Lotus: Program Analysis Framework

Lotus is a comprehensive program analysis, verification, and optimization framework built on LLVM. It provides multiple toolkits that can be used individually or in combination for various static analysis tasks.

User Guide

• Major Components Overview
  • Alias Analysis
  • Intermediate Representations
  • Machine Learning Features
  • Abstract Interpretation
  • Utilities and Reachability
• Architecture Overview
  • System Architecture
  • Core Components
  • Analysis Flow
  • Pointer Analysis Architectures
  • Abstract Interpretation Flow (CLAM)
  • Data Structures
  • Performance Considerations
  • Extension Points
• Quick Start Guide
  • Basic Usage
  • Alias Analysis
  • Bug Detection
  • Abstract Interpretation
  • Program Dependence Graph
  • Dynamic Validation
  • Example Analysis
• Installation Guide
  • Prerequisites
  • Building Lotus
  • Configuration Options
  • Z3 Installation
  • Troubleshooting
• Tutorials and Examples
  • Tutorial 1: Basic Alias Analysis
  • Tutorial 2: Detecting Integer Overflow
  • Tutorial 3: Null Pointer Detection
  • Tutorial 4: Taint Analysis
  • Tutorial 5: Abstract Interpretation with CLAM
  • Tutorial 6: Program Dependence Graph Queries
  • Tutorial 7: Dynamic Validation with DynAA
  • Tutorial 8: Interprocedural Analysis
  • Tutorial 9: Concurrency Analysis
  • Best Practices
  • Next Steps
• Bug Detection with Lotus
  • Overview
  • Bug Categories
  • Tool 1: Kint - Integer and Array Analysis
  • Tool 2: Taint Analysis
  • Tool 3: Concurrency Checker
  • Best Practices
  • Output Formats
  • Integration Examples
  • See Also
• PDG Query Language (Cypher)
  • Overview
  • Getting Started
  • Language Reference
  • Security Analysis Examples
  • Query File Format
  • Best Practices
  • Limitations
  • Performance Tips
  • Troubleshooting
  • See Also
• Property-Based Slicing
  • Overview
  • Property Specification Format
  • Supported Property Types
  • Usage
  • Example
  • Integration with Verification
• Verification Backend Abstraction
  • Overview
  • Supported Backends
  • Property Classes
  • Usage
  • Result Format
  • Example Output
  • Programmatic Usage
  • Adding New Backends
• Instrumentation Passes
  • Available Passes
  • Example Workflow
  • All Passes Together
  • Integration with Verification
• Troubleshooting and FAQ
  • Installation Issues
  • Analysis Issues
  • Tool-Specific Issues
  • Performance Tuning
  • Frequently Asked Questions
  • Common Error Messages
  • Getting Help
  • See Also
• Command-Line Tools
  • Tools by Subdirectory

