Static program analysis is a central technique to create secure and reliable software. Call graphs are crucial for interprocedural static analyses. Still, no systematic methods exist to assess their quality in terms of precision and soundness. The goal of this project is thus to develop such methods. This will allow developers of call-graph analyses to better understand and improve their analyses. At the same time, it will allow users of call graphs to select the analyses best suited for their respective use cases. The methods developed in this project will be independent of specific programming languages and static analyses and thus be broadly applicable. Major subgoals of the project are: 1. We will develop methods for the systematic assessment of call-graph quality and show their applicability. In order to do so, it will be necessary to collect trustworthy ground-truth data on what method calls occur in real-world programs. Further, we will select measures that can be used to assess call graphs, and we will evaluate how these measures can be interpreted. 2. In order to achieve this independent of specific programming languages and static analyses, we will develop a language-independent representation for call graphs. This will allow for the serialization of call graphs and their subsequent assessment. 3. As part of this project, we will create a framework that allows developers and users of call graphs to compare the quality of different implementations in a manner as automated as possible. The framework will compute and serialize call graphs, calculate selected measures, and allow the study of differences between different call graphs. 4. Based on the insights gained on the quality of call graphs and their challenges, we will propose new approaches to modularly compute call graphs. This will alleviate common problems of existing call-graph analyses, allow for the reuse of components between different call-graph algorithms, and also improve the comparability of different algorithms.

DFG Programme WBP Position