[GR-62828] Fix the points-to analysis model for reflective/unsafe reads/writes in layered builds.

PullRequest: graal/20248

Author: cstancu

substratevm/src/com.oracle.graal.pointsto/src/com/oracle/graal/pointsto/AnalysisPolicy.java

@@ -69,6 +69,7 @@ public abstract class AnalysisPolicy {
     protected final boolean limitObjectArrayLength;
     protected final int maxObjectSetSize;
     protected final boolean hybridStaticContext;
+    protected final boolean useConservativeUnsafeAccess;
 
     public AnalysisPolicy(OptionValues options) {
         this.options = options;
@@ -82,6 +83,7 @@ public AnalysisPolicy(OptionValues options) {
         limitObjectArrayLength = PointstoOptions.LimitObjectArrayLength.getValue(options);
         maxObjectSetSize = PointstoOptions.MaxObjectSetSize.getValue(options);
         hybridStaticContext = PointstoOptions.HybridStaticContext.getValue(options);
+        useConservativeUnsafeAccess = PointstoOptions.UseConservativeUnsafeAccess.getValue(options);
     }
 
     public abstract boolean isContextSensitiveAnalysis();
@@ -118,6 +120,10 @@ public boolean useHybridStaticContext() {
         return hybridStaticContext;
     }
 
+    public boolean useConservativeUnsafeAccess() {
+        return useConservativeUnsafeAccess;
+    }
+
     public abstract MethodTypeFlow createMethodTypeFlow(PointsToAnalysisMethod method);
 
     /**

substratevm/src/com.oracle.graal.pointsto/src/com/oracle/graal/pointsto/PointsToAnalysis.java

@@ -53,8 +53,8 @@
 import com.oracle.graal.pointsto.flow.MethodFlowsGraphInfo;
 import com.oracle.graal.pointsto.flow.MethodTypeFlow;
 import com.oracle.graal.pointsto.flow.MethodTypeFlowBuilder;
-import com.oracle.graal.pointsto.flow.OffsetLoadTypeFlow.AbstractUnsafeLoadTypeFlow;
-import com.oracle.graal.pointsto.flow.OffsetStoreTypeFlow.AbstractUnsafeStoreTypeFlow;
+import com.oracle.graal.pointsto.flow.OffsetLoadTypeFlow.UnsafeLoadTypeFlow;
+import com.oracle.graal.pointsto.flow.OffsetStoreTypeFlow.UnsafeStoreTypeFlow;
 import com.oracle.graal.pointsto.flow.TypeFlow;
 import com.oracle.graal.pointsto.meta.AnalysisField;
 import com.oracle.graal.pointsto.meta.AnalysisMetaAccess;
@@ -110,8 +110,8 @@ public abstract class PointsToAnalysis extends AbstractAnalysisEngine {
     protected final boolean trackTypeFlowInputs;
     protected final boolean reportAnalysisStatistics;
 
-    private ConcurrentMap<AbstractUnsafeLoadTypeFlow, Boolean> unsafeLoads;
-    private ConcurrentMap<AbstractUnsafeStoreTypeFlow, Boolean> unsafeStores;
+    private ConcurrentMap<UnsafeLoadTypeFlow, Boolean> unsafeLoads;
+    private ConcurrentMap<UnsafeStoreTypeFlow, Boolean> unsafeStores;
 
     public final AtomicLong numParsedGraphs = new AtomicLong();
     private final CompletionExecutor.Timing timing;
@@ -145,8 +145,8 @@ public PointsToAnalysis(OptionValues options, AnalysisUniverse universe, HostVM
             PointsToStats.init(this);
         }
 
-        unsafeLoads = new ConcurrentHashMap<>();
-        unsafeStores = new ConcurrentHashMap<>();
+        unsafeLoads = analysisPolicy.useConservativeUnsafeAccess() ? null : new ConcurrentHashMap<>();
+        unsafeStores = analysisPolicy.useConservativeUnsafeAccess() ? null : new ConcurrentHashMap<>();
 
         timing = PointstoOptions.ProfileAnalysisOperations.getValue(options) ? new AnalysisTiming() : null;
         executor.init(timing);
@@ -200,11 +200,11 @@ public MethodTypeFlowBuilder createMethodTypeFlowBuilder(PointsToAnalysis bb, Po
         return new MethodTypeFlowBuilder(bb, method, flowsGraph, graphKind);
     }
 
-    public void registerUnsafeLoad(AbstractUnsafeLoadTypeFlow unsafeLoad) {
+    public void registerUnsafeLoad(UnsafeLoadTypeFlow unsafeLoad) {
         unsafeLoads.putIfAbsent(unsafeLoad, true);
     }
 
-    public void registerUnsafeStore(AbstractUnsafeStoreTypeFlow unsafeStore) {
+    public void registerUnsafeStore(UnsafeStoreTypeFlow unsafeStore) {
         unsafeStores.putIfAbsent(unsafeStore, true);
     }
 
@@ -216,13 +216,16 @@ public void registerUnsafeStore(AbstractUnsafeStoreTypeFlow unsafeStore) {
      *            unsafe access flows that need to be updated.
      */
     public void forceUnsafeUpdate(AnalysisField field) {
+        if (analysisPolicy.useConservativeUnsafeAccess()) {
+            return;
+        }
         /*
          * It is cheaper to post the flows of all loads and stores even if they are not related to
          * the provided field.
          */
 
         // force update of the unsafe loads
-        for (AbstractUnsafeLoadTypeFlow unsafeLoad : unsafeLoads.keySet()) {
+        for (UnsafeLoadTypeFlow unsafeLoad : unsafeLoads.keySet()) {
             /* Force update for unsafe accessed static fields. */
             unsafeLoad.forceUpdate(this);
 
@@ -237,7 +240,7 @@ public void forceUnsafeUpdate(AnalysisField field) {
         }
 
         // force update of the unsafe stores
-        for (AbstractUnsafeStoreTypeFlow unsafeStore : unsafeStores.keySet()) {
+        for (UnsafeStoreTypeFlow unsafeStore : unsafeStores.keySet()) {
             /* Force update for unsafe accessed static fields. */
             unsafeStore.forceUpdate(this);
 

substratevm/src/com.oracle.graal.pointsto/src/com/oracle/graal/pointsto/api/PointstoOptions.java

@@ -134,6 +134,15 @@ protected void onValueUpdate(EconomicMap<OptionKey<?>, Object> values, Boolean o
     @Option(help = "Allow a type flow state to contain types not compatible with its declared type.")//
     public static final OptionKey<Boolean> RelaxTypeFlowStateConstraints = new OptionKey<>(true);
 
+    /**
+     * This flag enables conservative modeling of unsafe access during the analysis. First, the type
+     * state of unsafe accessed fields now contains all instantiated subtypes of their declared
+     * type. Second, all unsafe loads are saturated by default; we do this because we assume we
+     * cannot accurately track which fields can be unsafe accessed.
+     */
+    @Option(help = "Conservative unsafe access injects all unsafe accessed fields with the instantiated subtypes of their declared type and saturates all unsafe loads.")//
+    public static final OptionKey<Boolean> UseConservativeUnsafeAccess = new OptionKey<>(false);
+
     @Option(help = "Deprecated, option no longer has any effect.", deprecated = true)//
     static final OptionKey<Boolean> UnresolvedIsError = new OptionKey<>(true);
 

substratevm/src/com.oracle.graal.pointsto/src/com/oracle/graal/pointsto/flow/MethodTypeFlowBuilder.java

@@ -2111,22 +2111,44 @@ protected void processUnsafeLoad(ValueNode node, ValueNode object, TypeFlowsOfNo
         if (node.getStackKind() == JavaKind.Object) {
             TypeFlowBuilder<?> objectBuilder = state.lookup(object);
 
