// Copyright 2013 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

/*

Package pointer implements Andersen's analysis, an inclusion-based
pointer analysis algorithm first described in (Andersen, 1994).

A pointer analysis relates every pointer expression in a whole program
to the set of memory locations to which it might point. This
information can be used to construct a call graph of the program that
precisely represents the destinations of dynamic function and method
calls. It can also be used to determine, for example, which pairs of
channel operations operate on the same channel.

The package allows the client to request a set of expressions of
interest for which the points-to information will be returned once the
analysis is complete. In addition, the client may request that a
callgraph be constructed. The example program in example_test.go
demonstrates both of these features. Clients should not request more
information than they need since it may increase the cost of the
analysis significantly.


CLASSIFICATION

Our algorithm is INCLUSION-BASED: the points-to sets for x and y will
be related by pts(y) ⊇ pts(x) if the program contains the statement
y = x.

It is FLOW-INSENSITIVE: it ignores all control flow constructs and the
order of statements in a program. It is therefore a "MAY ALIAS"
analysis: its facts are of the form "P may/may not point to L",
not "P must point to L".

It is FIELD-SENSITIVE: it builds separate points-to sets for distinct
fields, such as x and y in struct { x, y *int }.

It is mostly CONTEXT-INSENSITIVE: most functions are analyzed once,
so values can flow in at one call to the function and return out at
another. Only some smaller functions are analyzed with consideration
of their calling context.

It has a CONTEXT-SENSITIVE HEAP: objects are named by both allocation
site and context, so the objects returned by two distinct calls to f:

	func f() *T { return new(T) }

are distinguished up to the limits of the calling context.

It is a WHOLE PROGRAM analysis: it requires SSA-form IR for the
complete Go program and summaries for native code.

See the (Hind, PASTE'01) survey paper for an explanation of these terms.


SOUNDNESS

The analysis is fully sound when invoked on pure Go programs that do not
use reflection or unsafe.Pointer conversions. In other words, if there
is any possible execution of the program in which pointer P may point to
object O, the analysis will report that fact.


REFLECTION

By default, the "reflect" library is ignored by the analysis, as if all
its functions were no-ops, but if the client enables the Reflection flag,
the analysis will make a reasonable attempt to model the effects of
calls into this library. However, this comes at a significant
performance cost, and not all features of that library are yet
implemented. In addition, some simplifying approximations must be made
to ensure that the analysis terminates; for example, reflection can be
used to construct an infinite set of types and values of those types,
but the analysis arbitrarily bounds the depth of such types.

Most but not all reflection operations are supported.
In particular, addressable reflect.Values are not yet implemented, so
operations such as (reflect.Value).Set have no analytic effect.


UNSAFE POINTER CONVERSIONS

The pointer analysis makes no attempt to understand aliasing between the
operand x and result y of an unsafe.Pointer conversion:

	y = (*T)(unsafe.Pointer(x))

It is as if the conversion allocated an entirely new object:

	y = new(T)


NATIVE CODE

The analysis cannot model the aliasing effects of functions written in
languages other than Go, such as runtime intrinsics in C or assembly, or
code accessed via cgo. The result is as if such functions are no-ops.
However, various important intrinsics are understood by the analysis,
along with built-ins such as append.

The analysis currently provides no way for users to specify the aliasing
effects of native code.

------------------------------------------------------------------------

IMPLEMENTATION

The remaining documentation is intended for package maintainers and
pointer analysis specialists. Maintainers should have a solid
understanding of the referenced papers (especially those by H&L and PKH)
before making significant changes.

The implementation is similar to that described in (Pearce et al,
PASTE'04). Unlike many algorithms which interleave constraint
generation and solving, constructing the callgraph as they go, this
implementation for the most part observes a phase ordering (generation
before solving), with only simple (copy) constraints being generated
during solving. (The exception is reflection, which creates various
constraints during solving as new types flow to reflect.Value
operations.) This improves the traction of presolver optimisations,
but imposes certain restrictions, e.g. potential context sensitivity
is limited since all variants must be created a priori.


TERMINOLOGY

A type is said to be "pointer-like" if it is a reference to an object.
Pointer-like types include pointers and also interfaces, maps, channels,
functions and slices.

We occasionally use C's x->f notation to distinguish the case where x
is a struct pointer from x.f where x is a struct value.

Pointer analysis literature (and our comments) often uses the notation
dst=*src+offset to mean something different than what it means in Go.
It means: for each node index p in pts(src), the contents of the node
p+offset flow to dst, i.e. pts(dst) ⊇ pts(p+offset). Similarly
*dst+offset=src is used for store constraints (for each p in pts(dst),
pts(p+offset) ⊇ pts(src)) and dst=src+offset for offset-address
constraints (the node src+offset itself is in pts(dst)).


NODES

Nodes are the key datastructure of the analysis, and have a dual role:
they represent both constraint variables (equivalence classes of
pointers) and members of points-to sets (things that can be pointed
at, i.e. "labels").

Nodes are naturally numbered. The numbering enables compact
representations of sets of nodes such as bitvectors (or BDDs); and the
ordering enables a very cheap way to group related nodes together. For
example, passing n parameters consists of generating n parallel
constraints from caller+i to callee+i for 0<=i<n.

The zero nodeid means "not a pointer". For simplicity, we generate flow
constraints even for non-pointer types such as int. The pointer
equivalence (PE) presolver optimization detects which variables cannot
point to anything; this includes not only all variables of non-pointer
types (such as int) but also variables of pointer-like types if they are
always nil, or are parameters to a function that is never called.

Each node represents a scalar part of a value or object.
Aggregate types (structs, tuples, arrays) are recursively flattened
out into a sequential list of scalar component types, and all the
elements of an array are represented by a single node. (The
flattening of a basic type is a list containing a single node.)

Nodes are connected into a graph with various kinds of labelled edges:
simple edges (or copy constraints) represent value flow. Complex
edges (load, store, etc) trigger the creation of new simple edges
during the solving phase.


OBJECTS

Conceptually, an "object" is a contiguous sequence of nodes denoting
an addressable location: something that a pointer can point to. The
first node of an object has a non-nil obj field containing information
about the allocation: its size, context, and ssa.Value.

Objects include:
- functions and globals;
- variable allocations in the stack frame or heap;
- maps, channels and slices created by calls to make();
- allocations to construct an interface;
- allocations caused by conversions, e.g. []byte(str);
- arrays allocated by calls to append().

Many objects have no Go types. For example, the func, map and chan type
kinds in Go are all varieties of pointers, but their respective objects
are actual functions (executable code), maps (hash tables), and channels
(synchronized queues). Given the way we model interfaces, they too are
pointers to "tagged" objects with no Go type. And an *ssa.Global denotes
the address of a global variable, but the object for a Global is the
actual data. So, the type of an ssa.Value that creates an object is
"off by one indirection": a pointer to the object.

The individual nodes of an object are sometimes referred to as "labels".

For uniformity, all objects have a non-zero number of fields, even those
of the empty type struct{}. (All arrays are treated as if of length 1,
so there are no empty arrays. The empty tuple is never address-taken,
so is never an object.)


TAGGED OBJECTS

A tagged object has the following layout:

	T          -- obj.flags ⊇ {otTagged}
	v
	...

The T node's typ field is the dynamic type of the "payload": the value
v which follows, flattened out. The T node's obj has the otTagged
flag.

Tagged objects are needed when generalizing across types: interfaces,
reflect.Values, reflect.Types. Each of these three types is modelled
as a pointer that exclusively points to tagged objects.

Tagged objects may be indirect (obj.flags ⊇ {otIndirect}) meaning that
the value v is not of type T but *T; this is used only for
reflect.Values that represent lvalues. (These are not implemented yet.)


ANALYSIS ABSTRACTION OF EACH TYPE

Variables of the following "scalar" types may be represented by a
single node: basic types, pointers, channels, maps, slices, 'func'
pointers, interfaces.

Pointers
Nothing to say here, oddly.

Basic types (bool, string, numbers, unsafe.Pointer)
Currently all fields in the flattening of a type, including
non-pointer basic types such as int, are represented in objects and
values. Though non-pointer nodes within values are uninteresting,
non-pointer nodes in objects may be useful (if address-taken)
because they permit the analysis to deduce, in this example,

	var s struct{ ...; x int; ... }
	p := &s.x

that p points to s.x. If we ignored such object fields, we could only
say that p points somewhere within s.

All other basic types are ignored. Expressions of these types have
zero nodeid, and fields of these types within other aggregate types
are omitted.

unsafe.Pointers are not modelled as pointers, so a conversion of an
unsafe.Pointer to *T is (unsoundly) treated as equivalent to new(T).

Channels
An expression of type 'chan T' is a kind of pointer that points
exclusively to channel objects, i.e. objects created by MakeChan (or
reflection).

'chan T' is treated like *T.
*ssa.MakeChan is treated as equivalent to new(T).
*ssa.Send and receive (*ssa.UnOp(ARROW)) are equivalent to store
and load.

Maps
An expression of type 'map[K]V' is a kind of pointer that points
exclusively to map objects, i.e. objects created by MakeMap (or
reflection).

map[K]V is treated like *M where M = struct{k K; v V}.
*ssa.MakeMap is equivalent to new(M).
*ssa.MapUpdate is equivalent to *y=x where *y and x have type M.
*ssa.Lookup is equivalent to y=x->v where x has type *M.

Slices
A slice []T, which dynamically resembles a struct{array *T, len, cap int},
is treated as if it were just a *T pointer; the len and cap fields are
ignored.

*ssa.MakeSlice is treated like new([1]T): an allocation of a
singleton array.
*ssa.Index on a slice is equivalent to a load.
*ssa.IndexAddr on a slice returns the address of the sole element of the
slice, i.e. the same address.
*ssa.Slice is treated as a simple copy.

Functions
An expression of type 'func...' is a kind of pointer that points
exclusively to function objects.

A function object has the following layout:

	identity         -- typ:*types.Signature; obj.flags ⊇ {otFunction}
	params_0         -- (the receiver, if a method)
	...
	params_n-1
	results_0
	...
	results_m-1

There may be multiple function objects for the same *ssa.Function
due to context-sensitive treatment of some functions.

The first node is the function's identity node.
Associated with every callsite is a special "targets" variable,
whose pts() contains the identity node of each function to which
the call may dispatch. Identity nodes are not otherwise used during
the analysis, but we construct the call graph from the pts()
solution for such nodes.

The following block of contiguous nodes represents the flattened-out
types of the parameters ("P-block") and results ("R-block") of the
function object.

The treatment of free variables of closures (*ssa.FreeVar) is like
that of global variables; it is not context-sensitive.
*ssa.MakeClosure instructions create copy edges to the closure's free
variables.

A Go value of type 'func' (i.e. a pointer to one or more functions)
is a pointer whose pts() contains function objects. The valueNode()
for an *ssa.Function returns a singleton for that function.

Interfaces
An expression of type 'interface{...}' is a kind of pointer that
points exclusively to tagged objects. All tagged objects pointed to
by an interface are direct (the otIndirect flag is clear) and
concrete (the tag type T is not itself an interface type). The
associated ssa.Value for an interface's tagged objects may be an
*ssa.MakeInterface instruction, or nil if the tagged object was
created by an intrinsic (e.g. reflection).

Constructing an interface value causes generation of constraints for
all of the concrete type's methods; we can't tell a priori which
ones may be called.

TypeAssert y = x.(T) is implemented by a dynamic constraint
triggered by each tagged object O added to pts(x): a typeFilter
constraint if T is an interface type, or an untag constraint if T is
a concrete type. A typeFilter tests whether O.typ implements T; if
so, O is added to pts(y). An untag constraint tests whether O.typ is
assignable to T, and if so, a copy edge O.v -> y is added.
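
The two rules above, carried out with go/types as an added example (this
is illustration code, not code from the pointer package). The program it
checks is constructed for the example: a package p with an interface I,
a type T whose method M has a pointer receiver, and a type U with a
value-receiver M. The tag types {T, *T, U} assumed to have flowed to
pts(x), and the names loadPkg, typeAssert and run, are likewise the
example's own. The point it shows that the prose does not: a T-tagged
object is filtered out of x.(I) because only *T has M in its method
set, while x.(T) keeps only the object whose tag is exactly T, and
x.(*T) only the *T-tagged one.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"go/types"
)

// src is a constructed program used only by this example. It has no
// imports, so go/types can check it with a zero Config (no Importer).
const src = `package p
type I interface{ M() }
type T struct{}
func (*T) M() {}
type U struct{}
func (U) M() {}
`

func loadPkg() (*types.Package, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "p.go", src, 0)
	if err != nil {
		return nil, err
	}
	return (&types.Config{}).Check("p", fset, []*ast.File{f}, nil)
}

// typeAssert mimics the dynamic rule for y = x.(T). tags are the dynamic
// type tags of the tagged objects in pts(x); the result holds the tags
// whose objects (typeFilter) or payloads (untag) reach pts(y).
func typeAssert(tags []types.Type, T types.Type) []types.Type {
	var pass []types.Type
	if iface, ok := T.Underlying().(*types.Interface); ok {
		// typeFilter: O stays a tagged object in pts(y) iff O.typ implements T.
		for _, tag := range tags {
			if types.Implements(tag, iface) {
				pass = append(pass, tag)
			}
		}
		return pass
	}
	// untag: the payload O.v flows to y iff O.typ is assignable to the
	// concrete type T (for two named types this means identical types).
	for _, tag := range tags {
		if types.AssignableTo(tag, T) {
			pass = append(pass, tag)
		}
	}
	return pass
}

func names(ts []types.Type) []string {
	var out []string
	for _, t := range ts {
		out = append(out, t.String())
	}
	return out
}

// run evaluates x.(I), x.(T) and x.(*T) against pts(x) = {T, *T, U}.
func run() (map[string][]string, error) {
	pkg, err := loadPkg()
	if err != nil {
		return nil, err
	}
	I := pkg.Scope().Lookup("I").Type()
	T := pkg.Scope().Lookup("T").Type()
	U := pkg.Scope().Lookup("U").Type()
	tags := []types.Type{T, types.NewPointer(T), U}
	return map[string][]string{
		"x.(I)":  names(typeAssert(tags, I)),
		"x.(T)":  names(typeAssert(tags, T)),
		"x.(*T)": names(typeAssert(tags, types.NewPointer(T))),
	}, nil
}

func main() {
	res, err := run()
	if err != nil {
		panic(err)
	}
	for _, k := range []string{"x.(I)", "x.(T)", "x.(*T)"} {
		fmt.Printf("%-6s -> %v\n", k, res[k])
	}
}
```

The example keeps only the tag of each tagged object; the payload v and
the copy edge O.v -> y that untag adds are left out, since only the
type-level test differs between the two rules.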

ChangeInterface is a simple copy because the representation of
tagged objects is independent of the interface type (in contrast
to the "method tables" approach used by the gc runtime).

y := Invoke x.m(...) is implemented by allocating contiguous P/R
blocks for the callsite and adding a dynamic rule triggered by each
tagged object added to pts(x). The rule adds param/results copy
edges to/from each discovered concrete method.

(Q. Why do we model an interface as a pointer to a pair of type and
value, rather than as a pair of a pointer to type and a pointer to
value?
A. Control-flow joins would merge interfaces ({T1}, {V1}) and ({T2},
{V2}) to make ({T1,T2}, {V1,V2}), leading to the infeasible and
type-unsafe combination (T1,V2). Treating the value and its concrete
type as inseparable makes the analysis type-safe.)

reflect.Value
A reflect.Value is modelled very similarly to an interface{}, i.e. as
a pointer exclusively to tagged objects, but with two generalizations.

1) a reflect.Value that represents an lvalue points to an indirect
(obj.flags ⊇ {otIndirect}) tagged object, which has a similar
layout to a tagged object except that the payload is a pointer to a
value of the dynamic type rather than the value itself. Indirect
tagged objects preserve the correct aliasing so that mutations made
by (reflect.Value).Set can be observed.

Indirect objects only arise when an lvalue is derived from an
rvalue by indirection, e.g. the following code:

	type S struct { X T }
	var s S
	var i interface{} = &s       // i points to a *S-tagged object (from MakeInterface)
	v1 := reflect.ValueOf(i)     // v1 points to same *S-tagged object as i
	v2 := v1.Elem()              // v2 points to an indirect S-tagged object, pointing to s
	v3 := v2.FieldByName("X")    // v3 points to an indirect T-tagged object, pointing to s.X
	v3.Set(y)                    // pts(s.X) ⊇ pts(y)

Whether indirect or not, the concrete type of the tagged object
corresponds to the user-visible dynamic type, and the existence
of a pointer is an implementation detail.

(NB: indirect tagged objects are not yet implemented)

2) The dynamic type tag of a tagged object pointed to by a
reflect.Value may be an interface type; it need not be concrete.

This arises in code such as this:

	tEface := reflect.TypeOf(new(interface{})).Elem() // interface{}
	eface := reflect.Zero(tEface)

pts(eface) is a singleton containing an interface{}-tagged
object. That tagged object's payload is an interface{} value,
i.e. the pts of the payload contains only concrete-tagged
objects, although in this example it's the zero interface{} value,
so its pts is empty.

reflect.Type
Just as in the real "reflect" library, we represent a reflect.Type
as an interface whose sole implementation is the concrete type,
*reflect.rtype. (This choice is forced on us by go/types: clients
cannot fabricate types with arbitrary method sets.)

rtype instances are canonical: there is at most one per dynamic
type. (rtypes are in fact large structs but since identity is all
that matters, we represent them by a single node.)

The payload of each *rtype-tagged object is an *rtype pointer that
points to exactly one such canonical rtype object. We exploit this
by setting the node.typ of the payload to the dynamic type, not
'*rtype'. This saves us an indirection in each resolution rule. As
an optimisation, *rtype-tagged objects are canonicalized too.


Aggregate types:

Aggregate types are treated as if all directly contained
aggregates are recursively flattened out.

Structs
*ssa.Field y = x.f creates a simple edge to y from x's node at f's offset.

*ssa.FieldAddr y = &x->f requires a dynamic closure rule to create
simple edges for each struct discovered in pts(x).

The nodes of a struct consist of a special 'identity' node (whose
type is that of the struct itself), followed by the nodes for all
the struct's fields, recursively flattened out. A pointer to the
struct is a pointer to its identity node. That node allows us to
distinguish a pointer to a struct from a pointer to its first field.

Field offsets are logical field offsets (plus one for the identity
node), so the sizes of the fields can be ignored by the analysis.

(The identity node is non-traditional but enables the distinction
described above, which is valuable for code comprehension tools.
Typical pointer analyses for C, whose purpose is compiler
optimization, must soundly model unsafe.Pointer (void*) conversions,
and this requires fidelity to the actual memory layout using physical
field offsets.)

Arrays
We model an array by an identity node (whose type is that of the
array itself) followed by a node representing all the elements of
the array; the analysis does not distinguish elements with different
indices. Effectively, an array is treated like struct{elem T}, a
load y=x[i] like y=x.elem, and a store x[i]=y like x.elem=y; the
index i is ignored.

A pointer to an array is a pointer to its identity node. (A slice is
also a pointer to an array's identity node.) The identity node
allows us to distinguish a pointer to an array from a pointer to one
of its elements, but it is rather costly because it introduces more
offset constraints into the system. Furthermore, sound treatment of
unsafe.Pointer would require us to dispense with this node.

Arrays may be allocated by Alloc, by make([]T), by calls to append,
and via reflection.

Tuples (T, ...)
Tuples are treated like structs with naturally numbered fields.
*ssa.Extract is analogous to *ssa.Field.

However, tuples have no identity field since by construction, they
cannot be address-taken.


FUNCTION CALLS

There are three kinds of function call:
(1) static "call"-mode calls of functions.
(2) dynamic "call"-mode calls of functions.
(3) dynamic "invoke"-mode calls of interface methods.
Cases 1 and 2 apply equally to methods and standalone functions.

Static calls.
A static call consists of three steps:
- finding the function object of the callee;
- creating copy edges from the actual parameter value nodes to the
  P-block in the function object (this includes the receiver if
  the callee is a method);
- creating copy edges from the R-block in the function object to
  the value nodes for the result of the call.

A static function call is little more than two struct value copies
between the P/R blocks of caller and callee:

	callee.P = caller.P
	caller.R = callee.R

Context sensitivity

Static calls (alone) may be treated context sensitively,
i.e. each callsite may cause a distinct re-analysis of the
callee, improving precision. Our current context-sensitivity
policy treats all intrinsics and getter/setter methods in this
manner since such functions are small and seem like an obvious
source of spurious confluences, though this has not yet been
evaluated.

Dynamic function calls

Dynamic calls work in a similar manner except that the creation of
copy edges occurs dynamically, in a similar fashion to a pair of
struct copies in which the callee is indirect:

	callee->P = caller.P
	caller.R = callee->R

(Recall that the function object's P- and R-blocks are contiguous.)

Interface method invocation

For invoke-mode calls, we create a params/results block for the
callsite and attach a dynamic closure rule to the interface. For
each new tagged object that flows to the interface, we look up
the concrete method, find its function object, and connect its P/R
blocks to the callsite's P/R blocks, adding copy edges to the graph
during solving.

Recording call targets

The analysis notifies its clients of each callsite it encounters,
passing a CallSite interface. Among other things, the CallSite
contains a synthetic constraint variable ("targets") whose
points-to solution includes the set of all function objects to
which the call may dispatch.

It is via this mechanism that the callgraph is made available.
Clients may also elect to be notified of callgraph edges directly;
internally this just iterates all "targets" variables' pts(·)s.


PRESOLVER

We implement Hash-Value Numbering (HVN), a pre-solver constraint
optimization described in Hardekopf & Lin, SAS'07. This is documented
in more detail in hvn.go. We intend to add its cousins HR and HU in
future.


SOLVER

The solver is currently a naive Andersen-style implementation; it does
not perform online cycle detection, though we plan to add solver
optimisations such as Hybrid- and Lazy- Cycle Detection from (Hardekopf
& Lin, PLDI'07).

It uses difference propagation (Pearce et al, SQC'04) to avoid
redundant re-triggering of closure rules for values already seen.

Points-to sets are represented using sparse bit vectors (similar to
those used in LLVM and gcc), which are more space- and time-efficient
than sets based on Go's built-in map type or dense bit vectors.

Nodes are permuted prior to solving so that object nodes (which may
appear in points-to sets) are lower numbered than non-object (var)
nodes. This improves the density of the set over which the PTSs
range, and thus the efficiency of the representation.

Partly thanks to avoiding map iteration, the execution of the solver is
100% deterministic, a great help during debugging.
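
The machinery described in the sections above, reduced to a toy that can
be run and stepped through. This is an added illustration, not code from
the pointer package (whose solver uses sparse bit vectors, node
permutation and the HVN presolver, none of which appear here). It assumes
a small constructed program and a hand-assigned node numbering that
follow the conventions of the NODES, Structs and Functions sections:
objects are numbered before variables; t's struct is an identity node
followed by its fields x and y, so that a pointer to t is distinct from a
pointer to t.x; and each function object is an identity node followed by
its contiguous P-block and R-block, so that the dynamic call r := f(p)
becomes the store callee->P = caller.P and the load caller.R = callee->R
at fixed offsets from whatever f points to, and pts(f) doubles as the
callsite's "targets" set. The four constraint forms are those of the
TERMINOLOGY section; solving is the worklist with difference propagation
of the SOLVER section, where each node remembers the labels that arrived
since it was last processed and only those fire its load/store rules and
flow along its copy edges. The names (solver, addr, load, store, the
obj*/var* node constants) are the example's own.

```go
package main

import (
	"fmt"
	"sort"
)

// nodeid indexes nodes; as in the package, 0 means "not a pointer".
type nodeid int

// solver is a toy inclusion-based solver for the four constraint forms of the
// TERMINOLOGY section: dst=src+off, dst=src, dst=*src+off and *dst+off=src.
type solver struct {
	pts   []map[nodeid]bool  // points-to set of each node
	delta [][]nodeid         // labels added to pts(n) but not yet propagated
	edges [][]nodeid         // simple edges src -> dst (copy constraints)
	rules [][]func(p nodeid) // load/store rules on n, fired once per new label p in pts(n)
	work  []nodeid
}

func newSolver(n int) *solver {
	s := &solver{pts: make([]map[nodeid]bool, n), delta: make([][]nodeid, n),
		edges: make([][]nodeid, n), rules: make([][]func(nodeid), n)}
	for i := range s.pts {
		s.pts[i] = map[nodeid]bool{}
	}
	return s
}

// addLabel puts label l into pts(n); if the set grew, n is queued.
func (s *solver) addLabel(n, l nodeid) {
	if !s.pts[n][l] {
		s.pts[n][l] = true
		s.delta[n] = append(s.delta[n], l)
		s.work = append(s.work, n)
	}
}

// copy (dst = src) adds the simple edge src -> dst and propagates pts(src) now.
func (s *solver) copy(dst, src nodeid) {
	s.edges[src] = append(s.edges[src], dst)
	for l := range s.pts[src] {
		s.addLabel(dst, l)
	}
}

// addr (dst = src+off) makes dst point to the node off places after src.
func (s *solver) addr(dst, src nodeid, off int) { s.addLabel(dst, src+nodeid(off)) }

// load (dst = *src+off) and store (*dst+off = src) are complex constraints:
// each label p reaching the indirected node turns into one simple edge.
func (s *solver) load(dst, src nodeid, off int) {
	s.rules[src] = append(s.rules[src], func(p nodeid) { s.copy(dst, p+nodeid(off)) })
}
func (s *solver) store(dst, src nodeid, off int) {
	s.rules[dst] = append(s.rules[dst], func(p nodeid) { s.copy(p+nodeid(off), src) })
}

// solve runs the worklist to a fixed point with difference propagation: only the
// labels that arrived since n was last processed fire n's rules and flow along its edges.
func (s *solver) solve() {
	for len(s.work) > 0 {
		n := s.work[len(s.work)-1]
		s.work = s.work[:len(s.work)-1]
		delta := s.delta[n]
		s.delta[n] = nil
		for _, rule := range s.rules[n] {
			for _, p := range delta {
				rule(p)
			}
		}
		for _, d := range s.edges[n] {
			for _, l := range delta {
				s.addLabel(d, l)
			}
		}
	}
}

// Node numbering for the constructed program: objects first (ints a and b; t's
// struct as identity node then fields x, y; functions g and h as identity node
// then P-block then R-block), variables after.
const (
	objA, objB nodeid = 1, 2
	objT, fldX, fldY nodeid = 3, 4, 5
	objG, gP, gR, objH, hP, hR nodeid = 6, 7, 8, 9, 10, 11
	varT, varP, varQ, varF, varR, varPA, varPB nodeid = 12, 13, 14, 15, 16, 17, 18
)

// analyze generates and solves the constraints of this constructed program, in
// which g(z *int) *int { return z } and h(*int) *int { return &b }:
//
//	t := &T{}; t.x = &a; t.y = &b; p := t.x; q := t.y; t.x = &b; f := g; f = h; r := f(p)
func analyze() *solver {
	s := newSolver(int(varPB) + 1)
	s.addr(varPA, objA, 0)  // &a
	s.addr(varPB, objB, 0)  // &b
	s.addr(varT, objT, 0)   // t := &T{}: t points to the struct's identity node
	s.store(varT, varPA, 1) // t.x = &a
	s.store(varT, varPB, 2) // t.y = &b
	s.load(varP, varT, 1)   // p := t.x
	s.load(varQ, varT, 2)   // q := t.y
	s.store(varT, varPB, 1) // t.x = &b: textually later, but statement order is ignored
	s.addr(varF, objG, 0)   // f := g
	s.addr(varF, objH, 0)   // f = h
	s.copy(gR, gP)          // body of g: return z
	s.addr(hR, objB, 0)     // body of h: return &b
	s.store(varF, varP, 1)  // r := f(p): callee->P = caller.P ...
	s.load(varR, varF, 2)   // ... and caller.R = callee->R
	s.solve()
	return s
}

// set returns pts(n) as sorted node numbers.
func (s *solver) set(n nodeid) []int {
	var out []int
	for l := range s.pts[n] {
		out = append(out, int(l))
	}
	sort.Ints(out)
	return out
}

func main() {
	s := analyze()
	fmt.Println("pts(p) =", s.set(varP), "pts(q) =", s.set(varQ), "pts(r) =", s.set(varR), "targets(f) =", s.set(varF))
}
```

The solution it reaches is pts(q) = {b} but pts(p) = {a, b}: the two
fields have separate nodes (field-sensitive), while the later t.x = &b is
not ordered after p := t.x (flow-insensitive). pts(t) is the identity
node of the struct, not its first field. pts(f) = {g, h} is the set a
client would read the call graph edge from, and because the call is
context-insensitive everything p points to flows into g's P-block and,
through g's return, into r, alongside the &b that h returns.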


FURTHER READING

Andersen, L. O. 1994. Program analysis and specialization for the C
programming language. Ph.D. dissertation. DIKU, University of
Copenhagen.

David J. Pearce, Paul H. J. Kelly, and Chris Hankin. 2004. Efficient
field-sensitive pointer analysis for C. In Proceedings of the 5th ACM
SIGPLAN-SIGSOFT workshop on Program analysis for software tools and
engineering (PASTE '04). ACM, New York, NY, USA, 37-42.
http://doi.acm.org/10.1145/996821.996835

David J. Pearce, Paul H. J. Kelly, and Chris Hankin. 2004. Online
Cycle Detection and Difference Propagation: Applications to Pointer
Analysis. Software Quality Control 12, 4 (December 2004), 311-337.
http://dx.doi.org/10.1023/B:SQJO.0000039791.93071.a2

David Grove and Craig Chambers. 2001. A framework for call graph
construction algorithms. ACM Trans. Program. Lang. Syst. 23, 6
(November 2001), 685-746.
http://doi.acm.org/10.1145/506315.506316

Ben Hardekopf and Calvin Lin. 2007. The ant and the grasshopper: fast
and accurate pointer analysis for millions of lines of code. In
Proceedings of the 2007 ACM SIGPLAN conference on Programming language
design and implementation (PLDI '07). ACM, New York, NY, USA, 290-299.
http://doi.acm.org/10.1145/1250734.1250767

Ben Hardekopf and Calvin Lin. 2007. Exploiting pointer and location
equivalence to optimize pointer analysis. In Proceedings of the 14th
international conference on Static Analysis (SAS'07), Hanne Riis
Nielson and Gilberto Filé (Eds.). Springer-Verlag, Berlin, Heidelberg,
265-280.

Atanas Rountev and Satish Chandra. 2000. Off-line variable substitution
for scaling points-to analysis. In Proceedings of the ACM SIGPLAN 2000
conference on Programming language design and implementation (PLDI '00).
ACM, New York, NY, USA, 47-56.
http://doi.acm.org/10.1145/349299.349310

*/
package pointer // import "golang.org/x/tools/go/pointer"