Keep track of unique projection combinations in Project

Add an index value to Project events to differentiate between
different projections with the same pointer offset, e.g.,
(*p).x and (*p).x.a if a is the first field of the structure.

This is implemented as an IndexSet<Vec<usize>> where each element
is a unique combination of field projections. The Project index
points to an element in this set.

analysis/runtime/Cargo.toml

@@ -19,3 +19,4 @@ enum_dispatch = "0.3"
 fs-err = "2"
 crossbeam-queue = "0.3"
 crossbeam-utils = "0.8"
+indexmap = { version = "1.9", features = ["serde"] }

analysis/runtime/src/events.rs

@@ -31,7 +31,11 @@ pub enum EventKind {
     CopyRef,
 
     /// Projection. Used for operations like `_2 = &(*_1).0`.
-    Project(Pointer, Pointer),
+    /// The third value is a "projection index" that points to an element
+    /// of the projections data structure in the metadata. It is used to
+    /// disambiguate between different projections with the same pointer,
+    /// e.g., `(*p).x` and `(*p).x.a` where `a` is at offset 0.
+    Project(Pointer, Pointer, usize),
 
     Alloc {
         size: usize,
@@ -88,7 +92,7 @@ impl Debug for EventKind {
         use EventKind::*;
         match *self {
             CopyPtr(ptr) => write!(f, "copy(0x{:x})", ptr),
-            Project(ptr, new_ptr) => write!(f, "project(0x{:x}, 0x{:x})", ptr, new_ptr),
+            Project(ptr, new_ptr, idx) => write!(f, "project(0x{:x}, 0x{:x}, [{}])", ptr, new_ptr, idx),
             Alloc { size, ptr } => {
                 write!(f, "malloc({}) -> 0x{:x}", size, ptr)
             }

analysis/runtime/src/handlers.rs

@@ -110,10 +110,10 @@ pub const HOOK_FUNCTIONS: &[&str] = &[
     hook_fn!(offset),
 ];
 
-pub fn ptr_project(mir_loc: MirLocId, ptr: usize, new_ptr: usize) {
+pub fn ptr_project(mir_loc: MirLocId, ptr: usize, new_ptr: usize, proj_idx: usize) {
     RUNTIME.send_event(Event {
         mir_loc,
-        kind: EventKind::Project(ptr, new_ptr),
+        kind: EventKind::Project(ptr, new_ptr, proj_idx),
     });
 }
 

analysis/runtime/src/metadata.rs

@@ -1,3 +1,4 @@
+use indexmap::IndexSet;
 use std::{
     collections::HashMap,
     fmt::{self, Debug, Formatter},
@@ -13,6 +14,7 @@ use crate::mir_loc::{Func, FuncId, MirLoc, MirLocId};
 pub struct Metadata {
     pub locs: Vec<MirLoc>,
     pub functions: HashMap<FuncId, String>,
+    pub projections: IndexSet<Vec<usize>>,
 }
 
 impl Metadata {
@@ -46,11 +48,13 @@ impl FromIterator<Metadata> for Metadata {
     fn from_iter<I: IntoIterator<Item = Metadata>>(iter: I) -> Self {
         let mut locs = Vec::new();
         let mut functions = HashMap::new();
+        let mut projections = IndexSet::new();
         for metadata in iter {
             locs.extend(metadata.locs);
             functions.extend(metadata.functions);
+            projections.extend(metadata.projections);
         }
-        Self { locs, functions }
+        Self { locs, functions, projections }
     }
 }
 

dynamic_instrumentation/src/instrument.rs

@@ -32,12 +32,14 @@ use crate::point::{cast_ptr_to_usize, InstrumentationPriority};
 use crate::point::{
     CollectAddressTakenLocals, CollectInstrumentationPoints, RewriteAddressTakenLocals,
 };
+use crate::point::ProjectionSet;
 use crate::util::Convert;
 
 #[derive(Default)]
 pub struct Instrumenter {
     mir_locs: Mutex<IndexSet<MirLoc>>,
     functions: Mutex<HashMap<FuncId, String>>,
+    projections: Mutex<IndexSet<Vec<usize>>>,
 }
 
 impl Instrumenter {
@@ -72,9 +74,10 @@ impl Instrumenter {
     pub fn finalize(&self, metadata_path: &Path) -> anyhow::Result<()> {
         let mut locs = self.mir_locs.lock().unwrap();
         let mut functions = self.functions.lock().unwrap();
+        let projections = std::mem::take(&mut *self.projections.lock().unwrap());
         let locs = locs.drain(..).collect::<Vec<_>>();
         let functions = functions.drain().collect::<HashMap<_, _>>();
-        let metadata = Metadata { locs, functions };
+        let metadata = Metadata { locs, functions, projections };
         let bytes = bincode::serialize(&metadata).context("Location serialization failed")?;
         let mut file = OpenOptions::new()
             .append(true)
@@ -115,6 +118,12 @@ impl Instrumenter {
     }
 }
 
+impl ProjectionSet for Instrumenter {
+    fn add_proj(&self, proj: Vec<usize>) -> usize {
+        self.projections.lock().unwrap().insert_full(proj).0
+    }
+}
+
 fn is_shared_or_unsafe_ptr(ty: Ty) -> bool {
     ty.is_unsafe_ptr() || (ty.is_region_ptr() && !ty.is_mutable_ptr())
 }
@@ -374,7 +383,14 @@ impl<'tcx> Visitor<'tcx> for CollectInstrumentationPoints<'_, 'tcx> {
 
         while let Some((inner_deref_base, PlaceElem::Deref)) = proj_iter.next() {
             // Find the next Deref or end of projections
+            // Meanwhile, collect all `Field`s into a vector that we
+            // can add to the `projections` IndexSet
+            let mut fields = vec![];
             let (outer_deref_base, have_outer_deref) = loop {
+                if let Some((_, PlaceElem::Field(idx, _))) = proj_iter.peek() {
+                    fields.push(idx.index());
+                }
+
                 match proj_iter.peek() {
                     Some((base, PlaceElem::Deref)) => break (base.clone(), true),
                     // Reached the end, we can use the full place
@@ -387,6 +403,8 @@ impl<'tcx> Visitor<'tcx> for CollectInstrumentationPoints<'_, 'tcx> {
 
