
Global Analysis

In bottom-up analysis, since we take individual functions as analysis boundaries and do not consider the program execution order, we cannot resolve the states of variables from outside the function (such as external variables and function parameters), which we abstract as "anything". As mentioned above, we mark some key "anything" states, and the goal of the global analysis stage is to resolve the states of these key "anything" values.

The global analysis stage starts from the program's entry point and re-analyzes each function along the call chain according to the program's execution order. This stage basically reuses the code from the bottom-up analysis phase, with the only difference being that we do not analyze all statements but only those containing key "anything" states (e.g., "call anything()"). The function summaries generated in the bottom-up phase can also be reused. When analyzing a method, we check if its function summary contains marked key States. If not, we directly end the analysis of the method; if yes, we only re-analyze the statements where the key States are located. If the output State of a statement changes after re-analysis, we will also analyze subsequent statements affected by this change.

During the global analysis stage, we maintain a call stack onto which functions are pushed in the order they are called during program execution. When analyzing a key "anything" state, we search up the call stack layer by layer until we can associate the "anything" with a specific State.
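The call-stack lookup described above, as an added sketch that is not the project's own code. It covers only the `call anything()` case where the callee is a function parameter; the `PROGRAM` table, the function names, and the transitive `needs_global` summary check are assumptions made for this toy model.

```python
# Constructed toy program. A call is (callee, args); a callee that is one of
# the enclosing function's parameters is a key "anything" state that the
# bottom-up phase could not resolve.
PROGRAM = {
    "main":    {"params": [],     "calls": [("run", ["handler"]), ("log", [])]},
    "run":     {"params": ["cb"], "calls": [("apply", ["cb"])]},
    "apply":   {"params": ["f"],  "calls": [("f", [])]},   # call anything()
    "handler": {"params": [],     "calls": []},
    "log":     {"params": [],     "calls": []},
}

def needs_global(name, seen=frozenset()):
    """Summary check (assumed transitive): is a key state reachable from here?"""
    if name in seen:
        return False
    fn = PROGRAM[name]
    return any(c in fn["params"] or
               (c in PROGRAM and needs_global(c, seen | {name}))
               for c, _ in fn["calls"])

def resolve(name, stack):
    """Search up the call stack until the name maps to a concrete function."""
    for _func, bindings in reversed(stack):
        if name not in bindings:
            break
        name = bindings[name]      # what the caller passed for this parameter
    return name if name in PROGRAM else None

def global_analysis(entry):
    """Walk from the entry point; return (function, key state, resolved target)."""
    resolved, stack = [], []
    def visit(func, args):
        fn = PROGRAM[func]
        # No key state in the summary: end the analysis of this function.
        if not needs_global(func) or any(f == func for f, _ in stack):
            return
        stack.append((func, dict(zip(fn["params"], args))))
        for callee, call_args in fn["calls"]:
            target = resolve(callee, stack)
            if callee in fn["params"]:          # a key "anything" statement
                resolved.append((func, callee, target))
            if target is not None:
                visit(target, call_args)
        stack.pop()
    visit(entry, [])
    return resolved

if __name__ == "__main__":
    print(global_analysis("main"))
```

Starting the walk at `apply` instead of `main` leaves the key state unresolved (`None`), because no caller frame exists to supply a binding for `f`.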