From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=NBZ8=BV=irisa.fr=pierrick.philippe@sourceware.org>
Received: from mail3-relais-sop.national.inria.fr (mail3-relais-sop.national.inria.fr [192.134.164.104])
	by sourceware.org (Postfix) with ESMTPS id 15F633857730
	for <gcc@gcc.gnu.org>; Thu,  1 Jun 2023 12:48:39 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 15F633857730
Authentication-Results: sourceware.org; dmarc=none (p=none dis=none) header.from=irisa.fr
Authentication-Results: sourceware.org; spf=pass smtp.mailfrom=irisa.fr
Authentication-Results: mail3-relais-sop.national.inria.fr; dkim=none (message not signed) header.i=none
X-Ironport-Dmarc-Check-Result: validskip
X-IronPort-AV: E=Sophos;i="6.00,210,1681164000"; 
   d="scan'208,217";a="57569025"
Received: from ptb-5cg22835fs.irisa.fr (HELO [131.254.21.198]) ([131.254.21.198])
  by mail3-relais-sop.national.inria.fr with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 01 Jun 2023 14:48:37 +0200
Content-Type: multipart/alternative;
 boundary="------------NUJz0ZGE7QBfqgwrzEN8sMZg"
Message-ID: <5190c901-bd17-750f-8713-75f51635ab49@irisa.fr>
Date: Thu, 1 Jun 2023 14:48:36 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
 Thunderbird/102.11.0
To: gcc@gcc.gnu.org, David Malcolm <dmalcolm@redhat.com>
Content-Language: fr, en-US
From: Pierrick Philippe <pierrick.philippe@irisa.fr>
Subject: [analyzer] Comparing svalues
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,HTML_MESSAGE,KAM_DMARC_STATUS,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS,TXREP,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org
List-Id: <gcc.gcc.gnu.org>

This is a multi-part message in MIME format.
--------------NUJz0ZGE7QBfqgwrzEN8sMZg
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit

Hi David, hi all,

I'm working on a plugin for the analyzer, and basically I've reached a 
point where I need to compare svalues.
For the need of my analysis, I've modified the analyzer to be able to 
track for region in some specific cases, so I modified the 
implementation of the /sm_state_map/.
If anyone want to see my modifications, I would be glad to send it to 
you (not yet on a public repository).

I'm trying to handle all the different (only defined behavior) 
semantically correct ways to manipulate arrays.
To illustrate my words, here is an example:

    int t[4] = 0;
    t[2] = some_var; // valid and represented in GIMPLE by a single
    gassign stmt with LHS being an ARRAY_REF
    *(t+2) = some_var; // valid and represented in GIMPLE by two
    distincts gassign stmt with LHS_1 being a SSA_NAME and LHS_2 being a
    MEM_REF
    int *y = t + 1;
    *(y+1) = some_var; // valid and represented in GIMPLE by two
    distincts gassign stmt with LHS_1 being a SSA_NAME and LHS_2 being a
    MEM_REF

In this example, the same memory is modified and correspond to 't[2]'.
What I'm trying to do is to determine have a correlation between the 
region 't[2]' and the svalue '&t + 2 * sizeof(element)'.

I've manage to pass from the tree '&t + 2 * sizeof(element)' to the 
corresponding region 't[2]' using the 
/ana::region_model_manager::get_element_region/ API.
So that if I have the region corresponding to 't[2]' in the 
/sm_state_map/, it is correctly found within the inner /hash_map//<const 
region *, reg_entry_t>/.

It gets weird when working from going to the tree 't[2]' to the 
corresponding svalue '&t + 2 * sizeof(element)'.
Basically for now, I used several approaches:

    - I tried building the correspond tree using /buildN/ GIMPLE API and
    then the /ana::region_model::get_rvalue/ API, I did had a result
    being dumped as exactly what I needed, but the lookup (through
    /ana::sm_context::get_state/) within the inner /hash_map <const
    svalue *, entry_t>/ of /sm_state_map/ was failing even though the
    same svalue was present in the /hash_map.
    /I tried to understand what was happening, and basically, it seems
    that the two svalues does not have the same address, though the same
    hash, leading to the lookup failure.

    - Right now, I am doing exactly the same to obtain the corresponding
    svalue, but instead of using /ana::sm_context::get_state/, I am
    iterating over all the live_values obtained through
    /ana::region_model::get_reachable_svalues/ until I find the same
    svalue in terms of semantics. Though, this is failing because there
    is currently no way to compare svalue's semantic.

So, basically I'm kind of stuck here and I have no idea how to properly 
go from a tree representation to its svalue/region one.
To explicit as much as possible I'm trying to do this:

    - Pass from 'tree t[2]' to 'svalue &t + 2 * sizeof(element)'; ->
    that part does not work

    - Pass from 'tree t + 2' to 'region t[2]'; -> that part is working

Would you have any idea about an API I would have missed or anything else?
I can definitely share my code if anyone want to have a look at it.

Thanks for reading,
Cheers,

Pierrick

--------------NUJz0ZGE7QBfqgwrzEN8sMZg--