dead code does not propagate through previously live loops? #233
Comments
I think this It calls the analyzer/src/framework/constraints.ml Lines 599 to 601 in 8a74107 It is called for SelfLoop edges:analyzer/src/framework/constraints.ml Line 718 in 8a74107 These should correspond to interrupts: analyzer/src/framework/myCFG.ml Lines 39 to 40 in 8a74107 But this doesn't really matter if this issue cannot actually happen. Although it might still be worth renaming some of those things to make it very clear they're just about interrupts. |
|
Ah, ok, good to know, so it's just @michael-schwarz and @jerhard came up with an example that fails for solvers that work in phases (for the whole program): //PARAM: --disable ana.int.def_exc --enable ana.int.interval --sets solver slr3tp
int g = 0;
int main() {
int x;
for(x=0; x < 50; x++){
g = 1;
}
// x = [50, 50] after narrow
if(x>50){ // live after widen, but dead after narrow
// node after Pos(x>50) is marked dead at the end
// but the loop is not with x = [51,2147483647]
for(int i=0; i<=0; i--){
g = 57;
}
}
}This is not a problem with |
@michael-schwarz and I further discussed this with Helmut. We came up with the potential issue that there might be labels in the loop, and there might be jumps into the loop from outside that could make it live. One would therefore have to exclude that there are jumps into the loop body from outside code, to do this. |
|
Yes, he mentioned it to me as well.
What I wrote above should be sufficient and make these cases precise as well, no?
I.e. every edge going into the loop that does not come from the loop is an initial edge and at the head all of them have to be bot to propagate it. |
I guess that should work, yes. |
This sounds like a very non-local property though. I guess at the loop head Maybe one shouldn't speak of the head of such loop anyway and all target nodes of initial edges should be loop heads in this sense. One could construct loops with just gotos where there's no real head anyway. These initial edges and loop heads should be identifiable by some graph traversal (possibly very similar to the one already there are at the end of CFG construction). |
All transitions should be strict, no? So checking if the start node of an edge is bottom should be fine.
I thought the loop head is the node which has at least an initial and a back edge incoming. This would also apply to gotos.
Agree, that would be more precise. |
There's a theoretical issue with our constraints for loops that Helmut mentioned which might be worth thinking about.
The problem is that we just join all incoming edges at the loop head which may be a problem if there is some value > bot from the back-edge from inside the loop and bot from the initial edge.
If a loop is first live, but then after narrowing the initial edge to the nested loop becomes dead, it won't propagate bot, but join it with the back-edge.
The rhs for a loop should be strict for the initial edge
a, i.e.,if is_bot a then a else join a bwherebis the value of the back edge.The question is whether this can happen at all.
I tried to come up with an example for loops but couldn't find one -- maybe because
Base.invariantalways limits the values.If it can occur, the other question is how to improve it.
Constraints.FromSpec().tf_loopwould have to consider a loop head with two incoming edges and make the join left-strict.Problem: currently these generate a constraint for each edge of a node which are only afterwards joined into equations by
Generic.SimpleSysConverter.Also, one would have to think about loops that have jumps into them with goto (I guess you'd have to also identify all incoming edges into the loop body as initial).
The text was updated successfully, but these errors were encountered: