PIPS
|
Go to the source code of this file.
Typedefs | |
typedef points_to_graph | pt_map |
Functions | |
int | compare_entities_without_scope (const entity *, const entity *) |
cproto-generated files More... | |
entity | location_entity (cell) |
bool | locations_equal_p (cell, cell) |
eturn true if two acces_path are equals More... | |
int | points_to_equal_p (const void *, const void *) |
returns true if two points-to arcs "vpt1" and "vpt2" are equal. More... | |
_uint | points_to_rank (const void *, size_t) |
create a key which is a concatenation of the source's name, the sink's name and the approximation of their relation(may or exact) More... | |
string | points_to_name (const points_to) |
create a string which is a concatenation of the source's name, the sink's name and the approximation of their relation(may or exact). More... | |
string | points_to_cell_name (cell) |
Create a string which is the cell reference in C syntax. More... | |
set | points_to_set_block_projection (set, list, bool, bool) |
Remove from "pts" arcs based on at least one local entity in list "l" and preserve those based on static and global entities. More... | |
set | points_to_source_projection (set, entity) |
Remove all arcs starting from e because e has been assigned a new value. More... | |
points_to_graph | points_to_cell_source_projection (points_to_graph, cell) |
Remove all arcs in "ptg" starting from "c". More... | |
set | remove_points_to_cell (cell, set) |
All arcs in relation "g" must be removed or updated if they use the node "c". More... | |
set | remove_points_to_cells (list, set) |
All nodes, i.e. More... | |
list | potential_to_effective_memory_leaks (list, set) |
A new list, "emll", is allocated. More... | |
set | points_to_function_projection (set) |
"pts" is the points-to relation existing at the return point of a function. More... | |
bool | cell_out_of_scope_p (cell) |
Return true if a cell is out of scope. More... | |
void | print_or_dump_points_to (const points_to, bool) |
print a points-to arc for debug More... | |
void | print_points_to (const points_to) |
void | dump_points_to (const points_to) |
void | print_or_dump_points_to_set (string, set, bool) |
Print a set of points-to for debug. More... | |
void | print_points_to_set (string, set) |
void | dump_points_to_set (string, set) |
bool | source_in_set_p (cell, set) |
test if a cell appear as a source in a set of points-to More... | |
bool | source_subset_in_set_p (cell, set) |
test if a cell "source" appears as a source in a set of points-to More... | |
bool | source_in_graph_p (cell, points_to_graph) |
bool | sink_in_set_p (cell, set) |
test if a cell appear as a sink in a set of points-to More... | |
points_to | find_arc_in_points_to_set (cell, cell, pt_map) |
The approximation is not taken into account. More... | |
list | anywhere_source_to_sinks (cell, pt_map) |
source is assumed to be either nowhere/undefined or anywhere, it may be typed or not. More... | |
void | print_points_to_path (list) |
For debugging. More... | |
bool | type_compatible_with_points_to_cell_p (type, cell) |
A type "t" is compatible with a cell "c" if any of the enclosing cell "c'" of "c", including "c", is of type "t". More... | |
cell | type_compatible_super_cell (type, cell) |
See if a super-cell of "c" exists witf type "t". More... | |
cell | find_kth_points_to_node_in_points_to_path (list, type, int) |
Find the "k"-th node of type "t" in list "p". More... | |
bool | node_in_points_to_path_p (cell, list) |
points_to | points_to_path_to_k_limited_points_to_path (list, int, type, bool, pt_map) |
"p" is a points-to path ending with a cell that points towards a new cell ot type "t". More... | |
points_to | create_k_limited_stub_points_to (cell, type, bool, pt_map) |
Create a new node "sink" of type "t" and a new arc "pt" starting from node "source", if no path starting from any node and ending in "source", built with arcs in the points-to set "in", contains more than k nodes of type "t" (the type of the sink). More... | |
list | sink_to_sources (cell, set, bool) |
Build a list of possible cell sources for cell "sink" in points-to graph "pts". More... | |
list | stub_source_to_sinks (cell, pt_map, bool) |
list | scalar_stub_source_to_sinks (cell, pt_map, bool) |
list | array_stub_source_to_sinks (cell, pt_map, bool) |
list | generic_stub_source_to_sinks (cell, pt_map, bool, bool) |
list | points_to_cell_null_initialization (cell, pt_map) |
If required according to the property, create a new arc from cell "c" to "null". More... | |
list | nowhere_source_to_sinks (cell, pt_map) |
list | null_source_to_sinks (cell, pt_map) |
list | formal_source_to_sinks (cell, pt_map, bool) |
Creation of a stub for a formal parameter or for a reference based on a formal parameter. More... | |
list | global_source_to_sinks (cell, pt_map, bool) |
list | reference_to_points_to_translations (entity, list, pt_map) |
This function is designed to work properly for the translation of effects at call sites. More... | |
list | points_to_reference_to_translation (reference, list, pt_map, bool) |
FI: easier it fresh_p is true... More... | |
list | points_to_source_to_translations (cell, pt_map, bool) |
Use "ptm" as a translation map. More... | |
list | generic_points_to_source_to_sinks (cell, pt_map, bool, bool, bool, bool) |
Build the sinks of source "source" according to the points-to graphs. More... | |
list | points_to_source_to_sinks (cell, pt_map, bool) |
Build the sinks of source "source" according to the points-to graphs. More... | |
list | points_to_source_to_effective_sinks (cell, pt_map, bool) |
list | points_to_source_to_some_sinks (cell, pt_map, bool) |
May not retrieve all sinks of the source. More... | |
list | points_to_source_to_any_sinks (cell, pt_map, bool) |
Retrieve all possible sinks of the source. More... | |
list | points_to_sink_to_sources (cell, pt_map, bool) |
Build the sources of sink "sink" according to the points-to graphs. More... | |
points_to | points_to_sink_to_points_to (cell, pt_map) |
Return the points-to "fpt" ending in cell "sink" if it exists. More... | |
list | points_to_source_name_to_sinks (string, pt_map, bool) |
Use "sn" as a source name to derive a list of sink cells according to the points-to graph ptm. More... | |
cell | points_to_source_name_to_source_cell (string, pt_map, bool) |
list | generic_points_to_sources_to_sinks (list, pt_map, bool, bool) |
Build the union of the sinks of cells in "sources" according to the points-to graphs "ptm". More... | |
list | points_to_sources_to_sinks (list, pt_map, bool) |
list | points_to_sources_to_effective_sinks (list, pt_map, bool) |
list | points_to_source_to_arcs (cell, pt_map, bool) |
Build the list of arcs whose source is "source" according to the points-to graphs "ptm". More... | |
int | points_to_cell_to_number_of_unbounded_dimensions (cell) |
int | points_to_reference_to_number_of_unbounded_dimensions (reference) |
int | points_to_subscripts_to_number_of_unbounded_dimensions (list) |
bool | sinks_fully_matches_source_p (cell, list) |
Is there at least one cell "sink" in list "sinks" whose subscripts fully match the subscripts in cell "source"? More... | |
list | source_to_sinks (cell, pt_map, bool) |
Return a list of cells, "sinks", that are sink for some arc whose source is "source" or related to "source" in set "pts". More... | |
list | extended_source_to_sinks (cell, pt_map) |
list | extended_sources_to_sinks (list, pt_map) |
Same as extended_source_to_sinks, but for a set of cells, "pointed". More... | |
list | any_source_to_sinks (cell, pt_map, bool) |
Generalization of source_to_sinks(). More... | |
list | pointer_source_to_sinks (cell, pt_map) |
Returns the sinks for a source cell "sc" of type pointer according to the points-to relation "in". More... | |
list | variable_to_sinks (entity, pt_map, bool) |
Return all cells in points-to set "pts" who source is based on entity "e". More... | |
list | null_to_sinks (cell, pt_map) |
Create a list of null sinks and add a new null points-to relation to pts. More... | |
list | sources_to_sinks (list, pt_map, bool) |
Same as source_to_sinks, but for a list of cells. More... | |
list | reference_to_sinks (reference, pt_map, bool) |
set | merge_points_to_set (set, set) |
Merge two points-to sets. More... | |
set | exact_to_may_points_to_set (set) |
Change the all the exact points-to relations to may relations. More... | |
bool | cell_in_list_p (cell, const list) |
bool | cell_in_points_to_set_p (cell, set) |
Check if a cell c appears as source or sink in points-to set pts. More... | |
bool | points_to_in_list_p (points_to, const list) |
bool | points_to_compare_cell (cell, cell) |
bool | points_to_compare_ptr_cell (const void *, const void *) |
int | points_to_compare_location (void *, void *) |
Order the two points-to relations according to the alphabetical order of the underlying variables. More... | |
bool | consistent_points_to_arc_p (points_to, bool) |
bool | store_independent_points_to_arc_p (points_to) |
bool | dereferencing_free_points_to_arc_p (points_to) |
bool | consistent_points_to_set (set) |
make sure that set "s" does not contain redundant or contradictory elements More... | |
bool | points_to_set_sharing_p (set) |
void | upgrade_approximations_in_points_to_set (pt_map) |
When arcs have been removed from a points-to relation, the approximations of remaining arcs may not correspond to the new points-to relation. More... | |
void | remove_points_to_arcs (cell, cell, pt_map) |
void | points_to_cell_list_and (list *, const list) |
Compute A = A inter B: complexity in O(n2) More... | |
void | free_points_to_graph_sets (points_to_graph,...) |
Free several sets in one call. More... | |
pt_map | graph_assign_list (pt_map, list) |
FI: I add functions dealing with points_to_graph variable, i.e. More... | |
pt_map | merge_points_to_graphs (pt_map, pt_map) |
pt_map | points_to_graph_assign (pt_map, pt_map) |
points_to | fuse_points_to_sink_cells (cell, list, pt_map) |
All vertices in "sink_l" are assumed to be sinks of vertex "source" in points-to graph "in". More... | |
int | maximal_out_degree_of_points_to_graph (string *, pt_map) |
returns the cell vertex "mod_cell" with the maximal out_degree in graph "in", and its out-degree. More... | |
pt_map | normalize_points_to_graph (pt_map) |
For the time being, control the out-degree of the vertices in points-to graph "ptg" and fuse the vertex with the maximal out-degree to reduce it if it is greater than an expected limit. More... | |
string | points_to_cell_to_string (cell) |
bool | unreachable_points_to_cell_p (cell, pt_map) |
Can cell c be accessed via another cell? More... | |
pt_map | generic_remove_unreachable_vertices_in_points_to_graph (pt_map, int code, bool) |
Remove arcs in points-to graph "ptg" when they start from a stub cell that is not reachable. More... | |
pt_map | remove_unreachable_stub_vertices_in_points_to_graph (pt_map) |
pt_map | remove_unreachable_heap_vertices_in_points_to_graph (pt_map, bool) |
pt_map | remove_unreachable_vertices_in_points_to_graph (pt_map) |
This function looks pretty dangerous as variables can be reached by their names. More... | |
bool | consistent_points_to_graph_p (points_to_graph) |
void | remove_impossible_arcs_to_null (list *, pt_map) |
You know that null and undefined cells in "*pL" are impossible because of the operation that is going to be performed on it. More... | |
bool | arc_in_points_to_set_p (points_to, set) |
Check if points-to arc "spt" belongs to points-to set "pts". More... | |
pt_map | get_points_to_graph_from_statement (statement) |
void | add_arc_to_pt_map (points_to, pt_map) |
Add a store independent points-to arc: source and destination references include no dereferencing nor varying subscript such as a[i]. More... | |
pt_map | add_arc_to_pt_map_ (points_to, pt_map) |
set | add_arc_to_simple_pt_map (points_to, set) |
set | remove_arc_from_simple_pt_map (points_to, set) |
set | add_subscript_dependent_arc_to_simple_pt_map (points_to, set) |
The source and destination references imply no dereferencing but the subscripts may be any kind of expression, such as a[i]. More... | |
bool | printed_points_to_list_undefined_p (void) |
points_to_prettyprint.c More... | |
void | reset_printed_points_to_list (void) |
void | error_reset_printed_points_to_list (void) |
void | set_printed_points_to_list (statement_points_to) |
statement_points_to | get_printed_points_to_list (void) |
void | init_printed_points_to_list (void) |
void | close_printed_points_to_list (void) |
void | store_printed_points_to_list (statement, points_to_list) |
void | update_printed_points_to_list (statement, points_to_list) |
points_to_list | load_printed_points_to_list (statement) |
points_to_list | delete_printed_points_to_list (statement) |
bool | bound_printed_points_to_list_p (statement) |
void | store_or_update_printed_points_to_list (statement, points_to_list) |
text | text_points_to (entity, int, statement) |
text | text_code_points_to (statement) |
bool | print_code_points_to (const char *, string, string) |
void | print_points_to_list (points_to_list) |
void | print_points_to_graph (points_to_graph) |
bool | print_code_points_to_list (const char *) |
list | words_points_to (points_to) |
text | text_points_to_relation (points_to) |
text text_region(effect reg) input : a region output : a text consisting of several lines of commentaries, representing the region modifies : nothing More... | |
text | text_points_to_relations (points_to_list, string) |
void | print_points_to_relation (points_to) |
print a points-to arc, print_points_to() or print_points_to_arc() More... | |
void | print_points_to_relations (list) |
print a list of points-to arcs More... | |
text | text_pt_to (entity, int, statement) |
void | points_to_forward_translation (void) |
points_to_init_analysis.c More... | |
void | points_to_backward_translation (void) |
set | formal_points_to_parameter (cell) |
We want a recursive descent on the type of the formal parameter, once we found a pointer type we beguin a recursive descent until founding a basic case. More... | |
entity | create_stub_entity (entity, string, type) |
Allocate a stub entity "stub" for entity "e" and with type "t". More... | |
cell | create_scalar_stub_sink_cell (entity, type, type, int, list, string) |
Create a stub entity "se" for entity "v" with type "t" and return a cell based on a reference to the stub entity "se" with "d" unbounded subscripts to account for the dimension of the source and a zero subscript for implicit array. More... | |
int | points_to_indices_to_array_index_number (list) |
Count the number of array indices and ignore the field subscripts. More... | |
void | points_to_indices_to_unbounded_indices (list) |
FI: probably a duplicate... More... | |
list | points_to_indices_to_subscript_indices (list) |
Generate a new subscript list. More... | |
string | reference_to_field_disambiguator (reference) |
Build an ASCII string to disambiguate the different field paths that may exist in similar references. More... | |
points_to | create_stub_points_to (cell, type, bool) |
points_to | create_advanced_stub_points_to (cell, type, bool) |
Take into account the POINTS_TO_STRICT_POINTER_TYPE to allocate a sink cell of type "t" if the strictness is requested and of type "array of t" if not. More... | |
points_to | create_pointer_to_array_stub_points_to (cell, type, bool) |
To create the points-to stub associated to the formal parameter, the sink name is a concatenation of the formal parmater and the POINTS_TO_MODULE_NAME. More... | |
set | pointer_formal_parameter_to_stub_points_to (type, cell) |
Input : a formal parameter which is a pointer and its type. More... | |
set | derived_formal_parameter_to_stub_points_to (type, cell) |
Input : a formal parameter which has a derived type (FI, I guess). More... | |
set | typedef_formal_parameter_to_stub_points_to (type, cell) |
Input : a formal parameter which is a typedef. More... | |
set | array_formal_parameter_to_stub_points_to (type, cell) |
Type "t" is supposed to be a concrete type. More... | |
set | full_copy_simple_pt_map (set) |
statement.c More... | |
pt_map | full_copy_pt_map (pt_map) |
void | init_statement_points_to_context (void) |
void | push_statement_points_to_context (statement, pt_map) |
void | add_arc_to_statement_points_to_context (points_to) |
void | update_statement_points_to_context_with_arc (points_to) |
int | points_to_context_statement_line_number (void) |
pt_map | points_to_context_statement_in (void) |
pt_map | pop_statement_points_to_context (void) |
void | reset_statement_points_to_context (void) |
bool | statement_points_to_context_defined_p (void) |
pt_map | statement_to_points_to (statement, pt_map) |
See points_to_statement() More... | |
pt_map | declaration_statement_to_points_to (statement, pt_map) |
See points_to_init() More... | |
pt_map | instruction_to_points_to (instruction, pt_map) |
See points_to_statement() More... | |
pt_map | sequence_to_points_to (sequence, pt_map) |
void | equalize_points_to_domains (points_to_graph, points_to_graph) |
Make sure that pt_t and pt_f have the same definition domain except if one of them is bottom. More... | |
pt_map | test_to_points_to (test, pt_map) |
Computing the points-to information after a test. More... | |
pt_map | loop_to_points_to (loop, pt_map) |
FI: I assume that pointers and pointer arithmetic cannot appear in a do loop, "do p=q, r, 1" is possible with "p", "q" and "r" pointing towards the same array... More... | |
pt_map | whileloop_to_points_to (whileloop, pt_map) |
pt_map | any_loop_to_points_to (statement, expression, expression, expression, pt_map) |
Perform the same k-limiting scheme for all kinds of loops. More... | |
pt_map | new_any_loop_to_points_to (statement, expression, expression, expression, pt_map) |
Perform the same k-limiting scheme for all kinds of loops. More... | |
pt_map | k_limit_points_to (pt_map, int) |
pt_map | unstructured_to_points_to (unstructured, pt_map) |
pt_map | multitest_to_points_to (multitest, pt_map) |
pt_map | forloop_to_points_to (forloop, pt_map) |
void | subscripted_reference_to_points_to (reference, list, pt_map) |
expression.c More... | |
pt_map | expression_to_points_to (expression, pt_map, bool) |
Update pt_in and pt_out according to expression e. More... | |
pt_map | expressions_to_points_to (list, pt_map, bool) |
Compute the points-to information pt_out that results from the evaluation of a possibly empty list of expression. More... | |
pt_map | reference_to_points_to (reference, pt_map, bool) |
The subscript expressions may impact the points-to information. More... | |
pt_map | range_to_points_to (range, pt_map, bool) |
pt_map | call_to_points_to (call, pt_map, list, bool) |
Three different kinds of calls are distinguished: More... | |
pt_map | constant_call_to_points_to (call, pt_map) |
pt_map | intrinsic_call_to_points_to (call, pt_map, bool) |
pt_map | pointer_arithmetic_to_points_to (expression, expression, pt_map) |
Update the sink locations associated to the source "lhs" under points-to information pt_map by "delta". More... | |
void | offset_array_reference (reference, expression, type) |
Side effect on reference "r". More... | |
void | offset_cells (cell, list, expression, type, pt_map) |
Each cell in sinks is replaced by a cell located "delta" elements further up in the memory. More... | |
points_to | offset_cell (points_to, expression, type) |
Allocate and return a new points-to "npt", copy of "pt", with an offset of "delta" on the sink. More... | |
void | offset_points_to_cells (list, expression, type) |
Each cell in sinks is replaced by a cell located "delta" elements further up in the memory. More... | |
void | offset_points_to_cell (cell, expression, type, bool) |
pt_map | assignment_to_points_to (expression, expression, pt_map) |
void | check_type_of_points_to_cells (list, type, bool) |
Check that all cells in list "sinks" are compatible with type "ct" if "eval_p" is false, and with the type pointed by "st" if eval_p is true. More... | |
void | check_rhs_value_types (expression, expression, list) |
pt_map | internal_pointer_assignment_to_points_to (expression, expression, pt_map) |
Any abstract location of the lhs in L is going to point to any sink of any abstract location of the rhs in R. More... | |
pt_map | pointer_assignment_to_points_to (expression, expression, pt_map) |
list | freeable_points_to_cells (list) |
Remove from points-to cell list R cells that certainly cannot be freed. More... | |
pt_map | freed_list_to_points_to (expression, list, list, pt_map) |
Error detections on "L" and "R" have already been performed. More... | |
pt_map | freed_pointer_to_points_to (expression, pt_map, bool) |
Any abstract location of the lhs in L is going to point to nowhere, maybe. More... | |
cell | reduce_cell_to_pointer_type (cell) |
Remove last subscripts of cell c till its type becomes a scalar pointer. More... | |
list | reduce_cells_to_pointer_type (list) |
Undo the extra eval performed when stubs are generated: 0 subscripts are added when arrays are involved. More... | |
list | points_to_cell_to_pointer_cells (cell) |
list | points_to_cell_to_useful_pointer_cells (cell, set) |
list | points_to_cells_to_pointer_cells (list) |
Convert cells in l into derived pointer cells when possible. More... | |
pt_map | memory_leak_to_more_memory_leaks (cell, pt_map) |
Cell "l" has been memory leaked for sure and is not referenced any more in "in". More... | |
pt_map | list_assignment_to_points_to (list, list, pt_map) |
Update "pt_out" when any element of L can be assigned any element of R. More... | |
pt_map | struct_initialization_to_points_to (expression, expression, pt_map) |
pt_map | struct_assignment_to_points_to (expression, expression, pt_map) |
pt_in is modified by side-effects and returned as pt_out More... | |
pt_map | application_to_points_to (application, pt_map, bool) |
pt_map | condition_to_points_to (expression, pt_map, bool) |
Update points-to set "in" according to the content of the expression using side effects. More... | |
pt_map | reference_condition_to_points_to (reference, pt_map, bool) |
Handle conditions such as "if(p)". More... | |
pt_map | call_condition_to_points_to (call, pt_map, list, bool) |
Handle any condition that is a call such as "if(p!=q)", "if(*p)", "if(foo(p=q))"... More... | |
pt_map | intrinsic_call_condition_to_points_to (call, pt_map, bool) |
We can break down the intrinsics according to their arity or according to their kinds... More... | |
pt_map | user_call_condition_to_points_to (call, pt_map, list, bool) |
pt_map | boolean_intrinsic_call_condition_to_points_to (call, pt_map, bool) |
Deal with "!", "&&", "||" etc. More... | |
bool | cell_is_less_than_or_equal_to_p (cell, cell) |
See if you can decide that the addresses linked to c1 are smaller than the addresses linked to c2. More... | |
bool | cell_is_less_than_p (cell, cell) |
bool | cell_is_greater_than_or_equal_to_p (cell, cell) |
bool | cell_is_greater_than_p (cell, cell) |
pt_map | null_equal_condition_to_points_to (expression, pt_map) |
The condition is e==NULL. More... | |
pt_map | null_non_equal_condition_to_points_to (expression, pt_map) |
The condition is e!=NULL. More... | |
pt_map | equal_condition_to_points_to (list, pt_map) |
The expression list "al" contains exactly two arguments, "lhs" and "rhs". More... | |
pt_map | non_equal_condition_to_points_to (list, pt_map) |
The expression list "al" contains exactly two arguments. More... | |
pt_map | order_condition_to_points_to (entity, list, bool, pt_map) |
The expression list "al" contains exactly two arguments. More... | |
pt_map | relational_intrinsic_call_condition_to_points_to (call, pt_map, bool) |
Update the points-to information "in" according to the validity of the condition. More... | |
void | points_to_storage (set, statement, bool) |
passes.c More... | |
void | fi_points_to_storage (pt_map, statement, bool) |
pt_map | points_to_to_context_points_to (pt_map) |
Return the subset of "in" that is related to formal parameters and stubs. More... | |
void | init_points_to_context (pt_map) |
void | reset_points_to_context (void) |
pt_map | update_points_to_graph_with_arc (points_to, pt_map) |
Instead of simply adding the new arc, make sure the consistency is not broken. More... | |
void | add_arc_to_points_to_context (points_to) |
FI: it should rather work the other way round, with add_arc_to_statement_points_to_context() calling add_arc_to_points_to_context(). More... | |
void | update_points_to_context_with_arc (points_to) |
Same as , but be careful about the arc before adding it to the points-to context. More... | |
pt_map | get_points_to_context (void) |
void | clean_up_points_to_stubs (entity) |
bool | init_points_to_analysis (char *) |
bool | interprocedural_points_to_analysis_p (void) |
bool | fast_interprocedural_points_to_analysis_p (void) |
bool | intraprocedural_points_to_analysis (char *) |
bool | interprocedural_points_to_analysis (char *) |
bool | fast_interprocedural_points_to_analysis (char *) |
bool | initial_points_to (char *) |
Retrieve points-to that are statically initialized, especially in compilation units. More... | |
bool | program_points_to (char *) |
list | entity_to_sinks (entity) |
sinks.c More... | |
cell | entity_to_cell (entity) |
list | points_to_null_sinks (void) |
cell | make_null_cell (void) |
list | points_to_anywhere_sinks (type) |
list | call_to_points_to_sinks (call, type, pt_map, bool, bool) |
list | intrinsic_call_to_points_to_sinks (call, pt_map, bool, bool) |
list | unary_intrinsic_call_to_points_to_sinks (call, pt_map, bool, bool) |
list | binary_intrinsic_call_to_points_to_sinks (call, pt_map, bool) |
list | expression_to_points_to_sinks_with_offset (expression, expression, pt_map) |
list | ternary_intrinsic_call_to_points_to_sinks (call, pt_map, bool, bool) |
list | nary_intrinsic_call_to_points_to_sinks (call, pt_map) |
reference | simplified_reference (reference) |
Return NULL as sink. More... | |
list | pointer_reference_to_points_to_sinks (reference, pt_map, bool) |
What to do when a pointer "p" is dereferenced within a reference "r". More... | |
list | reference_to_points_to_sinks (reference, type, pt_map, bool, bool) |
Returns a list of memory cells "sinks" possibly accessed by the evaluation of reference "r". More... | |
list | cast_to_points_to_sinks (cast, type, pt_map, bool) |
list | sizeofexpression_to_points_to_sinks (sizeofexpression, type, pt_map) |
void | init_heap_model (statement) |
void | reset_heap_model (void) |
statement | get_heap_statement (void) |
int | get_heap_counter (void) |
list | malloc_to_points_to_sinks (expression, pt_map) |
Heap modelling. More... | |
list | unique_malloc_to_points_to_sinks (expression) |
FI->AM: is "unique" multiple when ALIASING_ACROSS_TYPE is set to false? More... | |
list | insensitive_malloc_to_points_to_sinks (expression) |
FI->AM: what's the difference with the previous option? Reference to your dissertation? More... | |
list | flow_sensitive_malloc_to_points_to_sinks (expression) |
list | application_to_points_to_sinks (application, type, pt_map) |
expression | pointer_subscript_to_expression (cell, list) |
Allocate a new expression based on the reference in "c" and the subscript list "csl". More... | |
list | subscript_to_points_to_sinks (subscript, type, pt_map, bool) |
Generate the corresponding points-to reference(s). More... | |
list | range_to_points_to_sinks (range, pt_map) |
list | expression_to_points_to_cells (expression, pt_map, bool, bool) |
Return a possibly empty list of abstract locations whose addresses are possible value of expression "e" evaluated with points-to information "in". More... | |
list | expression_to_points_to_sinks (expression, pt_map) |
The returned list contains cells used in "in". More... | |
list | expression_to_points_to_sources (expression, pt_map) |
expression_to_points_to_sources() does not always work, especially with pointer arithmetic or subscripting because p[3], for instance, is not recognized as a valid source: it is not a constant path More... | |
bool | reference_must_points_to_null_p (reference, pt_map) |
bool | reference_may_points_to_null_p (reference, pt_map) |
bool | control_in_set_p (control, set) |
unstructured.c More... | |
bool | control_equal_p (const void *, const void *) |
_uint | control_rank (const void *, size_t) |
create a key which is the statement number More... | |
bool | Ready_p (control, set, set) |
A node is ready to be processed if its predecessors are not reachable or processed. More... | |
set | ready_to_be_processed_set (control, set, set) |
A set containing all the successors of n that are ready to be processed. More... | |
pt_map | new_points_to_unstructured (unstructured, pt_map, bool) |
list | variable_to_pointer_locations (entity) |
variable.c More... | |
list | struct_variable_to_pointer_locations (entity, entity) |
return list of cells for pointers declared directly or indirecltly in variable "e" of type struct defined by entity "ee" and its type. More... | |
list | struct_variable_to_pointer_subscripts (cell, entity) |
returns a list of cells to reach pointers depending on field f. More... | |
list | points_to_cells_parameters (list) |
interprocedural.c More... | |
list | points_to_cells_pointer_arguments (list) |
Transform a list of arguments of type "expression" to a list of cells. More... | |
points_to_graph | user_call_to_points_to (call, points_to_graph, list) |
FI: limited to the interprocedural option. More... | |
list | user_call_to_points_to_sinks (call, type, pt_map, bool) |
void | remove_arcs_from_pt_map (points_to, set) |
pt_map | user_call_to_points_to_fast_interprocedural (call, pt_map, list) |
bool | recursive_filter_formal_context_according_to_actual_context (list, set, set, set, set) |
This function looks for successors of elements of list "fcl" both in points-to relations "pt_in" and "pt_binded". More... | |
set | filter_formal_context_according_to_actual_context (list, set, set, set) |
Filter "pt_in" according to "pt_binded". More... | |
set | new_filter_formal_context_according_to_actual_context (list, set, set, set) |
set | filter_formal_out_context_according_to_formal_in_context (set, set, list, entity) |
If an address has not been written, i.e. More... | |
void | points_to_translation_of_struct_formal_parameter (cell, cell, approximation, type, set) |
bool | points_to_translation_mapping_is_typed_p (set) |
void | points_to_translation_of_formal_parameters (list, list, pt_map, set) |
List al and fpcl are assumed consistent, and consistent with the formal parameter ranks. More... | |
void | add_implicitly_killed_arcs_to_kill_set (set, list, set, set, set, entity) |
Initial comments: add arcs of set "pt_caller" to set "pt_kill" if their origin cells are not in the list of written pointers "wpl" but is the origin of some exact arc in "pt_out_callee_filtered". More... | |
list | translation_transitive_closure (cell, set) |
bool | aliased_translation_p (list, set) |
See if two cells in "fpcl" point toward the same location via the transitive closure of "translation". More... | |
set | user_call_to_points_to_interprocedural_binding_set (call, pt_map) |
Compute the binding relations in a complete interprocedural way: be as accurate as possible. More... | |
pt_map | user_call_to_points_to_interprocedural (call, pt_map) |
Compute the points-to relations in a complete interprocedural way: be as accurate as possible. More... | |
pt_map | user_call_to_points_to_intraprocedural (call, pt_map, list) |
set | compute_points_to_kill_set (list, set, set) |
list | points_to_cell_translation (cell, set, entity) |
Compute the list of cells that correspond to cell "sr1" according to the translation mapping "bm" when function "f" is called. More... | |
list | generic_points_to_cells_translation (list, set, entity, bool) |
Allocate a new list with the translations of the cells in cl, when their translation make sense. More... | |
list | points_to_cells_translation (list, set, entity) |
Allocate a new list with the translations of the cells in cl, when their translation make sense. More... | |
list | points_to_cells_exact_translation (list, set, entity) |
Allocate a new list with the translations of the cells in cl, when their translation make sense and is unique (one-to-one mapping). More... | |
set | compute_points_to_gen_set (set, list, set, entity) |
Translate the out set in the scope of the caller using the binding information, but eliminate irrelevant arcs using Written and the type of the source. More... | |
set | points_to_binding_arguments (cell, cell, set, set) |
Recursively find all the arcs, "ai", starting from the argument "c1" using "in", find all the arcs, "aj", starting from the parameter "c2" using "pt_binded", map each node "ai" to its corresponding "aj" and store the "ai->aj" arc in a new set, "bm". More... | |
list | written_pointers_set (list) |
Filter out written effects on pointers. More... | |
list | certainly_written_pointers_set (list) |
Filter out certainly written effects on pointers. More... | |
set | compute_points_to_binded_set (entity, list, set, bool *) |
For each actual argument "r" and its corresponding formal one "f", create the assignment "f = r;" and then compute the points-to set "s" generated by the assignment. More... | |
set | points_to_binding (list, set, set) |
Apply points_to_binding_arguments() to each pair (, complete the process of binding each element of "in" to its corresponding memory address at the call site. More... | |
list | generic_points_to_set_to_stub_cell_list (entity, set, list) |
Add cells referencing a points-to stub found in parameter "s" are copied and added to list "osl". More... | |
list | points_to_set_to_stub_cell_list (set, list) |
list | points_to_set_to_module_stub_cell_list (entity, set, list) |
cell | points_to_source_alias (points_to, set) |
Let "pt_binded" be the results of assignments of actual arguments to formal arguments (see compute_points_to_binded_set()). More... | |
pt_map | dereferencing_subscript_to_points_to (subscript, pt_map) |
dereferencing.c More... | |
pt_map | dereferencing_to_points_to (expression, pt_map) |
Make sure that expression p can be dereferenced in points-to graph "in". More... | |
bool | pointer_points_to_reference_p (reference) |
void | pointer_reference_dereferencing_to_points_to (reference, pt_map) |
pt_map | reference_dereferencing_to_points_to (reference, pt_map, bool, bool) |
Can we execute the reference r in points-to context "in" without segfaulting? More... | |
bool | expression_to_points_to_cell_p (expression) |
Can expression e be reduced to a reference, without requiring an evaluation? More... | |
list | dereferencing_to_sinks (expression, pt_map, bool) |
Returns "sinks", the list of cells pointed to by expression "a" according to points-to graph "in". More... | |
cell | make_nowhere_cell (void) |
constant-path-utils.c More... | |
cell | make_typed_nowhere_cell (type) |
cell | cell_to_nowhere_sink (cell) |
assuming source is a reference to a pointer, build the corresponding sink when the pointer is not initialized, i.e. More... | |
set | points_to_anywhere_typed (list, set) |
Already exists in points_to_general_algorithm.c, to be removed later... More... | |
set | points_to_anywhere (list, set) |
list | array_to_constant_paths (expression, set) |
cell | max_module (cell, cell) |
we define operator max fot the lattice Module which has any_module as top and a bottom which is not yet clearly defined (maybe no_module) max_module : Module * Module -> Module Side effects on m1 if we have an anywhere location to return. More... | |
bool | entity_any_module_p (entity) |
operator kill for the dimension Module: More... | |
bool | opkill_may_module (cell, cell) |
bool | opkill_must_module (cell, cell) |
cell | op_gen_module (cell, cell) |
bool | opkill_may_name (cell, cell) |
We define operators for the lattice Name which can be a: -variable of a the program -malloc -NULL /0 -STATIC/STACK/DYNAMIC/HEAP/FORMAL -nowhere/anywhere. More... | |
bool | opkill_must_name (cell, cell) |
type | max_type (type, type) |
bool | opkill_may_type (type, type) |
bool | opkill_must_type (type, type) |
opkill_must_type is the same as op_kill_may_type... More... | |
type | opgen_may_type (type, type) |
type | opgen_must_type (type, type) |
the same as opgen_may_type More... | |
bool | opkill_may_reference (cell, cell) |
bool | opkill_must_reference (cell, cell) |
bool | opkill_may_vreference (cell, cell) |
FI: really weird and unefficient. More... | |
bool | opkill_must_vreference (cell, cell) |
returns true if c2 must kills c1 because of the subscript expressions More... | |
bool | opkill_may_constant_path (cell, cell) |
bool | opkill_must_constant_path (cell, cell) |
returns true if c2 kills c1 More... | |
set | kill_may_set (list, set) |
Compute the set of arcs in the input points-to relation "in" whose approximation must be changed from "exact" to "may". More... | |
set | kill_must_set (list, set) |
Generate the subset of arcs that must be removed from the points-to graph "in". More... | |
set | points_to_may_filter (set) |
returns a set which contains all the MAY points to More... | |
set | points_to_must_filter (set) |
returns a set which contains all the EXACT points to More... | |
bool | address_of_expression_p (expression) |
shoud be moved to expression.c More... | |
bool | subscript_expression_p (expression) |
set | gen_may_set (list, list, set, bool *) |
Should be moved to anywhere_abstract_locations.c. More... | |
set | gen_must_set (list, list, set, bool *) |
bool | unique_location_cell_p (cell) |
Does cell "c" represent a unique memory location or a set of memory locations? More... | |
set | gen_may_constant_paths (cell, list, set, bool *, int) |
set | gen_must_constant_paths (cell, list, set, bool *, int) |
Build a set of arcs from cell l towards cells in list R if *address_p is true, or towards cells pointed by cells in list R if not. More... | |
points_to | opgen_may_constant_path (cell, cell) |
points_to | opgen_must_constant_path (cell, cell) |
bool | opgen_may_module (entity, entity) |
bool | opgen_must_module (entity, entity) |
bool | opgen_may_name (entity, entity) |
bool | opgen_must_name (entity, entity) |
bool | opgen_may_vreference (list, list) |
bool | atomic_constant_path_p (cell) |
Could be replaced by abstract_location_p() but this later don't take into account the null location. More... | |
set | opgen_null_location (set, cell) |
set | points_to_independent_store (set) |
bool | equal_must_vreference (cell, cell) |
set | points_to_nowhere (list, set) |
arg1: list of cells arg2: set of points-to Create a points-to set with elements of lhs_list as source and NOWHERE as sink. More... | |
#define assign_pt_map | ( | x, | |
y | |||
) | ((void) set_assign(points_to_graph_set(x), points_to_graph_set(y)), (x)) |
Definition at line 77 of file points-to.h.
#define clear_pt_map | ( | pt | ) | set_clear(points_to_graph_set(pt)) |
Definition at line 78 of file points-to.h.
#define consistent_pt_map_p | ( | s | ) | consistent_points_to_graph_p(s) |
Definition at line 95 of file points-to.h.
#define difference_of_pt_maps | ( | pt1, | |
pt2, | |||
pt3 | |||
) |
Definition at line 88 of file points-to.h.
#define empty_pt_map_p | ( | s | ) | set_empty_p(points_to_graph_set(s)) |
Definition at line 93 of file points-to.h.
#define free_pt_map | ( | pt | ) | free_points_to_graph(pt) |
Definition at line 80 of file points-to.h.
#define free_pt_maps free_points_to_graph_sets |
Definition at line 83 of file points-to.h.
#define new_pt_map | ( | ) | make_points_to_graph(false, set_generic_make(set_private, points_to_equal_p, points_to_rank)) |
Definition at line 75 of file points-to.h.
#define new_simple_pt_map | ( | ) | set_generic_make(set_private, points_to_equal_p, points_to_rank) |
Definition at line 76 of file points-to.h.
#define print_pt_map | ( | pt | ) | print_points_to_set("", points_to_graph_set(pt)); |
Definition at line 81 of file points-to.h.
#define pt_map_undefined points_to_graph_undefined |
Definition at line 73 of file points-to.h.
#define pt_map_undefined_p | ( | pt | ) | ((pt)==points_to_graph_undefined) |
Definition at line 74 of file points-to.h.
#define remove_arc_from_pt_map | ( | a, | |
s | |||
) | (set_del_element((set) points_to_graph_set(s), (set) points_to_graph_set(s), (void *) a)) |
Definition at line 105 of file points-to.h.
#define remove_arc_from_pt_map_ | ( | a, | |
s | |||
) | (remove_arc_from_pt_map(a, s), (s)) |
Definition at line 106 of file points-to.h.
#define SEQUENTIAL_POINTS_TO_SETS_SUFFIX ".pt" |
Warning! Do not modify this file that is automatically generated!
Modify src/Libs/points-to/points-to-local.h instead, to add your own modifications. header file built by cproto points_to-local.h
Definition at line 34 of file points-to.h.
#define source_in_pt_map_p | ( | cell, | |
set | |||
) | source_in_set_p(cell,points_to_graph_set(set)) |
Definition at line 97 of file points-to.h.
#define union_of_pt_maps | ( | pt1, | |
pt2, | |||
pt3 | |||
) |
Definition at line 85 of file points-to.h.
#define USER_POINTS_TO_SETS_SUFFIX ".upt" |
Definition at line 35 of file points-to.h.
typedef points_to_graph pt_map |
Definition at line 72 of file points-to.h.
void add_arc_to_points_to_context | ( | points_to | pt | ) |
FI: it should rather work the other way round, with add_arc_to_statement_points_to_context() calling add_arc_to_points_to_context().
pt | t |
Definition at line 268 of file passes.c.
References add_arc_to_pt_map, add_arc_to_statement_points_to_context(), consistent_pt_map_p, copy_points_to(), pips_assert, points_to_context, and pt_map_undefined_p.
Referenced by dereferencing_subscript_to_points_to(), formal_source_to_sinks(), generic_stub_source_to_sinks(), global_source_to_sinks(), and null_to_sinks().
Add a store independent points-to arc: source and destination references include no dereferencing nor varying subscript such as a[i].
Definition at line 3555 of file points_to_set.c.
References points_to_graph_set, set_add_element(), and store_independent_points_to_arc_p().
Referenced by fuse_points_to_sink_cells(), normalize_points_to_graph(), source_to_sinks(), and upgrade_approximations_in_points_to_set().
Definition at line 3565 of file points_to_set.c.
References points_to_graph_set, set_add_element(), and store_independent_points_to_arc_p().
Referenced by anywhere_source_to_sinks(), assignment_to_points_to(), formal_source_to_sinks(), generic_stub_source_to_sinks(), global_source_to_sinks(), and null_to_sinks().
Definition at line 3576 of file points_to_set.c.
References set_add_element(), and store_independent_points_to_arc_p().
Referenced by points_to_set_block_projection(), and remove_points_to_cell().
void add_arc_to_statement_points_to_context | ( | points_to | pt | ) |
pt | t |
Definition at line 104 of file statement.c.
References add_arc_to_pt_map, consistent_pt_map_p, pips_assert, stack_head(), and statement_points_to_context.
Referenced by add_arc_to_points_to_context(), and dereferencing_subscript_to_points_to().
void add_implicitly_killed_arcs_to_kill_set | ( | set | pt_kill, |
list | wpl, | ||
set | pt_caller, | ||
set | pt_out_callee_filtered, | ||
set | binding, | ||
entity | f | ||
) |
Initial comments: add arcs of set "pt_caller" to set "pt_kill" if their origin cells are not in the list of written pointers "wpl" but is the origin of some exact arc in "pt_out_callee_filtered".
This is beneficial when "pt_out" is more precise than "pt_caller" because of a free or a test. This is detrimental when "pt_caller" is more precise than "pt_out_callee_filtered" because the intraprocedural analysis of the callee had to assume a possible NULL pointer that did not really exist (see Mensi.sub/struct_inter03.c). So it would be better to compute the intersection of "pt_caller" and "translation(pt_out, binding)" and to kill all arcs in "pt_caller" minus this intersection... if they are related in some way to the callee... Some more thinking needed.
Equations retrieved from the C code
K = { c | \exits pt c=source(pt) !\in Written ^ |translation(source(pt), binding, f)|==1 ^ atomic(translation(source(pt), binding, f) }
pt_kill = {pt in pt_caller | \exists c \in K binding(c)==source(pt)}
K is a set of cells defined in the frame of the callee and pt_kill a set of points-to defined in the frame of the caller.
Examples:
Indirect free of a pointed cell
"main() {p = malloc(); * my_free(p);}" with "my_free(int * p) {free(p);}".
p->heap in pt_caller must be removed from pt_end, hence p->heap belongs to pt_kill
Other possibilities must be linked to tests and executions errors.
void foo(int * ap) {bar(ap);}
void bar(int * fp) { *p = 1;}
As a result ap->_ap_1, EXACT because ap->NULL has been killed
void bar(int * fp) {if(fp==NULL) exit(1); return;}
The result should be the same as above.
Arc out_pt has been implicitly obtained
pt_kill | t_kill |
wpl | pl |
pt_caller | t_caller |
pt_out_callee_filtered | t_out_callee_filtered |
binding | inding |
Definition at line 1663 of file interprocedural.c.
References add_arc_to_simple_pt_map, approximation_exact_p, CAR, CELL, cell_undefined, f(), gen_free_list(), gen_length(), generic_atomic_points_to_cell_p(), int, points_to_approximation, points_to_cell_equal_p(), points_to_cell_in_list_p(), points_to_cell_translation(), points_to_source, and SET_FOREACH.
Referenced by user_call_to_points_to_interprocedural().
The source and destination references imply no dereferencing but the subscripts may be any kind of expression, such as a[i].
This is not possible in general, but may be useful at a specific statement level. This used to handle precisely the backward translation at call sites, especially for simple and convex effects backward translation.
Definition at line 3599 of file points_to_set.c.
References dereferencing_free_points_to_arc_p(), and set_add_element().
Referenced by compute_points_to_binded_set(), filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), and points_to_translation_of_formal_parameters().
bool address_of_expression_p | ( | expression | e | ) |
shoud be moved to expression.c
Definition at line 741 of file constant-path-utils.c.
References call_function, entity_an_operator_p, expression_syntax, syntax_call, and syntax_call_p.
See if two cells in "fpcl" point toward the same location via the transitive closure of "translation".
| must_conflict_p
Print the transitive closures
Clean up the hash-table...
fpcl | pcl |
translation | ranslation |
Definition at line 1735 of file interprocedural.c.
References CAR, CELL, cell_any_reference(), ENDP, entity_user_name(), fprintf(), gen_copy_seq(), gen_free_list(), hash_get(), HASH_MAP, hash_pointer, hash_put(), hash_table_free(), hash_table_make(), pips_user_warning, points_to_cell_lists_may_conflict_p(), points_to_cell_lists_must_conflict_p(), points_to_context_statement_line_number(), POP, print_points_to_cells, reference_variable, statement_points_to_context_defined_p(), and translation_transitive_closure().
Referenced by user_call_to_points_to_interprocedural().
pt_map any_loop_to_points_to | ( | statement | b, |
expression | init, | ||
expression | c, | ||
expression | inc, | ||
pt_map | pt_in | ||
) |
Perform the same k-limiting scheme for all kinds of loops.
The do while loop must use an external special treatment for the first iteration.
Derived from points_to_forloop() and from Amira's work.
pt_in is modified by side effects.
First, enter or skip the loop: initialization + condition check
Comput pt_out as loop invariant: pt_out holds at the beginning of the loop body.
pt_out(i) = f(pt_out(i-1)) U pt_out(i-1)
prev = pt_out(i-1)
Note: the pt_out variable is also used to carry the loop exit points-to set.
prev receives the current points-to information, pt_out
Depending on the kind of loops, execute the body and then possibly the incrementation and the condition
Merge the previous resut and the current result.
Check convergence
Add the last iteration to obtain the pt_out holding when exiting the loop
FI: I suppose that p[i] is replaced by p[*] and that MAY/MUST information is changed accordingly.
init | nit |
inc | nc |
pt_in | t_in |
Definition at line 653 of file statement.c.
References assign_pt_map, clear_pt_map, condition_to_points_to(), consistent_points_to_graph_p(), expression_to_points_to(), expression_undefined_p, full_copy_pt_map(), get_int_property(), ifdebug, init, merge_points_to_graphs(), new_pt_map, normalize_points_to_graph(), pips_assert, pips_debug, pips_internal_error, points_to_graph_bottom, points_to_graph_set, points_to_independent_store(), print_points_to_set(), remove_unreachable_stub_vertices_in_points_to_graph(), set_equal_p(), statement_to_points_to(), and upgrade_approximations_in_points_to_set().
Referenced by forloop_to_points_to(), loop_to_points_to(), and whileloop_to_points_to().
Generalization of source_to_sinks().
The source does not have to be a pointer.
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 2404 of file points_to_set.c.
References any_source_to_sinks(), array_of_pointers_type_p(), array_of_struct_type_p(), compute_basic_concrete_type(), copy_cell(), derived_type_to_fields(), ENTITY, entity_basic_concrete_type(), f(), FOREACH, free_cell(), NIL, pointer_type_p(), points_to_cell_add_field_dimension(), points_to_cell_add_unbounded_subscripts(), points_to_cell_to_type(), source_to_sinks(), and struct_type_p().
Referenced by any_source_to_sinks(), and recursive_filter_formal_context_according_to_actual_context().
source is assumed to be either nowhere/undefined or anywhere, it may be typed or not.
Shouldn't we create NULL pointers if the corresponding property is set? Does it matter for anywhere/nowhere?
pts must be updated with the new arc(s).
FI: we should return an anywhere cell with the proper type
FI: should we add the corresponding arcs in pts?
FI: should we take care of typed anywhere as well?
source | ource |
pts | ts |
Definition at line 718 of file points_to_set.c.
References add_arc_to_pt_map_(), anywhere_source_to_sinks(), array_type_p(), basic_derived, basic_pointer_p, CELL, cell_any_reference(), compute_basic_concrete_type(), CONS, copy_cell(), copy_type(), ENTITY, entity_anywhere_locations(), entity_type, f(), FOREACH, free_type(), make_anywhere_points_to_cell(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_reference(), NIL, overloaded_type_p(), pips_assert, pips_internal_error, pointer_type_p(), points_to_cell_add_field_dimension(), points_to_cell_to_type(), reference_add_zero_subscripts(), struct_type_p(), type_area_p, type_struct, type_struct_p, type_to_pointed_type(), type_variable, type_variable_p, ultimate_type(), and variable_basic.
Referenced by anywhere_source_to_sinks(), nowhere_source_to_sinks(), null_source_to_sinks(), and source_to_sinks().
pt_map application_to_points_to | ( | application | a, |
pt_map | pt_in, | ||
bool | side_effect_p | ||
) |
FI: We should also identify the possibly called functions and update the points-to according to the possible call sites.
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 2490 of file expression.c.
References application_arguments, application_function, expression_to_points_to(), expressions_to_points_to(), f(), and pips_internal_error.
Referenced by expression_to_points_to().
list application_to_points_to_sinks | ( | application | , |
type | , | ||
pt_map | |||
) |
Check if points-to arc "spt" belongs to points-to set "pts".
spt | pt |
pts | ts |
Definition at line 3518 of file points_to_set.c.
References points_to_equal_p(), and SET_FOREACH.
Referenced by filter_formal_context_according_to_actual_context(), and new_filter_formal_context_according_to_actual_context().
Type "t" is supposed to be a concrete type.
Type "t" may be modified: no.
Cell "c" is copied.
The dimensions of type "t" are forgotten. They are retrieved later from the type of the entity references in cell "c".
Add an artificial dimension for pointer arithmetic
Definition at line 1116 of file points_to_init_analysis.c.
References basic_pointer, basic_pointer_p, cell_any_reference(), CONS, copy_type(), create_stub_points_to(), DIMENSION, get_bool_property(), make_cell_reference(), make_dimension(), make_reference(), make_unbounded_expression(), make_zero_expression(), NIL, points_to_equal_p(), points_to_rank(), ref, reference_consistent_p(), reference_variable, scalar_type_p(), set_add_element(), set_generic_make(), set_private, type_variable, variable_basic, and variable_dimensions.
Referenced by formal_points_to_parameter().
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 1171 of file points_to_set.c.
References generic_stub_source_to_sinks().
Referenced by stub_source_to_sinks().
list array_to_constant_paths | ( | expression | , |
set | |||
) |
pt_map assignment_to_points_to | ( | expression | lhs, |
expression | rhs, | ||
pt_map | pt_in | ||
) |
It is not obvious that you are allowed to evaluate this before the sink of lhs, but the standard probably forbid stupid side effects.
Can occur in a declaration
When more precision is needed, the BRACE_INTRINSIC arguments will have to be analyzed...
lhs | hs |
rhs | hs |
pt_in | t_in |
Definition at line 1163 of file expression.c.
References add_arc_to_pt_map_(), array_of_pointers_type_p(), array_of_struct_type_p(), basic_pointer, compute_basic_concrete_type(), copy_reference(), ENDP, expression_reference(), expression_reference_p(), free_type(), make_anywhere_points_to_cell(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), pips_assert, pips_internal_error, pointer_assignment_to_points_to(), pointer_type_p(), points_to_cell_add_unbounded_subscripts(), points_to_expression_to_type(), reference_indices, struct_assignment_to_points_to(), struct_type_p(), type_variable, and variable_basic.
Referenced by compute_points_to_binded_set(), declaration_statement_to_points_to(), intrinsic_call_to_points_to(), struct_assignment_to_points_to(), and struct_initialization_to_points_to().
Could be replaced by abstract_location_p() but this later don't take into account the null location.
cp | p |
Definition at line 1243 of file constant-path-utils.c.
References cell_any_reference(), cp, entity_abstract_location_p(), entity_null_locations_p(), and reference_variable.
FI: it might be better to integrate this update in points_to_cell_add_field_dimension() in order to exploit available information directly and to return a consistent cell. Anyway, seems useless here
Already performed elsewhere. The value returned by expression
in | n |
eval_p | val_p |
Definition at line 327 of file sinks.c.
References anywhere_cell_p(), array_type_p(), binary_intrinsic_expression, call_arguments, call_function, CAR, CDR, CELL, cell_any_reference(), cell_gap_p, cell_preference_p, cell_reference, cell_reference_p, cell_tag, cell_typed_anywhere_locations_p(), clear_pt_map, CONS, consistent_points_to_graph_p(), copy_cell(), copy_expression(), ENDP, ENTITY_ASSIGN_P, entity_basic_concrete_type(), ENTITY_CALLOC_SYSTEM_P, ENTITY_FIELD_P, ENTITY_FOPEN_P, ENTITY_MINUS_C_P, ENTITY_MINUS_P, ENTITY_MINUS_UPDATE_P, ENTITY_PLUS_C_P, ENTITY_PLUS_P, ENTITY_PLUS_UPDATE_P, ENTITY_POINT_TO_P, ENTITY_REALLOC_SYSTEM_P, entity_typed_anywhere_locations(), EXPRESSION, expression_syntax, expression_to_points_to_sinks(), expression_to_points_to_sinks_with_offset(), expression_to_points_to_sources(), f(), FindOrCreateTopLevelEntity(), FOREACH, free_cell(), free_expression(), free_reference(), gen_full_copy_list(), gen_full_free_list(), gen_nconc(), heap_cell_p(), make_anywhere_cell(), make_anywhere_reference(), make_cell_reference(), make_null_cell(), make_reference(), make_unbounded_expression(), MakeIoFileArray(), MakeUnaryCall(), malloc_to_points_to_sinks(), MULTIPLY_OPERATOR_NAME, NIL, nowhere_cell_p(), null_cell_p(), pips_assert, pips_internal_error, pips_user_warning, points_to_cell_add_field_dimension(), points_to_cell_add_zero_subscripts(), points_to_context_statement_line_number(), points_to_expression_to_concrete_type(), points_to_graph_bottom, points_to_graph_undefined_p, pt_map_undefined_p, reference_variable, remove_impossible_arcs_to_null(), source_to_sinks(), syntax_reference, UNARY_MINUS_OPERATOR_NAME, and zero_expression_p().
Referenced by intrinsic_call_to_points_to_sinks().
Deal with "!", "&&", "||" etc.
Combine the conditions
Merge the results of the different conditions...
in | n |
true_p | rue_p |
Definition at line 2695 of file expression.c.
References call_arguments, call_function, CAR, CDR, clear_pt_map, condition_to_points_to(), ENTITY_AND_P, entity_local_name(), ENTITY_NOT_P, ENTITY_OR_P, EXPRESSION, f(), free_pt_map, full_copy_pt_map(), merge_points_to_graphs(), out, out2, pips_assert, pips_internal_error, and points_to_graph_consistent_p().
Referenced by intrinsic_call_condition_to_points_to().
Handle any condition that is a call such as "if(p!=q)", "if(*p)", "if(foo(p=q))"...
in | n |
el | l |
true_p | rue_p |
Definition at line 2595 of file expression.c.
References call_function, entity_initial, f(), intrinsic_call_condition_to_points_to(), out, pips_assert, pips_internal_error, points_to_graph_consistent_p(), user_call_condition_to_points_to(), value_code_p, value_constant_p, and value_intrinsic_p.
Referenced by condition_to_points_to().
Three different kinds of calls are distinguished:
"el" is the effect list associated to the call site
points-to updates due to arguments
Must be a pointer to a function
I do not know if nft must be freed later
points-to updates due to arguments
pt_in | t_in |
el | l |
side_effect_p | ide_effect_p |
Definition at line 306 of file expression.c.
References call_arguments, call_function, CAR, ENTITY_CONDITIONAL_P, entity_initial, entity_name, entity_type, EXPRESSION, expression_to_points_to(), expressions_to_points_to(), f(), functional_result, intrinsic_call_to_points_to(), is_value_code, is_value_constant, is_value_expression, is_value_intrinsic, is_value_symbolic, is_value_unknown, pips_assert, pips_internal_error, pointer_type_p(), points_to_graph_bottom, points_to_graph_consistent_p(), points_to_graph_undefined_p, symbolic_expression, type_functional, type_functional_p, type_to_pointed_type(), type_undefined, type_variable_p, type_void_p, user_call_to_points_to(), value_code_p, value_expression, value_symbolic, and value_tag.
Referenced by dereferencing_to_points_to(), expression_to_points_to(), and instruction_to_points_to().
No check, but all elements of sinks should be of a type compatible with type "et".
et | t |
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 112 of file sinks.c.
References call_function, CELL, CONS, constant_int, constant_int_p, constant_p(), entity_initial, entity_name, entity_type, f(), intrinsic_call_to_points_to_sinks(), is_value_code, is_value_constant, is_value_intrinsic, is_value_symbolic, is_value_unknown, make_cell_reference(), make_reference(), NIL, pips_internal_error, points_to_anywhere_sinks(), points_to_null_sinks(), string_type_p(), type_to_returned_type(), user_call_to_points_to_sinks(), value_constant, and value_tag.
Referenced by expression_to_points_to_cells().
found!
else no found
list | x |
Definition at line 2613 of file points_to_set.c.
References CAR, CELL, ENDP, points_to_compare_cell(), and POP.
Referenced by null_equal_condition_to_points_to(), null_non_equal_condition_to_points_to(), and order_condition_to_points_to().
Check if a cell c appears as source or sink in points-to set pts.
If set pts is undefined, it is assumed that cell c is in it.
pts | ts |
Definition at line 2626 of file points_to_set.c.
References points_to_compare_cell(), points_to_sink, points_to_source, SET_FOREACH, and set_undefined_p.
Referenced by generic_points_to_cell_to_useful_pointer_cells().
c1 | 1 |
c2 | 2 |
Definition at line 2830 of file expression.c.
References cell_is_xxx_p(), and GREATER_THAN_OR_EQUAL_TO.
Referenced by order_condition_to_points_to().
c1 | 1 |
c2 | 2 |
Definition at line 2835 of file expression.c.
References cell_is_xxx_p(), and GREATER_THAN.
Referenced by order_condition_to_points_to().
See if you can decide that the addresses linked to c1 are smaller than the addresses linked to c2.
True is returned when a decision can be made.
False is returned when no decision can be made.
c1 | 1 |
c2 | 2 |
Definition at line 2820 of file expression.c.
References cell_is_xxx_p(), and LESS_THAN_OR_EQUAL_TO.
Referenced by order_condition_to_points_to().
c1 | 1 |
c2 | 2 |
Definition at line 2825 of file expression.c.
References cell_is_xxx_p(), and LESS_THAN.
Referenced by order_condition_to_points_to().
Return true if a cell is out of scope.
FI: I add formal parameters as in scope variables...
FI: I remove formal parameters because this function is used to compute the OUT set. The modified or not values of formal parameter are not relevant. If they have not been modified, the useful information is already available in the IN set (oops, see next comment below). If they have been modified, they are no longer reachable and must be projected.
FI: Unfortunately, some information gathered about the input parametrs during the function analysis is lost. For instance, a pointer must be different from NULL (e.g. see argv03.c). But if you do not know if the pointer has been written or not, you do not know if the information is usable or not. This is also an issue for interprocedural analysis: can the result always be trusted for any actual input context?
| formal_parameter_p(e)
Definition at line 560 of file points_to_set.c.
References cell_to_reference(), entity_heap_location_p(), entity_stub_sink_p(), reference_variable, top_level_entity_p(), and variable_static_p().
Referenced by points_to_function_projection().
assuming source is a reference to a pointer, build the corresponding sink when the pointer is not initialized, i.e.
is undefined.
source | ource |
Definition at line 55 of file constant-path-utils.c.
References cell_to_type(), cell_undefined, copy_type(), free_type(), get_bool_property(), make_nowhere_cell(), make_typed_nowhere_cell(), and type_to_pointed_type().
Referenced by declaration_statement_to_points_to(), malloc_to_points_to_sinks(), and user_call_to_points_to_fast_interprocedural().
Filter out certainly written effects on pointers.
eff | ff |
Definition at line 2614 of file interprocedural.c.
References generic_written_pointers_set().
Referenced by user_call_to_points_to_interprocedural().
void check_rhs_value_types | ( | expression | , |
expression | , | ||
list | |||
) |
Check that all cells in list "sinks" are compatible with type "ct" if "eval_p" is false, and with the type pointed by "st" if eval_p is true.
Adding the zero subscripts may muddle the type issue because "&a[0]" has not the same type as "a" although we normalize every cell into "a[0]".
Take care of the constant strings like "hello"
Take care of void
sinks | inks |
ct | t |
eval_p | val_p |
Definition at line 1214 of file expression.c.
References anywhere_cell_p(), array_pointer_type_equal_p(), array_type_p(), array_type_to_sub_array_type(), CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), char_star_constant_function_type_p(), char_type_p(), compute_basic_concrete_type(), copy_type(), effect_reference_to_string(), ENDP, FOREACH, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_internal_error, pips_user_error, pips_user_warning, pointer_type_p(), points_to_cell_to_type(), points_to_context_statement_line_number(), string_of_type(), type_structurally_equal_p(), type_to_pointed_type(), type_undefined, and type_void_p.
Referenced by check_rhs_value_types(), reference_to_points_to_sinks(), and subscript_to_points_to_sinks().
void clean_up_points_to_stubs | ( | entity | module | ) |
Beware of location entities that might depend on the soon to be deleted stub entities.
module | odule |
Definition at line 303 of file passes.c.
References code_declarations, CONS, ENDP, ENTITY, entity_heap_location_p(), entity_initial, entity_name, FOREACH, fprintf(), gen_free_list(), gen_in_list_p(), gen_list_and_not(), GenericCleanEntities(), get_bool_property(), location_entity_of_module_p(), module, NIL, reference_variable, stub_entity_of_module_p(), value_code, and value_reference.
Referenced by generic_points_to_analysis().
void close_printed_points_to_list | ( | void | ) |
cproto-generated files
FI: Which sorting do you want?
pe1 | e1 |
pe2 | e2 |
Definition at line 60 of file points_to_set.c.
References entity_name, and s1.
set compute_points_to_binded_set | ( | entity | called_func, |
list | real_args, | ||
set | pt_caller, | ||
bool * | success_p | ||
) |
For each actual argument "r" and its corresponding formal one "f", create the assignment "f = r;" and then compute the points-to set "s" generated by the assignment.
The result is the union of "pt_caller" and "s".
Be careful with vararags
This is not sufficient to handle varargs. Much more thinking needed. And corect examples.
C does not support array assignments...
This may happen with a constant string as actual parameter and an array, bounded or not, as formal parameter.
A formal array can be called with a dereferencing expression
See Pointers/Mensi.sub/array_pointer_free01: array fp is associated to &p[0] or to p->q or to c.a ...
It would be nice to build an assignment of rhs to fp and to let it deal with the many possible kinds of assignments. But if it is a pure points-to function, the symbolic subscripts are going to be lost. This is fine for points-to translation, but not OK for effects translation.
In the short term, build the assignment...
The assignment failed because the call site is not compatible with the caller.
called_func | alled_func |
real_args | eal_args |
pt_caller | t_caller |
success_p | uccess_p |
Definition at line 2623 of file interprocedural.c.
References add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), anywhere_cell_p(), array_type_p(), array_type_to_element_type(), assignment_to_points_to(), call_function, CAR, CDR, CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), CONS, copy_cell(), copy_points_to(), ENDP, entity_basic_concrete_type(), entity_to_expression(), entity_user_name(), EXPRESSION, expression_call(), expression_call_p(), expression_reference(), expression_reference_p(), expression_string_constant_p(), expression_to_points_to_cells(), f(), find_ith_parameter(), FOREACH, functional_parameters, gen_free_list(), gen_last(), gen_length(), heap_cell_p(), int, make_approximation_exact(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_points_to_graph(), make_reference(), NIL, PARAMETER, parameter_type, pips_internal_error, pointer_type_p(), POINTS_TO, points_to_equal_p(), points_to_graph_bottom, points_to_graph_set, points_to_rank(), points_to_sink, points_to_source, reference_variable, set_assign(), set_del_element(), SET_FOREACH, set_generic_make(), set_private, set_union(), struct_type_p(), stub_entity_of_module_p(), type_functional, and type_varargs_p.
Referenced by user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
Translate the out set in the scope of the caller using the binding information, but eliminate irrelevant arcs using Written and the type of the source.
This is pt_gen_1 in Amira Mensi's dissertation.
Also, pay attention to translation errors because they are related to programming bugs, such as pointer arithmetic applied to pointers to scalar.
Consider all points-to arcs "(sr1, sk1)" in "pt_out"
Keep arcs whose source is:
In other word, get rid of scalar formal parameter that are written.
Translate sr1
Translate sk1 if needed
The translation of pt's sink failed.
Note: the piece of code below is replicated
The caller does not have to have counterparts for all hypothetical stubs that may be developped in callee.
The translation of pt's source failed. This may occur because the callee had to assume a pointer points to an array, whereas the call site associates it to a scalar.
See for instance Pointers/formal_parameter01.c
But this may also occur because the formal parameter cannot be translated because the effective argument is an address_of expression. See for instance EffectsWithPointsTO/call01.c.
We have no way to guess here the reason for the translation failure...
Could be a user error, but you may prefer to go on with the points-to analysis to perform some dead code elimination later...
pt_out | t_out |
Written | ritten |
binding | inding |
Definition at line 2342 of file interprocedural.c.
References anywhere_cell_p(), approximation_may_p, approximation_undefined, array_type_p(), atomic_points_to_cell_p(), CAR, CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), CONS, copy_approximation(), copy_cell(), ENDP, entity_basic_concrete_type(), entity_to_module_entity(), f(), FOREACH, formal_parameter_p(), fprintf(), free_approximation(), gen(), gen_free_list(), gen_length(), heap_cell_p(), ifdebug, int, make_approximation_may(), make_descriptor_none(), make_points_to(), new_simple_pt_map, NIL, nowhere_cell_p(), null_cell_p(), pips_user_warning, points_to_approximation, points_to_cell_in_list_p(), points_to_cell_name(), points_to_cell_translation(), points_to_sink, points_to_source, print_points_to_set(), reference_variable, set_add_element(), SET_FOREACH, set_free(), set_undefined, and set_undefined_p.
Referenced by user_call_to_points_to_interprocedural().
pt_map condition_to_points_to | ( | expression | c, |
pt_map | in, | ||
bool | true_p | ||
) |
Update points-to set "in" according to the content of the expression using side effects.
Use "true_p" to know if the condition must be met or not.
FI: the side effects should not be taken into account because this function is often called twice, once for the true branch and once for the false branch of a test.
For instance, C short cut "if(p)" for "if(p!=NULL)"
in | n |
true_p | rue_p |
Definition at line 2512 of file expression.c.
References call_condition_to_points_to(), expression_syntax, NIL, out, pips_assert, pips_internal_error, points_to_graph_bottom, points_to_graph_consistent_p(), reference_condition_to_points_to(), syntax_call, syntax_call_p, syntax_reference, and syntax_reference_p.
Referenced by any_loop_to_points_to(), boolean_intrinsic_call_condition_to_points_to(), intrinsic_call_condition_to_points_to(), intrinsic_call_to_points_to(), new_any_loop_to_points_to(), ternary_intrinsic_call_to_points_to_sinks(), and test_to_points_to().
I: two issue:
constant_subscript_p | onstant_subscript_p |
Definition at line 2822 of file points_to_set.c.
References cell_any_reference(), gen_length(), int, memory_dereferencing_p(), pips_internal_error, points_to_consistent_p(), points_to_reference_to_concrete_type(), points_to_sink, points_to_source, reference_indices, store_independent_points_to_reference_p(), and type_depth().
Referenced by dereferencing_free_points_to_arc_p(), and store_independent_points_to_arc_p().
bool consistent_points_to_graph_p | ( | points_to_graph | ptg | ) |
ptg | tg |
Definition at line 3475 of file points_to_set.c.
References consistent_points_to_set(), pips_internal_error, points_to_graph_bottom, points_to_graph_set, and set_empty_p().
Referenced by any_loop_to_points_to(), binary_intrinsic_call_to_points_to_sinks(), internal_pointer_assignment_to_points_to(), list_assignment_to_points_to(), and whileloop_to_points_to().
make sure that set "s" does not contain redundant or contradictory elements
Check the consistency of each arc
Check the validity of the approximations
Make sure that the element of set "s" belong to "s" (issue with side effects performed on subscript expressions).
Check that no sharing exists between arcs at the cell and reference levels
Definition at line 2900 of file points_to_set.c.
References approximation_exact_p, approximation_tag, fprintf(), locations_equal_p(), points_to_approximation, points_to_set_sharing_p(), points_to_sink, points_to_source, print_points_to(), set_belong_p(), SET_FOREACH, and store_independent_points_to_arc_p().
Referenced by consistent_points_to_graph_p(), list_assignment_to_points_to(), merge_points_to_set(), and user_call_to_points_to_interprocedural().
bool control_equal_p | ( | const void * | vc1, |
const void * | vc2 | ||
) |
vc1 | c1 |
vc2 | c2 |
Definition at line 71 of file unstructured.c.
References control_statement, s1, and statement_ordering.
Referenced by new_points_to_unstructured().
unstructured.c
unstructured.c
Definition at line 61 of file unstructured.c.
References control_statement, SET_FOREACH, and statement_equal_p().
Referenced by new_points_to_unstructured().
create a key which is the statement number
vc | c |
size | ize |
Definition at line 83 of file unstructured.c.
References control_statement, hash_string_rank(), int2a(), statement_ordering, and strdup().
Referenced by new_points_to_unstructured().
Take into account the POINTS_TO_STRICT_POINTER_TYPE to allocate a sink cell of type "t" if the strictness is requested and of type "array of t" if not.
assume that pointers to scalars always points towards an array of unknown dimension.
exact_p | xact_p |
Definition at line 688 of file points_to_init_analysis.c.
References array_type_p(), create_stub_points_to(), get_bool_property(), pips_internal_error, points_to_undefined, and type_to_array_type().
Create a new node "sink" of type "t" and a new arc "pt" starting from node "source", if no path starting from any node and ending in "source", built with arcs in the points-to set "in", contains more than k nodes of type "t" (the type of the sink).
If k nodes of type "t" are already in the path, create a new arc "pt" between the "source" and the k-th node in the path.
Parameter "array_p" indicates if the source is an array or a scalar. Different models can be chosen. For instance, Beatrice Creusillet wants to have an array as target and obtain something like argv[*]->_argv_1[*] although argv[*]->_argv-1 might also be a correct model if _argv_1 is an abstract location representing lots of different physical locations.
Parameter k is defined by a property.
FI: not to clear about what is going to happen when "source" is the final node of several paths.
Also, beware of circular paths.
Efficiency is not yet a goal...
