/**********************************************************************
 * Runs after a block body has been generated. Re-analyzes the block
 * until its facts reach a fixed point. When a statement makes the
 * analyzer fail on a later pass over the body (in most cases a
 * null/dead pointer dereference), that statement and every statement
 * after it are deleted and the search starts again.
 *
 * Also performs effect analysis.
 *
 * cg_context: code generation context
 * pre_effect: effect the accumulated effect is reset to before each
 *             fixed-point pass
 *********************************************************************/
void
Block::post_creation_analysis(CGContext& cg_context, const Effect& pre_effect)
{
    // Left uninitialized on purpose: find_fixed_point() writes it on its
    // failing path, and it is only read after a failed pass.
    int fail_at;
    FactMgr* fact_mgr = get_fact_mgr(&cg_context);
    fact_mgr->map_visited[this] = true;

    // compute accumulated effect
    set_accumulated_effect(cg_context);

    // Keep a copy of the facts taken before the out-of-scope and
    // return-value facts are stripped from global_facts below.
    vector<const Fact*> post_facts = fact_mgr->global_facts;
    FactMgr::update_facts_for_oos_vars(local_vars, fact_mgr->global_facts);
    fact_mgr->remove_rv_facts(fact_mgr->global_facts);
    fact_mgr->set_fact_out(this, fact_mgr->global_facts);

    // find out if fixed-point searching is required
    const bool is_loop_body = !must_break_or_return() && looping;
    bool self_back_edge = false;
    if (is_loop_body || need_revisit || has_edge_in(false, true)) {
        if (is_loop_body && from_tail_to_head()) {
            fact_mgr->create_cfg_edge(this, this, false, true);
            self_back_edge = true;
        }

        vector<const Fact*> entry_facts = fact_mgr->map_facts_in[this];
        // reset the accumulated effect
        cg_context.reset_effect_accum(pre_effect);

        while (!find_fixed_point(entry_facts, post_facts, cg_context, fail_at, need_revisit)) {
            // Drop the failing statement and everything after it.
            // NOTE(review): this only terminates if remove_stmt() shrinks
            // stms on every call -- confirm against remove_stmt().
            const size_t first_bad = fail_at;
            while (first_bad < stms.size()) {
                remove_stmt(stms[first_bad]);
            }

            // statements were deleted, so the next visit must walk the
            // statements again (no shortcut)
            need_revisit = true;
            // the in/out maps from the previous analysis may still hold
            // facts caused by the deleted statements
            fact_mgr->reset_stm_fact_maps(this);

            // sometimes a loop emerges after the "return" statement in the
            // body has been deleted
            if (!self_back_edge && from_tail_to_head()) {
                fact_mgr->create_cfg_edge(this, this, false, true);
                self_back_edge = true;
            }

            // reset incoming effects
            cg_context.reset_effect_accum(pre_effect);
        }
        fact_mgr->global_facts = fact_mgr->map_facts_out[this];
    }

    // Add a return statement back for blocks that require one and had it
    // deleted. Only done for the top-level block of a function that
    // requires a return statement.
    if (parent == 0 && func->need_return_stmt() && !must_return()) {
        fact_mgr->global_facts = post_facts;
        Statement* added_return = append_return_stmt(cg_context);
        fact_mgr->set_fact_out(this, fact_mgr->map_facts_out[added_return]);
    }
}
/***************************************************************************************
 * For a given input env, abstract this statement, generate an output env, and
 * record both the input and the output env for this statement.
 *
 * Shortcut: if the input env matches a previous input env, the previous output
 * env is used directly.
 *
 * inputs:     env on entry; on a full visit it is passed to stm_visit_facts()
 *             and then recorded as the output env
 * cg_context: code generation context
 * returns:    false when shortcut_analysis() yields 1 or stm_visit_facts()
 *             fails, true otherwise
 ***************************************************************************************/
bool
Statement::validate_and_update_facts(vector<const Fact*>& inputs, CGContext& cg_context) const
{
    FactMgr* fact_mgr = get_fact_mgr_for_func(func);
    // NOTE(review): 0 is treated as "reuse the earlier result" and 1 as
    // "earlier result was a failure" -- confirm against shortcut_analysis().
    const int verdict = shortcut_analysis(inputs, cg_context);

    if (verdict == 1) {
        return false;
    }

    if (verdict != 0) {
        // No shortcut: visit the statement and record the envs on both sides.
        vector<const Fact*> entry_facts = inputs;
        if (!stm_visit_facts(inputs, cg_context)) {
            return false;
        }
        fact_mgr->set_fact_in(this, entry_facts);
        fact_mgr->set_fact_out(this, inputs);
        return true;
    }

    /* Shortcut taken: mark the goto statements inside this statement as
       visited. This fixes scenarios like the following:

           lbl: s1
           for (...) {
               goto lbl;
           }

       where the "for" statement is bypassed, but the output from "goto lbl"
       must still be fed into s1 in order to reach a fixed point. */
    for (size_t e = 0; e < fact_mgr->cfg_edges.size(); e++) {
        const Statement* edge_src = fact_mgr->cfg_edges[e]->src;
        if (edge_src->eType == eGoto && contains_stmt(edge_src)) {
            fact_mgr->map_visited[edge_src] = true;
        }
    }
    return true;
}
/****************************************************************************
 * Entry point to pointer analysis and other DFA analysis for a newly
 * created statement. Some analysis has already been done during statement
 * generation; the work that is only possible with a complete statement is
 * done here.
 *
 * pre_facts:  facts holding before this statement
 * pre_effect: effect the accumulated effect is reset to when the statement
 *             is re-validated
 * cg_context: code generation context
 ****************************************************************************/
void
Statement::post_creation_analysis(vector<const Fact*>& pre_facts, const Effect& pre_effect, CGContext& cg_context) const
{
    FactMgr* fact_mgr = get_fact_mgr_for_func(func);

    // The downcasts in this function are unchecked: they are only valid as
    // long as eType agrees with the dynamic type of the object.
    if (eType != eIfElse) {
        fact_mgr->makeup_new_var_facts(pre_facts, fact_mgr->global_facts);
    } else {
        // for if...else... the true and false branches are not walked again;
        // the output is computed with the return statement(s) of both
        // branches taken into account
        ((const StatementIf*)this)->combine_branch_facts(pre_facts);
    }

    // Save the effect of a simple statement here; the effect of a compound
    // statement is saved in make_random.
    if (!is_compound(eType)) {
        fact_mgr->map_stm_effect[this] = cg_context.get_effect_stm();
    }

    // Special handling for non-looping statements in func_1, which are never
    // re-visited in order to save run time.
    const bool revalidate_now =
        cg_context.get_current_func()->name == "func_1"
        && !(cg_context.flags & IN_LOOP)
        && has_uncertain_call_recursive();

    if (revalidate_now) {
        FactVec outputs = pre_facts;
        cg_context.reset_effect_accum(pre_effect);
        // NOTE(review): a failed validation is reported by assert only, so a
        // build with NDEBUG defined continues with whatever is in outputs.
        if (!validate_and_update_facts(outputs, cg_context)) {
            assert(0);
        }
        fact_mgr->global_facts = outputs;
    }
    else if (eType == eAssign) {
        // Abstract the fact for the assignment itself. Function calls on the
        // RHS are not analyzed here because they were already handled during
        // statement generation.
        const StatementAssign* assign_stm = (const StatementAssign*)this;
        FactMgr::update_fact_for_assign(assign_stm, fact_mgr->global_facts);
    }
    else if (eType == eReturn) {
        const StatementReturn* return_stm = (const StatementReturn*)this;
        FactMgr::update_fact_for_return(return_stm, fact_mgr->global_facts);
    }

    fact_mgr->remove_rv_facts(fact_mgr->global_facts);
    fact_mgr->set_fact_in(this, pre_facts);
    fact_mgr->set_fact_out(this, fact_mgr->global_facts);
    fact_mgr->map_accum_effect[this] = *(cg_context.get_effect_accum());
    fact_mgr->map_visited[this] = true;
}
/**************************************************************************************************
 * DFA analysis for a block.
 *
 * All kinds of blocks must be handled here: the block of a for-loop; the if-true and if-false
 * blocks; a function body; a block that loops; a block with a jump destination inside; a block
 * that is itself a jump destination (the "continue" case in for-loops).
 *
 * params:
 *    inputs:     the input env before entering the block (taken by value and modified locally)
 *    post_facts: receives the facts computed by the last completed pass over the statements
 *    cg_context: code generation context
 *    fail_index: set to the index of the statement that caused the analyzer to fail;
 *                written only when false is returned
 *    visit_once: when true, the statements in this block are visited at least once
 *
 * returns: true once the shortcut analysis reports that a pass can be skipped, false when a
 *          statement fails to analyze
 ****************************************************************************************************/
bool
Block::find_fixed_point(vector<const Fact*> inputs, vector<const Fact*>& post_facts, CGContext& cg_context, int& fail_index, bool visit_once) const
{
    FactMgr* fact_mgr = get_fact_mgr(&cg_context);
    // Counts statement visits across all calls; used only for the debugging
    // hook further down.
    static int visit_counter = 0;
    vector<const CFGEdge*> edges_in;
    int revisits = 0;

    // The loop is left only through the return statements inside it.
    for (;;) {
        // A block that has never been visited skips this part, which forces
        // one pass over all of its statements first.
        if (fact_mgr->map_visited[this]) {
            const int rounds_before = revisits++;
            if (rounds_before > 7) {
                // Too many iterations to reach a fixed point: something must be wrong.
                // NOTE(review): the cap is an assert only; with NDEBUG defined
                // nothing bounds the number of iterations.
                assert(0);
            }
            // include outputs from all back edges leading to this block
            find_edges_in(edges_in, false, true);
            for (size_t e = 0; e < edges_in.size(); e++) {
                const Statement* edge_src = edges_in[e]->src;
                merge_facts(inputs, fact_mgr->map_facts_out[edge_src]);
            }
        }

        if (!visit_once && shortcut_analysis(inputs, cg_context) == 0) {
            return true;
        }

        FactVec outputs = inputs;
        // add facts for locals
        for (size_t v = 0; v < local_vars.size(); v++) {
            const Variable* local = local_vars[v];
            FactMgr::add_new_var_fact(local, outputs);
        }

        // revisit statements with new inputs
        for (size_t s = 0; s < stms.size(); s++) {
            if (visit_counter++ == 2585) {
                BREAK_NOP;      // for debugging
            }
            if (!stms[s]->analyze_with_edges_in(outputs, cg_context)) {
                fail_index = static_cast<int>(s);
                return false;
            }
        }

        fact_mgr->set_fact_in(this, inputs);
        post_facts = outputs;
        FactMgr::update_facts_for_oos_vars(local_vars, outputs);
        fact_mgr->set_fact_out(this, outputs);
        fact_mgr->map_visited[this] = true;
        // compute accumulated effect
        set_accumulated_effect(cg_context);
        visit_once = false;
    }
}
/****************************************************************************
 * Update the facts for a return statement: every meta fact abstracts the
 * facts implied by the return, these are merged into inputs, and the result
 * is recorded as the output env of the statement.
 *
 * sr:     the return statement; dereferenced without a null check
 * inputs: facts before the return; the derived facts are merged into it
 ****************************************************************************/
void
FactMgr::update_fact_for_return(const StatementReturn* sr, FactVec& inputs)
{
    for (size_t m = 0; m < FactMgr::meta_facts.size(); m++) {
        std::vector<const Fact*> derived =
            FactMgr::meta_facts[m]->abstract_fact_for_return(inputs, sr->get_var(), sr->func);

        // merge with other return statements
        for (size_t k = 0; k < derived.size(); k++) {
            if (!merge_fact(inputs, derived[k])) {
                continue;
            }
            // a merge that changed the facts is flagged on the owning function
            sr->func->fact_changed = true;
        }
    }

    // incorporate current facts into return facts
    FactMgr* owner = get_fact_mgr_for_func(sr->func);
    owner->set_fact_out(sr, inputs);
}
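/****************************************************************************
 * Generate a return statement, append it to this block, and record its
 * facts and effects in the function's fact manager.
 *
 * cg_context: code generation context
 * returns:    the appended return statement. ERROR_GUARD(NULL) presumably
 *             returns NULL early when generation flagged an error --
 *             confirm against the macro.
 ****************************************************************************/
Statement*
Block::append_return_stmt(CGContext& cg_context)
{
    FactMgr* fm = get_fact_mgr_for_func(func);
    FactVec pre_facts = fm->global_facts;
    cg_context.get_effect_stm().clear();
    Statement* sr = Statement::make_random(cg_context, eReturn);
    ERROR_GUARD(NULL);
    stms.push_back(sr);
    fm->makeup_new_var_facts(pre_facts, fm->global_facts);

    // The visit updates fm->global_facts, so it must run in every build.
    // Keeping the call inside assert() would compile it out when NDEBUG is
    // defined and leave the facts recorded below without the visit.
    const bool visited = sr->visit_facts(fm->global_facts, cg_context);
    assert(visited);
    (void)visited;  // silences the unused-variable warning when NDEBUG is defined

    fm->set_fact_in(sr, pre_facts);
    fm->set_fact_out(sr, fm->global_facts);
    fm->map_accum_effect[sr] = *(cg_context.get_effect_accum());
    fm->map_visited[sr] = true;

    // propagate the new statement's effects to the enclosing block
    fm->map_accum_effect[this] = *(cg_context.get_effect_accum());
    fm->map_stm_effect[this].add_effect(fm->map_stm_effect[sr]);
    return sr;
}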
/****************************************************************************
 * Draw a for-loop statement, append it to this block, and record its facts
 * and effects in the function's fact manager. Unlike a full analysis pass,
 * no fact visit of the new statement is performed here.
 *
 * cg_context: code generation context
 * returns:    the appended loop statement. ERROR_GUARD(NULL) presumably
 *             returns NULL early when generation flagged an error --
 *             confirm against the macro.
 ****************************************************************************/
Statement*
Block::append_nested_loop(CGContext& cg_context)
{
    FactMgr* fact_mgr = get_fact_mgr_for_func(func);
    FactVec facts_before = fact_mgr->global_facts;

    cg_context.get_effect_stm().clear();
    // NOTE(review): HYPOTHESIS_DRAW is a project macro; presumably it builds
    // a Statement of kind eFor -- confirm against its definition.
    Statement* loop_stm = HYPOTHESIS_DRAW(Statement, cg_context, eFor);
    ERROR_GUARD(NULL);

    stms.push_back(loop_stm);
    fact_mgr->makeup_new_var_facts(facts_before, fact_mgr->global_facts);

    // record the envs and effects for the new statement
    fact_mgr->set_fact_in(loop_stm, facts_before);
    fact_mgr->set_fact_out(loop_stm, fact_mgr->global_facts);
    fact_mgr->map_accum_effect[loop_stm] = *(cg_context.get_effect_accum());
    fact_mgr->map_visited[loop_stm] = true;

    // propagate the new statement's effects to the enclosing block
    fact_mgr->map_accum_effect[this] = *(cg_context.get_effect_accum());
    fact_mgr->map_stm_effect[this].add_effect(fact_mgr->map_stm_effect[loop_stm]);
    return loop_stm;
}