| blob | 1cb07f5581cee093ec1103ef72a934bf5b05862e |
1 /* Tree based points-to analysis
2 Copyright (C) 2005, 2006, 2007, 2008, 2009 Free Software Foundation, Inc.
3 Contributed by Daniel Berlin <dberlin@dberlin.org>
5 This file is part of GCC.
7 GCC is free software; you can redistribute it and/or modify
8 under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 GCC is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with GCC; see the file COPYING3. If not see
19 <http://www.gnu.org/licenses/>. */
56 /* The idea behind this analyzer is to generate set constraints from the
57 program, then solve the resulting constraints in order to generate the
58 points-to sets.
60 Set constraints are a way of modeling program analysis problems that
61 involve sets. They consist of an inclusion constraint language,
62 describing the variables (each variable is a set) and operations that
63 are involved on the variables, and a set of rules that derive facts
64 from these operations. To solve a system of set constraints, you derive
65 all possible facts under the rules, which gives you the correct sets
66 as a consequence.
68 See "Efficient Field-sensitive pointer analysis for C" by "David
69 J. Pearce and Paul H. J. Kelly and Chris Hankin, at
70 http://citeseer.ist.psu.edu/pearce04efficient.html
72 Also see "Ultra-fast Aliasing Analysis using CLA: A Million Lines
73 of C Code in a Second" by ""Nevin Heintze and Olivier Tardieu" at
74 http://citeseer.ist.psu.edu/heintze01ultrafast.html
76 There are three types of real constraint expressions, DEREF,
77 ADDRESSOF, and SCALAR. Each constraint expression consists
78 of a constraint type, a variable, and an offset.
80 SCALAR is a constraint expression type used to represent x, whether
81 it appears on the LHS or the RHS of a statement.
82 DEREF is a constraint expression type used to represent *x, whether
83 it appears on the LHS or the RHS of a statement.
84 ADDRESSOF is a constraint expression used to represent &x, whether
85 it appears on the LHS or the RHS of a statement.
87 Each pointer variable in the program is assigned an integer id, and
88 each field of a structure variable is assigned an integer id as well.
90 Structure variables are linked to their list of fields through a "next
91 field" in each variable that points to the next field in offset
92 order.
93 Each variable for a structure field has
95 1. "size", that tells the size in bits of that field.
96 2. "fullsize, that tells the size in bits of the entire structure.
97 3. "offset", that tells the offset in bits from the beginning of the
98 structure to this field.
100 Thus,
101 struct f
102 {
103 int a;
104 int b;
105 } foo;
106 int *bar;
108 looks like
110 foo.a -> id 1, size 32, offset 0, fullsize 64, next foo.b
111 foo.b -> id 2, size 32, offset 32, fullsize 64, next NULL
112 bar -> id 3, size 32, offset 0, fullsize 32, next NULL
115 In order to solve the system of set constraints, the following is
116 done:
118 1. Each constraint variable x has a solution set associated with it,
119 Sol(x).
121 2. Constraints are separated into direct, copy, and complex.
122 Direct constraints are ADDRESSOF constraints that require no extra
123 processing, such as P = &Q
124 Copy constraints are those of the form P = Q.
125 Complex constraints are all the constraints involving dereferences
126 and offsets (including offsetted copies).
128 3. All direct constraints of the form P = &Q are processed, such
129 that Q is added to Sol(P)
131 4. All complex constraints for a given constraint variable are stored in a
132 linked list attached to that variable's node.
134 5. A directed graph is built out of the copy constraints. Each
135 constraint variable is a node in the graph, and an edge from
136 Q to P is added for each copy constraint of the form P = Q
138 6. The graph is then walked, and solution sets are
139 propagated along the copy edges, such that an edge from Q to P
140 causes Sol(P) <- Sol(P) union Sol(Q).
142 7. As we visit each node, all complex constraints associated with
143 that node are processed by adding appropriate copy edges to the graph, or the
144 appropriate variables to the solution set.
146 8. The process of walking the graph is iterated until no solution
147 sets change.
149 Prior to walking the graph in steps 6 and 7, We perform static
150 cycle elimination on the constraint graph, as well
151 as off-line variable substitution.
153 TODO: Adding offsets to pointer-to-structures can be handled (IE not punted
154 on and turned into anything), but isn't. You can just see what offset
155 inside the pointed-to struct it's going to access.
157 TODO: Constant bounded arrays can be handled as if they were structs of the
158 same number of elements.
160 TODO: Modeling heap and incoming pointers becomes much better if we
161 add fields to them as we discover them, which we could do.
163 TODO: We could handle unions, but to be honest, it's probably not
164 worth the pain or slowdown. */
167 htab_t heapvar_for_stmt;
172 /* Used for predecessor bitmaps. */
175 /* Used for points-to sets. */
178 /* Used for oldsolution members of variables. */
181 /* Used for per-solver-iteration bitmaps. */
191 #define EXECUTE_IF_IN_NONNULL_BITMAP(a, b, c, d) \
192 if (a) \
193 EXECUTE_IF_SET_IN_BITMAP (a, b, c, d)
195 static struct constraint_stats
196 {
207 struct variable_info
208 {
209 /* ID of this variable */
212 /* True if this is a variable created by the constraint analysis, such as
213 heap variables and constraints we had to break up. */
216 /* True if this is a special variable whose solution set should not be
217 changed. */
220 /* True for variables whose size is not known or variable. */
223 /* True for (sub-)fields that represent a whole variable. */
226 /* True if this is a heap variable. */
229 /* True if we may not use TBAA to prune references to this
230 variable. This is used for C++ placement new. */
233 /* True if this field may contain pointers. */
236 /* Variable id this was collapsed to due to type unsafety. Zero if
237 this variable was not collapsed. This should be unused completely
238 after build_succ_graph, or something is broken. */
241 /* A link to the variable for the next field in this structure. */
244 /* Offset of this variable, in bits, from the base variable */
247 /* Size of the variable, in bits. */
250 /* Full size of the base variable, in bits. */
253 /* Name of this variable */
256 /* Tree that this variable is associated with. */
257 tree decl;
259 /* Points-to set for this variable. */
260 bitmap solution;
262 /* Old points-to set for this variable. */
263 bitmap oldsolution;
264 };
270 /* Pool of variable info structures. */
277 /* Table of variable info structures for constraint variables.
278 Indexed directly by variable info id. */
281 /* Return the varmap element N */
285 {
287 }
289 /* Return the varmap element N, following the collapsed_to link. */
293 {
299 }
301 /* Static IDs for the special variables. */
306 /* Variable that represents the unknown pointer. */
310 /* Variable that represents the NULL pointer. */
314 /* Variable that represents read only memory. */
318 /* Variable that represents escaped memory. */
322 /* Variable that represents nonlocal memory. */
326 /* Variable that represents call-used memory. */
330 /* Variable that represents variables that are stored to anything. */
334 /* Variable that represents integers. This is used for when people do things
335 like &0->a.b. */
339 /* Lookup a heap var for FROM, and return it if we find one. */
341 static tree
343 {
352 }
354 /* Insert a mapping FROM->TO in the heap var for statement
355 hashtable. */
357 static void
359 {
369 }
371 /* Return a new variable info structure consisting for a variable
372 named NAME, and using constraint graph node NODE. */
374 static varinfo_t
376 {
378 tree var;
400 }
404 /* An expression that appears in a constraint. */
406 struct constraint_expr
407 {
408 /* Constraint type. */
409 constraint_expr_type type;
411 /* Variable we are referring to in the constraint. */
414 /* Offset, in bits, of this constraint from the beginning of
415 variables it ends up referring to.
417 IOW, in a deref constraint, we would deref, get the result set,
418 then add OFFSET to each member. */
420 };
429 /* Our set constraints are made up of two constraint expressions, one
430 LHS, and one RHS.
432 As described in the introduction, our set constraints each represent an
433 operation between set valued variables.