& od>=odl
No cycle could be created, the paths can safely be made longer.
source | ource |
array_p | rray_p |
in | n |
Definition at line 1077 of file points_to_set.c.
References CELL, CONS, create_stub_points_to(), gen_free_list(), get_bool_property(), get_int_property(), NIL, pips_assert, points_to_path_to_k_limited_points_to_path(), points_to_undefined, and points_to_undefined_p.
Referenced by formal_source_to_sinks(), generic_stub_source_to_sinks(), and global_source_to_sinks().
To create the points-to stub associated to the formal parameter, the sink name is a concatenation of the formal parmater and the POINTS_TO_MODULE_NAME.
exact_p | xact_p |
Definition at line 709 of file points_to_init_analysis.c.
References base, basic_undefined, cell_any_reference(), concatenate(), CONS, copy_basic(), copy_cell(), copy_type(), DIMENSION, dimension_lower, dimension_upper, entity_kind, ENTITY_POINTER_DUMMY_TARGETS_AREA, entity_storage, entity_undefined_p, entity_user_name(), EXPRESSION, expression_undefined, f(), FindOrCreateEntity(), FOREACH, formal_offset, formal_parameter_p(), gen_find_entity(), gen_length(), gen_nconc(), get_bool_property(), get_current_module_entity(), get_current_module_name(), int2a(), int_to_expression(), make_approximation_exact(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_dimension(), make_entity, make_points_to(), make_ram(), make_reference(), make_storage_ram(), make_type_variable(), make_unbounded_expression(), make_value_unknown(), make_variable(), MODULE_SEP_STRING, NIL, POINTER_DUMMY_TARGETS_AREA_LOCAL_NAME, pointer_index, reference_undefined, reference_variable, storage_formal, strdup(), type_undefined, type_variable, UNKNOWN_RAM_OFFSET, variable_basic, and variable_dimensions.
Referenced by pointer_formal_parameter_to_stub_points_to().
Create a stub entity "se" for entity "v" with type "t" and return a cell based on a reference to the stub entity "se" with "d" unbounded subscripts to account for the dimension of the source and a zero subscript for implicit array.
Type "pt" is the theoretically expected type for the reference "sink_ref" within the returned cell, "sink_cell". We assert "pt==points_to_cell_to_type(sink_cell)".
Type "t" must account for the extra "d" dimensions.
The type strictness is handled by the caller.
The name of the function is misleading. It should be "create_stub_sink_cell"... but in fact is does not handle the struct case because struct can contain may different pointers, directly or indirectly, depending on fields. This function is ok if v a pointer or an array of pointers, but not if v is a struct.
The function is called four times from create_stub_points_to().
When scalars are used, we should have "d==0" and "td==0" and hence "sl==NIL"
FI: use 0 for all proper target dimensions
FI: adding 0 subscripts is similar to a dereferencing. We do not know at this level if the dereferencing has been requested. See pointer_reference02. The handling fo eval_p must be modified correspondingly by adding 0 subscripts when the source is an array. Or evaluation must be skipped.
st | t |
pt | t |
sl | l |
fs | s |
Definition at line 267 of file points_to_init_analysis.c.
References array_pointer_type_equal_p(), array_type_p(), basic_equal_p(), cell_consistent_p(), CONS, copy_type(), create_stub_entity(), entity_local_name(), entity_user_name(), EXPRESSION, fprintf(), free_type(), gen_nconc(), ifdebug, make_cell_reference(), make_reference(), make_zero_expression(), MakeTypeOverloaded(), NIL, overloaded_type_p(), pips_assert, pips_debug, pips_internal_error, points_to_cell_to_concrete_type(), points_to_reference_to_type(), print_points_to_cell, print_type(), reference_indices, reference_undefined, type_functional_p, type_undefined, type_variable, type_variable_p, type_void_p, variable_basic, and variable_dimension_number().
Referenced by create_stub_points_to().
Allocate a stub entity "stub" for entity "e" and with type "t".
Abort if "stub" already exists.
It seems that type "t" could be derived from "e" since it should be the pointed type of "e"'s type, but it is not at all the case in general. Variable e is used to build a reference and the type pointed by the reference may be different when arrays of structs of arrays of structs are involved.
FI: I assume all unknown offsets defined in ri-util-local.h to be strictly negative.
FI: we could use a 0 as default offset for clarity?
FI: we are in deep trouble because the stub entity has already been created... but we have no idea if it is or not the entity we wanted as it depends on field names in the reference. And the reference is not available from this function.
fs | s |
Definition at line 151 of file points_to_init_analysis.c.
References ABSTRACT_LOCATION, add_C_variable_to_area(), AddEntityToDeclarations(), array_pointer_type_equal_p(), concatenate(), copy_type(), DYNAMIC_RAM_OFFSET, entity_basic_concrete_type(), ENTITY_FORMAL_AREA, entity_initial, entity_kind, entity_local_name(), entity_module_name(), entity_storage, entity_stub_sink_p(), entity_type, entity_undefined_p, entity_user_name(), f(), FindOrCreateEntity(), FORMAL_AREA_LOCAL_NAME, formal_offset, formal_parameter_p(), gen_find_entity(), int2a(), is_type_area, is_value_unknown, make_area(), make_entity, make_ram(), make_storage_ram(), make_storage_rom(), make_type(), make_value(), make_value_unknown(), module_name_to_entity(), MODULE_SEP_STRING, NIL, pips_internal_error, ram_offset, static_global_variable_p(), storage_formal, storage_ram, strdup(), string_undefined, top_level_entity_p(), type_undefined_p, and UU.
Referenced by create_scalar_stub_sink_cell().
Referenced by create_k_limited_stub_points_to(), and new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair().
See points_to_init()
pt_in is modified by side-effects and returned
generate points-to due to the initialisation
AM/FI: abnormal sharing (lhs); the reference may be reused in the cel...
free_expression(lhs);
The initialization expression may use pointers, directly or indirectly via struct and arrays.
Take care of expressions in array sizing (see array12.c)
pt_in | t_in |
Definition at line 262 of file statement.c.
References add_arc_to_pt_map, array_of_pointers_type_p(), array_of_struct_type_p(), array_pointer_type_equal_p(), array_type_p(), assignment_to_points_to(), CAR, CELL, cell_to_nowhere_sink(), char_star_type_p(), clear_pt_map, compute_basic_concrete_type(), DIMENSION, dimension_lower, dimension_upper, ENTITY, entity_basic_concrete_type(), entity_initial, entity_storage, entity_to_expression(), entity_user_name(), expression_to_points_to(), expression_to_type(), expression_undefined_p, FOREACH, free_expression(), integer_type_p(), make_approximation_exact(), make_descriptor_none(), make_null_cell(), make_points_to(), NIL, overloaded_type_p(), pips_debug, pips_user_warning, pointer_type_p(), points_to_context_statement_line_number(), points_to_graph_bottom, statement_declarations, storage_rom_p, string_type_p(), struct_type_p(), type_structurally_equal_p(), type_variable, type_void_star_p(), value_expression, value_expression_p, variable_dimensions, variable_initial_expression(), variable_static_p(), and variable_to_pointer_locations().
Referenced by statement_to_points_to().
points_to_list delete_printed_points_to_list | ( | statement | ) |
Definition at line 2893 of file points_to_set.c.
References consistent_points_to_arc_p().
Referenced by add_subscript_dependent_arc_to_simple_pt_map().
But all pointer values must be generated, whether they point to pointers or anything else.
This piece of code is designed to handle pointer19.c, and hence pointer14.c, where arrays of pointers toward arrays of pointers are used.
It generates too many arcs, useless arcs, when the subscript list is broken down into many subscript constructs by PIPS C parser. This shows in Pointers/pointer14, 15 and 19.
a cannot evaluate to null or undefined
FI: we may need a special case for stubs...
We have to take "sel" into account since only the base of the target array is pointed to.
We have to bother with the source if it is an array, not if it is simply a pointer dereferenced by some subscripts as in dereferencing18.c.
Look for points-to arcs that must be duplicated using the subscripts as offsets
We must generate a new source with the offset defined by sel, and a new sink, with or without a an offset
Update the source cell
Is the source cell already known in the points-to relation?
Update the sink cell if necessary
Build the new points-to arc
Do not update set "in" while you are enumerating its elements
Update sets "in" with the new arcs. The arc must pre-exist the reference for the effects to be able to translate a non-constant effect. Thus, it should pre-exist the call site.
FI: I am not sure this is useful...
sub | ub |
in | n |
Definition at line 71 of file dereferencing.c.
References adapt_reference_to_type(), add_arc_to_points_to_context(), add_arc_to_pt_map, add_arc_to_statement_points_to_context(), anywhere_cell_p(), array_type_p(), CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), cell_undefined, cell_undefined_p, complete_points_to_reference_with_zero_subscripts(), CONS, copy_approximation(), copy_cell(), copy_points_to(), dereferencing_to_points_to(), entity_basic_concrete_type(), expression_to_points_to(), expression_to_points_to_sources(), expression_to_type(), expressions_to_points_to(), FOREACH, free_cell(), free_type(), gen_free_list(), gen_full_copy_list(), gen_nconc(), make_descriptor_none(), make_points_to(), NIL, null_cell_p(), pips_internal_error, POINTS_TO, points_to_approximation, points_to_cell_equal_p(), points_to_context_statement_line_number(), points_to_graph_set, points_to_sink, points_to_source, reference_indices, reference_variable, SET_FOREACH, source_in_pt_map_p, subscript_array, subscript_indices, and type_to_pointed_type().
Referenced by dereferencing_to_points_to().
pt_map dereferencing_to_points_to | ( | expression | p, |
pt_map | in | ||
) |
Make sure that expression p can be dereferenced in points-to graph "in".
Handling of NULL pointers according to property.
Handling of undefined pointers according to property.
"in" is modified by side effects. Arcs certainly incompatible with a dereferencing are removed. If dereferencing of p is no longer possible, return an empty points-to "in" as the expression cannot be evaluated.
This is conditional to two properties.
ut =
You must take care of s.tab, which is encoded by a call
EffectsWithPointsTo/struct08.c: ae = (e.champ)[i], fe = p
For side effects on "in"
in | n |
Definition at line 198 of file dereferencing.c.
References array_of_pointers_type_p(), array_of_struct_type_p(), call_arguments, call_function, call_to_points_to(), CAR, CDR, dereferencing_subscript_to_points_to(), entity_basic_concrete_type(), ENTITY_FIELD_P, EXPRESSION, expression_reference(), expression_reference_p(), expression_syntax, expression_to_points_to_sinks(), expressions_to_points_to(), f(), gen_free_list(), get_bool_property(), is_syntax_application, is_syntax_call, is_syntax_cast, is_syntax_range, is_syntax_reference, is_syntax_sizeofexpression, is_syntax_subscript, is_syntax_va_arg, NIL, pips_assert, pointer_type_p(), reference_dereferencing_to_points_to(), reference_variable, struct_type_p(), syntax_call, syntax_reference, syntax_subscript, and syntax_tag.
Referenced by dereferencing_subscript_to_points_to(), expression_to_points_to(), intrinsic_call_condition_to_points_to(), intrinsic_call_to_points_to(), and reference_to_points_to().
list dereferencing_to_sinks | ( | expression | a, |
pt_map | in, | ||
bool | eval_p | ||
) |
Returns "sinks", the list of cells pointed to by expression "a" according to points-to graph "in".
If eval_p is true, perform a second dereferencing on the cells obtained with the first dereferencing.
Manage NULL and undefined (nowhere) cells.
Possibly update the points-to graph when some arcs are incompatible with the request, assuming the analyzed code is correct.
Locate the pointer, no dereferencing yet... unless no pointer can be found as in *(p+2) in which case an evaluation occurs/might occur/used to occur in expression_to_points_to_sources().
lse
Finds what it is pointing to, memory(p)
Do we want to dereference c?
Do not create sharing between elements of "in" and elements of "sinks".
The sinks list is empty, whether eval_p is true or not...
FI: New cells have been allocated by source_to_sinks(): side-effects are OK. In theory... The source code of source_to_sinks() seems to show that fresh_p is not exploited in all situations.
in | n |
eval_p | val_p |
Definition at line 432 of file dereferencing.c.
References array_type_p(), CELL, cell_any_reference(), CONS, ENDP, entity_user_name(), expression_to_points_to_cell_p(), expression_to_points_to_sinks(), expression_to_points_to_sources(), FOREACH, free_type(), gen_free_list(), gen_full_copy_list(), gen_nconc(), get_bool_property(), merge_points_to_cell_lists(), NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, pips_user_warning, pointer_source_to_sinks(), pointer_type_p(), points_to_cell_to_type(), reference_to_string(), reference_variable, remove_impossible_arcs_to_null(), source_to_sinks(), struct_type_p(), and words_to_string().
Referenced by unary_intrinsic_call_to_points_to_sinks().
Input : a formal parameter which has a derived type (FI, I guess).
output : a set of points-to where sinks are stub points-to.
FI: a lot of rewrite needed to simplify. Also, do not forget that NULL maybe the received value.
maybe should be removed if we have already called ultimate type in formal_points_to_parameter()
We ignore dimensions for the time being, descriptors are not implemented yet...Amira Mensi
ultimate_type() returns a wrong type for arrays. For example for type int*[10] it returns int*[10] instead of int[10].
In fact, there should be a FOREACH to scan all elements of l_ef
free the spine
pt | t |
Definition at line 952 of file points_to_init_analysis.c.
References array_entity_p(), basic_derived, basic_derived_p, CAR, cell_any_reference(), compute_basic_concrete_type(), create_stub_points_to(), EFFECT, effect_any_reference, effect_undefined, effects_free(), ENTITY, entity_intrinsic(), entity_to_expression(), entity_type, entity_undefined, expression_pointer_p(), FIELD_OPERATOR_NAME, FOREACH, gen_free_list(), generic_effects_reset_all_methods(), generic_proper_effects_of_complex_address_expression(), get_bool_property(), make_cell_reference(), MakeBinaryCall(), NIL, points_to_equal_p(), points_to_rank(), points_to_undefined, reference_undefined, reference_variable, set_add_element(), set_generic_make(), set_methods_for_proper_simple_effects(), set_private, type_struct, type_struct_p, type_to_pointed_type(), type_variable, type_variable_p, ultimate_type(), and variable_basic.
Referenced by formal_points_to_parameter().
void dump_points_to | ( | const | points_to | ) |
points_to | t |
Definition at line 609 of file points_to_set.c.
References print_or_dump_points_to().
Referenced by points_to_set_sharing_p(), and print_or_dump_points_to_set().
what | hat |
Definition at line 640 of file points_to_set.c.
References print_or_dump_points_to_set().
operator kill for the dimension Module:
Definition at line 234 of file constant-path-utils.c.
References ANY_MODULE_NAME, entity_module_name(), and same_string_p.
Referenced by opgen_may_module(), opgen_must_module(), opkill_may_module(), and opkill_must_module().
Definition at line 80 of file sinks.c.
References make_cell_reference(), make_reference(), and NIL.
Referenced by make_null_cell().
No check on e for the time being
Definition at line 72 of file sinks.c.
References CELL, CONS, make_cell_reference(), make_reference(), and NIL.
Referenced by points_to_anywhere_sinks(), points_to_null_sinks(), and user_call_to_points_to_sinks().
The expression list "al" contains exactly two arguments, "lhs" and "rhs".
Check if "lhs==rhs" may return true.
If these expressions are pointers, "in" is modified by removing arcs that are not compatible with the equality. If no arc is left, a bottom "out" is returned.
If one of these two expressions cannot be evaluated according to the C standard, i.e. its value is undefined, a bottom graph is returned.
"out" is "in", modified by side-effects.
This function has many commonalities with non_equal_condition_to_points_to(). They were developped independently to avoid mistakes when dealing with negations of quantifiers. They could now be unified.
Is it impossible to evaluate lhs?
The check is too low. The message will be emitted twice because conditions are often evaluated as true and false.
Is it impossible to evaluate rhs?
Is the condition feasible?
al | l |
in | n |
Definition at line 2986 of file expression.c.
References add_arc_to_pt_map, atomic_points_to_cell_p(), CAR, CDR, CELL, cell_undefined, cell_undefined_p, clear_pt_map, copy_cell(), EXPRESSION, expression_null_p(), expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_string(), expression_to_type(), FOREACH, free_type(), gen_length(), int, list_undefined, make_approximation_exact(), make_descriptor_none(), make_points_to(), nowhere_cell_p(), null_equal_condition_to_points_to(), out, pips_user_warning, pointer_type_p(), points_to_cell_source_projection(), points_to_cells_intersect_p(), points_to_context_statement_line_number(), and points_to_graph_bottom.
Referenced by relational_intrinsic_call_condition_to_points_to().
c1 | 1 |
c2 | 2 |
Definition at line 1292 of file constant-path-utils.c.
References CAR, cell_any_reference(), ENDP, entity_minimal_user_name(), EXPRESSION, expression_constant_p(), expression_to_int(), expression_to_string(), gen_length(), generic_effects_reset_all_methods(), NIL, POP, reference_indices, reference_variable, s1, set_methods_for_proper_simple_effects(), simple_cell_to_store_independent_cell(), and unbounded_expression_p().
Referenced by gen_may_constant_paths(), and gen_must_constant_paths().
void equalize_points_to_domains | ( | points_to_graph | pt_t, |
points_to_graph | pt_f | ||
) |
Make sure that pt_t and pt_f have the same definition domain except if one of them is bottom.
pt_t | t_t |
pt_f | t_f |
Definition at line 479 of file statement.c.
References expand_points_to_domain(), and points_to_graph_bottom.
Referenced by test_to_points_to().
void error_reset_printed_points_to_list | ( | void | ) |
Change the all the exact points-to relations to may relations.
Definition at line 2603 of file points_to_set.c.
References approximation_exact_p, make_approximation_may(), points_to_approximation, and SET_FOREACH.
pt_map expression_to_points_to | ( | expression | e, |
pt_map | pt_in, | ||
bool | side_effect_p | ||
) |
Update pt_in and pt_out according to expression e.
Ignore side effects due to pointer arithmetic and assignment and function calls if side_effet_p is not set. This may be useful when conditions are evaluated twice, once for true and once for false.
Some idea, but points-to information should rather be used
list el = expression_to_proper_constant_path_effects(e);
Also, this would be computed before we know if it is useful because we need an expression and not a call to have a function to compute effects. And we do not know if we want an inter or an intraprocedural points-to analysis.
The alternative is too always compute points-to information interprocedurally, which makes sense as it is done for for memory effects and since points-to information is at a lower level than memory effects...
a cannot evaluate to null or undefined
FI: we may need a special case for stubs...
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 115 of file expression.c.
References application_to_points_to(), array_of_pointers_type_p(), call_to_points_to(), CAR, cast_expression, dereferencing_to_points_to(), ENDP, entity_basic_concrete_type(), expression_syntax, expressions_to_points_to(), gen_full_free_list(), gen_length(), int, is_syntax_application, is_syntax_call, is_syntax_cast, is_syntax_range, is_syntax_reference, is_syntax_sizeofexpression, is_syntax_subscript, is_syntax_va_arg, make_reference(), NIL, pips_assert, pips_internal_error, pointer_type_p(), points_to_graph_bottom, points_to_graph_consistent_p(), points_to_graph_undefined_p, range_to_points_to(), reference_indices, reference_to_points_to(), reference_variable, SIZEOFEXPRESSION, sizeofexpression_expression, sizeofexpression_type_p, subscript_array, subscript_indices, subscripted_reference_to_points_to(), syntax_application, syntax_call, syntax_cast, syntax_range, syntax_reference, syntax_sizeofexpression, syntax_subscript, syntax_tag, syntax_va_arg, and type_depth().
Referenced by any_loop_to_points_to(), application_to_points_to(), call_to_points_to(), declaration_statement_to_points_to(), dereferencing_subscript_to_points_to(), expressions_to_points_to(), freed_pointer_to_points_to(), instruction_to_points_to(), intrinsic_call_to_points_to(), loop_to_points_to(), new_any_loop_to_points_to(), pointer_reference_dereferencing_to_points_to(), range_to_points_to(), test_to_points_to(), and whileloop_to_points_to().
bool expression_to_points_to_cell_p | ( | expression | e | ) |
Can expression e be reduced to a reference, without requiring an evaluation?
For instance expression "p" can be reduced to reference "p".
Expression "p+i" cannot be reduced to a source reference, unless i==0.
Ad'hoc development for dereferencing_to_sinks.
Definition at line 406 of file dereferencing.c.
References call_function, ENTITY_PLUS_C_P, expression_syntax, f(), syntax_call, syntax_call_p, and syntax_reference_p.
Referenced by dereferencing_to_sinks(), and expression_to_points_to_sources().
list expression_to_points_to_cells | ( | expression | e, |
pt_map | in, | ||
bool | eval_p, | ||
bool | constant_p | ||
) |
Return a possibly empty list of abstract locations whose addresses are possible value of expression "e" evaluated with points-to information "in".
Expression "e" is assumed to evaluate as a lhs, i.e. some memory address. If not, an empty list is returned.
Additional information could be passed in a second pass analysis, e.g. preconditions.
The generated sinks are all constant memory paths. A more advanced analysis could use storage-sentitive information, that would have to be updated with effects and transformers.
The list returned should be fully allocated with no sharing between it and the in points-to set. Hopefully...
reference + range + call + cast + sizeofexpression + subscript + application
This test does not make sense for pointer19.c. Since the sink_cell is saturated with indices, its type is double. e_c_t is a 3-D array of pointers to double, f_e_t is a pointer towards a 2-D array of pointers to double... What could be checked here?
This test does not make sence for pointer22.c either. We only need to check that the sink reference can be modified by dropping a few subscript to match the pointer type.
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 1650 of file sinks.c.
References adapt_reference_to_type(), application_to_points_to_sinks(), array_pointer_string_type_equal_p(), array_type_p(), array_type_to_element_type(), call_to_points_to_sinks(), CAR, cast_to_points_to_sinks(), CDR, CELL, cell_any_reference(), char_star_constant_function_type_p(), char_star_type_p(), compute_basic_concrete_type(), constant_p(), copy_reference(), expression_syntax, expression_to_type(), FOREACH, free_reference(), free_type(), ifdebug, is_syntax_application, is_syntax_call, is_syntax_cast, is_syntax_range, is_syntax_reference, is_syntax_sizeofexpression, is_syntax_subscript, is_syntax_va_arg, NIL, null_cell_p(), pips_internal_error, pointer_type_p(), points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), points_to_expression_to_concrete_type(), range_to_points_to_sinks(), reference_to_points_to_sinks(), SIZEOFEXPRESSION, sizeofexpression_to_points_to_sinks(), string_type_p(), subscript_to_points_to_sinks(), syntax_application, syntax_call, syntax_cast, syntax_range, syntax_reference, syntax_subscript, syntax_tag, syntax_va_arg, and type_to_pointed_type().
Referenced by compute_points_to_binded_set(), expression_to_points_to_sinks(), expression_to_points_to_sources(), ternary_intrinsic_call_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
list expression_to_points_to_sinks | ( | expression | e, |
pt_map | in | ||
) |
The returned list contains cells used in "in".
They should be copied if they must be changed by side effects or "in" will become inconsistent.
This function computes the possible constant values of a pointer expression.
in | n |
Definition at line 1795 of file sinks.c.
References expression_to_points_to_cells().
Referenced by binary_intrinsic_call_to_points_to_sinks(), cast_to_points_to_sinks(), dereferencing_to_points_to(), dereferencing_to_sinks(), expression_to_points_to_sinks_with_offset(), global_source_to_sinks(), intrinsic_call_to_points_to_sinks(), pointer_reference_to_points_to_sinks(), points_to_translation_of_formal_parameters(), sizeofexpression_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
list expression_to_points_to_sinks_with_offset | ( | expression | a1, |
expression | a2, | ||
pt_map | in | ||
) |
a1 | 1 |
a2 | 2 |
in | n |
Definition at line 546 of file sinks.c.
References array_type_p(), expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_type(), free_type(), gen_free_list(), gen_full_copy_list(), NIL, offset_points_to_cells(), pointer_type_p(), points_to_expression_to_pointed_type(), scalar_integer_type_p(), and unbounded_expression_p().
Referenced by binary_intrinsic_call_to_points_to_sinks().
list expression_to_points_to_sources | ( | expression | e, |
pt_map | in | ||
) |
expression_to_points_to_sources() does not always work, especially with pointer arithmetic or subscripting because p[3], for instance, is not recognized as a valid source: it is not a constant path
Scalar pointers are expected but [0] subscript may have been added
Trouble for fread04... An array element, _line_3[0], is reduced to an array, _line_3, and you want to capture its address
A useless [0] may have been added, but it is supposed to be taken care of above... by callers of this function.
in | n |
Definition at line 1805 of file sinks.c.
References array_element_type_p(), array_pointer_type_equal_p(), CELL, char_star_constant_function_type_p(), char_star_type_p(), compute_basic_concrete_type(), expression_to_points_to_cell_p(), expression_to_points_to_cells(), FOREACH, fprintf(), free_type(), ifdebug, null_cell_p(), pips_debug, pips_internal_error, pointer_type_p(), points_to_cell_to_type(), points_to_expression_to_type(), print_expression(), print_points_to_cell, print_type(), string_type_p(), and type_to_pointed_type().
Referenced by binary_intrinsic_call_to_points_to_sinks(), cast_to_points_to_sinks(), dereferencing_subscript_to_points_to(), dereferencing_to_sinks(), expression_to_points_to_sinks_with_offset(), pointer_reference_to_points_to_sinks(), points_to_translation_of_formal_parameters(), subscript_to_points_to_sinks(), and user_call_to_points_to_intraprocedural().
Compute the points-to information pt_out that results from the evaluation of a possibly empty list of expression.
A new data structure is allocated.
Ignore side-effects unless side_effect_p is set to true.
The result is correct only if you are sure that all expressions in "el" are always evaluated.
el | l |
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 243 of file expression.c.
References EXPRESSION, expression_to_points_to(), FOREACH, and points_to_graph_bottom.
Referenced by application_to_points_to(), call_to_points_to(), dereferencing_subscript_to_points_to(), dereferencing_to_points_to(), expression_to_points_to(), reference_condition_to_points_to(), and reference_to_points_to().
Do not create sharing between elements of "in" and elements of "sinks".
sc | c |
in | n |
Definition at line 2359 of file points_to_set.c.
References cell_any_reference(), copy_cell(), ENDP, entity_user_name(), free_cell(), gen_nconc(), get_bool_property(), NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, reference_to_string(), reference_variable, source_to_sinks(), and words_to_string().
Referenced by extended_sources_to_sinks(), and pointer_source_to_sinks().
Same as extended_source_to_sinks, but for a set of cells, "pointed".
Dereference the pointer(s) to find the sinks, memory(memory(p))
pointed | ointed |
in | n |
Definition at line 2391 of file points_to_set.c.
References CELL, extended_source_to_sinks(), FOREACH, gen_nconc(), and NIL.
bool fast_interprocedural_points_to_analysis | ( | char * | module_name | ) |
module_name | odule_name |
Definition at line 574 of file passes.c.
References fast_interprocedural_points_to_p, generic_points_to_analysis(), interprocedural_points_to_p, and module_name().
bool fast_interprocedural_points_to_analysis_p | ( | void | ) |
Definition at line 555 of file passes.c.
References fast_interprocedural_points_to_p.
Referenced by user_call_to_points_to(), and user_call_to_points_to_sinks().
ptm | tm |
store | tore |
Definition at line 97 of file passes.c.
References gen_free_list(), gen_full_copy_list(), make_points_to_list(), NIL, points_to_compare_cells(), points_to_graph_bottom, points_to_graph_set, points_to_list_consistent_p(), points_to_list_undefined, set_empty_p(), set_to_sorted_list(), and store_or_update_pt_to_list().
Referenced by statement_to_points_to().
set filter_formal_context_according_to_actual_context | ( | list | fpcl, |
set | pt_in, | ||
set | pt_binded, | ||
set | binding | ||
) |
Filter "pt_in" according to "pt_binded".
For instance, a formal parameter can point to NULL in "pt_in" only if it also points to NULL in "pt_binded". In the same way, a formal parameter can point to a points-to stub in "pt_in" only if it points to a non-NULL target in "pt_binded". Also, a formal parameter cannot points exactly to UNDEFINED in "pt_binded" as it would be useless (not clear if we can remove such an arc when it is a may arc...). Finally, each formal parameter must still point to something.
The context of the caller may be insufficiently developped because its does not use explictly a pointer that is a formal parameter for it. For instance:
foo(int ***p) {bar(int ***p);}
The formal context of "foo()" must be developped when the formal context of "bar()" is imported. For instance, *p, **p and ***p may be accessed in "bar()", generating points-to stub in "bar". Similar stubs must be generated here for "foo()" before the translation can be performed.
This is also true for global variables. pt_in may contain arcs that should exist in pt_binded, and hence pt_caller. It may also contain arcs that deny the existence of some arcs in pt_caller.
Copy arcs "pt" from "pt_in" into the "filtered" set if they are compatible with "pt_binded". The set "pt_in" is reduced.
Do we have the same arc in pt_binded?
We have to deal recursively with stubs of the formal context and first with the global variables...although they, or their stubs, do not require any translation? Why is the points-to information about q lost in the translation of the call site to call03 in main (PointersWithEffects/call03.c)
FI: I do not understand why I have to do this for EffectsWithPointsTo/pointer_modif04.c. Because the arc "pt" in "pt_in" is more precise than the information available in "pt_caller". For instance, "pt_in" may contain "stderr->_stderr_0[0], Exact", while "pt_caller" may contain "stderr->_stderr_0[0], May", "stderr->NULL, May". Basically, we have not thought about the kill set generated for the global variables.
Useless when called from effects... In fact, it should never be called from effects...
FI: we do not know what we really do here... An arc is not taken into account, but it might be taken into account recursively below.
Compute the binding relation for sinks of the formal arguments and global variables
We have to handle constant strings such as "Hello!" and not to forget functional parameters.
If "fc" is not a pointer, look for pointers in "fc"
Now, we have to call about the same function recursively on the list of formal sinks
Some arcs have been removed, so other arcs may be promoted from "may" to "exact".
fpcl | pcl |
pt_in | t_in |
pt_binded | t_binded |
binding | inding |
Definition at line 582 of file interprocedural.c.
References adapt_reference_to_type(), add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), approximation_undefined, arc_in_points_to_set_p(), array_pointer_string_type_equal_p(), array_type_p(), CELL, cell_any_reference(), cell_points_to_non_null_sink_in_set_p(), constant_string_entity_p(), constant_string_type_to_string_type(), copy_approximation(), copy_cell(), copy_points_to(), ENDP, FOREACH, free_approximation(), functional_result, gen_free_list(), gen_length(), gen_nconc(), get_bool_property(), global_variable_p(), ifdebug, int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), new_simple_pt_map, NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_debug, pips_internal_error, pips_user_error, points_to_cell_add_zero_subscript(), points_to_cell_complete_with_zero_subscripts(), points_to_cell_to_concrete_type(), points_to_cell_to_useful_pointer_cells(), points_to_context_statement_line_number(), points_to_reference_to_concrete_type(), points_to_sink, points_to_source, points_to_source_to_any_sinks(), points_to_translation_mapping_is_typed_p(), print_points_to_set(), recursive_filter_formal_context_according_to_actual_context(), reference_to_string(), reference_variable, related_points_to_cell_in_list_p(), semantics_user_warning, SET_FOREACH, set_free(), set_undefined, statement_points_to_context_defined_p(), static_global_variable_p(), type_functional, type_functional_p, type_structurally_equal_p(), type_to_full_string_definition(), update_points_to_context_with_arc(), and upgrade_approximations_in_points_to_set().
set filter_formal_out_context_according_to_formal_in_context | ( | set | out, |
set | in, | ||
list | wpl, | ||
entity | f | ||
) |
If an address has not been written, i.e.
it is not in list "wpl", then the points-to information is the intersection of the in and out information.
The set "in" may be modified by side effect. A new set, "filtered_out" is computed. By definition, they are equivalent for the addresses that are not in list "wpl".
The arcs are shared by the different sets. But I may allocate new ones: yet another potential memory leak...
First, filter out according to in
The source of the arc may not have been modified but the sink probably has been freed: the arc must be preserved
The source of the arc has been modified: the arc must be preserved
the arc defining the return value must be preserved: no!
Is this points-to arc also in set "in"? With or without the same approximation?
Second, filter set "in" with respect to new set "filtered_out".
Is this points-to arc also in set "in"? With or without the same approximation?
out | ut |
in | n |
wpl | pl |
Definition at line 1263 of file interprocedural.c.
References add_arc_to_simple_pt_map, any_function_to_return_value(), approximation_exact_p, approximation_undefined, cell_any_reference(), CONS, copy_approximation(), copy_cell(), f(), FOREACH, make_descriptor_none(), make_points_to(), new_simple_pt_map, NIL, nowhere_cell_p(), out, POINTS_TO, points_to_approximation, points_to_cell_in_list_p(), points_to_sink, points_to_source, reference_variable, remove_arc_from_simple_pt_map, SET_FOREACH, and similar_arc_in_points_to_set_p().
Referenced by user_call_to_points_to_interprocedural().
The approximation is not taken into account.
It might be faster to look up the different points-to arcs that can be made with source, sink and any approximation.
source | ource |
sink | ink |
ptm | tm |
Definition at line 695 of file points_to_set.c.
References cell_equal_p(), points_to_graph_set, points_to_sink, points_to_source, points_to_undefined, and SET_FOREACH.
Referenced by offset_cells().
Find the "k"-th node of type "t" in list "p".
Beware of cycles? No reason since "p" is bounded... The problem must be addressed when "p" is built.
An issue with "t": the nodes are references and they carry multiple types, one for each number of subscripts or fields they have. So for instance, s1 and s1.next denote the same location.
Definition at line 960 of file points_to_set.c.
References CELL, cell_undefined, count, FOREACH, fprintf(), ifdebug, pips_debug, print_points_to_path(), type_compatible_super_cell(), type_compatible_with_points_to_cell_p(), and type_to_full_string_definition().
Referenced by points_to_path_to_k_limited_points_to_path().
list flow_sensitive_malloc_to_points_to_sinks | ( | expression | e | ) |
The type of me may en array type because of
int * p = (int *) malloc(nb*sizeof(int))
or int (*p)[nb] = (int (*)[nb]) malloc(sizeof(int[nb]))
In both case the heap object is an array.
We need the heap reference to be compatible with the pointer type. Adding a [0] subscript or not should be decided later, when the points-to arc is built. Or we might be able to guess right in case the first dimension is unbounded...
See Points-to/dereference19.c, line 19 for case 1, and line 17 for case 2.
Definition at line 1321 of file sinks.c.
References CAR, CELL, CONS, DIMENSION, dimension_upper, entity_array_p(), entity_type, EXPRESSION, get_bool_property(), get_current_module_entity(), get_heap_statement(), int_to_expression(), make_cell_reference(), make_null_cell(), make_reference(), make_sensitivity_information(), malloc_to_abstract_location(), NIL, reference_undefined, type_variable, unbounded_expression_p(), and variable_dimensions.
Referenced by insensitive_malloc_to_points_to_sinks(), malloc_to_points_to_sinks(), and unique_malloc_to_points_to_sinks().
fl | l |
pt_in | t_in |
Definition at line 974 of file statement.c.
References any_loop_to_points_to(), forloop_body, forloop_condition, forloop_increment, forloop_initialization, and init.
Referenced by instruction_to_points_to().
We want a recursive descent on the type of the formal parameter, once we found a pointer type we beguin a recursive descent until founding a basic case.
Then we beguin the ascent and the creation gradually of the points_to_stub by calling pointer_formal_parameter_to_stub_points_to().
FI->AM: as I would rather work on-demand, this function should be useless. I fixed it nevertheless because it seems better for EffectsWithPointsTo, which does not seem to allocate the new points-to stubs it needs.
fpt = entity_basic_concrete_type(e);
We ignor dimensions for the time being, descriptors are not implemented yet...Amira Mensi
what about storage
Definition at line 85 of file points_to_init_analysis.c.
References array_formal_parameter_to_stub_points_to(), array_type_p(), basic_tag, cell_reference_to_type(), cell_to_reference(), derived_formal_parameter_to_stub_points_to(), free_type(), is_basic_bit, is_basic_complex, is_basic_derived, is_basic_float, is_basic_int, is_basic_logical, is_basic_overloaded, is_basic_pointer, is_basic_string, is_basic_typedef, pips_internal_error, pointer_formal_parameter_to_stub_points_to(), points_to_equal_p(), points_to_rank(), reference_undefined, set_generic_make(), set_private, set_union(), type_undefined, type_variable, type_variable_p, typedef_formal_parameter_to_stub_points_to(), and variable_basic.
Referenced by init_points_to_analysis().
Creation of a stub for a formal parameter or for a reference based on a formal parameter.
The formal parameter may be a pointer, an array of something or a struct of something and so on recursively.
New dimensions may have to be added to the sink type if the source entity type is an array or if the types are assumed not strict for pointer arithmetic. This is a general issue for stub generation and dealt with at a lower level.
Because references must be considered, it is not clear that formal parameters must be handled differently from stubs or global variables. The initial decision was made, I believe, because they were assumed references in a very simple way, for instance as simple direct references.
Test cases: argv03.c
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 1380 of file points_to_set.c.
References add_arc_to_points_to_context(), add_arc_to_pt_map_(), array_type_p(), C_pointer_type_p(), cell_any_reference(), compute_basic_concrete_type(), copy_points_to(), create_k_limited_stub_points_to(), entity_basic_concrete_type(), free_approximation(), gen_nconc(), get_bool_property(), make_approximation_may(), NIL, null_to_sinks(), pips_assert, points_to_approximation, points_to_cell_to_concrete_type(), reference_variable, source_to_sinks(), and type_to_pointed_type().
Referenced by source_to_sinks().
void free_points_to_graph_sets | ( | points_to_graph | s, |
... | |||
) |
Free several sets in one call.
Useful when many sets are used simultaneously.
Analyze in args the variadic arguments that may be after t:
Since a variadic function in C must have at least 1 non variadic argument (here the s), just skew the varargs analysis:
Get the next argument
Release the variadic analysis
Definition at line 3150 of file points_to_set.c.
References free_points_to_graph().
Remove from points-to cell list R cells that certainly cannot be freed.
if c is a heap location with indices other than zero then we have bumped into a non-legal free
Definition at line 1457 of file expression.c.
References CAR, CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), CONS, ENDP, EXPRESSION, expression_null_p(), FOREACH, gen_free_list(), gen_list_and_not(), heap_cell_p(), NIL, reference_indices, and stub_points_to_cell_p().
Referenced by freed_pointer_to_points_to().
pt_map freed_list_to_points_to | ( | expression | lhs, |
list | L, | ||
list | R, | ||
pt_map | pt_in | ||
) |
Error detections on "L" and "R" have already been performed.
R only contains heap locations or stub locations, i.e. potential heap locations. Neither L nor R are empty. "lhs" is provided for other error messages.
First level memory leaks
Build a nowhere cell - Should we check a property to type it or not?
Remove Kill_1 if it is not empty by definition
Memory leak detection... Must be computed early, before pt_out has been (too?) modified. Transitive closure not performed... If one cell has been freed and if it has become unreachable, then arcs starting from it have become useless and other cells that were pointed by it may also have become unreachable.
Add Gen_2, which is not conditionned by gen_length(R) or atomicity.
Compute and add Gen_2
Do not notify the user that the source of the new nowhere points to relation is a dangling pointer because it is only a may information. Exact alias information or a more precise heap model would be necessary to have exact information about dangling pointers.
Remove Kill_2 if it is not empty by definition... which it is if heap(r) is true, but not if stub(r). Has to be done after Gen_2, or modification of pt_out should be delayed, which would avoid the internal modification of pt_out_s and make the code easier to understand...
Remove Kill_3 if it is not empty by definition: with the current heap model, it is always empty. Unreachable cells are dealt somewhere else. They can be tested with points_to_sink_to_sources().
FI: Must be placed after gen_1 in case the assignment makes the cell reachable? Nonsense?
Add Gen_1 - Not too late since pt_out has aready been modified?
Add Gen_2: useless, already performed by Kill_2
More memory leaks?
Clean up the resulting graph
lhs | hs |
pt_in | t_in |
Definition at line 1489 of file expression.c.
References add_arc_to_pt_map, anywhere_cell_p(), array_of_pointers_type_p(), array_of_struct_type_p(), atomic_points_to_cell_p(), CAR, CELL, cell_any_reference(), compute_basic_concrete_type(), CONS, copy_approximation(), copy_cell(), ENDP, entity_name, entity_user_name(), FOREACH, gen_free_list(), gen_length(), generic_atomic_points_to_cell_p(), heap_cell_p(), list_assignment_to_points_to(), make_descriptor_none(), make_points_to(), make_typed_nowhere_cell(), memory_leak_to_more_memory_leaks(), NIL, nowhere_cell_p(), null_cell_p(), pips_assert, pips_user_warning, pointer_type_p(), points_to_approximation, points_to_cell_equal_p(), points_to_cell_in_list_p(), points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), points_to_expression_to_concrete_type(), points_to_graph_set, points_to_sink, points_to_sink_to_sources(), points_to_source, reference_variable, related_points_to_cell_in_list_p(), remove_arc_from_pt_map, SET_FOREACH, struct_type_p(), stub_points_to_cell_p(), type_to_pointed_type(), unreachable_points_to_cell_p(), and variable_to_sinks().
Referenced by freed_pointer_to_points_to().
pt_map freed_pointer_to_points_to | ( | expression | lhs, |
pt_map | pt_in, | ||
bool | side_effect_p | ||
) |
Any abstract location of the lhs in L is going to point to nowhere, maybe.
Any source in pt_in pointing towards any location in lhs may or Must now points towards nowhere (malloc07).
New points-to information must be added when a formal parameter is dereferenced.
Equations for "free(e);":
Let L = expression_to_sources(e,in)
and R_1 = (expression_to_sinks(e,in) ^ (HEAP U STUBS)) - {undefined}
where ^ denotes the set intersection.
If R_1 is empty, an execution error must occur.
If R_1={NULL}, nothing happens. Let R=R_1-{NULL}.
Any location "l" corresponding to "e" can now point to nowhere/undefined:
Gen_1 = {pts=(l,nowhere,a) | l in L}
Any location source that pointed to a location r in the heap, pointed to by some l by definition, can now point to nowhere/undefined also:
Gen_2 = {pts=(source,nowhere,a) | exists r in R && r in Heap or Stubs && exists pts'=(source,r,a') in in}
If e corresponds to a unique (non-abstract?) location l, any arc starting from l can be removed:
Kill_1 = {pts=(l,r,a) in in | l in L && |L|=1 && atomic(l)}
If the freed location r is precisely known, any arc pointing towards it can be removed:
Kill_2 = {pts=(l,r,a) in in | r in R && |R|=1 && atomic(r)}
If the freed location r is precisely known or if it can no longer be reached, any arc pointing from it can be removed:
Kill_3 = {pts=(r,d,a) in in | r in R && |R|=1 && (atomic(r) v unreachable_p(r, in)}
Then the set PML = { d | heap(d) ^ (r,d,a) in Kill_3} becomes a set of potential meory leaks. They are leaked if they become unreachable in the new points-to relation out (see below) and they generate recursively new potential memory leaks and an updated points-to relation.
Since our current heap model only use abstract locations and since we do not keep any alias information, the predicate atomic should always return false and the sets Kill_2 and Kill_3 should always be empty, except if a stub is freed: locally the stub is atomic.
So, after the execution of "free(e);", the points-to relation is:
out = (in - Kill_1 - Kill_2 - Kill_3) U Gen_1 U Gen_2
Warnings for potential dangling pointers:
DP = {r|exists pts=(r,l,a) in Gen_2} // To be checked
No warning is issued as those are only potential.
Memory leaks: the freed bucket may be the only bucket containing pointers towards another bucket:
PML = {source_to_sinks(r)|r in R} ML = {m|m in PML && heap_cell_p(m) && !reachable(m, out)}
Note: for DP and ML, we could compute may and must/exact sets. We only compute must/exact sets to avoid swamping the log file with false alarms.
FI->FC: it might be better to split the problem according to |R|. If |R|=1, you know which bucket is destroyed, unless it is an abstract bucket... which we do not really know even at the intraprocedural level. In that case, you could remove all edges starting from r and then substitute r by nowhere/undefined.
If |R| is greater than 1, then a new node nowhere/undefined must be added and any arc ending up in R must be duplicated with a similar arc ending up in the new node.
The cardinal of |L| does not seem to have an impact: it does, see Kill_1
Remove cells from R_1 that do not belong to Heap: they cannot be freed
A execution error is certain
Free(NULL) has no effect
Remove from R locations that cannot be freed
We have bumped into a non-legal free such as free(p[10]). See test case malloc10.c
lhs | hs |
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 1741 of file expression.c.
References anywhere_cell_p(), CAR, CELL, cell_typed_anywhere_locations_p(), clear_pt_map, CONS, ENDP, expression_to_points_to(), expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_string(), FOREACH, freeable_points_to_cells(), freed_list_to_points_to(), gen_free_list(), gen_full_free_list(), gen_length(), heap_cell_p(), NIL, null_cell_p(), pips_assert, pips_user_warning, points_to_context_statement_line_number(), points_to_graph_bottom, and stub_points_to_cell_p().
Referenced by intrinsic_call_to_points_to().
in | n |
Definition at line 67 of file statement.c.
References copy_points_to(), new_pt_map, out, pips_assert, points_to_graph_bottom, points_to_graph_domain, points_to_graph_domain_number, points_to_graph_set, set_add_element(), and SET_FOREACH.
Referenced by any_loop_to_points_to(), boolean_intrinsic_call_condition_to_points_to(), init_points_to_context(), intrinsic_call_to_points_to(), new_any_loop_to_points_to(), new_points_to_unstructured(), statement_to_points_to(), ternary_intrinsic_call_to_points_to_sinks(), and test_to_points_to().
statement.c
statement.c
If elements are shared, it quickly becomes impossible to deep free any set.
Definition at line 50 of file statement.c.
References copy_points_to(), new_simple_pt_map, out, set_add_element(), and SET_FOREACH.
All vertices in "sink_l" are assumed to be sinks of vertex "source" in points-to graph "in".
These vertices must be replaced by a unique vertex, their minimum upper bound in the abstract address lattice. And their own out-going arcs must also be rearranged.
Clearly, some abstract addresses high in the lattice should be allowed large out-degree numbers.
A newly allocated points-to arc is returned. It could be integrated directly in "in", but the integration is performed by a caller.
Find the minimal upper bound of "sink_l"
Compute the sinks of the vertex "mupc" as the union of the sinks of cells in "sink_l" and add the corresponding arcs to "out".
Find the incoming arcs on cells of "sink_l" and replace them by arcs towards copies of mupc.
Finds it sources
Find the set of points-to arcs to destroy and remove them from the points-to graph "in".
Create an arc from "source" to "mupc"
source | ource |
sink_l | ink_l |
in | n |
Definition at line 3214 of file points_to_set.c.
References add_arc_to_pt_map(), CELL, CONS, consistent_pt_map_p, copy_cell(), FOREACH, gen_free_list(), make_approximation_may(), make_descriptor_none(), make_points_to(), NIL, nowhere_cell_p(), null_cell_p(), out, pips_assert, POINTS_TO, points_to_cell_equal_p(), points_to_cells_minimal_upper_bound(), points_to_graph_set, points_to_sink, points_to_source, points_to_source_to_arcs(), points_to_sources_to_sinks(), remove_arc_from_pt_map, and SET_FOREACH.
Referenced by normalize_points_to_graph().
here we have x = y, then we generate (x,y1,a)|(y,y1,a) as points to relation
locations_equal_p
&& !entity_abstract_location_p(el)
Should be replaced by opgen_constant_path(l,r)
if(reference_unbounded_indices_p(ref))
Make sure the types are compatible...
in_may | n_may |
address_of_p | ddress_of_p |
Lc | c |
Definition at line 1003 of file constant-path-utils.c.
References array_entity_p(), cell_any_reference(), copy_cell(), equal_must_vreference(), FOREACH, free_type(), gen_length(), int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), pips_internal_error, pointer_type_p(), points_to_cell_types_compatibility(), points_to_equal_p(), points_to_rank(), points_to_reference_to_type(), points_to_sink, points_to_source, points_to_undefined, points_to_undefined_p, ref, reference_variable, set_add_element(), SET_FOREACH, set_generic_make(), set_private, and unique_location_cell_p().
Referenced by gen_may_set().
Should be moved to anywhere_abstract_locations.c.
**If the source is not precisely known */
It is easier not to have to maintain the consistency between gen_may1 and kill_may.
in_may | n_may |
address_of_p | ddress_of_p |
Definition at line 813 of file constant-path-utils.c.
References approximation_exact_p, cell_any_reference(), cells_may_conflict_p(), copy_cell(), entity_nowhere_locations_p(), entity_null_locations_p(), entity_type, entity_typed_nowhere_locations_p(), FOREACH, gen_length(), gen_may_constant_paths(), get_bool_property(), int, make_anywhere_points_to_cell(), make_approximation_may(), make_descriptor_none(), make_points_to(), pips_user_error, pips_user_warning, points_to_approximation, points_to_equal_p(), points_to_rank(), points_to_sink, points_to_source, reference_variable, set_add_element(), SET_FOREACH, set_generic_make(), set_private, and set_union().
Referenced by list_assignment_to_points_to().
Build a set of arcs from cell l towards cells in list R if *address_p is true, or towards cells pointed by cells in list R if not.
Approximation is must if Lc==1. Lc is the cardinal of L, a set containing l.
FI->AM: I do not understand why the cardinal of R is not used too when deciding if the approximation is may or must. I decide to change the semantics of this function although it is used by the initial analysis.
FI: since *address_of_p is not modified, I do not understand why a pointer is passed.
FI->AM: sharing of a... A new approximation must be generated for each new arc
if we have x = &y then we generate (x,y,a) as points to relation
Should be replaced by opgen_constant_path(l,r)
if(reference_unbounded_indices_p(ref))
here we have x = y, then we generate (x,y1,a)|(y,y1,a) as points to relation
locations_equal_p
&& !entity_abstract_location_p(el)
if(array_entity_p(reference_variable(cell_any_reference(r)))){
reference ref = cell_any_reference(r);
expression ex = reference_to_expression(ref);
if(!expression_pointer_p(ex))
pt = make_points_to(l, r, a, make_descriptor_none());
else
pt = make_points_to(l, points_to_sink(i), a, make_descriptor_none());
}
if(!points_to_undefined_p(pt))
set_add_element(gen_must_cps, gen_must_cps, (void*) pt);
if(reference_unbounded_indices_p(ref))
in_must | n_must |
address_of_p | ddress_of_p |
Lc | c |
Definition at line 1088 of file constant-path-utils.c.
References array_entity_p(), cell_any_reference(), equal_must_vreference(), FOREACH, free_type(), gen_length(), generic_effects_reset_all_methods(), int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), pointer_type_p(), points_to_equal_p(), points_to_rank(), points_to_reference_to_type(), points_to_sink, points_to_source, points_to_undefined, points_to_undefined_p, ref, reference_variable, set_add_element(), SET_FOREACH, set_generic_make(), set_methods_for_proper_simple_effects(), set_private, simple_cell_to_store_independent_cell(), and unique_location_cell_p().
Referenced by gen_must_set().
if len > 1 we must iterate over in_must and change all points-to relations having L as lhs into may relations
in_must | n_must |
address_of_p | ddress_of_p |
Definition at line 908 of file constant-path-utils.c.
References cell_any_reference(), entity_nowhere_locations_p(), entity_null_locations_p(), entity_type, entity_typed_nowhere_locations_p(), FOREACH, gen_length(), gen_must_constant_paths(), int, make_anywhere_points_to_cell(), make_approximation_may(), make_descriptor_none(), make_points_to(), pips_user_error, pips_user_warning, points_to_compare_cell(), points_to_equal_p(), points_to_rank(), points_to_sink, points_to_source, reference_variable, set_add_element(), SET_FOREACH, set_generic_make(), set_private, and set_union().
Allocate a new list with the translations of the cells in cl, when their translation make sense.
Effects on copied parameters are discarded.
If exact_p is required, translate only cells that can be translated exactly.
cl | l |
binding | inding |
exact_p | xact_p |
Definition at line 2286 of file interprocedural.c.
References array_type_p(), CELL, cell_any_reference(), entity_basic_concrete_type(), f(), FOREACH, formal_parameter_p(), gen_free_list(), gen_length(), gen_nconc(), NIL, points_to_cell_translation(), and reference_variable.
Referenced by points_to_cells_exact_translation(), and points_to_cells_translation().
Add cells referencing a points-to stub found in parameter "s" are copied and added to list "osl".
The stubs are returned as cells not as entities.
New cells are allocated. No sharing is created between parameter "s" and result "sl".
osl | sl |
Definition at line 2829 of file interprocedural.c.
References CELL, cell_any_reference(), CONS, copy_cell(), entity_stub_sink_p(), entity_undefined_p, f(), gen_sort_list(), ifdebug, points_to_cell_in_list_p(), points_to_compare_ptr_cell(), points_to_sink, points_to_source, print_points_to_cells, reference_variable, SET_FOREACH, and stub_entity_of_module_p().
Referenced by points_to_set_to_module_stub_cell_list(), and points_to_set_to_stub_cell_list().
list generic_points_to_source_to_sinks | ( | cell | source, |
pt_map | ptm, | ||
bool | fresh_p, | ||
bool | strict_p, | ||
bool | all_p, | ||
bool | effective_p | ||
) |
Build the sinks of source "source" according to the points-to graphs.
If "source" is not found in the graph, return an empty list "sinks". If "fresh_p", allocate copies. If not, return pointers to the destination vertices in "ptm".
It is not clear how much the abstract address lattice must be used to retrieve sinks... If source = a[34], clearly a[*] is an OK equivalent source if a[34] is not a vertex of "ptm".
If !strict_p, "a[34]" is considered a source for "a[*]". This should always be the case. So strict_p should always be false.
If all_p, look for all possible sinks. For instance, if a[34] and a[*] have different sinks, return their union. If !all_p, stop the search if a[34] has sinks. This should now be obsolete thanks to exact_p. So all_p should always be true.
effective_p: you only want sinks that are not NULL and not UNDEFINED/NOWHERE. For instance, because you know you will dereference it.
Note: we must also take into account the approximations of the arcs...
This is a key point of Amira's dissertation, but it has not been handled properly yet...
source | ource |
ptm | tm |
fresh_p | resh_p |
strict_p | trict_p |
all_p | ll_p |
effective_p | ffective_p |
Definition at line 1823 of file points_to_set.c.
References approximation_exact_p, approximation_must_p, CELL, cell_equal_p(), cell_included_p(), CONS, copy_cell(), ENDP, NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, points_to_approximation, points_to_cell_in_list_p(), points_to_graph_set, points_to_sink, points_to_source, refine_points_to_cell_subscripts(), and SET_FOREACH.
Referenced by generic_points_to_sources_to_sinks(), points_to_source_to_any_sinks(), points_to_source_to_effective_sinks(), points_to_source_to_sinks(), and points_to_source_to_some_sinks().
list generic_points_to_sources_to_sinks | ( | list | sources, |
pt_map | ptm, | ||
bool | fresh_p, | ||
bool | effective_p | ||
) |
Build the union of the sinks of cells in "sources" according to the points-to graphs "ptm".
Allocate new cells if "fresh_p". No specific order in the returned list.
If effective_p, eliminate NULL and NOWHERE/UNDEFINED as targets
sources | ources |
ptm | tm |
fresh_p | resh_p |
effective_p | ffective_p |
Definition at line 2050 of file points_to_set.c.
References CELL, FOREACH, gen_nconc(), generic_points_to_source_to_sinks(), and NIL.
Referenced by points_to_sources_to_effective_sinks(), and points_to_sources_to_sinks().
pt_map generic_remove_unreachable_vertices_in_points_to_graph | ( | pt_map | ptg, |
int | code, | ||
bool | verbose_p | ||
) |
Remove arcs in points-to graph "ptg" when they start from a stub cell that is not reachable.
Points-to graph "ptg" is modified by side-effects and returned.
This clean-up should be performed each time a projection is performed, and even potentially, each time an arc is removed.
Note: see also freed_pointer_to_points_to() for a recursive implementation of the arc elimination. The current clean-up is not recursive. This function should be called repeatedly till the results converge to a fix point...
Find arcs whose origin vertex is an unreachable stub.
Remove arcs in ual.
ptg | tg |
verbose_p | erbose_p |
Definition at line 3414 of file points_to_set.c.
References cell_any_reference(), CONS, consistent_pt_map_p, ENDP, entity_heap_location_p(), entity_stub_sink_p(), FOREACH, gen_free_list(), NIL, pips_assert, pips_user_warning, POINTS_TO, points_to_cell_to_string(), points_to_graph_set, points_to_sink_to_sources(), points_to_source, reference_variable, remove_arc_from_pt_map, and SET_FOREACH.
Referenced by remove_unreachable_heap_vertices_in_points_to_graph(), remove_unreachable_stub_vertices_in_points_to_graph(), and remove_unreachable_vertices_in_points_to_graph().
The source type cannot contain a pointer field: for instance, int or char
source | ource |
pts | ts |
array_p | rray_p |
fresh_p | resh_p |
Definition at line 1177 of file points_to_set.c.
References add_arc_to_points_to_context(), add_arc_to_pt_map_(), array_of_pointers_type_p(), array_type_p(), basic_derived, cell_any_reference(), cell_to_type(), copy_basic(), copy_cell(), copy_points_to(), create_k_limited_stub_points_to(), ENTITY, entity_local_name(), entity_type, f(), FOREACH, fprintf(), gen_nconc(), get_bool_property(), make_type_variable(), make_variable(), NIL, null_to_sinks(), pips_assert, pips_internal_error, pointer_type_p(), points_to_cell_add_unbounded_subscripts(), points_to_cell_add_zero_subscripts(), points_to_cell_null_initialization(), print_type(), printf(), reference_variable, source_to_sinks(), struct_type_p(), type_struct, type_struct_p, type_to_pointed_type(), type_variable, ultimate_type(), and variable_basic.
Referenced by array_stub_source_to_sinks(), and scalar_stub_source_to_sinks().
int get_heap_counter | ( | void | ) |
statement get_heap_statement | ( | void | ) |
Definition at line 1191 of file sinks.c.
References malloc_statement.
Referenced by flow_sensitive_malloc_to_points_to_sinks().
pt_map get_points_to_context | ( | void | ) |
Definition at line 298 of file passes.c.
References points_to_context.
Referenced by generic_points_to_analysis().
st | t |
Definition at line 3530 of file points_to_set.c.
References graph_assign_list(), ifdebug, load_pt_to_list(), new_pt_map, pips_debug, points_to_graph_undefined, points_to_list_bottom, points_to_list_list, print_points_to_graph, print_statement(), and statement_unstructured_p().
statement_points_to get_printed_points_to_list | ( | void | ) |
Add an implicit dimension for pointer arithmetic
Add these new arcs to the context
Do we have to ignore an initialization?
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 1438 of file points_to_set.c.
References add_arc_to_points_to_context(), add_arc_to_pt_map_(), array_type_p(), CELL, cell_any_reference(), const_variable_p(), copy_cell(), copy_points_to(), copy_type(), create_k_limited_stub_points_to(), entity_basic_concrete_type(), entity_initial, entity_type, entity_user_name(), expression_to_points_to_sinks(), FOREACH, free_approximation(), free_expression(), gen_length(), gen_nconc(), get_bool_property(), init, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), NIL, null_to_sinks(), pips_user_warning, points_to_approximation, points_to_undefined, reference_variable, scalar_type_p(), source_to_sinks(), type_to_array_type(), type_to_pointed_type(), type_undefined, value_unknown_p, and variable_initial_expression().
Referenced by source_to_sinks().
FI: I add functions dealing with points_to_graph variable, i.e.
pt_map
ptm | tm |
Definition at line 3170 of file points_to_set.c.
References pips_debug, pips_internal_error, points_to_graph_bottom, points_to_graph_set, and set_assign_list().
Referenced by generic_points_to_analysis(), get_points_to_graph_from_statement(), and statement_to_points_to().
void init_heap_model | ( | statement | s | ) |
Definition at line 1179 of file sinks.c.
References malloc_counter, and malloc_statement.
Referenced by statement_to_points_to().
bool init_points_to_analysis | ( | char * | module_name | ) |
Properties
module_name | odule_name |
Definition at line 483 of file passes.c.
References code_declarations, DB_PUT_MEMORY_RESOURCE, debug_off, debug_on, ENTITY, entity_initial, entity_type, FOREACH, formal_parameter_p(), formal_points_to_parameter(), get_bool_property(), get_current_module_entity(), make_cell_reference(), make_points_to_list(), make_reference(), module, module_name(), module_name_to_entity(), NIL, pips_debug, pips_user_error, pips_user_warning, points_to_compare_cells(), points_to_equal_p(), points_to_list_consistent_p(), points_to_rank(), reset_current_module_entity(), set_clear(), set_current_module_entity(), set_free(), set_generic_make(), set_private, set_to_sorted_list(), set_union(), type_functional_p, and value_code.
void init_points_to_context | ( | pt_map | init | ) |
init | nit |
Definition at line 151 of file passes.c.
References full_copy_pt_map(), init, pips_assert, points_to_context, and pt_map_undefined_p.
Referenced by generic_points_to_analysis().
void init_printed_points_to_list | ( | void | ) |
void init_statement_points_to_context | ( | void | ) |
Definition at line 90 of file statement.c.
References current_statement_points_to_context, pips_assert, points_to_graph_domain, stack_make(), stack_undefined_p, statement_domain, and statement_points_to_context.
Referenced by generic_points_to_analysis().
bool initial_points_to | ( | char * | name | ) |
Retrieve points-to that are statically initialized, especially in compilation units.
At least, useful for debugging
Could we retrieve initializations of static variables?
name | ame |
Definition at line 582 of file passes.c.
References compilation_unit_p(), copy_points_to_list(), db_get_memory_resource(), DB_PUT_MEMORY_RESOURCE, debug_off, debug_on, make_points_to_list(), module, module_name_to_entity(), NIL, points_to_list_undefined, reset_current_module_entity(), set_current_module_entity(), and strdup().
list insensitive_malloc_to_points_to_sinks | ( | expression | e | ) |
FI->AM: what's the difference with the previous option? Reference to your dissertation?
Definition at line 1312 of file sinks.c.
References flow_sensitive_malloc_to_points_to_sinks(), NIL, and pips_internal_error.
Referenced by malloc_to_points_to_sinks().
pt_map instruction_to_points_to | ( | instruction | i, |
pt_map | pt_in | ||
) |
See points_to_statement()
pt_in is modified by side-effects and returned
pt_in | t_in |
Definition at line 370 of file statement.c.
References call_to_points_to(), expression_to_points_to(), forloop_to_points_to(), instruction_call, instruction_expression, instruction_forloop, instruction_loop, instruction_sequence, instruction_tag, instruction_test, instruction_unstructured, instruction_whileloop, is_instruction_call, is_instruction_expression, is_instruction_forloop, is_instruction_goto, is_instruction_loop, is_instruction_multitest, is_instruction_sequence, is_instruction_test, is_instruction_unstructured, is_instruction_whileloop, loop_to_points_to(), NIL, pips_internal_error, points_to_graph_bottom, sequence_to_points_to(), test_to_points_to(), unstructured_to_points_to(), and whileloop_to_points_to().
Referenced by statement_to_points_to().
pt_map internal_pointer_assignment_to_points_to | ( | expression | lhs, |
expression | rhs, | ||
pt_map | pt_in | ||
) |
Any abstract location of the lhs in L is going to point to any sink of any abstract location of the rhs in R.
New points-to information must be added when a formal parameter is dereferenced.
Store independence must be checked.
Beware of points-to cell lattice: e.g. add a[*] to a[1]
This is not the right place to take the lattice into account. As a result, a[1] woud not kill a[1] anymore. The problem must be taken care of by the equations used in list_assignment_to_points_to().
Make sure all cells in L are pointers: l may be an array of pointers
FI: I am not sure it is useful here because the conversion to an array due to property POINTS_TO_STRICT_POINTER_TYPES may not have occured yet
Retrieve the memory locations that might be reached by the rhs
Update the real "pt_in", the calling context, and "pt_out" by adding new stubs linked directly or indirectly to the formal parameters and global variables if necessary.
We must be in a dead-code portion. If not pleased, adjust properties...
The C99 standard does not preclude the propagation of indeterminate values. It is often used in our test cases when structs are assigned.
clear_pt_map(pt_out); points_to_graph_bottom(pt_out) = true;
lhs | hs |
rhs | hs |
pt_in | t_in |
Definition at line 1315 of file expression.c.
References array_type_p(), CAR, CELL, check_rhs_value_types(), clear_pt_map, CONS, consistent_points_to_graph_p(), copy_cell(), ENDP, expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_string(), FOREACH, free_type(), gen_free_list(), gen_length(), int, list_assignment_to_points_to(), NIL, nowhere_cell_p(), pips_assert, pips_user_warning, points_to_cell_add_unbounded_subscripts(), points_to_cell_add_zero_subscripts(), points_to_cell_to_type(), points_to_context_statement_line_number(), points_to_graph_bottom, source_to_sinks(), and statement_points_to_context_defined_p().
Referenced by pointer_assignment_to_points_to().
bool interprocedural_points_to_analysis | ( | char * | module_name | ) |
module_name | odule_name |
Definition at line 567 of file passes.c.
References fast_interprocedural_points_to_p, generic_points_to_analysis(), interprocedural_points_to_p, and module_name().
bool interprocedural_points_to_analysis_p | ( | void | ) |
Definition at line 550 of file passes.c.
References interprocedural_points_to_p.
Referenced by user_call_to_points_to(), and user_call_to_points_to_sinks().
bool intraprocedural_points_to_analysis | ( | char * | module_name | ) |
module_name | odule_name |
Definition at line 560 of file passes.c.
References fast_interprocedural_points_to_p, generic_points_to_analysis(), interprocedural_points_to_p, and module_name().
We can break down the intrinsics according to their arity or according to their kinds...
or according to both conditions...
Make sure that all dereferencements are possible? Might be included in intrinsic_call_to_points_to()...
in | n |
true_p | rue_p |
Definition at line 2618 of file expression.c.
References boolean_intrinsic_call_condition_to_points_to(), call_arguments, call_function, CAR, CDR, cells_may_not_point_to_null_p(), cells_must_point_to_null_p(), clear_pt_map, condition_to_points_to(), dereferencing_to_points_to(), ENTITY_ASSIGN_P, ENTITY_DEREFERENCING_P, ENTITY_LOGICAL_OPERATOR_P, ENTITY_POINT_TO_P, ENTITY_POST_DECREMENT_P, ENTITY_POST_INCREMENT_P, ENTITY_PRE_DECREMENT_P, ENTITY_PRE_INCREMENT_P, ENTITY_RELATIONAL_OPERATOR_P, EXPRESSION, expression_to_points_to_sinks(), f(), gen_free_list(), intrinsic_call_to_points_to(), out, pips_assert, pips_user_warning, pointer_type_p(), points_to_expression_to_concrete_type(), points_to_graph_bottom, points_to_graph_consistent_p(), and relational_intrinsic_call_condition_to_points_to().
Referenced by call_condition_to_points_to().
Is the dereferenced pointer null or undefined?
Is the dereferenced pointer null or undefined?
|| ENTITY_ASSERT_FAIL_SYSTEM_P(f)
Check the FILE * parameter, when it exists, and the char * format parameter, as well as the char * other actual arguments since they may be dereferenced or not, depending on the format content. With a p, the pointer is not referenced, with a s, it is.
attempt at using an undefined value
Expression a may be dereferenced or not depending on the corresponding format specification, s or p.
We could try to analyze the format when it is available to decide if a dereferencing must occur with s or not.
possible attempt at using an undefined value
it is assumed that only one return is present in any module code because internal returns are replaced by gotos
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 411 of file expression.c.
References assignment_to_points_to(), C_pointer_type_p(), call_arguments, call_function, CAR, CDR, CELL, char_star_type_p(), clear_pt_map, condition_to_points_to(), CONS, copy_expression(), copy_points_to_graph(), DEREFERENCING_OPERATOR_NAME, dereferencing_to_points_to(), ENDP, ENTITY_ABORT_SYSTEM_P, ENTITY_ASSERT_FAIL_SYSTEM_P, ENTITY_ASSIGN_P, ENTITY_C_RETURN_P, ENTITY_CLEARERR_P, ENTITY_CONDITIONAL_P, ENTITY_DEREFERENCING_P, ENTITY_EXIT_SYSTEM_P, ENTITY_FCLOSE_P, ENTITY_FDOPEN_P, ENTITY_FEOF_P, ENTITY_FERROR_P, ENTITY_FILENO_P, ENTITY_FOPEN_P, ENTITY_FPRINTF_P, ENTITY_FREAD_P, ENTITY_FREE_SYSTEM_P, ENTITY_FREOPEN_P, ENTITY_FSCANF_P, ENTITY_FWRITE_P, ENTITY_ISOC99_FSCANF_P, ENTITY_ISOC99_SCANF_P, ENTITY_ISOC99_SSCANF_P, ENTITY_MINUS_C_P, ENTITY_MINUS_UPDATE_P, entity_name, ENTITY_PLUS_C_P, ENTITY_PLUS_UPDATE_P, ENTITY_POINT_TO_P, ENTITY_POST_DECREMENT_P, ENTITY_POST_INCREMENT_P, ENTITY_PRE_DECREMENT_P, ENTITY_PRE_INCREMENT_P, ENTITY_PRINTF_P, ENTITY_SCANF_P, ENTITY_SPRINTF_P, ENTITY_SSCANF_P, ENTITY_STOP_P, ENTITY_STRCAT_SYSTEM_P, ENTITY_STRCMP_SYSTEM_P, ENTITY_STRNCAT_SYSTEM_P, ENTITY_STRNCMP_SYSTEM_P, entity_to_expression(), entity_user_name(), EXPRESSION, expression_reference_p(), expression_to_points_to(), expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_string(), expression_to_type(), f(), FindOrCreateTopLevelEntity(), FOREACH, free_expression(), free_pt_map, free_type(), freed_pointer_to_points_to(), full_copy_pt_map(), function_to_return_value(), gen_free_list(), gen_length(), get_current_module_entity(), int_to_expression(), list_assignment_to_points_to(), make_nowhere_cell(), MakeUnaryCall(), merge_points_to_graphs(), NIL, nowhere_cell_p(), pips_assert, pips_debug, pips_user_error, pips_user_warning, pointer_arithmetic_to_points_to(), pointer_type_p(), points_to_context_statement_line_number(), points_to_expression_to_concrete_type(), points_to_graph_bottom, points_to_graph_consistent_p(), points_to_graph_set, points_to_graph_undefined_p, pt_map_undefined, set_clear(), struct_type_p(), type_to_full_string_definition(), unary_intrinsic_expression, and UNARY_MINUS_OPERATOR_NAME.