-            /*
-             * Use the Object type as a conservative approximation for both the receiver object type
-             * and the loaded values type.
-             */
-            var loadBuilder = TypeFlowBuilder.create(bb, method, state.getPredicate(), node, UnsafeLoadTypeFlow.class, () -> {
-                UnsafeLoadTypeFlow loadTypeFlow = new UnsafeLoadTypeFlow(AbstractAnalysisEngine.sourcePosition(node), bb.getObjectType(), bb.getObjectType(), objectBuilder.get());
-                flowsGraph.addMiscEntryFlow(loadTypeFlow);
-                return loadTypeFlow;
-            });
+            TypeFlowBuilder<?> loadBuilder;
+            if (bb.analysisPolicy().useConservativeUnsafeAccess()) {
+                /*
+                 * When unsafe loads are modeled conservatively they start as saturated since the
+                 * exact fields that are marked as unsafe accessed are not tracked and cannot be
+                 * used as an input to the UnsafeLoadTypeFlow. Using a pre-saturated flow will
+                 * signal the saturation to any future uses.
+                 */
+                loadBuilder = TypeFlowBuilder.create(bb, method, state.getPredicate(), node, PreSaturatedTypeFlow.class, () -> {
+                    PreSaturatedTypeFlow preSaturated = new PreSaturatedTypeFlow(AbstractAnalysisEngine.sourcePosition(node));
+                    flowsGraph.addMiscEntryFlow(preSaturated);
+                    return preSaturated;
+                });
+            } else {
+                /*
+                 * Use the Object type as a conservative approximation for both the receiver object
+                 * type and the loaded values type.
+                 */
+                loadBuilder = TypeFlowBuilder.create(bb, method, state.getPredicate(), node, UnsafeLoadTypeFlow.class, () -> {
+                    UnsafeLoadTypeFlow loadTypeFlow = new UnsafeLoadTypeFlow(AbstractAnalysisEngine.sourcePosition(node), bb.getObjectType(), bb.getObjectType(), objectBuilder.get());
+                    flowsGraph.addMiscEntryFlow(loadTypeFlow);
+                    return loadTypeFlow;
+                });
+            }
 
             loadBuilder.addObserverDependency(objectBuilder);
             state.add(node, loadBuilder);
         }
     }
 
     protected void processUnsafeStore(ValueNode node, ValueNode object, ValueNode newValue, JavaKind newValueKind, TypeFlowsOfNodes state) {
+        if (bb.analysisPolicy().useConservativeUnsafeAccess()) {
+            /*
+             * When unsafe writes are modeled conservatively all unsafe accessed fields contain all
+             * instantiated subtypes of their declared type, so no need to model the unsafe store.
+             */
+            return;
+        }
         /* All unsafe accessed primitive fields are always saturated. */
         if (newValueKind == JavaKind.Object) {
             TypeFlowBuilder<?> objectBuilder = state.lookup(object);

substratevm/src/com.oracle.graal.pointsto/src/com/oracle/graal/pointsto/flow/OffsetLoadTypeFlow.java

@@ -156,16 +156,26 @@ public String toString() {
 
     }
 
-    public abstract static class AbstractUnsafeLoadTypeFlow extends OffsetLoadTypeFlow {
+    public static class UnsafeLoadTypeFlow extends OffsetLoadTypeFlow {
 
-        AbstractUnsafeLoadTypeFlow(BytecodePosition loadLocation, AnalysisType objectType, AnalysisType componentType, TypeFlow<?> objectFlow) {
+        UnsafeLoadTypeFlow(BytecodePosition loadLocation, AnalysisType objectType, AnalysisType componentType, TypeFlow<?> objectFlow) {
             super(loadLocation, objectType, filterUncheckedInterface(componentType), objectFlow);
         }
 
-        AbstractUnsafeLoadTypeFlow(PointsToAnalysis bb, MethodFlowsGraph methodFlows, AbstractUnsafeLoadTypeFlow original) {
+        UnsafeLoadTypeFlow(PointsToAnalysis bb, MethodFlowsGraph methodFlows, UnsafeLoadTypeFlow original) {
             super(bb, methodFlows, original);
         }
 
+        @Override
+        public UnsafeLoadTypeFlow copy(PointsToAnalysis bb, MethodFlowsGraph methodFlows) {
+            return new UnsafeLoadTypeFlow(bb, methodFlows, this);
+        }
+
+        @Override
+        public boolean needsInitialization() {
+            return true;
+        }
+
         @Override
         public void initFlow(PointsToAnalysis bb) {
             assert !bb.analysisPolicy().isContextSensitiveAnalysis() || this.isClone() : this;
@@ -177,15 +187,10 @@ public void initFlow(PointsToAnalysis bb) {
             forceUpdate(bb);
         }
 