434 */
435 struct constraint
436 {
439 };
441 /* List of constraints that we use to build the constraint graph from. */
450 /* The constraint graph is represented as an array of bitmaps
451 containing successor nodes. */
453 struct constraint_graph
454 {
455 /* Size of this graph, which may be different than the number of
456 nodes in the variable map. */
459 /* Explicit successors of each node. */
462 /* Implicit predecessors of each node (Used for variable
463 substitution). */
466 /* Explicit predecessors of each node (Used for variable substitution). */
469 /* Indirect cycle representatives, or -1 if the node has no indirect
470 cycles. */
473 /* Representative node for a node. rep[a] == a unless the node has
474 been unified. */
477 /* Equivalence class representative for a label. This is used for
478 variable substitution. */
481 /* Pointer equivalence label for a node. All nodes with the same
482 pointer equivalence label can be unified together at some point
483 (either during constraint optimization or after the constraint
484 graph is built). */
487 /* Pointer equivalence representative for a label. This is used to
488 handle nodes that are pointer equivalent but not location
489 equivalent. We can unite these once the addressof constraints
490 are transformed into initial points-to sets. */
493 /* Pointer equivalence label for each node, used during variable
494 substitution. */
497 /* Location equivalence label for each node, used during location
498 equivalence finding. */
501 /* Pointed-by set for each node, used during location equivalence
502 finding. This is pointed-by rather than pointed-to, because it
503 is constructed using the predecessor graph. */
506 /* Points to sets for pointer equivalence. This is *not* the actual
507 points-to sets for nodes. */
510 /* Bitmap of nodes where the bit is set if the node is a direct
511 node. Used for variable substitution. */
512 sbitmap direct_nodes;
514 /* Bitmap of nodes where the bit is set if the node is address
515 taken. Used for variable substitution. */
516 bitmap address_taken;
518 /* Vector of complex constraints for each graph node. Complex
519 constraints are those involving dereferences or offsets that are
520 not 0. */
522 };
526 /* During variable substitution and the offline version of indirect
527 cycle finding, we create nodes to represent dereferences and
528 address taken constraints. These represent where these start and
529 end. */
530 #define FIRST_REF_NODE (VEC_length (varinfo_t, varmap))
531 #define LAST_REF_NODE (FIRST_REF_NODE + (FIRST_REF_NODE - 1))
533 /* Return the representative node for NODE, if NODE has been unioned
534 with another NODE.
535 This function performs path compression along the way to finding
536 the representative. */
538 static unsigned int
540 {
545 }
547 /* Union the TO and FROM nodes to the TO nodes.
548 Note that at some point in the future, we may want to do
549 union-by-rank, in which case we are going to have to return the
550 node we unified to. */
552 static bool
554 {
557 {
560 }
562 }
564 /* Create a new constraint consisting of LHS and RHS expressions. */
566 static constraint_t
569 {
574 }
576 /* Print out constraint C to FILE. */
578 void
580 {
597 }
599 /* Print out constraint C to stderr. */
601 void
603 {
605 }
607 /* Print out all constraints to FILE */
609 void
611 {
613 constraint_t c;
616 }
618 /* Print out all constraints to stderr. */
620 void
622 {
624 }
626 /* Print out to FILE the edge in the constraint graph that is created by
627 constraint c. The edge may have a label, depending on the type of
628 constraint that it represents. If complex1, e.g: a = *b, then the label
629 is "=*", if complex2, e.g: *a = b, then the label is "*=", if
630 complex with an offset, e.g: a = b + 8, then the label is "+".
631 Otherwise the edge has no label. */
633 void
635 {
637 {
641 /* Due to preprocessing of constraints, instructions like *a = *b are
642 illegal; thus, we do not have to handle such cases. */
647 else
648 {
649 /* We must check the case where the constraint is an offset.
650 In this case, it is treated as a complex constraint. */
653 else
655 }
656 }
657 }
659 /* Print the constraint graph in dot format. */
661 void
663 {
665 constraint_t c;
667 /* Only print the graph if it has already been initialized: */
671 /* Print the constraints used to produce the constraint graph. The
672 constraints will be printed as comments in the dot file: */
677 /* Prints the header of the dot file: */
684 /* The next lines print the nodes in the graph. In order to get the
685 number of nodes in the graph, we must choose the minimum between the
686 vector VEC (varinfo_t, varmap) and graph->size. If the graph has not
687 yet been initialized, then graph->size == 0, otherwise we must only
688 read nodes that have an entry in VEC (varinfo_t, varmap). */
692 {
695 }
697 /* Go over the list of constraints printing the edges in the constraint
698 graph. */
704 /* Prints the tail of the dot file. By now, only the closing bracket. */
706 }
708 /* Print out the constraint graph to stderr. */
710 void
712 {
714 }
716 /* SOLVER FUNCTIONS
718 The solver is a simple worklist solver, that works on the following
719 algorithm:
721 sbitmap changed_nodes = all zeroes;
722 changed_count = 0;
723 For each node that is not already collapsed:
724 changed_count++;
725 set bit in changed nodes
727 while (changed_count > 0)
728 {
729 compute topological ordering for constraint graph
731 find and collapse cycles in the constraint graph (updating
732 changed if necessary)
734 for each node (n) in the graph in topological order:
735 changed_count--;
737 Process each complex constraint associated with the node,
738 updating changed if necessary.
740 For each outgoing edge from n, propagate the solution from n to
741 the destination of the edge, updating changed as necessary.
743 } */
745 /* Return true if two constraint expressions A and B are equal. */
747 static bool
749 {
751 }
753 /* Return true if constraint expression A is less than constraint expression
754 B. This is just arbitrary, but consistent, in order to give them an
755 ordering. */
757 static bool
759 {
761 {
764 else
766 }
767 else
769 }
771 /* Return true if constraint A is less than constraint B. This is just
772 arbitrary, but consistent, in order to give them an ordering. */
774 static bool
776 {
781 else
783 }
785 /* Return true if two constraints A and B are equal. */
787 static bool
789 {
792 }
795 /* Find a constraint LOOKFOR in the sorted constraint vector VEC */
797 static constraint_t
800 {
802 constraint_t found;
814 }
816 /* Union two constraint vectors, TO and FROM. Put the result in TO. */
818 static void
821 {
823 constraint_t c;
826 {
828 {
830 constraint_less);
832 }
833 }
834 }
836 /* Take a solution set SET, add OFFSET to each member of the set, and
837 overwrite SET with the result when done. */
839 static void
841 {
844 bitmap_iterator bi;
847 {
850 /* If this is a variable with just one field just set its bit
851 in the result. */
856 else
857 {
860 /* If the result is outside of the variable use the last field. */
862 {
866 }
868 /* If the result is not exactly at fieldoffset include the next
869 field as well. See get_constraint_for_ptr_offset for more
870 rationale. */
874 }
875 }
879 }
881 /* Union solution sets TO and FROM, and add INC to each member of FROM in the
882 process. */
884 static bool
886 {
889 else
890 {
891 bitmap tmp;
900 }
901 }
903 /* Insert constraint C into the list of complex constraints for graph
904 node VAR. */
906 static void
909 {
912 constraint_less);
914 /* Only insert constraints that do not already exist. */
918 }
921 /* Condense two variable nodes into a single variable node, by moving
922 all associated info from SRC to TO. */
924 static void
927 {
929 constraint_t c;
933 /* Move all complex constraints from src node into to node */
935 {
936 /* In complex constraints for node src, we may have either
937 a = *src, and *src = a, or an offseted constraint which are
938 always added to the rhs node's constraints. */
944 else
946 }
950 }
953 /* Remove edges involving NODE from GRAPH. */
955 static void
957 {
960 }
962 /* Merge GRAPH nodes FROM and TO into node TO. */
964 static void
967 {
969 {
970 /* If we have indirect cycles with the from node, and we have
971 none on the to node, the to node has indirect cycles from the
972 from node now that they are unified.
973 If indirect cycles exist on both, unify the nodes that they
974 are in a cycle with, since we know they are in a cycle with
975 each other. */
978 }
980 /* Merge all the successor edges. */
982 {
987 }
990 }
993 /* Add an indirect graph edge to GRAPH, going from TO to FROM if
994 it doesn't exist in the graph already. */
996 static void
999 {
1008 }
1010 /* Add a predecessor graph edge to GRAPH, going from TO to FROM if
1011 it doesn't exist in the graph already.
1012 Return false if the edge already existed, true otherwise. */
1014 static void
1017 {
1021 }
1023 /* Add a graph edge to GRAPH, going from FROM to TO if
1024 it doesn't exist in the graph already.
1025 Return false if the edge already existed, true otherwise. */
1027 static bool
1030 {
1032 {
1034 }
1035 else
1036 {
1042 {
1046 }
1048 }
1049 }
1052 /* Return true if {DEST.SRC} is an existing graph edge in GRAPH. */
1054 static bool
1057 {
1060 }
1062 /* Initialize the constraint graph structure to contain SIZE nodes. */
1064 static void
1066 {
1079 {
1083 }
1084 }
1086 /* Build the constraint graph, adding only predecessor edges right now. */
1088 static void
1090 {
1092 constraint_t c;
1107 {
1110 }
1119 {
1126 {
1127 /* *x = y. */
1130 }
1132 {
1133 /* x = *y */
1136 else
1138 }
1140 {
1141 varinfo_t v;
1143 /* x = &y */
1152 /* Implicitly, *x = y */
1155 /* All related variables are no longer direct nodes. */
1159 {
1161 do
1162 {
1165 }
1167 }
1169 }
1172 {
1173 /* x = y */
1175 /* Implicitly, *x = *y */
1178 }
1180 {
1185 }
1186 }
1187 }
1189 /* Build the constraint graph, adding successor edges. */
1191 static void
1193 {
1195 constraint_t c;
1198 {
1213 {
1216 }
1218 {
1221 }
1223 {
1224 /* x = &y */
1228 }
1231 {
1233 }
1234 }
1236 /* Add edges from STOREDANYTHING to all non-direct nodes. */
1239 {
1242 }
1243 }
1246 /* Changed variables on the last iteration. */
1254 /* Strongly Connected Component visitation info. */
1256 struct scc_info
1257 {
1258 sbitmap visited;
1259 sbitmap deleted;
1264 };
1267 /* Recursive routine to find strongly connected components in GRAPH.
1268 SI is the SCC info to store the information in, and N is the id of current
1269 graph node we are processing.
1271 This is Tarjan's strongly connected component finding algorithm, as
1272 modified by Nuutila to keep only non-root nodes on the stack.
1273 The algorithm can be found in "On finding the strongly connected
1274 connected components in a directed graph" by Esko Nuutila and Eljas
1275 Soisalon-Soininen, in Information Processing Letters volume 49,
1276 number 1, pages 9-14. */
1278 static void
1280 {
1282 bitmap_iterator bi;
1289 /* Visit all the successors. */
1291 {
1303 {
1310 }
1311 }
1313 /* See if any components have been identified. */
1315 {
1318 {
1322 bitmap_iterator bi;
1328 {
1334 }
1339 /* Collapse the SCC nodes into a single node, and mark the
1340 indirect cycles. */
1342 {
1344 {
1347 }
1348 else
1349 {
1352 }
1353 }
1354 }
1356 }
1357 else
1359 }
1361 /* Unify node FROM into node TO, updating the changed count if
1362 necessary when UPDATE_CHANGED is true. */
1364 static void
1367 {
1377 else
1386 /* Mark TO as changed if FROM was changed. If TO was already marked
1387 as changed, decrease the changed count. */
1390 {
1394 else
1395 {
1397 changed_count--;
1398 }
1399 }
1401 {
1402 /* If the solution changes because of the merging, we need to mark
1403 the variable as changed. */
1406 {
1408 {
1410 changed_count++;
1411 }
1412 }
1418 {
1421 }
1422 }
1424 {
1427 }
1428 }
1430 /* Information needed to compute the topological ordering of a graph. */
1432 struct topo_info
1433 {
1434 /* sbitmap of visited nodes. */
1435 sbitmap visited;
1436 /* Array that stores the topological order of the graph, *in
1437 reverse*. */
1439 };
1442 /* Initialize and return a topological info structure. */
1446 {
1453 }
1456 /* Free the topological sort info pointed to by TI. */
1458 static void
1460 {
1464 }
1466 /* Visit the graph in topological order, and store the order in the
1467 topo_info structure. */
1469 static void
1472 {
1473 bitmap_iterator bi;
1480 {
1483 }
1486 }
1488 /* Return true if variable N + OFFSET is a legal field of N. */
1490 static bool
1492 {
1495 /* For things we've globbed to single variables, any offset into the
1496 variable acts like the entire variable, so that it becomes offset
1497 0. */
1502 {
1505 }
1507 }
1509 /* Process a constraint C that represents x = *y, using DELTA as the
1510 starting solution. */
1512 static void
1514 bitmap delta)
1515 {
1520 bitmap_iterator bi;
1522 /* For x = *ESCAPED and x = *CALLUSED we want to compute the
1523 reachability set of the rhs var. As a pointer to a sub-field
1524 of a variable can also reach all other fields of the variable
1525 we simply have to expand the solution to contain all sub-fields
1526 if one sub-field is contained. */
1529 {
1531 /* In a first pass record all variables we need to add all
1532 sub-fields off. This avoids quadratic behavior. */
1534 {
1541 {
1545 }
1546 }
1547 /* In the second pass now do the addition to the solution and
1548 to speed up solving add it to the delta as well. */
1550 {
1552 {
1555 {
1557 {
1560 }
1561 }
1562 }
1564 }
1565 }
1568 {
1571 }
1573 /* For each variable j in delta (Sol(y)), add
1574 an edge in the graph from j to x, and union Sol(j) into Sol(x). */
1576 {
1579 {
1580 varinfo_t v;
1585 /* If the access is outside of the variable we can ignore it. */
1590 /* Adding edges from the special vars is pointless.
1591 They don't have sets that can change. */
1594 /* Merging the solution from ESCAPED needlessly increases
1595 the set. Use ESCAPED as representative instead. */
1600 }
1601 }
1603 done:
1604 /* If the LHS solution changed, mark the var as changed. */
1606 {
1609 {
1611 changed_count++;
1612 }
1613 }
1614 }
1616 /* Process a constraint C that represents *x = y. */
1618 static void
1620 {
1624 bitmap_iterator bi;
1626 /* Our IL does not allow this. */
1629 /* If the solution of y contains ANYTHING simply use the ANYTHING
1630 solution. This avoids needlessly increasing the points-to sets. */
1634 /* If the solution for x contains ANYTHING we have to merge the
1635 solution of y into all pointer variables which we do via
1636 STOREDANYTHING. */
1638 {
1641 {
1643 {
1645 {
1647 changed_count++;
1648 }
1649 }
1650 }
1652 }
1654 /* For each member j of delta (Sol(x)), add an edge from y to j and
1655 union Sol(y) into Sol(j) */
1657 {
1660 {
1661 varinfo_t v;
1666 /* If the access is outside of the variable we can ignore it. */
1671 {
1674 {
1676 {
1680 {
1682 changed_count++;
1683 }
1684 }
1685 }
1686 }
1687 }
1688 }
1689 }
1691 /* Handle a non-simple (simple meaning requires no iteration),
1692 constraint (IE *x = &y, x = *y, *x = y, and x = y with offsets involved). */
1694 static void
1696 {
1698 {
1700 {
1702 }
1703 else
1704 {
1705 /* *x = y */
1707 }
1708 }
1710 {
1711 /* x = *y */
1714 }
1715 else
1716 {
1717 bitmap tmp;
1718 bitmap solution;
1728 {
1731 {
1733 changed_count++;
1734 }
1735 }
1736 }
1737 }
1739 /* Initialize and return a new SCC info structure. */
1743 {
1760 }
1762 /* Free an SCC info structure pointed to by SI */
1764 static void
1766 {
1773 }
1776 /* Find indirect cycles in GRAPH that occur, using strongly connected
1777 components, and note them in the indirect cycles map.
1779 This technique comes from Ben Hardekopf and Calvin Lin,
1780 "It Pays to be Lazy: Fast and Accurate Pointer Analysis for Millions of
1781 Lines of Code", submitted to PLDI 2007. */
1783 static void
1785 {
1795 }
1797 /* Compute a topological ordering for GRAPH, and store the result in the
1798 topo_info structure TI. */
1800 static void
1803 {
1810 }
1812 /* Structure used to for hash value numbering of pointer equivalence
1813 classes. */
1816 {
1817 hashval_t hashcode;
1819 bitmap labels;
1823 /* A hashtable for mapping a bitmap of labels->pointer equivalence
1824 classes. */
1827 /* A hashtable for mapping a bitmap of labels->location equivalence
1828 classes. */
1831 /* Hash function for a equiv_class_label_t */
1833 static hashval_t
1835 {
1838 }
1840 /* Equality function for two equiv_class_label_t's. */
1842 static int
1844 {
1848 }
1850 /* Lookup a equivalence class in TABLE by the bitmap of LABELS it
1851 contains. */
1853 static unsigned int
1855 {
1866 else
1868 }
1871 /* Add an equivalence class named EQUIVALENCE_CLASS with labels LABELS
1872 to TABLE. */
1874 static void
1876 bitmap labels)
1877 {
1889 }
1891 /* Perform offline variable substitution.
1893 This is a worst case quadratic time way of identifying variables
1894 that must have equivalent points-to sets, including those caused by
1895 static cycles, and single entry subgraphs, in the constraint graph.
1897 The technique is described in "Exploiting Pointer and Location
1898 Equivalence to Optimize Pointer Analysis. In the 14th International
1899 Static Analysis Symposium (SAS), August 2007." It is known as the
1900 "HU" algorithm, and is equivalent to value numbering the collapsed
1901 constraint graph including evaluating unions.
1903 The general method of finding equivalence classes is as follows:
1904 Add fake nodes (REF nodes) and edges for *a = b and a = *b constraints.
1905 Initialize all non-REF nodes to be direct nodes.
1906 For each constraint a = a U {b}, we set pts(a) = pts(a) u {fresh
1907 variable}
1908 For each constraint containing the dereference, we also do the same
1909 thing.
1911 We then compute SCC's in the graph and unify nodes in the same SCC,
1912 including pts sets.
1914 For each non-collapsed node x:
1915 Visit all unvisited explicit incoming edges.
1916 Ignoring all non-pointers, set pts(x) = Union of pts(a) for y
1917 where y->x.
1918 Lookup the equivalence class for pts(x).
1919 If we found one, equivalence_class(x) = found class.
1920 Otherwise, equivalence_class(x) = new class, and new_class is
1921 added to the lookup table.
1923 All direct nodes with the same equivalence class can be replaced
1924 with a single representative node.
1925 All unlabeled nodes (label == 0) are not pointers and all edges
1926 involving them can be eliminated.
1927 We perform these optimizations during rewrite_constraints
1929 In addition to pointer equivalence class finding, we also perform
1930 location equivalence class finding. This is the set of variables
1931 that always appear together in points-to sets. We use this to
1932 compress the size of the points-to sets. */
1934 /* Current maximum pointer equivalence class id. */
1937 /* Current maximum location equivalence class id. */
1940 /* Recursive routine to find strongly connected components in GRAPH,
1941 and label it's nodes with DFS numbers. */
1943 static void
1945 {
1947 bitmap_iterator bi;
1955 /* Visit all the successors. */
1957 {
1965 {
1972 }
1973 }
1975 /* Visit all the implicit predecessors. */
1977 {
1985 {
1992 }
1993 }
1995 /* See if any components have been identified. */
1997 {
2000 {
2007 /* Unify our nodes. */
2009 {
2013 }
2015 {
2020 }
2022 {
2027 }
2028 }
2030 }
2031 else
2033 }
2035 /* Label pointer equivalences. */
2037 static void
2039 {
2041 bitmap_iterator bi;
2047 /* Label and union our incoming edges's points to sets. */
2049 {
2054 /* Skip unused edges */
2060 }
2061 /* Indirect nodes get fresh variables. */
2066 {
2070 {
2074 }
2076 }
2077 }
2079 /* Perform offline variable substitution, discovering equivalence
2080 classes, and eliminating non-pointer variables. */
2084 {
2097 /* Condense the nodes, which means to find SCC's, count incoming
2098 predecessors, and unite nodes in SCC's. */
2104 /* Actually the label the nodes for pointer equivalences */
2109 /* Calculate location equivalence labels. */
2111 {
2112 bitmap pointed_by;
2113 bitmap_iterator bi;
2121 /* Translate the pointed-by mapping for pointer equivalence
2122 labels. */
2124 {
2127 }
2128 /* The original pointed_by is now dead. */
2131 /* Look up the location equivalence label if one exists, or make
2132 one otherwise. */
2134 pointed_by);
2136 {
2140 }
2141 else
2142 {
2147 }
2150 }
2154 {
2157 "Equivalence classes for %s node id %d:%s are pointer: %d"
2163 }
2165 /* Quickly eliminate our non-pointer variables. */
2168 {
2172 {
2179 }
2180 }
2183 }
2185 /* Free information that was only necessary for variable
2186 substitution. */
2188 static void
2190 {
2201 }
2203 /* Return an existing node that is equivalent to NODE, which has
2204 equivalence class LABEL, if one exists. Return NODE otherwise. */
2206 static unsigned int
2209 {
2210 /* If the address version of this variable is unused, we can
2211 substitute it for anything else with the same label.
2212 Otherwise, we know the pointers are equivalent, but not the
2213 locations, and we can unite them later. */
2216 {
2220 {
2221 /* Unify the two variables since we know they are equivalent. */
2225 }
2226 else
2227 {
2230 }
2231 }
2232 else
2233 {
2238 }
2241 }
2243 /* Unite pointer equivalent but not location equivalent nodes in
2244 GRAPH. This may only be performed once variable substitution is
2245 finished. */
2247 static void
2249 {
2252 /* Go through the pointer equivalences and unite them to their
2253 representative, if they aren't already. */
2255 {
2258 {
2267 }
2268 }
2269 }
2271 /* Move complex constraints to the GRAPH nodes they belong to. */
2273 static void
2275 {
2277 constraint_t c;
2280 {
2282 {
2287 {
2289 }
2291 {
2294 }
2297 {
2299 }
2300 }
2301 }
2302 }
2305 /* Optimize and rewrite complex constraints while performing
2306 collapsing of equivalent nodes. SI is the SCC_INFO that is the
2307 result of perform_variable_substitution. */
2309 static void
2312 {
2315 constraint_t c;
2321 {
2334 /* See if it is really a non-pointer variable, and if so, ignore
2335 the constraint. */
2337 {
2339 {
2345 }
2348 }
2351 {
2353 {
2359 }
2362 }
2369 }
2370 }
2372 /* Eliminate indirect cycles involving NODE. Return true if NODE was
2373 part of an SCC, false otherwise. */
2375 static bool
2377 {
2380 {
2385 bitmap_iterator bi;
2387 /* We can't touch the solution set and call unify_nodes
2388 at the same time, because unify_nodes is going to do
2389 bitmap unions into it. */
2392 {
2394 {
2397 }
2398 }
2402 queuepos++)
2403 {
2405 }
2408 }
2410 }
2412 /* Solve the constraint graph GRAPH using our worklist solver.
2413 This is based on the PW* family of solvers from the "Efficient Field
2414 Sensitive Pointer Analysis for C" paper.
2415 It works by iterating over all the graph nodes, processing the complex
2416 constraints and propagating the copy constraints, until everything stops
2417 changed. This corresponds to steps 6-8 in the solving list given above. */
2419 static void
2421 {
2424 bitmap pts;
2430 /* Mark all initial non-collapsed nodes as changed. */
2432 {
2437 {
2439 changed_count++;
2440 }
2441 }
2443 /* Allocate a bitmap to be used to store the changed bits. */
2447 {
2457 {
2461 /* If this variable is not a representative, skip it. */
2465 /* In certain indirect cycle cases, we may merge this
2466 variable to another. */
2470 /* If the node has changed, we need to process the
2471 complex constraints and outgoing edges again. */
2473 {
2475 constraint_t c;
2476 bitmap solution;
2481 changed_count--;
2483 /* Compute the changed set of solution bits. */
2495 /* Process the complex constraints */
2497 {
2498 /* XXX: This is going to unsort the constraints in
2499 some cases, which will occasionally add duplicate
2500 constraints during unification. This does not
2501 affect correctness. */
2505 /* The only complex constraint that can change our
2506 solution to non-empty, given an empty solution,
2507 is a constraint where the lhs side is receiving
2508 some set from elsewhere. */
2511 }
2516 /* Do not propagate the ESCAPED solutions. */
2518 {
2519 bitmap_iterator bi;
2521 /* Propagate solution to all successors. */
2524 {
2525 bitmap tmp;
2532 /* Don't try to propagate to ourselves. */
2539 {
2542 {
2544 changed_count++;
2545 }
2546 }
2547 }
2548 }
2549 }
2550 }
2553 }
2558 }
2560 /* Map from trees to variable infos. */
2564 /* Insert ID as the variable id for tree T in the vi_for_tree map. */
2566 static void
2568 {
2573 }
2575 /* Find the variable info for tree T in VI_FOR_TREE. If T does not
2576 exist in the map, return NULL, otherwise, return the varinfo we found. */
2578 static varinfo_t
2580 {
2586 }
2588 /* Return a printable name for DECL */
2592 {
2605 {
2609 }
2611 {
2613 }
2615 {
2618 }
2620 }
2622 /* Find the variable id for tree T in the map.
2623 If T doesn't exist in the map, create an entry for it and return it. */
2625 static varinfo_t
2627 {
2633 }
2635 /* Get a constraint expression for a new temporary variable. */
2637 static struct constraint_expr
2639 {
2649 }
2651 /* Get a constraint expression vector from an SSA_VAR_P node.
2652 If address_p is true, the result will be taken its address of. */
2654 static void
2656 {
2658 varinfo_t vi;
2660 /* We allow FUNCTION_DECLs here even though it doesn't make much sense. */
2663 /* For parameters, get at the points-to set for the actual parm
2664 decl. */
2668 {
2671 }
2677 /* If we determine the result is "anything", and we know this is readonly,
2678 say it points to readonly memory instead. */
2680 {
2684 }
2686 /* If we are not taking the address of the constraint expr, add all
2687 sub-fiels of the variable as well. */
2689 {
2691 {
2694 }
2696 }
2699 }
2701 /* Process constraint T, performing various simplifications and then
2702 adding it to our list of overall constraints. */
2704 static void
2706 {
2713 /* ANYTHING == ANYTHING is pointless. */
2717 /* If we have &ANYTHING = something, convert to SOMETHING = &ANYTHING) */
2719 {
2724 }
2725 /* This can happen in our IR with things like n->a = *p */
2727 {
2728 /* Split into tmp = *rhs, *lhs = tmp */
2737 }
2739 {
2740 /* Split into tmp = &rhs, *lhs = tmp */
2748 }
2749 else
2750 {
2753 }
2754 }
2756 /* Return true if T is a type that could contain pointers. */
2758 static bool
2760 {
2768 }
2770 /* Return true if T is a variable of a type that could contain
2771 pointers. */
2773 static bool
2775 {
2777 }
2779 /* Return the position, in bits, of FIELD_DECL from the beginning of its
2780 structure. */
2782 static HOST_WIDE_INT
2784 {
2792 }
2795 /* Get constraint expressions for offsetting PTR by OFFSET. Stores the
2796 resulting constraint expressions in *RESULTS. */
2798 static void
2801 {
2806 /* If we do not do field-sensitive PTA adding offsets to pointers
2807 does not change the points-to solution. */
2809 {
2812 }
2814 /* If the offset is not a non-negative integer constant that fits
2815 in a HOST_WIDE_INT, we have to fall back to a conservative
2816 solution which includes all sub-fields of all pointed-to
2817 variables of ptr.
2818 ??? As we do not have the ability to express this, fall back
2819 to anything. */
2821 {
2828 }
2830 /* Make sure the bit-offset also fits. */
2834 {
2841 }
2847 /* As we are eventually appending to the solution do not use
2848 VEC_iterate here. */
2851 {
2852 varinfo_t curr;
2858 {
2861 /* Search the sub-field which overlaps with the
2862 pointed-to offset. As we deal with positive offsets
2863 only, we can start the search from the current variable. */
2866 /* If the result is outside of the variable we have to provide
2867 a conservative result, as the variable is still reachable
2868 from the resulting pointer (even though it technically
2869 cannot point to anything). The last sub-field is such
2870 a conservative result.
2871 ??? If we always had a sub-field for &object + 1 then
2872 we could represent this in a more precise way. */
2874 {
2879 }
2881 /* If the found variable is not exactly at the pointed to
2882 result, we have to include the next variable in the
2883 solution as well. Otherwise two increments by offset / 2
2884 do not result in the same or a conservative superset
2885 solution. */
2888 {
2894 }
2897 }
2899 /* If this varinfo represents a full variable just use it. */
2902 else
2904 }
2905 }
2908 /* Given a COMPONENT_REF T, return the constraint_expr vector for it.
2909 If address_p is true the result will be taken its address of. */
2911 static void
2914 {
2918 HOST_WIDE_INT bitpos;
2919 tree forzero;
2922 /* Some people like to do cute things like take the address of
2923 &0->a.b */
2929 {
2937 }
2941 /* Pretend to take the address of the base, we'll take care of
2942 adding the required subset of sub-fields below. */
2947 /* This can also happen due to weird offsetof type macros. */
2953 /* For single-field vars do not bother about the offset. */
2956 {
2957 /* In languages like C, you can access one past the end of an
2958 array. You aren't allowed to dereference it, so we can
2959 ignore this constraint. When we handle pointer subtraction,
2960 we may have to do something cute here. */
2964 {
2965 /* It's also not true that the constraint will actually start at the
2966 right offset, it may start in some padding. We only care about
2967 setting the constraint to the first actual field it touches, so
2968 walk to find it. */
2970 varinfo_t curr;
2974 {
2977 {
2982 }
2983 }
2984 /* If we are going to take the address of this field then
2985 to be able to compute reachability correctly add at least
2986 the last field of the variable. */
2989 {
2995 }
2996 else
2997 /* Assert that we found *some* field there. The user couldn't be
2998 accessing *only* padding. */
2999 /* Still the user could access one past the end of an array
3000 embedded in a struct resulting in accessing *only* padding. */
3003 }
3005 {
3009 }
3010 else
3013 }
3015 {
3016 /* We can't handle DEREF constraints with unknown size, we'll
3017 get the wrong answer. Punt and return anything. */
3020 }
3021 else
3023 }
3026 /* Dereference the constraint expression CONS, and return the result.
3027 DEREF (ADDRESSOF) = SCALAR
3028 DEREF (SCALAR) = DEREF
3029 DEREF (DEREF) = (temp = DEREF1; result = DEREF(temp))
3030 This is needed so that we can handle dereferencing DEREF constraints. */
3032 static void
3034 {
3039 {
3045 {
3050 }
3051 else
3053 }
3054 }
3056 /* Given a tree T, return the constraint expression for it. */
3058 static void
3060 {
3063 /* x = integer is all glommed to a single variable, which doesn't
3064 point to anything by itself. That is, of course, unless it is an
3065 integer constant being treated as a pointer, in which case, we
3066 will return that this is really the addressof anything. This
3067 happens below, since it will fall into the default case. The only
3068 case we know something about an integer treated like a pointer is
3069 when it is the NULL pointer, and then we just say it points to
3070 NULL.
3072 Do not do that if -fno-delete-null-pointer-checks though, because
3073 in that case *NULL does not fail, so it _should_ alias *anything.
3074 It is not worth adding a new option or renaming the existing one,
3075 since this case is relatively obscure. */
3079 {
3085 }
3087 /* String constants are read-only. */
3089 {
3095 }
3098 {
3100 {
3102 {
3104 {
3112 {
3115 else
3117 }
3119 }
3122 }
3124 }
3126 {
3128 {
3130 {
3134 }
3141 }
3143 }
3145 {
3147 {
3149 {
3152 }
3154 }
3156 }
3158 {
3161 }
3163 }
3165 /* The default fallback is a constraint from anything. */
3170 }
3172 /* Given a gimple tree T, return the constraint expression vector for it. */
3174 static void
3176 {
3180 }
3182 /* Handle the structure copy case where we have a simple structure copy
3183 between LHS and RHS that is of SIZE (in bits)
3185 For each field of the lhs variable (lhsfield)
3186 For each field of the rhs variable at lhsfield.offset (rhsfield)
3187 add the constraint lhsfield = rhsfield
3189 If we fail due to some kind of type unsafety or other thing we
3190 can't handle, return false. We expect the caller to collapse the
3191 variable in that case. */
3193 static bool
3197 {
3203 {
3204 varinfo_t q;
3217 }
3219 }
3222 /* Handle the structure copy case where we have a structure copy between a
3223 aggregate on the LHS and a dereference of a pointer on the RHS
3224 that is of SIZE (in bits)
3226 For each field of the lhs variable (lhsfield)
3227 rhs.offset = lhsfield->offset
3228 add the constraint lhsfield = rhs
3229 */
3231 static void
3235 {
3242 {
3243 varinfo_t q;
3251 else
3258 }
3259 }
3261 /* Handle the structure copy case where we have a structure copy
3262 between an aggregate on the RHS and a dereference of a pointer on
3263 the LHS that is of SIZE (in bits)
3265 For each field of the rhs variable (rhsfield)
3266 lhs.offset = rhsfield->offset
3267 add the constraint lhs = rhsfield
3268 */
3270 static void
3274 {
3281 {
3282 varinfo_t q;
3290 else
3297 }
3298 }
3300 /* Sometimes, frontends like to give us bad type information. This
3301 function will collapse all the fields from VAR to the end of VAR,
3302 into VAR, so that we treat those fields as a single variable.
3303 We return the variable they were collapsed into. */
3305 static unsigned int
3307 {
3309 varinfo_t field;
3312 {
3319 }
3325 }
3327 /* Handle aggregate copies by expanding into copies of the respective
3328 fields of the structures. */
3330 static void
3332 {
3335 varinfo_t p;
3339 /* Pretend we are taking the address of the constraint exprs.
3340 We deal with walking the sub-fields ourselves. */
3351 /* If we have special var = x, swap it around. */
3353 {
3357 }
3359 /* This is fairly conservative for the RHS == ADDRESSOF case, in that it's
3360 possible it's something we could handle. However, most cases falling
3361 into this are dealing with transparent unions, which are slightly
3362 weird. */
3364 {
3367 }
3369 /* If the RHS is a special var, or an addressof, set all the LHS fields to
3370 that special var. */
3372 {
3374 {
3380 else
3383 }
3384 }
3385 else
3386 {
3389 tree rhstypesize;
3390 tree lhstypesize;
3395 /* If we have a variably sized types on the rhs or lhs, and a deref
3396 constraint, add the constraint, lhsconstraint = &ANYTHING.
3397 This is conservatively correct because either the lhs is an unknown
3398 sized var (if the constraint is SCALAR), or the lhs is a DEREF
3399 constraint, and every variable it can point to must be unknown sized
3400 anyway, so we don't need to worry about fields at all. */
3403 {
3409 }
3411 /* The size only really matters insofar as we don't set more or less of
3412 the variable. If we hit an unknown size var, the size should be the
3413 whole darn thing. */
3416 else
3421 else
3426 {
3428 {
3436 }
3437 }
3442 else
3443 {
3445 tree tmpvar;
3451 }
3452 }
3453 }
3455 /* Create a constraint ID = OP. */
3457 static void
3459 {
3473 }
3475 /* Make constraints necessary to make OP escape. */
3477 static void
3479 {
3481 }
3483 /* For non-IPA mode, generate constraints necessary for a call on the
3484 RHS. */
3486 static void
3488 {
3493 {
3496 /* Find those pointers being passed, and make sure they end up
3497 pointing to anything. */
3500 }
3502 /* The static chain escapes as well. */
3506 /* Regular functions return escaped addresses. */
3511 }
3513 /* For non-IPA mode, generate constraints necessary for a call
3514 that returns a pointer and assigns it to LHS. This simply makes
3515 the LHS point to global and escaped variables. */
3517 static void
3519 {
3527 {
3530 varinfo_t vi;
3533 {
3540 }
3554 }
3556 {
3559 /* If the store is to a global decl make sure to
3560 add proper escape constraints. */
3565 {
3571 }
3575 }
3577 }
3579 /* For non-IPA mode, generate constraints necessary for a call of a
3580 const function that returns a pointer in the statement STMT. */
3582 static void
3584 {
3589 /* Treat nested const functions the same as pure functions as far
3590 as the static chain is concerned. */
3592 {
3598 }
3600 /* May return arguments. */
3602 {
3606 {
3611 /* We always use a temporary here, otherwise we end up with
3612 a quadratic amount of constraints for
3613 large_struct = const_call (large_struct);
3614 with field-sensitive PTA. */
3616 {
3619 }
3625 }
3626 }
3630 /* May return addresses of globals. */
3635 }
3637 /* For non-IPA mode, generate constraints necessary for a call to a
3638 pure function in statement STMT. */
3640 static void
3642 {
3647 /* Memory reached from pointer arguments is call-used. */
3649 {
3653 {
3656 }
3657 }
3659 /* The static chain is used as well. */
3661 {
3664 }
3666 /* Pure functions may return callused and escaped memory. */
3668 {
3673 }
3678 }
3680 /* Walk statement T setting up aliasing constraints according to the
3681 references found in T. This function is the main part of the
3682 constraint builder. AI points to auxiliary alias information used
3683 when building alias sets and computing alias grouping heuristics. */
3685 static void
3687 {
3694 /* Now build constraints expressions. */
3696 {
3699 /* Only care about pointers and structures containing
3700 pointers. */
3702 {
3706 /* For a phi node, assign all the arguments to
3707 the result. */
3710 {
3711 tree rhstype;
3719 {
3722 {
3726 }
3727 }
3728 }
3729 }
3730 }
3731 /* In IPA mode, we need to generate constraints to pass call
3732 arguments through their calls. There are two cases,
3733 either a GIMPLE_CALL returning a value, or just a plain
3734 GIMPLE_CALL when we are not.
3736 In non-ipa mode, we need to generate constraints for each
3737 pointer passed by address. */
3739 {
3741 {
3745 /* Const functions can return their arguments and addresses
3746 of global memory but not of escaped memory. */
3748 {
3752 }
3753 /* Pure functions can return addresses in and of memory
3754 reachable from their arguments, but they are not an escape
3755 point for reachable memory of their arguments. */
3758 else
3764 }
3765 else
3766 {
3767 tree lhsop;
3768 varinfo_t fi;
3771 tree decl;
3776 /* If we can directly resolve the function being called, do so.
3777 Otherwise, it must be some sort of indirect expression that
3778 we should still be able to handle. */
3781 else
3782 {
3785 }
3787 /* Assign all the passed arguments to the appropriate incoming
3788 parameters of the function. */
3790 {
3797 {
3801 }
3802 else
3803 {
3807 }
3809 {
3813 }
3814 i++;
3815 }
3817 /* If we are returning a value, assign it to the result. */
3819 {
3826 {
3830 }
3831 else
3832 {
3836 }
3839 }
3840 }
3841 }
3842 /* Otherwise, just a regular assignment statement. Only care about
3843 operations with pointer result, others are dealt with as escape
3844 points if they have pointer operands. */
3847 {
3848 /* Otherwise, just a regular assignment statement. */
3854 else
3855 {
3868 else
3869 {
3874 }
3876 {
3882 }
3883 }
3884 }
3886 {
3892 }
3896 {
3899 {
3906 }
3909 {
3912 }
3913 else
3915 }
3917 {
3922 }
3924 {
3927 {
3930 /* Strictly we'd only need the constraints from ESCAPED and
3931 NONLOCAL. */
3933 }
3935 {
3938 /* Strictly we'd only need the constraint to ESCAPED. */
3940 }
3941 }
3943 /* After promoting variables and computing aliasing we will
3944 need to re-scan most statements. FIXME: Try to minimize the
3945 number of statements re-scanned. It's not really necessary to
3946 re-scan *all* statements. */
3951 }
3954 /* Find the first varinfo in the same variable as START that overlaps with
3955 OFFSET.
3956 Effectively, walk the chain of fields for the variable START to find the
3957 first field that overlaps with OFFSET.
3958 Return NULL if we can't find one. */
3960 static varinfo_t
3962 {
3965 {
3966 /* We may not find a variable in the field list with the actual
3967 offset when when we have glommed a structure to a variable.
3968 In that case, however, offset should still be within the size
3969 of the variable. */
3973 }
3975 }
3978 /* Insert the varinfo FIELD into the field list for BASE, at the front
3979 of the list. */
3981 static void
3983 {
3989 }
3991 /* Insert the varinfo FIELD into the field list for BASE, ordered by
3992 offset. */
3994 static void
3996 {
4001 {
4004 }
4005 else
4006 {
4008 {
4013 }
4016 }
4017 }
4019 /* This structure is used during pushing fields onto the fieldstack
4020 to track the offset of the field, since bitpos_of_field gives it
4021 relative to its immediate containing type, and we want it relative
4022 to the ultimate containing object. */
4024 struct fieldoff
4025 {
4026 /* Offset from the base of the base containing object to this field. */
4027 HOST_WIDE_INT offset;
4029 /* Size, in bits, of the field. */
4035 };
4041 /* qsort comparison function for two fieldoff's PA and PB */
4043 static int
4045 {
4062 }
4064 /* Sort a fieldstack according to the field offset and sizes. */
4065 static void
4067 {
4071 fieldoff_compare);
4072 }
4074 /* Return true if V is a tree that we can have subvars for.
4075 Normally, this is any aggregate type. Also complex
4076 types which are not gimple registers can have subvars. */
4080 {
4081 /* Volatile variables should never have subvars. */
4085 /* Non decls or memory tags can never have subvars. */
4089 /* Aggregates without overlapping fields can have subvars. */
4094 }
4096 /* Given a TYPE, and a vector of field offsets FIELDSTACK, push all
4097 the fields of TYPE onto fieldstack, recording their offsets along
4098 the way.
4100 OFFSET is used to keep track of the offset in this entire
4101 structure, rather than just the immediately containing structure.
4102 Returns the number of fields pushed. */
4104 static int
4106 HOST_WIDE_INT offset)
4107 {
4108 tree field;
4114 /* If the vector of fields is growing too big, bail out early.
4115 Callers check for VEC_length <= MAX_FIELDS_FOR_FIELD_SENSITIVE, make
4116 sure this fails. */
4122 {
4135 /* Empty structures may have actual size, like in C++. So
4136 see if we didn't push any subfields and the size is
4137 nonzero, push the field onto the stack. */
4141 {
4152 /* If adjacent fields do not contain pointers merge them. */
4157 && !has_unknown_size
4159 {
4162 }
4163 else
4164 {
4170 else
4173 count++;
4174 }
4175 }
4176 else
4178 }
4181 }
4183 /* Create a constraint ID = &FROM. */
4185 static void
4187 {
4198 }
4200 /* Count the number of arguments DECL has, and set IS_VARARGS to true
4201 if it is a varargs function. */
4203 static unsigned int
4205 {
4207 tree t;
4210 t;
4212 {
4215 i++;
4216 }
4221 }
4223 /* Creation function node for DECL, using NAME, and return the index
4224 of the variable we've created for the function. */
4226 static unsigned int
4228 {
4230 varinfo_t vi;
4231 tree arg;
4235 /* Create the variable info. */
4247 /* If it's varargs, we don't know how many arguments it has, so we
4248 can't do much. */
4250 {
4255 }
4260 /* Set up variables for each argument. */
4262 {
4263 varinfo_t argvi;
4287 {
4290 }
4291 }
4293 /* Create a variable for the return var. */
4296 {
4297 varinfo_t resultvi;
4324 }
4326 }
4329 /* Return true if FIELDSTACK contains fields that overlap.
4330 FIELDSTACK is assumed to be sorted by offset. */
4332 static bool
4334 {
4340 {
4344 }
4346 }
4348 /* Create a varinfo structure for NAME and DECL, and add it to VARMAP.
4349 This will also create any varinfo structures necessary for fields
4350 of DECL. */
4352 static unsigned int
4354 {
4356 varinfo_t vi;
4372 /* If the variable doesn't have subvars, we may end up needing to
4373 sort the field list and create fake variables for all the
4374 fields. */
4381 {
4385 }
4386 else
4387 {
4390 }
4396 {
4400 else
4402 }
4410 {
4417 {
4420 {
4423 }
4424 }
4426 /* We can't sort them if we have a field with a variable sized type,
4427 which will make notokay = true. In that case, we are going to return
4428 without creating varinfos for the fields anyway, so sorting them is a
4429 waste to boot. */
4431 {
4433 /* Due to some C++ FE issues, like PR 22488, we might end up
4434 what appear to be overlapping fields even though they,
4435 in reality, do not overlap. Until the C++ FE is fixed,
4436 we will simply disable field-sensitivity for these cases. */
4438 }
4445 {
4452 }
4459 i--)
4460 {
4461 varinfo_t newvi;
4467 {
4473 }
4486 }
4487 }
4488 else
4494 }
4496 /* Print out the points-to solution for VAR to FILE. */
4498 void
4500 {
4503 bitmap_iterator bi;
4506 {
4509 }
4510 else
4511 {
4514 {
4516 }
4521 }
4522 }
4524 /* Print the points-to solution for VAR to stdout. */
4526 void
4528 {
4530 }
4532 /* Create varinfo structures for all of the variables in the
4533 function for intraprocedural mode. */
4535 static void
4537 {
4538 tree t;
4541 /* For each incoming pointer argument arg, create the constraint ARG
4542 = NONLOCAL or a dummy variable if flag_argument_noalias is set. */
4544 {
4545 varinfo_t p;
4550 /* If flag_argument_noalias is set, then function pointer
4551 arguments are guaranteed not to point to each other. In that
4552 case, create an artificial variable PARM_NOALIAS and the
4553 constraint ARG = &PARM_NOALIAS. */
4555 {
4556 varinfo_t vi;
4564 {
4565 var_ann_t ann;
4582 else
4584 }
4596 {
4600 }
4601 }
4602 else
4603 {
4608 }
4609 }
4611 /* Add a constraint for a result decl that is passed by reference. */
4614 {
4619 }
4621 /* Add a constraint for the incoming static chain parameter. */
4623 {
4628 }
4629 }
4631 /* Structure used to put solution bitmaps in a hashtable so they can
4632 be shared among variables with the same points-to set. */
4635 {
4636 bitmap pt_vars;
4637 hashval_t hashcode;
4643 /* Hash function for a shared_bitmap_info_t */
4645 static hashval_t
4647 {
4650 }
4652 /* Equality function for two shared_bitmap_info_t's. */
4654 static int
4656 {
4660 }
4662 /* Lookup a bitmap in the shared bitmap hashtable, and return an already
4663 existing instance if there is one, NULL otherwise. */
4665 static bitmap
4667 {
4678 else
4680 }
4683 /* Add a bitmap to the shared bitmap hashtable. */
4685 static void
4687 {
4698 }
4701 /* Set bits in INTO corresponding to the variable uids in solution set
4702 FROM, which came from variable PTR.
4703 For variables that are actually dereferenced, we also use type
4704 based alias analysis to prune the points-to sets.
4705 IS_DEREFED is true if PTR was directly dereferenced, which we use to
4706 help determine whether we are we are allowed to prune using TBAA.
4707 If NO_TBAA_PRUNING is true, we do not perform any TBAA pruning of
4708 the from set. Returns the number of pruned variables. */
4710 static unsigned
4713 {
4715 bitmap_iterator bi;
4721 {
4724 /* The only artificial variables that are allowed in a may-alias
4725 set are heap variables. */
4732 {
4733 /* Just add VI->DECL to the alias set.
4734 Don't type prune artificial vars or points-to sets
4735 for pointers that have not been dereferenced or with
4736 type-based pruning disabled. */
4738 || !is_derefed
4739 || no_tbaa_pruning
4742 else
4743 {
4750 else
4752 }
4753 }
4754 }
4757 }
4762 /* Emit a note for the pointer initialization point DEF. */
4764 static void
4766 {
4769 {
4770 use_operand_p argp;
4771 ssa_op_iter oi;
4774 {
4777 {
4780 }
4781 else
4783 }
4784 }
4787 }
4789 /* Emit a strict aliasing warning for dereferencing the pointer PTR. */
4791 static void
4793 {
4794 gimple use;
4795 imm_use_iterator ui;
4799 {
4803 {
4809 }
4811 {
4817 }
4819 {
4822 {
4828 }
4829 }
4832 {
4835 "dereferencing pointer %qD does break "
4837 }
4838 }
4840 {
4844 }
4845 }
4847 /* Given a pointer variable P, fill in its points-to set, or return
4848 false if we can't.
4849 Rather than return false for variables that point-to anything, we
4850 instead find the corresponding SMT, and merge in its aliases. In
4851 addition to these aliases, we also set the bits for the SMT's
4852 themselves and their subsets, as SMT's are still in use by
4853 non-SSA_NAME's, and pruning may eliminate every one of their
4854 aliases. In such a case, if we did not include the right set of
4855 SMT's in the points-to set of the variable, we'd end up with
4856 statements that do not conflict but should. */
4858 bool
4860 {
4862 varinfo_t vi;
4867 /* For parameters, get at the points-to set for the actual parm
4868 decl. */
4876 {
4880 /* See if this is a field or a structure. */
4882 {
4883 /* Nothing currently asks about structure fields directly,
4884 but when they do, we need code here to hand back the
4885 points-to set. */
4887 }
4888 else
4889 {
4892 bitmap_iterator bi;
4894 bitmap finished_solution;
4895 bitmap result;
4900 /* This variable may have been collapsed, let's get the real
4901 variable. */
4904 /* Translate artificial variables into SSA_NAME_PTR_INFO
4905 attributes. */
4907 {
4911 {
4912 /* FIXME. READONLY should be handled better so that
4913 flow insensitive aliasing can disregard writable
4914 aliases. */
4929 }
4930 }
4932 /* Instead of doing extra work, simply do not create
4933 points-to information for pt_anything pointers. This
4934 will cause the operand scanner to fall back to the
4935 type-based SMT and its aliases. Which is the best
4936 we could do here for the points-to set as well. */
4940 /* Share the final set of variables when possible. */
4950 {
4953 }
4954 else
4955 {
4958 }
4961 {
4968 {
4970 {
4974 }
4976 }
4977 }
4980 }
4981 }
4984 }
4986 /* Mark the ESCAPED solution as call clobbered. Returns false if
4987 pt_anything escaped which needs all locals that have their address
4988 taken marked call clobbered as well. */
4990 bool
4992 {
4993 varinfo_t vi;
4995 bitmap_iterator bi;
5000 /* This variable may have been collapsed, let's get the real
5001 variable for escaped_id. */
5004 /* If call-used memory escapes we need to include it in the
5005 set of escaped variables. This can happen if a pure
5006 function returns a pointer and this pointer escapes. */
5008 {
5011 }
5013 /* Mark variables in the solution call-clobbered. */
5015 {
5019 {
5020 /* nothing_id and readonly_id do not cause any
5021 call clobber ops. For anything_id and integer_id
5022 we need to clobber all addressable vars. */
5026 }
5028 /* Only artificial heap-vars are further interesting. */
5037 }
5040 }
5042 /* Compute the call-used variables. */
5044 void
5046 {
5047 varinfo_t vi;
5049 bitmap_iterator bi;
5055 /* This variable may have been collapsed, let's get the real
5056 variable for escaped_id. */
5059 /* Mark variables in the solution call-clobbered. */
5061 {
5065 {
5066 /* For anything_id and integer_id we need to make
5067 all local addressable vars call-used. */
5071 }
5073 /* Only artificial heap-vars are further interesting. */
5082 }
5084 /* If anything is call-used, add all addressable locals to the set. */
5088 }
5091 /* Dump points-to information to OUTFILE. */
5093 void
5095 {
5101 {
5114 }
5118 }
5121 /* Debug points-to information to stderr. */
5123 void
5125 {
5127 }
5130 /* Initialize the always-existing constraint variables for NULL
5131 ANYTHING, READONLY, and INTEGER */
5133 static void
5135 {
5138 /* Create the NULL variable, used to represent that a variable points
5139 to NULL. */
5150 /* Create the ANYTHING variable, used to represent that a variable
5151 points to some unknown piece of memory. */
5162 /* Anything points to anything. This makes deref constraints just
5163 work in the presence of linked list and other p = *p type loops,
5164 by saying that *ANYTHING = ANYTHING. */
5173 /* This specifically does not use process_constraint because
5174 process_constraint ignores all anything = anything constraints, since all
5175 but this one are redundant. */
5178 /* Create the READONLY variable, used to represent that a variable
5179 points to readonly memory. */
5191 /* readonly memory points to anything, in order to make deref
5192 easier. In reality, it points to anything the particular
5193 readonly variable can point to, but we don't track this
5194 separately. */
5203 /* Create the ESCAPED variable, used to represent the set of escaped
5204 memory. */
5216 /* ESCAPED = *ESCAPED, because escaped is may-deref'd at calls, etc. */
5225 /* Create the NONLOCAL variable, used to represent the set of nonlocal
5226 memory. */
5237 /* Nonlocal memory points to escaped (which includes nonlocal),
5238 in order to make deref easier. */
5247 /* Create the CALLUSED variable, used to represent the set of call-used
5248 memory. */
5259 /* CALLUSED = *CALLUSED, because call-used is may-deref'd at calls, etc. */
5268 /* Create the STOREDANYTHING variable, used to represent the set of
5269 variables stored to *ANYTHING. */
5281 /* Create the INTEGER variable, used to represent that a variable points
5282 to an INTEGER. */
5294 /* INTEGER = ANYTHING, because we don't know where a dereference of
5295 a random integer will point to. */
5304 /* *ESCAPED = &ESCAPED. This is true because we have to assume
5305 everything pointed to by escaped can also point to escaped. */
5314 /* *ESCAPED = &NONLOCAL. This is true because we have to assume
5315 everything pointed to by escaped can also point to nonlocal. */
5323 }
5325 /* Initialize things necessary to perform PTA */
5327 static void
5329 {
5348 }
5350 /* Remove the REF and ADDRESS edges from GRAPH, as well as all the
5351 predecessor edges. */
5353 static void
5355 {
5358 /* Clear the implicit ref and address nodes from the successor
5359 lists. */
5361 {
5365 }
5367 /* Free the successor list for the non-ref nodes. */
5369 {
5372 }
5374 /* Now reallocate the size of the successor list as, and blow away
5375 the predecessor bitmaps. */
5384 }
5386 /* Compute the set of variables we can't TBAA prune. */
5388 static void
5390 {
5399 /* Mark all initial no_tbaa_pruning nodes as changed. */
5402 {
5406 {
5410 {
5413 }
5414 }
5415 }
5418 {
5425 {
5426 bitmap_iterator bi;
5430 /* If this variable is not a representative, skip it. */
5434 /* If the node has changed, we need to process the complex
5435 constraints and outgoing edges again. */
5437 {
5439 constraint_t c;
5445 /* Process the complex copy constraints. */
5447 {
5449 {
5453 {
5456 {
5459 }
5460 }
5461 }
5462 }
5464 /* Propagate to all successors. */
5466 {
5470 /* Don't propagate to ourselves. */
5475 {
5478 {
5481 }
5482 }
5483 }
5484 }
5485 }
5488 }
5493 {
5495 {
5500 {
5507 {
5510 /* Tell the RTL layer that this pointer can alias
5511 anything. */
5513 }
5514 }
5515 }
5516 }
5517 }
5519 /* Create points-to sets for the current function. See the comments
5520 at the start of the file for an algorithmic overview. */
5522 void
5524 {
5526 basic_block bb;
5535 /* Now walk all statements and derive aliases. */
5537 {
5538 gimple_stmt_iterator gsi;
5541 {
5546 }
5550 }
5554 {
5557 }
5597 /* Implicit nodes and predecessors are no longer necessary at this
5598 point. */
5614 }
5617 /* Delete created points-to sets. */
5619 void
5621 {
5648 }
5650 /* Return true if we should execute IPA PTA. */
5651 static bool
5653 {
5655 /* Don't bother doing anything if the program has errors. */
5657 }
5659 /* Execute the driver for IPA PTA. */
5660 static unsigned int
5662 {
5671 {
5677 {
5681 }
5682 }
5684 {
5686 {
5688 basic_block bb;
5698 {
5699 gimple_stmt_iterator gsi;
5703 {
5708 }
5712 }
5715 }
5716 else
5717 {
5718 /* Make point to anything. */
5719 }
5720 }
5723 {
5726 }
5744 /* Implicit nodes and predecessors are no longer necessary at this
5745 point. */
5760 }
5763 {
5764 {
5765 SIMPLE_IPA_PASS,
5777 TODO_update_ssa /* todo_flags_finish */
5778 }
5779 };
5781 /* Initialize the heapvar for statement mapping. */
5782 void
5784 {
5787 NULL);
5788 }
5790 void
5792 {
5795 }