Referenced by call_to_points_to(), and intrinsic_call_condition_to_points_to().
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 172 of file sinks.c.
References binary_intrinsic_call_to_points_to_sinks(), call_arguments, call_function, CAR, constant_p(), ENTITY_COMMA_P, EXPRESSION, expression_to_points_to_sinks(), f(), gen_last(), gen_length(), int, nary_intrinsic_call_to_points_to_sinks(), NIL, pips_internal_error, ternary_intrinsic_call_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
Referenced by call_to_points_to_sinks().
pt_out | t_out |
Definition at line 912 of file statement.c.
References cell_any_reference(), cell_to_type(), copy_approximation(), free_type(), gen_length(), make_anywhere_cell(), make_descriptor_none(), make_points_to(), points_to_approximation, points_to_equal_p(), points_to_graph_set, points_to_sink, points_to_source, reference_indices, remove_arc_from_pt_map_, and SET_FOREACH.
Compute the set of arcs in the input points-to relation "in" whose approximation must be changed from "exact" to "may".
This set is linked to set "gen_may1", although consistency would be easier to maintain if only "kill_may" were used to generate the new arcs...
kill_may = { pt in "in"| exact(pt) ^ \exists l in L conflict(l, source(pt))}
The restriction to !atomic does not seem useful.
in_may | n_may |
Definition at line 668 of file constant-path-utils.c.
References FOREACH, make_approximation_exact(), make_descriptor_none(), make_points_to(), opkill_may_constant_path(), points_to_equal_p(), points_to_rank(), points_to_sink, points_to_source, set_add_element(), SET_FOREACH, set_generic_make(), and set_private.
Referenced by list_assignment_to_points_to().
Generate the subset of arcs that must be removed from the points-to graph "in".
Set "in_must" is the subset of set "in" with exact points-to arcs only.
kill_1 = kill_must = {pt in "in" | source(pt) in L ^ |L|=1 ^ atomic(L) }
where "atomic(L)" is a short cut for "atomic(l) forall l in L"
Here, correctly, the atomicity is not checked directly, but properly, using an operator of the lattice.
in | n |
Definition at line 700 of file constant-path-utils.c.
References CAR, CELL, gen_length(), int, new_simple_pt_map, opkill_must_constant_path(), points_to_source, set_add_element(), and SET_FOREACH.
Referenced by list_assignment_to_points_to().
Update "pt_out" when any element of L can be assigned any element of R.
FI->AM: Potential and sure memory leaks are not (yet) detected.
FI->AM: the distinction between may and must sets used in the implementation seem useless.
Old description by Amira:
KILL_MAY = kill_may_set() KILL_MUST= kill_must_set()
GEN_MAY = gen_may_set() GEN_MUST= gen_must_set()
KILL = KILL_MAY U KILL_MUST GEN = GEN_MAY U GEN_MUST PT_OUT = (PT_OUT - KILL) U GEN
This function is used to model a C pointer assignment "e1 = e2;"
Let L = expression_to_sources(e1) and R = expression_to_sinks(e2).
Let "in" be the points-to relation before executing the assignment.
Gen(L,R) = {pts| exist l in L exists r in R s.t. pts=(l,r,|L|=1)
Kill(L,in) = {pts=(l,sink,must)| l in L}
Let K=Kill(L,in) and out = (in-K) U gen(L,R)
For memory leaks, let
ML(K,out) = {c in Heap | exists pts=(l,c,a) in K && !(exists pts'=(l',c,a') in out)}
For error dereferencing, such as nowhere/undefined and NULL, check the content of L.
This function is described in Amira Mensi's dissertation.
Test cases designed to check the behavior of this function: ?!?
Check possible dereferencing errors
For arrays, an extra eval has been applied by adding 0 subscripts
What do we want to do when the left hand side is NULL or UNDEFINED?
The code cannot be executed
Compute the data-flow equation for the may and the must edges...
out = (in - kill) U gen ?
Extract MAY/MUST points to relations from the input set "pt_out"
Check kill_must for potential memory leaks
FI: this error message may be wrong in case of a call to realloc(); see Pointers/hyantes02.c, hyantes03.c
FI: this error message may deal with a bucket that does not really exist because its allocation was conditional.
To make things worse, the warning is emitted in an iterative loop analysis.
Look for a chain of memory leaks. Since they are also "related" to "d", this must be done before the next step.
Look for related lost arcs. See Pointers/malloc18.c
en_must,
kill,
pt_out | t_out |
Definition at line 2029 of file expression.c.
References add_arc_to_pt_map, approximation_exact_p, C_pointer_type_p(), CAR, CELL, cell_any_reference(), clear_pt_map, CONS, consistent_points_to_graph_p(), consistent_points_to_set(), copy_cell(), copy_descriptor(), effect_reference_to_string(), ENDP, entity_type, FOREACH, fprintf(), free_cell(), gen(), gen_free_list(), gen_length(), gen_list_and_not(), gen_may_set(), generic_atomic_points_to_cell_p(), get_bool_property(), heap_cell_p(), kill_may_set(), kill_must_set(), make_anywhere_points_to_cell(), make_approximation_may(), make_points_to(), memory_leak_to_more_memory_leaks(), new_simple_pt_map, NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_internal_error, pips_user_warning, POINTS_TO, points_to_anywhere(), points_to_anywhere_typed(), points_to_approximation, points_to_cell_to_concrete_type(), points_to_cell_to_string(), points_to_context_statement_line_number(), points_to_descriptor, points_to_graph_bottom, points_to_graph_set, points_to_may_filter(), points_to_must_filter(), points_to_sink, points_to_source, print_points_to_cell, reduce_cell_to_pointer_type(), reference_variable, remove_arc_from_pt_map, set_assign(), set_difference(), set_empty_p(), SET_FOREACH, set_size(), set_union(), sets_free(), and unreachable_points_to_cell_p().
Referenced by freed_list_to_points_to(), internal_pointer_assignment_to_points_to(), and intrinsic_call_to_points_to().
points_to_list load_printed_points_to_list | ( | statement | ) |
Definition at line 78 of file points_to_set.c.
References cell_to_reference(), and reference_variable.
eturn true if two acces_path are equals
acc1 | cc1 |
acc2 | cc2 |
Definition at line 89 of file points_to_set.c.
References cell_equal_p().
Referenced by consistent_points_to_set(), and points_to_equal_p().
FI: I assume that pointers and pointer arithmetic cannot appear in a do loop, "do p=q, r, 1" is possible with "p", "q" and "r" pointing towards the same array...
Let's hope the do loop conversion does not catch such cases.
loop range expressions may require some points-to information See for instance Pointers/Mensi.sub/array_init02.c
Side effects might have to be taken into account... But side effects should also prevent PIPS from transforming a for loop into a do loop.
pt_in | t_in |
Definition at line 573 of file statement.c.
References any_loop_to_points_to(), expression_to_points_to(), expression_undefined, init, loop_body, loop_range, range_increment, range_lower, and range_upper.
Referenced by instruction_to_points_to().
cell make_nowhere_cell | ( | void | ) |
CP = Mdodule * Name * Type *Vref. To calculate the lattice PC operators we define these operators first on each of its dimensions. Each dimension represents a lattice with a bottom and a top.
Definition at line 35 of file constant-path-utils.c.
References entity_all_xxx_locations(), make_cell_reference(), make_reference(), NIL, and NOWHERE_LOCATION.
Referenced by cell_to_nowhere_sink(), intrinsic_call_to_points_to(), points_to_nowhere(), remove_points_to_cell(), and unary_intrinsic_call_to_points_to_sinks().
cell make_null_cell | ( | void | ) |
Definition at line 95 of file sinks.c.
References entity_null_locations(), and entity_to_cell().
Referenced by binary_intrinsic_call_to_points_to_sinks(), declaration_statement_to_points_to(), flow_sensitive_malloc_to_points_to_sinks(), and null_equal_condition_to_points_to().
Definition at line 43 of file constant-path-utils.c.
References entity_all_xxx_locations_typed(), make_cell_reference(), make_reference(), NIL, and NOWHERE_LOCATION.
Referenced by cell_to_nowhere_sink(), freed_list_to_points_to(), points_to_set_block_projection(), and remove_points_to_cell().
list malloc_to_points_to_sinks | ( | expression | e, |
pt_map | in | ||
) |
Heap modelling.
FI: lots of issues here; the potential cast is lost...
FI: the high-level switch I have added to understand the management of options is performed at a much much lower level, which may be good or not. I do not think it's good for readbility, but factoring is good. See malloc_to_abstract_location()
e is the arguments of the malloc call...
Basic heap modelling
ABSTRACT_HEAP_LOCATIONS:
"unique": do not generate heap abstract locations for each line number...
"insensitive": control path are not taken into account; all malloc() located in one function are equivalent.
"flow-sensitive": take into account the line number or the occurence number?
"context-sensitive": take into account the call stack; not implemented
ALIASING_ACROSS_TYPE: you should have one heap per type if aliasing across type is forbidden. The impact of its composition with the previous property is not specified...
The C standard specifies that all pointers that are allocated in the heap have the value "indeterminate".
in | n |
Definition at line 1231 of file sinks.c.
References add_arc_to_pt_map, CELL, cell_any_reference(), cell_to_nowhere_sink(), ENDP, flow_sensitive_malloc_to_points_to_sinks(), FOREACH, gen_free_list(), get_string_property(), insensitive_malloc_to_points_to_sinks(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), NIL, pips_user_error, points_to_source_to_sinks(), points_to_undefined, reference_variable, same_string_p, unique_malloc_to_points_to_sinks(), and variable_to_pointer_locations().
Referenced by binary_intrinsic_call_to_points_to_sinks(), and unary_intrinsic_call_to_points_to_sinks().
we define operator max fot the lattice Module which has any_module as top and a bottom which is not yet clearly defined (maybe no_module) max_module : Module * Module -> Module Side effects on m1 if we have an anywhere location to return.
m1 | 1 |
m2 | 2 |
Definition at line 207 of file constant-path-utils.c.
References cell_any_reference(), entity_all_locations(), entity_name, make_cell_reference(), make_reference(), NIL, reference_variable, and same_string_p.
t1 | 1 |
t2 | 2 |
Definition at line 411 of file constant-path-utils.c.
References MakeTypeUnknown(), type_equal_p(), and type_unknown_p.
returns the cell vertex "mod_cell" with the maximal out_degree in graph "in", and its out-degree.
When several cells have the same maximal out-degree, return any of them.
mod_cell | od_cell |
in | n |
Definition at line 3293 of file points_to_set.c.
References hash_get(), HASH_MAP, hash_put(), hash_string, hash_table_free(), hash_table_make(), HASH_UNDEFINED_VALUE, hash_update(), int, points_to_cell_name(), points_to_graph_set, points_to_source, SET_FOREACH, and strdup().
Referenced by normalize_points_to_graph().
Cell "l" has been memory leaked for sure and is not referenced any more in "in".
Its successors may be leaked too.
Remove useless unreachable arcs
Look for a chain of memory leaks
in | n |
Definition at line 1929 of file expression.c.
References CELL, CONS, FOREACH, gen_free_list(), heap_cell_p(), NIL, out, pips_user_warning, POINTS_TO, points_to_cell_equal_p(), points_to_cell_to_pointer_cells(), points_to_cell_to_string(), points_to_context_statement_line_number(), points_to_graph_set, points_to_sink, points_to_source, remove_arc_from_pt_map, SET_FOREACH, and unreachable_points_to_cell_p().
Referenced by freed_list_to_points_to(), list_assignment_to_points_to(), and points_to_set_block_projection().
s1 | 1 |
s2 | 2 |
Definition at line 3183 of file points_to_set.c.
References merge_points_to_set(), new_pt_map, points_to_graph_bottom, points_to_graph_set, and s1.
Referenced by any_loop_to_points_to(), boolean_intrinsic_call_condition_to_points_to(), control_to_points_to(), intrinsic_call_to_points_to(), new_any_loop_to_points_to(), new_points_to_unstructured(), statement_to_points_to(), and test_to_points_to().
Merge two points-to sets.
This function is required to compute the points-to set resulting of an if control statements.
A new set is allocated but it reuses the elements of "s1" and "s2".
s1 | 1 |
s2 | 2 |
Definition at line 2544 of file points_to_set.c.
References approximation_exact_p, approximation_must_p, consistent_points_to_set(), make_approximation_may(), make_descriptor_none(), make_points_to(), pips_assert, points_to_approximation, points_to_equal_p(), points_to_rank(), points_to_sink, points_to_source, s1, set_add_element(), set_assign(), set_belong_p(), set_clear(), set_empty_p(), SET_FOREACH, set_free(), set_generic_make(), set_intersection(), set_private, and set_union().
Referenced by merge_points_to_graphs(), and ternary_intrinsic_call_to_points_to_sinks().
mt | t |
pt_in | t_in |
Definition at line 967 of file statement.c.
References pips_internal_error.
in | n |
Definition at line 640 of file sinks.c.
References call_function, ENTITY_COMMA_P, f(), NIL, and pips_internal_error.
Referenced by intrinsic_call_to_points_to_sinks().
pt_map new_any_loop_to_points_to | ( | statement | b, |
expression | init, | ||
expression | c, | ||
expression | inc, | ||
pt_map | pt_in | ||
) |
Perform the same k-limiting scheme for all kinds of loops.
The do while loop must use an external special treatment for the first iteration.
Derived from the initial any_loop_to_points_to(): the iteration scheme is slighlty different but we end up with the same final iteration with all unioned states. Seems problematic at least in the presence of calls to free() because iter() is never normalized and always introduces new vertices and arcs in "pt_out". See list05.c.
pt_in is modified by side effects.
First, enter or skip the loop: initialization + condition check
Compute pt_out as loop invariant: pt_out holds at the beginning of the loop body.
pt_out(i) = pt_out(i-1) U pt_iter(i)
pt_iter(i) = f(pt_iter(i-1))
pt_prev == pt_iter(i-1), pt_out_prev == pt_out(i-1)
Note: the pt_out variable is also used to carry the loop exit points-to set.
prev receives the current points-to information, pt_iter
Depending on the kind of loop, execute the body and then possibly the incrementation and the condition
Merge the previous resut and the current result.
Check convergence
Add the last iteration to obtain the pt_out holding when exiting the loop
FI: I suppose that p[i] is replaced by p[*] and that MAY/MUST information is changed accordingly.
init | nit |
inc | nc |
pt_in | t_in |
Definition at line 792 of file statement.c.
References assign_pt_map, clear_pt_map, condition_to_points_to(), expression_to_points_to(), expression_undefined_p, full_copy_pt_map(), get_int_property(), init, merge_points_to_graphs(), new_pt_map, normalize_points_to_graph(), pips_debug, pips_internal_error, points_to_graph_bottom, points_to_graph_set, points_to_independent_store(), print_points_to_set(), set_equal_p(), and statement_to_points_to().
set new_filter_formal_context_according_to_actual_context | ( | list | fpcl, |
set | pt_in, | ||
set | pt_binded, | ||
set | binding | ||
) |
Copy arcs "pt" from "pt_in" into the "filtered" set if they are compatible with "pt_binded". The set "filtered" is a subset of "pt_in".
Do we have the same arc in pt_binded?
We have to deal recursively with stubs of the formal context and first with the global variables... although they, or their stubs, do not require any translation? Why is the points-to information about q lost in the translation of the call site to call03 in main (PointersWithEffects/call03.c)
FI: I do not understand why I have to do this for EffectsWithPointsTo/pointer_modif04.c. Because the arc "pt" in "pt_in" is more precise than the information available in "pt_caller". For instance, "pt_in" may contain "stderr->_stderr_0[0], Exact", while "pt_caller" may contain "stderr->_stderr_0[0], May", "stderr->NULL, May". Basically, we have not thought about the kill set generated for the global variables.
Useless when called from effects... In fact, it should never be called from effects...
FI: we do not know what we really do here... An arc is not taken into account, but it might be taken into account recursively below.
Compute the binding relation for sinks of the formal arguments and global variables
We have to handle constant strings such as "Hello!" and not to forget functional parameters.
Some arcs have been removed, so other arcs may be promoted from "may" to "exact".
fpcl | pcl |
pt_in | t_in |
pt_binded | t_binded |
binding | inding |
Definition at line 1039 of file interprocedural.c.
References adapt_reference_to_type(), add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), approximation_undefined, arc_in_points_to_set_p(), array_pointer_string_type_equal_p(), array_type_p(), CELL, cell_any_reference(), cell_points_to_non_null_sink_in_set_p(), constant_string_entity_p(), constant_string_type_to_string_type(), copy_approximation(), copy_cell(), copy_points_to(), FOREACH, free_approximation(), functional_result, gen_length(), get_bool_property(), global_variable_p(), ifdebug, int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), new_recursive_filter_formal_context_according_to_actual_context(), new_simple_pt_map, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_debug, pips_internal_error, pips_user_error, points_to_cell_add_zero_subscript(), points_to_cell_complete_with_zero_subscripts(), points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), points_to_reference_to_concrete_type(), points_to_sink, points_to_source, points_to_source_to_any_sinks(), points_to_translation_mapping_is_typed_p(), print_points_to_set(), reference_to_string(), reference_variable, related_points_to_cell_in_list_p(), semantics_user_warning, SET_FOREACH, set_free(), set_undefined, statement_points_to_context_defined_p(), static_global_variable_p(), type_functional, type_functional_p, type_structurally_equal_p(), type_to_full_string_definition(), update_points_to_context_with_arc(), and upgrade_approximations_in_points_to_set().
Referenced by user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
pt_map new_points_to_unstructured | ( | unstructured | , |
pt_map | , | ||
bool | |||
) |
Definition at line 985 of file points_to_set.c.
References CELL, cell_equal_p(), and FOREACH.
Referenced by points_to_path_to_k_limited_points_to_path().
The expression list "al" contains exactly two arguments.
If these expressions are pointers, "in" is modified by removing arcs that are not compatible with the equality. If no arc is left, a bottom "in" is returned.
"out" is "in", modified by side-effects.
Is the condition lhs!=rhs certainly impossible to evaluate? If not, is it always false?
al | l |
in | n |
Definition at line 3086 of file expression.c.
References atomic_points_to_cell_p(), CAR, CDR, CELL, cell_undefined, cell_undefined_p, clear_pt_map, copy_cell(), EXPRESSION, expression_null_p(), expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_string(), expression_to_type(), free_type(), gen_length(), int, list_undefined, make_approximation_may(), make_descriptor_none(), make_points_to(), nowhere_cell_p(), null_non_equal_condition_to_points_to(), out, pips_assert, pips_user_warning, pointer_type_p(), points_to_cell_equal_p(), points_to_context_statement_line_number(), points_to_graph_bottom, and remove_arc_from_pt_map.
Referenced by relational_intrinsic_call_condition_to_points_to().
For the time being, control the out-degree of the vertices in points-to graph "ptg" and fuse the vertex with the maximal out-degree to reduce it if it is greater than an expected limit.
Points-to graph "ptg" i modified by side-effects and returned.
The out-degree limit must take the subscript limit sl into account as well as possible NULL and NOWHERE values (+2). The unbounded susbcript must also be added because it does not necessarily subsume all integer subscripts (+1). The subscript limit will kick in anyway later. Subscripts are limited to the range [-sl,sl], which contains 2*sl+1 values.
ptg | tg |
Definition at line 3329 of file points_to_set.c.
References add_arc_to_pt_map(), cell_undefined_p, fuse_points_to_sink_cells(), get_int_property(), ifdebug, maximal_out_degree_of_points_to_graph(), pips_assert, pips_debug, pips_internal_error, points_to_graph_set, points_to_source_name_to_sinks(), points_to_source_name_to_source_cell(), print_points_to_set(), and string_undefined.
Referenced by any_loop_to_points_to(), and new_any_loop_to_points_to().
source | ource |
pts | ts |
Definition at line 1329 of file points_to_set.c.
References anywhere_source_to_sinks(), cell_any_reference(), entity_local_name(), get_bool_property(), NIL, pips_user_warning, and reference_variable.
Referenced by source_to_sinks().
pt_map null_equal_condition_to_points_to | ( | expression | e, |
pt_map | in | ||
) |
The condition is e==NULL.
e==NULL may be true if exists c in sinks(e) s.t. {NULL} is included in c. else e==NULL must be false.
Some arcs in in may be removed: forall c in sources(e):
out = in - {pt=(a,b) in in | a in sources(e) and b=NULL}
May the condition be true under "in"?
If NULL initialization is not performed, a stub can represent a NULL.
Remove arcs incompatible with the condition e==NULL and add the arc e->NULL
All arcs starting from fc can be removed and replaced by one arc from fc to NULL.
in | n |
Definition at line 2849 of file expression.c.
References add_arc_to_pt_map, anywhere_cell_p(), atomic_points_to_cell_p(), CAR, CELL, cell_in_list_p(), cell_typed_anywhere_locations_p(), clear_pt_map, copy_cell(), ENDP, expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_type(), FOREACH, gen_free_list(), gen_length(), get_bool_property(), int, make_approximation_exact(), make_descriptor_none(), make_null_cell(), make_points_to(), null_cell_p(), out, pips_assert, pips_internal_error, pointer_type_p(), points_to_cell_source_projection(), points_to_graph_bottom, points_to_graph_set, points_to_sink, points_to_source, remove_arc_from_pt_map_, SET_FOREACH, and stub_points_to_cell_p().
Referenced by equal_condition_to_points_to().
pt_map null_non_equal_condition_to_points_to | ( | expression | e, |
pt_map | in | ||
) |
The condition is e!=NULL.
e!=NULL may be true if exists c in sinks(e) s.t. c != {NULL}
e!=NULL is false if forall c in sinks(e) c is included in {NULL}
Arcs that can be removed:
FI: I decided not to merge this function with the previous one till they are both fully defined and tested.
May the condition be true under "in"?
Remove arcs incompatible with the condition e!=NULL
in | n |
Definition at line 2927 of file expression.c.
References CELL, cell_in_list_p(), clear_pt_map, ENDP, expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_type(), FOREACH, null_cell_p(), out, pips_internal_error, pointer_type_p(), points_to_graph_bottom, points_to_graph_set, points_to_sink, points_to_source, remove_arc_from_pt_map_, and SET_FOREACH.
Referenced by non_equal_condition_to_points_to().
source | ource |
pts | ts |
Definition at line 1346 of file points_to_set.c.
References anywhere_source_to_sinks(), cell_any_reference(), entity_local_name(), get_bool_property(), NIL, pips_user_warning, and reference_variable.
Referenced by source_to_sinks().
Create a list of null sinks and add a new null points-to relation to pts.
pts is modified by side effect.
source | ource |
ptm | tm |
Definition at line 2505 of file points_to_set.c.
References add_arc_to_points_to_context(), add_arc_to_pt_map_(), CELL, CONS, copy_cell(), copy_points_to(), make_approximation_may(), make_descriptor_none(), make_null_pointer_value_cell(), make_points_to(), and NIL.
Referenced by formal_source_to_sinks(), generic_stub_source_to_sinks(), global_source_to_sinks(), and points_to_cell_null_initialization().
void offset_array_reference | ( | reference | r, |
expression | delta, | ||
type | et | ||
) |
Side effect on reference "r".
r is assumed to be a reference to an array.
The offset is applied to the last suscript.
delta | elta |
et | t |
Definition at line 802 of file expression.c.
References CAR, CONS, constant_int, constant_int_p, ENDP, EvalExpression(), EXPRESSION, EXPRESSION_, free_expression(), get_int_property(), int_to_expression(), make_unbounded_expression(), NIL, points_to_reference_to_typed_index(), reference_indices, value_constant, and value_constant_p.
Referenced by offset_cell().
points_to offset_cell | ( | points_to | pt, |
expression | delta, | ||
type | et | ||
) |
Allocate and return a new points-to "npt", copy of "pt", with an offset of "delta" on the sink.
"et" is used to determine which index should be offseted.
Some kind of k-limiting should be performed here to avoid creating too many new nodes in the points-to graph, such as t[0], t[1],... A fix point t[*] should be used when too may nodes already exist.
Since "sink" is used to compute the key in the hash table used to represent set "in", it is not possible to perform a side effect on "sink" without removing and reinserting the corresponding arc.
FI: I am not sure we have the necessary information to know which subscript must be updated when more than one is available. This is bad for multidimensional arrays and worse for references to stub that may include fields (or not) as subscript as well as lots of articificial dimensions due to the source.
I assumed gen_last() to start with, but it is unlikely in general!
"&a[i]" should be transformed into "&a[i+eval(delta)]" when "delta" can be statically evaluated
| !get_bool_property("POINTS_TO_STRICT_POINTER_TYPES")
pt | t |
delta | elta |
et | t |
Definition at line 937 of file expression.c.
References anywhere_cell_p(), array_pointer_type_equal_p(), array_type_p(), cell_any_reference(), char_star_constant_function_type_p(), compute_basic_concrete_type(), copy_points_to(), effect_reference_to_string(), entity_basic_concrete_type(), entity_user_name(), free_type(), get_bool_property(), nowhere_cell_p(), null_cell_p(), offset_array_reference(), pips_user_error, points_to_cell_to_type(), points_to_context_statement_line_number(), points_to_sink, points_to_source, reference_variable, struct_type_p(), and type_to_pointed_type().
Referenced by offset_cells().
void offset_cells | ( | cell | source, |
list | sinks, | ||
expression | delta, | ||
type | et, | ||
pt_map | in | ||
) |
Each cell in sinks is replaced by a cell located "delta" elements further up in the memory.
In some cases, the same points-to are removed and added. For instance, t[0],t[1] -> t[1],t[2] because of a p++, and t[1] is removed and added.
If the source may point to null, the corresponding arc is removed. If the source points only to null, the resulting graph is bottom.
This procedure must be used when cells in "sinks" are components of points-to arcs stored in a points-to set.
source | ource |
sinks | inks |
delta | elta |
et | t |
in | n |
Definition at line 869 of file expression.c.
References add_arc_to_pt_map, anywhere_cell_p(), CELL, cell_typed_anywhere_locations_p(), copy_cell(), difference_of_pt_maps, find_arc_in_points_to_set(), FOREACH, gen_length(), make_approximation_may(), make_descriptor_none(), make_points_to(), new_pt_map, null_cell_p(), offset_cell(), points_to_cell_to_string(), points_to_graph_bottom, points_to_undefined_p, semantics_user_warning, and union_of_pt_maps.
Referenced by pointer_arithmetic_to_points_to().
void offset_points_to_cell | ( | cell | , |
expression | , | ||
type | , | ||
bool | |||
) |
void offset_points_to_cells | ( | list | sinks, |
expression | delta, | ||
type | t | ||
) |
Each cell in sinks is replaced by a cell located "delta" elements further up in the memory.
Similar to offset_cells(), but, in spite of the name, cannot be used with points-to cells that are part of a points-to belonging to a points-to set.
sinks | inks |
delta | elta |
Definition at line 1020 of file expression.c.
References CDR, CELL, ENDP, FOREACH, and offset_points_to_cell().
Referenced by expression_to_points_to_sinks_with_offset(), and unary_intrinsic_call_to_points_to_sinks().
e1 | 1 |
e2 | 2 |
Definition at line 1179 of file constant-path-utils.c.
References entity_any_module_p(), entity_module_name(), and same_string_p.
e1 | 1 |
e2 | 2 |
Definition at line 1201 of file constant-path-utils.c.
References entity_abstract_location_p(), entity_name, and same_string_p.
t1 | 1 |
t2 | 2 |
Definition at line 437 of file constant-path-utils.c.
References MakeTypeUnknown(), and type_unknown_p.
Referenced by opgen_must_type().
vr1 | r1 |
vr2 | r2 |
Definition at line 1223 of file constant-path-utils.c.
References ENDP, extended_integer_constant_expression_p(), and FOREACH.
e1 | 1 |
e2 | 2 |
Definition at line 1190 of file constant-path-utils.c.
References entity_any_module_p(), entity_module_name(), and same_string_p.
e1 | 1 |
e2 | 2 |
Definition at line 1212 of file constant-path-utils.c.
References entity_abstract_location_p(), entity_name, and same_string_p.
the same as opgen_may_type
t1 | 1 |
t2 | 2 |
Definition at line 448 of file constant-path-utils.c.
References opgen_may_type().
Definition at line 1254 of file constant-path-utils.c.
References gen_null(), make_approximation_exact(), make_descriptor_none(), make_points_to(), points_to_equal_p(), points_to_rank(), set_add_element(), SET_FOREACH, set_generic_make(), and set_private.
c1 | 1 |
c2 | 2 |
Definition at line 601 of file constant-path-utils.c.
References cell_any_reference(), entity_type, free_type(), opkill_may_module(), opkill_may_name(), opkill_may_type(), opkill_may_vreference(), points_to_reference_to_type(), reference_variable, type_area_p, type_equal_p(), and type_undefined.
Referenced by kill_may_set().
if the lhs or the rhs is a nowhere location or a null/0 value we generate a pips_user_warning
m1 | 1 |
m2 | 2 |
Definition at line 242 of file constant-path-utils.c.
References cell_any_reference(), entity_any_module_p(), entity_name, reference_variable, and same_string_p.
Referenced by opkill_may_constant_path().
We define operators for the lattice Name which can be a: -variable of a the program -malloc -NULL /0 -STATIC/STACK/DYNAMIC/HEAP/FORMAL -nowhere/anywhere.
We define the max between 2 names according to the order established by the lattice Name, already done by entity_locations_max() but we have to add a new abstract location for Formal area opkill for the lattice Name tests if 2 names are : -variables of the program then we return the result of the comparison their names. -abstract locations so we return FALSE. Name * Name-> Bool
if(entity_malloc_p(e2)) kill_may_p = false// function entity_malloc_p() have to be defined and different from entity_heap_location_p()
if(entity_malloc_p(e1)) kill_may_p = true// function entity_malloc_p() have to be defined and different from entity_heap_location_p()
n1 | 1 |
n2 | 2 |
Definition at line 310 of file constant-path-utils.c.
References cell_any_reference(), entity_abstract_location_p(), entity_all_locations_p(), entity_name, entity_nowhere_locations_p(), entity_null_locations_p(), make_cell_reference(), make_reference(), NIL, pips_user_error, reference_variable, same_string_p, and variable_to_abstract_location().
Referenced by opkill_may_constant_path(), and opkill_must_name().
c1 | 1 |
c2 | 2 |
Definition at line 454 of file constant-path-utils.c.
References cell_preference, cell_reference, cell_reference_p, preference_reference, reference_equal_p(), reference_undefined, and store_independent_reference_p().
t1 | 1 |
t2 | 2 |
Definition at line 422 of file constant-path-utils.c.
References type_equal_p(), and type_unknown_p.
Referenced by opkill_may_constant_path(), and opkill_must_type().
FI: really weird and unefficient.
Also I asummed that vreference was limited to the subscript list... FI->AM: to be checked wrt your dissertation.
c1 | 1 |
c2 | 2 |
Definition at line 496 of file constant-path-utils.c.
References CAR, cell_any_reference(), ENDP, entity_minimal_user_name(), EXPRESSION, expression_constant_p(), expression_equal_p(), expression_to_int(), expression_to_string(), field_expression_p(), NIL, POP, reference_indices, reference_variable, s1, and unbounded_expression_p().
Referenced by opkill_may_constant_path().
returns true if c2 kills c1
if (! type_area_p(entity_type(v1)) && !type_area_p(entity_type(v2))){
if (entity_abstract_location_p(v1))
t1 = entity_type(v1);
else
t1 = simple_effect_reference_type(r1);
if (entity_abstract_location_p(v2))
t2 = entity_type(v2);
else
t2 = simple_effect_reference_type(r2);
type_equal_p = opkill_must_type(t1,t2);
}
c1 | 1 |
c2 | 2 |
Definition at line 627 of file constant-path-utils.c.
References cell_any_reference(), opkill_must_module(), opkill_must_name(), opkill_must_vreference(), points_to_reference_to_type(), type_equal_p(), and type_undefined.
Referenced by kill_must_set().
m1 | 1 |
m2 | 2 |
Definition at line 260 of file constant-path-utils.c.
References cell_any_reference(), entity_any_module_p(), entity_name, reference_variable, and same_string_p.
Referenced by opkill_must_constant_path().
if(entity_malloc_p(e2)) kill_may_p = false// function entity_malloc_p() have to be defined and different from entity_heap_location_p()
if(entity_malloc_p(e1)) kill_may_p = true// function entity_malloc_p() have to be defined and different from entity_heap_location_p()
n1 | 1 |
n2 | 2 |
Definition at line 361 of file constant-path-utils.c.
References cell_any_reference(), entity_abstract_location_p(), entity_all_locations_p(), entity_name, entity_nowhere_locations_p(), entity_null_locations_p(), make_cell_reference(), make_reference(), NIL, opkill_may_name(), pips_user_error, reference_variable, same_string_p, and variable_to_abstract_location().
Referenced by opkill_must_constant_path().
c1 | 1 |
c2 | 2 |
Definition at line 478 of file constant-path-utils.c.
References cell_any_reference(), reference_equal_p(), and store_independent_reference_p().
opkill_must_type is the same as op_kill_may_type...
t1 | 1 |
t2 | 2 |
Definition at line 432 of file constant-path-utils.c.
References opkill_may_type().
returns true if c2 must kills c1 because of the subscript expressions
This function should be rewritten from scratch, with a defined semantics for "*" as a subscript and possibly a larger use of expression_equal_p(). Also, we need to specify if the scopes for each rereference are equal or not.
c1 | 1 |
c2 | 2 |
Definition at line 546 of file constant-path-utils.c.
References CAR, cell_any_reference(), ENDP, entity_minimal_user_name(), EXPRESSION, expression_constant_p(), expression_equal_p(), expression_to_int(), expression_to_string(), NIL, POP, reference_indices, reference_variable, s1, and unbounded_expression_p().
Referenced by opkill_must_constant_path().
The expression list "al" contains exactly two arguments.
If these expressions are pointers, "in" is modified by removing arcs that are not compatible with the equality. If no arc is left, a bottom "in" is returned.
"out" is "in", modified by side-effects.
The condition cannot violate an exact arc.
The condition cannot violate an exact arc.
al | l |
true_p | rue_p |
in | n |
Definition at line 3176 of file expression.c.
References approximation_exact_p, CAR, CDR, CELL, cell_in_list_p(), cell_is_greater_than_or_equal_to_p(), cell_is_greater_than_p(), cell_is_less_than_or_equal_to_p(), cell_is_less_than_p(), ENTITY_GREATER_OR_EQUAL_P, ENTITY_GREATER_THAN_P, ENTITY_LESS_OR_EQUAL_P, ENTITY_LESS_THAN_P, EXPRESSION, expression_to_points_to_sinks(), expression_to_points_to_sources(), expression_to_type(), f(), free_type(), gen_length(), out, pips_internal_error, pointer_type_p(), points_to_approximation, points_to_graph_bottom, points_to_graph_set, points_to_sink, points_to_source, remove_arc_from_pt_map, RR, set_clear(), and SET_FOREACH.
Referenced by relational_intrinsic_call_condition_to_points_to().
pt_map pointer_arithmetic_to_points_to | ( | expression | lhs, |
expression | delta, | ||
pt_map | pt_in | ||
) |
Update the sink locations associated to the source "lhs" under points-to information pt_map by "delta".
C standard guarantees that the sink objects is unchanged by pointer arithmetic.
