|
|
|
(*
|
|
|
|
* Copyright (c) 2009 - 2013 Monoidics ltd.
|
|
|
|
* Copyright (c) 2013 - present Facebook, Inc.
|
|
|
|
* All rights reserved.
|
|
|
|
*
|
|
|
|
* This source code is licensed under the BSD style license found in the
|
|
|
|
* LICENSE file in the root directory of this source tree. An additional grant
|
|
|
|
* of patent rights can be found in the PATENTS file in the same directory.
|
|
|
|
*)
|
|
|
|
|
|
|
|
open! Utils
|
|
|
|
|
|
|
|
(** mutate the cfg/cg to add dynamic dispatch handling *)
|
|
|
|
let add_dispatch_calls pdesc cg tenv ~handle_dynamic_dispatch =
|
|
|
|
let node_add_dispatch_calls caller_pname node =
|
|
|
|
let call_flags_is_dispatch call_flags =
|
|
|
|
(* if sound dispatch is turned off, only consider dispatch for interface calls *)
|
|
|
|
(handle_dynamic_dispatch && call_flags.CallFlags.cf_virtual) ||
|
|
|
|
call_flags.CallFlags.cf_interface in
|
|
|
|
let instr_is_dispatch_call = function
|
|
|
|
| Sil.Call (_, _, _, _, call_flags) -> call_flags_is_dispatch call_flags
|
|
|
|
| _ -> false in
|
|
|
|
let has_dispatch_call instrs =
|
|
|
|
IList.exists instr_is_dispatch_call instrs in
|
|
|
|
let replace_dispatch_calls = function
|
|
|
|
| Sil.Call (ret_id, (Exp.Const (Const.Cfun callee_pname) as call_exp),
|
|
|
|
(((_, receiver_typ) :: _) as args), loc, call_flags) as instr
|
|
|
|
when call_flags_is_dispatch call_flags ->
|
|
|
|
(* the frontend should not populate the list of targets *)
|
|
|
|
assert (call_flags.CallFlags.cf_targets = []);
|
|
|
|
let receiver_typ_no_ptr = match receiver_typ with
|
|
|
|
| Typ.Tptr (typ', _) ->
|
|
|
|
typ'
|
|
|
|
| _ ->
|
|
|
|
receiver_typ in
|
|
|
|
let sorted_overrides =
|
|
|
|
let overrides = Prover.get_overrides_of tenv receiver_typ_no_ptr callee_pname in
|
|
|
|
IList.sort (fun (_, p1) (_, p2) -> Procname.compare p1 p2) overrides in
|
|
|
|
(match sorted_overrides with
|
|
|
|
| ((_, target_pname) :: _) as all_targets ->
|
|
|
|
let targets_to_add =
|
|
|
|
if handle_dynamic_dispatch then
|
|
|
|
IList.map snd all_targets
|
|
|
|
else
|
|
|
|
(* if sound dispatch is turned off, consider only the first target. we do this
|
|
|
|
because choosing all targets is too expensive for everyday use *)
|
|
|
|
[target_pname] in
|
|
|
|
IList.iter
|
|
|
|
(fun target_pname -> Cg.add_edge cg caller_pname target_pname)
|
|
|
|
targets_to_add;
|
|
|
|
let call_flags' = { call_flags with CallFlags.cf_targets = targets_to_add; } in
|
|
|
|
Sil.Call (ret_id, call_exp, args, loc, call_flags')
|
|
|
|
| [] -> instr)
|
|
|
|
|
|
|
|
| instr -> instr in
|
|
|
|
let instrs = Cfg.Node.get_instrs node in
|
|
|
|
if has_dispatch_call instrs then
|
|
|
|
IList.map replace_dispatch_calls instrs
|
|
|
|
|> Cfg.Node.replace_instrs node in
|
|
|
|
let pname = Cfg.Procdesc.get_proc_name pdesc in
|
|
|
|
if Procname.is_java pname then
|
|
|
|
Cfg.Procdesc.iter_nodes (node_add_dispatch_calls pname) pdesc
|
|
|
|
|
|
|
|
(** add instructions to perform abstraction *)
|
|
|
|
let add_abstraction_instructions pdesc =
|
|
|
|
let open Cfg in
|
|
|
|
(* true if there is a succ node s.t.: it is an exit node, or the succ of >1 nodes *)
|
|
|
|
let converging_node node =
|
|
|
|
let is_exit node = match Node.get_kind node with
|
|
|
|
| Node.Exit_node _ -> true
|
|
|
|
| _ -> false in
|
|
|
|
let succ_nodes = Node.get_succs node in
|
|
|
|
if IList.exists is_exit succ_nodes then true
|
|
|
|
else match succ_nodes with
|
|
|
|
| [] -> false
|
|
|
|
| [h] -> IList.length (Node.get_preds h) > 1
|
|
|
|
| _ -> false in
|
|
|
|
let node_requires_abstraction node =
|
|
|
|
match Node.get_kind node with
|
|
|
|
| Node.Start_node _
|
|
|
|
| Node.Join_node ->
|
|
|
|
false
|
|
|
|
| Node.Exit_node _
|
|
|
|
| Node.Stmt_node _
|
|
|
|
| Node.Prune_node _
|
|
|
|
| Node.Skip_node _ ->
|
|
|
|
converging_node node in
|
|
|
|
let do_node node =
|
|
|
|
let loc = Node.get_last_loc node in
|
|
|
|
if node_requires_abstraction node then Node.append_instrs node [Sil.Abstract loc] in
|
|
|
|
Cfg.Procdesc.iter_nodes do_node pdesc
|
|
|
|
|
|
|
|
module BackwardCfg = ProcCfg.OneInstrPerNode(ProcCfg.Backward(ProcCfg.Exceptional))
|
|
|
|
|
|
|
|
module LivenessAnalysis =
|
|
|
|
AbstractInterpreter.Make
|
|
|
|
(BackwardCfg)
|
|
|
|
(Scheduler.ReversePostorder)
|
|
|
|
(Liveness.TransferFunctions)
|
|
|
|
|
|
|
|
module VarDomain = AbstractDomain.FiniteSet(Var.Set)
|
|
|
|
|
|
|
|
(** computes the non-nullified reaching definitions at the end of each node by building on the
|
|
|
|
results of a liveness analysis to be precise, what we want to compute is:
|
|
|
|
to_nullify := (live_before U non_nullifed_reaching_defs) - live_after
|
|
|
|
non_nullified_reaching_defs := non_nullified_reaching_defs - to_nullify
|
|
|
|
Note that this can't be done with by combining the results of reaching definitions and liveness
|
|
|
|
after the fact, nor can it be done with liveness alone. We will insert nullify instructions for
|
|
|
|
each pvar in to_nullify afer we finish the analysis. Nullify instructions speed up the analysis
|
|
|
|
by enabling it to GC state that will no longer be read. *)
|
|
|
|
module NullifyTransferFunctions = struct
|
|
|
|
(* (reaching non-nullified vars) * (vars to nullify) *)
|
|
|
|
module Domain = AbstractDomain.Pair (VarDomain) (VarDomain)
|
|
|
|
module CFG = ProcCfg.Exceptional
|
|
|
|
type extras = LivenessAnalysis.invariant_map
|
|
|
|
|
|
|
|
let postprocess ((reaching_defs, _) as astate) node { ProcData.extras; } =
|
|
|
|
let node_id = (CFG.underlying_id node), ProcCfg.Node_index in
|
|
|
|
match LivenessAnalysis.extract_state node_id extras with
|
|
|
|
