definitions Analysis](./03.Data-Flow-Analysis-I.md#head4)
 43 | 		- [Reaching Definitions的定义](./03.Data-Flow-Analysis-I.md#head5)
 44 | 		- [用bit vectors去表示是否可达](./03.Data-Flow-Analysis-I.md#head6)
 45 | 		- [Transfer function and Control flow](./03.Data-Flow-Analysis-I.md#head7)
 46 | 		- [ 算法](./03.Data-Flow-Analysis-I.md#head8)
 47 | 		- [ 栗子](./03.Data-Flow-Analysis-I.md#head9)
 48 | 		- [ 为什么会最终不变](./03.Data-Flow-Analysis-I.md#head10)
 49 | 
 50 | [04.Data-Flow-Analysis-II.md](./04.Data-Flow-Analysis-II.md)
 51 | 
 52 | - [Data Flow Analysis II](./04.Data-Flow-Analysis-II.md#head1)
 53 | 	- [Live Variables Analysis](./04.Data-Flow-Analysis-II.md#head2)
 54 | 		- [ 定义](./04.Data-Flow-Analysis-II.md#head3)
 55 | 		- [transfer func and control flow merge](./04.Data-Flow-Analysis-II.md#head4)
 56 | 		- [ 算法](./04.Data-Flow-Analysis-II.md#head5)
 57 | 		- [ 栗子](./04.Data-Flow-Analysis-II.md#head6)
 58 | 	- [Available Expressons Analysis](./04.Data-Flow-Analysis-II.md#head7)
 59 | 		- [ 定义](./04.Data-Flow-Analysis-II.md#head8)
 60 | 		- [transfer func and control flow merge](./04.Data-Flow-Analysis-II.md#head9)
 61 | 		- [ 算法](./04.Data-Flow-Analysis-II.md#head10)
 62 | 	- [ 三种算法对比](./04.Data-Flow-Analysis-II.md#head11)
 63 | 
 64 | [05.Data-Flow-Analysis-Foundations-I.md](./05.Data-Flow-Analysis-Foundations-I.md)
 65 | 
 66 | - [Data Flow Analysis - Foundations I](./05.Data-Flow-Analysis-Foundations-I.md#head1)
 67 | 	- [Iterative Algorithm, Another View](./05.Data-Flow-Analysis-Foundations-I.md#head2)
 68 | 	- [Partial Order](./05.Data-Flow-Analysis-Foundations-I.md#head3)
 69 | 		- [ 偏序](./05.Data-Flow-Analysis-Foundations-I.md#head4)
 70 | 	- [Upper and Lower Bounds](./05.Data-Flow-Analysis-Foundations-I.md#head5)
 71 | 		- [ 定义](./05.Data-Flow-Analysis-Foundations-I.md#head6)
 72 | 		- [ poset性质](./05.Data-Flow-Analysis-Foundations-I.md#head7)
 73 | 	- [Lattice, Semilattce,Complete and Product Lattice](./05.Data-Flow-Analysis-Foundations-I.md#head8)
 74 | 		- [ Lattice](./05.Data-Flow-Analysis-Foundations-I.md#head9)
 75 | 		- [Complete Lattice](./05.Data-Flow-Analysis-Foundations-I.md#head10)
 76 | 		- [Product Lattice](./05.Data-Flow-Analysis-Foundations-I.md#head11)
 77 | 	- [Data Flow Analysis Framework Via Lattic](./05.Data-Flow-Analysis-Foundations-I.md#head12)
 78 | 	- [Monotonicity and Fixed Point Theorem](./05.Data-Flow-Analysis-Foundations-I.md#head13)
 79 | 		- [ 定义](./05.Data-Flow-Analysis-Foundations-I.md#head14)
 80 | 		- [证明-Existence of fixed point](./05.Data-Flow-Analysis-Foundations-I.md#head15)
 81 | 		- [证明-The fixed point is the least](./05.Data-Flow-Analysis-Foundations-I.md#head16)
 82 | 		- [lattice 上数学运算与data analyse ](./05.Data-Flow-Analysis-Foundations-I.md#head17)
 83 | 
 84 | [06.Data-Flow-Analysis-Foundations-II.md](./06.Data-Flow-Analysis-Foundations-II.md)
 85 | 
 86 | - [Data Flow Analysis Foundations II](./06.Data-Flow-Analysis-Foundations-II.md#head1)
 87 | 	- [Relate Iterative Algorithm to Fixed Point Theorem](./06.Data-Flow-Analysis-Foundations-II.md#head2)
 88 | 		- [ 格与迭代算法对应](./06.Data-Flow-Analysis-Foundations-II.md#head3)
 89 | 		- [ 证明迭代算法中F的monotonic](./06.Data-Flow-Analysis-Foundations-II.md#head4)
 90 | 		- [ 什么时候到达fixed-point](./06.Data-Flow-Analysis-Foundations-II.md#head5)
 91 | 	- [May/Must Analysis, A Lattice View](./06.Data-Flow-Analysis-Foundations-II.md#head6)
 92 | 	- [Mop and Distributivity](./06.Data-Flow-Analysis-Foundations-II.md#head7)
 93 | 		- [ mop定义](./06.Data-Flow-Analysis-Foundations-II.md#head8)
 94 | 		- [ mop与迭代算法区别](./06.Data-Flow-Analysis-Foundations-II.md#head9)
 95 | 	- [Constant Propagation](./06.Data-Flow-Analysis-Foundations-II.md#head10)
 96 | 		- [非distributive的问题，must analysis](./06.Data-Flow-Analysis-Foundations-II.md#head11)
 97 | 		- [ 问题映射到lattice上](./06.Data-Flow-Analysis-Foundations-II.md#head12)
 98 | 	- [Worklist Algorithm](./06.Data-Flow-Analysis-Foundations-II.md#head13)
 99 | 
100 | [07.Interprocedural-Analysis.md](./07.Interprocedural-Analysis.md)
101 | 
102 | - [Interprocedural Analysis](./07.Interprocedural-Analysis.md#head1)
103 | 	- [ Motivation](./07.Interprocedural-Analysis.md#head2)
104 | 		- [Call Graph](./07.Interprocedural-Analysis.md#head3)
105 | 	- [Call Graph Construction(CHA)](./07.Interprocedural-Analysis.md#head4)
106 | 		- [Call Graph算法对比](./07.Interprocedural-Analysis.md#head5)
107 | 		- [ Dispatch](./07.Interprocedural-Analysis.md#head6)
108 | 			- [Java中的method invoke](./07.Interprocedural-Analysis.md#head7)
109 | 			- [method signature](./07.Interprocedural-Analysis.md#head8)
110 | 			- [virtual call dispatch](./07.Interprocedural-Analysis.md#head9)
111 | 		- [ CHA](./07.Interprocedural-Analysis.md#head10)
112 | 			- [ 定义](./07.Interprocedural-Analysis.md#head11)
113 | 			- [ Resolve](./07.Interprocedural-Analysis.md#head12)
114 | 			- [ 全程序算法](./07.Interprocedural-Analysis.md#head13)
115 | 	- [Interprocedural Control-Flow Graph](./07.Interprocedural-Analysis.md#head14)
116 | 		- [ 定义](./07.Interprocedural-Analysis.md#head15)
117 | 	- [Interprocedural Data-Flow Analysis](./07.Interprocedural-Analysis.md#head16)
118 | 		- [ 过程间分析组成](./07.Interprocedural-Analysis.md#head17)
119 | 		- [Interprocedural Constant Propagation](./07.Interprocedural-Analysis.md#head18)
120 | 			- [ 组成](./07.Interprocedural-Analysis.md#head19)
121 | 			- [ 栗子](./07.Interprocedural-Analysis.md#head20)
122 | 
123 | [08.Pointer-Analysis.md](./08.Pointer-Analysis.md)
124 | 
125 | - [Pointer Analysis](./08.Pointer-Analysis.md#head1)
126 | 	- [ Motivation](./08.Pointer-Analysis.md#head2)
127 | 	- [Introduction to Pointer Analysis](./08.Pointer-Analysis.md#head3)
128 | 		- [Pointer Analysis 简述](./08.Pointer-Analysis.md#head4)
129 | 		- [/Pointer Analysis 和 Alias Analysis 的区别](./08.Pointer-Analysis.md#head5)
130 | 		- [ 指针分析在静态分析地位](./08.Pointer-Analysis.md#head6)