Property POINTS_TO_STRICT_POINTER_TYPES is used to be more or less flexible about formal parameters and local variables such as "int * p"
lhs | hs |
delta | elta |
pt_in | t_in |
Definition at line 760 of file expression.c.
References CELL, cell_any_reference(), clear_pt_map, ENDP, entity_user_name(), expression_to_points_to_sources(), FOREACH, gen_length(), nowhere_cell_p(), null_cell_p(), offset_cells(), pips_user_warning, points_to_expression_to_type(), reference_variable, remove_points_to_arcs(), and source_to_sinks().
Referenced by intrinsic_call_to_points_to().
pt_map pointer_assignment_to_points_to | ( | expression | lhs, |
expression | rhs, | ||
pt_map | pt_in | ||
) |
FI: this is a crazy idea to avoid problems in balancing test branches. It should only be useful when the formal context has to be expanded by this assignment. lhs = lhs;
Of course, it is a catastrophy when expression lhs has side effects...
And it does not work because the current "in" of the test is modified by side-effect no seen when the false branch is analyzed.
lhs | hs |
rhs | hs |
pt_in | t_in |
Definition at line 1437 of file expression.c.
References internal_pointer_assignment_to_points_to().
Referenced by assignment_to_points_to(), and expand_points_to_domain().
Input : a formal parameter which is a pointer and its type.
Output : a set of points-to where sinks are stub points-to. we descent recursively until reaching a basic type, then we call create_stub_points_to()to generate the adequate points-to.
FI: I do not know if I want to keep using this function because stubs are not created on demand and because some are certainly not useful for the points-to analysis. But they may be useful for client analysis... However, client analyses will have to create more such stubs...
maybe should be removed if we have already called ultimate type in formal_points_to_parameter()
The pointer may be NULL or undefined. We neglect undefined/nowhere
The pointer may points towards another object (or set of object)
Recursive descent for pointers: the new sink becomes the new source... FI: I do not think this is useful because they will be created on demand...
what about storage
Create a target of unknown type
pt | t |
Definition at line 810 of file points_to_init_analysis.c.
References add_arc_to_simple_pt_map, array_type_p(), basic_tag, copy_cell(), create_pointer_to_array_stub_points_to(), create_stub_points_to(), get_bool_property(), is_basic_bit, is_basic_complex, is_basic_derived, is_basic_float, is_basic_int, is_basic_logical, is_basic_overloaded, is_basic_pointer, is_basic_string, is_basic_typedef, make_approximation_may(), make_descriptor_none(), make_null_pointer_value_cell(), make_points_to(), pips_internal_error, pointer_formal_parameter_to_stub_points_to(), points_to_equal_p(), points_to_rank(), points_to_sink, points_to_undefined, set_add_element(), set_free(), set_generic_make(), set_private, set_union(), type_functional_p, type_to_pointed_type(), type_variable, type_variable_p, type_void_p, and variable_basic.
Referenced by formal_points_to_parameter(), and pointer_formal_parameter_to_stub_points_to().
in | n |
Definition at line 318 of file dereferencing.c.
References expression_to_points_to(), free_expression(), and pointer_reference_to_expression().
Referenced by reference_dereferencing_to_points_to().
What to do when a pointer "p" is dereferenced within a reference "r".
If p is a scalar pointer, p[i] is equivalent to *(p+i) and p[i][j] to *(*(p+i)+j).
If p is a 2-D array of pointers, p[i], p[i][j] do not belong here. But, p[i][j][k] is equivalent to *(p[i][j]+k) and p[i][j][k][l] to *(*(p[i][j]+k)+l).
The equivalent expression is fully allocated to be freed at the end. Which may cause problems if the points-to analysis re-use parts of the internal data structure...
The normalization could have been performed by the parser, but PIPS is source-to-source for the benefit of its human user.
in | n |
eval_p | val_p |
Definition at line 709 of file sinks.c.
References expression_to_points_to_sinks(), expression_to_points_to_sources(), free_expression(), NIL, and pointer_reference_to_expression().
Referenced by reference_to_points_to_sinks().
Returns the sinks for a source cell "sc" of type pointer according to the points-to relation "in".
This is an extension of extended_source_to_sinks() that also take into account partially subscribed arrays. Such references end up with a pointer type, but "in" is not involved in the dereferencing... since no dereferencing is necessary. An extra 0 subscript must be added.
FI: This issue is also dealt elsewhere, but I do not know where nor how often.
sc | c |
in | n |
Definition at line 2455 of file points_to_set.c.
References array_type_p(), CELL, cell_any_reference(), CONS, copy_cell(), ENDP, entity_basic_concrete_type(), EXPRESSION, extended_source_to_sinks(), gen_length(), gen_nconc(), int, make_zero_expression(), NIL, reference_indices, reference_variable, type_variable, and variable_dimensions.
Referenced by dereferencing_to_sinks().
expression pointer_subscript_to_expression | ( | cell | c, |
list | csl | ||
) |
Allocate a new expression based on the reference in "c" and the subscript list "csl".
No sharing with the arguments. The pointer subscripts are transformed into pointer arithmetic and dereferencements.
csl | sl |
Definition at line 1430 of file sinks.c.
References binary_intrinsic_expression, cell_any_reference(), copy_expression(), copy_reference(), DEREFERENCING_OPERATOR_NAME, EXPRESSION, FOREACH, PLUS_C_OPERATOR_NAME, reference_to_expression(), and unary_intrinsic_expression.
Referenced by subscript_to_points_to_sinks().
lhs_path matches the kill set.
input - kill
if the lhs_set or the rhs set contains more than an element, we set the approximation to MAY.
Computing the gen set
create a new points to with as source the current element of lhs_set and sink the null value .
gen + input_kill_diff
lhs_list | hs_list |
input | nput |
Definition at line 122 of file constant-path-utils.c.
References ANYWHERE_LOCATION, entity_all_xxx_locations(), FOREACH, gen(), gen_length(), input(), make_approximation_exact(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_reference(), NIL, points_to_compare_cell(), points_to_equal_p(), points_to_rank(), points_to_source, set_add_element(), set_difference(), SET_FOREACH, set_generic_make(), set_private, and set_union().
Referenced by list_assignment_to_points_to().
Definition at line 102 of file sinks.c.
References entity_all_locations(), entity_to_sinks(), entity_typed_anywhere_locations(), and type_undefined_p.
Referenced by call_to_points_to_sinks().
Already exists in points_to_general_algorithm.c, to be removed later...
iterate over the lhs_set, if it contains more than an element approximations are set to MAY, otherwise it's set to EXACT Set the sink to anywhere .
input - kill
if the lhs_set or the rhs set contains more than an element, we set the approximation to MAY.
Computing the gen set
create a new points to with as source the current element of lhs_set and sink the null value .
lhs_list | hs_list |
input | nput |
Definition at line 75 of file constant-path-utils.c.
References ANYWHERE_LOCATION, cell_any_reference(), entity_all_xxx_locations_typed(), entity_type, FOREACH, gen(), gen_length(), input(), make_approximation_exact(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_reference(), NIL, points_to_compare_cell(), points_to_equal_p(), points_to_rank(), points_to_source, reference_variable, set_add_element(), set_difference(), SET_FOREACH, set_generic_make(), set_private, and set_union().
Referenced by list_assignment_to_points_to().
void points_to_backward_translation | ( | void | ) |
Definition at line 71 of file points_to_init_analysis.c.
Apply points_to_binding_arguments() to each pair (, complete the process of binding each element of "in" to its corresponding memory address at the call site.
Necessary to translate the fields of structures.
"args": list of formal parameters of some callee
"in": points-to in of the callee
"pt_binded": points-to from formal to actual parameters for a specific call site
A new set is allocated.
Process each formal parameter and look for its actual values in "pt_binded"
args | rgs |
in | n |
pt_binded | t_binded |
Definition at line 2780 of file interprocedural.c.
References CELL, cell_any_reference(), cell_entity_equal_p(), cell_equal_p(), copy_cell(), ENDP, FOREACH, new_simple_pt_map, pips_assert, points_to_binding_arguments(), points_to_source, points_to_source_alias(), reference_indices, set_clear(), SET_FOREACH, set_free(), and set_union().
Referenced by user_call_to_points_to_fast_interprocedural().
Recursively find all the arcs, "ai", starting from the argument "c1" using "in", find all the arcs, "aj", starting from the parameter "c2" using "pt_binded", map each node "ai" to its corresponding "aj" and store the "ai->aj" arc in a new set, "bm".
"pt_binded" contains the correspondance between formal and actual parameters, e.g. "fp->ap", with some information about the possible approximations because one formal parameter can points toward several actual memory locations of the caller.
"in" contains the formal context of the callee, as it stands at its entry point (DBR_POINTS_TO_IN).
"bm" is the binding relationship between references of the formal context of the callees towards addresses of the caller. For instance, when function "void foo(int ** fp)" is called as "ap=&q; foo(ap);", bm = {(_ap_1, q)}.
See Amira Mensi's PhD dissertation, chapter about interprocedural analysis
Recursive call down the different points_to paths
Here we have, for instance, "q[*]" in "c1" for "q[4]" in "in".
FI: I do not see how to handle incompatibility between assumptions...
(!source_in_set_p(c1, in) && !source_subset_in_set_p(c1, in))
c1 is not a pointer: it is simply mapped to c2
c1 | 1 |
c2 | 2 |
in | n |
pt_binded | t_binded |
Definition at line 2513 of file interprocedural.c.
References add_arc_to_simple_pt_map, approximation_undefined, CELL, copy_cell(), ENDP, FOREACH, gen_full_copy_list(), gen_length(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), new_simple_pt_map, nowhere_cell_p(), null_cell_p(), pips_assert, pips_internal_error, points_to_source_to_some_sinks(), recursive_cell_to_pointer_cells(), s1, set_clear(), set_free(), set_union(), source_in_set_p(), and source_subset_in_set_p().
Referenced by points_to_binding().
void points_to_cell_list_and | ( | list * | a, |
const | list | ||
) |
Compute A = A inter B: complexity in O(n2)
This element of a is not in list b: delete it:
Definition at line 3133 of file points_to_set.c.
References aux, CAR, CDR, CELL, ENDP, free(), points_to_cell_in_list_p(), points_to_cell_list_and(), and return().
Referenced by points_to_cell_list_and().
Create a string which is the cell reference in C syntax.
A new string is allocated.
source | ource |
Definition at line 186 of file points_to_set.c.
References cell_to_reference(), reference_to_string(), and strdup().
Referenced by compute_points_to_gen_set(), maximal_out_degree_of_points_to_graph(), points_to_source_name_to_sinks(), and points_to_source_name_to_source_cell().
If required according to the property, create a new arc from cell "c" to "null".
Cell "c" is absorbed not by the points_to created and added to set "pts".
pts | ts |
Definition at line 1318 of file points_to_set.c.
References get_bool_property(), NIL, and null_to_sinks().
Referenced by generic_stub_source_to_sinks().
points_to_graph points_to_cell_source_projection | ( | points_to_graph | ptg, |
cell | c | ||
) |
Remove all arcs in "ptg" starting from "c".
ptg | tg |
Definition at line 330 of file points_to_set.c.
References cell_equal_p(), points_to_graph_set, points_to_source, set_del_element(), and SET_FOREACH.
Referenced by equal_condition_to_points_to(), and null_equal_condition_to_points_to().
Definition at line 2097 of file points_to_set.c.
References cell_any_reference(), and points_to_reference_to_number_of_unbounded_dimensions().
Definition at line 1900 of file expression.c.
References generic_points_to_cell_to_useful_pointer_cells(), and set_undefined.
Referenced by memory_leak_to_more_memory_leaks(), and points_to_cells_to_pointer_cells().
Definition at line 3367 of file points_to_set.c.
References cell_any_reference(), and effect_reference_to_string().
Referenced by generic_remove_unreachable_vertices_in_points_to_graph(), list_assignment_to_points_to(), memory_leak_to_more_memory_leaks(), new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair(), offset_cells(), and recursive_filter_formal_context_according_to_actual_context().
pts | ts |
Definition at line 1905 of file expression.c.
References generic_points_to_cell_to_useful_pointer_cells().
Referenced by filter_formal_context_according_to_actual_context(), and recursive_filter_formal_context_according_to_actual_context().
Compute the list of cells that correspond to cell "sr1" according to the translation mapping "bm" when function "f" is called.
The check with rv may be useless, for instance when a sink cell is checked, as it is impossible (in C at least) to points toward the return value.
Translate sr1 if needed
No translation is needed.
We assume here that the subscript list of sr1, the reference to translate, is longer than the subscript list of sr2, the source of its translation.
sr1 | r1 |
binding | inding |
Definition at line 2211 of file interprocedural.c.
References any_function_to_return_value(), CAR, CELL, cell_any_reference(), cell_to_reference(), compatible_points_to_subscripts_p(), CONS, copy_cell(), copy_reference(), ENDP, entity_anywhere_locations_p(), entity_local_name(), entity_to_module_entity(), entity_typed_anywhere_locations_p(), EXPRESSION, f(), gen_length(), gen_nconc(), heap_cell_p(), make_cell_reference(), NIL, pips_assert, points_to_compare_cell(), points_to_sink, points_to_source, POP, reference_indices, reference_variable, s1, same_string_p, SET_FOREACH, and source_in_set_p().
Referenced by add_implicitly_killed_arcs_to_kill_set(), compute_points_to_gen_set(), and generic_points_to_cells_translation().
Allocate a new list with the translations of the cells in cl, when their translation make sense and is unique (one-to-one mapping).
Effects on copied parameters are discarded.
cl | l |
binding | inding |
Definition at line 2327 of file interprocedural.c.
References f(), and generic_points_to_cells_translation().
Referenced by user_call_to_points_to_interprocedural().
interprocedural.c
interprocedural.c
The list is not sorted. It is probably a reversed list.
dl | l |
Definition at line 68 of file interprocedural.c.
References array_type_p(), CELL, CONS, ENTITY, entity_basic_concrete_type(), FOREACH, formal_parameter_p(), gen_nconc(), location_entity_p(), make_cell_reference(), make_reference(), NIL, pointer_type_p(), and struct_type_p().
Referenced by user_call_to_points_to(), user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
Transform a list of arguments of type "expression" to a list of cells.
The list is not sorted. It is probably a reversed list.
al | l |
Definition at line 90 of file interprocedural.c.
References CELL, CONS, EXPRESSION, expression_pointer_p(), expression_reference(), expression_reference_p(), FOREACH, gen_nconc(), make_cell_reference(), and NIL.
Referenced by user_call_to_points_to_fast_interprocedural().
Convert cells in l into derived pointer cells when possible.
The elements of list pl are reused in list l
pl | l |
Definition at line 1917 of file expression.c.
References CELL, FOREACH, gen_nconc(), NIL, pl, and points_to_cell_to_pointer_cells().
Referenced by recursive_filter_formal_context_according_to_actual_context().
Allocate a new list with the translations of the cells in cl, when their translation make sense.
Effects on copied parameters are discarded.
cl | l |
binding | inding |
Definition at line 2318 of file interprocedural.c.
References f(), and generic_points_to_cells_translation().
Referenced by user_call_to_points_to_interprocedural().
c1 | 1 |
c2 | 2 |
Definition at line 2657 of file points_to_set.c.
References CAR, cell_to_reference(), ENDP, entity_minimal_user_name(), EXPRESSION, expression_constant_p(), expression_to_int(), expression_to_string(), gen_length(), NIL, POP, reference_indices, reference_variable, and s1.
Referenced by cell_in_list_p(), cell_in_points_to_set_p(), compute_points_to_kill_set(), gen_must_set(), points_to_anywhere(), points_to_anywhere_typed(), and points_to_cell_translation().
int points_to_compare_location | ( | void * | vpt1, |
void * | vpt2 | ||
) |
Order the two points-to relations according to the alphabetical order of the underlying variables.
Return -1, 0, or 1.
vpt1 | pt1 |
vpt2 | pt2 |
Definition at line 2744 of file points_to_set.c.
References CAR, cell_to_reference(), ENDP, entity_minimal_user_name(), EXPRESSION, expression_constant_p(), expression_to_int(), expression_to_string(), gen_length(), NIL, points_to_sink, points_to_source, POP, reference_indices, reference_variable, and s1.
bool points_to_compare_ptr_cell | ( | const void * | vcel1, |
const void * | vcel2 | ||
) |
vcel1 | cel1 |
vcel2 | cel2 |
Definition at line 2698 of file points_to_set.c.
References CAR, cell_to_reference(), ENDP, entity_abstract_location_p(), entity_local_name(), entity_minimal_user_name(), EXPRESSION, expression_constant_p(), expression_to_int(), expression_to_string(), gen_length(), NIL, POP, reference_indices, reference_variable, and s1.
Referenced by generic_points_to_set_to_stub_cell_list().
pt_map points_to_context_statement_in | ( | void | ) |
Definition at line 127 of file statement.c.
References stack_head(), and statement_points_to_context.
Referenced by user_call_to_points_to_interprocedural().
int points_to_context_statement_line_number | ( | void | ) |
Definition at line 120 of file statement.c.
References get_current_statement_from_statement_global_stack(), and statement_number.
Referenced by aliased_translation_p(), binary_intrinsic_call_to_points_to_sinks(), check_type_of_points_to_cells(), declaration_statement_to_points_to(), dereferencing_subscript_to_points_to(), equal_condition_to_points_to(), expression_to_points_to_cells(), filter_formal_context_according_to_actual_context(), freed_list_to_points_to(), freed_pointer_to_points_to(), internal_pointer_assignment_to_points_to(), intrinsic_call_to_points_to(), list_assignment_to_points_to(), memory_leak_to_more_memory_leaks(), new_filter_formal_context_according_to_actual_context(), non_equal_condition_to_points_to(), offset_cell(), offset_points_to_cell(), process_casted_sinks(), process_casted_sources(), reference_dereferencing_to_points_to(), reference_to_points_to_sinks(), source_to_sinks(), subscript_to_points_to_sinks(), subscripted_reference_to_points_to(), and user_call_to_points_to_interprocedural().
int points_to_equal_p | ( | const void * | vpt1, |
const void * | vpt2 | ||
) |
returns true if two points-to arcs "vpt1" and "vpt2" are equal.
Used to build sets of points-to using the set library of Newgen
vpt1 | pt1 |
vpt2 | pt2 |
Definition at line 98 of file points_to_set.c.
References approximation_tag, bool_to_string(), ifdebug, locations_equal_p(), points_to_approximation, points_to_sink, points_to_source, print_points_to(), and printf().
Referenced by arc_in_points_to_set_p(), array_formal_parameter_to_stub_points_to(), compute_points_to_binded_set(), derived_formal_parameter_to_stub_points_to(), formal_points_to_parameter(), gen_may_constant_paths(), gen_may_set(), gen_must_constant_paths(), gen_must_set(), init_points_to_analysis(), k_limit_points_to(), kill_may_set(), merge_points_to_set(), new_points_to_unstructured(), opgen_null_location(), pointer_formal_parameter_to_stub_points_to(), points_to_anywhere(), points_to_anywhere_typed(), points_to_function_projection(), points_to_in_list_p(), points_to_independent_store(), points_to_may_filter(), points_to_must_filter(), points_to_nowhere(), typedef_formal_parameter_to_stub_points_to(), and user_call_to_points_to_fast_interprocedural().
void points_to_forward_translation | ( | void | ) |
This package computes the points-to interprocedurally.
See Chapter ? in Amira Mensi's PhD dissertation.
Definition at line 66 of file points_to_init_analysis.c.
"pts" is the points-to relation existing at the return point of a function.
Meaningless arcs in an interprocedural context must be eliminated.
The concept of "meaningless" arc has changed. Formal parameters are no longer "projected" although some of them are copies because, when they are not written, they are aliases of the actual parameters and carry useful information.
Unfortunately, we do not compute the information about may/must be written pointers.
As a consequence, some memory leaks cannot be detected here. The problem could be spotted when handling a call site, but then the memory leak will be indicated at each call site. This is not implemented, but we have a test case, Pointers/Mensi.sub/conditional_free01.c.
FI: side-effects to be used explicitly in this function For the time being a new set is allocated
Do we have a useful return value?
Preserve the return value. And indexed formal parameters such as s.tab? No, because struct are passed by copy. But not arrays... Except that copies are perfect alias of the actual argument when they are not modified. Since we do not have information about modified formal parameter, the Written set, we should provisionally preserve all formal parameters, no matter what they points to. See EffectsWithPointsTo/modif_pointer0a4.c
Also preserve nowhere generated by free although the pointer itself is not written. Beware that a formal pointer may be written... FI: we should be able to check is the source has been written or not in the current function... See Pointers/array10.c. However, it is still transiently true and not a bug.
Detect memory leaks
Look recursively for more memory leaks: cells in "emll" are no longer reachable
pts | ts |
Definition at line 477 of file points_to_set.c.
References all_heap_locations_cell_p(), array_type_p(), atomic_points_to_cell_p(), CELL, cell_any_reference(), cell_out_of_scope_p(), compute_basic_concrete_type(), CONS, entity_basic_concrete_type(), entity_undefined, formal_parameter_p(), function_to_return_value(), functional_result, gen_free_list(), get_current_module_entity(), heap_cell_p(), NIL, nowhere_cell_p(), pointer_type_p(), points_to_equal_p(), points_to_rank(), points_to_sink, points_to_source, potential_to_effective_memory_leaks(), reference_variable, remove_points_to_cells(), set_assign(), set_del_element(), SET_FOREACH, set_generic_make(), set_private, struct_type_p(), and type_functional.
Referenced by generic_points_to_analysis().
out | ut |
in | n |
Definition at line 3194 of file points_to_set.c.
References out, points_to_graph_set, and set_assign().
Referenced by control_to_points_to(), and cyclic_graph_to_points_to().
found!
else no found
pt | t |
list | x |
Definition at line 2647 of file points_to_set.c.
References CAR, ENDP, POINTS_TO, points_to_equal_p(), and POP.
Definition at line 1273 of file constant-path-utils.c.
References make_points_to(), points_to_approximation, points_to_descriptor, points_to_equal_p(), points_to_rank(), points_to_sink, points_to_source, set_add_element(), SET_FOREACH, set_generic_make(), set_private, and simple_cell_to_store_independent_cell().
Referenced by any_loop_to_points_to(), and new_any_loop_to_points_to().
Count the number of array indices and ignore the field subscripts.
sl | l |
Definition at line 384 of file points_to_init_analysis.c.
References EXPRESSION, expression_reference_p(), and FOREACH.
Referenced by create_stub_points_to().
Generate a new subscript list.
References to fields are ignored, constant and unbounded expressions are preserved, non-constant expressions are replaced by unbounded expressions.
ptsl | tsl |
Definition at line 425 of file points_to_init_analysis.c.
References CAR, CONS, copy_expression(), ENDP, entity_field_p(), EXPRESSION, expression_reference(), expression_reference_p(), extended_integer_constant_expression_p(), gen_nreverse(), make_unbounded_expression(), NIL, POP, reference_variable, and unbounded_expression_p().
Referenced by create_stub_points_to().
void points_to_indices_to_unbounded_indices | ( | list | sl | ) |
FI: probably a duplicate...
sl | l |
Definition at line 395 of file points_to_init_analysis.c.
References CAR, ENDP, entity_field_p(), EXPRESSION, EXPRESSION_, expression_is_constant_p(), expression_reference(), expression_reference_p(), free_expression(), make_unbounded_expression(), NIL, POP, reference_variable, and unbounded_expression_p().
returns a set which contains all the MAY points to
in | n |
Definition at line 716 of file constant-path-utils.c.
References approximation_may_p, points_to_approximation, points_to_equal_p(), points_to_rank(), set_add_element(), SET_FOREACH, set_generic_make(), and set_private.
Referenced by list_assignment_to_points_to().
returns a set which contains all the EXACT points to
in | n |
Definition at line 729 of file constant-path-utils.c.
References approximation_exact_p, points_to_approximation, points_to_equal_p(), points_to_rank(), set_add_element(), SET_FOREACH, set_generic_make(), and set_private.
Referenced by list_assignment_to_points_to().
create a string which is a concatenation of the source's name, the sink's name and the approximation of their relation(may or exact).
The same string is used by the function points_to_rank()
pt | t |
Definition at line 163 of file points_to_set.c.
References approximation_tag, cell_to_reference(), concatenate(), int2a(), points_to_approximation, points_to_sink, points_to_source, reference_to_string(), s1, and strdup().
arg1: list of cells arg2: set of points-to Create a points-to set with elements of lhs_list as source and NOWHERE as sink.
Iterate over input and kill all points-to relations where sinks are elements of lhs_list.
if the lhs_set or the rhs set contains more than an element, we set the approximation to MAY.
Computing the gen set
lhs_list | hs_list |
input | nput |
Definition at line 1351 of file constant-path-utils.c.
References copy_approximation(), FOREACH, free_approximation(), gen(), gen_length(), input(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_nowhere_cell(), make_points_to(), points_to_equal_p(), points_to_rank(), points_to_source, set_add_element(), set_difference(), SET_FOREACH, set_generic_make(), set_private, and set_union().
list points_to_null_sinks | ( | void | ) |
The null location is not typed. The impact on dependence test is not clear.
Definition at line 87 of file sinks.c.
References entity_null_locations(), and entity_to_sinks().
Referenced by call_to_points_to_sinks().
points_to points_to_path_to_k_limited_points_to_path | ( | list | p, |
int | k, | ||
type | t, | ||
bool | array_p, | ||
pt_map | in | ||
) |
"p" is a points-to path ending with a cell that points towards a new cell ot type "t".
To avoid creating infinite/unbounded path, no more than k nodes of type "t" can be present in path "p". If k are found, a cycle is created to represent longer paths. The corresponding arc is returned. If the creation condition is not met, do not create a new arc.
The current path cannot be made any longer
Find the k-th node of type "t" if it exists
Skip sources that are already in the path "p" so as to avoid infinite path due to cycles in points-to graph "in".
array_p | rray_p |
in | n |
Definition at line 1004 of file points_to_set.c.
References CAR, CDR, CELL, cell_undefined_p, CONS, copy_cell(), ENDP, find_kth_points_to_node_in_points_to_path(), FOREACH, gen_free_list(), gen_last(), make_approximation_may(), make_descriptor_none(), make_points_to(), NIL, node_in_points_to_path_p(), pips_assert, points_to_graph_set, points_to_path_to_k_limited_points_to_path(), points_to_undefined, points_to_undefined_p, and sink_to_sources().
Referenced by create_k_limited_stub_points_to(), and points_to_path_to_k_limited_points_to_path().
create a key which is a concatenation of the source's name, the sink's name and the approximation of their relation(may or exact)
vpt | pt |
size | ize |
Definition at line 135 of file points_to_set.c.
References approximation_tag, cell_to_reference(), concatenate(), free(), hash_string_rank(), int2a(), points_to_approximation, points_to_sink, points_to_source, rank, reference_to_string(), s1, and strdup().
Referenced by array_formal_parameter_to_stub_points_to(), compute_points_to_binded_set(), derived_formal_parameter_to_stub_points_to(), formal_points_to_parameter(), gen_may_constant_paths(), gen_may_set(), gen_must_constant_paths(), gen_must_set(), init_points_to_analysis(), kill_may_set(), merge_points_to_set(), new_points_to_unstructured(), opgen_null_location(), pointer_formal_parameter_to_stub_points_to(), points_to_anywhere(), points_to_anywhere_typed(), points_to_function_projection(), points_to_independent_store(), points_to_may_filter(), points_to_must_filter(), points_to_nowhere(), typedef_formal_parameter_to_stub_points_to(), and user_call_to_points_to_fast_interprocedural().
Definition at line 2104 of file points_to_set.c.
References points_to_subscripts_to_number_of_unbounded_dimensions(), and reference_indices.
Referenced by points_to_cell_to_number_of_unbounded_dimensions().
FI: easier it fresh_p is true...
Try to use an extra subscript
We've got one translation at least. Now, we must update the subscripts.
We assume that c has at least as many subscripts as n_r
Update the last subscripts. E.g. _x_3[*] and _x_3[0] ->y[i][0] leads to y[i]*
Update the last subscripts. E.g. _q_2[0][one] and _q_2[0] ->s leads to sone
n_r | _r |
sl | l |
ptm | tm |
fresh_p | resh_p |
Definition at line 1682 of file points_to_set.c.
References CAR, CDR, CELL, cell_any_reference(), CONS, copy_expression(), ENDP, EXPRESSION, FOREACH, gen_full_copy_list(), gen_length(), gen_nconc(), gen_nthcdr(), int, NIL, nowhere_cell_p(), null_cell_p(), pips_assert, pips_internal_error, points_to_reference_to_translation(), reference_indices, reference_to_points_to_translations(), and reference_variable.
Referenced by points_to_reference_to_translation(), and points_to_source_to_translations().
Remove from "pts" arcs based on at least one local entity in list "l" and preserve those based on static and global entities.
This function is called when exiting a statement block.
Detection of dangling pointers.
Detection of memory leaks. Could be skipped when dealing with the "main" module, but the information would have to be passed down thru an extra parameter.
Side-effects on argument "pts" which is returned.
Check for memory leaks
Both the sink and the source disappear: the arc is removed
Any memory leak?
pts | ts |
main_p | ain_p |
body_p | ody_p |
Definition at line 206 of file points_to_set.c.
References add_arc_to_simple_pt_map(), any_function_to_return_value(), approximation_exact_p, array_of_pointers_type_p(), array_of_struct_type_p(), CELL, cell_any_reference(), cell_to_reference(), CONS, copy_approximation(), copy_cell(), copy_type(), ENTITY, entity_basic_concrete_type(), entity_name, entity_user_name(), FOREACH, formal_parameter_p(), free_points_to_graph(), free_type(), gen_free_list(), gen_in_list_p(), get_current_module_entity(), heap_cell_p(), make_descriptor_none(), make_points_to(), make_points_to_graph(), make_typed_nowhere_cell(), memory_leak_to_more_memory_leaks(), NIL, pips_user_warning, pointer_type_p(), POINTS_TO, points_to_approximation, points_to_cell_to_type(), points_to_graph_set, points_to_sink, points_to_source, reference_variable, remove_arc_from_simple_pt_map(), set_del_element(), SET_FOREACH, set_undefined, sink_in_set_p(), struct_type_p(), top_level_entity_p(), and variable_static_p().
Referenced by statement_to_points_to().
Sharing of cells
Sharing of references
Definition at line 2978 of file points_to_set.c.
References cell_any_reference(), dump_points_to(), fprintf(), points_to_sink, points_to_source, and SET_FOREACH.
Referenced by consistent_points_to_set().
osl | sl |
Definition at line 2860 of file interprocedural.c.
References generic_points_to_set_to_stub_cell_list().
Referenced by user_call_to_points_to_interprocedural().
osl | sl |
Definition at line 2855 of file interprocedural.c.
References entity_undefined, and generic_points_to_set_to_stub_cell_list().
Return the points-to "fpt" ending in cell "sink" if it exists.
Return points-to_undefined otherwise.
sink | ink |
ptm | tm |
Definition at line 1988 of file points_to_set.c.
References cell_equal_p(), points_to_graph_set, points_to_sink, points_to_undefined, and SET_FOREACH.
Referenced by remove_impossible_arcs_to_null().
Build the sources of sink "sink" according to the points-to graphs.
If "sink" is not found in the graph, return an empty list "sources". If "fresh_p", allocate copies. If not, return pointers to the destination vertices in "ptm".
It is not clear how much the abstract address lattice must be used to retrieve sources... If source = a[34], clearly a[*] is an OK equivalent source if a[34] is not a vertex of "ptm".
FI: I am not sure that using pointer arithmetics to declare equivalence is a good idea.
sink | ink |
ptm | tm |
fresh_p | resh_p |
Definition at line 1947 of file points_to_set.c.
References CELL, cell_equal_p(), cell_equivalent_p(), cell_included_p(), CONS, copy_cell(), ENDP, NIL, points_to_graph_set, points_to_sink, points_to_source, and SET_FOREACH.
Referenced by freed_list_to_points_to(), and generic_remove_unreachable_vertices_in_points_to_graph().
Let "pt_binded" be the results of assignments of actual arguments to formal arguments (see compute_points_to_binded_set()).
Let "pt" be a points-to arc in "pt_binded".
Find for the source of p its corresponding alias, which means finding another source that points to the same location.
pt | t |
pt_binded | t_binded |
Definition at line 2873 of file interprocedural.c.
References cell_equal_p(), cell_undefined, cell_undefined_p, pips_internal_error, points_to_sink, points_to_source, and SET_FOREACH.
Referenced by points_to_binding().
Use "sn" as a source name to derive a list of sink cells according to the points-to graph ptm.
Allocate copies of the sink cells if "fresh_p".
sn | n |
ptm | tm |
fresh_p | resh_p |
Definition at line 2008 of file points_to_set.c.
References CELL, CONS, copy_cell(), free(), NIL, points_to_cell_name(), points_to_graph_set, points_to_sink, points_to_source, and SET_FOREACH.
Referenced by normalize_points_to_graph().
sn | n |
ptm | tm |
fresh_p | resh_p |
Definition at line 2026 of file points_to_set.c.
References cell_undefined, copy_cell(), free(), points_to_cell_name(), points_to_graph_set, points_to_source, and SET_FOREACH.
Referenced by normalize_points_to_graph().
Remove all arcs starting from e because e has been assigned a new value.
Check for memory leaks
Any memory leak?
pts | ts |
Definition at line 298 of file points_to_set.c.
References CELL, cell_any_reference(), cell_to_reference(), CONS, entity_name, FOREACH, heap_cell_p(), NIL, pips_user_warning, points_to_sink, points_to_source, reference_variable, set_del_element(), SET_FOREACH, and sink_in_set_p().
Referenced by reference_condition_to_points_to().
Retrieve all possible sinks of the source.
source | ource |
ptm | tm |
fresh_p | resh_p |
Definition at line 1933 of file points_to_set.c.
References generic_points_to_source_to_sinks().
Referenced by filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), and upgrade_approximations_in_points_to_set().
Build the list of arcs whose source is "source" according to the points-to graphs "ptm".
If "source" is not found in the graph, return an empty list "sinks". If "fresh_p", allocate copies. If not, return pointers to the arcs in "ptm".
It is not clear how much the abstract address lattice must be used to retrieve sinks... If source = a[34], clearly a[*] is an OK equivalent source if a[34] is not a vertex of "ptm". Currently, we assume that the origin vertex must be exactly "source".
See when the cell "source" is the starting vertex of a points-to arc.
source | ource |
ptm | tm |
fresh_p | resh_p |
Definition at line 2081 of file points_to_set.c.
References cell_equal_p(), CONS, copy_points_to(), NIL, POINTS_TO, points_to_graph_set, points_to_source, and SET_FOREACH.
Referenced by fuse_points_to_sink_cells(), and struct_assignment_to_points_to().
source | ource |
ptm | tm |
fresh_p | resh_p |
Definition at line 1915 of file points_to_set.c.
References generic_points_to_source_to_sinks().
Build the sinks of source "source" according to the points-to graphs.
If "source" is not found in the graph, return an empty list "sinks". If "fresh_p", allocate copies. If not, return pointers to the destination vertices in "ptm".
It is not clear how much the abstract address lattice must be used to retrieve sinks... If source = a[34], clearly a[*] is an OK equivalent source if a[34] is not a vertex of "ptm".
source | ource |
ptm | tm |
fresh_p | resh_p |
Definition at line 1909 of file points_to_set.c.
References generic_points_to_source_to_sinks().
Referenced by malloc_to_points_to_sinks(), recursive_filter_formal_context_according_to_actual_context(), and source_to_sinks().
