#include <stdlib.h>#include <stdio.h>#include "genC.h"#include "linear.h"#include "ri.h"#include "effects.h"#include "misc.h"#include "properties.h"#include "ri-util.h"#include "effects-util.h"#include "effects-generic.h"#include "pipsdbm.h"#include "prettyprint.h"#include "points-to.h"#include "transformer.h"#include "semantics.h"
Include dependency graph for interprocedural.c:
Go to the source code of this file.
Functions | |
| list | points_to_cells_parameters (list dl) |
| Transform a list of parameters of type "entity" to a list of cells. More... | |
| list | points_to_cells_pointer_arguments (list al) |
| Transform a list of arguments of type "expression" to a list of cells. More... | |
| points_to_graph | user_call_to_points_to (call c, points_to_graph pt_in, list el) |
| FI: limited to the interprocedural option. More... | |
| list | user_call_to_points_to_sinks (call c, type et __attribute__((unused)), pt_map in __attribute__((unused)), bool eval_p) |
| FI: I assume we do not need the eval_p parameter here. More... | |
| void | remove_arcs_from_pt_map (points_to pts, set pt_out) |
| pt_map | user_call_to_points_to_fast_interprocedural (call c, pt_map pt_in, list csel __attribute__((unused))) |
| ompute the points to relations in a fast interprocedural way More... | |
| bool | recursive_filter_formal_context_according_to_actual_context (list fcl, set pt_in, set pt_binded, set binding, set filtered) |
| This function looks for successors of elements of list "fcl" both in points-to relations "pt_in" and "pt_binded". More... | |
| static type | constant_string_type_to_string_type (type t) |
| We have to handle constant strings such as "Hello!" and not to forget functional parameters or other types. More... | |
| set | filter_formal_context_according_to_actual_context (list fpcl, set pt_in, set pt_binded, set binding) |
| Filter "pt_in" according to "pt_binded". More... | |
| static bool | new_recursive_filter_formal_context_according_to_actual_context (cell fc, cell ac, approximation ap, set pt_in, set pt_binded, set binding, set filtered) |
| The code is derived from generic_points_to_cell_to_useful_pointer_cell() with no filtering and a direct processing of the pairs of pointers obtained. More... | |
| static bool | merge_actual_and_formal_sinks (cell fc, list *pfcl, cell ac, list *pacl, set pt_in, set pt_binded, set filtered) |
| Handle constant cells such as NULL and UNDEFINED (nowhere) in "fcl" and "acl". More... | |
| static bool | new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair (cell fc, cell ac, approximation ap, set pt_in, set pt_binded, set binding, set filtered) |
| fc and ac are two pointer cells with same or compatible pointer type More... | |
| set | new_filter_formal_context_according_to_actual_context (list fpcl, set pt_in, set pt_binded, set binding) |
| set | filter_formal_out_context_according_to_formal_in_context (set out, set in, list wpl, entity f) |
| If an address has not been written, i.e. More... | |
| void | points_to_translation_of_struct_formal_parameter (cell fc, cell ac, approximation a, type st, set translation) |
| bool | points_to_translation_mapping_is_typed_p (set translation) |
| void | points_to_translation_of_formal_parameters (list fpcl, list al, pt_map pt_in, set translation) |
| List al and fpcl are assumed consistent, and consistent with the formal parameter ranks. More... | |
| void | add_implicitly_killed_arcs_to_kill_set (set pt_kill, list wpl, set pt_caller, set pt_out_callee_filtered, set binding, entity f) |
| Initial comments: add arcs of set "pt_caller" to set "pt_kill" if their origin cells are not in the list of written pointers "wpl" but is the origin of some exact arc in "pt_out_callee_filtered". More... | |
| list | translation_transitive_closure (cell c, set translation) |
| bool | aliased_translation_p (list fpcl, set translation) |
| See if two cells in "fpcl" point toward the same location via the transitive closure of "translation". More... | |
| static set | lower_points_to_approximations_according_to_write_effects (set pt_end, list wpl) |
| It is partly a kill and partly a gen operation. More... | |
| set | user_call_to_points_to_interprocedural_binding_set (call c, pt_map pt_caller) |
| Compute the binding relations in a complete interprocedural way: be as accurate as possible. More... | |
| pt_map | user_call_to_points_to_interprocedural (call c, pt_map pt_caller) |
| Compute the points-to relations in a complete interprocedural way: be as accurate as possible. More... | |
| pt_map | user_call_to_points_to_intraprocedural (call c, pt_map pt_in, list el __attribute__((unused))) |
| set | compute_points_to_kill_set (list written_must_translated, set pt_caller, set binding __attribute__((unused))) |
| Translate the "out" set into the scope of the caller. More... | |
| list | points_to_cell_translation (cell sr1, set binding, entity f) |
| Compute the list of cells that correspond to cell "sr1" according to the translation mapping "bm" when function "f" is called. More... | |
| list | generic_points_to_cells_translation (list cl, set binding, entity f, bool exact_p) |
| Allocate a new list with the translations of the cells in cl, when their translation make sense. More... | |
| list | points_to_cells_translation (list cl, set binding, entity f) |
| Allocate a new list with the translations of the cells in cl, when their translation make sense. More... | |
| list | points_to_cells_exact_translation (list cl, set binding, entity f) |
| Allocate a new list with the translations of the cells in cl, when their translation make sense and is unique (one-to-one mapping). More... | |
| set | compute_points_to_gen_set (set pt_out, list Written, set binding, entity f) |
| Translate the out set in the scope of the caller using the binding information, but eliminate irrelevant arcs using Written and the type of the source. More... | |
| set | points_to_binding_arguments (cell c1, cell c2, set in, set pt_binded) |
| Recursively find all the arcs, "ai", starting from the argument "c1" using "in", find all the arcs, "aj", starting from the parameter "c2" using "pt_binded", map each node "ai" to its corresponding "aj" and store the "ai->aj" arc in a new set, "bm". More... | |
| static list | generic_written_pointers_set (list eff, bool exact_p) |
| Filter out written effects on pointers. More... | |
| list | written_pointers_set (list eff) |
| Filter out written effects on pointers. More... | |
| list | certainly_written_pointers_set (list eff) |
| Filter out certainly written effects on pointers. More... | |
| set | compute_points_to_binded_set (entity called_func, list real_args, set pt_caller, bool *success_p) |
| For each actual argument "r" and its corresponding formal one "f", create the assignment "f = r;" and then compute the points-to set "s" generated by the assignment. More... | |
| set | points_to_binding (list args, set in, set pt_binded) |
| Apply points_to_binding_arguments() to each pair (, complete the process of binding each element of "in" to its corresponding memory address at the call site. More... | |
| list | generic_points_to_set_to_stub_cell_list (entity f, set s, list osl) |
| Add cells referencing a points-to stub found in parameter "s" are copied and added to list "osl". More... | |
| list | points_to_set_to_stub_cell_list (set s, list osl) |
| list | points_to_set_to_module_stub_cell_list (entity m, set s, list osl) |
| cell | points_to_source_alias (points_to pt, set pt_binded) |
| Let "pt_binded" be the results of assignments of actual arguments to formal arguments (see compute_points_to_binded_set()). More... | |
Function Documentation
◆ add_implicitly_killed_arcs_to_kill_set()
| void add_implicitly_killed_arcs_to_kill_set | ( | set | pt_kill, |
| list | wpl, | ||
| set | pt_caller, | ||
| set | pt_out_callee_filtered, | ||
| set | binding, | ||
| entity | f | ||
| ) |
Initial comments: add arcs of set "pt_caller" to set "pt_kill" if their origin cells are not in the list of written pointers "wpl" but is the origin of some exact arc in "pt_out_callee_filtered".
