Static Value-Flow Analysis
Loading...
Searching...
No Matches
Functions
AbstractInterpretation.cpp File Reference
#include "AE/Svfexe/AbstractInterpretation.h"
#include "AE/Svfexe/SparseAbstractInterpretation.h"
#include "AE/Svfexe/AbsExtAPI.h"
#include "SVFIR/SVFIR.h"
#include "Util/Options.h"
#include "Util/WorkList.h"
#include "Graphs/CallGraph.h"
#include "WPA/Andersen.h"
#include <cmath>
#include <memory>

Go to the source code of this file.

Functions

static const LoadStmtfindBackingLoad (const SVFVar *var)
 
static IntervalValue computeCmpConstraint (s32_t predicate, s64_t succ, bool isLHS, const IntervalValue &self, const IntervalValue &other)
 

Function Documentation

◆ computeCmpConstraint()

static IntervalValue computeCmpConstraint ( s32_t  predicate,
s64_t  succ,
bool  isLHS,
const IntervalValue self,
const IntervalValue other 
)
static

Compute the interval constraint on one cmp operand given the predicate, branch direction (succ), which side it is on, and the other operand's interval. Returns top if no useful narrowing is possible.

Called from collectBranchRefinement for each non-constant operand that has a backing load. Given a branch condition like:

cmp = icmp sgt a, 5 ; a > 5 br i1 cmp, label T, F

On the true branch (succ=1), operand a (isLHS=true) is constrained to [6, +inf). On the false branch (succ=0), a is constrained to (-inf, 5]. The result is used to narrow the ObjVar behind a's load.

Definition at line 374 of file AbstractInterpretation.cpp.

