------- Comment #2 from rguenth at gcc dot gnu dot org 2008-05-30 11:38 -------

It shows really that points-to analysis and call-clobber analysis cannot be done separately. We try to "connect" them at a single point, in handle_rhs_call where we add constraints from anything to dereferenced pointer arguments. But this is obviously not enough as we are not transitively closing the points-to solution.

    extern void abort (void);
    int j;
    void __attribute__((noinline))
    bar (int ***q)
    {
      j = 1;
      **q = &j;
    }
    int main()
    {
      int i;
      int *p = &i;
      int **q = &p;
      int ***r = &q;
      i = 0;
      bar (r);
      if (*p != 1)
        abort ();
      return 0;
    }

While this doesn't abort in its current form, it shows that points-to analysis thinks that p points to i, which is not true, as it points to j after the call to bar:

    <bb 2>:
      # p_7 = VDEF <p_6(D)>
      p = &i;
      # q_9 = VDEF <q_8(D)>
      q = &p;
      # i_11 = VDEF <i_10(D)>
      i = 0;
      # i_13 = VDEF <i_11>
      # p_14 = VDEF <p_7>
      # q_15 = VDEF <q_9>
      # SMT.28_16 = VDEF <SMT.28_12(D)>
      bar (&q);
      # VUSE <p_14>
      p.0_2 = p;
      # VUSE <i_13>
      D.1569_3 = *p.0_2;
      if (D.1569_3 != 1)
        goto <bb 3>;
      else
        goto <bb 4>;

    Pointed-to sets for pointers in main

    p.0_2, name memory tag: NMT.29, is dereferenced, points-to vars: { i }

If we would do a pointer-equivalence test here and use PTA for its disambiguation things would go wrong. The lame hack in handle_rhs_call only saves us for double-indirection (and only because &q is invariant and substituted in the call argument).

Now - I'd really like to hear what the "theory" says to this (handling of escape points). I guess they simply only handle IPA-PTA for whole-programs, thus the "academic" case.

-- 
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=36387
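
Added example (not part of the original comment and not GCC's code): a small bit-set model of the test case above, comparing a one-level "*arg = ANYTHING" treatment of the call with one that transitively closes the set of escaped variables. The variable encoding, the ANY bit and the names call_one_level, call_closed and p_after_call are assumptions made for this illustration, and the model is type-insensitive.

```c
#include <stdio.h>

/* Constructed model of the test case: one bit per variable. */
enum { I, J, P, Q, R, ANY, NVARS };
#define BIT(v) (1u << (v))
#define GLOBALS BIT(J)          /* j is the only global */

/* Points-to sets before the call: p = &i; q = &p; r = &q; */
static void init(unsigned pts[NVARS]) {
    for (int v = 0; v < NVARS; v++) pts[v] = 0;
    pts[P] = BIT(I);
    pts[Q] = BIT(P);
    pts[R] = BIT(Q);
}

/* One-level treatment: *arg = ANYTHING, nothing deeper. */
static void call_one_level(unsigned pts[NVARS], int arg) {
    for (int v = 0; v < NVARS; v++)
        if (pts[arg] & BIT(v)) pts[v] |= BIT(ANY);
}

/* Transitive treatment: everything reachable from the argument escapes,
   and the callee may store any escaped or global address into it. */
static void call_closed(unsigned pts[NVARS], int arg) {
    unsigned esc = pts[arg], prev;
    do {                         /* iterate to a fixed point */
        prev = esc;
        for (int v = 0; v < NVARS; v++)
            if (esc & BIT(v)) esc |= pts[v];
    } while (esc != prev);
    for (int v = 0; v < NVARS; v++)
        if (esc & BIT(v)) pts[v] |= esc | GLOBALS;
}

/* Returns p's points-to set after bar (r) under the chosen treatment. */
unsigned p_after_call(int transitive) {
    unsigned pts[NVARS];
    init(pts);
    if (transitive) call_closed(pts, R); else call_one_level(pts, R);
    return pts[P];
}

int main(void) {
    printf("one-level:  p may point to j? %d\n", !!(p_after_call(0) & BIT(J)));
    printf("transitive: p may point to j? %d\n", !!(p_after_call(1) & BIT(J)));
    return 0;
}
```

In the one-level run only q's set is widened and p stays at { i }, matching the dump; in the closed run p, q and i are all reached from the argument, so p's set gains j.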