This is beneficial when "pt_out" is more precise than "pt_caller" because of a free or a test. This is detrimental when "pt_caller" is more precise than "pt_out_callee_filtered" because the intraprocedural analysis of the callee had to assume a possible NULL pointer that did not really exist (see Mensi.sub/struct_inter03.c). So it would be better to compute the intersection of "pt_caller" and "translation(pt_out, binding)" and to kill all arcs in "pt_caller" minus this intersection... if they are related in some way to the callee... Some more thinking needed.
Equations retrieved from the C code
K = { c | \exits pt c=source(pt) !\in Written ^ |translation(source(pt), binding, f)|==1 ^ atomic(translation(source(pt), binding, f) }
pt_kill = {pt in pt_caller | \exists c \in K binding(c)==source(pt)}
K is a set of cells defined in the frame of the callee and pt_kill a set of points-to defined in the frame of the caller.
Examples:
Indirect free of a pointed cell
"main() {p = malloc(); * my_free(p);}" with "my_free(int * p) {free(p);}".
p->heap in pt_caller must be removed from pt_end, hence p->heap belongs to pt_kill
Other possibilities must be linked to tests and executions errors.
void foo(int * ap) {bar(ap);}
void bar(int * fp) { *p = 1;}
As a result ap->_ap_1, EXACT because ap->NULL has been killed
void bar(int * fp) {if(fp==NULL) exit(1); return;}
The result should be the same as above.
Arc out_pt has been implicitly obtained
- Parameters
-
pt_kill t_kill wpl pl pt_caller t_caller pt_out_callee_filtered t_out_callee_filtered binding inding
Definition at line 1663 of file interprocedural.c.
References add_arc_to_simple_pt_map, approximation_exact_p, CAR, CELL, cell_undefined, f(), gen_free_list(), gen_length(), generic_atomic_points_to_cell_p(), int, points_to_approximation, points_to_cell_equal_p(), points_to_cell_in_list_p(), points_to_cell_translation(), points_to_source, and SET_FOREACH.
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ aliased_translation_p()
See if two cells in "fpcl" point toward the same location via the transitive closure of "translation".
| must_conflict_p
Print the transitive closures
Clean up the hash-table...
- Parameters
-
fpcl pcl translation ranslation
Definition at line 1735 of file interprocedural.c.
References CAR, CELL, cell_any_reference(), ENDP, entity_user_name(), fprintf(), gen_copy_seq(), gen_free_list(), hash_get(), HASH_MAP, hash_pointer, hash_put(), hash_table_free(), hash_table_make(), pips_user_warning, points_to_cell_lists_may_conflict_p(), points_to_cell_lists_must_conflict_p(), points_to_context_statement_line_number(), POP, print_points_to_cells, reference_variable, statement_points_to_context_defined_p(), and translation_transitive_closure().
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ certainly_written_pointers_set()
Filter out certainly written effects on pointers.
- Parameters
-
eff ff
Definition at line 2614 of file interprocedural.c.
References generic_written_pointers_set().
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ compute_points_to_binded_set()
| set compute_points_to_binded_set | ( | entity | called_func, |
| list | real_args, | ||
| set | pt_caller, | ||
| bool * | success_p | ||
| ) |
For each actual argument "r" and its corresponding formal one "f", create the assignment "f = r;" and then compute the points-to set "s" generated by the assignment.
The result is the union of "pt_caller" and "s".
Be careful with vararags
This is not sufficient to handle varargs. Much more thinking needed. And corect examples.
C does not support array assignments...
This may happen with a constant string as actual parameter and an array, bounded or not, as formal parameter.
A formal array can be called with a dereferencing expression
See Pointers/Mensi.sub/array_pointer_free01: array fp is associated to &p[0] or to p->q or to c.a ...
It would be nice to build an assignment of rhs to fp and to let it deal with the many possible kinds of assignments. But if it is a pure points-to function, the symbolic subscripts are going to be lost. This is fine for points-to translation, but not OK for effects translation.
In the short term, build the assignment...
The assignment failed because the call site is not compatible with the caller.
- Parameters
-
called_func alled_func real_args eal_args pt_caller t_caller success_p uccess_p
Definition at line 2623 of file interprocedural.c.
References add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), anywhere_cell_p(), array_type_p(), array_type_to_element_type(), assignment_to_points_to(), call_function, CAR, CDR, CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), CONS, copy_cell(), copy_points_to(), ENDP, entity_basic_concrete_type(), entity_to_expression(), entity_user_name(), EXPRESSION, expression_call(), expression_call_p(), expression_reference(), expression_reference_p(), expression_string_constant_p(), expression_to_points_to_cells(), f(), find_ith_parameter(), FOREACH, functional_parameters, gen_free_list(), gen_last(), gen_length(), heap_cell_p(), int, make_approximation_exact(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_points_to_graph(), make_reference(), NIL, PARAMETER, parameter_type, pips_internal_error, pointer_type_p(), POINTS_TO, points_to_equal_p(), points_to_graph_bottom, points_to_graph_set, points_to_rank(), points_to_sink, points_to_source, reference_variable, set_assign(), set_del_element(), SET_FOREACH, set_generic_make(), set_private, set_union(), struct_type_p(), stub_entity_of_module_p(), type_functional, and type_varargs_p.
Referenced by user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ compute_points_to_gen_set()
Translate the out set in the scope of the caller using the binding information, but eliminate irrelevant arcs using Written and the type of the source.
This is pt_gen_1 in Amira Mensi's dissertation.
Also, pay attention to translation errors because they are related to programming bugs, such as pointer arithmetic applied to pointers to scalar.
Consider all points-to arcs "(sr1, sk1)" in "pt_out"
Keep arcs whose source is:
- an array, because it has certainly not been passed by copy;
- not a scalar formal parameter: again, no copy passing;
- not written by the procedure, because, even if it passed by copy, the actual parameter is aliased.
In other word, get rid of scalar formal parameter that are written.
Translate sr1
Translate sk1 if needed
The translation of pt's sink failed.
