• Product construction based on push down automata and context-free grammar equivalence
• Reachable pushdown configurations are regular

Reference:

• Reachability Analysis of Pushdown Automata: Application to Model Checking

* Visibly pushdown languages

Reference: * Visibly pushdown languages

• approximate the set of (stack, state) pairs - based on small step semantics
  • call-string approach
  • representing stack as e.g. linked list (see this paper)
• approximate the relation between initial and final state of procedure - based on big step semantics
  • add procedure entry variables, then approximate (consider e.g. linear constraints)
  • functional approach: map entry data flow facts to exit data flow facts

• distributive functions and supergraph
• checking context-free graph reachability

• Precise interprocedural dataflow analysis via graph reachability
• Type-Based Flow Analysis: From Polymorphic Subtyping to CFL-Reachability

Computations on heap can give different result depending on whether in precondition certain references refer to same objects or not. Procedure specifications are therefore important for such programs and automatically inferring them is challenging.

Reference:

• Efficient Context-Sensitive Pointer Analysis for C Programs
• Sophisticated Pointer and Escape Analysis with Procedure Summaries (Alex Salcianu PhD thesis)

• M. Sharir, and A. Pnueli. Two Approaches to Inter-Procedural Data-Flow Analysis. In Jones and Muchnik, editors, Program Flow Analysis: Theory and Applications. Prentice-Hall, 1981.
• The interprocedural coincidence theorem
• F. Nielson, H. R. Nielson, C. Hankin: Principles of program analysis, 2005. Chapter 2.5.