May not retrieve all sinks of the source.
This happens with arrays of pointers. See EffectsWithPointers/call22.c
source | ource |
ptm | tm |
fresh_p | resh_p |
Definition at line 1924 of file points_to_set.c.
References generic_points_to_source_to_sinks().
Referenced by new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair(), points_to_binding_arguments(), and recursive_filter_formal_context_according_to_actual_context().
Use "ptm" as a translation map.
Must be similar to a function written by Beatrice to evaluate a complex reference according to points-to information. In her case, it is not a translation, but an evaluation of the possibly many dereferencements contained in the reference.
Try to translate a prefix of the source reference and substitue it when a translation is found. No need to translate further down, unlike Beatrice's function.
fresh_p might be useless because new cells always must be generated.
Outdated comment: The cell source is not a source in ptm, but a related cell may be the source
Beware of constant strings...
source | ource |
ptm | tm |
fresh_p | resh_p |
Definition at line 1760 of file points_to_set.c.
References anywhere_cell_p(), CELL, cell_any_reference(), compute_basic_concrete_type(), ENDP, FOREACH, free_type(), ifdebug, make_reference(), NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_internal_error, points_to_cell_to_type(), points_to_reference_to_translation(), reference_indices, reference_variable, type_equal_p(), and type_functional_p.
sources | ources |
ptm | tm |
fresh_p | resh_p |
Definition at line 2066 of file points_to_set.c.
References generic_points_to_sources_to_sinks().
Referenced by translation_transitive_closure().
sources | ources |
ptm | tm |
fresh_p | resh_p |
Definition at line 2061 of file points_to_set.c.
References generic_points_to_sources_to_sinks().
Referenced by fuse_points_to_sink_cells().
In case s is a loop, do, while or for, the parameter "store" is set to false to prevent key redefinitions in the underlying points-to hash-table. This entry condition is not checked.
In case s is a sequence, the sorted copy pts_to_set is associated to each substatement and shared by s and all its substatement.
Note: the function is called with store==true from points_to_whileloop(). And the hash-table can be updated (hash_update()).
pts_to_set | ts_to_set |
store | tore |
Definition at line 67 of file passes.c.
References FOREACH, gen_free_list(), gen_full_copy_list(), instruction_sequence, instruction_sequence_p, make_points_to_list(), NIL, points_to_compare_cells(), points_to_list_consistent_p(), points_to_list_undefined, sequence_statements, set_empty_p(), set_to_sorted_list(), statement_instruction, and store_or_update_pt_to_list().
sl | l |
Definition at line 2111 of file points_to_set.c.
References count, EXPRESSION, FOREACH, and unbounded_expression_p().
Referenced by points_to_reference_to_number_of_unbounded_dimensions(), and sinks_fully_matches_source_p().
Return the subset of "in" that is related to formal parameters and stubs.
More care should be taken about formal parameter modifications. Dummy initial variables should be allocated to preserve the values of formal parameters on entry.
in | n |
Definition at line 127 of file passes.c.
References add_arc_to_simple_pt_map, copy_points_to(), formal_parameter_points_to_cell_p(), new_pt_map, out, points_to_graph_set, points_to_sink, points_to_source, SET_FOREACH, and stub_points_to_cell_p().
FI: for some reason, the translation was built wrongly to express the fact that the source points to any element of the sink as in Semantics-New/Ancourt3009/memcpy09c where pointer arithmetic is used in the actual argument expression.
out -> buffer_out[*]
out cannot be replaced by buffer_out, because out[i] would result in buffer_out[i] instead of buffer_out[*].
translation | ranslation |
Definition at line 1433 of file interprocedural.c.
References array_pointer_string_type_equal_p(), cell_any_reference(), char_star_constant_function_type_p(), char_type_p(), constant_string_entity_p(), constant_string_type_to_string_type(), overloaded_type_p(), pips_internal_error, points_to_cell_to_concrete_type(), points_to_sink, points_to_source, reference_variable, SET_FOREACH, type_functional_p, and type_to_pointed_type().
Referenced by filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), points_to_translation_of_formal_parameters(), and recursive_filter_formal_context_according_to_actual_context().
void points_to_translation_of_formal_parameters | ( | list | fpcl, |
list | al, | ||
pt_map | pt_in, | ||
set | translation | ||
) |
List al and fpcl are assumed consistent, and consistent with the formal parameter ranks.
assumption about fpcl
This function does not return constant memory paths... This could fixed below with calls to points_to_indices_to_unbounded_indices(), but it could/should also be fixed later in the processing, at callees level. See EffectsWithPointsTo.sub/call05.c
See also EffectsWithPointsTo.sub/call08.c: &y[i][1] You need expression_to_points_to_sinks() on such a lhs expression...
This occurs with actual argument "&e": when the address-of operator is used, the relation between the formal parameter, let say "p", and "e" cannot be expressed unless we build a location entity with name "&e".
Beware of constant character strings
Likely to be wrong whe the formal parameter is a pointer and the actual parameter is a simple pointer, or a pointer to an array with fewer dimensions.
fpcl | pcl |
al | l |
pt_in | t_in |
translation | ranslation |
Definition at line 1483 of file interprocedural.c.
References add_arc_to_simple_pt_map, add_subscript_dependent_arc_to_simple_pt_map(), array_of_pointers_type_p(), array_of_struct_type_p(), array_pointer_string_type_equal_p(), array_type_p(), CAR, CELL, cell_any_reference(), copy_approximation(), copy_cell(), ENDP, ENTITY, entity_basic_concrete_type(), entity_storage, EXPRESSION, expression_to_points_to_sinks(), expression_to_points_to_sources(), f(), FOREACH, formal_offset, free_approximation(), functional_parameters, functional_result, gen_last(), gen_length(), gen_nth(), gen_remove_once(), int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), pips_assert, pips_internal_error, pointer_type_p(), points_to_cell_add_zero_subscript(), points_to_cell_to_concrete_type(), points_to_translation_mapping_is_typed_p(), points_to_translation_of_struct_formal_parameter(), reference_indices, reference_variable, scalar_type_p(), storage_formal, struct_type_p(), struct_type_to_fields(), type_equal_p(), type_functional, type_functional_p, and zero_expression_p().
Referenced by user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
void points_to_translation_of_struct_formal_parameter | ( | cell | fc, |
cell | ac, | ||
approximation | a, | ||
type | st, | ||
set | translation | ||
) |
We assume that cell fc and cell ac are of type st and that st is a struct type.
fc | c |
ac | c |
st | t |
translation | ranslation |
Definition at line 1365 of file interprocedural.c.
References add_arc_to_simple_pt_map, array_of_pointers_type_p(), array_of_struct_type_p(), array_type_to_element_type(), compute_basic_concrete_type(), copy_approximation(), copy_cell(), ENTITY, entity_basic_concrete_type(), f(), FOREACH, free_cell(), make_descriptor_none(), make_points_to(), pointer_type_p(), points_to_cell_add_field_dimension(), points_to_cell_add_unbounded_subscripts(), struct_type_p(), and struct_type_to_fields().
Referenced by points_to_translation_of_formal_parameters().
pt_map pop_statement_points_to_context | ( | void | ) |
Definition at line 133 of file statement.c.
References current_statement_points_to_context, stack_pop(), and statement_points_to_context.
Referenced by statement_to_points_to().
A new list, "emll", is allocated.
It contains the cells in the potential memory leak list that are unreachable in set/relation "res". Relation "res" is unchanged. List "pmll" is unchanged.
FI: This is not a sufficient implementation. It fails with strongly connected components (SCC) in "res". The fixed point algorithms are likely to generate SCCs.
pmll | mll |
res | es |
Definition at line 431 of file points_to_set.c.
References CELL, cell_any_reference(), CONS, FOREACH, NIL, pips_user_warning, points_to_cell_equal_p(), points_to_sink, reference_to_string(), and SET_FOREACH.
Referenced by points_to_function_projection(), and remove_points_to_cell().
bool print_code_points_to_list | ( | const char * | module_name | ) |
module_name | odule_name |
Definition at line 202 of file points_to_prettyprint.c.
References module_name(), print_code_points_to(), and PT_TO_SUFFIX.
void print_or_dump_points_to | ( | const | points_to, |
bool | print_p | ||
) |
print a points-to arc for debug
points_to | t |
print_p | rint_p |
Definition at line 568 of file points_to_set.c.
References anywhere_cell_p(), approximation_to_string(), cell_to_reference(), cell_typed_anywhere_locations_p(), entity_local_name(), entity_module_name(), fprintf(), get_current_module_entity(), module_name_to_entity(), MODULE_SEP_STRING, nowhere_cell_p(), null_cell_p(), points_to_approximation, points_to_domain, points_to_domain_number, points_to_sink, points_to_source, points_to_undefined_p, print_reference(), and reference_variable.
Referenced by dump_points_to(), and print_points_to().
Print a set of points-to for debug.
what | hat |
print_p | rint_p |
Definition at line 615 of file points_to_set.c.
References dump_points_to(), fprintf(), print_points_to(), SET_MAP, set_size(), and set_undefined_p.
Referenced by dump_points_to_set(), and print_points_to_set().
void print_points_to | ( | const | points_to | ) |
points_to | t |
Definition at line 604 of file points_to_set.c.
References print_or_dump_points_to().
Referenced by consistent_points_to_set(), points_to_equal_p(), and print_or_dump_points_to_set().
void print_points_to_graph | ( | points_to_graph | ptg | ) |
ptg | tg |
Definition at line 190 of file points_to_prettyprint.c.
References fprintf(), ok, points_to_graph_bottom, points_to_graph_set, and print_points_to_set().
void print_points_to_list | ( | points_to_list | ptl | ) |
ptl | tl |
Definition at line 183 of file points_to_prettyprint.c.
References free_text(), print_text(), and text_points_to_relations().
void print_points_to_path | ( | list | p | ) |
For debugging.
Definition at line 837 of file points_to_set.c.
References CAR, CELL, ENDP, FOREACH, fprintf(), and print_points_to_cell.
Referenced by find_kth_points_to_node_in_points_to_path().
void print_points_to_relation | ( | points_to | pt_to | ) |
print a points-to arc, print_points_to() or print_points_to_arc()
pt_to | t_to |
Definition at line 399 of file points_to_prettyprint.c.
References free_text(), print_text(), and text_points_to_relation().
Referenced by print_points_to_relations().
void print_points_to_relations | ( | list | l_pt_to | ) |
print a list of points-to arcs
l_pt_to | _pt_to |
Definition at line 407 of file points_to_prettyprint.c.
References ENDP, FOREACH, fprintf(), POINTS_TO, and print_points_to_relation().
what | hat |
Definition at line 635 of file points_to_set.c.
References print_or_dump_points_to_set().
Referenced by any_loop_to_points_to(), compute_points_to_gen_set(), filter_formal_context_according_to_actual_context(), new_any_loop_to_points_to(), new_filter_formal_context_according_to_actual_context(), normalize_points_to_graph(), print_points_to_graph(), user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), and user_call_to_points_to_interprocedural_binding_set().
bool printed_points_to_list_undefined_p | ( | void | ) |
bool program_points_to | ( | char * | name | ) |
name | ame |
Definition at line 613 of file passes.c.
References copy_points_to_list(), db_get_memory_resource(), db_get_module_list(), DB_PUT_MEMORY_RESOURCE, debug_off, debug_on, entity_undefined, gen_array_full_free(), gen_array_item(), gen_array_nitems(), gen_nconc(), get_main_entity_name(), make_points_to_list(), module_local_name(), module_name_to_entity(), NIL, pips_assert, pips_debug, points_to_list_bottom, points_to_list_list, reset_current_module_entity(), reset_current_module_statement(), set_current_module_entity(), and set_current_module_statement().
in | n |
Definition at line 98 of file statement.c.
References current_statement_points_to_context, stack_push(), and statement_points_to_context.
Referenced by statement_to_points_to().
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 284 of file expression.c.
References expression_to_points_to(), range_increment, range_lower, and range_upper.
Referenced by expression_to_points_to().
in | n |
Definition at line 1626 of file sinks.c.
References NIL, and pips_user_warning.
Referenced by expression_to_points_to_cells().
A node is ready to be processed if its predecessors are not reachable or processed.
Pred = set_assign_list(Pred,gen_full_copy_list( Pred_l));
Processed | rocessed |
Reachable | eachable |
Definition at line 97 of file unstructured.c.
References control_predecessors, FOREACH, set_add_element(), set_belong_p(), SET_FOREACH, set_make(), and set_pointer.
Referenced by ready_to_be_processed_set().
A set containing all the successors of n that are ready to be processed.
Succ = set_assign_list(Succ, gen_full_copy_list(Succ_l));
Processed | rocessed |
Reachable | eachable |
Definition at line 114 of file unstructured.c.
References control_successors, FOREACH, Ready_p(), set_add_element(), SET_FOREACH, set_make(), and set_pointer.
Referenced by new_points_to_unstructured().
bool recursive_filter_formal_context_according_to_actual_context | ( | list | fcl, |
set | pt_in, | ||
set | pt_binded, | ||
set | binding, | ||
set | filtered | ||
) |
This function looks for successors of elements of list "fcl" both in points-to relations "pt_in" and "pt_binded".
Update the formal context defined by "pt_binded" on demand as necessary according to "pt_in", update the translation mapping "binding" according to the new pairs found, and go down recursively with a new list of constant paths, "nfcl", the possible successors in the formal context of the callee of elements in "fcl" when possible. In fact, the elements in "nfcl" must be pointers and are not necessarily the successors of elements of "fcl", but pointers contained in them.
This function is very similar to filter_formal_context_according_to_actual_context(), but a little bit more tricky. Amira Mensi unified both in her own version, but the unification makes the maintenance more difficult.
Copy only possible arcs "pt" from "pt_in" into the "filtered" set
FI: this assert may be too strong FI: This assert is too strong for Pointers/formal_parameter01 and its message is misleading because "source" is not an element of "fcl". Elements of "fcl" must be translated, but related elements may not be translatable because the effective context is not as rich as the formal context. For instance, the formal context may expect an array for each formal scalar pointer, but the effective target may be a scalar. And an error must be raised if pointer arithmetic is used in the callee.
Make sure pt_binded is large enough: the pointer may be initialized before the call to the caller and used only in the callee. Because of the on-demand approach, pt_binded does not contain enough elements.
Do we have a similar arc in pt_binded?
Compute the binding relation for sinks of the formal context list "fcl"
If "fc" is not a pointer, look for pointers in "fc"
Now, we have to call about the same function recursively on the list of formal sinks
fcl | cl |
pt_in | t_in |
pt_binded | t_binded |
binding | inding |
filtered | iltered |
Definition at line 362 of file interprocedural.c.
References add_arc_to_simple_pt_map, any_source_to_sinks(), approximation_undefined, CELL, cell_must_point_to_nowhere_sink_in_set_p(), cell_points_to_non_null_sink_in_set_p(), cell_points_to_nowhere_sink_in_set_p(), cell_points_to_null_sink_in_set_p(), copy_approximation(), copy_cell(), copy_points_to(), ENDP, FOREACH, free_approximation(), gen_free_list(), gen_length(), gen_nconc(), int, make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), make_points_to_graph(), NIL, nowhere_cell_p(), null_cell_p(), overloaded_type_p(), pips_assert, pips_internal_error, points_to_cell_add_zero_subscript(), points_to_cell_in_list_p(), points_to_cell_to_concrete_type(), points_to_cell_to_string(), points_to_cell_to_useful_pointer_cells(), points_to_cells_to_pointer_cells(), points_to_sink, points_to_source, points_to_source_to_sinks(), points_to_source_to_some_sinks(), points_to_translation_mapping_is_typed_p(), related_points_to_cell_in_list_p(), semantics_user_warning, SET_FOREACH, tc, and type_equal_p().
Referenced by filter_formal_context_according_to_actual_context().
Remove last subscripts of cell c till its type becomes a scalar pointer.
This of course may fail.
Remove the last subscript, hopefully 0
Definition at line 1809 of file expression.c.
References C_pointer_type_p(), CAR, cell_any_reference(), ENDP, EXPRESSION, field_reference_expression_p(), free_type(), gen_last(), gen_list_and_not(), pointer_type_p(), points_to_cell_to_type(), and reference_indices.
Referenced by list_assignment_to_points_to(), and reduce_cells_to_pointer_type().
Undo the extra eval performed when stubs are generated: 0 subscripts are added when arrays are involved.
cl | l |
Definition at line 1844 of file expression.c.
References CELL, FOREACH, null_cell_p(), and reduce_cell_to_pointer_type().
Handle conditions such as "if(p)".
Do not take care of side effects in references...
are we dealing with a pointer?
if p points to NULL, the condition is not feasible. If not, remove any arc from p to NULL
Make a points-to NULL and remove the arc from the current out
remove any arc from v to anything and add an arc from p to NULL
Make a points-to NULL and remove the arc from the current out
This condition is always false
in | n |
true_p | rue_p |
Definition at line 2538 of file expression.c.
References add_arc_to_pt_map, clear_pt_map, copy_reference(), entity_basic_concrete_type(), expressions_to_points_to(), free_points_to(), make_approximation_exact(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_null_pointer_value_cell(), make_points_to(), out, pips_user_warning, pointer_type_p(), points_to_graph_bottom, points_to_graph_set, points_to_source_projection(), reference_indices, reference_may_points_to_null_p(), reference_must_points_to_null_p(), reference_variable, and remove_arc_from_pt_map.
Referenced by condition_to_points_to().
pt_map reference_dereferencing_to_points_to | ( | reference | r, |
pt_map | in, | ||
bool | nowhere_dereferencing_p, | ||
bool | null_dereferencing_p | ||
) |
Can we execute the reference r in points-to context "in" without segfaulting?
Do not go down in subscript expressions.
See also reference_to_points_to_sinks(). Unfortunate cut-and-paste.
Does the reference implies some dereferencing itself?
C syntactic sugar: *a is equivalent to a[0] when a is an array. No real dereferencing needed.
Remove store-dependent indices
in | n |
nowhere_dereferencing_p | owhere_dereferencing_p |
null_dereferencing_p | ull_dereferencing_p |
Definition at line 333 of file dereferencing.c.
References array_of_pointers_type_p(), array_type_p(), CELL, clear_pt_map, copy_reference(), effect_reference_to_string(), ENDP, entity_basic_concrete_type(), FOREACH, gen_free_list(), gen_length(), int, make_cell_reference(), nowhere_cell_p(), null_cell_p(), pointer_points_to_reference_p(), pointer_reference_dereferencing_to_points_to(), pointer_type_p(), points_to_context_statement_line_number(), points_to_graph_bottom, reference_indices, reference_variable, remove_points_to_arcs(), semantics_user_warning, source_to_sinks(), statement_points_to_context_defined_p(), subscript_expressions_to_constant_subscript_expressions(), type_variable, and variable_dimension_number().
Referenced by dereferencing_to_points_to().
in | n |
Definition at line 1873 of file sinks.c.
References CELL, FOREACH, gen_free_list(), null_cell_p(), and reference_to_sinks().
Referenced by reference_condition_to_points_to().
in | n |
Definition at line 1859 of file sinks.c.
References CAR, CELL, gen_free_list(), gen_length(), null_cell_p(), and reference_to_sinks().
Referenced by reference_condition_to_points_to().
Build an ASCII string to disambiguate the different field paths that may exist in similar references.
If the variable referenced by "r" is not a struct, returns the empty string.
If it is a struct, derive a string that is unique to a particular combination of fields and subfields.
Definition at line 468 of file points_to_init_analysis.c.
References asprintf, entity_field_p(), entity_field_rank(), EXPRESSION, expression_reference(), expression_reference_p(), f(), FOREACH, free(), reference_indices, reference_variable, strdup(), string_undefined, and string_undefined_p.
Referenced by create_stub_points_to().
The subscript expressions may impact the points-to information.
E.g. a[*(p++)]
FI: I'm surprised that pointers can be indexed instead of being subscripted... This is linked to the parser in expression_to_points_to().
pt_in | t_in |
side_effect_p | ide_effect_p |
Definition at line 262 of file expression.c.
References dereferencing_to_points_to(), ENDP, entity_basic_concrete_type(), entity_stub_sink_p(), entity_to_expression(), expressions_to_points_to(), formal_parameter_p(), free_expression(), pointer_type_p(), points_to_graph_bottom, reference_indices, and reference_variable.
Referenced by expression_to_points_to().
Returns a list of memory cells "sinks" possibly accessed by the evaluation of reference "r".
No sharing between the returned list "sinks" and the reference "r" or the points-to set "in".
Examples if eval_p==false: x->x, t[1]->t[1], t[1][2]->t[1][2], p->p...
Examples if eval_p==true: x->error, t[1]->t[1][0], t[1][2]->t[1][2][0], p->p[0]...
If constant_p, stored-dependent subscript expressions are replaced by "*" and store-independent expressions are replaced by their values, e.g. x[3+4]->x[7]. Else, subscript expressions are left unchanged. Motivation: constant_p==true for points-to computation, and false for the translation of effects. In the latter case, the transformation into a constant reference is postponed.
Issue: let's assume "t" to be an array "int t[10][10[10];". The C language is (too) flexible. If "p" is an "int ***p;", the impact of assignment "p=t;" leads to "p points-to t" or "p points-to t[0]" or "p points-to t[0][0][0]". Two different criteria can be used: the compatibiliy of the pointer type and the pointed cell type, or the equality of the pointer value and of the pointed cell address.
In the first case, t->t[0]->t[0][0]->t[0][0][0].
In the second case, t->t[0][0][0], t[0]->t[0][0][0], t[0][0]->t[0][0][0].
FI: I do not trust this function. It is already too long. And I am not confident the case disjunction is correct/well chosen.
Two proper possibilities: an array of pointers fully subscribed or any other kind of array partially subscribed. And an unsuitable one: an integer value...
No matter what, the target is obtained by adding a 0 subscript
FI: I do not know if the subscript removal impact the handling of loops by the points-to analysis; see Points-to/array07.c
What is the value of the subscript expression?
scalar case, rhs is already a lvalue
An array name can be used as pointer constant
We should add null indices according to its number of dimensions
This function may be called from the effect library via backward_translation_of_points_to_formal_context()
ips_assert("The expected type and the reference type are equal", array_pointer_type_equal_p(et, rt));
ips_assert("The expected type and the reference type are compatible", concrete_type_equal_p(et, rt));
et | t |
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 755 of file sinks.c.
References array_of_pointers_type_p(), array_type_p(), CELL, check_type_of_points_to_cells(), clear_pt_map, CONS, constant_p(), copy_reference(), effect_reference_to_string(), ENDP, entity_basic_concrete_type(), entity_type, EXPRESSION, FOREACH, fprintf(), free_cell(), gen_in_list_p(), gen_length(), gen_nconc(), ifdebug, int, int_to_expression(), make_cell_reference(), make_reference(), NIL, NumberOfDimension(), pips_assert, pips_debug, pips_internal_error, pips_user_error, pips_user_warning, pointer_reference_to_points_to_sinks(), pointer_type_p(), points_to_cell_add_zero_subscripts(), points_to_context_statement_line_number(), points_to_graph_bottom, points_to_reference_to_concrete_type(), print_points_to_cells, print_reference(), reference_indices, reference_variable, reference_with_store_independent_indices(), scalar_type_p(), simplified_reference(), source_to_sinks(), statement_points_to_context_defined_p(), struct_type_p(), type_structurally_equal_p(), type_variable, ultimate_type(), and variable_dimension_number().
Referenced by expression_to_points_to_cells(), and subscripted_reference_to_points_to().
This function is designed to work properly for the translation of effects at call sites.
ptm is assumed to be a translation mapping.
Knowing that v(o_sl) is translated into w(d_sl), what is the translation of v(sl), w[tsl], assuming that o_sl, d_sl and sl are all subscript lists?
We assume that |o_sl|<|sl| because otherwise v[o_sl] would not be a constant memory location (?). We assume that |o_sl|<|d_sl| because we do not modelize sharing.
tsl is the result of the concatenation of three subscripts lists: a prefix made of the first subscripts of d_sl that are not covered by sl, the other subscripts of d_sl, updated according to the subscript values in sl, and a suffix, the subscripts in sl that have not equivalent in o_sl.
Update the last subscripts. E.g. _x_3[*] and _x_3[0] -> y[i][0] leads to y[i]*.
Update the last subscripts. E.g. _q_2[0][one] and _q_2[0] -> s leads to sone.
Update the last subscripts. E.g. x_3[4] and _x_3[0] -> y[*][1] leads to y[*][5]... A proof is needed to justify the subscript addition... if only to show that _x_3[0] is acceptable to claim something about _x[4]... (see EffectsWithPointsTo.sub/call08,c).
Same thing with _x_3[i] and _x_3[0] -> y[*][j]?
This functions is similar to what must be done to compute the sink or the source of an expression, but here both the subscript list sl and the sinks of the points-to arcs in ptm do not have to be constant paths.
null and undefined targets are not possible
Are the subscript lists compatible?
Offset to be applied...
We have an equality between the effect and the origin
The subscripts left in csl must be appended to the new sink
Build the prefix
Build the body: depending on the subscripts in sl and o_sl, update or not the susbcripts in cd_sl
Skip subscripts not reproduced in the destination
Build the suffix
Check the resulting length
Do no index constant character strings
sl | l |
ptm | tm |
Definition at line 1540 of file points_to_set.c.
References binary_intrinsic_expression, CAR, CELL, cell_any_reference(), CONS, constant_int, constant_int_p, copy_cell(), copy_expression(), ENDP, entity_basic_concrete_type(), EvalExpression(), EXPRESSION, expression_equal_p(), expression_lists_equal_p(), expression_undefined, expression_undefined_p, extended_integer_constant_expression_p(), free_cell(), gen_free_list(), gen_length(), gen_nreverse(), int, int_to_expression(), make_cell_reference(), make_reference(), NIL, nowhere_cell_p(), null_cell_p(), pips_assert, PLUS_OPERATOR_NAME, points_to_cell_in_list_p(), points_to_graph_set, points_to_sink, points_to_source, POP, reference_indices, reference_undefined, reference_variable, SET_FOREACH, tc, type_functional_p, unbounded_expression_p(), value_constant, value_constant_p, and zero_expression_p().
Referenced by points_to_reference_to_translation(), and substitute_stubs_in_transformer_with_translation_binding().
in | n |
fresh_p | resh_p |
Definition at line 2529 of file points_to_set.c.
References copy_reference(), free_cell(), make_cell_reference(), and source_to_sinks().
Referenced by reference_may_points_to_null_p(), and reference_must_points_to_null_p().
Update the points-to information "in" according to the validity of the condition.
We can remove the arcs that violate the condition or decide that the condition cannot be true.
in | n |
true_p | rue_p |
Definition at line 3274 of file expression.c.
References call_arguments, call_function, ENTITY_EQUAL_P, ENTITY_GREATER_OR_EQUAL_P, ENTITY_GREATER_THAN_P, ENTITY_LESS_OR_EQUAL_P, ENTITY_LESS_THAN_P, ENTITY_NON_EQUAL_P, equal_condition_to_points_to(), f(), non_equal_condition_to_points_to(), order_condition_to_points_to(), out, pips_assert, pips_internal_error, and points_to_graph_consistent_p().
Referenced by intrinsic_call_condition_to_points_to().
Definition at line 3585 of file points_to_set.c.
References set_del_element().
Referenced by points_to_set_block_projection(), and remove_points_to_cell().
pts | ts |
pt_out | t_out |
Definition at line 231 of file interprocedural.c.
References add_arc_to_simple_pt_map, cell_equal_p(), copy_cell(), entity_anywhere_locations(), make_approximation_exact(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_reference(), NIL, points_to_sink, points_to_source, remove_arc_from_simple_pt_map, and SET_FOREACH.
Referenced by user_call_to_points_to_intraprocedural().
You know that null and undefined cells in "*pL" are impossible because of the operation that is going to be performed on it.
Remove the corresponding arcs in points-to graph "in". Remove the corresponding cells from "*pL".
The search uses pointers. So "*pL" must contain sink cells of arcs of "in".
pL | L |
in | n |
Definition at line 3498 of file points_to_set.c.
References CELL, CONS, FOREACH, gen_free_list(), gen_list_and_not(), get_bool_property(), NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, points_to_sink_to_points_to(), points_to_undefined_p, and remove_arc_from_pt_map.
Referenced by binary_intrinsic_call_to_points_to_sinks(), dereferencing_to_sinks(), and subscripted_reference_to_points_to().
source | ource |
sink | ink |
pt | t |
Definition at line 3114 of file points_to_set.c.
References copy_cell(), free_points_to(), make_approximation_exact(), make_approximation_may(), make_descriptor_none(), make_points_to(), and remove_arc_from_pt_map.
Referenced by pointer_arithmetic_to_points_to(), and reference_dereferencing_to_points_to().
All arcs in relation "g" must be removed or updated if they use the node "c".
If "c" is the source of an arc, the arc must be removed and the sink is a new potential leak.
If "c" is the sink of an arc, NOWHERE, i.e. UNDEFINED is the new sink. The approximation is unchanged.
Since the heap model does not support a precise analysis, this is not sure. For the time being, all buckets allocated by the same statement have a unique name. So arcs pointing to one cannot be removed when another one is freed. However, since we check that no arc points to an abstract bucket before we declare a sure memory leak, this should be OK in the context of memory leaks...
&& atomic_points_to_cell_p(c)
Apply the arc removals
Apply the arc additions
Look for effective memory leaks induced by the removal
Go down recursively...
Definition at line 361 of file points_to_set.c.
References add_arc_to_simple_pt_map(), CELL, CONS, copy_approximation(), copy_cell(), ENDP, FOREACH, get_bool_property(), heap_cell_p(), make_descriptor_none(), make_nowhere_cell(), make_points_to(), make_typed_nowhere_cell(), NIL, POINTS_TO, points_to_approximation, points_to_cell_equal_p(), points_to_cell_to_concrete_type(), points_to_sink, points_to_source, potential_to_effective_memory_leaks(), remove_arc_from_simple_pt_map(), remove_points_to_cells(), and SET_FOREACH.
Referenced by remove_points_to_cells().
All nodes, i.e.
cells, in "cl" must be removed from graph "g".
graph "g" is updated by side-effects and returned.
cl | l |
Definition at line 416 of file points_to_set.c.
References CELL, FOREACH, and remove_points_to_cell().
Referenced by points_to_function_projection(), and remove_points_to_cell().
in | n |
verbose_p | erbose_p |
Definition at line 3461 of file points_to_set.c.
References generic_remove_unreachable_vertices_in_points_to_graph(), and out.
in | n |
Definition at line 3455 of file points_to_set.c.
References generic_remove_unreachable_vertices_in_points_to_graph(), and out.
Referenced by any_loop_to_points_to().
This function looks pretty dangerous as variables can be reached by their names.
in | n |
Definition at line 3469 of file points_to_set.c.
References generic_remove_unreachable_vertices_in_points_to_graph(), and out.
void reset_heap_model | ( | void | ) |
Definition at line 1185 of file sinks.c.
References malloc_counter, malloc_statement, and statement_undefined.
Referenced by statement_to_points_to().
void reset_points_to_context | ( | void | ) |
Definition at line 158 of file passes.c.
References pips_assert, points_to_context, pt_map_undefined, and pt_map_undefined_p.
Referenced by generic_points_to_analysis().
void reset_printed_points_to_list | ( | void | ) |
void reset_statement_points_to_context | ( | void | ) |
Definition at line 139 of file statement.c.
References stack_free(), stack_undefined, and statement_points_to_context.
Referenced by generic_points_to_analysis().
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 1165 of file points_to_set.c.
References generic_stub_source_to_sinks().
Referenced by stub_source_to_sinks().
seq | eq |
pt_in | t_in |
Definition at line 436 of file statement.c.
References FOREACH, sequence_statements, and statement_to_points_to().
Referenced by instruction_to_points_to().
void set_printed_points_to_list | ( | statement_points_to | ) |
Return NULL as sink.
Double definition... list points_to_null_sinks() { entity ne = entity_null_locations(); reference nr = make_reference(ne, NIL); cell nc = make_cell_reference(nr); list sinks = CONS(CELL, nc, NIL); return sinks; } Points-to cannot used any kind of reference, just constant references.
For instance, "x[i]" is transformed into "x[*]" because the value of "i" is unknown. x[3+4] may be transformed into x[7].
A new referencec is allocated. Reference "r" is unchanged.
Definition at line 670 of file sinks.c.
References CONS, constant_int, constant_int_p, EvalExpression(), EXPRESSION, expression_undefined, FOREACH, gen_nconc(), int_to_expression(), make_reference(), make_unbounded_expression(), NIL, reference_indices, reference_variable, value_constant, and value_constant_p.
Referenced by reference_to_points_to_sinks().
test if a cell appear as a sink in a set of points-to
sink | ink |
Definition at line 680 of file points_to_set.c.
References cell_equal_p(), points_to_sink, and SET_FOREACH.
Referenced by points_to_set_block_projection(), and points_to_source_projection().
Build a list of possible cell sources for cell "sink" in points-to graph "pts".
If fresh_p is set, allocate new cells, if not just build the spine of the list.
Get rid of the constant subscripts since they are not direclty part of the points-to scheme on the sink side
sink | ink |
pts | ts |
fresh_p | resh_p |
Definition at line 1123 of file points_to_set.c.
References CELL, CONS, copy_cell(), NIL, points_to_sink, points_to_source, related_points_to_cells_p(), and SET_FOREACH.
Referenced by points_to_path_to_k_limited_points_to_path().
Is there at least one cell "sink" in list "sinks" whose subscripts fully match the subscripts in cell "source"?
It is easy in a one-D setting. If "p" is an array or a presumed array and if the source is "p[*]" then sinks "{a[1], a[2]}" are not sufficient. Something else is needed such as "a[*]" or "b[*]" or "undefined".
FI: As a first cut, the numbers of unbounded subscripts in references are counted and compared.
source | ource |
sinks | inks |
Definition at line 2132 of file points_to_set.c.
References CELL, cell_any_reference(), ENDP, FOREACH, points_to_subscripts_to_number_of_unbounded_dimensions(), and reference_indices.
Referenced by source_to_sinks().
list sizeofexpression_to_points_to_sinks | ( | sizeofexpression | , |
type | , | ||
pt_map | |||
) |
bool source_in_graph_p | ( | cell | source, |
points_to_graph | s | ||
) |
source | ource |
Definition at line 674 of file points_to_set.c.
References points_to_graph_set, and source_in_set_p().
Referenced by user_call_to_points_to_intraprocedural().
test if a cell appear as a source in a set of points-to
if( opkill_may_vreference(source, points_to_source(pt) ))
source | ource |
Definition at line 646 of file points_to_set.c.
References cell_equal_p(), points_to_source, and SET_FOREACH.
Referenced by compute_points_to_kill_set(), points_to_binding_arguments(), points_to_cell_translation(), and source_in_graph_p().
test if a cell "source" appears as a source in a set of points-to
if( opkill_may_vreference(source, points_to_source(pt) ))
source | ource |
Definition at line 657 of file points_to_set.c.
References cell_equal_p(), cell_included_p(), points_to_source, and SET_FOREACH.
Referenced by points_to_binding_arguments().
Return a list of cells, "sinks", that are sink for some arc whose source is "source" or related to "source" in set "pts".
If no such arc is found, add new points-to stubs and new arcs in "pts" when global, formal or virtual variables are used in "source". Manage fix point detection to avoid creating an infinite number of such points-to stubs when recursive data structures are accessed in loops.