Note: the piece of code below is replicated
The caller does not have to have counterparts for all hypothetical stubs that may be developped in callee.
The translation of pt's source failed. This may occur because the callee had to assume a pointer points to an array, whereas the call site associates it to a scalar.
See for instance Pointers/formal_parameter01.c
But this may also occur because the formal parameter cannot be translated because the effective argument is an address_of expression. See for instance EffectsWithPointsTO/call01.c.
We have no way to guess here the reason for the translation failure...
Could be a user error, but you may prefer to go on with the points-to analysis to perform some dead code elimination later...
- Parameters
-
pt_out t_out Written ritten binding inding
Definition at line 2342 of file interprocedural.c.
References anywhere_cell_p(), approximation_may_p, approximation_undefined, array_type_p(), atomic_points_to_cell_p(), CAR, CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), CONS, copy_approximation(), copy_cell(), ENDP, entity_basic_concrete_type(), entity_to_module_entity(), f(), FOREACH, formal_parameter_p(), fprintf(), free_approximation(), gen(), gen_free_list(), gen_length(), heap_cell_p(), ifdebug, int, make_approximation_may(), make_descriptor_none(), make_points_to(), new_simple_pt_map, NIL, nowhere_cell_p(), null_cell_p(), pips_user_warning, points_to_approximation, points_to_cell_in_list_p(), points_to_cell_name(), points_to_cell_translation(), points_to_sink, points_to_source, print_points_to_set(), reference_variable, set_add_element(), SET_FOREACH, set_free(), set_undefined, and set_undefined_p.
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ compute_points_to_kill_set()
| set compute_points_to_kill_set | ( | list | written_must_translated, |
| set | pt_caller, | ||
| set binding | __attribute__(unused) | ||
| ) |
Translate the "out" set into the scope of the caller.
Shouldn't it be the "written" list that needs to be translated?
Remove all points-to arc from pt_caller whose origin has been fully written
Definition at line 2146 of file interprocedural.c.
References atomic_points_to_cell_p(), CELL, cell_any_reference(), cell_to_reference(), cell_undefined, CONS, copy_reference(), entity_local_name(), FOREACH, formal_parameter_p(), gen_full_copy_list(), gen_nconc(), heap_cell_p(), make_cell_reference(), new_simple_pt_map, NIL, points_to_cell_equal_p(), points_to_compare_cell(), points_to_sink, points_to_source, reference_indices, reference_variable, same_string_p, set_add_element(), SET_FOREACH, source_in_set_p(), and written.
Referenced by user_call_to_points_to_fast_interprocedural(), and user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ constant_string_type_to_string_type()
We have to handle constant strings such as "Hello!" and not to forget functional parameters or other types.
Basically, type "t" is returned unchanged, unless "t" is a functional type "void->string".
The initial implementation of this function used the cell "ac" and the variable "a" whose type is sought and was safer:
reference ar = cell_any_reference(ac); entity a = reference_variable(ar); if(constant_string_entity_p(a)) nt = ...
Any function of type "void->string" is considered a "string" object. Let's hope it is ok in the points-to environment. Else, an additional parameter must be passed.
This function is located in the points-to library because it is where it is useful. It would be even more useful if it returned a "char *" or a "char[]", but this would imply a type allocation. As it is, no new type is allocated.
To be fully effective, the argument must be a basic concrete type.
Definition at line 543 of file interprocedural.c.
References ENDP, f(), functional_parameters, functional_result, pl, string_type_p(), type_functional, and type_functional_p.
Referenced by filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), and points_to_translation_mapping_is_typed_p().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ filter_formal_context_according_to_actual_context()
| set filter_formal_context_according_to_actual_context | ( | list | fpcl, |
| set | pt_in, | ||
| set | pt_binded, | ||
| set | binding | ||
| ) |
Filter "pt_in" according to "pt_binded".
For instance, a formal parameter can point to NULL in "pt_in" only if it also points to NULL in "pt_binded". In the same way, a formal parameter can point to a points-to stub in "pt_in" only if it points to a non-NULL target in "pt_binded". Also, a formal parameter cannot points exactly to UNDEFINED in "pt_binded" as it would be useless (not clear if we can remove such an arc when it is a may arc...). Finally, each formal parameter must still point to something.
The context of the caller may be insufficiently developped because its does not use explictly a pointer that is a formal parameter for it. For instance:
foo(int ***p) {bar(int ***p);}
The formal context of "foo()" must be developped when the formal context of "bar()" is imported. For instance, *p, **p and ***p may be accessed in "bar()", generating points-to stub in "bar". Similar stubs must be generated here for "foo()" before the translation can be performed.
This is also true for global variables. pt_in may contain arcs that should exist in pt_binded, and hence pt_caller. It may also contain arcs that deny the existence of some arcs in pt_caller.
Copy arcs "pt" from "pt_in" into the "filtered" set if they are compatible with "pt_binded". The set "pt_in" is reduced.
Do we have the same arc in pt_binded?
We have to deal recursively with stubs of the formal context and first with the global variables...although they, or their stubs, do not require any translation? Why is the points-to information about q lost in the translation of the call site to call03 in main (PointersWithEffects/call03.c)
FI: I do not understand why I have to do this for EffectsWithPointsTo/pointer_modif04.c. Because the arc "pt" in "pt_in" is more precise than the information available in "pt_caller". For instance, "pt_in" may contain "stderr->_stderr_0[0], Exact", while "pt_caller" may contain "stderr->_stderr_0[0], May", "stderr->NULL, May". Basically, we have not thought about the kill set generated for the global variables.
Useless when called from effects... In fact, it should never be called from effects...
FI: we do not know what we really do here... An arc is not taken into account, but it might be taken into account recursively below.
Compute the binding relation for sinks of the formal arguments and global variables
We have to handle constant strings such as "Hello!" and not to forget functional parameters.
If "fc" is not a pointer, look for pointers in "fc"
Now, we have to call about the same function recursively on the list of formal sinks
Some arcs have been removed, so other arcs may be promoted from "may" to "exact".
- Parameters
-
fpcl pcl pt_in t_in pt_binded t_binded binding inding
Definition at line 582 of file interprocedural.c.
