-
Notifications
You must be signed in to change notification settings - Fork 107
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Simple constant propagation AST-based analysis #852
base: main
Are you sure you want to change the base?
Conversation
…hod. It also supports variable tracing in structs.
… did not show it. This was due to partial evaluator making use of dummySrcInfo.
- forgot to change initialSctx in foreach statement to foreachSctx
Added negative tests.
The main idea of the approach is to keep a map from variable names to either a value or undefined:
This map is stored in the statement context, and it is used to track the value that variables have so far in the program. We say that a variable is "undetermined" if either:
The approach keeps track of the value of each variable so far. For example, in this program snippet:
After line During this trace analysis, a variable can become undetermined mainly because of the following reasons:
I'll explain each case now. Case 1Consider this function:
After line
Because this makes the process of merging different branches in the code easier (as will be explained in Case 3). After line Case 2Consider this program:
After line Case 3If control flow branches and then joins, then the binding maps of each branch will merge at the joint point using the following rule:
This is better exemplified with an example. Consider this function:
Control flow at We would compute the map at Hence, at Sometimes the analyzer is able to determine that a particular branch will always be taken. In those cases, instead of merging the binding maps at the joint point, the analyzer simply takes the map of the executed branch, by using the following rule:
For example, in the above program, condition
Then, the bindings map at One last important note. Observe that the rules always start by stating:
variables Handling loopsSo far, I haven't talked about how loops are handled by the analyzer. Consider the following function:
There are two possible branches at If we follow branch So, in the above example, the map at If instead, we have the program:
Then, the map at The above examples suggest a general procedure to handle the branch inside the loop:
As was the case with conditionals, sometimes the analyzer is able to determine if a loop will execute or not. In that case, it will take the binding map of the corresponding branch. For example, consider this function:
In this case, the condition Some pointers to the code
|
Issue
Closes #716.
The solution is able to detect not only division by zero problems, but any kind of problem that depends on variable tracing, like null dereferencings, number overflows. Although, I need to add testing for all the other possibilities.
Checklist