(* note: because the analysis is backward, post and pre are reversed *)
|
|
|
|
| Some { AbstractInterpreter.post = live_before; pre = live_after; } ->
|
|
|
|
let to_nullify = VarDomain.diff (VarDomain.union live_before reaching_defs) live_after in
|
|
|
|
let reaching_defs' = VarDomain.diff reaching_defs to_nullify in
|
|
|
|
(reaching_defs', to_nullify)
|
|
|
|
| None -> astate
|
|
|
|
|
|
|
|
let is_last_instr_in_node instr node =
|
|
|
|
let rec is_last_instr instr = function
|
|
|
|
| [] -> true
|
|
|
|
| last_instr :: [] -> Sil.instr_compare instr last_instr = 0
|
|
|
|
| _ :: instrs -> is_last_instr instr instrs in
|
|
|
|
is_last_instr instr (CFG.instrs node)
|
|
|
|
|
|
|
|
let exec_instr ((active_defs, to_nullify) as astate) extras node instr =
|
|
|
|
let astate' = match instr with
|
|
|
|
| Sil.Load (lhs_id, _, _, _) ->
|
|
|
|
VarDomain.add (Var.of_id lhs_id) active_defs, to_nullify
|
|
|
|
| Sil.Call (lhs_id, _, _, _, _) ->
|
|
|
|
let active_defs' =
|
|
|
|
Option.map_default
|
|
|
|
(fun (id, _) -> VarDomain.add (Var.of_id id) active_defs)
|
|
|
|
active_defs
|
|
|
|
lhs_id in
|
|
|
|
active_defs', to_nullify
|
|
|
|
| Sil.Store (Exp.Lvar lhs_pvar, _, _, _) ->
|
|
|
|
VarDomain.add (Var.of_pvar lhs_pvar) active_defs, to_nullify
|
|
|
|
| Sil.Store _ | Prune _ | Declare_locals _ | Remove_temps _ | Abstract _ ->
|
|
|
|
astate
|
|
|
|
| Sil.Nullify _ ->
|
|
|
|
failwith "Should not add nullify instructions before running nullify analysis!" in
|
|
|
|
if is_last_instr_in_node instr node
|
|
|
|
then postprocess astate' node extras
|
|
|
|
else astate'
|
|
|
|
end
|
|
|
|
|
|
|
|
module NullifyAnalysis =
|
|
|
|
AbstractInterpreter.MakeNoCFG
|
|
|
|
(Scheduler.ReversePostorder (ProcCfg.Exceptional))
|
|
|
|
(NullifyTransferFunctions)
|
|
|
|
|
|
|
|
(** remove dead stores whose lhs is a frontend-created temporary variable. these dead stores are
|
|
|
|
created by copy-propagation *)
|
|
|
|
let remove_dead_frontend_stores pdesc liveness_inv_map =
|
|
|
|
let is_live var instr_id liveness_inv_map =
|
|
|
|
match LivenessAnalysis.extract_pre instr_id liveness_inv_map with
|
|
|
|
| Some pre -> VarDomain.mem var pre
|
|
|
|
| None -> true in
|
|
|
|
let is_used_store (instr, instr_id_opt) =
|
|
|
|
match instr, instr_id_opt with
|
|
|
|
| Sil.Load (id, _, _, _), Some instr_id when not (Ident.is_none id) ->
|
|
|
|
is_live (Var.of_id id) instr_id liveness_inv_map
|
|
|
|
| _ -> true in
|
|
|
|
let node_remove_dead_stores node =
|
|
|
|
let instr_nodes = BackwardCfg.instr_ids node in
|
|
|
|
let instr_nodes' = IList.filter_changed is_used_store instr_nodes in
|
|
|
|
if instr_nodes' != instr_nodes
|
|
|
|
then
|
|
|
|
Cfg.Node.replace_instrs node (IList.rev_map fst instr_nodes') in
|
|
|
|
Cfg.Procdesc.iter_nodes node_remove_dead_stores pdesc
|
|
|
|
|
|
|
|