If "fresh_p" is set to true, no sharing is created between list "sinks" and reference "source" or points-to set "pts". Else, the cells in list "sinks" are the cells in arcs of the points-to set.
FI: I am not sure the above paragraph is properly implemented.
This function is based on several other simpler functions:
This function should never return an empty list. The caller should handle it as a bug in the analyzed code.
Function added by FI. It is recursive via...
Can we expect a sink?
0. Is the source a pointer? You would expect a yes, but C pointer arithmetics requires some strange typing. We assume it is an array of pointers.
We may need a stub even if sinks is not empty when the source contains "*" subscript(s) and when none of the sinks contains such a subscript, or, more precisely when star subscripts do not match, matching being not yet clearly defined.
Must be checked before globals because stubs for global variables are themselves global.
FI: it seems easier to maintain the consistency between the sinks and the arcs for the global consistency of the points-to processing. Otherwise, we may have to check for special cases like undefined or anywhere.
A bug somewhere up...
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 2214 of file points_to_set.c.
References add_arc_to_pt_map(), anywhere_cell_p(), anywhere_source_to_sinks(), array_type_p(), basic_pointer_p, C_pointer_type_p(), CELL, cell_any_reference(), cell_typed_anywhere_locations_p(), clear_pt_map, CONS, copy_cell(), ENDP, entity_anywhere_locations(), entity_basic_concrete_type(), entity_stub_sink_p(), entity_typed_anywhere_locations_p(), entity_user_name(), FOREACH, formal_parameter_p(), formal_source_to_sinks(), free_cell(), gen_nconc(), get_bool_property(), global_source_to_sinks(), make_anywhere_cell(), make_anywhere_points_to_cell(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_reference(), NIL, nowhere_cell_p(), nowhere_source_to_sinks(), null_cell_p(), null_pointer_value_cell_p(), null_source_to_sinks(), overloaded_type_p(), pips_internal_error, pips_user_warning, points_to_cell_to_concrete_type(), points_to_context_statement_line_number(), points_to_graph_bottom, points_to_source_to_sinks(), print_reference(), pt_map_undefined_p, reference_variable, sinks_fully_matches_source_p(), static_global_variable_p(), stub_source_to_sinks(), top_level_entity_p(), type_to_pointed_type(), type_variable, and variable_basic.
Referenced by any_source_to_sinks(), binary_intrinsic_call_to_points_to_sinks(), dereferencing_to_sinks(), extended_source_to_sinks(), formal_source_to_sinks(), generic_stub_source_to_sinks(), global_source_to_sinks(), internal_pointer_assignment_to_points_to(), pointer_arithmetic_to_points_to(), reference_dereferencing_to_points_to(), reference_to_points_to_sinks(), reference_to_sinks(), sources_to_sinks(), and subscript_to_points_to_sinks().
Same as source_to_sinks, but for a list of cells.
sources | ources |
ptm | tm |
fresh_p | resh_p |
Definition at line 2519 of file points_to_set.c.
References CELL, FOREACH, gen_nconc(), NIL, and source_to_sinks().
bool statement_points_to_context_defined_p | ( | void | ) |
Definition at line 145 of file statement.c.
References stack_undefined, and statement_points_to_context.
Referenced by aliased_translation_p(), filter_formal_context_according_to_actual_context(), internal_pointer_assignment_to_points_to(), new_filter_formal_context_according_to_actual_context(), reference_dereferencing_to_points_to(), and reference_to_points_to_sinks().
See points_to_statement()
Process the declarations
Go down recursively, although it is currently useless since a declaration statement is a call to CONTINUE
Get the current version of pt_in, updated by the analysis of s.
Either pt_in or pt_out should be stored in the hash_table
But it might be smarter (or not) to require or not the storage.
Eliminate local information if you exit a block
The statement context is know unknown: it has been popped above. No precise error message in points_to_set_block_projection()
Because arc removals do not update the approximations of the remaining arcs, let's upgrade approximations before the information is passed. Useful for arithmetic02.
Really dangerous here: if pt_map "in" is empty, then pt_map "out" must be empty to...
FI: we have a problem to denote unreachable statement. To associate an empty set to them woud be a way to avoid problems when merging points-to along different control paths. But you might also wish to start with an empty set... And anyway, you can find declarations in dead code...
pt_in | t_in |
Definition at line 154 of file statement.c.
References bound_pt_to_list_p(), consistent_pt_map_p, declaration_statement_p(), declaration_statement_to_points_to(), entity_main_module_p(), fi_points_to_storage(), full_copy_pt_map(), gen_free_list(), gen_full_copy_list(), get_current_module_entity(), get_current_module_statement(), graph_assign_list(), init_heap_model(), instruction_to_points_to(), load_pt_to_list(), merge_points_to_graphs(), new_pt_map, pips_assert, points_to_graph_bottom, points_to_graph_set, points_to_list_list, points_to_set_block_projection(), pop_statement_global_stack(), pop_statement_points_to_context(), push_statement_on_statement_global_stack(), push_statement_points_to_context(), reset_heap_model(), statement_declarations, statement_instruction, statement_sequence_p(), and upgrade_approximations_in_points_to_set().
Referenced by any_loop_to_points_to(), control_to_points_to(), cyclic_graph_to_points_to(), generic_points_to_analysis(), new_any_loop_to_points_to(), new_points_to_unstructured(), sequence_to_points_to(), test_to_points_to(), and whileloop_to_points_to().
Definition at line 2888 of file points_to_set.c.
References consistent_points_to_arc_p().
Referenced by add_arc_to_pt_map(), add_arc_to_pt_map_(), add_arc_to_simple_pt_map(), and consistent_points_to_set().
void store_or_update_printed_points_to_list | ( | statement | , |
points_to_list | |||
) |
void store_printed_points_to_list | ( | statement | , |
points_to_list | |||
) |
pt_map struct_assignment_to_points_to | ( | expression | lhs, |
expression | rhs, | ||
pt_map | pt_in | ||
) |
pt_in is modified by side-effects and returned as pt_out
This function is also used for declarations, although the syntax for declarations is reacher than the syntax for assignments which can use BRACE_INTRINSIC.
Current arc list (cal): the new arc may be conflicting with an existing must arc
We may have an implicit array of struct in the right or left hand side
rray_type_p(ft) ||
FI: conditionally add zero subscripts necessary to move from an array "a" to its first element, e.g. a[0][0][0]
lhs | hs |
rhs | hs |
pt_in | t_in |
Definition at line 2319 of file expression.c.
References add_arc_to_pt_map, approximation_exact_p, array_of_pointers_type_p(), array_of_struct_type_p(), array_type_p(), assignment_to_points_to(), basic_derived, basic_equal_p(), C_initialization_expression_p(), CELL, cell_any_reference(), cell_to_type(), CONS, copy_cell(), copy_reference(), ENTITY, entity_abstract_location_p(), entity_basic_concrete_type(), entity_type, EXPRESSION, expression_to_points_to_sources(), f(), FOREACH, gen_free_list(), gen_nconc(), make_anywhere_cell(), make_approximation_may(), make_cell_reference(), make_descriptor_none(), make_points_to(), make_unbounded_expression(), NIL, pips_assert, pips_internal_error, pointer_type_p(), POINTS_TO, points_to_approximation, points_to_sink, points_to_source, points_to_source_to_arcs(), reference_add_field_dimension(), reference_add_zero_subscripts(), reference_indices, reference_to_expression(), reference_variable, remove_arc_from_pt_map, simple_reference_add_field_dimension(), struct_initialization_to_points_to(), struct_type_p(), type_struct, type_to_pointed_type(), type_variable, and variable_basic.
Referenced by assignment_to_points_to().
pt_map struct_initialization_to_points_to | ( | expression | lhs, |
expression | rhs, | ||
pt_map | in | ||
) |
Temporary implementation: use anywhere as default initialization
We must assign to each relevant field its initial value
lhs | hs |
rhs | hs |
in | n |
Definition at line 2262 of file expression.c.
References add_arc_to_pt_map, assignment_to_points_to(), CAR, CELL, cell_any_reference(), compute_basic_concrete_type(), CONS, ENDP, ENTITY, entity_to_expression(), EXPRESSION, expression_to_points_to_sources(), f(), FOREACH, free_type(), gen_length(), make_anywhere_cell(), make_approximation_exact(), make_descriptor_none(), make_points_to(), make_reference(), NIL, out, pips_assert, points_to_cell_to_type(), POP, reference_indices, reference_to_expression(), reference_variable, struct_initialization_expression_to_expressions(), struct_variable_to_fields(), type_to_pointed_type(), and variable_to_pointer_locations().
Referenced by struct_assignment_to_points_to().
return list of cells for pointers declared directly or indirecltly in variable "e" of type struct defined by entity "ee" and its type.
Typedefs have already been taken care of by the caller (?).
Signature with e and ee inherited from Amira Mensi.
Find pointers downwards and build a list of cells.
ee | e |
Definition at line 115 of file variable.c.
References array_entity_p(), array_of_pointers_type_p(), array_of_struct_type_p(), array_type_p(), CELL, CONS, ENTITY, entity_to_expression(), entity_type, EXPRESSION, f(), FOREACH, free_cell(), gen_full_copy_list(), gen_full_free_list(), gen_nconc(), make_cell_reference(), make_reference(), make_unbounded_expression(), NIL, pips_assert, pointer_type_p(), struct_type_p(), struct_variable_to_pointer_subscripts(), type_struct, type_struct_p, ultimate_type(), and variable_entity_dimension().
Referenced by variable_to_pointer_locations().
returns a list of cells to reach pointers depending on field f.
Cell c is the current prefix.
In case we are dealing with an array of structs, add subscript expressions in mc, a modified copy of parameter c
Take care of each field in the structure.
copy cell c and add a subscript for f
copy cell c and add a subscript for f
Definition at line 183 of file variable.c.
References array_entity_p(), array_of_pointers_type_p(), array_of_struct_type_p(), basic_derived, CELL, cell_any_reference(), CONS, copy_cell(), ENTITY, entity_to_expression(), entity_type, EXPRESSION, f(), FOREACH, free_cell(), gen_nconc(), make_unbounded_expression(), NIL, pips_assert, pointer_type_p(), reference_indices, struct_type_p(), struct_variable_to_pointer_subscripts(), type_struct, type_variable, ultimate_type(), and variable_basic.
Referenced by struct_variable_to_pointer_locations(), and struct_variable_to_pointer_subscripts().
source | ource |
pts | ts |
fresh_p | resh_p |
Definition at line 1153 of file points_to_set.c.
References array_stub_source_to_sinks(), cell_any_reference(), ENDP, NIL, reference_indices, and scalar_stub_source_to_sinks().
Referenced by source_to_sinks().
bool subscript_expression_p | ( | expression | e | ) |
Definition at line 752 of file constant-path-utils.c.
References expression_syntax, and syntax_subscript_p.
Generate the corresponding points-to reference(s).
All access operators such as ., ->, * are replaced by subscripts.
See Strict_typing.sub/assigment11.c: the index is not put back at the right place. It would be easy (?) to fix it in this specific case, not forgetting the field subscripts..., but I do not see how to handle general stubs with artificial dimensions...
FI: In many cases, you do need the source. However, you have different kind of sources because "x" and "&x[0]" are synonyms and because you sometimes need "x" and some other times "&x[0]".
If the first dimension is unbounded, it has (probably) be added because of a pointer. A zero subscript is also added.
Add a zero subscript
Add subscript when possible. For typing reason, typed anywhere cell should be subscripted.
Add the subscripts
The reference "p[i][j]" is transformed into an expression "*(*(p+i)+j)" if "p" is really a pointer expression, not a partial array reference.
et | t |
in | n |
eval_p | val_p |
Definition at line 1451 of file sinks.c.
References adapt_reference_to_type(), all_heap_locations_cell_p(), anywhere_cell_p(), array_type_p(), CAR, CELL, cell_any_reference(), check_type_of_points_to_cells(), clear_pt_map, complete_points_to_reference_with_zero_subscripts(), CONS, DIMENSION, ENDP, entity_stub_sink_p(), EXPRESSION, expression_to_points_to_sources(), FOREACH, free_expression(), free_type(), gen_free_list(), gen_full_copy_list(), gen_full_free_list(), gen_nconc(), get_bool_property(), make_zero_expression(), NIL, nowhere_cell_p(), null_cell_p(), pips_internal_error, pips_user_warning, pointer_subscript_to_expression(), pointer_type_p(), points_to_array_reference_p(), points_to_cell_to_type(), points_to_context_statement_line_number(), points_to_expression_to_type(), points_to_graph_bottom, points_to_reference_update_final_subscripts(), reference_indices, reference_variable, source_to_sinks(), struct_type_p(), subscript_array, subscript_expressions_to_constant_subscript_expressions(), subscript_indices, type_variable, unbounded_dimension_p(), and variable_dimensions.
Referenced by expression_to_points_to_cells().
expression.c
expression.c
FI: we have to find the right location for the subscript to update. Some dimensions are due to the dimension of the source in pt_in, one dimension is due to the fact that we are dealing with a pointer, some dimensions are due to the fact that an array is pointed. The dimension to update may be the first one, the last one, or one in the middle.
This also depends on strict typing...
See for instance, Pointers/pointer20.c
sl | l |
pt_in | t_in |
Definition at line 57 of file expression.c.
References adapt_reference_to_type(), array_of_pointers_type_p(), CAR, CDR, CELL, cell_any_reference(), CONS, copy_expression(), ENDP, EXPRESSION, FOREACH, NIL, pips_internal_error, pointer_type_p(), points_to_cell_update_last_subscript(), points_to_context_statement_line_number(), points_to_reference_to_concrete_type(), reference_indices, reference_to_points_to_sinks(), and remove_impossible_arcs_to_null().
Referenced by expression_to_points_to().
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 594 of file sinks.c.
References call_arguments, call_function, CAR, CDR, clear_pt_map, condition_to_points_to(), consistent_pt_map_p, constant_p(), ENTITY_CONDITIONAL_P, EXPRESSION, expression_to_points_to_cells(), f(), free_pt_map, full_copy_pt_map(), gen_nconc(), merge_points_to_set(), NIL, pips_assert, points_to_graph_bottom, and points_to_graph_set.
Referenced by intrinsic_call_to_points_to_sinks().
Computing the points-to information after a test.
All the relationships are of type MAY, even if the same arc is defined, e.g. "if(c) p = &i; else p=&i;".
Might be refined later by using preconditions.
Make sure the condition is exploited, either because of side effects or simply because of dereferencements.
This cannot be done here because of side-effects.
FI: because the conditions must be evaluated for true and false?
condition's side effect and information are taked into account, e.g.:
"if(p=q)" or "if(*p++)" or "if(p)" which implies p->NULL in the else branch. FI: to be checked with test cases
We must use a common definition domain for both relations in order to obatin a really consistent points-to relation after the merge. This is similar to what is done in semantics for scalar preconditions.
pt_in | t_in |
Definition at line 496 of file statement.c.
References condition_to_points_to(), equalize_points_to_domains(), expression_to_points_to(), free_pt_map, full_copy_pt_map(), merge_points_to_graphs(), pips_assert, points_to_graph_bottom, points_to_graph_consistent_p(), points_to_graph_set, pt_map_undefined, set_clear(), statement_to_points_to(), test_condition, test_false, and test_true.
Referenced by instruction_to_points_to().
Definition at line 84 of file points_to_prettyprint.c.
References close_prettyprint(), debug_off, debug_on, get_current_module_entity(), init_prettyprint(), text_module(), and text_points_to().
text text_region(effect reg) input : a region output : a text consisting of several lines of commentaries, representing the region modifies : nothing
of string
PREFIX
REFERENCES
Change nowhere cells into undefined to comply with the C standard
if (points_to_second_address_of_p(pt_to))
append("&");
DESCRIPTOR
sorts in such a way that constraints with phi variables come first.
APPROXIMATION
CLOSE
pt_to | t_to |
Definition at line 253 of file points_to_prettyprint.c.
References append, approximation_may_p, cell_gap_p, cell_preference_p, cell_reference, close_current_line(), concatenate(), CONS, descriptor_convex, descriptor_none_p, effect_words_reference(), entity_typed_nowhere_locations_p(), FOREACH, gen_free_string_list(), get_comment_continuation(), get_comment_sentinel(), ifdebug, is_inferior_cell_descriptor_pvarval(), is_sentence_formatted, line_buffer, make_sentence(), make_text(), MAX_LINE_LENGTH, NIL, pips_assert, pips_region_user_name(), pips_user_warning, points_to_approximation, points_to_descriptor, points_to_sink, points_to_source, points_to_undefined_p, reference_variable, sc_copy(), sc_lexicographic_sort(), sc_rm(), SENTENCE, strdup(), STRING, system_sorted_text_format(), text_undefined, and vect_contains_phi_p().
Referenced by print_points_to_relation(), and text_points_to_relations().
text text_points_to_relations | ( | points_to_list | ptl, |
string | header | ||
) |
in case of loose_prettyprint, at least one region to print?
GO: No redundant test anymore, see text_statement_array_regions
header first
ptl | tl |
header | eader |
Definition at line 349 of file points_to_prettyprint.c.
References ADD_SENTENCE_TO_TEXT, append, ENDP, FOREACH, get_bool_property(), get_comment_continuation(), get_comment_sentinel(), HASH_UNDEFINED_VALUE, is_sentence_formatted, line_buffer, list_undefined, make_sentence(), make_text(), MAX_LINE_LENGTH, MERGE_TEXTS, NIL, points_to_list_bottom, points_to_list_list, points_to_list_sort(), strdup(), and text_points_to_relation().
Referenced by print_code_points_to(), print_points_to_list(), and text_pt_to().
We are done
translation | ranslation |
Definition at line 1702 of file interprocedural.c.
References CELL, CONS, ENDP, FOREACH, gen_copy_seq(), gen_free_list(), gen_nconc(), make_points_to_graph(), NIL, points_to_cell_in_list_p(), and points_to_sources_to_effective_sinks().
Referenced by aliased_translation_p().
See if a super-cell of "c" exists witf type "t".
A supercell is a cell "nc" equals to cell "c" but with a shorter subscript list.
This function is almost identical to the previous one.
A new cell is allocated and returned.
Remove the last subscript
Definition at line 906 of file points_to_set.c.
References CAR, cell_any_reference(), cell_to_type(), copy_cell(), ENDP, EXPRESSION, fprintf(), free_type(), gen_last(), gen_remove(), ifdebug, pips_debug, print_points_to_cell, reference_indices, type_equal_p(), and type_to_full_string_definition().
Referenced by find_kth_points_to_node_in_points_to_path().
A type "t" is compatible with a cell "c" if any of the enclosing cell "c'" of "c", including "c", is of type "t".
For instance, "a.next" is included in "a". It is compatible with both the type of "a" and the type of "a.next".
Remove the last subscript
Definition at line 857 of file points_to_set.c.
References CAR, cell_any_reference(), cell_to_type(), concrete_array_pointer_type_equal_p(), copy_cell(), ENDP, EXPRESSION, free_cell(), free_type(), gen_last(), gen_remove(), ifdebug, pips_debug, reference_indices, and type_to_full_string_definition().
Referenced by find_kth_points_to_node_in_points_to_path().
Input : a formal parameter which is a typedef.
FI: a formal parameter cannot be a typedef, but it can be typed with a typedefined type.
maybe should be removed if we have already called ultimate type in formal_points_to_parameter()
We ignor dimensions for the being, descriptors are not implemented yet...Amira Mensi
ultimate_type() returns a wrong type for arrays. For example for type int*[10] it returns int*[10] instead of int[10].
l = points_to_init_derived(e, e2);
In fact, there should be a FOREACH to scan all elements of l_ef
free the spine
pt | t |
Definition at line 1033 of file points_to_init_analysis.c.
References array_entity_p(), b2, basic_derived, basic_derived_p, basic_typedef, basic_typedef_p, CAR, cell_any_reference(), create_stub_points_to(), EFFECT, effect_any_reference, effect_undefined, effects_free(), ENTITY, entity_intrinsic(), entity_to_expression(), entity_type, entity_undefined, entity_variable_p, expression_pointer_p(), FIELD_OPERATOR_NAME, FOREACH, gen_free_list(), generic_effects_reset_all_methods(), generic_proper_effects_of_complex_address_expression(), get_bool_property(), make_cell_reference(), MakeBinaryCall(), NIL, points_to_equal_p(), points_to_rank(), points_to_undefined, reference_undefined, reference_variable, set_add_element(), set_generic_make(), set_methods_for_proper_simple_effects(), set_private, type_struct, type_struct_p, type_to_pointed_type(), type_variable, type_variable_p, and variable_basic.
Referenced by formal_points_to_parameter().
We have to undo the impact of side effects performed when the arguments were analyzed for points-to information
Needed for dereferencing17.c, but not for properties03 because in the second case the dereferencing is delayed...
There is an issue with eval_p: since we are looking for sinks, we always have to dereference "a" at least once.
We have to undo the impact of side effects performed when the arguments were analyzed for points-to information
in | n |
eval_p | val_p |
constant_p | onstant_p |
Definition at line 216 of file sinks.c.
References call_arguments, call_function, CAR, CELL, CONS, constant_p(), dereferencing_to_sinks(), ENTITY_ADDRESS_OF_P, ENTITY_DEREFERENCING_P, ENTITY_FREE_SYSTEM_P, ENTITY_MALLOC_SYSTEM_P, ENTITY_POST_DECREMENT_P, ENTITY_POST_INCREMENT_P, ENTITY_PRE_DECREMENT_P, ENTITY_PRE_INCREMENT_P, EXPRESSION, expression_to_points_to_cells(), expression_to_points_to_sinks(), expression_undefined, f(), free_expression(), gen_length(), int_to_expression(), make_anywhere_cell(), make_nowhere_cell(), malloc_to_points_to_sinks(), NIL, offset_points_to_cells(), pips_assert, pips_internal_error, points_to_expression_to_concrete_type(), points_to_expression_to_pointed_type(), and pt_map_undefined_p.
Referenced by intrinsic_call_to_points_to_sinks().
Does cell "c" represent a unique memory location or a set of memory locations?
This is key to decide if a points-to arc is a must or a may arc.
Is it always possible to decide when heap abstract locations are concerned?
See also cell_abstract_location_p()
Definition at line 980 of file constant-path-utils.c.
References anywhere_cell_p(), cell_any_reference(), cell_typed_anywhere_locations_p(), EXPRESSION, FOREACH, heap_cell_p(), reference_indices, and unbounded_expression_p().
Referenced by gen_may_constant_paths(), and gen_must_constant_paths().
list unique_malloc_to_points_to_sinks | ( | expression | e | ) |
FI->AM: is "unique" multiple when ALIASING_ACROSS_TYPE is set to false?
FI->AM: the comments in pipsmake-rc.tex are not sufficient to understand what the choices are.
If ALIASING_ACROSS_TYPES, return an overloaded unique heap entity
We need only one HEAP abstract location: Pointers/assign03
We need one HEAP abstract location per type: Pointers/assign02
Note: we must be careful about dereferencing and fields...
Definition at line 1292 of file sinks.c.
References flow_sensitive_malloc_to_points_to_sinks(), get_bool_property(), and NIL.
Referenced by malloc_to_points_to_sinks().
Can cell c be accessed via another cell?
FI: the CP lattice should be used instead
If "c" is somehow included into "sink", "c" is reachable. For instance, if c[*] is reachable than c[1] is reachable too.
But the opposite may be true: if c[1] is reachable, then c[*] is reachable.
However, if "struct s" is reachable, then so "s[next]" . But if "s[next]" is reachable does not imply that "s" is reachable.
ptg | tg |
Definition at line 3373 of file points_to_set.c.
References points_to_graph_set, points_to_sink, related_points_to_cells_p(), and SET_FOREACH.
Referenced by freed_list_to_points_to(), list_assignment_to_points_to(), and memory_leak_to_more_memory_leaks().
pt_map unstructured_to_points_to | ( | unstructured | u, |
pt_map | pt_in | ||
) |
pt_in | t_in |
Definition at line 958 of file statement.c.
References new_points_to_unstructured().
Referenced by instruction_to_points_to().
void update_points_to_context_with_arc | ( | points_to | pt | ) |
Same as , but be careful about the arc before adding it to the points-to context.
This function is used to update the contexts when dealing with global variables at a call site.
pt | t |
Definition at line 285 of file passes.c.
References consistent_pt_map_p, copy_points_to(), pips_assert, points_to_context, pt_map_undefined_p, update_points_to_graph_with_arc(), and update_statement_points_to_context_with_arc().
Referenced by filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), and new_recursive_filter_formal_context_according_to_actual_context_for_pointer_pair().
Instead of simply adding the new arc, make sure the consistency is not broken.
If "a" is an exact arc starting from source "s_a" and pointing to destination "d_a" and if "pt" contains may arcs or an exact arc s->d, these arcs must be removed. Vice-versa, if "a=(s_a,d_a)" is a may arc and if "pt" contain an exact arc (s,d)...
FI: I am cheating and doing exactly what I need to deal with global variables at call sites...
FI: issue with the commented out free() below: the caller doesn't know that the object may be freed and may reuse it later, for instance to make a copy of it...
Argument a is either included in pt or freed. it cannot be used after the call.
Arc a is already in relation pt
ap_b must be exact
Same source, different destinations
We are in trouble if both arcs carry approximation exact...
Arc b is less precise and mut be removed to avoid a conflict
Two may arcs: they are compatible but this may be invalidated later by another arc in pt, for isntance making a redundant.
The sources are different
pt | t |
Definition at line 183 of file passes.c.
References add_arc_to_pt_map, approximation_exact_p, approximation_may_p, approximation_tag, CONS, FOREACH, NIL, pips_internal_error, POINTS_TO, points_to_approximation, points_to_cell_equal_p(), points_to_graph_set, points_to_sink, points_to_source, remove_arc_from_pt_map, and SET_FOREACH.
Referenced by update_points_to_context_with_arc(), and update_statement_points_to_context_with_arc().
void update_printed_points_to_list | ( | statement | , |
points_to_list | |||
) |
void update_statement_points_to_context_with_arc | ( | points_to | pt | ) |
pt | t |
Definition at line 112 of file statement.c.
References consistent_pt_map_p, pips_assert, stack_head(), statement_points_to_context, and update_points_to_graph_with_arc().
Referenced by update_points_to_context_with_arc().
void upgrade_approximations_in_points_to_set | ( | pt_map | ptm | ) |
When arcs have been removed from a points-to relation, the approximations of remaining arcs may not correspond to the new points-to relation.
A may approximation may have become an exact approximation.
The semantics of the approximation and its many constraints must be taken into account. But they are not (yet) well formaly defined... The conditions here are:
Another question: is it OK to fix a lack of precision later or wouldn't it ne better to maintain the proper approximation on the fly, when more information is available?
Note about the implementation: Because of points-to set implementation, you cannot change approximations by side effects.
&& !stub_points_to_cell_p(source)
ptm | tm |
Definition at line 3085 of file points_to_set.c.
References add_arc_to_pt_map(), approximation_exact_p, cell_abstract_location_p(), copy_cell(), gen_free_list(), gen_length(), generic_atomic_points_to_cell_p(), make_approximation_exact(), make_descriptor_none(), make_points_to(), points_to_approximation, points_to_graph_set, points_to_sink, points_to_source, points_to_source_to_any_sinks(), remove_arc_from_pt_map, and SET_FOREACH.
Referenced by any_loop_to_points_to(), filter_formal_context_according_to_actual_context(), new_filter_formal_context_according_to_actual_context(), and statement_to_points_to().
in | n |
el | l |
true_p | rue_p |
Definition at line 2679 of file expression.c.
References out, and user_call_to_points_to().
Referenced by call_condition_to_points_to().
points_to_graph user_call_to_points_to | ( | call | c, |
points_to_graph | pt_in, | ||
list | el | ||
) |
FI: limited to the interprocedural option.
pcl =
Using memory effects does not simplify the points-to analysis, which is a preliminary analusis wrt memory effects
pt_in | t_in |
el | l |
Definition at line 106 of file interprocedural.c.
References call_function, code_declarations, entity_basic_concrete_type(), entity_initial, f(), fast_interprocedural_points_to_analysis_p(), interprocedural_points_to_analysis_p(), pips_internal_error, points_to_cells_parameters(), points_to_graph_bottom, type_functional_p, user_call_to_points_to_fast_interprocedural(), user_call_to_points_to_interprocedural(), user_call_to_points_to_intraprocedural(), and value_code.
Referenced by call_to_points_to(), and user_call_condition_to_points_to().
Compute the points-to relations in a complete interprocedural way: be as accurate as possible.
Not much to do if both IN and OUT are empty, except if OUT is bottom (see below)
This used to be only useful when a free occurs with the callee, since information about formal parameters used to be normally projected out.
Global variables do not require any translation in C, but it might more convenient to apply translation uniformly, without checking for global variables... Or the other way round?
Filter "pt_in" according to "pt_binded". For instance, a formal parameter can point to NULL in "pt_in" only if it also points to NULL in pt_binded. In the same way, a formal parameter can point to a points-to stub in "pt_in" only if it points to a non-NULL target in pt_binded. Also, a formal parameter cannot points exactly to UNDEFINED in "pt_binded" as it would be useless (not clear if we can remove such an arc when it is a may arc...). Finally, each formal parameter must still point to something. The mapping "binding" is augmented as needed. as well as "pt_caller" because of the on-demand approach. But "pt_binded" is not updated accordingly (?).
set pt_in_filtered =
filter_formal_context_according_to_actual_context(fpcl,
pt_in,
pt_binded,
binding);
We have to test if pt_binded is compatible with pt_in_callee
We have to start by computing all the elements of E (stubs)
See if two formal parameters can reach the same memory cell, i.e. transitive closure of binding map. We should take care of global variables too...
If no pointer is written, aliasing is not an issue
Explicitly written pointers imply some arc removals; pointer assignments directly or indirectly in the callee.
FI: pt_caller_s may have been modified implictly because the formal context has been increased according to the needs of the callee. But pt_caller_s may also have been updated by what has happened prevously when analyzing the current statement. See for instance Pointers/sort01.c.
Compute pt_kill_2
Implicitly written pointers imply some arc removals: free(), tests and exits. These are the elements of pt_kill_1, although the equations do not seem to fit at all since pt_in_filtered is not an argument...
Translation failure, incompatibility between the call site and the callee.
Some check
Use written/wpl to reduce the precision of exact arcs in pt_end. This is equivalent to pt_kill_3 and pt_gen_3.
FI: I do not understand why the precision of the write is not exploited. We may need to use mwpl instead of wpl
Some check
This cannot be performed earlier because the points-to precondition of the caller may have to be enriched according to the formal context of the callee, or the effect computation is going to fail.
pt_caller | t_caller |
Definition at line 1892 of file interprocedural.c.
References add_implicitly_killed_arcs_to_kill_set(), aliased_translation_p(), call_arguments, call_function, certainly_written_pointers_set(), clear_pt_map, code_declarations, compute_points_to_binded_set(), compute_points_to_gen_set(), compute_points_to_kill_set(), consistent_points_to_set(), consistent_pt_map_p, db_get_memory_resource(), ENDP, entity_initial, entity_user_name(), f(), filter_formal_out_context_according_to_formal_in_context(), gen_full_copy_list(), ifdebug, load_body_effects(), lower_points_to_approximations_according_to_write_effects(), module_local_name(), new_filter_formal_context_according_to_actual_context(), new_simple_pt_map, NIL, pips_assert, pips_internal_error, pips_user_warning, points_to_cells_exact_translation(), points_to_cells_parameters(), points_to_cells_translation(), points_to_context_statement_in(), points_to_context_statement_line_number(), points_to_graph_bottom, points_to_graph_set, points_to_list_bottom, points_to_list_list, points_to_set_to_module_stub_cell_list(), points_to_translation_of_formal_parameters(), print_points_to_set(), set_assign_list(), set_difference(), set_undefined_p, set_union(), user_call_to_points_to_intraprocedural(), value_code, and written_pointers_set().
Referenced by user_call_to_points_to().
Compute the binding relations in a complete interprocedural way: be as accurate as possible.
This piece of code has been copied from user_call_to_points_to_interprocedural(), which should be modularized...
Not much to do if both IN and OUT are empty, except if OUT is bottom (see below)
For the side effect on binding
set pt_in_filtered =
filter_formal_context_according_to_actual_context(fpcl,
pt_in,
pt_binded,
binding);
pt_caller | t_caller |
Definition at line 1835 of file interprocedural.c.
References call_arguments, call_function, code_declarations, compute_points_to_binded_set(), consistent_pt_map_p, db_get_memory_resource(), ENDP, entity_initial, entity_user_name(), f(), gen_full_copy_list(), get_current_module_entity(), ifdebug, module_local_name(), new_filter_formal_context_according_to_actual_context(), new_simple_pt_map, NIL, pips_assert, pips_internal_error, points_to_cells_parameters(), points_to_graph_bottom, points_to_graph_set, points_to_list_list, points_to_translation_of_formal_parameters(), print_points_to_set(), semantics_user_warning, set_assign_list(), set_free(), set_undefined_p, and value_code.
Referenced by new_substitute_stubs_in_transformer(), and substitute_stubs_in_transformer().
variable.c
variable.c
We distinguish between scalar pointers, array of pointers and struct containing pointers and struct. Return a list of cells each containing a reference to aa pointer. These cells are used later as sources to build a points-to data structure pointing to nowhere/undefined.
M: missing recursive descent on variable_dimensions. int a[*(q=p)]
variable v = type_variable(t);
int d = (int) gen_length(variable_dimensions(v));
list sl = NIL;
int i;
for(i=0;i<d;i++) {
expression ind = make_unbounded_expression();
sl = CONS(EXPRESSION, ind, sl);
}
reference r = make_reference(e, sl);
Definition at line 66 of file variable.c.
References array_of_pointers_type_p(), array_of_struct_type_p(), basic_derived, CELL, CONS, entity_array_p(), entity_basic_concrete_type(), entity_variable_p, make_cell_reference(), make_reference(), NIL, pointer_type_p(), points_to_cell_add_unbounded_subscripts(), struct_type_p(), struct_variable_to_pointer_locations(), type_variable, and variable_basic.
Referenced by declaration_statement_to_points_to(), malloc_to_points_to_sinks(), and struct_initialization_to_points_to().
Return all cells in points-to set "pts" who source is based on entity "e".
Similar to points_to_source_to_sinks, but much easier and shorter.
ptm | tm |
fresh_p | resh_p |
Definition at line 2485 of file points_to_set.c.
References CELL, cell_any_reference(), CONS, copy_cell(), NIL, points_to_graph_set, points_to_sink, points_to_source, reference_variable, and SET_FOREACH.
Referenced by freed_list_to_points_to().
Execute the first iteration
wl | l |
pt_in | t_in |
Definition at line 604 of file statement.c.
References any_loop_to_points_to(), consistent_points_to_graph_p(), evaluation_before_p, expression_to_points_to(), expression_undefined, pips_assert, statement_to_points_to(), whileloop_body, whileloop_condition, and whileloop_evaluation.
Referenced by instruction_to_points_to().
pt | t |
Definition at line 210 of file points_to_prettyprint.c.
References approximation_exact_p, approximation_may_p, cell_gap_p, cell_preference_p, cell_reference, CHAIN_SWORD, CONS, effect_words_reference(), gen_nconc(), NIL, nowhere_cell_p(), pips_assert, points_to_approximation, points_to_sink, points_to_source, and STRING.
Filter out written effects on pointers.
eff | ff |
Definition at line 2609 of file interprocedural.c.
References generic_written_pointers_set().
Referenced by user_call_to_points_to_fast_interprocedural(), and user_call_to_points_to_interprocedural().