Call graph explained

A call graph (also known as a call multigraph[1] [2]) is a control-flow graph,[3] which represents calling relationships between subroutines in a computer program. Each node represents a procedure and each edge (f, g) indicates that procedure f calls procedure g. Thus, a cycle in the graph indicates recursive procedure calls.

Basic concepts

Call graphs can be dynamic or static.[4] A dynamic call graph is a record of an execution of the program, for example as output by a profiler. Thus, a dynamic call graph can be exact, but only describes one run of the program. A static call graph is a call graph intended to represent every possible run of the program. The exact static call graph is an undecidable problem, so static call graph algorithms are generally overapproximations. That is, every call relationship that occurs is represented in the graph, and possibly also some call relationships that would never occur in actual runs of the program.

Call graphs can be defined to represent varying degrees of precision. A more precise call graph more precisely approximates the behavior of the real program, at the cost of taking longer to compute and more memory to store. The most precise call graph is fully context-sensitive, which means that for each procedure, the graph contains a separate node for each call stack that procedure can be activated with. A fully context-sensitive call graph is called a calling context tree. This can be computed dynamically easily, although it may take up a large amount of memory. Calling context trees are usually not computed statically, because it would take too long for a large program. The least precise call graph is context-insensitive, which means that there is only one node for each procedure.

With languages that feature dynamic dispatch (i.e. Java or C++),[5] first-class functions (i.e. Python or Racket), or function pointers (i.e. C), computing a static call graph precisely requires alias analysis results. Conversely, computing precise aliasing requires a call graph. Many static analysis systems solve the apparent infinite regress by computing both simultaneously.

Usages

Call graphs can be used in different ways. One simple application of call graphs is finding procedures that are never called. Call graphs can act as documentation for humans to understand programs.[6] Call graphs can also be used to detect anomalies of program execution or code injection attacks.[7]

Software

Free software call graph generators

Run-time call graph (most of tools listed are profilers with call graph functionality)

Static for getting call graphs without running application

C/C++
Go
Multi-language
.NET
PHP, Perl and Python
XQuery

Proprietary call graph generators

LDRA Testbed : Static and dynamic analysis engines for both host and embedded software, with a myriad of reports including call graphs.
  • Project Analyzer : Static code analyzer and call graph generator for Visual Basic code
  • Visual Expert : Static code analyzer and call graph generator for Oracle PL/SQL, SQLServer Transact-SQL, C# and PowerBuilder code
  • Intel VTune Performance Analyzer : Instrumenting profiler to show call graph and execution statistics
  • DMS Software Reengineering Toolkit : Customizable program analysis tool with static whole-program global call graph extraction for C, Java and COBOL
  • Other, related tools

    Graphviz : Turns a text representation of any graph (including a call graph) into a picture.
  • tsort : Command-line utility that performs a topological sort.
  • Sample graph

    A sample call graph generated from gprof analyzing itself:

    index    called     name                              |index    called     name
          72384/72384       sym_id_parse [54]             |       1508/1508        cg_dfn [15]
    [3]   72384             match [3]                     |[13]   1508             pre_visit [13]
    ----------------------                                |----------------------
              4/9052        cg_tally [32]                 |       1508/1508        cg_assemble [38]
           3016/9052        hist_print [49]               |[14]   1508             propagate_time [14]
           6032/9052        propagate_flags [52]          |----------------------
    [4]    9052             sym_lookup [4]                |          2             cg_dfn [15]
    ----------------------                                |       1507/1507        cg_assemble [38]
           5766/5766        core_create_function_syms [41]|[15]   1507+2           cg_dfn [15]
    [5]    5766             core_sym_class [5]            |       1509/1509        is_numbered [9]
    ----------------------                                |       1508/1508        is_busy [11]
             24/1537        parse_spec [19]               |       1508/1508        pre_visit [13]
           1513/1537        core_create_function_syms [41]|       1508/1508        post_visit [12]
    [6]    1537             sym_init [6]                  |          2             cg_dfn [15]
    ----------------------                                |----------------------
           1511/1511        core_create_function_syms [41]|       1505/1505        hist_print [49]
    [7]    1511             get_src_info [7]              |[16]   1505             print_line [16]
    ----------------------                                |          2/9           print_name_only [25]
              2/1510        arc_add [31]                  |----------------------
           1508/1510        cg_assemble [38]              |       1430/1430        core_create_function_syms [41]
    [8]    1510             arc_lookup [8]                |[17]   1430             source_file_lookup_path [17]
    ----------------------                                |----------------------
           1509/1509        cg_dfn [15]                   |         24/24          sym_id_parse [54]
    [9]    1509             is_numbered [9]               |[18]     24             parse_id [18]
    ----------------------                                |         24/24          parse_spec [19]
           1508/1508        propagate_flags [52]          |----------------------
    [10]   1508             inherit_flags [10]            |         24/24          parse_id [18]
    ----------------------                                |[19]     24             parse_spec [19]
           1508/1508        cg_dfn [15]                   |         24/1537        sym_init [6]
    [11]   1508             is_busy [11]                  |----------------------
    ----------------------                                |         24/24          main [1210]
           1508/1508        cg_dfn [15]                   |[20]     24             sym_id_add [20]
    [12]   1508             post_visit [12]               |
    

    See also

    Notes and References

    1. Callahan . D. . Carle . A. . Hall . M. W.. Mary Hall (computer scientist) . Kennedy . K. . Constructing the procedure call multigraph . IEEE Transactions on Software Engineering . April 1990 . 16 . 4 . 483–487 . 10.1109/32.54302.
    2. Book: Uday Khedker. Amitabha Sanyal. Bageshri Sathe. Data Flow Analysis: Theory and Practice. 2009. CRC Press. 978-0-8493-3251-7. 234.
    3. Book: Pankaj Jalote. An Integrated Approach to Software Engineering. 1997. Springer Science & Business Media. 978-0-387-94899-7. 372. registration.
    4. Ryder . B.G. . Constructing the Call Graph of a Program . IEEE Transactions on Software Engineering . May 1979 . SE-5 . 3 . 216–226 . 10.1109/tse.1979.234183. 16527042 .
    5. Grove . David . DeFouw . Greg . Dean . Jeffrey . Chambers . Craig . Grove . David . DeFouw . Greg . Dean . Jeffrey . Chambers . Craig . 9 October 1997 . Call graph construction in object-oriented languages . ACM SIGPLAN Notices . ACM . 32 . 10 . 108, 108–124, 124 . 10.1145/263700.264352. free .
    6. Book: Eisenbarth . T. . Koschke . R. . Simon . D. . Proceedings IEEE International Conference on Software Maintenance. ICSM 2001 . Aiding program comprehension by static and dynamic feature analysis . 602–611 . 10.1109/icsm.2001.972777. 2001 . 0-7695-1189-9 . 5934718 .
    7. Book: Gao . Debin . Proceedings of the 11th ACM conference on Computer and communications security - CCS '04 . Reiter . Michael K. . Song . Dawn . Gray-box extraction of execution graphs for anomaly detection . 25 October 2004 . 318–329 . 10.1145/1030083.1030126. ACM. 1581139616 . 1189805 .