References adapt_reference_to_type(), add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), approximation_undefined, arc_in_points_to_set_p(), array_pointer_string_type_equal_p(), array_type_p(), CELL, cell_any_reference(), cell_points_to_non_null_sink_in_set_p(), constant_string_entity_p(), constant_string_type_to_string_type(), copy_approximation(), copy_cell(), copy_points_to(), ENDP, FOREACH, free_approximation(), functional_result, gen_free_list(), gen_length(), gen_nconc(), get_bool_property(), global_variable_p(), ifdebug, int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), new_simple_pt_map, NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_debug, pips_internal_error, pips_user_error, points_to_cell_add_zero_subscript(), points_to_cell_complete_with_zero_subscripts(), points_to_cell_to_concrete_type(), points_to_cell_to_useful_pointer_cells(), points_to_context_statement_line_number(), points_to_reference_to_concrete_type(), points_to_sink, points_to_source, points_to_source_to_any_sinks(), points_to_translation_mapping_is_typed_p(), print_points_to_set(), recursive_filter_formal_context_according_to_actual_context(), reference_to_string(), reference_variable, related_points_to_cell_in_list_p(), semantics_user_warning, SET_FOREACH, set_free(), set_undefined, statement_points_to_context_defined_p(), static_global_variable_p(), type_functional, type_functional_p, type_structurally_equal_p(), type_to_full_string_definition(), update_points_to_context_with_arc(), and upgrade_approximations_in_points_to_set().
Here is the call graph for this function:
◆ filter_formal_out_context_according_to_formal_in_context()
| set filter_formal_out_context_according_to_formal_in_context | ( | set | out, |
| set | in, | ||
| list | wpl, | ||
| entity | f | ||
| ) |
If an address has not been written, i.e.
it is not in list "wpl", then the points-to information is the intersection of the in and out information.
The set "in" may be modified by side effect. A new set, "filtered_out" is computed. By definition, they are equivalent for the addresses that are not in list "wpl".
The arcs are shared by the different sets. But I may allocate new ones: yet another potential memory leak...
First, filter out according to in
The source of the arc may not have been modified but the sink probably has been freed: the arc must be preserved
The source of the arc has been modified: the arc must be preserved
the arc defining the return value must be preserved: no!
Is this points-to arc also in set "in"? With or without the same approximation?
Second, filter set "in" with respect to new set "filtered_out".
Is this points-to arc also in set "in"? With or without the same approximation?
- Parameters
-
out ut in n wpl pl
Definition at line 1263 of file interprocedural.c.
References add_arc_to_simple_pt_map, any_function_to_return_value(), approximation_exact_p, approximation_undefined, cell_any_reference(), CONS, copy_approximation(), copy_cell(), f(), FOREACH, make_descriptor_none(), make_points_to(), new_simple_pt_map, NIL, nowhere_cell_p(), out, POINTS_TO, points_to_approximation, points_to_cell_in_list_p(), points_to_sink, points_to_source, reference_variable, remove_arc_from_simple_pt_map, SET_FOREACH, and similar_arc_in_points_to_set_p().
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ generic_points_to_cells_translation()
Allocate a new list with the translations of the cells in cl, when their translation make sense.
Effects on copied parameters are discarded.
If exact_p is required, translate only cells that can be translated exactly.
- Parameters
-
cl l binding inding exact_p xact_p
Definition at line 2286 of file interprocedural.c.
References array_type_p(), CELL, cell_any_reference(), entity_basic_concrete_type(), f(), FOREACH, formal_parameter_p(), gen_free_list(), gen_length(), gen_nconc(), NIL, points_to_cell_translation(), and reference_variable.
Referenced by points_to_cells_exact_translation(), and points_to_cells_translation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ generic_points_to_set_to_stub_cell_list()
Add cells referencing a points-to stub found in parameter "s" are copied and added to list "osl".
The stubs are returned as cells not as entities.
New cells are allocated. No sharing is created between parameter "s" and result "sl".
- Parameters
-
osl sl
Definition at line 2829 of file interprocedural.c.
References CELL, cell_any_reference(), CONS, copy_cell(), entity_stub_sink_p(), entity_undefined_p, f(), gen_sort_list(), ifdebug, points_to_cell_in_list_p(), points_to_compare_ptr_cell(), points_to_sink, points_to_source, print_points_to_cells, reference_variable, SET_FOREACH, and stub_entity_of_module_p().
Referenced by points_to_set_to_module_stub_cell_list(), and points_to_set_to_stub_cell_list().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ generic_written_pointers_set()
Filter out written effects on pointers.
Definition at line 2590 of file interprocedural.c.
References approximation_exact_p, approximation_must_p, CELL, CONS, debug_off, debug_on, effect_approximation, effect_cell, effect_pointer_type_p(), effects_write_effects(), FOREACH, gen_nconc(), and NIL.
Referenced by certainly_written_pointers_set(), and written_pointers_set().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ lower_points_to_approximations_according_to_write_effects()
|
static |
It is partly a kill and partly a gen operation.
FI: the very same function must exist for pointer assignments I guess
Definition at line 1804 of file interprocedural.c.
References add_arc_to_simple_pt_map, CONS, copy_cell(), FOREACH, make_approximation_may(), make_descriptor_none(), make_points_to(), NIL, POINTS_TO, points_to_cell_in_list_p(), points_to_sink, points_to_source, remove_arc_from_simple_pt_map, and SET_FOREACH.
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ merge_actual_and_formal_sinks()
|
static |
Handle constant cells such as NULL and UNDEFINED (nowhere) in "fcl" and "acl".
Update "fcl" is needed, as well as "pt_binded" and "filtered", a subset of "pt_in".
A points-to arc should be removed from pt_binded and/or added to a pt_kill set...
Definition at line 809 of file interprocedural.c.
References add_arc_to_simple_pt_map, CELL, cell_undefined, copy_points_to(), FOREACH, gen_remove(), nowhere_cell_p(), null_cell_p(), points_to_sink, points_to_source, remove_arc_from_simple_pt_map, and SET_FOREACH.
Referenced by new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ new_filter_formal_context_according_to_actual_context()
| set new_filter_formal_context_according_to_actual_context | ( | list | fpcl, |
| set | pt_in, | ||
| set | pt_binded, | ||
| set | binding | ||
| ) |
Copy arcs "pt" from "pt_in" into the "filtered" set if they are compatible with "pt_binded". The set "filtered" is a subset of "pt_in".
Do we have the same arc in pt_binded?
We have to deal recursively with stubs of the formal context and first with the global variables... although they, or their stubs, do not require any translation? Why is the points-to information about q lost in the translation of the call site to call03 in main (PointersWithEffects/call03.c)
FI: I do not understand why I have to do this for EffectsWithPointsTo/pointer_modif04.c. Because the arc "pt" in "pt_in" is more precise than the information available in "pt_caller". For instance, "pt_in" may contain "stderr->_stderr_0[0], Exact", while "pt_caller" may contain "stderr->_stderr_0[0], May", "stderr->NULL, May". Basically, we have not thought about the kill set generated for the global variables.
Useless when called from effects... In fact, it should never be called from effects...
FI: we do not know what we really do here... An arc is not taken into account, but it might be taken into account recursively below.
Compute the binding relation for sinks of the formal arguments and global variables
We have to handle constant strings such as "Hello!" and not to forget functional parameters.
Some arcs have been removed, so other arcs may be promoted from "may" to "exact".
- Parameters
-
fpcl pcl pt_in t_in pt_binded t_binded binding inding
Definition at line 1039 of file interprocedural.c.