131 | 	- [Key Factors of Pointer Analysis](./08.Pointer-Analysis.md#head7)
132 | 		- [Pointer Analysis的四个取舍要素](./08.Pointer-Analysis.md#head8)
133 | 		- [Heap Abstraction](./08.Pointer-Analysis.md#head9)
134 | 			- [ 为什么堆抽象](./08.Pointer-Analysis.md#head10)
135 | 			- [Allocation-Site Abstraction](./08.Pointer-Analysis.md#head11)
136 | 		- [Context Sensitivity](./08.Pointer-Analysis.md#head12)
137 | 		- [Flow Sensitivity](./08.Pointer-Analysis.md#head13)
138 | 		- [Analysis Scope](./08.Pointer-Analysis.md#head14)
139 | 		- [ 课程涉及的特性](./08.Pointer-Analysis.md#head15)
140 | 	- [Concerned Statements](./08.Pointer-Analysis.md#head16)
141 | 		- [Pointer Analysis面向的指针类型](./08.Pointer-Analysis.md#head17)
142 | 		- [ Pointer Analysis面向的语句](./08.Pointer-Analysis.md#head18)
143 | 
144 | [09.Pointer-Analysis-Foundations-I.md](./09.Pointer-Analysis-Foundations-I.md)
145 | 
146 | - [Pointer Analysis - Foundations I](./09.Pointer-Analysis-Foundations-I.md#head1)
147 | 	- [Pointer Analysis:Rules](./09.Pointer-Analysis-Foundations-I.md#head2)
148 | 		- [ 影响指针的statements](./09.Pointer-Analysis-Foundations-I.md#head3)
149 | 		- [Domains and Notations](./09.Pointer-Analysis-Foundations-I.md#head4)
150 | 		- [ Rule](./09.Pointer-Analysis-Foundations-I.md#head5)
151 | 	- [How to implement Pointer Analysis](./09.Pointer-Analysis-Foundations-I.md#head6)
152 | 		- [ PFG](./09.Pointer-Analysis-Foundations-I.md#head7)
153 | 		- [实现Pointer Analysis](./09.Pointer-Analysis-Foundations-I.md#head8)
154 | 	- [Pointer Analysis:Algorithms](./09.Pointer-Analysis-Foundations-I.md#head9)
155 | 
156 | [10.Pointer-Analysis-Foundations-II.md](./10.Pointer-Analysis-Foundations-II.md)
157 | 
158 | - [Pointer Analysis with Method Calls](./10.Pointer-Analysis-Foundations-II.md#head1)
159 | 	- [call rule](./10.Pointer-Analysis-Foundations-II.md#head2)
160 | 	- [ 不加x到this](./10.Pointer-Analysis-Foundations-II.md#head3)
161 | 	- [Interprocedure Pointer Anaylsis Algorithm](./10.Pointer-Analysis-Foundations-II.md#head4)
162 | 
163 | [11.Pointer-Analysis-Context-Sensitivity-I.md](./11.Pointer-Analysis-Context-Sensitivity-I.md)
164 | 
165 | - [Pointer Analysis Context Sensitivity](./11.Pointer-Analysis-Context-Sensitivity-I.md#head1)
166 | 	- [ Introduction](./11.Pointer-Analysis-Context-Sensitivity-I.md#head2)
167 | 		- [Why Context Sensitivity](./11.Pointer-Analysis-Context-Sensitivity-I.md#head3)
168 | 		- [Cloning-Based Context Sensitivity](./11.Pointer-Analysis-Context-Sensitivity-I.md#head4)
169 | 		- [Why  Context-Sensitive Heap](./11.Pointer-Analysis-Context-Sensitivity-I.md#head5)
170 | 		- [Context-Sensitive Heap](./11.Pointer-Analysis-Context-Sensitivity-I.md#head6)
171 | 	- [Context Sensitive Pointer Analysis:Rules](./11.Pointer-Analysis-Context-Sensitivity-I.md#head7)
172 | 		- [Domains and Notations](./11.Pointer-Analysis-Context-Sensitivity-I.md#head8)
173 | 	- [ Rules](./11.Pointer-Analysis-Context-Sensitivity-I.md#head9)
174 | 
