PIPS
|
#include <stdlib.h>
#include <stdio.h>
#include "genC.h"
#include "linear.h"
#include "ri.h"
#include "ri-util.h"
#include "prettyprint.h"
#include "effects.h"
#include "effects-util.h"
#include "misc.h"
#include "properties.h"
#include "bootstrap.h"
#include "points-to.h"
Go to the source code of this file.
Variables | |
static statement | malloc_statement = statement_undefined |
Heap modelling. More... | |
static int | malloc_counter = 0 |
list application_to_points_to_sinks | ( | application | a, |
type et | __attribute__(unused), | ||
pt_map | in | ||
) |
Definition at line 1388 of file sinks.c.
References ANYWHERE_LOCATION, application_function, CELL, CONS, entity_all_xxx_locations(), entity_all_xxx_locations_typed(), entity_undefined, expression_to_type(), f(), get_bool_property(), make_cell_reference(), make_reference(), NIL, and pips_user_warning.
Referenced by expression_to_points_to_cells().
FI: it might be better to integrate this update in points_to_cell_add_field_dimension() in order to exploit available information directly and to return a consistent cell. Anyway, seems useless here
Already performed elsewhere. The value returned by expression
in | n |
eval_p | val_p |
Definition at line 327 of file sinks.c.
References anywhere_cell_p(), array_type_p(), binary_intrinsic_expression, call_arguments, call_function, CAR, CDR, CELL, cell_any_reference(), cell_gap_p, cell_preference_p, cell_reference, cell_reference_p, cell_tag, cell_typed_anywhere_locations_p(), clear_pt_map, CONS, consistent_points_to_graph_p(), copy_cell(), copy_expression(), ENDP, ENTITY_ASSIGN_P, entity_basic_concrete_type(), ENTITY_CALLOC_SYSTEM_P, ENTITY_FIELD_P, ENTITY_FOPEN_P, ENTITY_MINUS_C_P, ENTITY_MINUS_P, ENTITY_MINUS_UPDATE_P, ENTITY_PLUS_C_P, ENTITY_PLUS_P, ENTITY_PLUS_UPDATE_P, ENTITY_POINT_TO_P, ENTITY_REALLOC_SYSTEM_P, entity_typed_anywhere_locations(), EXPRESSION, expression_syntax, expression_to_points_to_sinks(), expression_to_points_to_sinks_with_offset(), expression_to_points_to_sources(), f(), FindOrCreateTopLevelEntity(), FOREACH, free_cell(), free_expression(), free_reference(), gen_full_copy_list(), gen_full_free_list(), gen_nconc(), heap_cell_p(), make_anywhere_cell(), make_anywhere_reference(), make_cell_reference(), make_null_cell(), make_reference(), make_unbounded_expression(), MakeIoFileArray(), MakeUnaryCall(), malloc_to_points_to_sinks(), MULTIPLY_OPERATOR_NAME, NIL, nowhere_cell_p(), null_cell_p(), pips_assert, pips_internal_error, pips_user_warning, points_to_cell_add_field_dimension(), points_to_cell_add_zero_subscripts(), points_to_context_statement_line_number(), points_to_expression_to_concrete_type(), points_to_graph_bottom, points_to_graph_undefined_p, pt_map_undefined_p, reference_variable, remove_impossible_arcs_to_null(), source_to_sinks(), syntax_reference, UNARY_MINUS_OPERATOR_NAME, and zero_expression_p().
Referenced by intrinsic_call_to_points_to_sinks().
No check, but all elements of sinks should be of a type compatible with type "et".
et | t |
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 112 of file sinks.c.
References call_function, CELL, CONS, constant_int, constant_int_p, constant_p(), entity_initial, entity_name, entity_type, f(), intrinsic_call_to_points_to_sinks(), is_value_code, is_value_constant, is_value_intrinsic, is_value_symbolic, is_value_unknown, make_cell_reference(), make_reference(), NIL, pips_internal_error, points_to_anywhere_sinks(), points_to_null_sinks(), string_type_p(), type_to_returned_type(), user_call_to_points_to_sinks(), value_constant, and value_tag.
Referenced by expression_to_points_to_cells().