References adapt_reference_to_type(), add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), approximation_undefined, arc_in_points_to_set_p(), array_pointer_string_type_equal_p(), array_type_p(), CELL, cell_any_reference(), cell_points_to_non_null_sink_in_set_p(), constant_string_entity_p(), constant_string_type_to_string_type(), copy_approximation(), copy_cell(), copy_points_to(), FOREACH, free_approximation(), functional_result, gen_length(), get_bool_property(), global_variable_p(), ifdebug, int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), new_recursive_filter_formal_context_according_to_actual_context(), new_simple_pt_map, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_debug, pips_internal_error, pips_user_error, points_to_cell_add_zero_subscript(), points_to_cell_complete_with_zero_subscripts(), points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), points_to_reference_to_concrete_type(), points_to_sink, points_to_source, points_to_source_to_any_sinks(), points_to_translation_mapping_is_typed_p(), print_points_to_set(), reference_to_string(), reference_variable, related_points_to_cell_in_list_p(), semantics_user_warning, SET_FOREACH, set_free(), set_undefined, statement_points_to_context_defined_p(), static_global_variable_p(), type_functional, type_functional_p, type_structurally_equal_p(), type_to_full_string_definition(), update_points_to_context_with_arc(), and upgrade_approximations_in_points_to_set().
Referenced by user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ new_recursive_filter_formal_context_according_to_actual_context()
|
static |
The code is derived from generic_points_to_cell_to_useful_pointer_cell() with no filtering and a direct processing of the pairs of pointers obtained.
cells fc and ac are assumed type compatible.
Look for pointer and struct and array of pointers or struct fields
transformer
Definition at line 971 of file interprocedural.c.
References add_arc_to_simple_pt_map, array_of_pointers_type_p(), array_of_struct_type_p(), char_star_constant_function_type_p(), copy_approximation(), copy_cell(), ENTITY, entity_basic_concrete_type(), f(), FOREACH, make_descriptor_none(), make_points_to(), new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair(), null_cell_p(), overloaded_type_p(), pips_internal_error, pointer_type_p(), points_to_cell_add_field_dimension(), points_to_cell_add_unbounded_subscripts(), points_to_cell_to_concrete_type(), struct_type_p(), struct_type_to_fields(), and type_equal_p().
Referenced by new_filter_formal_context_according_to_actual_context(), and new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair()
|
static |
fc and ac are two pointer cells with same or compatible pointer type
Update binding and filtered according to their sinks.
For instance, if "ac" only points to the undefined cells, the call site is not consistent because "fc" is assumed by the caller to point to a defined cell. "ok_p" is set to false.
if "fc" points to NULL in pt_in, but "ac" does not point to NULL, the corresponding arc is not copied in "filtered".
if "fc" points to "nfc" in "pt_in" and "ac" points to "nac" in "pt_binded", then arc "fc->nfc" is copied in "pt_binded" and arc "nfc->nac" is added in "binding".
No optimization in number of scans for the different sets
pointer fc is not dereferenced, no need to go down
FI: the algorithm seems wrong because a dynamic allocation can occur in the callee and be unknown from pt_binded. See Ancourt3009.sub/call09 and call10. I do not understand why call10 provides a result... and call09 fails utterly.
The caller may not have had yet a need for the corresponding stub
Definition at line 896 of file interprocedural.c.
References add_arc_to_simple_pt_map, approximation_exact_p, CELL, CONS, copy_cell(), create_stub_points_to(), ENDP, FOREACH, gen_length(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), merge_actual_and_formal_sinks(), new_recursive_filter_formal_context_according_to_actual_context(), NIL, nowhere_cell_p(), points_to_cell_to_string(), points_to_sink, points_to_source_to_some_sinks(), semantics_user_warning, type_undefined, and update_points_to_context_with_arc().
Referenced by new_recursive_filter_formal_context_according_to_actual_context().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_binding()
Apply points_to_binding_arguments() to each pair (, complete the process of binding each element of "in" to its corresponding memory address at the call site.
Necessary to translate the fields of structures.
"args": list of formal parameters of some callee
"in": points-to in of the callee
"pt_binded": points-to from formal to actual parameters for a specific call site
A new set is allocated.
Process each formal parameter and look for its actual values in "pt_binded"
- Parameters
-
args rgs in n pt_binded t_binded
Definition at line 2780 of file interprocedural.c.
References CELL, cell_any_reference(), cell_entity_equal_p(), cell_equal_p(), copy_cell(), ENDP, FOREACH, new_simple_pt_map, pips_assert, points_to_binding_arguments(), points_to_source, points_to_source_alias(), reference_indices, set_clear(), SET_FOREACH, set_free(), and set_union().
Referenced by user_call_to_points_to_fast_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_binding_arguments()
Recursively find all the arcs, "ai", starting from the argument "c1" using "in", find all the arcs, "aj", starting from the parameter "c2" using "pt_binded", map each node "ai" to its corresponding "aj" and store the "ai->aj" arc in a new set, "bm".
"pt_binded" contains the correspondance between formal and actual parameters, e.g. "fp->ap", with some information about the possible approximations because one formal parameter can points toward several actual memory locations of the caller.
"in" contains the formal context of the callee, as it stands at its entry point (DBR_POINTS_TO_IN).
"bm" is the binding relationship between references of the formal context of the callees towards addresses of the caller. For instance, when function "void foo(int ** fp)" is called as "ap=&q; foo(ap);", bm = {(_ap_1, q)}.
See Amira Mensi's PhD dissertation, chapter about interprocedural analysis
Recursive call down the different points_to paths
Here we have, for instance, "q[*]" in "c1" for "q[4]" in "in".
FI: I do not see how to handle incompatibility between assumptions...
(!source_in_set_p(c1, in) && !source_subset_in_set_p(c1, in))
c1 is not a pointer: it is simply mapped to c2
- Parameters
-
c1 1 c2 2 in n pt_binded t_binded
Definition at line 2513 of file interprocedural.c.
References add_arc_to_simple_pt_map, approximation_undefined, CELL, copy_cell(), ENDP, FOREACH, gen_full_copy_list(), gen_length(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), new_simple_pt_map, nowhere_cell_p(), null_cell_p(), pips_assert, pips_internal_error, points_to_source_to_some_sinks(), recursive_cell_to_pointer_cells(), s1, set_clear(), set_free(), set_union(), source_in_set_p(), and source_subset_in_set_p().
Referenced by points_to_binding().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_cell_translation()
Compute the list of cells that correspond to cell "sr1" according to the translation mapping "bm" when function "f" is called.
The check with rv may be useless, for instance when a sink cell is checked, as it is impossible (in C at least) to points toward the return value.
Translate sr1 if needed
No translation is needed.
We assume here that the subscript list of sr1, the reference to translate, is longer than the subscript list of sr2, the source of its translation.
