Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Scalable and Precise Application-Centered Call Graph Construction for Python

Kaifeng Huang, Yixuan Yan, Bihuan Chen, Zixin Tao, Xin Peng

TL;DR

The paper tackles the challenge of scalable, precise call graph construction for Python by introducing Jarvis, an application-centered CGC framework that uses per-function flow-sensitive type graphs ($\mathcal{FTG}$) and on-the-fly CG construction. Jarvis combines an AST-based representation with intra- and inter-procedural analyses to resolve calls efficiently, while maintaining modular summaries ($\mathcal{F}$, $\mathcal{C}$, $\mathcal{I}$) and a global call graph $\mathcal{CG}$ built during analysis. The approach demonstrates significant improvements over the state-of-the-art PyCG in both time and precision, particularly on large real-world programs, and shows practical benefits for dependency management and security analysis. Overall, Jarvis provides a scalable, more precise mechanism for Python CGC that can support large ecosystems and downstream tasks such as debloating and vulnerability reachability analysis.

Abstract

Call graph construction is the foundation of inter-procedural static analysis. PYCG is the state-of-the-art approach for constructing call graphs for Python programs. Unfortunately, PyCG does not scale to large programs when adapted to whole-program analysis where application and dependent libraries are both analyzed. Moreover, PyCG is flow-insensitive and does not fully support Python's features, hindering its accuracy. To overcome these drawbacks, we propose a scalable and precise approach for constructing application-centered call graphs for Python programs, and implement it as a prototype tool JARVIS. JARVIS maintains a type graph (i.e., type relations of program identifiers) for each function in a program to allow type inference. Taking one function as an input, JARVIS generates the call graph on-the-fly, where flow-sensitive intra-procedural analysis and inter-procedural analysis are conducted in turn and strong updates are conducted. Our evaluation on a micro-benchmark of 135 small Python programs and a macro-benchmark of 6 real-world Python applications has demonstrated that JARVIS can significantly improve PYCG by at least 67% faster in time, 84% higher in precision, and at least 20% higher in recall.

Scalable and Precise Application-Centered Call Graph Construction for Python

TL;DR

The paper tackles the challenge of scalable, precise call graph construction for Python by introducing Jarvis, an application-centered CGC framework that uses per-function flow-sensitive type graphs () and on-the-fly CG construction. Jarvis combines an AST-based representation with intra- and inter-procedural analyses to resolve calls efficiently, while maintaining modular summaries (, , ) and a global call graph built during analysis. The approach demonstrates significant improvements over the state-of-the-art PyCG in both time and precision, particularly on large real-world programs, and shows practical benefits for dependency management and security analysis. Overall, Jarvis provides a scalable, more precise mechanism for Python CGC that can support large ecosystems and downstream tasks such as debloating and vulnerability reachability analysis.

Abstract

Call graph construction is the foundation of inter-procedural static analysis. PYCG is the state-of-the-art approach for constructing call graphs for Python programs. Unfortunately, PyCG does not scale to large programs when adapted to whole-program analysis where application and dependent libraries are both analyzed. Moreover, PyCG is flow-insensitive and does not fully support Python's features, hindering its accuracy. To overcome these drawbacks, we propose a scalable and precise approach for constructing application-centered call graphs for Python programs, and implement it as a prototype tool JARVIS. JARVIS maintains a type graph (i.e., type relations of program identifiers) for each function in a program to allow type inference. Taking one function as an input, JARVIS generates the call graph on-the-fly, where flow-sensitive intra-procedural analysis and inter-procedural analysis are conducted in turn and strong updates are conducted. Our evaluation on a micro-benchmark of 135 small Python programs and a macro-benchmark of 6 real-world Python applications has demonstrated that JARVIS can significantly improve PYCG by at least 67% faster in time, 84% higher in precision, and at least 20% higher in recall.
Paper Structure (22 sections, 3 equations, 6 figures, 5 tables, 2 algorithms)

This paper contains 22 sections, 3 equations, 6 figures, 5 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Motivating Example
  3. Approach
  4. Notions and Domains
  5. Overview of Jarvis
  6. Intra-Procedural Analysis
  7. Initialize FTG
  8. Reuse FTG
  9. Update FTG
  10. Compute Output FTG
  11. Inter-Procedural Analysis
  12. Type Inference for CGC
  13. Compute $\theta_{call^{\prime}}$
  14. Compute $\Delta_{call^{\prime}}$
  15. Evaluation
  16. ...and 7 more sections

Figures (6)

  • Figure 1: Motivating Example Code and Call Graphs generated byPyCG and Jarvis
  • Figure 2: Notions of Our Analysis
  • Figure 3: Approach Overview of Jarvis
  • Figure 4: Transfer Rules of Our Analysis
  • Figure 5: The Size and Changed Proportion of the Assignment Graph (AG) in PyCG w.r.t the Number of Iterations
  • ...and 1 more figures

Theorems & Definitions (2)

  • Example 3.1
  • Example 3.2