Handling of cast: play it safe! Either the cast is partly redundant and can be ignored or anywhere is returned.
Design choice: can we have static aliasing with constant paths? Can we have different types for one constant path? Maybe we could have some static aliasing for stubs, using an offset in the formal context, but we cannot manage static aliasing at the reference level, i.e. at the constant path level.
FI: do we need eval_p? Yes! We may need to produce the source or the sink.
Note: the problem linked to eval_p has not been analyzed properly; the code should be simplified.
Relevant test cases: Rice/test03
FI: we need here to return a list of points-to objects so as to warn the user in case the types are not compatible with the property ALIAS_ACROSS_TYPES or to fix the cells allocated in heap. However, this business if more likely to be performed in sinks.c
Definition at line 1091 of file sinks.c.
References cast_expression, cast_type, compute_basic_concrete_type(), ENDP, expression_to_points_to_sinks(), expression_to_points_to_sources(), gen_free_list(), list_undefined, NIL, pips_internal_error, pointer_type_p(), process_casted_sinks(), and process_casted_sources().
Referenced by expression_to_points_to_cells().
Definition at line 80 of file sinks.c.
References make_cell_reference(), make_reference(), and NIL.
Referenced by make_null_cell().
allocate a new list of sinks with one element, abstract or concrete, e.
No check on e for the time being
Definition at line 72 of file sinks.c.
References CELL, CONS, make_cell_reference(), make_reference(), and NIL.
Referenced by points_to_anywhere_sinks(), points_to_null_sinks(), and user_call_to_points_to_sinks().
list expression_to_points_to_cells | ( | expression | e, |
pt_map | in, | ||
bool | eval_p, | ||
bool | constant_p | ||
) |
Return a possibly empty list of abstract locations whose addresses are possible value of expression "e" evaluated with points-to information "in".
Expression "e" is assumed to evaluate as a lhs, i.e. some memory address. If not, an empty list is returned.
Additional information could be passed in a second pass analysis, e.g. preconditions.
The generated sinks are all constant memory paths. A more advanced analysis could use storage-sentitive information, that would have to be updated with effects and transformers.
The list returned should be fully allocated with no sharing between it and the in points-to set. Hopefully...
reference + range + call + cast + sizeofexpression + subscript + application
This test does not make sense for pointer19.c. Since the sink_cell is saturated with indices, its type is double. e_c_t is a 3-D array of pointers to double, f_e_t is a pointer towards a 2-D array of pointers to double... What could be checked here?
This test does not make sence for pointer22.c either. We only need to check that the sink reference can be modified by dropping a few subscript to match the pointer type.
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 1650 of file sinks.c.
References adapt_reference_to_type(), application_to_points_to_sinks(), array_pointer_string_type_equal_p(), array_type_p(), array_type_to_element_type(), call_to_points_to_sinks(), CAR, cast_to_points_to_sinks(), CDR, CELL, cell_any_reference(), char_star_constant_function_type_p(), char_star_type_p(), compute_basic_concrete_type(), constant_p(), copy_reference(), expression_syntax, expression_to_type(), FOREACH, free_reference(), free_type(), ifdebug, is_syntax_application, is_syntax_call, is_syntax_cast, is_syntax_range, is_syntax_reference, is_syntax_sizeofexpression, is_syntax_subscript, is_syntax_va_arg, NIL, null_cell_p(), pips_internal_error, pointer_type_p(), points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), points_to_expression_to_concrete_type(), range_to_points_to_sinks(), reference_to_points_to_sinks(), SIZEOFEXPRESSION, sizeofexpression_to_points_to_sinks(), string_type_p(), subscript_to_points_to_sinks(), syntax_application, syntax_call, syntax_cast, syntax_range, syntax_reference, syntax_subscript, syntax_tag, syntax_va_arg, and type_to_pointed_type().
Referenced by compute_points_to_binded_set(), expression_to_points_to_sinks(), expression_to_points_to_sources(), ternary_intrinsic_call_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
list expression_to_points_to_sinks | ( | expression | e, |
pt_map | in | ||
) |
The returned list contains cells used in "in".
They should be copied if they must be changed by side effects or "in" will become inconsistent.