- Parameters
-
sr1 r1 binding inding
Definition at line 2211 of file interprocedural.c.
References any_function_to_return_value(), CAR, CELL, cell_any_reference(), cell_to_reference(), compatible_points_to_subscripts_p(), CONS, copy_cell(), copy_reference(), ENDP, entity_anywhere_locations_p(), entity_local_name(), entity_to_module_entity(), entity_typed_anywhere_locations_p(), EXPRESSION, f(), gen_length(), gen_nconc(), heap_cell_p(), make_cell_reference(), NIL, pips_assert, points_to_compare_cell(), points_to_sink, points_to_source, POP, reference_indices, reference_variable, s1, same_string_p, SET_FOREACH, and source_in_set_p().
Referenced by add_implicitly_killed_arcs_to_kill_set(), compute_points_to_gen_set(), and generic_points_to_cells_translation().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_cells_exact_translation()
Allocate a new list with the translations of the cells in cl, when their translation make sense and is unique (one-to-one mapping).
Effects on copied parameters are discarded.
- Parameters
-
cl l binding inding
Definition at line 2327 of file interprocedural.c.
References f(), and generic_points_to_cells_translation().
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_cells_parameters()
Transform a list of parameters of type "entity" to a list of cells.
interprocedural.c
The list is not sorted. It is probably a reversed list.
- Parameters
-
dl l
Definition at line 68 of file interprocedural.c.
References array_type_p(), CELL, CONS, ENTITY, entity_basic_concrete_type(), FOREACH, formal_parameter_p(), gen_nconc(), location_entity_p(), make_cell_reference(), make_reference(), NIL, pointer_type_p(), and struct_type_p().
Referenced by user_call_to_points_to(), user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_cells_pointer_arguments()
Transform a list of arguments of type "expression" to a list of cells.
The list is not sorted. It is probably a reversed list.
- Parameters
-
al l
Definition at line 90 of file interprocedural.c.
References CELL, CONS, EXPRESSION, expression_pointer_p(), expression_reference(), expression_reference_p(), FOREACH, gen_nconc(), make_cell_reference(), and NIL.
Referenced by user_call_to_points_to_fast_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_cells_translation()
Allocate a new list with the translations of the cells in cl, when their translation make sense.
Effects on copied parameters are discarded.
- Parameters
-
cl l binding inding
Definition at line 2318 of file interprocedural.c.
References f(), and generic_points_to_cells_translation().
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_set_to_module_stub_cell_list()
- Parameters
-
osl sl
Definition at line 2860 of file interprocedural.c.
References generic_points_to_set_to_stub_cell_list().
Referenced by user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_set_to_stub_cell_list()
- Parameters
-
osl sl
Definition at line 2855 of file interprocedural.c.
References entity_undefined, and generic_points_to_set_to_stub_cell_list().
Here is the call graph for this function:
◆ points_to_source_alias()
Let "pt_binded" be the results of assignments of actual arguments to formal arguments (see compute_points_to_binded_set()).
Let "pt" be a points-to arc in "pt_binded".
Find for the source of p its corresponding alias, which means finding another source that points to the same location.
- Parameters
-
pt t pt_binded t_binded
Definition at line 2873 of file interprocedural.c.
References cell_equal_p(), cell_undefined, cell_undefined_p, pips_internal_error, points_to_sink, points_to_source, and SET_FOREACH.
Referenced by points_to_binding().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_translation_mapping_is_typed_p()
FI: for some reason, the translation was built wrongly to express the fact that the source points to any element of the sink as in Semantics-New/Ancourt3009/memcpy09c where pointer arithmetic is used in the actual argument expression.
out -> buffer_out[*]
out cannot be replaced by buffer_out, because out[i] would result in buffer_out[i] instead of buffer_out[*].
- Parameters
-
translation ranslation
Definition at line 1433 of file interprocedural.c.
References array_pointer_string_type_equal_p(), cell_any_reference(), char_star_constant_function_type_p(), char_type_p(), constant_string_entity_p(), constant_string_type_to_string_type(), overloaded_type_p(), pips_internal_error, points_to_cell_to_concrete_type(), points_to_sink, points_to_source, reference_variable, SET_FOREACH, type_functional_p, and type_to_pointed_type().
Referenced by filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), points_to_translation_of_formal_parameters(), and recursive_filter_formal_context_according_to_actual_context().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_translation_of_formal_parameters()
| void points_to_translation_of_formal_parameters | ( | list | fpcl, |
| list | al, | ||
| pt_map | pt_in, | ||
| set | translation | ||
| ) |
List al and fpcl are assumed consistent, and consistent with the formal parameter ranks.
assumption about fpcl
This function does not return constant memory paths... This could fixed below with calls to points_to_indices_to_unbounded_indices(), but it could/should also be fixed later in the processing, at callees level. See EffectsWithPointsTo.sub/call05.c
See also EffectsWithPointsTo.sub/call08.c: &y[i][1] You need expression_to_points_to_sinks() on such a lhs expression...
This occurs with actual argument "&e": when the address-of operator is used, the relation between the formal parameter, let say "p", and "e" cannot be expressed unless we build a location entity with name "&e".
Beware of constant character strings
Likely to be wrong whe the formal parameter is a pointer and the actual parameter is a simple pointer, or a pointer to an array with fewer dimensions.
- Parameters
-
fpcl pcl al l pt_in t_in translation ranslation
Definition at line 1483 of file interprocedural.c.
References add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), array_of_pointers_type_p(), array_of_struct_type_p(), array_pointer_string_type_equal_p(), array_type_p(), CAR, CELL, cell_any_reference(), copy_approximation(), copy_cell(), ENDP, ENTITY, entity_basic_concrete_type(), entity_storage, EXPRESSION, expression_to_points_to_sinks(), expression_to_points_to_sources(), f(), FOREACH, formal_offset, free_approximation(), functional_parameters, functional_result, gen_last(), gen_length(), gen_nth(), gen_remove_once(), int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), pips_assert, pips_internal_error, pointer_type_p(), points_to_cell_add_zero_subscript(), points_to_cell_to_concrete_type(), points_to_translation_mapping_is_typed_p(), points_to_translation_of_struct_formal_parameter(), reference_indices, reference_variable, scalar_type_p(), storage_formal, struct_type_p(), struct_type_to_fields(), type_equal_p(), type_functional, type_functional_p, and zero_expression_p().
Referenced by user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ points_to_translation_of_struct_formal_parameter()
| void points_to_translation_of_struct_formal_parameter | ( | cell | fc, |
| cell | ac, | ||
| approximation | a, | ||
| type | st, | ||
| set | translation | ||
| ) |
We assume that cell fc and cell ac are of type st and that st is a struct type.
- Parameters
-
fc c ac c st t translation ranslation
Definition at line 1365 of file interprocedural.c.
