Static Value-Flow Analysis
Loading...
Searching...
No Matches
Functions
AbstractInterpretation.cpp File Reference
#include "AE/Svfexe/AbstractInterpretation.h"
#include "AE/Svfexe/SparseAbstractInterpretation.h"
#include "AE/Svfexe/AbsExtAPI.h"
#include "SVFIR/SVFIR.h"
#include "Util/Options.h"
#include "Util/WorkList.h"
#include "Graphs/CallGraph.h"
#include "WPA/Andersen.h"
#include <cmath>
#include <deque>
#include <memory>

Go to the source code of this file.

Functions

static const LoadStmtfindBackingLoad (const SVFVar *var)
 
static IntervalValue computeCmpConstraint (s32_t predicate, s64_t succ, bool isLHS, const IntervalValue &self, const IntervalValue &other)
 

Function Documentation

◆ computeCmpConstraint()

static IntervalValue computeCmpConstraint ( s32_t  predicate,
s64_t  succ,
bool  isLHS,
const IntervalValue self,
const IntervalValue other 
)
static

Compute the interval constraint on one cmp operand given the predicate, branch direction (succ), which side it is on, and the other operand's interval. Returns top if no useful narrowing is possible.

Called from isCmpBranchFeasible for each non-constant operand that has a backing load. Given a branch condition like:

cmp = icmp sgt a, 5 ; a > 5 br i1 cmp, label T, F

On the true branch (succ=1), operand a (isLHS=true) is constrained to [6, +inf). On the false branch (succ=0), a is constrained to (-inf, 5]. The result is used to narrow the ObjVar behind a's load.

Definition at line 335 of file AbstractInterpretation.cpp.