             // We have some other elements between the two projections
             if outer_deref_base.projection.len() - inner_deref_base.projection.len() > 1 {
+                let proj_idx = self.projections.add_proj(fields);
+
                 // There are non-deref projection elements between the two derefs.
                 // Add a Project event between the start pointer of those field/index
                 // projections and their final address.
@@ -400,6 +418,7 @@ impl<'tcx> Visitor<'tcx> for CollectInstrumentationPoints<'_, 'tcx> {
                 self.loc(location, location, project_fn)
                     .arg_var(inner_deref_base)
                     .arg_addr_of(outer_deref_base.clone())
+                    .arg_var(proj_idx)
                     .add_to(self);
             }
 
@@ -749,7 +768,7 @@ fn instrument_body<'a, 'tcx>(
 
     // collect instrumentation points
     let points = {
-        let mut collector = CollectInstrumentationPoints::new(tcx, hooks, body, local_to_address);
+        let mut collector = CollectInstrumentationPoints::new(tcx, hooks, body, local_to_address, state);
         collector.visit_body(body);
         collector.into_instrumentation_points()
     };

dynamic_instrumentation/src/into_operand.rs

@@ -31,6 +31,20 @@ impl<'tcx> IntoOperand<'tcx> for u32 {
     }
 }
 
+impl<'tcx> IntoOperand<'tcx> for usize {
+    fn op(self, tcx: TyCtxt<'tcx>) -> Operand<'tcx> {
+        Operand::Constant(Box::new(Constant {
+            span: DUMMY_SP,
+            user_ty: None,
+            literal: ConstantKind::Ty(ty::Const::from_bits(
+                tcx,
+                self.try_into().unwrap(),
+                ParamEnv::empty().and(tcx.types.usize),
+            )),
+        }))
+    }
+}
+
 impl<'tcx> IntoOperand<'tcx> for Local {
     fn op(self, tcx: TyCtxt<'tcx>) -> Operand<'tcx> {
         Place::from(self).op(tcx)

dynamic_instrumentation/src/point/mod.rs

@@ -112,13 +112,18 @@ impl<'tcx> RewriteAddressTakenLocals<'tcx> {
     }
 }
 
+pub trait ProjectionSet {
+    fn add_proj(&self, proj: Vec<usize>) -> usize;
+}
+
 pub struct CollectInstrumentationPoints<'a, 'tcx: 'a> {
     tcx: TyCtxt<'tcx>,
     hooks: Hooks<'tcx>,
     pub body: &'a Body<'tcx>,
     pub instrumentation_points: Vec<InstrumentationPoint<'tcx>>,
     assignment: Option<(Place<'tcx>, Rvalue<'tcx>)>,
     pub addr_taken_local_addresses: IndexMap<Local, Local>,
+    pub projections: &'a dyn ProjectionSet,
 }
 
 impl<'a, 'tcx: 'a> CollectInstrumentationPoints<'a, 'tcx> {
@@ -127,6 +132,7 @@ impl<'a, 'tcx: 'a> CollectInstrumentationPoints<'a, 'tcx> {
         hooks: Hooks<'tcx>,
         body: &'a Body<'tcx>,
         addr_taken_local_addresses: IndexMap<Local, Local>,
+        projections: &'a dyn ProjectionSet,
     ) -> Self {
         Self {
             tcx,
@@ -135,6 +141,7 @@ impl<'a, 'tcx: 'a> CollectInstrumentationPoints<'a, 'tcx> {
             instrumentation_points: Default::default(),
             assignment: Default::default(),
             addr_taken_local_addresses,
+            projections,
         }
     }
 

pdg/src/builder.rs

@@ -70,7 +70,7 @@ impl EventKindExt for EventKind {
             Realloc { .. } => NodeKind::Alloc(1),
             Free { .. } => NodeKind::Free,
             CopyPtr(..) | CopyRef => NodeKind::Copy,
-            Project(base_ptr, new_ptr) => NodeKind::Project(new_ptr - base_ptr),
+            Project(base_ptr, new_ptr, idx) => NodeKind::Project(new_ptr - base_ptr, idx),
             LoadAddr(..) => NodeKind::LoadAddr,
             StoreAddr(..) => NodeKind::StoreAddr,
             StoreAddrTaken(..) => NodeKind::StoreAddr,

pdg/src/graph.rs

@@ -25,7 +25,7 @@ pub enum NodeKind {
     /// [`Field`] projection.
     ///
     /// Used for operations like `_2 = &(*_1).0`.
-    Project(usize),
+    Project(usize, usize),
 
     /// Pointer arithmetic.
     ///
@@ -119,7 +119,7 @@ impl Display for NodeKind {
         use NodeKind::*;
         match self {
             Copy => write!(f, "copy"),
-            Project(offset) => write!(f, "project.{offset}"),
+            Project(offset, idx) => write!(f, "project.{offset}[{idx}]"),
             Offset(offset) => write!(f, "offset[{offset}]"),
             AddrOfLocal(local) => write!(f, "&{local:?}"),
             _AddrOfStatic(static_) => write!(f, "&'static {static_:?}"),