References add_arc_to_simple_pt_map, array_of_pointers_type_p(), array_of_struct_type_p(), array_type_to_element_type(), compute_basic_concrete_type(), copy_approximation(), copy_cell(), ENTITY, entity_basic_concrete_type(), f(), FOREACH, free_cell(), make_descriptor_none(), make_points_to(), pointer_type_p(), points_to_cell_add_field_dimension(), points_to_cell_add_unbounded_subscripts(), struct_type_p(), and struct_type_to_fields().
Referenced by points_to_translation_of_formal_parameters().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ recursive_filter_formal_context_according_to_actual_context()
| bool recursive_filter_formal_context_according_to_actual_context | ( | list | fcl, |
| set | pt_in, | ||
| set | pt_binded, | ||
| set | binding, | ||
| set | filtered | ||
| ) |
This function looks for successors of elements of list "fcl" both in points-to relations "pt_in" and "pt_binded".
Update the formal context defined by "pt_binded" on demand as necessary according to "pt_in", update the translation mapping "binding" according to the new pairs found, and go down recursively with a new list of constant paths, "nfcl", the possible successors in the formal context of the callee of elements in "fcl" when possible. In fact, the elements in "nfcl" must be pointers and are not necessarily the successors of elements of "fcl", but pointers contained in them.
This function is very similar to filter_formal_context_according_to_actual_context(), but a little bit more tricky. Amira Mensi unified both in her own version, but the unification makes the maintenance more difficult.
Copy only possible arcs "pt" from "pt_in" into the "filtered" set
FI: this assert may be too strong FI: This assert is too strong for Pointers/formal_parameter01 and its message is misleading because "source" is not an element of "fcl". Elements of "fcl" must be translated, but related elements may not be translatable because the effective context is not as rich as the formal context. For instance, the formal context may expect an array for each formal scalar pointer, but the effective target may be a scalar. And an error must be raised if pointer arithmetic is used in the callee.
Make sure pt_binded is large enough: the pointer may be initialized before the call to the caller and used only in the callee. Because of the on-demand approach, pt_binded does not contain enough elements.
Do we have a similar arc in pt_binded?
Compute the binding relation for sinks of the formal context list "fcl"
If "fc" is not a pointer, look for pointers in "fc"
Now, we have to call about the same function recursively on the list of formal sinks
- Parameters
-
fcl cl pt_in t_in pt_binded t_binded binding inding filtered iltered
Definition at line 362 of file interprocedural.c.
References add_arc_to_simple_pt_map, any_source_to_sinks(), approximation_undefined, CELL, cell_must_point_to_nowhere_sink_in_set_p(), cell_points_to_non_null_sink_in_set_p(), cell_points_to_nowhere_sink_in_set_p(), cell_points_to_null_sink_in_set_p(), copy_approximation(), copy_cell(), copy_points_to(), ENDP, FOREACH, free_approximation(), gen_free_list(), gen_length(), gen_nconc(), int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_internal_error, points_to_cell_add_zero_subscript(), points_to_cell_in_list_p(), points_to_cell_to_concrete_type(), points_to_cell_to_string(), points_to_cell_to_useful_pointer_cells(), points_to_cells_to_pointer_cells(), points_to_sink, points_to_source, points_to_source_to_sinks(), points_to_source_to_some_sinks(), points_to_translation_mapping_is_typed_p(), related_points_to_cell_in_list_p(), semantics_user_warning, SET_FOREACH, tc, and type_equal_p().
Referenced by filter_formal_context_according_to_actual_context().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ remove_arcs_from_pt_map()
- Parameters
-
pts ts pt_out t_out
Definition at line 231 of file interprocedural.c.
References add_arc_to_simple_pt_map, cell_equal_p(), copy_cell(), entity_anywhere_locations(), make_approximation_exact(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_reference(), NIL, points_to_sink, points_to_source, remove_arc_from_simple_pt_map, and SET_FOREACH.
Referenced by user_call_to_points_to_intraprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ translation_transitive_closure()
We are done
- Parameters
-
translation ranslation
Definition at line 1702 of file interprocedural.c.
References CELL, CONS, ENDP, FOREACH, gen_copy_seq(), gen_free_list(), gen_nconc(), make_points_to_graph(), NIL, points_to_cell_in_list_p(), and points_to_sources_to_effective_sinks().
Referenced by aliased_translation_p().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ user_call_to_points_to()
| points_to_graph user_call_to_points_to | ( | call | c, |
| points_to_graph | pt_in, | ||
| list | el | ||
| ) |
FI: limited to the interprocedural option.
pcl =
Using memory effects does not simplify the points-to analysis, which is a preliminary analusis wrt memory effects
- Parameters
-
pt_in t_in el l
Definition at line 106 of file interprocedural.c.
References call_function, code_declarations, entity_basic_concrete_type(), entity_initial, f(), fast_interprocedural_points_to_analysis_p(), interprocedural_points_to_analysis_p(), pips_internal_error, points_to_cells_parameters(), points_to_graph_bottom, type_functional_p, user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), user_call_to_points_to_intraprocedural(), and value_code.
Referenced by call_to_points_to(), and user_call_condition_to_points_to().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ user_call_to_points_to_fast_interprocedural()
| pt_map user_call_to_points_to_fast_interprocedural | ( | call | c, |
| pt_map | pt_in, | ||
| list csel | __attribute__(unused) | ||
| ) |
ompute the points to relations in a fast interprocedural way
"c" is the call site
"pt_in" is the points-to information available before the call site is executed.
"csel" is the call site effect list
Compute kill_1 = effective parameters of pointer type should point to nowhere in case the function call the free routine.
Definition at line 262 of file interprocedural.c.
References add_arc_to_simple_pt_map, call_arguments, call_function, CELL, cell_to_nowhere_sink(), code_declarations, compute_points_to_binded_set(), compute_points_to_kill_set(), copy_cell(), copy_points_to(), db_get_memory_resource(), entity_initial, f(), FOREACH, gen_full_copy_list(), ifdebug, load_summary_effects(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), module_local_name(), new_simple_pt_map, points_to_binding(), points_to_cell_equal_p(), points_to_cells_parameters(), points_to_cells_pointer_arguments(), points_to_equal_p(), points_to_graph_set, points_to_list_list, points_to_rank(), points_to_sink, points_to_source, print_points_to_set(), set_assign_list(), set_difference(), SET_FOREACH, set_generic_make(), set_private, set_union(), value_code, and written_pointers_set().
Referenced by user_call_to_points_to().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ user_call_to_points_to_interprocedural()
Compute the points-to relations in a complete interprocedural way: be as accurate as possible.
Not much to do if both IN and OUT are empty, except if OUT is bottom (see below)
This used to be only useful when a free occurs with the callee, since information about formal parameters used to be normally projected out.
Global variables do not require any translation in C, but it might more convenient to apply translation uniformly, without checking for global variables... Or the other way round?
