From: David Malcolm <dmalcolm@redhat.com>
To: Ankur Saini <arsenic.secondary@gmail.com>
Cc: gcc@gcc.gnu.org
Subject: Re: daily report on extending static analyzer project [GSoC]
Date: Mon, 28 Jun 2021 19:39:57 -0400
Message-ID: <9e97b67cc5eb55a3a526b1c263a9980915556ce1.camel@redhat.com>
In-Reply-To: <BE75EFAB-B8B4-45DA-82F5-49BE3B826F27@gmail.com>

On Mon, 2021-06-28 at 20:23 +0530, Ankur Saini wrote:
> 
> 
> > On 28-Jun-2021, at 12:18 AM, David Malcolm <dmalcolm@redhat.com>
> > wrote:
> > > 
> > > > 
> > > > > 
> > > > > Q. But even if we find out which function to call, how will
> > > > > the analyzer know which snode that function belongs to?
> > > > 
> > > > Use this method of supergraph:
> > > >  supernode *get_node_for_function_entry (function *fun) const;
> > > > to get the supernode for the entrypoint of a given function.
> > > > 
> > > > You can get the function * from a fndecl via
> > > > DECL_STRUCT_FUNCTION.
> > > 
> > > so once we get fndecl, it should be comparatively smooth sailing
> > > from
> > > there. 
> > > 
> > > My attempt to get the value of the function pointer from the state:
> > > 
> > > - to access the region model of the state, I tried to access
> > > “m_region_model” of that state.
> > > - now I want to access cluster for a function pointer.
> > > - but when looking at the accessible functions to region model
> > > class,
> > > I couldn’t seem to find the fitting one. ( the closest I could
> > > find
> > > was “region_model::get_reachable_svalues()” to get a set of all
> > > the
> > > svalues reachable from that model )
> > 
> > In general you can use:
> >  region_model::get_rvalue
> > to go from a tree to a symbolic value for what the analyzer
> > "thinks"
> > the value of that tree is at that point along the path.
> > 
> > If it "knows" that it's a specific function pointer, then IIRC this
> > will return a region_svalue where region_svalue::get_pointee ()
> > will
> > (hopefully) point at the function_region representing the memory
> > holding the code of the function.  function_region::get_fndecl
> > should
> > then give you the tree for the specific FUNCTION_DECL, from which
> > you
> > can find the supergraph node etc.
> > 
> > It looks like
> >  region_model::get_fndecl_for_call
> > might already do most of what you need, but it looks like it bails
> > out
> > for the "NULL cgraph_node" case.  Maybe that needs fixing, so that
> > it
> > returns the fndecl for that case?  That already gets used in some
> > places, so maybe try putting a breakpoint on that and see if fixing
> > that gets you further?
> 
> Shouldn’t the fn_decl still have a cgraph_node if the function
> is declared in the program itself? It should just not have an edge
> representing the call.

That would make sense.  I'd suggest verifying that in the debugger.

> Because I was able to find the super-graph node just with the help of
> the function itself.

Great.


> 
> This is how the function "exploded_node::on_edge()" looks right now.
> 
> File: {$SCR_DIR}/gcc/analyzer/engine.cc
>     bool
>     exploded_node::on_edge (exploded_graph &eg,
>                           const superedge *succ,
>                           program_point *next_point,
>                           program_state *next_state,
>                           uncertainty_t *uncertainty)
>     {
>       LOG_FUNC (eg.get_logger ());
> 
>       if (succ->m_kind == SUPEREDGE_INTRAPROCEDURAL_CALL)
>       {
>         const program_point *this_point = &this->get_point();
>         const program_state *this_state = &this->get_state ();
>         const gcall *call = this_point->get_supernode ()->get_final_call ();
> 
>         impl_region_model_context ctxt (eg,
>           this,
>           this_state,
>           next_state,
>           uncertainty,
>           this_point->get_stmt());
> 
>         region_model *model = this_state->m_region_model;
>         tree fn_decl = model->get_fndecl_for_call(call,&ctxt);
>         /* get_fndecl_for_call returns NULL_TREE when the callee is not
>            known, so check it before using DECL_STRUCT_FUNCTION.  */
>         if(fn_decl && DECL_STRUCT_FUNCTION(fn_decl))
>         {
>           const supergraph *sg = &eg.get_supergraph();
>           supernode * sn =  sg->get_node_for_function_entry (DECL_STRUCT_FUNCTION(fn_decl));
>           // create enode and eedge ?
>         }
>       }
> 
>       if (!next_point->on_edge (eg, succ))
>         return false;
> 
>       if (!next_state->on_edge (eg, this, succ, uncertainty))
>         return false;
> 
>       return true;
>     }

Looks promising.

> 
> for now, it is also detecting calls that already have call_sedge
> connecting them, so I think I also have to filter them out.

Right, I think so too.

Dave
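
The kind of input the discussion above is about, as an added example that is not part of the thread or of GCC's testsuite: a constructed C file in which the callee is reached only through a function pointer whose value is known along the path, so the call statements have no call edge leading to it. All function names are made up for illustration; `copy_len_buggy` is deliberately wrong and is never executed.

```c
#include <stdlib.h>
#include <string.h>

typedef void (*release_fn) (void *);

/* Constructed callee: defined in this file, but only ever reached
   through a function pointer, never by a direct call.  */
static void release (void *p)
{
  free (p);
}

/* Deliberately buggy: buf is freed twice, both times through fp.
   Reporting it requires resolving fp to release () at each call site
   and following the path into the callee.  Never called at run time.  */
size_t copy_len_buggy (const char *s)
{
  release_fn fp = release;
  size_t n = strlen (s);
  char *buf = malloc (n + 1);
  if (!buf)
    return 0;
  memcpy (buf, s, n + 1);
  fp (buf);
  fp (buf);   /* second free of the same pointer */
  return n;
}

/* Corrected form: a single release through the same pointer.  */
size_t copy_len (const char *s)
{
  release_fn fp = release;
  size_t n = strlen (s);
  char *buf = malloc (n + 1);
  if (!buf)
    return 0;
  memcpy (buf, s, n + 1);
  n = strlen (buf);   /* read the copy before it is released */
  fp (buf);
  return n;
}

int main (void)
{
  return copy_len ("abc") == 3 ? 0 : 1;
}
```

Compiling the file with `gcc -fanalyzer -c` feeds it to the analyzer; whether a given GCC release reports the double free depends on whether it resolves the indirect calls.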

