[analyzer] Comparing svalues

[Pierrick Philippe <pierrick.philippe@irisa.fr>]

[-- Attachment #1: Type: text/plain, Size: 3209 bytes --]

Hi David, hi all,

I'm working on a plugin for the analyzer, and basically I've reached a 
point where I need to compare svalues.
For the need of my analysis, I've modified the analyzer to be able to 
track for region in some specific cases, so I modified the 
implementation of the /sm_state_map/.
If anyone want to see my modifications, I would be glad to send it to 
you (not yet on a public repository).

I'm trying to handle all the different (only defined behavior) 
semantically correct ways to manipulate arrays.
To illustrate my words, here is an example:

    int t[4] = 0;
    t[2] = some_var; // valid and represented in GIMPLE by a single
    gassign stmt with LHS being an ARRAY_REF
    *(t+2) = some_var; // valid and represented in GIMPLE by two
    distincts gassign stmt with LHS_1 being a SSA_NAME and LHS_2 being a
    MEM_REF
    int *y = t + 1;
    *(y+1) = some_var; // valid and represented in GIMPLE by two
    distincts gassign stmt with LHS_1 being a SSA_NAME and LHS_2 being a
    MEM_REF

In this example, the same memory is modified and correspond to 't[2]'.
What I'm trying to do is to determine have a correlation between the 
region 't[2]' and the svalue '&t + 2 * sizeof(element)'.

I've manage to pass from the tree '&t + 2 * sizeof(element)' to the 
corresponding region 't[2]' using the 
/ana::region_model_manager::get_element_region/ API.
So that if I have the region corresponding to 't[2]' in the 
/sm_state_map/, it is correctly found within the inner /hash_map//<const 
region *, reg_entry_t>/.

It gets weird when working from going to the tree 't[2]' to the 
corresponding svalue '&t + 2 * sizeof(element)'.
Basically for now, I used several approaches:

    - I tried building the correspond tree using /buildN/ GIMPLE API and
    then the /ana::region_model::get_rvalue/ API, I did had a result
    being dumped as exactly what I needed, but the lookup (through
    /ana::sm_context::get_state/) within the inner /hash_map <const
    svalue *, entry_t>/ of /sm_state_map/ was failing even though the
    same svalue was present in the /hash_map.
    /I tried to understand what was happening, and basically, it seems
    that the two svalues does not have the same address, though the same
    hash, leading to the lookup failure.

    - Right now, I am doing exactly the same to obtain the corresponding
    svalue, but instead of using /ana::sm_context::get_state/, I am
    iterating over all the live_values obtained through
    /ana::region_model::get_reachable_svalues/ until I find the same
    svalue in terms of semantics. Though, this is failing because there
    is currently no way to compare svalue's semantic.

So, basically I'm kind of stuck here and I have no idea how to properly 
go from a tree representation to its svalue/region one.
To explicit as much as possible I'm trying to do this:

    - Pass from 'tree t[2]' to 'svalue &t + 2 * sizeof(element)'; ->
    that part does not work

    - Pass from 'tree t + 2' to 'region t[2]'; -> that part is working

Would you have any idea about an API I would have missed or anything else?
I can definitely share my code if anyone want to have a look at it.

Thanks for reading,
Cheers,

Pierrick