Expand description

A fixpoint algorithm computing parameters of functions and their access patterns.

The fixpoint algorithm tracks the values of registers and the stack, although only stack accesses with known, constant offset are processed. Accesses to potential function parameters are collected together with the type of the access (is the value read, dereferenced for read access or dereferenced for write access). Accesses to constant addresses that may correspond to global variables are also tracked.

For values that are not directly tracked, the algorithm tracks the abstract location that describes how the pointer to that value was computed. This enables tracking of nested parameter objects without actually tracking the memory objects where these objects are located.

Known limitations of the analysis:

  • The analysis is an overapproximation in the sense that it may generate more input parameters than actually exist in some cases.
  • Only registers that are potential parameter registers in the standard calling convention of the CPU architecture are considered as potential parameter registers. For functions that use other registers than those in the standard calling convention for parameter passing the results of this analysis will be wrong.
  • Parameters that are used as input values for variadic functions may be missed. Some variadic functions are stubbed, i.e. parameter recognition should work for these. But not all variadic functions are stubbed.
  • For floating point parameter registers the base register is detected as a parameter, although only a smaller sub-register is the actual parameter in many cases. Also, if a function uses sub-registers of floating point registers as local variables, the registers may be incorrectly flagged as input parameters.
  • Tracking of nested parameters via their abstract locations is an unsound, heuristic approach, as the analysis does not keep track of when such nested pointers might get overwritten. Nevertheless, it should result in an overapproximation of parameters and their access patterns in most cases.
  • The nesting depth for tracked nested parameters is limited to avoid generating infinitely many parameters for recursive types like linked lists.
  • For arrays no parameters should be created for the array elements. However, if only a particular element in an array is accessed without iteration over the array, then a parameter might be generated for that element.

Modules

  • This module contains stubs for frequently used LibC-symbols as well as helper functions for handling the effects of calls to these functions.

Structs

  • Access flags to track different kind of access/usage patterns of a variable.
  • The signature of a function. Currently only contains information on the parameters of a function and their access patterns.

Functions