This function computes the possible constant values of a pointer expression.
in | n |
Definition at line 1795 of file sinks.c.
References expression_to_points_to_cells().
Referenced by binary_intrinsic_call_to_points_to_sinks(), cast_to_points_to_sinks(), dereferencing_to_points_to(), dereferencing_to_sinks(), expression_to_points_to_sinks_with_offset(), global_source_to_sinks(), intrinsic_call_to_points_to_sinks(), pointer_reference_to_points_to_sinks(), points_to_translation_of_formal_parameters(), sizeofexpression_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
list expression_to_points_to_sinks_with_offset | ( | expression | a1, |
expression | a2, | ||
pt_map | in | ||
) |
a1 | 1 |
a2 | 2 |
in | n |
Definition at line 546 of file sinks.c.
References array_type_p(), expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_type(), free_type(), gen_free_list(), gen_full_copy_list(), NIL, offset_points_to_cells(), pointer_type_p(), points_to_expression_to_pointed_type(), scalar_integer_type_p(), and unbounded_expression_p().
Referenced by binary_intrinsic_call_to_points_to_sinks().
list expression_to_points_to_sources | ( | expression | e, |
pt_map | in | ||
) |
expression_to_points_to_sources() does not always work, especially with pointer arithmetic or subscripting because p[3], for instance, is not recognized as a valid source: it is not a constant path
Scalar pointers are expected but [0] subscript may have been added
Trouble for fread04... An array element, _line_3[0], is reduced to an array, _line_3, and you want to capture its address
A useless [0] may have been added, but it is supposed to be taken care of above... by callers of this function.
in | n |
Definition at line 1805 of file sinks.c.
References array_element_type_p(), array_pointer_type_equal_p(), CELL, char_star_constant_function_type_p(), char_star_type_p(), compute_basic_concrete_type(), expression_to_points_to_cell_p(), expression_to_points_to_cells(), FOREACH, fprintf(), free_type(), ifdebug, null_cell_p(), pips_debug, pips_internal_error, pointer_type_p(), points_to_cell_to_type(), points_to_expression_to_type(), print_expression(), print_points_to_cell, print_type(), string_type_p(), and type_to_pointed_type().
Referenced by binary_intrinsic_call_to_points_to_sinks(), cast_to_points_to_sinks(), dereferencing_subscript_to_points_to(), dereferencing_to_sinks(), expression_to_points_to_sinks_with_offset(), pointer_reference_to_points_to_sinks(), points_to_translation_of_formal_parameters(), subscript_to_points_to_sinks(), and user_call_to_points_to_intraprocedural().
list flow_sensitive_malloc_to_points_to_sinks | ( | expression | e | ) |
The type of me may en array type because of
int * p = (int *) malloc(nb*sizeof(int))
or int (*p)[nb] = (int (*)[nb]) malloc(sizeof(int[nb]))
In both case the heap object is an array.
We need the heap reference to be compatible with the pointer type. Adding a [0] subscript or not should be decided later, when the points-to arc is built. Or we might be able to guess right in case the first dimension is unbounded...
See Points-to/dereference19.c, line 19 for case 1, and line 17 for case 2.
Definition at line 1321 of file sinks.c.
References CAR, CELL, CONS, DIMENSION, dimension_upper, entity_array_p(), entity_type, EXPRESSION, get_bool_property(), get_current_module_entity(), get_heap_statement(), int_to_expression(), make_cell_reference(), make_null_cell(), make_reference(), make_sensitivity_information(), malloc_to_abstract_location(), NIL, reference_undefined, type_variable, unbounded_expression_p(), and variable_dimensions.
Referenced by insensitive_malloc_to_points_to_sinks(), malloc_to_points_to_sinks(), and unique_malloc_to_points_to_sinks().
int get_heap_counter | ( | void | ) |
statement get_heap_statement | ( | void | ) |
Definition at line 1191 of file sinks.c.
References malloc_statement.
Referenced by flow_sensitive_malloc_to_points_to_sinks().
void init_heap_model | ( | statement | s | ) |
Definition at line 1179 of file sinks.c.
References malloc_counter, and malloc_statement.
Referenced by statement_to_points_to().
list insensitive_malloc_to_points_to_sinks | ( | expression | e | ) |
FI->AM: what's the difference with the previous option? Reference to your dissertation?
Definition at line 1312 of file sinks.c.
References flow_sensitive_malloc_to_points_to_sinks(), NIL, and pips_internal_error.
Referenced by malloc_to_points_to_sinks().
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 172 of file sinks.c.
References binary_intrinsic_call_to_points_to_sinks(), call_arguments, call_function, CAR, constant_p(), ENTITY_COMMA_P, EXPRESSION, expression_to_points_to_sinks(), f(), gen_last(), gen_length(), int, nary_intrinsic_call_to_points_to_sinks(), NIL, pips_internal_error, ternary_intrinsic_call_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
Referenced by call_to_points_to_sinks().
cell make_null_cell | ( | void | ) |
Definition at line 95 of file sinks.c.
References entity_null_locations(), and entity_to_cell().
Referenced by binary_intrinsic_call_to_points_to_sinks(), declaration_statement_to_points_to(), flow_sensitive_malloc_to_points_to_sinks(), and null_equal_condition_to_points_to().
list malloc_to_points_to_sinks | ( | expression | e, |
pt_map | in | ||
) |
Heap modelling.
FI: lots of issues here; the potential cast is lost...
FI: the high-level switch I have added to understand the management of options is performed at a much much lower level, which may be good or not. I do not think it's good for readbility, but factoring is good. See malloc_to_abstract_location()
e is the arguments of the malloc call...
Basic heap modelling
ABSTRACT_HEAP_LOCATIONS:
"unique": do not generate heap abstract locations for each line number...
"insensitive": control path are not taken into account; all malloc() located in one function are equivalent.
"flow-sensitive": take into account the line number or the occurence number?
"context-sensitive": take into account the call stack; not implemented
ALIASING_ACROSS_TYPE: you should have one heap per type if aliasing across type is forbidden. The impact of its composition with the previous property is not specified...
The C standard specifies that all pointers that are allocated in the heap have the value "indeterminate".
in | n |
Definition at line 1231 of file sinks.c.
References add_arc_to_pt_map, CELL, cell_any_reference(), cell_to_nowhere_sink(), ENDP, flow_sensitive_malloc_to_points_to_sinks(), FOREACH, gen_free_list(), get_string_property(), insensitive_malloc_to_points_to_sinks(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), NIL, pips_user_error, points_to_source_to_sinks(), points_to_undefined, reference_variable, same_string_p, unique_malloc_to_points_to_sinks(), and variable_to_pointer_locations().
Referenced by binary_intrinsic_call_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
in | n |
Definition at line 640 of file sinks.c.
References call_function, ENTITY_COMMA_P, f(), NIL, and pips_internal_error.
Referenced by intrinsic_call_to_points_to_sinks().
What to do when a pointer "p" is dereferenced within a reference "r".
If p is a scalar pointer, p[i] is equivalent to *(p+i) and p[i][j] to *(*(p+i)+j).
If p is a 2-D array of pointers, p[i], p[i][j] do not belong here. But, p[i][j][k] is equivalent to *(p[i][j]+k) and p[i][j][k][l] to *(*(p[i][j]+k)+l).
The equivalent expression is fully allocated to be freed at the end. Which may cause problems if the points-to analysis re-use parts of the internal data structure...
The normalization could have been performed by the parser, but PIPS is source-to-source for the benefit of its human user.
in | n |
eval_p | val_p |
Definition at line 709 of file sinks.c.
References expression_to_points_to_sinks(), expression_to_points_to_sources(), free_expression(), NIL, and pointer_reference_to_expression().
Referenced by reference_to_points_to_sinks().
expression pointer_subscript_to_expression | ( | cell | c, |
list | csl | ||
) |
Allocate a new expression based on the reference in "c" and the subscript list "csl".
No sharing with the arguments. The pointer subscripts are transformed into pointer arithmetic and dereferencements.
csl | sl |
Definition at line 1430 of file sinks.c.