-        @Override
-        public boolean needsInitialization() {
-            return true;
-        }
-
         public void forceUpdate(PointsToAnalysis bb) {
             /*
              * Unsafe load type flow models unsafe reads from both instance and static fields. From
-             * an analysis stand point for static fields the base doesn't matter. An unsafe load can
+             * an analysis standpoint for static fields the base doesn't matter. An unsafe load can
              * read from any of the static fields marked for unsafe access.
              */
             for (AnalysisField field : bb.getUniverse().getUnsafeAccessedStaticFields()) {
@@ -200,29 +205,6 @@ public void forceUpdate(PointsToAnalysis bb) {
             }
         }
 
-        protected void processField(PointsToAnalysis bb, AnalysisObject object, AnalysisField field) {
-            if (field.getStorageKind().isObject()) {
-                TypeFlow<?> fieldFlow = object.getInstanceFieldFlow(bb, objectFlow, source, field, false);
-                fieldFlow.addUse(bb, this);
-            }
-        }
-    }
-
-    public static class UnsafeLoadTypeFlow extends AbstractUnsafeLoadTypeFlow {
-
-        public UnsafeLoadTypeFlow(BytecodePosition loadLocation, AnalysisType objectType, AnalysisType componentType, TypeFlow<?> arrayFlow) {
-            super(loadLocation, objectType, componentType, arrayFlow);
-        }
-
-        private UnsafeLoadTypeFlow(PointsToAnalysis bb, MethodFlowsGraph methodFlows, UnsafeLoadTypeFlow original) {
-            super(bb, methodFlows, original);
-        }
-
-        @Override
-        public AbstractUnsafeLoadTypeFlow copy(PointsToAnalysis bb, MethodFlowsGraph methodFlows) {
-            return new UnsafeLoadTypeFlow(bb, methodFlows, this);
-        }
-
         @Override
         public void onObservedUpdate(PointsToAnalysis bb) {
             TypeState objectState = getObjectState();
@@ -244,8 +226,10 @@ public void onObservedUpdate(PointsToAnalysis bb) {
                     elementsFlow.addUse(bb, this);
                 } else {
                     for (AnalysisField field : objectType.unsafeAccessedFields()) {
-                        assert field != null;
-                        processField(bb, object, field);
+                        if (field.getStorageKind().isObject()) {
+                            TypeFlow<?> fieldFlow = object.getInstanceFieldFlow(bb, objectFlow, source, field, false);
+                            fieldFlow.addUse(bb, this);
+                        }
                     }
                 }
             }

substratevm/src/com.oracle.graal.pointsto/src/com/oracle/graal/pointsto/flow/OffsetStoreTypeFlow.java

@@ -24,8 +24,6 @@
  */
 package com.oracle.graal.pointsto.flow;
 
-import java.util.Collection;
-
 import com.oracle.graal.pointsto.PointsToAnalysis;
 import com.oracle.graal.pointsto.flow.context.object.AnalysisObject;
 import com.oracle.graal.pointsto.meta.AnalysisField;
@@ -49,7 +47,7 @@ public abstract class OffsetStoreTypeFlow extends TypeFlow<BytecodePosition> {
 
     /*
      * The type of the receiver object of the offset store operation. Can be approximated by Object
-     * or Object[] when it cannot be infered from stamps.
+     * or Object[] when it cannot be inferred from stamps.
      */
     protected final AnalysisType objectType;
 
@@ -177,22 +175,25 @@ public String toString() {
         }
     }
 
-    public abstract static class AbstractUnsafeStoreTypeFlow extends OffsetStoreTypeFlow {
+    public static class UnsafeStoreTypeFlow extends OffsetStoreTypeFlow {
 
-        AbstractUnsafeStoreTypeFlow(BytecodePosition storeLocation, AnalysisType objectType, AnalysisType componentType, TypeFlow<?> objectFlow, TypeFlow<?> valueFlow) {
+        public UnsafeStoreTypeFlow(BytecodePosition storeLocation, AnalysisType objectType, AnalysisType componentType, TypeFlow<?> objectFlow, TypeFlow<?> valueFlow) {
             super(storeLocation, objectType, filterUncheckedInterface(componentType), objectFlow, valueFlow);
         }
 
