mchalupa / dg

[LLVM Static Slicer] Various program analyses, construction of dependence graphs and program slicing of LLVM bitcode.
MIT License

Inaccurate slicing. #428

Closed jiachunpeng closed 2 years ago

jiachunpeng commented 2 years ago

Code

void *malloc(unsigned long size);
void free(void *ptr);

void swap(void **a, void **b) {
  void *c = *a;
  *a = *b;
  *b = c;
}

int main() {
  void *a = 0;
  void *b = 0;
  void *c = 0;
  a = malloc(5);   /* allocation 1 */
  b = malloc(5);   /* allocation 2 */
  swap(&a, &c);    /* a = 0, c = allocation 1 */
  swap(&a, &c);    /* a = allocation 1, c = 0 */
  swap(&b, &c);    /* b = 0, c = allocation 2 */
  free(a);         /* frees allocation 1 */
  free(b);         /* free(0) */
}

Command

clang -emit-llvm -g test.c -c
llvm-slicer test.bc -c free -dump-dg

Output

[image attached in the original issue]

Issue

b = malloc(5) and swap(&b, &c) can be sliced away, but the llvm-slicer retains them.

mchalupa commented 2 years ago

This is because our pointer analysis is context-insensitive, and therefore calling swap like this merges the knowledge about pointers. Check the output from llvm-pta-dump test.bc

[...]
main::  %6 = load i8*, i8** %1, align 8, !dbg !30
  -> main::  %4 = call align 16 i8* @malloc(i64 5), !dbg !23
  -> main::  %5 = call align 16 i8* @malloc(i64 5), !dbg !25
  -> null
main::  %7 = load i8*, i8** %2, align 8, !dbg !32
  -> main::  %4 = call align 16 i8* @malloc(i64 5), !dbg !23
  -> main::  %5 = call align 16 i8* @malloc(i64 5), !dbg !25
  -> null

The points-to analysis says that the values of a and b may be either null or either of the two allocations.

I'm closing this issue as it is not a bug. If you want to take this rather as a "feature request", we can rename and re-open it.
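To make the merging the maintainer describes concrete, here is a small may-points-to simulation of the program from the issue. It is an added example written for this page, not dg's analysis or any part of its code base; the allocation names m1 and m2 for the two malloc sites are this example's own. The simulation is flow-sensitive inside main (locals get strong updates), so the only knob is how calls to swap are handled: a context-insensitive run gives swap's formal parameters one node each that points to the actual arguments of every call site, while a context-sensitive run evaluates swap's body once per call site with that call's arguments. The first run reproduces the sets that llvm-pta-dump printed; the second gives the sets the concrete execution actually has.

```python
"""Toy may-points-to analysis for the swap program (added example, not dg code).

Abstract values are sets of allocation names; "null" stands for the null pointer.
Allocation-site names m1/m2 are assumed for the two malloc calls.
"""
from typing import Dict, FrozenSet, List, Tuple

PtsSet = FrozenSet[str]
State = Dict[str, PtsSet]

# main() from the issue, constructed here as (op, x, y) tuples:
#   ("alloc", var, site)   ->  var = malloc(...)   (site is the allocation name)
#   ("swap", x, y)         ->  swap(&x, &y)
MAIN: List[Tuple[str, str, str]] = [
    ("alloc", "a", "m1"),
    ("alloc", "b", "m2"),
    ("swap", "a", "c"),
    ("swap", "a", "c"),
    ("swap", "b", "c"),
]


def load_through(state: State, ptrs: PtsSet) -> PtsSet:
    """Value of *p when p may point to any variable in `ptrs` (union of their sets)."""
    return frozenset().union(*(state[v] for v in ptrs))


def apply_swap(state: State, pts_a: PtsSet, pts_b: PtsSet) -> State:
    """Transfer function for swap's body:  c = *a;  *a = *b;  *b = c;

    pts_a / pts_b are the variables the formals a and b may point to.
    A store through a pointer with exactly one target is a strong update
    (old value replaced); with several targets it is a weak update (union),
    because we do not know which target is really written.
    """
    new = dict(state)
    tmp = load_through(new, pts_a)          # void *c = *a;
    rhs = load_through(new, pts_b)          # value of *b before the store
    for v in pts_a:                         # *a = *b;
        new[v] = rhs if len(pts_a) == 1 else new[v] | rhs
    for v in pts_b:                         # *b = c;
        new[v] = tmp if len(pts_b) == 1 else new[v] | tmp
    return new


def analyze(context_sensitive: bool) -> State:
    """Run main() abstractly; return what a, b and c may point to at the end."""
    state: State = {v: frozenset({"null"}) for v in ("a", "b", "c")}
    # Context-insensitive summary: each formal of swap collects the actual
    # arguments of *all* call sites, so a single node stands for "&a or &b".
    merged_a = frozenset(x for op, x, _ in MAIN if op == "swap")
    merged_b = frozenset(y for op, _, y in MAIN if op == "swap")
    for op, x, y in MAIN:
        if op == "alloc":
            state[x] = frozenset({y})       # strong update of a local
        else:
            pts_a = frozenset({x}) if context_sensitive else merged_a
            pts_b = frozenset({y}) if context_sensitive else merged_b
            state = apply_swap(state, pts_a, pts_b)
    return state


def may_point_to(state: State, var: str) -> List[str]:
    return sorted(state[var])


if __name__ == "__main__":
    for mode in (False, True):
        final = analyze(context_sensitive=mode)
        label = "context-sensitive" if mode else "context-insensitive"
        print(f"{label}:")
        for var in ("a", "b", "c"):
            print(f"  {var} -> {may_point_to(final, var)}")
```

Running it shows the context-insensitive sets for a and b both as {m1, m2, null}, which is exactly the llvm-pta-dump output above, whereas the context-sensitive run ends with a pointing only to m1, b only to null and c only to m2. The imprecision enters at the very first swap call: because the formal `a` may already point to either &a or &b, the store `*a = *b` has to be a weak update to both variables, and from then on the two allocations are never separated again.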