References binary_intrinsic_expression, cell_any_reference(), copy_expression(), copy_reference(), DEREFERENCING_OPERATOR_NAME, EXPRESSION, FOREACH, PLUS_C_OPERATOR_NAME, reference_to_expression(), and unary_intrinsic_expression.
Referenced by subscript_to_points_to_sinks().
Definition at line 102 of file sinks.c.
References entity_all_locations(), entity_to_sinks(), entity_typed_anywhere_locations(), and type_undefined_p.
Referenced by call_to_points_to_sinks().
list points_to_null_sinks | ( | void | ) |
The null location is not typed. The impact on dependence test is not clear.
Definition at line 87 of file sinks.c.
References entity_null_locations(), and entity_to_sinks().
Referenced by call_to_points_to_sinks().
The types are really incompatible, let's use the type lattice, max_type(cct, mct)... if it were implemented
Could we do better for a cast to (void *)? See cast03.
Definition at line 979 of file sinks.c.
References adapt_reference_to_type(), anywhere_cell_p(), array_pointer_type_equal_p(), array_type_p(), array_type_to_element_type(), CELL, cell_any_reference(), complete_points_to_reference_with_zero_subscripts(), compute_basic_concrete_type(), CONS, FOREACH, make_anywhere_points_to_cell(), make_scalar_overloaded_type(), NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_internal_error, points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), type_to_pointed_type(), and type_void_p.
Referenced by cast_to_points_to_sinks().
FI: I am not sure that process_casted_sources() is nor should be different from process_casted_sinks()
Cell c is OK if it points towards cells of type compatible with the type pointed to by type t
Update "sinks" with "dsl" and "nsl"
Definition at line 1035 of file sinks.c.
References adapt_reference_to_type(), anywhere_cell_p(), array_pointer_type_equal_p(), array_type_p(), CELL, cell_any_reference(), complete_points_to_reference_with_zero_subscripts(), CONS, FOREACH, make_anywhere_points_to_cell(), make_scalar_overloaded_type(), NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, pointer_type_p(), points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), and type_void_p.
Referenced by cast_to_points_to_sinks().
in | n |
Definition at line 1626 of file sinks.c.
References NIL, and pips_user_warning.
Referenced by expression_to_points_to_cells().
in | n |
Definition at line 1873 of file sinks.c.
References CELL, FOREACH, gen_free_list(), null_cell_p(), and reference_to_sinks().
Referenced by reference_condition_to_points_to().
in | n |
Definition at line 1859 of file sinks.c.
References CAR, CELL, gen_free_list(), gen_length(), null_cell_p(), and reference_to_sinks().
Referenced by reference_condition_to_points_to().
Returns a list of memory cells "sinks" possibly accessed by the evaluation of reference "r".
No sharing between the returned list "sinks" and the reference "r" or the points-to set "in".
Examples if eval_p==false: x->x, t[1]->t[1], t[1][2]->t[1][2], p->p...
Examples if eval_p==true: x->error, t[1]->t[1][0], t[1][2]->t[1][2][0], p->p[0]...
If constant_p, stored-dependent subscript expressions are replaced by "*" and store-independent expressions are replaced by their values, e.g. x[3+4]->x[7]. Else, subscript expressions are left unchanged. Motivation: constant_p==true for points-to computation, and false for the translation of effects. In the latter case, the transformation into a constant reference is postponed.
Issue: let's assume "t" to be an array "int t[10][10[10];". The C language is (too) flexible. If "p" is an "int ***p;", the impact of assignment "p=t;" leads to "p points-to t" or "p points-to t[0]" or "p points-to t[0][0][0]". Two different criteria can be used: the compatibiliy of the pointer type and the pointed cell type, or the equality of the pointer value and of the pointed cell address.
In the first case, t->t[0]->t[0][0]->t[0][0][0].
In the second case, t->t[0][0][0], t[0]->t[0][0][0], t[0][0]->t[0][0][0].
FI: I do not trust this function. It is already too long. And I am not confident the case disjunction is correct/well chosen.
Two proper possibilities: an array of pointers fully subscribed or any other kind of array partially subscribed. And an unsuitable one: an integer value...