175 | [12.Pointer Analysis Context Sensitivity II](./12.Pointer-Analysis-Context-Sensitivity-II.md#head1)
176 | 	
177 | - [Context Sensitive Pointer Analysis : Algorithms](./12.Pointer-Analysis-Context-Sensitivity-II.md#head2)
178 | 	- [ 定义](./12.Pointer-Analysis-Context-Sensitivity-II.md#head3)
179 | 	- [ algorithms](./12.Pointer-Analysis-Context-Sensitivity-II.md#head4)
180 | - [Context Sensitivity Variants](./12.Pointer-Analysis-Context-Sensitivity-II.md#head5)
181 | 	- [Call-Site Sensitivity](./12.Pointer-Analysis-Context-Sensitivity-II.md#head6)
182 | 		- [ 栗子](./12.Pointer-Analysis-Context-Sensitivity-II.md#head7)
183 | 	- [Object Sensitivity](./12.Pointer-Analysis-Context-Sensitivity-II.md#head8)
184 | 		- [ 栗子](./12.Pointer-Analysis-Context-Sensitivity-II.md#head9)
185 | 	- [Type Sensitivity](./12.Pointer-Analysis-Context-Sensitivity-II.md#head10)
186 | 	- [ 对比](./12.Pointer-Analysis-Context-Sensitivity-II.md#head11)
187 | 
188 | [13.Static Analysis for Security](./13.Static-Analysis-For-Security.md#head1)
189 | 
190 | - [Information Flow Security](./13.Static-Analysis-For-Security.md#head2)
191 | 	- [Access Control vs. Information Flow Security](./13.Static-Analysis-For-Security.md#head3)
192 | 	- [Security Levels](./13.Static-Analysis-For-Security.md#head4)
193 | 	- [Information Flow Policy](./13.Static-Analysis-For-Security.md#head5)
194 | - [Confidentiality and Integrity](./13.Static-Analysis-For-Security.md#head6)
195 | 	- [Confidentiality vs. Integrity](./13.Static-Analysis-For-Security.md#head7)
196 | 	- [Integrity, Broad Definition](./13.Static-Analysis-For-Security.md#head8)
197 | - [Explicit Flows and Covert Channels](./13.Static-Analysis-For-Security.md#head9)
198 | 	- [Implicit Flow](./13.Static-Analysis-For-Security.md#head10)
199 | 	- [Covert Channels](./13.Static-Analysis-For-Security.md#head11)
200 | - [Taint Analysis](./13.Static-Analysis-For-Security.md#head12)
201 | 	- [ 定义](./13.Static-Analysis-For-Security.md#head13)
202 | 	- [ 解决confidentiality、Integrity](./13.Static-Analysis-For-Security.md#head14)
203 | 	- [Taint 与Pointer Analysis结合](./13.Static-Analysis-For-Security.md#head15)
204 | 	- [Domains and Notations](./13.Static-Analysis-For-Security.md#head16)
205 | 	- [Taint Analysis Input & Output](./13.Static-Analysis-For-Security.md#head17)
206 | 	- [Taint analysis:rule](./13.Static-Analysis-For-Security.md#head18)
207 | - [ 其他](./13.Static-Analysis-For-Security.md#head19)
208 | 
209 | [14.Datalog-Based-Program-Analysis.md](./14.Datalog-Based-Program-Analysis.md)
210 | 
211 | - [ Motivation](./14.Datalog-Based-Program-Analysis.md#head2)
212 | 	- [命令式 vs 声明示](./14.Datalog-Based-Program-Analysis.md#head3)
213 | - [Introduction to Datalog](./14.Datalog-Based-Program-Analysis.md#head4)
214 | 	- [Datalog 的 data](./14.Datalog-Based-Program-Analysis.md#head5)
215 | 		- [predicates ](./14.Datalog-Based-Program-Analysis.md#head6)
