Does alias analysis take escaping pointers into account?

I am a PL beginner, and a little confused about how precise an alias analysis is. For example:

#include <stdlib.h>

__attribute__((noinline)) void func(void *p) {
  /* ... */
  free(p);
  /* ... */
}

int main(int argc, char **argv) {
  int *p = (int *)malloc(sizeof(int));
  *p = 0; // store
  func(p);
  return *p; // load
}

A function takes p as an argument and modifies it, but alias analysis (e.g. basic AA) still considers the pointer of the store to MustAlias the one of the load. Should the result be MayAlias? Or is it imprecise due to the intraprocedural nature?

In general, AliasAnalysis is trying to answer the question of whether two pointers point to the same memory location. In the example above, the address p doesn’t change, regardless of whether you call free with it or not. This might become clear if you inspect the equivalent program in an SSA representation (like LLVM’s IR), for example this. Notice how the SSA value for the load and store is the same (and recall SSA values are defined exactly once).

Consider a program that could actually change the address contained in p:

#include <stdlib.h>

__attribute__((noinline)) void func(void **p) {
  /* ... */
  free(*p);
  *p = NULL;
  /* ... */
}

int main(int argc, char **argv) {
  int *p = (int *)malloc(sizeof(int));
  *p = 0; // store
  func(&p);
  return *p; // load
}

Try running alias analysis on this program; I suspect you’ll get a different result.

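The SSA view described in the answer, as an added example that is not part of the original thread: hand-written LLVM IR for both programs, assuming opaque pointers (LLVM 15 or later), a 64-bit target, the `...` bodies left empty, and the hypothetical names `func_v1`/`main_v1` and `func_v2`/`main_v2` for the two variants.

```llvm
declare noalias ptr @malloc(i64)
declare void @free(ptr)

; Variant 1: func(void *p). The pointer is passed by value.
define void @func_v1(ptr %p) noinline {
  call void @free(ptr %p)
  ret void
}

define i32 @main_v1() {
entry:
  %p = call noalias ptr @malloc(i64 4)
  store i32 0, ptr %p, align 4        ; store through %p
  call void @func_v1(ptr %p)
  ; The load uses the very same SSA value %p, so the two addresses are
  ; identical by construction. free() ends the object's lifetime, but it
  ; cannot change the address held in %p: this is the use-after-free case.
  %v = load i32, ptr %p, align 4      ; load through %p
  ret i32 %v
}

; Variant 2: func(void **p). The address of the variable escapes.
define void @func_v2(ptr %pp) noinline {
  %q = load ptr, ptr %pp, align 8
  call void @free(ptr %q)
  store ptr null, ptr %pp, align 8    ; *p = NULL
  ret void
}

define i32 @main_v2() {
entry:
  %p.addr = alloca ptr, align 8       ; p lives in memory because &p is taken
  %p0 = call noalias ptr @malloc(i64 4)
  store ptr %p0, ptr %p.addr, align 8
  store i32 0, ptr %p0, align 4       ; store through %p0
  call void @func_v2(ptr %p.addr)
  ; p is re-read from memory after the call, giving a new SSA value %p1.
  ; %p0 and %p1 are distinct values, and the callee may have overwritten
  ; the slot, so they are no longer equal by construction.
  %p1 = load ptr, ptr %p.addr, align 8
  %v = load i32, ptr %p1, align 4     ; load through %p1
  ret i32 %v
}
```

Saved as `example.ll` (a made-up file name), the per-function alias queries can be printed with `opt -passes=aa-eval -print-all-alias-modref-info -disable-output example.ll`.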