Finding Targets of a Function Pointer

Hi all,

I was wondering whether there's any existing code to find all possible targets of a function pointer in LLVM, and, if not, if there were a smarter way to go about writing something to accomplish this than the obvious way of recursively following the def-use chains and creating an aggregate set.

--Patrick

Patrick Alexander Simmons wrote:

Hi all,

I was wondering whether there's any existing code to find all possible targets of a function pointer in LLVM, and, if not, if there were a smarter way to go about writing something to accomplish this than the obvious way of recursively following the def-use chains and creating an aggregate set.

I think the only way to do this is to use an alias analysis to create points-to sets. You can then run the analysis and ask it for may-alias results between function pointers at call sites, and the set of functions that you have available. Clearly you can have trouble if there are functions that aren't currently available.

You should probably look at the DSA stuff in poolalloc as I think that it does some of this, or at least contains infrastructure to do some of this.

One of the main reasons to want to do this is for member function call devirtualization. Unfortunately, the code generated by llvm-g++ isn't great for this task, since it erases all of the types in a vtable. If this is what you are doing then you are likely to run into trouble in moderate sized programs.

Luke

Patrick,

DSA gives you this directly by getting the DS node pointed to by the function pointer and then getting the list of globals in that DS node.

As Luke said, this is incomplete if some functions are not available. But DSA will mark function pointers that "escape" to external code as 'I'ncomplete (and otherwise it guarantees that the fptr doesn't point to any external functions).

--Vikram
Associate Professor, Computer Science
University of Illinois at Urbana-Champaign
http://llvm.org/~vadve