338{
339 // Normalize: always reason from the LHS perspective.
340 // If we are the RHS operand, swap the predicate direction.
341 if (!isLHS)
342 {
343 // a > b from b's perspective: b < a
344 static const Map<s32_t, s32_t> swapPred =
345 {
346 {CmpStmt::ICMP_EQ, CmpStmt::ICMP_EQ},
347 {CmpStmt::ICMP_NE, CmpStmt::ICMP_NE},
348 {CmpStmt::ICMP_SGT, CmpStmt::ICMP_SLT},
349 {CmpStmt::ICMP_SGE, CmpStmt::ICMP_SLE},
350 {CmpStmt::ICMP_SLT, CmpStmt::ICMP_SGT},
351 {CmpStmt::ICMP_SLE, CmpStmt::ICMP_SGE},
352 {CmpStmt::ICMP_UGT, CmpStmt::ICMP_ULT},
353 {CmpStmt::ICMP_UGE, CmpStmt::ICMP_ULE},
354 {CmpStmt::ICMP_ULT, CmpStmt::ICMP_UGT},
355 {CmpStmt::ICMP_ULE, CmpStmt::ICMP_UGE},
356 {CmpStmt::FCMP_OEQ, CmpStmt::FCMP_OEQ},
357 {CmpStmt::FCMP_UEQ, CmpStmt::FCMP_UEQ},
358 {CmpStmt::FCMP_OGT, CmpStmt::FCMP_OLT},
359 {CmpStmt::FCMP_OGE, CmpStmt::FCMP_OLE},
360 {CmpStmt::FCMP_OLT, CmpStmt::FCMP_OGT},
361 {CmpStmt::FCMP_OLE, CmpStmt::FCMP_OGE},
362 {CmpStmt::FCMP_UGT, CmpStmt::FCMP_ULT},
363 {CmpStmt::FCMP_UGE, CmpStmt::FCMP_ULE},
364 {CmpStmt::FCMP_ULT, CmpStmt::FCMP_UGT},
365 {CmpStmt::FCMP_ULE, CmpStmt::FCMP_UGE},
366 {CmpStmt::FCMP_ONE, CmpStmt::FCMP_ONE},
367 {CmpStmt::FCMP_UNE, CmpStmt::FCMP_UNE},
368 };
369 auto it = swapPred.find(predicate);
370 if (it == swapPred.end()) return IntervalValue::top();
371 predicate = it->second;
372 }
373
374 // If false branch, negate the predicate.
375 if (succ == 0)
376 {
377 static const Map<s32_t, s32_t> negPred =
378 {
379 {CmpStmt::ICMP_EQ, CmpStmt::ICMP_NE},
380 {CmpStmt::ICMP_NE, CmpStmt::ICMP_EQ},
381 {CmpStmt::ICMP_SGT, CmpStmt::ICMP_SLE},
382 {CmpStmt::ICMP_SGE, CmpStmt::ICMP_SLT},
383 {CmpStmt::ICMP_SLT, CmpStmt::ICMP_SGE},
384 {CmpStmt::ICMP_SLE, CmpStmt::ICMP_SGT},
385 {CmpStmt::ICMP_UGT, CmpStmt::ICMP_ULE},
386 {CmpStmt::ICMP_UGE, CmpStmt::ICMP_ULT},
387 {CmpStmt::ICMP_ULT, CmpStmt::ICMP_UGE},
388 {CmpStmt::ICMP_ULE, CmpStmt::ICMP_UGT},
389 {CmpStmt::FCMP_OEQ, CmpStmt::FCMP_ONE},
390 {CmpStmt::FCMP_UEQ, CmpStmt::FCMP_UNE},
391 {CmpStmt::FCMP_OGT, CmpStmt::FCMP_OLE},
392 {CmpStmt::FCMP_OGE, CmpStmt::FCMP_OLT},
393 {CmpStmt::FCMP_OLT, CmpStmt::FCMP_OGE},
394 {CmpStmt::FCMP_OLE, CmpStmt::FCMP_OGT},
395 {CmpStmt::FCMP_UGT, CmpStmt::FCMP_ULE},
396 {CmpStmt::FCMP_UGE, CmpStmt::FCMP_ULT},
397 {CmpStmt::FCMP_ULT, CmpStmt::FCMP_UGE},
398 {CmpStmt::FCMP_ULE, CmpStmt::FCMP_UGT},
399 {CmpStmt::FCMP_ONE, CmpStmt::FCMP_OEQ},
400 {CmpStmt::FCMP_UNE, CmpStmt::FCMP_UEQ},
401 };
402 auto it = negPred.find(predicate);
403 if (it == negPred.end()) return IntervalValue::top();
404 predicate = it->second;
405 }
406
407 // Now compute the constraint on LHS given: LHS <predicate> other
408 IntervalValue result = self;
409 switch (predicate)
410 {
411 case CmpStmt::ICMP_EQ:
412 case CmpStmt::FCMP_OEQ:
413 case CmpStmt::FCMP_UEQ:
414 result.meet_with(other);
415 break;
416 case CmpStmt::ICMP_NE:
417 case CmpStmt::FCMP_ONE:
418 case CmpStmt::FCMP_UNE:
419 case CmpStmt::FCMP_FALSE:
420 case CmpStmt::FCMP_TRUE:
421 return IntervalValue::top(); // no useful narrowing
422 case CmpStmt::ICMP_UGT:
423 case CmpStmt::ICMP_SGT:
424 case CmpStmt::FCMP_OGT:
425 case CmpStmt::FCMP_UGT:
426 result.meet_with(IntervalValue(other.lb() + 1, IntervalValue::plus_infinity()));
427 break;
428 case CmpStmt::ICMP_UGE:
429 case CmpStmt::ICMP_SGE:
430 case CmpStmt::FCMP_OGE:
431 case CmpStmt::FCMP_UGE:
432 result.meet_with(IntervalValue(other.lb(), IntervalValue::plus_infinity()));
433 break;
434 case CmpStmt::ICMP_ULT:
435 case CmpStmt::ICMP_SLT:
436 case CmpStmt::FCMP_OLT:
437 case CmpStmt::FCMP_ULT:
438 result.meet_with(IntervalValue(IntervalValue::minus_infinity(), other.ub() - 1));
439 break;
440 case CmpStmt::ICMP_ULE:
441 case CmpStmt::ICMP_SLE:
442 case CmpStmt::FCMP_OLE:
443 case CmpStmt::FCMP_ULE:
444 result.meet_with(IntervalValue(IntervalValue::minus_infinity(), other.ub()));
445 break;
446 default:
447 return IntervalValue::top();
448 }
449 return result;
450}
SVF::CmpStmt::ICMP_SGT
@ ICMP_SGT
signed greater than
Definition SVFStatements.h:1078
SVF::CmpStmt::FCMP_UEQ
@ FCMP_UEQ
1 0 0 1 True if unordered or equal
Definition SVFStatements.h:1062
SVF::CmpStmt::FCMP_ONE
@ FCMP_ONE
0 1 1 0 True if ordered and operands are unequal
Definition SVFStatements.h:1059
SVF::CmpStmt::ICMP_UGE
@ ICMP_UGE
unsigned greater or equal
Definition SVFStatements.h:1075
SVF::CmpStmt::FCMP_UGT
@ FCMP_UGT
1 0 1 0 True if unordered or greater than
Definition SVFStatements.h:1063
SVF::CmpStmt::ICMP_ULE
@ ICMP_ULE
unsigned less or equal
Definition SVFStatements.h:1077
SVF::CmpStmt::FCMP_OGE
@ FCMP_OGE
0 0 1 1 True if ordered and greater than or equal
Definition SVFStatements.h:1056
SVF::CmpStmt::FCMP_OLT
@ FCMP_OLT
0 1 0 0 True if ordered and less than
Definition SVFStatements.h:1057
SVF::CmpStmt::FCMP_OGT
@ FCMP_OGT
0 0 1 0 True if ordered and greater than
Definition SVFStatements.h:1055
SVF::CmpStmt::ICMP_NE
@ ICMP_NE
not equal
Definition SVFStatements.h:1073
SVF::CmpStmt::FCMP_TRUE
@ FCMP_TRUE
1 1 1 1 Always true (always folded)
Definition SVFStatements.h:1068
SVF::CmpStmt::ICMP_ULT
@ ICMP_ULT
unsigned less than
Definition SVFStatements.h:1076
SVF::CmpStmt::FCMP_ULE
@ FCMP_ULE
1 1 0 1 True if unordered, less than, or equal
Definition SVFStatements.h:1066
SVF::CmpStmt::ICMP_SLT
@ ICMP_SLT
signed less than
Definition SVFStatements.h:1080
SVF::CmpStmt::ICMP_UGT
@ ICMP_UGT
unsigned greater than
Definition SVFStatements.h:1074
SVF::CmpStmt::FCMP_OEQ
@ FCMP_OEQ
0 0 0 1 True if ordered and equal
Definition SVFStatements.h:1054
SVF::CmpStmt::FCMP_OLE
@ FCMP_OLE
0 1 0 1 True if ordered and less than or equal
Definition SVFStatements.h:1058
SVF::CmpStmt::FCMP_FALSE
@ FCMP_FALSE
0 0 0 0 Always false (always folded)
Definition SVFStatements.h:1053
SVF::CmpStmt::FCMP_ULT
@ FCMP_ULT
1 1 0 0 True if unordered or less than
Definition SVFStatements.h:1065
SVF::CmpStmt::FCMP_UGE
@ FCMP_UGE
1 0 1 1 True if unordered, greater than, or equal
Definition SVFStatements.h:1064
SVF::CmpStmt::ICMP_SGE
@ ICMP_SGE
signed greater or equal
Definition SVFStatements.h:1079
SVF::CmpStmt::FCMP_UNE
@ FCMP_UNE
1 1 1 0 True if unordered or not equal
Definition SVFStatements.h:1067
SVF::CmpStmt::ICMP_SLE
@ ICMP_SLE
signed less or equal
Definition SVFStatements.h:1081
SVF::IntervalValue::meet_with
void meet_with(const IntervalValue &other)
Return a intersected IntervalValue.
Definition IntervalValue.h:475
SVF::IntervalValue::minus_infinity
static BoundedInt minus_infinity()
Get minus infinity -inf.
Definition IntervalValue.h:77
SVF::IntervalValue::plus_infinity
static BoundedInt plus_infinity()
Get plus infinity +inf.
Definition IntervalValue.h:83
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76