216 | 		- [ 通过Atoms表示predicates](./14.Datalog-Based-Program-Analysis.md#head7)
217 | 	- [Datalog 的 rule](./14.Datalog-Based-Program-Analysis.md#head8)
218 | 	- [EDB and IDB](./14.Datalog-Based-Program-Analysis.md#head9)
219 | 	- [ Logical](./14.Datalog-Based-Program-Analysis.md#head10)
220 | 		- [Logical Or](./14.Datalog-Based-Program-Analysis.md#head11)
221 | 		- [ Negation](./14.Datalog-Based-Program-Analysis.md#head12)
222 | 	- [ Recursion](./14.Datalog-Based-Program-Analysis.md#head13)
223 | 	- [Rule safety](./14.Datalog-Based-Program-Analysis.md#head14)
224 | 	- [Excution of Datalog Programs](./14.Datalog-Based-Program-Analysis.md#head15)
225 | - [Pointer Analysis via Datalog](./14.Datalog-Based-Program-Analysis.md#head16)
226 | 	- [EDB/IDB Model](./14.Datalog-Based-Program-Analysis.md#head17)
227 | 	- [Rule TO Datalog](./14.Datalog-Based-Program-Analysis.md#head18)
228 | 	- [Example without method call](./14.Datalog-Based-Program-Analysis.md#head19)
229 | - [Taint Analysis via Datalog](./14.Datalog-Based-Program-Analysis.md#head20)
230 | - [Datalog Pros vs Cons](./14.Datalog-Based-Program-Analysis.md#head21)
231 | 
232 | [15.IFDS.md](./15.IFDS.md)
233 | 
234 | - [Feasible and Realizable Paths](./15.IFDS.md#head2)
235 | - [ CFL-Reachability](./15.IFDS.md#head3)
236 | - [Overview of IFDS](./15.IFDS.md#head4)
237 | 	- [MOP & MRP](./15.IFDS.md#head5)
238 | 	- [ overview](./15.IFDS.md#head6)
239 | - [Supergraph and Flow Funcations](./15.IFDS.md#head7)
240 | 	- [ supergraph](./15.IFDS.md#head8)
241 | 	- [flow functions](./15.IFDS.md#head9)
242 | - [Exploded Supergraph and Tabulation Algorithm](./15.IFDS.md#head10)
243 | 	- [exploded supegraph](./15.IFDS.md#head11)
244 | 	- [0 -> 0](./15.IFDS.md#head12)
245 | 	- [exploded supegraph example](./15.IFDS.md#head13)
246 | 	- [tabulation algorithm](./15.IFDS.md#head14)
247 | - [Understanding the Distributivity of IFDS](./15.IFDS.md#head15)
248 | 	- [Can we do constant propagation using IFDS](./15.IFDS.md#head16)
249 | 	- [Can we do pointer analysis useing IFDS](./15.IFDS.md#head17)
250 | - [ 待解决问题](./15.IFDS.md#head18)
251 | 
252 | [16.Soundiness.md](./16.Soundiness.md)
253 | 
254 | - [Soundness and Soundiness](./16.Soundiness.md#head2)
255 | 	- [ Soundness](./16.Soundiness.md#head3)
256 | 	- [常见Hardness Feature](./16.Soundiness.md#head4)
257 | 	- [ 提出Soundiness](./16.Soundiness.md#head5)
258 | 	- [ Soundness,soundiness,Unsoundness](./16.Soundiness.md#head6)
259 | - [Hard Language Feature : Java Reflection](./16.Soundiness.md#head7)
260 | 	- [ 反射难论文](./16.Soundiness.md#head8)
261 | 	- [ 解决反射](./16.Soundiness.md#head9)
262 | 		- [String Constant analysis](./16.Soundiness.md#head10)
263 | 		- [ 通过调用处的信息查找](./16.Soundiness.md#head11)
264 | 		- [Assisted By Dynamic Analysis](./16.Soundiness.md#head12)
265 | - [Hard Language Feature : Native Code](./16.Soundiness.md#head13)
266 | 	- [Native code 原理](./16.Soundiness.md#head14)
267 | 	- [ 解决方案](./16.Soundiness.md#head15)


--------------------------------------------------------------------------------
/picture/1-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-1.png


--------------------------------------------------------------------------------
/picture/1-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-2.png


--------------------------------------------------------------------------------
/picture/1-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-3.png


--------------------------------------------------------------------------------
/picture/1-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-4.png


--------------------------------------------------------------------------------
/picture/1-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-5.png


--------------------------------------------------------------------------------
/picture/1-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-6.png


--------------------------------------------------------------------------------
/picture/1-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-7.png


--------------------------------------------------------------------------------
/picture/1-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/1-8.png


--------------------------------------------------------------------------------
/picture/10-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/10-1.png


--------------------------------------------------------------------------------
/picture/10-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/10-2.png


--------------------------------------------------------------------------------
/picture/10-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/10-3.png


--------------------------------------------------------------------------------
/picture/11-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-1.png


--------------------------------------------------------------------------------
/picture/11-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-2.png


--------------------------------------------------------------------------------
/picture/11-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-3.png


--------------------------------------------------------------------------------
/picture/11-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-4.png


--------------------------------------------------------------------------------
/picture/11-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-5.png


--------------------------------------------------------------------------------
/picture/11-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-6.png


--------------------------------------------------------------------------------
/picture/11-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/11-7.png


--------------------------------------------------------------------------------
/picture/12-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-1.png


--------------------------------------------------------------------------------
/picture/12-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-10.png


--------------------------------------------------------------------------------
/picture/12-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-11.png


--------------------------------------------------------------------------------
/picture/12-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-12.png


--------------------------------------------------------------------------------
/picture/12-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-13.png


--------------------------------------------------------------------------------
/picture/12-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-14.png


--------------------------------------------------------------------------------
/picture/12-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-15.png


--------------------------------------------------------------------------------
/picture/12-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-2.png


--------------------------------------------------------------------------------
/picture/12-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-3.png


--------------------------------------------------------------------------------
/picture/12-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-4.png


--------------------------------------------------------------------------------
/picture/12-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-5.png


--------------------------------------------------------------------------------
/picture/12-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-6.png


--------------------------------------------------------------------------------
/picture/12-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-7.png


--------------------------------------------------------------------------------
/picture/12-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-8.png


--------------------------------------------------------------------------------
/picture/12-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/12-9.png


--------------------------------------------------------------------------------
/picture/13-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-1.png


--------------------------------------------------------------------------------
/picture/13-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-10.png


--------------------------------------------------------------------------------
/picture/13-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-11.png


--------------------------------------------------------------------------------
/picture/13-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-12.png


--------------------------------------------------------------------------------
/picture/13-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-13.png


--------------------------------------------------------------------------------
/picture/13-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-14.png


--------------------------------------------------------------------------------
/picture/13-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-2.png


--------------------------------------------------------------------------------
/picture/13-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-3.png


--------------------------------------------------------------------------------
/picture/13-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-4.png


--------------------------------------------------------------------------------
/picture/13-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-5.png


--------------------------------------------------------------------------------
/picture/13-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-6.png


--------------------------------------------------------------------------------
/picture/13-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-7.png


--------------------------------------------------------------------------------
/picture/13-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-8.png


--------------------------------------------------------------------------------
/picture/13-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/13-9.png


--------------------------------------------------------------------------------
/picture/14-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-1.png


--------------------------------------------------------------------------------
/picture/14-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-10.png


--------------------------------------------------------------------------------
/picture/14-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-11.png


--------------------------------------------------------------------------------
/picture/14-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-12.png


--------------------------------------------------------------------------------
/picture/14-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-13.png


--------------------------------------------------------------------------------
/picture/14-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-14.png


--------------------------------------------------------------------------------
/picture/14-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-15.png


--------------------------------------------------------------------------------
/picture/14-16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-16.png


--------------------------------------------------------------------------------
/picture/14-17.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-17.png


--------------------------------------------------------------------------------
/picture/14-18.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-18.png


--------------------------------------------------------------------------------
/picture/14-19.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-19.png


--------------------------------------------------------------------------------
/picture/14-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-2.png


--------------------------------------------------------------------------------
/picture/14-20.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-20.png


--------------------------------------------------------------------------------
/picture/14-21.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-21.png


--------------------------------------------------------------------------------
/picture/14-22.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-22.png


--------------------------------------------------------------------------------
/picture/14-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-3.png


--------------------------------------------------------------------------------
/picture/14-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-4.png


--------------------------------------------------------------------------------
/picture/14-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-5.png


--------------------------------------------------------------------------------
/picture/14-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-6.png


--------------------------------------------------------------------------------
/picture/14-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-7.png


--------------------------------------------------------------------------------
/picture/14-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-8.png


--------------------------------------------------------------------------------
/picture/14-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/14-9.png


--------------------------------------------------------------------------------
/picture/15-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-1.png


--------------------------------------------------------------------------------
/picture/15-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-10.png


--------------------------------------------------------------------------------
/picture/15-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-11.png


--------------------------------------------------------------------------------
/picture/15-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-12.png


--------------------------------------------------------------------------------
/picture/15-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-13.png


--------------------------------------------------------------------------------
/picture/15-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-14.png


--------------------------------------------------------------------------------
/picture/15-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-15.png


--------------------------------------------------------------------------------
/picture/15-16.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-16.png