377{
378 // Normalize: always reason from the LHS perspective.
379 // If we are the RHS operand, swap the predicate direction.
380 if (!isLHS)
381 {
382 // a > b from b's perspective: b < a
383 static const Map<s32_t, s32_t> swapPred =
384 {
385 {CmpStmt::ICMP_EQ, CmpStmt::ICMP_EQ},
386 {CmpStmt::ICMP_NE, CmpStmt::ICMP_NE},
387 {CmpStmt::ICMP_SGT, CmpStmt::ICMP_SLT},
388 {CmpStmt::ICMP_SGE, CmpStmt::ICMP_SLE},
389 {CmpStmt::ICMP_SLT, CmpStmt::ICMP_SGT},
390 {CmpStmt::ICMP_SLE, CmpStmt::ICMP_SGE},
391 {CmpStmt::ICMP_UGT, CmpStmt::ICMP_ULT},
392 {CmpStmt::ICMP_UGE, CmpStmt::ICMP_ULE},
393 {CmpStmt::ICMP_ULT, CmpStmt::ICMP_UGT},
394 {CmpStmt::ICMP_ULE, CmpStmt::ICMP_UGE},
395 {CmpStmt::FCMP_OEQ, CmpStmt::FCMP_OEQ},
396 {CmpStmt::FCMP_UEQ, CmpStmt::FCMP_UEQ},
397 {CmpStmt::FCMP_OGT, CmpStmt::FCMP_OLT},
398 {CmpStmt::FCMP_OGE, CmpStmt::FCMP_OLE},
399 {CmpStmt::FCMP_OLT, CmpStmt::FCMP_OGT},
400 {CmpStmt::FCMP_OLE, CmpStmt::FCMP_OGE},
401 {CmpStmt::FCMP_UGT, CmpStmt::FCMP_ULT},
402 {CmpStmt::FCMP_UGE, CmpStmt::FCMP_ULE},
403 {CmpStmt::FCMP_ULT, CmpStmt::FCMP_UGT},
404 {CmpStmt::FCMP_ULE, CmpStmt::FCMP_UGE},
405 {CmpStmt::FCMP_ONE, CmpStmt::FCMP_ONE},
406 {CmpStmt::FCMP_UNE, CmpStmt::FCMP_UNE},
407 };
408 auto it = swapPred.find(predicate);
409 if (it == swapPred.end()) return IntervalValue::top();
410 predicate = it->second;
411 }
412
413 // If false branch, negate the predicate.
414 if (succ == 0)
415 {
416 static const Map<s32_t, s32_t> negPred =
417 {
418 {CmpStmt::ICMP_EQ, CmpStmt::ICMP_NE},
419 {CmpStmt::ICMP_NE, CmpStmt::ICMP_EQ},
420 {CmpStmt::ICMP_SGT, CmpStmt::ICMP_SLE},
421 {CmpStmt::ICMP_SGE, CmpStmt::ICMP_SLT},
422 {CmpStmt::ICMP_SLT, CmpStmt::ICMP_SGE},
423 {CmpStmt::ICMP_SLE, CmpStmt::ICMP_SGT},
424 {CmpStmt::ICMP_UGT, CmpStmt::ICMP_ULE},
425 {CmpStmt::ICMP_UGE, CmpStmt::ICMP_ULT},
426 {CmpStmt::ICMP_ULT, CmpStmt::ICMP_UGE},
427 {CmpStmt::ICMP_ULE, CmpStmt::ICMP_UGT},
428 {CmpStmt::FCMP_OEQ, CmpStmt::FCMP_ONE},
429 {CmpStmt::FCMP_UEQ, CmpStmt::FCMP_UNE},
430 {CmpStmt::FCMP_OGT, CmpStmt::FCMP_OLE},
431 {CmpStmt::FCMP_OGE, CmpStmt::FCMP_OLT},
432 {CmpStmt::FCMP_OLT, CmpStmt::FCMP_OGE},
433 {CmpStmt::FCMP_OLE, CmpStmt::FCMP_OGT},
434 {CmpStmt::FCMP_UGT, CmpStmt::FCMP_ULE},
435 {CmpStmt::FCMP_UGE, CmpStmt::FCMP_ULT},
436 {CmpStmt::FCMP_ULT, CmpStmt::FCMP_UGE},
437 {CmpStmt::FCMP_ULE, CmpStmt::FCMP_UGT},
438 {CmpStmt::FCMP_ONE, CmpStmt::FCMP_OEQ},
439 {CmpStmt::FCMP_UNE, CmpStmt::FCMP_UEQ},
440 };
441 auto it = negPred.find(predicate);
442 if (it == negPred.end()) return IntervalValue::top();
443 predicate = it->second;
444 }
445
446 // Now compute the constraint on LHS given: LHS <predicate> other
447 IntervalValue result = self;
448 switch (predicate)
449 {
450 case CmpStmt::ICMP_EQ:
451 case CmpStmt::FCMP_OEQ:
452 case CmpStmt::FCMP_UEQ:
453 result.meet_with(other);
454 break;
455 case CmpStmt::ICMP_NE:
456 case CmpStmt::FCMP_ONE:
457 case CmpStmt::FCMP_UNE:
458 case CmpStmt::FCMP_FALSE:
459 case CmpStmt::FCMP_TRUE:
460 return IntervalValue::top(); // no useful narrowing
461 case CmpStmt::ICMP_UGT:
462 case CmpStmt::ICMP_SGT:
463 case CmpStmt::FCMP_OGT:
464 case CmpStmt::FCMP_UGT:
465 result.meet_with(IntervalValue(other.lb() + 1, IntervalValue::plus_infinity()));
466 break;
467 case CmpStmt::ICMP_UGE:
468 case CmpStmt::ICMP_SGE:
469 case CmpStmt::FCMP_OGE:
470 case CmpStmt::FCMP_UGE:
471 result.meet_with(IntervalValue(other.lb(), IntervalValue::plus_infinity()));
472 break;
473 case CmpStmt::ICMP_ULT:
474 case CmpStmt::ICMP_SLT:
475 case CmpStmt::FCMP_OLT:
476 case CmpStmt::FCMP_ULT:
477 result.meet_with(IntervalValue(IntervalValue::minus_infinity(), other.ub() - 1));
478 break;
479 case CmpStmt::ICMP_ULE:
480 case CmpStmt::ICMP_SLE:
481 case CmpStmt::FCMP_OLE:
482 case CmpStmt::FCMP_ULE:
483 result.meet_with(IntervalValue(IntervalValue::minus_infinity(), other.ub()));
484 break;
485 default:
486 return IntervalValue::top();
487 }
488 return result;
489}
SVF::CmpStmt::ICMP_SGT
@ ICMP_SGT
signed greater than
Definition SVFStatements.h:1078
SVF::CmpStmt::FCMP_UEQ
@ FCMP_UEQ
1 0 0 1 True if unordered or equal
Definition SVFStatements.h:1062
SVF::CmpStmt::FCMP_ONE
@ FCMP_ONE
0 1 1 0 True if ordered and operands are unequal
Definition SVFStatements.h:1059
SVF::CmpStmt::ICMP_UGE
@ ICMP_UGE
unsigned greater or equal
Definition SVFStatements.h:1075
SVF::CmpStmt::FCMP_UGT
@ FCMP_UGT
1 0 1 0 True if unordered or greater than
Definition SVFStatements.h:1063
SVF::CmpStmt::ICMP_ULE
@ ICMP_ULE
unsigned less or equal
Definition SVFStatements.h:1077
SVF::CmpStmt::FCMP_OGE
@ FCMP_OGE
0 0 1 1 True if ordered and greater than or equal
Definition SVFStatements.h:1056
SVF::CmpStmt::FCMP_OLT
@ FCMP_OLT
0 1 0 0 True if ordered and less than
Definition SVFStatements.h:1057
SVF::CmpStmt::FCMP_OGT
@ FCMP_OGT
0 0 1 0 True if ordered and greater than
Definition SVFStatements.h:1055
SVF::CmpStmt::ICMP_NE
@ ICMP_NE
not equal
Definition SVFStatements.h:1073
SVF::CmpStmt::FCMP_TRUE
@ FCMP_TRUE
1 1 1 1 Always true (always folded)
Definition SVFStatements.h:1068
SVF::CmpStmt::ICMP_ULT
@ ICMP_ULT
unsigned less than
Definition SVFStatements.h:1076
SVF::CmpStmt::FCMP_ULE
@ FCMP_ULE
1 1 0 1 True if unordered, less than, or equal
Definition SVFStatements.h:1066
SVF::CmpStmt::ICMP_SLT
@ ICMP_SLT
signed less than
Definition SVFStatements.h:1080
SVF::CmpStmt::ICMP_UGT
@ ICMP_UGT
unsigned greater than
Definition SVFStatements.h:1074
SVF::CmpStmt::FCMP_OEQ
@ FCMP_OEQ
0 0 0 1 True if ordered and equal
Definition SVFStatements.h:1054
SVF::CmpStmt::FCMP_OLE
@ FCMP_OLE
0 1 0 1 True if ordered and less than or equal
Definition SVFStatements.h:1058
SVF::CmpStmt::FCMP_FALSE
@ FCMP_FALSE
0 0 0 0 Always false (always folded)
Definition SVFStatements.h:1053
SVF::CmpStmt::FCMP_ULT
@ FCMP_ULT
1 1 0 0 True if unordered or less than
Definition SVFStatements.h:1065
SVF::CmpStmt::FCMP_UGE
@ FCMP_UGE
1 0 1 1 True if unordered, greater than, or equal
Definition SVFStatements.h:1064
SVF::CmpStmt::ICMP_SGE
@ ICMP_SGE
signed greater or equal
Definition SVFStatements.h:1079
SVF::CmpStmt::FCMP_UNE
@ FCMP_UNE
1 1 1 0 True if unordered or not equal
Definition SVFStatements.h:1067
SVF::CmpStmt::ICMP_SLE
@ ICMP_SLE
signed less or equal
Definition SVFStatements.h:1081
SVF::IntervalValue::meet_with
void meet_with(const IntervalValue &other)
Return a intersected IntervalValue.
Definition IntervalValue.h:475
SVF::IntervalValue::minus_infinity
static BoundedInt minus_infinity()
Get minus infinity -inf.
Definition IntervalValue.h:77
SVF::IntervalValue::plus_infinity
static BoundedInt plus_infinity()
Get plus infinity +inf.
Definition IntervalValue.h:83
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76

