Enhance function return type recovery in `RemillArgumentRecovery`
surovic opened this issue · comments
Marek Surovič commented
As it is now, the analysis of function return types implemented in RecoverRetType()
in the RemillArgumentRecovery
pass is pretty limited and would benefit from some enhancing.
@pgoodman in #13 proposed the following:
I think you need to look at all paths leading to a
ret
. You might be able to simplify your life using some existing CFG pass that restructures the function. This may need to be applied to a clone of the function.
What I would consider looking into would be an combination inside-out and outside-in approach:
- look for all definitions of return registers that lead to a
ret
, add those tostored_regs[func]
.- for every call to a
func
present instored_regs[func]
, check if the anything fromstored_regs[func]
is used on a path that is reachable from thecall
, then doret_reg[func][reg] += 1
to add confidence to that register.- If one function tail-calls another, then you may want to union together
stored_regs[caller] += stored_regs[callee]
.- In descending order of confidence, type check
ret_regs[func]
for each function.- Some functions in
stored_regs
are never directly called, fall back to an approach like what you have, but expand it so that it looks beyond the terminal blocks.