--------------------------------------------------------------------------------
/picture/15-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-2.png


--------------------------------------------------------------------------------
/picture/15-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-3.png


--------------------------------------------------------------------------------
/picture/15-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-4.png


--------------------------------------------------------------------------------
/picture/15-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-5.png


--------------------------------------------------------------------------------
/picture/15-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-6.png


--------------------------------------------------------------------------------
/picture/15-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-7.png


--------------------------------------------------------------------------------
/picture/15-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-8.png


--------------------------------------------------------------------------------
/picture/15-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/15-9.png


--------------------------------------------------------------------------------
/picture/16-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-1.png


--------------------------------------------------------------------------------
/picture/16-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-10.png


--------------------------------------------------------------------------------
/picture/16-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-11.png


--------------------------------------------------------------------------------
/picture/16-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-12.png


--------------------------------------------------------------------------------
/picture/16-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-13.png


--------------------------------------------------------------------------------
/picture/16-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-2.png


--------------------------------------------------------------------------------
/picture/16-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-3.png


--------------------------------------------------------------------------------
/picture/16-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-4.png


--------------------------------------------------------------------------------
/picture/16-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-5.png


--------------------------------------------------------------------------------
/picture/16-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-6.png


--------------------------------------------------------------------------------
/picture/16-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-7.png


--------------------------------------------------------------------------------
/picture/16-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-8.png


--------------------------------------------------------------------------------
/picture/16-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/16-9.png


--------------------------------------------------------------------------------
/picture/2-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-1.png


--------------------------------------------------------------------------------
/picture/2-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-2.png


--------------------------------------------------------------------------------
/picture/2-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-3.png


--------------------------------------------------------------------------------
/picture/2-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-4.png


--------------------------------------------------------------------------------
/picture/2-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-5.png


--------------------------------------------------------------------------------
/picture/2-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-6.png


--------------------------------------------------------------------------------
/picture/2-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-7.png


--------------------------------------------------------------------------------
/picture/2-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-8.png


--------------------------------------------------------------------------------
/picture/2-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/2-9.png


--------------------------------------------------------------------------------
/picture/3-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-1.png


--------------------------------------------------------------------------------
/picture/3-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-10.png


--------------------------------------------------------------------------------
/picture/3-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-11.png


--------------------------------------------------------------------------------
/picture/3-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-12.png


--------------------------------------------------------------------------------
/picture/3-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-13.png


--------------------------------------------------------------------------------
/picture/3-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-3.png


--------------------------------------------------------------------------------
/picture/3-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-4.png


--------------------------------------------------------------------------------
/picture/3-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-5.png


--------------------------------------------------------------------------------
/picture/3-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-6.png


--------------------------------------------------------------------------------
/picture/3-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-8.png


--------------------------------------------------------------------------------
/picture/3-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/3-9.png


--------------------------------------------------------------------------------
/picture/4-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-1.png


--------------------------------------------------------------------------------
/picture/4-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-2.png


--------------------------------------------------------------------------------
/picture/4-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-3.png


--------------------------------------------------------------------------------
/picture/4-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-4.png


--------------------------------------------------------------------------------
/picture/4-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-5.png


--------------------------------------------------------------------------------
/picture/4-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-6.png


--------------------------------------------------------------------------------
/picture/4-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-7.png


--------------------------------------------------------------------------------
/picture/4-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/4-8.png


--------------------------------------------------------------------------------
/picture/5-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-1.png


--------------------------------------------------------------------------------
/picture/5-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-10.png


--------------------------------------------------------------------------------
/picture/5-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-11.png


--------------------------------------------------------------------------------
/picture/5-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-12.png


--------------------------------------------------------------------------------
/picture/5-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-13.png


--------------------------------------------------------------------------------
/picture/5-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-14.png


--------------------------------------------------------------------------------
/picture/5-15.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-15.png


--------------------------------------------------------------------------------
/picture/5-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-2.png


--------------------------------------------------------------------------------
/picture/5-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-3.png


--------------------------------------------------------------------------------
/picture/5-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-4.png


--------------------------------------------------------------------------------
/picture/5-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-5.png


--------------------------------------------------------------------------------
/picture/5-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-6.png


--------------------------------------------------------------------------------
/picture/5-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-7.png


--------------------------------------------------------------------------------
/picture/5-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-8.png