No matter what, the target is obtained by adding a 0 subscript
FI: I do not know if the subscript removal impact the handling of loops by the points-to analysis; see Points-to/array07.c
What is the value of the subscript expression?
scalar case, rhs is already a lvalue
An array name can be used as pointer constant
We should add null indices according to its number of dimensions
This function may be called from the effect library via backward_translation_of_points_to_formal_context()
ips_assert("The expected type and the reference type are equal", array_pointer_type_equal_p(et, rt));
ips_assert("The expected type and the reference type are compatible", concrete_type_equal_p(et, rt));
et | t |
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 755 of file sinks.c.
References array_of_pointers_type_p(), array_type_p(), CELL, check_type_of_points_to_cells(), clear_pt_map, CONS, constant_p(), copy_reference(), effect_reference_to_string(), ENDP, entity_basic_concrete_type(), entity_type, EXPRESSION, FOREACH, fprintf(), free_cell(), gen_in_list_p(), gen_length(), gen_nconc(), ifdebug, int, int_to_expression(), make_cell_reference(), make_reference(), NIL, NumberOfDimension(), pips_assert, pips_debug, pips_internal_error, pips_user_error, pips_user_warning, pointer_reference_to_points_to_sinks(), pointer_type_p(), points_to_cell_add_zero_subscripts(), points_to_context_statement_line_number(), points_to_graph_bottom, points_to_reference_to_concrete_type(), print_points_to_cells, print_reference(), reference_indices, reference_variable, reference_with_store_independent_indices(), scalar_type_p(), simplified_reference(), source_to_sinks(), statement_points_to_context_defined_p(), struct_type_p(), type_structurally_equal_p(), type_variable, ultimate_type(), and variable_dimension_number().
Referenced by expression_to_points_to_cells(), and subscripted_reference_to_points_to().
void reset_heap_model | ( | void | ) |
Definition at line 1185 of file sinks.c.
References malloc_counter, malloc_statement, and statement_undefined.
Referenced by statement_to_points_to().
Return NULL as sink.
Double definition... list points_to_null_sinks() { entity ne = entity_null_locations(); reference nr = make_reference(ne, NIL); cell nc = make_cell_reference(nr); list sinks = CONS(CELL, nc, NIL); return sinks; } Points-to cannot used any kind of reference, just constant references.
For instance, "x[i]" is transformed into "x[*]" because the value of "i" is unknown. x[3+4] may be transformed into x[7].
A new referencec is allocated. Reference "r" is unchanged.
Definition at line 670 of file sinks.c.
References CONS, constant_int, constant_int_p, EvalExpression(), EXPRESSION, expression_undefined, FOREACH, gen_nconc(), int_to_expression(), make_reference(), make_unbounded_expression(), NIL, reference_indices, reference_variable, value_constant, and value_constant_p.
Referenced by reference_to_points_to_sinks().
list sizeofexpression_to_points_to_sinks | ( | sizeofexpression | soe, |
type et | __attribute__(unused), | ||
pt_map | in | ||
) |
Definition at line 1139 of file sinks.c.
References CELL, compute_basic_concrete_type(), CONS, expression_to_points_to_sinks(), make_anywhere_cell(), NIL, pips_internal_error, pointer_type_p(), sizeofexpression_expression, sizeofexpression_expression_p, sizeofexpression_type, sizeofexpression_type_p, and type_to_pointed_type().
Referenced by expression_to_points_to_cells().
Generate the corresponding points-to reference(s).
All access operators such as ., ->, * are replaced by subscripts.
See Strict_typing.sub/assigment11.c: the index is not put back at the right place. It would be easy (?) to fix it in this specific case, not forgetting the field subscripts..., but I do not see how to handle general stubs with artificial dimensions...
FI: In many cases, you do need the source. However, you have different kind of sources because "x" and "&x[0]" are synonyms and because you sometimes need "x" and some other times "&x[0]".
If the first dimension is unbounded, it has (probably) be added because of a pointer. A zero subscript is also added.
Add a zero subscript
Add subscript when possible. For typing reason, typed anywhere cell should be subscripted.
Add the subscripts
The reference "p[i][j]" is transformed into an expression "*(*(p+i)+j)" if "p" is really a pointer expression, not a partial array reference.
et | t |
in | n |
eval_p | val_p |
Definition at line 1451 of file sinks.c.