Core Components

• Alias Analysis
  • Alias Analysis Components
  • AllocAA — Allocation-Based AA
  • Sparrow Pointer Analysis — Inclusion AA
  • AserPTA — Pointer Analysis
  • CclyzerAA
  • DDA
  • DFPA
  • DyckAA — Dyck-CFL Analysis
  • Sea-DSA — Memory Graph AA
  • FPA — Function Pointer Analyses (FLTA/MLTA/MLTADF/KELP)
  • LotusAA — Lotus AA Engine
  • UnderApproxAA — Must-Alias Analysis
  • DynAA — Dynamic Alias AA
  • Strict Relations Alias Analysis — Algorithm
  • 1. vSSA / SSI Transformation
  • 2. Symbolic Range Analysis
  • 3. Strict-Inequality Construction
  • 4. Constraint Propagation Solver
  • 5. Alias Disambiguation (Final Decision)
  • 6. PDG Memory-Node Reduction (Applicability)
  • Summary of Properties
  • End of document.
  • Pointer Analysis Metrics
  • Points-To Set Backends
  • Alias Specification Manager
  • TPA: Flow- and Contex-Sensitive Pointer Analysis
  • TypeQualifier
• Analysis Framework
  • Overview
• Annotations
  • Annotation Framework
  • ModRef Function Effect Specifications
  • Pointer Effect Specifications
  • Taint Configuration Format and API
• Applications
  • Components
• Context-Free Language Analysis
  • CFL Reachability Components
  • CSIndex: Indexed Context-Sensitive CFL Reachability
  • Interleaved Dyck Graph Reduction
  • Mutual Refinement for CFL Reachability
• Data Flow Analysis
  • Algebraic Program Analysis (APA)
  • Control Flow Support
  • Monotone Dataflow Engine
  • Overview
  • Core Idea
  • Example Analyses
  • IFDS / IDE Engine
  • Overview
  • IFDS: Set-Valued Problems
  • IDE: Value-Enriched Problems
  • Usage
  • Command-Line Tool: lotus-taint
  • WPDS Dataflow Engine
  • Overview
  • Core Idea
  • Example Analyses
  • Newtonian Program Analysis (NPA)
  • Overview
  • Conceptual Background
  • Mathematical Foundation
  • Examples and Applications
  • Distributive vs. Non-Distributive Analyses
  • Core Implementation (include/Dataflow/NPA/Core)
  • Usage Notes
  • Practical notes for numeric domains
  • References
• Intermediate Representations
  • ICFG — Interprocedural Control Flow Graph
  • Overview
  • Key Features
  • Components
  • Usage
  • Integration
  • PDG — Program Dependence Graph
  • Overview
  • Core Passes
  • Unified Query API
  • High-Level Usage
  • pdg-query Analysis Mode
  • SSI — Static Single Information
  • Overview
  • Key Features
  • SSI Formalism
  • Components
  • SSI Instructions
  • Algorithm
  • Usage
  • Integration
  • vSSA — Variable Static Single Assignment
  • Overview
  • Key Features
  • vSSA Instructions
  • Algorithm
  • Components
  • Usage
  • Integration with SRAA
  • Example
  • References
  • SVFG — Sparse Value-Flow Graph
  • Overview
  • Key Features
  • Node Types
  • Edge Types
  • Architecture
  • Usage
  • Integration
  • Components
  • References
  • GVFG
  • GSA — Gated SSA
  • Overview
  • Key Features
  • Core Types
  • Passes
  • Usage
  • Command-Line Options
  • Behavior Notes
  • MemorySSA — Memory Static Single Assignment
  • Overview
  • Key Features
  • Shadow Memory Instructions
  • Components
  • Usage
  • Integration
• Overview
• MemoryMLFeaturesPass
• Features Extracted
• Feature Output
• Analysis Dependencies
• Integration Notes
• Related Components
• Optimization
  • ModuleOptimizer
  • AInliner (Aggressive Inliner)
  • LICM (Loop Invariant Code Motion)
  • SWPrefetching (Software Prefetching)
  • MemorySSA Optimizations
  • Integration with Analysis
• Solvers
  • CUDD (Binary Decision Diagrams)
  • SMT (Satisfiability Modulo Theories)
  • WPDS (Weighted Pushdown Systems)
  • SMT Samplers
  • SMT Formula Abstraction (SymAbs)
  • SMT-LIB to LLVM Translation (SLOT)
  • SMT Theory Arbitrage (STAUB)
  • E-Graph Quantifier Simplification (EGraphsSimp)
• Transforms
  • Transform Passes
  • Nisse
• Utilities
  • Utility Libraries
  • Utility ADTs and Worklists
  • Path Expression Algorithms
  • Microbenchmark Helpers
  • Parsing and Serialization Utilities
  • LLVM Utility Layer
  • Parallel Execution Infrastructure
  • Platform and Console Utilities
  • Random Number Utilities
  • Core Utility Types
• Verification
  • Verification Support Analyses
  • Verification Backend API
  • CLAM – Abstract Interpretation Framework
  • Sifa
  • SymAbsAI – Symbolic Abstraction + Abstract Interpretation
  • SeaHorn Verification Framework
  • Failure-Directed Trimming
  • Verification Transformation Passes
• Checker Framework
  • Overview
  • Components
  • Build Targets
  • Usage
  • Programmatic Usage
  • Bug Types
  • Integration Points
  • See Also

Developer Documentation

• API Reference
  • Alias Analysis APIs
  • Intermediate Representation APIs
  • Data Flow Analysis APIs
  • Abstract Interpretation APIs
  • Constraint Solving APIs
  • Bug Detection APIs
  • Utility APIs
  • Example: Complete Analysis Tool
  • See Also
• Developer Guide
  • Development Environment Setup
  • Code Organization
  • Adding a New Alias Analysis
  • Adding a New Bug Checker
  • Adding a New Abstract Domain
  • Adding a Data Flow Analysis
  • Testing and Debugging
  • Performance Optimization
  • Contributing to Lotus
  • Common Pitfalls
  • Resources
  • Community
  • See Also

Features

• Multiple Alias Analysis Algorithms: DyckAA, Sea-DSA, SparrowAA, AserPTA, FPA, OriginAA (CFL via LLVM)

• Dynamic Analysis Validation: DynAA for validating static analysis results

• Intermediate Representations: PDG, SVFG, DyckVFG

• Constraint Solving: SMT (Z3), BDD (CUDD), WPDS

• Data Flow Analysis: IFDS/IDE framework, taint analysis

• Bug Detection: Integer overflow, null pointer, buffer overflow detection

• LLVM Integration: Built on LLVM 14 with comprehensive IR support

Supported Platforms

• x86 Linux

• ARM Mac

• LLVM 14.0.0

• Z3 4.11

Publications

• ISSTA 2025: Program Analysis Combining Generalized Bit-Level and Word-Level Abstractions Guangsheng Fan, Liqian Chen, Banghu Yin, Wenyu Zhang, Peisen Yao, and Ji Wang. The ACM SIGSOFT International Symposium on Software Testing and Analysis.

• S&P 2024: Titan: Efficient Multi-target Directed Greybox Fuzzing Heqing Huang, Peisen Yao, Hung-Chun Chiu, Yiyuan Guo, and Charles Zhang.

• USENIX Security 2024: Unleashing the Power of Type-Based Call Graph Construction by Using Regional Pointer Information Yuandao Cai, Yibo Jin, and Charles Zhang.

• TSE 2024: Fast and Precise Static Null Exception Analysis with Synergistic Preprocessing Yi Sun, Chengpeng Wang, Gang Fan, Qingkai Shi, and Xiangyu Zhang.

• OOPSLA 2022: Indexing the Extended Dyck-CFL Reachability for Context-Sensitive Program Analysis Qingkai Shi, Yongchao Wang, Peisen Yao, and Charles Zhang.

Indices and tables

• Index

• Module Index

• Search Page