The analyses currently seem to overapproximate stack accesses that should be possible to distinguish.
The following is from the indirect_call/clang test .bir file. I've annotated it with the values for relevant variables given by the points-to analysis result at relevant points.
According to the analysis, stack_13 contains a pointer to 'greet', stack_24's contents are empty/unknown, and stack_6 contains the value 0bv32.
The analysis can't distinguish between accesses to stack_13 and stack_24, even though there shouldn't be any ambiguity. The analysis only resolves the indirect call to greet correctly at 000003b6 because it doesn't know what stack_24 points to and ignores it as a result.
This sort of issue is common across many different test cases.