References adapt_reference_to_type(), all_heap_locations_cell_p(), anywhere_cell_p(), array_type_p(), CAR, CELL, cell_any_reference(), check_type_of_points_to_cells(), clear_pt_map, complete_points_to_reference_with_zero_subscripts(), CONS, DIMENSION, ENDP, entity_stub_sink_p(), EXPRESSION, expression_to_points_to_sources(), FOREACH, free_expression(), free_type(), gen_free_list(), gen_full_copy_list(), gen_full_free_list(), gen_nconc(), get_bool_property(), make_zero_expression(), NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, pips_user_warning, pointer_subscript_to_expression(), pointer_type_p(), points_to_array_reference_p(), points_to_cell_to_type(), points_to_context_statement_line_number(), points_to_expression_to_type(), points_to_graph_bottom, points_to_reference_update_final_subscripts(), reference_indices, reference_variable, source_to_sinks(), struct_type_p(), subscript_array, subscript_expressions_to_constant_subscript_expressions(), subscript_indices, type_variable, unbounded_dimension_p(), and variable_dimensions.
Referenced by expression_to_points_to_cells().
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 594 of file sinks.c.
References call_arguments, call_function, CAR, CDR, clear_pt_map, condition_to_points_to(), consistent_pt_map_p, constant_p(), ENTITY_CONDITIONAL_P, EXPRESSION, expression_to_points_to_cells(), f(), free_pt_map, full_copy_pt_map(), gen_nconc(), merge_points_to_set(), NIL, pips_assert, points_to_graph_bottom, and points_to_graph_set.
Referenced by intrinsic_call_to_points_to_sinks().
We have to undo the impact of side effects performed when the arguments were analyzed for points-to information
Needed for dereferencing17.c, but not for properties03 because in the second case the dereferencing is delayed...
There is an issue with eval_p: since we are looking for sinks, we always have to dereference "a" at least once.
We have to undo the impact of side effects performed when the arguments were analyzed for points-to information
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 216 of file sinks.c.
References call_arguments, call_function, CAR, CELL, CONS, constant_p(), dereferencing_to_sinks(), ENTITY_ADDRESS_OF_P, ENTITY_DEREFERENCING_P, ENTITY_FREE_SYSTEM_P, ENTITY_MALLOC_SYSTEM_P, ENTITY_POST_DECREMENT_P, ENTITY_POST_INCREMENT_P, ENTITY_PRE_DECREMENT_P, ENTITY_PRE_INCREMENT_P, EXPRESSION, expression_to_points_to_cells(), expression_to_points_to_sinks(), expression_undefined, f(), free_expression(), gen_length(), int_to_expression(), make_anywhere_cell(), make_nowhere_cell(), malloc_to_points_to_sinks(), NIL, offset_points_to_cells(), pips_assert, pips_internal_error, points_to_expression_to_concrete_type(), points_to_expression_to_pointed_type(), and pt_map_undefined_p.
Referenced by intrinsic_call_to_points_to_sinks().
list unique_malloc_to_points_to_sinks | ( | expression | e | ) |
FI->AM: is "unique" multiple when ALIASING_ACROSS_TYPE is set to false?
FI->AM: the comments in pipsmake-rc.tex are not sufficient to understand what the choices are.
If ALIASING_ACROSS_TYPES, return an overloaded unique heap entity
We need only one HEAP abstract location: Pointers/assign03
We need one HEAP abstract location per type: Pointers/assign02
Note: we must be careful about dereferencing and fields...
Definition at line 1292 of file sinks.c.
References flow_sensitive_malloc_to_points_to_sinks(), get_bool_property(), and NIL.
Referenced by malloc_to_points_to_sinks().
|
static |
Definition at line 1177 of file sinks.c.
Referenced by get_heap_counter(), init_heap_model(), and reset_heap_model().
|
static |
Heap modelling.
Rather than passing many arguments, keep a heap_context. May not be a good idea for cast information...
The API should contain renaming function(s) to move the effects up the call graph....
Definition at line 1175 of file sinks.c.
Referenced by get_heap_statement(), init_heap_model(), and reset_heap_model().