◆ findBackingLoad()

static const LoadStmt * findBackingLoad ( const SVFVar var)
static

Given a cmp operand, walk its SSA def edge to find the LoadStmt that produced it. This lets us trace back to the ObjVar in memory so that branch narrowing can refine the stored value.

Example: for cmp = icmp sgt a, 5 where a = load i32, ptr p, calling findBackingLoad(a) returns the LoadStmt, and we can then narrow the ObjVar behind p.

Follows one level of CopyStmt (e.g., zext/sext) if the load is not directly on the cmp operand. Returns nullptr if no load is found.

Definition at line 345 of file AbstractInterpretation.cpp.

346{
347 if (var->getInEdges().empty())
348 return nullptr;
349 SVFStmt* inStmt = *var->getInEdges().begin();
350 if (const LoadStmt* ls = SVFUtil::dyn_cast<LoadStmt>(inStmt))
351 return ls;
352 if (const CopyStmt* cs = SVFUtil::dyn_cast<CopyStmt>(inStmt))
353 {
354 const SVFVar* src = cs->getRHSVar();
355 if (!src->getInEdges().empty())
356 return SVFUtil::dyn_cast<LoadStmt>(*src->getInEdges().begin());
357 }
358 return nullptr;
359}
SVF::GenericNode::getInEdges
const GEdgeSetTy & getInEdges() const
Definition GenericGraph.h:180
Generated by doxygen 1.9.8