github.com/powerman/golang-tools@v0.1.11-0.20220410185822-5ad214d8d803/go/callgraph/vta/vta.go (about) 1 // Copyright 2021 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package vta computes the call graph of a Go program using the Variable 6 // Type Analysis (VTA) algorithm originally described in ``Practical Virtual 7 // Method Call Resolution for Java," Vijay Sundaresan, Laurie Hendren, 8 // Chrislain Razafimahefa, Raja Vallée-Rai, Patrick Lam, Etienne Gagnon, and 9 // Charles Godin. 10 // 11 // Note: this package is in experimental phase and its interface is 12 // subject to change. 13 // TODO(zpavlinovic): reiterate on documentation. 14 // 15 // The VTA algorithm overapproximates the set of types (and function literals) 16 // a variable can take during runtime by building a global type propagation 17 // graph and propagating types (and function literals) through the graph. 18 // 19 // A type propagation is a directed, labeled graph. A node can represent 20 // one of the following: 21 // - A field of a struct type. 22 // - A local (SSA) variable of a method/function. 23 // - All pointers to a non-interface type. 24 // - The return value of a method. 25 // - All elements in an array. 26 // - All elements in a slice. 27 // - All elements in a map. 28 // - All elements in a channel. 29 // - A global variable. 30 // In addition, the implementation used in this package introduces 31 // a few Go specific kinds of nodes: 32 // - (De)references of nested pointers to interfaces are modeled 33 // as a unique nestedPtrInterface node in the type propagation graph. 34 // - Each function literal is represented as a function node whose 35 // internal value is the (SSA) representation of the function. This 36 // is done to precisely infer flow of higher-order functions. 37 // 38 // Edges in the graph represent flow of types (and function literals) through 39 // the program. That is, the model 1) typing constraints that are induced by 40 // assignment statements or function and method calls and 2) higher-order flow 41 // of functions in the program. 42 // 43 // The labeling function maps each node to a set of types and functions that 44 // can intuitively reach the program construct the node represents. Initially, 45 // every node is assigned a type corresponding to the program construct it 46 // represents. Function nodes are also assigned the function they represent. 47 // The labeling function then propagates types and function through the graph. 48 // 49 // The result of VTA is a type propagation graph in which each node is labeled 50 // with a conservative overapproximation of the set of types (and functions) 51 // it may have. This information is then used to construct the call graph. 52 // For each unresolved call site, vta uses the set of types and functions 53 // reaching the node representing the call site to create a set of callees. 54 package vta 55 56 import ( 57 "go/types" 58 59 "github.com/powerman/golang-tools/go/callgraph" 60 "github.com/powerman/golang-tools/go/ssa" 61 ) 62 63 // CallGraph uses the VTA algorithm to compute call graph for all functions 64 // f:true in funcs. VTA refines the results of initial call graph and uses it 65 // to establish interprocedural type flow. The resulting graph does not have 66 // a root node. 67 // 68 // CallGraph does not make any assumptions on initial types global variables 69 // and function/method inputs can have. CallGraph is then sound, modulo use of 70 // reflection and unsafe, if the initial call graph is sound. 71 func CallGraph(funcs map[*ssa.Function]bool, initial *callgraph.Graph) *callgraph.Graph { 72 vtaG, canon := typePropGraph(funcs, initial) 73 types := propagate(vtaG, canon) 74 75 c := &constructor{types: types, initial: initial, cache: make(methodCache)} 76 return c.construct(funcs) 77 } 78 79 // constructor type linearly traverses the input program 80 // and constructs a callgraph based on the results of the 81 // VTA type propagation phase. 82 type constructor struct { 83 types propTypeMap 84 cache methodCache 85 initial *callgraph.Graph 86 } 87 88 func (c *constructor) construct(funcs map[*ssa.Function]bool) *callgraph.Graph { 89 cg := &callgraph.Graph{Nodes: make(map[*ssa.Function]*callgraph.Node)} 90 for f, in := range funcs { 91 if in { 92 c.constrct(cg, f) 93 } 94 } 95 return cg 96 } 97 98 func (c *constructor) constrct(g *callgraph.Graph, f *ssa.Function) { 99 caller := g.CreateNode(f) 100 for _, call := range calls(f) { 101 for _, c := range c.callees(call) { 102 callgraph.AddEdge(caller, call, g.CreateNode(c)) 103 } 104 } 105 } 106 107 // callees computes the set of functions to which VTA resolves `c`. The resolved 108 // functions are intersected with functions to which `initial` resolves `c`. 109 func (c *constructor) callees(call ssa.CallInstruction) []*ssa.Function { 110 cc := call.Common() 111 if cc.StaticCallee() != nil { 112 return []*ssa.Function{cc.StaticCallee()} 113 } 114 115 // Skip builtins as they are not *ssa.Function. 116 if _, ok := cc.Value.(*ssa.Builtin); ok { 117 return nil 118 } 119 120 // Cover the case of dynamic higher-order and interface calls. 121 return intersect(resolve(call, c.types, c.cache), siteCallees(call, c.initial)) 122 } 123 124 // resolve returns a set of functions `c` resolves to based on the 125 // type propagation results in `types`. 126 func resolve(c ssa.CallInstruction, types propTypeMap, cache methodCache) []*ssa.Function { 127 n := local{val: c.Common().Value} 128 var funcs []*ssa.Function 129 for _, p := range types.propTypes(n) { 130 funcs = append(funcs, propFunc(p, c, cache)...) 131 } 132 return funcs 133 } 134 135 // propFunc returns the functions modeled with the propagation type `p` 136 // assigned to call site `c`. If no such function exists, nil is returned. 137 func propFunc(p propType, c ssa.CallInstruction, cache methodCache) []*ssa.Function { 138 if p.f != nil { 139 return []*ssa.Function{p.f} 140 } 141 142 if c.Common().Method == nil { 143 return nil 144 } 145 146 return cache.methods(p.typ, c.Common().Method.Name(), c.Parent().Prog) 147 } 148 149 // methodCache serves as a type -> method name -> methods 150 // cache when computing methods of a type using the 151 // ssa.Program.MethodSets and ssa.Program.MethodValue 152 // APIs. The cache is used to speed up querying of 153 // methods of a type as the mentioned APIs are expensive. 154 type methodCache map[types.Type]map[string][]*ssa.Function 155 156 // methods returns methods of a type `t` named `name`. First consults 157 // `mc` and otherwise queries `prog` for the method. If no such method 158 // exists, nil is returned. 159 func (mc methodCache) methods(t types.Type, name string, prog *ssa.Program) []*ssa.Function { 160 if ms, ok := mc[t]; ok { 161 return ms[name] 162 } 163 164 ms := make(map[string][]*ssa.Function) 165 mset := prog.MethodSets.MethodSet(t) 166 for i, n := 0, mset.Len(); i < n; i++ { 167 // f can be nil when t is an interface or some 168 // other type without any runtime methods. 169 if f := prog.MethodValue(mset.At(i)); f != nil { 170 ms[f.Name()] = append(ms[f.Name()], f) 171 } 172 } 173 mc[t] = ms 174 return ms[name] 175 }