github.com/jhump/golang-x-tools@v0.0.0-20220218190644-4958d6d39439/go/callgraph/vta/vta.go (about) 1 // Copyright 2021 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package vta computes the call graph of a Go program using the Variable 6 // Type Analysis (VTA) algorithm originally described in ``Practical Virtual 7 // Method Call Resolution for Java," Vijay Sundaresan, Laurie Hendren, 8 // Chrislain Razafimahefa, Raja Vallée-Rai, Patrick Lam, Etienne Gagnon, and 9 // Charles Godin. 10 // 11 // Note: this package is in experimental phase and its interface is 12 // subject to change. 13 // TODO(zpavlinovic): reiterate on documentation. 14 // 15 // The VTA algorithm overapproximates the set of types (and function literals) 16 // a variable can take during runtime by building a global type propagation 17 // graph and propagating types (and function literals) through the graph. 18 // 19 // A type propagation is a directed, labeled graph. A node can represent 20 // one of the following: 21 // - A field of a struct type. 22 // - A local (SSA) variable of a method/function. 23 // - All pointers to a non-interface type. 24 // - The return value of a method. 25 // - All elements in an array. 26 // - All elements in a slice. 27 // - All elements in a map. 28 // - All elements in a channel. 29 // - A global variable. 30 // In addition, the implementation used in this package introduces 31 // a few Go specific kinds of nodes: 32 // - (De)references of nested pointers to interfaces are modeled 33 // as a unique nestedPtrInterface node in the type propagation graph. 34 // - Each function literal is represented as a function node whose 35 // internal value is the (SSA) representation of the function. This 36 // is done to precisely infer flow of higher-order functions. 37 // 38 // Edges in the graph represent flow of types (and function literals) through 39 // the program. That is, the model 1) typing constraints that are induced by 40 // assignment statements or function and method calls and 2) higher-order flow 41 // of functions in the program. 42 // 43 // The labeling function maps each node to a set of types and functions that 44 // can intuitively reach the program construct the node represents. Initially, 45 // every node is assigned a type corresponding to the program construct it 46 // represents. Function nodes are also assigned the function they represent. 47 // The labeling function then propagates types and function through the graph. 48 // 49 // The result of VTA is a type propagation graph in which each node is labeled 50 // with a conservative overapproximation of the set of types (and functions) 51 // it may have. This information is then used to construct the call graph. 52 // For each unresolved call site, vta uses the set of types and functions 53 // reaching the node representing the call site to create a set of callees. 54 55 package vta 56 57 import ( 58 "go/types" 59 60 "github.com/jhump/golang-x-tools/go/callgraph" 61 "github.com/jhump/golang-x-tools/go/ssa" 62 ) 63 64 // CallGraph uses the VTA algorithm to compute call graph for all functions 65 // f:true in funcs. VTA refines the results of initial call graph and uses it 66 // to establish interprocedural type flow. The resulting graph does not have 67 // a root node. 68 // 69 // CallGraph does not make any assumptions on initial types global variables 70 // and function/method inputs can have. CallGraph is then sound, modulo use of 71 // reflection and unsafe, if the initial call graph is sound. 72 func CallGraph(funcs map[*ssa.Function]bool, initial *callgraph.Graph) *callgraph.Graph { 73 vtaG, canon := typePropGraph(funcs, initial) 74 types := propagate(vtaG, canon) 75 76 c := &constructor{types: types, initial: initial, cache: make(methodCache)} 77 return c.construct(funcs) 78 } 79 80 // constructor type linearly traverses the input program 81 // and constructs a callgraph based on the results of the 82 // VTA type propagation phase. 83 type constructor struct { 84 types propTypeMap 85 cache methodCache 86 initial *callgraph.Graph 87 } 88 89 func (c *constructor) construct(funcs map[*ssa.Function]bool) *callgraph.Graph { 90 cg := &callgraph.Graph{Nodes: make(map[*ssa.Function]*callgraph.Node)} 91 for f, in := range funcs { 92 if in { 93 c.constrct(cg, f) 94 } 95 } 96 return cg 97 } 98 99 func (c *constructor) constrct(g *callgraph.Graph, f *ssa.Function) { 100 caller := g.CreateNode(f) 101 for _, call := range calls(f) { 102 for _, c := range c.callees(call) { 103 callgraph.AddEdge(caller, call, g.CreateNode(c)) 104 } 105 } 106 } 107 108 // callees computes the set of functions to which VTA resolves `c`. The resolved 109 // functions are intersected with functions to which `initial` resolves `c`. 110 func (c *constructor) callees(call ssa.CallInstruction) []*ssa.Function { 111 cc := call.Common() 112 if cc.StaticCallee() != nil { 113 return []*ssa.Function{cc.StaticCallee()} 114 } 115 116 // Skip builtins as they are not *ssa.Function. 117 if _, ok := cc.Value.(*ssa.Builtin); ok { 118 return nil 119 } 120 121 // Cover the case of dynamic higher-order and interface calls. 122 return intersect(resolve(call, c.types, c.cache), siteCallees(call, c.initial)) 123 } 124 125 // resolve returns a set of functions `c` resolves to based on the 126 // type propagation results in `types`. 127 func resolve(c ssa.CallInstruction, types propTypeMap, cache methodCache) []*ssa.Function { 128 n := local{val: c.Common().Value} 129 var funcs []*ssa.Function 130 for _, p := range types.propTypes(n) { 131 funcs = append(funcs, propFunc(p, c, cache)...) 132 } 133 return funcs 134 } 135 136 // propFunc returns the functions modeled with the propagation type `p` 137 // assigned to call site `c`. If no such funciton exists, nil is returned. 138 func propFunc(p propType, c ssa.CallInstruction, cache methodCache) []*ssa.Function { 139 if p.f != nil { 140 return []*ssa.Function{p.f} 141 } 142 143 if c.Common().Method == nil { 144 return nil 145 } 146 147 return cache.methods(p.typ, c.Common().Method.Name(), c.Parent().Prog) 148 } 149 150 // methodCache serves as a type -> method name -> methods 151 // cache when computing methods of a type using the 152 // ssa.Program.MethodSets and ssa.Program.MethodValue 153 // APIs. The cache is used to speed up querying of 154 // methods of a type as the mentioned APIs are expensive. 155 type methodCache map[types.Type]map[string][]*ssa.Function 156 157 // methods returns methods of a type `t` named `name`. First consults 158 // `mc` and otherwise queries `prog` for the method. If no such method 159 // exists, nil is returned. 160 func (mc methodCache) methods(t types.Type, name string, prog *ssa.Program) []*ssa.Function { 161 if ms, ok := mc[t]; ok { 162 return ms[name] 163 } 164 165 ms := make(map[string][]*ssa.Function) 166 mset := prog.MethodSets.MethodSet(t) 167 for i, n := 0, mset.Len(); i < n; i++ { 168 // f can be nil when t is an interface or some 169 // other type without any runtime methods. 170 if f := prog.MethodValue(mset.At(i)); f != nil { 171 ms[f.Name()] = append(ms[f.Name()], f) 172 } 173 } 174 mc[t] = ms 175 return ms[name] 176 }