--------------------------------------------------------------------------------
/picture/5-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/5-9.png


--------------------------------------------------------------------------------
/picture/6-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-1.png


--------------------------------------------------------------------------------
/picture/6-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-10.png


--------------------------------------------------------------------------------
/picture/6-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-11.png


--------------------------------------------------------------------------------
/picture/6-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-2.png


--------------------------------------------------------------------------------
/picture/6-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-3.png


--------------------------------------------------------------------------------
/picture/6-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-4.png


--------------------------------------------------------------------------------
/picture/6-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-5.png


--------------------------------------------------------------------------------
/picture/6-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-6.png


--------------------------------------------------------------------------------
/picture/6-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-7.png


--------------------------------------------------------------------------------
/picture/6-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-8.png


--------------------------------------------------------------------------------
/picture/6-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/6-9.png


--------------------------------------------------------------------------------
/picture/7-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-1.png


--------------------------------------------------------------------------------
/picture/7-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-10.png


--------------------------------------------------------------------------------
/picture/7-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-11.png


--------------------------------------------------------------------------------
/picture/7-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-12.png


--------------------------------------------------------------------------------
/picture/7-13.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-13.png


--------------------------------------------------------------------------------
/picture/7-14.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-14.png


--------------------------------------------------------------------------------
/picture/7-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-2.png


--------------------------------------------------------------------------------
/picture/7-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-3.png


--------------------------------------------------------------------------------
/picture/7-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-4.png


--------------------------------------------------------------------------------
/picture/7-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-5.png


--------------------------------------------------------------------------------
/picture/7-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-6.png


--------------------------------------------------------------------------------
/picture/7-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-7.png


--------------------------------------------------------------------------------
/picture/7-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/7-8.png


--------------------------------------------------------------------------------
/picture/8-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-1.png


--------------------------------------------------------------------------------
/picture/8-10.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-10.png


--------------------------------------------------------------------------------
/picture/8-11.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-11.png


--------------------------------------------------------------------------------
/picture/8-12.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-12.png


--------------------------------------------------------------------------------
/picture/8-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-2.png


--------------------------------------------------------------------------------
/picture/8-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-3.png


--------------------------------------------------------------------------------
/picture/8-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-4.png


--------------------------------------------------------------------------------
/picture/8-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-5.png


--------------------------------------------------------------------------------
/picture/8-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-6.png


--------------------------------------------------------------------------------
/picture/8-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-7.png


--------------------------------------------------------------------------------
/picture/8-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-8.png


--------------------------------------------------------------------------------
/picture/8-9.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/8-9.png


--------------------------------------------------------------------------------
/picture/9-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-1.png


--------------------------------------------------------------------------------
/picture/9-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-2.png


--------------------------------------------------------------------------------
/picture/9-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-3.png


--------------------------------------------------------------------------------
/picture/9-4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-4.png


--------------------------------------------------------------------------------
/picture/9-5.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-5.png


--------------------------------------------------------------------------------
/picture/9-6.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-6.png


--------------------------------------------------------------------------------
/picture/9-7.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-7.png


--------------------------------------------------------------------------------
/picture/9-8.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/k6ymaker/NJU-static-program-analysis-node/46752c55d97de6725cd9a73563ba32de7337c4c7/picture/9-8.png


--------------------------------------------------------------------------------
/thinking.md:
--------------------------------------------------------------------------------
1 | 记录我自己的一些思考
2 | 
3 | ## 上下文的意义是什么，时空的合并于拆解
4 | 函数的上下文，记录的函数的某一次调用，因为一个函数可以出现整个程序执行的任意时空，时可以理解为通过callsite做的上下文，空可以理为用object做的上下文，通过callsite、object list来记录特定的某一次的函数调用，对应于没有上下文的函数的传播，就把合并到一起的数据流分开了，在数据传播图或指针传播图中，把函数调用的上下文与变量相结合，进而把数据流动中的变量在不同时空下拆开了。反过来的在对抽象中，在一个循环中多次new的对象，如果都进行分析，那么程序分析的成本就急剧升高，那么我们通过堆抽象把它合并。对于数组引发的传播，不考虑index，同样是一个合并操作。整个分析中，在出现时空的取舍的时候，针对性的进行拆分和合并。
5 | 
6 | ## 指针传播可不可以翻过来传播？
7 | 
8 | 


--------------------------------------------------------------------------------