let add_nullify_instrs pdesc tenv liveness_inv_map =
|
|
|
|
let address_taken_vars =
|
|
|
|
if Procname.is_java (Cfg.Procdesc.get_proc_name pdesc)
|
|
|
|
then AddressTaken.Domain.empty (* can't take the address of a variable in Java *)
|
|
|
|
else
|
|
|
|
match AddressTaken.Analyzer.compute_post (ProcData.make_default pdesc tenv) with
|
|
|
|
| Some post -> post
|
|
|
|
| None -> AddressTaken.Domain.empty in
|
|
|
|
|
|
|
|
let nullify_proc_cfg = ProcCfg.Exceptional.from_pdesc pdesc in
|
|
|
|
let nullify_proc_data = ProcData.make pdesc tenv liveness_inv_map in
|
|
|
|
let nullify_inv_map = NullifyAnalysis.exec_cfg nullify_proc_cfg nullify_proc_data in
|
|
|
|
|
|
|
|
(* only nullify pvars that are local; don't nullify those that can escape *)
|
|
|
|
let is_local pvar =
|
|
|
|
not (Pvar.is_return pvar || Pvar.is_global pvar) in
|
|
|
|
|
|
|
|
let node_add_nullify_instructions node pvars =
|
|
|
|
let loc = Cfg.Node.get_last_loc node in
|
|
|
|
let nullify_instrs =
|
|
|
|
IList.filter is_local pvars
|
|
|
|
|> IList.map (fun pvar -> Sil.Nullify (pvar, loc)) in
|
|
|
|
if nullify_instrs <> []
|
|
|
|
then Cfg.Node.append_instrs node (IList.rev nullify_instrs) in
|
|
|
|
|
|
|
|
let node_add_removetmps_instructions node ids =
|
|
|
|
if ids <> [] then
|
|
|
|
let loc = Cfg.Node.get_last_loc node in
|
|
|
|
Cfg.Node.append_instrs node [Sil.Remove_temps (IList.rev ids, loc)] in
|
|
|
|
|
|
|
|
IList.iter
|
|
|
|
(fun node ->
|
|
|
|
match NullifyAnalysis.extract_post (ProcCfg.Exceptional.id node) nullify_inv_map with
|
|
|
|
| Some (_, to_nullify) ->
|
|
|
|
let pvars_to_nullify, ids_to_remove =
|
|
|
|
Var.Set.fold
|
|
|
|
(fun var (pvars_acc, ids_acc) -> match Var.to_exp var with
|
|
|
|
(* we nullify all address taken variables at the end of the procedure *)
|
|
|
|
| Exp.Lvar pvar when not (AddressTaken.Domain.mem pvar address_taken_vars) ->
|
|
|
|
pvar :: pvars_acc, ids_acc
|
|
|
|
| Exp.Var id ->
|
|
|
|
pvars_acc, id :: ids_acc
|
|
|
|
| _ -> pvars_acc, ids_acc)
|
|
|
|
to_nullify
|
|
|
|
([], []) in
|
|
|
|
node_add_removetmps_instructions node ids_to_remove;
|
|
|
|
node_add_nullify_instructions node pvars_to_nullify
|
|
|
|
| None -> ())
|
|
|
|
(ProcCfg.Exceptional.nodes nullify_proc_cfg);
|
|
|
|
(* nullify all address taken variables *)
|
|
|
|
if not (AddressTaken.Domain.is_empty address_taken_vars)
|
|
|
|
then
|
|
|
|
let exit_node = ProcCfg.Exceptional.exit_node nullify_proc_cfg in
|
|
|
|
node_add_nullify_instructions exit_node (AddressTaken.Domain.elements address_taken_vars)
|
|
|
|
|
|
|
|
module ExceptionalOneInstrPerNodeCfg = ProcCfg.OneInstrPerNode(ProcCfg.Exceptional)
|
|
|
|
|
|
|
|
module CopyProp =
|
|
|
|
AbstractInterpreter.Make
|
|
|
|
(ExceptionalOneInstrPerNodeCfg)
|
|
|
|
(Scheduler.ReversePostorder)
|
|
|
|
(CopyPropagation.TransferFunctions)
|
|
|
|
|
|
|
|
let do_copy_propagation pdesc tenv =
|
|
|
|
let proc_cfg = ExceptionalOneInstrPerNodeCfg.from_pdesc pdesc in
|
|
|
|
let copy_prop_inv_map = CopyProp.exec_cfg proc_cfg (ProcData.make_default pdesc tenv) in
|
|
|
|
(* [var_map] represents a chain of variable. copies v_0 -> v_1 ... -> v_n. starting from some
|
|
|
|
ident v_j, we want to walk backward through the chain to find the lowest v_i that is also an
|
|
|
|
ident. *)
|
|
|
|
let id_sub var_map id =
|
|
|
|
(* [last_id] is the highest identifier in the chain that we've seen so far *)
|
|
|
|
let rec id_sub_inner var_map var last_id =
|
|
|
|
try
|
|
|
|
let var' = CopyPropagation.Domain.find var var_map in
|
|
|
|
let last_id' = match var' with
|
|
|
|
| Var.LogicalVar id -> id
|
|
|
|
| _ -> last_id in
|
|
|
|
id_sub_inner var_map var' last_id'
|
|
|
|
with Not_found ->
|
|
|
|
Exp.Var last_id in
|
|
|
|
id_sub_inner var_map (Var.of_id id) id in
|
|
|
|
|
|
|
|
(* perform copy-propagation on each instruction in [node] *)
|
|
|
|
let rev_transform_node_instrs node =
|
|
|
|
IList.fold_left
|
|
|
|
(fun (instrs, changed) (instr, id_opt) ->
|
|
|
|
match id_opt with
|
|
|
|
| Some id ->
|
|
|
|
begin
|
|
|
|
match CopyProp.extract_pre id copy_prop_inv_map with
|
|
|
|
| Some pre when not (CopyPropagation.Domain.is_empty pre) ->
|
|
|
|
let instr' = Sil.instr_sub_ids ~sub_id_binders:false (id_sub pre) instr in
|
|
|
|
instr' :: instrs, changed || instr' != instr
|
|
|
|
| _ ->
|
|
|
|
instr :: instrs, changed
|
|
|
|
end
|
|
|
|
| None -> instr :: instrs, changed)
|
|
|
|
([], false)
|
|
|
|
(ExceptionalOneInstrPerNodeCfg.instr_ids node) in
|
|
|
|
|
|
|
|
IList.iter
|
|
|
|
(fun node ->
|
|
|
|
let instrs, changed = rev_transform_node_instrs node in
|
|
|
|
if changed
|
|
|
|
then Cfg.Node.replace_instrs node (IList.rev instrs))
|
|
|
|
(Cfg.Procdesc.get_nodes pdesc)
|
|
|
|
|
|
|
|
let do_liveness pdesc tenv =
|
|
|
|
let liveness_proc_cfg = BackwardCfg.from_pdesc pdesc in
|
|
|
|
LivenessAnalysis.exec_cfg liveness_proc_cfg (ProcData.make_default pdesc tenv)
|
|
|
|
|
|
|
|
let doit ?(handle_dynamic_dispatch=Config.sound_dynamic_dispatch) pdesc cg tenv =
|
|
|
|
if not (Cfg.Procdesc.did_preanalysis pdesc)
|
|
|
|
then
|
|
|
|
begin
|
|
|
|
Cfg.Procdesc.signal_did_preanalysis pdesc;
|
|
|
|
if Config.copy_propagation then do_copy_propagation pdesc tenv;
|
|
|
|
let liveness_inv_map = do_liveness pdesc tenv in
|
|
|
|
if not (Config.lazy_dynamic_dispatch) && Config.copy_propagation
|
|
|
|
then remove_dead_frontend_stores pdesc liveness_inv_map;
|
|
|
|
add_nullify_instrs pdesc tenv liveness_inv_map;
|
|
|
|
if not Config.lazy_dynamic_dispatch
|
|
|
|
then add_dispatch_calls ~handle_dynamic_dispatch pdesc cg tenv;
|
|
|
|
add_abstraction_instructions pdesc;
|
|
|
|
end
|