-        AbstractUnsafeStoreTypeFlow(PointsToAnalysis bb, MethodFlowsGraph methodFlows, OffsetStoreTypeFlow original) {
+        public UnsafeStoreTypeFlow(PointsToAnalysis bb, MethodFlowsGraph methodFlows, UnsafeStoreTypeFlow original) {
             super(bb, methodFlows, original);
         }
 
         @Override
-        public final AbstractUnsafeStoreTypeFlow copy(PointsToAnalysis bb, MethodFlowsGraph methodFlows) {
-            return makeCopy(bb, methodFlows);
+        public final UnsafeStoreTypeFlow copy(PointsToAnalysis bb, MethodFlowsGraph methodFlows) {
+            return new UnsafeStoreTypeFlow(bb, methodFlows, this);
         }
 
-        protected abstract AbstractUnsafeStoreTypeFlow makeCopy(PointsToAnalysis bb, MethodFlowsGraph methodFlows);
+        @Override
+        public boolean needsInitialization() {
+            return true;
+        }
 
         @Override
         public void initFlow(PointsToAnalysis bb) {
@@ -205,11 +206,6 @@ public void initFlow(PointsToAnalysis bb) {
             forceUpdate(bb);
         }
 
-        @Override
-        public boolean needsInitialization() {
-            return true;
-        }
-
         public void forceUpdate(PointsToAnalysis bb) {
             /*
              * Unsafe store type flow models unsafe writes to both instance and static fields. From
@@ -221,32 +217,6 @@ public void forceUpdate(PointsToAnalysis bb) {
             }
         }
 
-        void handleUnsafeAccessedFields(PointsToAnalysis bb, Collection<AnalysisField> unsafeAccessedFields, AnalysisObject object) {
-            for (AnalysisField field : unsafeAccessedFields) {
-                /* Write through the field filter flow. */
-                addUse(bb, object.getInstanceFieldFilterFlow(bb, objectFlow, source, field));
-            }
-        }
-    }
-
-    /**
-     * Implements an unsafe store operation type flow.
-     */
-    public static class UnsafeStoreTypeFlow extends AbstractUnsafeStoreTypeFlow {
-
-        public UnsafeStoreTypeFlow(BytecodePosition storeLocation, AnalysisType objectType, AnalysisType componentType, TypeFlow<?> objectFlow, TypeFlow<?> valueFlow) {
-            super(storeLocation, objectType, componentType, objectFlow, valueFlow);
-        }
-
-        public UnsafeStoreTypeFlow(PointsToAnalysis bb, MethodFlowsGraph methodFlows, UnsafeStoreTypeFlow original) {
-            super(bb, methodFlows, original);
-        }
-
-        @Override
-        public UnsafeStoreTypeFlow makeCopy(PointsToAnalysis bb, MethodFlowsGraph methodFlows) {
-            return new UnsafeStoreTypeFlow(bb, methodFlows, this);
-        }
-
         @Override
         public void onObservedUpdate(PointsToAnalysis bb) {
             TypeState objectState = objectFlow.getState();
@@ -267,7 +237,10 @@ public void onObservedUpdate(PointsToAnalysis bb) {
                     TypeFlow<?> elementsFlow = object.getArrayElementsFlow(bb, true);
                     this.addUse(bb, elementsFlow);
                 } else {
-                    handleUnsafeAccessedFields(bb, type.unsafeAccessedFields(), object);
+                    for (AnalysisField field : type.unsafeAccessedFields()) {
+                        /* Write through the field filter flow. */
+                        this.addUse(bb, object.getInstanceFieldFilterFlow(bb, objectFlow, source, field));
+                    }
                 }
             }
         }
@@ -292,7 +265,7 @@ public void onObservedSaturated(PointsToAnalysis bb, TypeFlow<?> observed) {
             valueFlow.removeUse(this);
 
             /* Link the saturated store. */
-            AbstractUnsafeStoreTypeFlow contextInsensitiveStore = ((PointsToAnalysisType) objectType).initAndGetContextInsensitiveUnsafeStore(bb, source);
+            UnsafeStoreTypeFlow contextInsensitiveStore = ((PointsToAnalysisType) objectType).initAndGetContextInsensitiveUnsafeStore(bb, source);
             /*
              * Link the value flow to the saturated store. The receiver is already set in the
              * saturated store.