Points to analysis overlapping access #278
Conversation
…cess added functionality to track overlapping accesses
fixes to Global Function sizes
|
This seems to have fixed the issues (I'm surprised it was that simple) I was having yesterday but I'm going to test it with some more complex cases to make sure there aren't still any underlying problems. |
Did your issue's program include function pointers? |
|
Yes, it seemed to be that incorrect sizes were causing some weird problems. |
…ng accesses approach
|
I've added a test which demonstrates the remaining issue - if two pointers are loaded together into a single 128-bit register, then it is not correct to merge their pointees as if they are contiguous - the cells should always be collapsed. |
|
You've misunderstood the problem, the "overlapping access" test was fine before. |
|
Although I guess it doesn't make a difference right now since it would never be possible for the cells to point to different things |
|
I agree it doesn't make a lot of difference with the current approach, it's simpler and definitely sound to grow the size of the pointer cell to equal the size of the access, it will then merge with it's adjacent cells that are also getting accessed which then in turn also unifies their pointees. Keeping the multiple pointer cells getting dereferenced as separate is trickier. Currently the pointer cells are kept separate and their pointees are merged and also collapsed. I'm fine with either specially if we want to be able to get more precision out of overlapping accesses, we will need to consider the pointer cells separate, so it's good to keep them that way and pick up on any issues if they still exist |
|
For now it's we just get clearer results if we do merge & collapse the cells like that I think, but it's good that you've figured out how to make the more precise version work because we'll likely want to build on that in the future. Sorry for the confusion. |
|
I tried to merge this in but I can't merge this in without breaking things so I will leave it for another time. |
|
will have a look after the workshop |
# Conflicts: # src/main/scala/analysis/data_structure_analysis/Graph.scala # src/main/scala/analysis/data_structure_analysis/LocalPhase.scala # src/main/scala/analysis/data_structure_analysis/SymbolicAddressAnalysis.scala # src/main/scala/analysis/data_structure_analysis/Utility.scala
|
I'm not sure about why some examples (secret_write and basic_function_call_caller for gtirb and basic_lock_read as well as the other two for bap ) fail verification now |
| val index: Expr = unwrapPaddingAndSlicing(ind) | ||
| assert(size % 8 == 0) | ||
| val byteSize = size / 8 | ||
| val global = isGlobal(index, n, byteSize) | ||
| val stack = isStack(index, n) | ||
| val indexCell = graph.adjust(graph.accessIndexToSlice(store)) | ||
| assert(!indexCell.node.get.flags.merged) // check index cell is a placeholder | ||
| val addressPointee: Cell = if (global.isDefined) { | ||
| graph.mergeCells(graph.find(global.get), indexCell) | ||
| graph.adjust(graph.find(global.get).getPointee) | ||
| } else if (stack.isDefined) { | ||
| graph.mergeCells(graph.find(stack.get), indexCell) | ||
| graph.adjust(graph.find(stack.get).getPointee) | ||
| } else { | ||
| index match { | ||
| case BinaryExpr(op, arg1: Variable, arg2) if op.equals(BVADD) => | ||
| evaluateExpression(arg2, constProp(n)) match { | ||
| case Some(v) => | ||
| // assert(varToSym(n).contains(arg1)) | ||
| val offset = v.value | ||
| visitPointerArithmeticOperation(n, indexCell, arg1, byteSize, false, offset) | ||
| visitPointerArithmeticOperation(n, Node(Some(graph)).cells(0), arg1, byteSize, true, offset) | ||
| case None => | ||
| // assert(varToSym(n).contains(arg1)) | ||
| // collapse the results | ||
| // visitPointerArithmeticOperation(n, DSN(Some(graph)).cells(0), arg1, byteSize, true, 0, true) | ||
| unsupportedPointerArithmeticOperation(n, index, Node(Some(graph)).cells(0)) | ||
| } | ||
| case arg: Variable => | ||
| // assert(varToSym(n).contains(arg)) | ||
| visitPointerArithmeticOperation(n, indexCell, arg, byteSize, false) | ||
| visitPointerArithmeticOperation(n, Node(Some(graph)).cells(0), arg, byteSize, true) | ||
| case _ => | ||
| ??? | ||
| } | ||
| } |
There was a problem hiding this comment.
The tests fail because you didn't keep the changed structure here which was important for correctly identifying the access indices, but when I've tried to keep this changed structure, then the DataStructureTests start failing and I'm not sure why that is.
| graph.mergeCells(graph.adjust(slice), c) | ||
| } | ||
|
|
||
| if global.isDefined then | ||
| graph.mergeCells(graph.find(global.get), indexCell) |
There was a problem hiding this comment.
Is this not doing the same exact merges with indexCell that the other structure is doing? I think the only thing that is changes is that first we merge all the possible valueCells with each other and then merging them with the addressPointee instead of getting the address pointee and then merging it with value cells
There was a problem hiding this comment.
I don't really remember why I figured out that change in order was necessary but it made a clear difference.
https://github.com/UQ-PAC/BASIL/tree/points_to_analysis_overlapping_access_merge_test
This branch has been merged to maintain that structure and with that all the memory region tests pass but it makes some of the tests in DataStructureAnalysisTest fail - can you have a look at that?
There was a problem hiding this comment.
Could you please take a look at this branch. I have reordered the merging operations to match the old way and now all the DSAMemoryREgionSystemTestsBAP pass but some of the gtirb ones throw an error where accessesEndian is empty
There was a problem hiding this comment.
Ah thanks, great work. I should be able to fix that, I ran into a similar bug before.
There was a problem hiding this comment.
There are memory sections getting created with size 0 because the largestaccessed size of them are 0
There was a problem hiding this comment.
Okay I think the problem was that if a literal is assigned that DSA knows is not an address to a global, it ignored it but now it grows the memory region it was assigned to that size
There was a problem hiding this comment.
It should grow the cell but it doesn't, I think?
There was a problem hiding this comment.
I don't know why it worked for the adt version without that tho
There was a problem hiding this comment.
It should grow the cell but it doesn't, I think?
Yeah this def was the case
There was a problem hiding this comment.
That seems to have fixed it, great! I don't know why there was a difference either, I'll give it a closer look next week to see if there's anything obvious there.
Overlapping accesses functionality for DSA.
Addresses overlapping accesses to Stack and Global Memory Locations through Addresses, Input/Output Parameters and Indirect Accesses