◆ findBackingLoad()

static const LoadStmt * findBackingLoad ( const SVFVar var)
static

Given a cmp operand, walk its SSA def edge to find the LoadStmt that produced it. This lets us trace back to the ObjVar in memory so that branch narrowing can refine the stored value.

Example: for cmp = icmp sgt a, 5 where a = load i32, ptr p, calling findBackingLoad(a) returns the LoadStmt, and we can then narrow the ObjVar behind p.

Follows one level of CopyStmt (e.g., zext/sext) if the load is not directly on the cmp operand. Returns nullptr if no load is found.

Definition at line 306 of file AbstractInterpretation.cpp.

307{
308 if (var->getInEdges().empty())
309 return nullptr;
310 SVFStmt* inStmt = *var->getInEdges().begin();
311 if (const LoadStmt* ls = SVFUtil::dyn_cast<LoadStmt>(inStmt))
312 return ls;
313 if (const CopyStmt* cs = SVFUtil::dyn_cast<CopyStmt>(inStmt))
314 {
315 const SVFVar* src = cs->getRHSVar();
316 if (!src->getInEdges().empty())
317 return SVFUtil::dyn_cast<LoadStmt>(*src->getInEdges().begin());
318 }
319 return nullptr;
320}
SVF::GenericNode::getInEdges
const GEdgeSetTy & getInEdges() const
Definition GenericGraph.h:180
Generated by doxygen 1.9.8