ARCH3.md (1232B)
# ARCH3: Call Handling and Inter-Procedural Boundaries

## Problem

The tool claims "no inter-procedural analysis", but the CFG currently
adds a successor edge from a `bl` site to the callee's block whenever the
target label is resolvable in the same assembly file. Taint then flows
into the callee's blocks as if they were intra-procedural, which can
under-report violations or smear caller taint across unrelated code. It
also makes results depend on file layout: the same call is treated
differently depending on whether the callee happens to be defined in the
same file.

## Goal

Enforce a clear intra-procedural boundary for calls:

- Calls must not create CFG edges to callee blocks, whether or not the
  target label is resolvable.
- The taint effect of a call is modeled conservatively at the call site:
  invalidate caller-saved registers only, or apply a configurable summary.

## Approach

- Treat `bl`/`blr` as block terminators for intra-procedural CFG purposes,
  with no explicit successor labels (the call target is never a successor).
- Preserve fallthrough after calls: the block that follows the call in the
  same sequence is the call site's only successor.
- Keep the existing call-site taint model (invalidate caller-saved
  registers) as the sole effect of a call.

## Rationale

This aligns behavior with the stated limitation and removes the accidental
inter-procedural propagation that occurs whenever the callee label is
present in the same asm file. Analysis results no longer change based on
which symbols share a file with the caller.

## Future Extension

Introduce optional call summaries to model callee effects (e.g. a JSON
summary per symbol), but keep them explicit and opt-in; without a summary,
the default stays caller-saved invalidation.
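The call boundary described in Problem, Goal and Approach, as an added example that is not the tool's own code: a small Python block-level CFG builder and forward may-taint pass over AArch64-style assembly text. The `link_calls` flag reproduces the current behaviour (edge into a callee whose label resolves in the same file); the default applies the ARCH3 rule (call is a terminator, fallthrough is the only successor, caller-saved registers are invalidated at the call site). The caller-saved set (AAPCS64 x0-x17 plus x30, with x18 left out), the synthetic `.fallN` block labels, the `NO_DEF` instruction list and the sample listing are all assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass, field

# AAPCS64 caller-saved registers: x0-x17 plus the link register x30.
# Assumption for this example: x18 (platform register) is not invalidated.
CALLER_SAVED = {f"x{i}" for i in range(18)} | {"x30"}
COND_BRANCHES = ("b.", "cbz", "cbnz", "tbz", "tbnz")          # target + fallthrough
NO_DEF = {"cmp", "cmn", "tst", "str", "strb", "strh", "stp"}   # write no register

# Constructed sample: x1 points at untrusted input; `helper` is defined in the same file.
SAMPLE = """
main:
    ldr x0, [x1]      ; x0 <- untrusted input
    mov x19, x0       ; callee-saved copy survives the call
    bl helper         ; callee label resolvable in this file
    add x2, x0, #1    ; x0 is now the callee's return value
    add x3, x19, #1   ; x19 still carries the input taint
    ret
helper:
    mov x0, #0
    ret
"""

@dataclass
class Block:
    label: str
    insns: list = field(default_factory=list)   # (mnemonic, [operands])
    succs: list = field(default_factory=list)   # successor labels

def is_terminator(mnem):
    return mnem in ("b", "bl", "blr", "br", "ret") or mnem.startswith(COND_BRANCHES)

def parse_blocks(asm):
    """A block starts at a label or right after a terminator (synthetic .fallN label)."""
    blocks, anon = [], 0
    for raw in asm.splitlines():
        line = re.split(r";|//", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.endswith(":"):
            blocks.append(Block(line[:-1]))
            continue
        if not blocks or (blocks[-1].insns and is_terminator(blocks[-1].insns[-1][0])):
            anon += 1
            blocks.append(Block(f".fall{anon}"))
        mnem, _, rest = line.partition(" ")
        blocks[-1].insns.append((mnem, [o.strip() for o in rest.split(",")] if rest else []))
    return blocks

def build_cfg(blocks, link_calls=False):
    """Attach successors. Calls keep only the fallthrough edge unless
    link_calls=True, which re-enables the pre-ARCH3 edge into the callee."""
    labels = {b.label: b for b in blocks}
    for i, b in enumerate(blocks):
        nxt = [blocks[i + 1].label] if i + 1 < len(blocks) else []
        mnem, ops = b.insns[-1] if b.insns else ("", [])
        target = ops[-1] if ops else None
        if mnem == "b":
            b.succs = [target]
        elif mnem in ("ret", "br"):
            b.succs = []
        elif mnem in ("bl", "blr"):
            b.succs = nxt + ([target] if link_calls and target in labels else [])
        elif mnem.startswith(COND_BRANCHES):
            b.succs = [target] + nxt
        else:
            b.succs = nxt
    return labels

def transfer(block, tainted):
    """Forward may-taint over one block; a call only clears caller-saved registers."""
    t = set(tainted)
    for mnem, ops in block.insns:
        if mnem in ("bl", "blr"):
            t -= CALLER_SAVED
        elif is_terminator(mnem) or mnem in NO_DEF or not ops:
            continue
        elif set(re.findall(r"\bx\d+\b", " ".join(ops[1:]))) & t:
            t.add(ops[0])
        else:
            t.discard(ops[0])      # destination rewritten from clean sources
    return t

def analyze(asm, entry_taint, link_calls=False):
    """Worklist fixpoint over the CFG; returns per-block in/out taint sets."""
    blocks = parse_blocks(asm)
    labels = build_cfg(blocks, link_calls)
    ins = {b.label: set() for b in blocks}
    outs = {b.label: set() for b in blocks}
    ins[blocks[0].label] = set(entry_taint)
    work = [b.label for b in blocks]
    while work:
        lbl = work.pop()
        outs[lbl] = transfer(labels[lbl], ins[lbl])
        for s in labels[lbl].succs:
            if s in ins and not outs[lbl] <= ins[s]:
                ins[s] |= outs[lbl]
                work.append(s)
    return ins, outs
```

Running `analyze(SAMPLE, {"x1"})` leaves `helper`'s in-set empty and reports `{x19, x3}` live after the call (x0 and x2 are clean because the call invalidated x0); `analyze(SAMPLE, {"x1"}, link_calls=True)` shows the smear the note describes, with x19 flowing into `helper` purely because its label is in the same listing.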