Filter "pt_in" according to "pt_binded". For instance, a formal parameter can point to NULL in "pt_in" only if it also points to NULL in pt_binded. In the same way, a formal parameter can point to a points-to stub in "pt_in" only if it points to a non-NULL target in pt_binded. Also, a formal parameter cannot points exactly to UNDEFINED in "pt_binded" as it would be useless (not clear if we can remove such an arc when it is a may arc...). Finally, each formal parameter must still point to something. The mapping "binding" is augmented as needed. as well as "pt_caller" because of the on-demand approach. But "pt_binded" is not updated accordingly (?).
set pt_in_filtered =
filter_formal_context_according_to_actual_context(fpcl,
pt_in,
pt_binded,
binding);
We have to test if pt_binded is compatible with pt_in_callee
We have to start by computing all the elements of E (stubs)
See if two formal parameters can reach the same memory cell, i.e. transitive closure of binding map. We should take care of global variables too...
If no pointer is written, aliasing is not an issue
Explicitly written pointers imply some arc removals; pointer assignments directly or indirectly in the callee.
FI: pt_caller_s may have been modified implictly because the formal context has been increased according to the needs of the callee. But pt_caller_s may also have been updated by what has happened prevously when analyzing the current statement. See for instance Pointers/sort01.c.
Compute pt_kill_2
Implicitly written pointers imply some arc removals: free(), tests and exits. These are the elements of pt_kill_1, although the equations do not seem to fit at all since pt_in_filtered is not an argument...
Translation failure, incompatibility between the call site and the callee.
Some check
Use written/wpl to reduce the precision of exact arcs in pt_end. This is equivalent to pt_kill_3 and pt_gen_3.
FI: I do not understand why the precision of the write is not exploited. We may need to use mwpl instead of wpl
Some check
This cannot be performed earlier because the points-to precondition of the caller may have to be enriched according to the formal context of the callee, or the effect computation is going to fail.
- Parameters
-
pt_caller t_caller
Definition at line 1892 of file interprocedural.c.
References add_implicitly_killed_arcs_to_kill_set(), aliased_translation_p(), call_arguments, call_function, certainly_written_pointers_set(), clear_pt_map, code_declarations, compute_points_to_binded_set(), compute_points_to_gen_set(), compute_points_to_kill_set(), consistent_points_to_set(), consistent_pt_map_p, db_get_memory_resource(), ENDP, entity_initial, entity_user_name(), f(), filter_formal_out_context_according_to_formal_in_context(), gen_full_copy_list(), ifdebug, load_body_effects(), lower_points_to_approximations_according_to_write_effects(), module_local_name(), new_filter_formal_context_according_to_actual_context(), new_simple_pt_map, NIL, pips_assert, pips_internal_error, pips_user_warning, points_to_cells_exact_translation(), points_to_cells_parameters(), points_to_cells_translation(), points_to_context_statement_in(), points_to_context_statement_line_number(), points_to_graph_bottom, points_to_graph_set, points_to_list_bottom, points_to_list_list, points_to_set_to_module_stub_cell_list(), points_to_translation_of_formal_parameters(), print_points_to_set(), set_assign_list(), set_difference(), set_undefined_p, set_union(), user_call_to_points_to_intraprocedural(), value_code, and written_pointers_set().
Referenced by user_call_to_points_to().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ user_call_to_points_to_interprocedural_binding_set()
Compute the binding relations in a complete interprocedural way: be as accurate as possible.
This piece of code has been copied from user_call_to_points_to_interprocedural(), which should be modularized...
Not much to do if both IN and OUT are empty, except if OUT is bottom (see below)
For the side effect on binding
set pt_in_filtered =
filter_formal_context_according_to_actual_context(fpcl,
pt_in,
pt_binded,
binding);
- Parameters
-
pt_caller t_caller
Definition at line 1835 of file interprocedural.c.
References call_arguments, call_function, code_declarations, compute_points_to_binded_set(), consistent_pt_map_p, db_get_memory_resource(), ENDP, entity_initial, entity_user_name(), f(), gen_full_copy_list(), get_current_module_entity(), ifdebug, module_local_name(), new_filter_formal_context_according_to_actual_context(), new_simple_pt_map, pips_assert, points_to_cells_parameters(), points_to_graph_bottom, points_to_graph_set, points_to_list_list, points_to_translation_of_formal_parameters(), print_points_to_set(), semantics_user_warning, set_assign_list(), set_free(), set_undefined_p, and value_code.
Here is the call graph for this function:
◆ user_call_to_points_to_intraprocedural()
| pt_map user_call_to_points_to_intraprocedural | ( | call | c, |
| pt_map | pt_in, | ||
| list el | __attribute__(unused) | ||
| ) |
Definition at line 2117 of file interprocedural.c.
References call_arguments, cell_equal_p(), expression_to_points_to_sources(), FOREACH, points_to_graph_set, points_to_sink, points_to_source, remove_arcs_from_pt_map(), SET_FOREACH, and source_in_graph_p().
Referenced by user_call_to_points_to(), and user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ user_call_to_points_to_sinks()
| list user_call_to_points_to_sinks | ( | call | c, |
| type et | __attribute__(unused), | ||
| pt_map in | __attribute__(unused), | ||
| bool | eval_p | ||
| ) |
FI: I assume we do not need the eval_p parameter here.
No, we return either the return value, or the cells pointed by the return value.
This is a very convoluted way to return the return value...
Remove all arcs related to the return value of the callee. This never happens when eval_p is false because rvptl is NIL
FI: definitely the intraprocedural version
Definition at line 150 of file interprocedural.c.
References ANYWHERE_LOCATION, call_function, CELL, cell_any_reference(), compute_basic_concrete_type(), CONS, copy_cell(), entity_all_xxx_locations(), entity_all_xxx_locations_typed(), entity_basic_concrete_type(), entity_local_name(), entity_to_sinks(), entity_undefined, f(), fast_interprocedural_points_to_analysis_p(), FOREACH, free_expressions(), function_to_return_value(), functional_result, gen_free_list(), gen_nconc(), get_bool_property(), interprocedural_points_to_analysis_p(), make_cell_reference(), make_reference(), NIL, POINTS_TO, points_to_graph_set, points_to_sink, points_to_source, reference_indices, reference_variable, remove_arc_from_simple_pt_map, SET_FOREACH, type_functional, type_to_pointed_type(), and ultimate_type().
Referenced by call_to_points_to_sinks().
Here is the call graph for this function:
Here is the caller graph for this function:
◆ written_pointers_set()
Filter out written effects on pointers.
- Parameters
-
eff ff
Definition at line 2609 of file interprocedural.c.
References generic_written_pointers_set().
Referenced by user_call_to_points_to_fast_interprocedural(), and user_call_to_points_to_interprocedural().
Here is the call graph for this function:
Here is the caller graph for this function:
