Christian Convey
2015-Jun-15 14:25 UTC
[LLVMdev] Expressing ambiguous points-to info in AliasAnalysis::alias(...) results?
On Mon, Jun 15, 2015 at 9:31 AM, Daniel Berlin <dberlin at dberlin.org> wrote:

> >> I tried to find some subset i felt was worthwhile and where it was
> >> okay, but gave up after a while.
> >
> > I'm not quite sure which things you're referring to in that statement.
> > Would you mind clarifying?
>
> You can try to ameliorate it by doing things like say "well, we
> believe code patterns that look like this generate valid pointers,
> but patterns that look like this can be ignored". It is very hard to
> find a set of patterns you allow that gives you anything meaningfully

Interesting. So do you know of a decent alternative? Or do you think that may-point-to analysis in something as general as LLVM IR is basically a dead end?

Also, can you share a few examples of code constructs which produce pointers used in correct programs, but which are hard to recognize statically? It's probably my inexperience talking, but the only examples I can think of involve interfacing with hardware.

I did look at the LLVM IR for calling a virtual function in C++, since you mentioned that as an example earlier. From manual inspection, I thought I could spot the value flow of the virtual function pointer from where the function was defined, into the vtable constant for that class, and then into the class instance's vtable pointer.

> As for your statement on authors putting a lot of thought into
> published algorithms - they do, but honestly, published algorithms
> should generally be treated like a starting point. They are often
> vastly simplified for publication, or otherwise in need of significant
> *engineering* work.

Thanks for the warning. Yes, I'm feeling that pain in spades :)
Daniel Berlin
2015-Jun-15 15:02 UTC
[LLVMdev] Expressing ambiguous points-to info in AliasAnalysis::alias(...) results?
On Mon, Jun 15, 2015 at 7:25 AM, Christian Convey <christian.convey at gmail.com> wrote:

> On Mon, Jun 15, 2015 at 9:31 AM, Daniel Berlin <dberlin at dberlin.org> wrote:
>> >> I tried to find some subset i felt was worthwhile and where it was
>> >> okay, but gave up after a while.
>> >
>> > I'm not quite sure which things you're referring to in that statement.
>> > Would you mind clarifying?
>>
>> You can try to ameliorate it by doing things like say "well, we
>> believe code patterns that look like this generate valid pointers,
>> but patterns that look like this can be ignored". It is very hard to
>> find a set of patterns you allow that gives you anything meaningfully
>
> Interesting. So do you know of a decent alternative? Or do you think that
> may-point-to analysis in something as general as LLVM IR is basically a dead
> end?

Points-to analysis on LLVM-IR itself is fine (see the current CFL-AA, or the old deleted Andersen's implementations), and giving may-alias and no-alias results also works. Giving must-alias answers, however, is difficult.

In particular, I would not simply ignore some types of constructs and expect to produce valid answers.

> Also, can you share a few examples of code constructs which produce pointers
> used in correct programs, but which are hard to recognize statically?

There are plenty of things that are illegal in C but legal in LLVM IR.

For example, the following is legal LLVM IR (sorry for C style, it's early):

    bar(int64 a) {
      int64 *foo = inttoptr(a);
      baz = load *foo;
    }

This is not illegal, and will produce a valid result.

Same with stuff like:

    bar(int64 *a) {
      int64 foo = ptrtoint(a);
      baz = foo + 5;
      int64 *b = inttoptr(baz);
      c = load *b;
    }

Again, not illegal, and produces a valid result. You can pretty much do what you want.

Things like "C pointer aliasing rules" exist only as metadata.

So in general, you can't expect "invalid pointers" to buy you very much.

> I did look at the LLVM IR for calling a virtual function in C++, since you
> mentioned that as an example earlier. From manual inspection, I thought I
> could spot the value flow of the virtual function pointer from where the
> function was defined, into the vtable constant for that class, and then into
> the class instance's vtable pointer.

This depends on the frontend generating the LLVM IR :)
Christian Convey
2015-Jun-15 17:33 UTC
[LLVMdev] Expressing ambiguous points-to info in AliasAnalysis::alias(...) results?
On Mon, Jun 15, 2015 at 11:02 AM, Daniel Berlin <dberlin at dberlin.org> wrote:

> Points-to analysis on LLVM-IR itself is fine (see the current CFL-AA,
> or the old deleted andersen's implementations), and giving may-alias
> and no-alias results also works. Giving must-alias answers, however,
> is difficult.
>
> In particular, i would not simply ignore some types of constructs and
> expect to produce valid answers.

Makes sense. Thanks for the advice.

> There are plenty of things that are illegal in C but legal in LLVM IR.
>
> For example, the following is legal LLVM IR (sorry for c style, it's early)
>
>     bar(int64 a) {
>       int64 *foo = inttoptr(a);
>       baz = load *foo;
>     }
>
> This is not illegal, and will produce a valid result.
>
> Same with stuff like:
>
>     bar(int64 *a) {
>       int64 foo = ptrtoint(a);
>       baz = foo + 5;
>       int64 *b = inttoptr(baz);
>       c = load *b;
>     }
>
> Again, not illegal, and produces a valid result.
> You can pretty much do what you want.
>
> Things like "c pointer aliasing rules" exist only as metadata.
> So in general, you can't expect "invalid pointers" to buy you very much.

I see, thanks for clarifying. The AA algorithm I've been working with assumes that the type system is going to lie, since C allows type punning. I'm pretty sure I can port that distrust to the LLVM IR version of the algorithm. It sounds like that would cover the examples you gave above, if I'm also appropriately pessimistic about the behavior of unknown / unanalyzed callers and callees.

Maybe what I'll try is to add a flag to each vertex in the may-point-to graph, indicating whether or not the vertex's memory might hold additional, poorly understood pointers. Then I can let an appropriate amount of hell break loose in the analysis, if a piece of memory with that flag is used in various ways.

That way, if over time I can make the algorithm better at detecting and making sense of code which generates new pointer values, I can just gradually reduce the cases where I need to set that flag.

> > I did look at the LLVM IR for calling a virtual function in C++, since you
> > mentioned that as an example earlier. From manual inspection, I thought I
> > could spot the value flow of the virtual function pointer from where the
> > function was defined, into the vtable constant for that class, and then into
> > the class instance's vtable pointer.
> This depends on the frontend generating the llvm IR :)

Touche.
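The two inttoptr/ptrtoint snippets Daniel quoted and the flagged-vertex idea in the reply above, as an added C example that is not part of this thread: the functions mirror the snippets in portable C, and Vertex, from_alloc, from_inttoptr and the two alias functions are an assumed toy model, not LLVM's AliasAnalysis. It shows why an analysis that treats integer-derived pointers as "invalid" answers NoAlias for memory that demonstrably aliases, and how the flag restores a conservative MayAlias.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed C rendering of the two IR snippets in the thread (not LLVM code). */

/* bar(int64 a): inttoptr then load. Valid whenever the integer holds the
 * address of a live int64 object, so an analysis cannot just drop it. */
static int64_t load_via_inttoptr(uint64_t a) {
    int64_t *foo = (int64_t *)(uintptr_t)a;     /* inttoptr(a) */
    return *foo;                                 /* load *foo */
}

/* bar(int64 *a): ptrtoint, integer arithmetic, inttoptr, load. The offset is
 * sizeof(int64_t) rather than the thread's +5 so the C stays aligned. */
static int64_t load_via_ptrtoint_arith(int64_t *a) {
    uint64_t foo = (uintptr_t)a;                 /* ptrtoint(a) */
    uint64_t baz = foo + sizeof(int64_t);        /* arithmetic on the address */
    int64_t *b = (int64_t *)(uintptr_t)baz;      /* inttoptr(baz) */
    return *b;                                   /* load *b */
}

/* A minimal may-point-to vertex carrying the "may hold poorly understood
 * pointers" flag proposed in the thread (assumed design, not LLVM's AA). */
typedef struct { const void *obj; int unknown; } Vertex;
enum Alias { NoAlias, MayAlias };

static Vertex from_alloc(const void *obj) { Vertex v = {obj, 0}; return v; }
static Vertex from_inttoptr(void)        { Vertex v = {NULL, 1}; return v; }

/* Treating inttoptr results as pointing nowhere answers NoAlias (unsound). */
static enum Alias alias_ignoring_inttoptr(Vertex x, Vertex y) {
    return (x.obj != NULL && x.obj == y.obj) ? MayAlias : NoAlias;
}
/* Honouring the flag answers the conservative MayAlias instead. */
static enum Alias alias_with_flag(Vertex x, Vertex y) {
    if (x.unknown || y.unknown) return MayAlias;
    return alias_ignoring_inttoptr(x, y);
}

/* Ground truth: a store through the integer-derived pointer is visible
 * through the original array, so the two really do alias. */
static int integer_derived_pointer_aliases(void) {
    int64_t arr[2] = {10, 20};
    uint64_t addr1 = (uintptr_t)&arr[1];
    *(int64_t *)(uintptr_t)addr1 = 99;           /* store via inttoptr */
    return arr[1] == 99
        && load_via_inttoptr(addr1) == 99
        && load_via_ptrtoint_arith(&arr[0]) == 99;
}
```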