Static Value-Flow Analysis
Loading...
Searching...
No Matches
Functions
AbstractInterpretation.cpp File Reference
#include "AE/Svfexe/AbstractInterpretation.h"
#include "AE/Svfexe/AbsExtAPI.h"
#include "SVFIR/SVFIR.h"
#include "Util/Options.h"
#include "Util/WorkList.h"
#include "Graphs/CallGraph.h"
#include "WPA/Andersen.h"
#include <cmath>
#include <deque>

Go to the source code of this file.

Functions

static const LoadStmtfindBackingLoad (const SVFVar *var)
 
static IntervalValue computeCmpConstraint (s32_t predicate, s64_t succ, bool isLHS, const IntervalValue &self, const IntervalValue &other)
 

Function Documentation

◆ computeCmpConstraint()

static IntervalValue computeCmpConstraint ( s32_t  predicate,
s64_t  succ,
bool  isLHS,
const IntervalValue self,
const IntervalValue other 
)
static

Compute the interval constraint on one cmp operand given the predicate, branch direction (succ), which side it is on, and the other operand's interval. Returns top if no useful narrowing is possible.

Called from isCmpBranchFeasible for each non-constant operand that has a backing load. Given a branch condition like:

cmp = icmp sgt a, 5 ; a > 5 br i1 cmp, label T, F

On the true branch (succ=1), operand a (isLHS=true) is constrained to [6, +inf). On the false branch (succ=0), a is constrained to (-inf, 5]. The result is used to narrow the ObjVar behind a's load.

Definition at line 310 of file AbstractInterpretation.cpp.

313{
314 // Normalize: always reason from the LHS perspective.
315 // If we are the RHS operand, swap the predicate direction.
316 if (!isLHS)
317 {
318 // a > b from b's perspective: b < a
319 static const Map<s32_t, s32_t> swapPred =
320 {
321 {CmpStmt::ICMP_EQ, CmpStmt::ICMP_EQ},
322 {CmpStmt::ICMP_NE, CmpStmt::ICMP_NE},
323 {CmpStmt::ICMP_SGT, CmpStmt::ICMP_SLT},
324 {CmpStmt::ICMP_SGE, CmpStmt::ICMP_SLE},
325 {CmpStmt::ICMP_SLT, CmpStmt::ICMP_SGT},
326 {CmpStmt::ICMP_SLE, CmpStmt::ICMP_SGE},
327 {CmpStmt::ICMP_UGT, CmpStmt::ICMP_ULT},
328 {CmpStmt::ICMP_UGE, CmpStmt::ICMP_ULE},
329 {CmpStmt::ICMP_ULT, CmpStmt::ICMP_UGT},
330 {CmpStmt::ICMP_ULE, CmpStmt::ICMP_UGE},
331 {CmpStmt::FCMP_OEQ, CmpStmt::FCMP_OEQ},
332 {CmpStmt::FCMP_UEQ, CmpStmt::FCMP_UEQ},
333 {CmpStmt::FCMP_OGT, CmpStmt::FCMP_OLT},
334 {CmpStmt::FCMP_OGE, CmpStmt::FCMP_OLE},
335 {CmpStmt::FCMP_OLT, CmpStmt::FCMP_OGT},
336 {CmpStmt::FCMP_OLE, CmpStmt::FCMP_OGE},
337 {CmpStmt::FCMP_UGT, CmpStmt::FCMP_ULT},
338 {CmpStmt::FCMP_UGE, CmpStmt::FCMP_ULE},
339 {CmpStmt::FCMP_ULT, CmpStmt::FCMP_UGT},
340 {CmpStmt::FCMP_ULE, CmpStmt::FCMP_UGE},
341 {CmpStmt::FCMP_ONE, CmpStmt::FCMP_ONE},
342 {CmpStmt::FCMP_UNE, CmpStmt::FCMP_UNE},
343 };
344 auto it = swapPred.find(predicate);
345 if (it == swapPred.end()) return IntervalValue::top();
346 predicate = it->second;
347 }
348
349 // If false branch, negate the predicate.
350 if (succ == 0)
351 {
352 static const Map<s32_t, s32_t> negPred =
353 {
354 {CmpStmt::ICMP_EQ, CmpStmt::ICMP_NE},
355 {CmpStmt::ICMP_NE, CmpStmt::ICMP_EQ},
356 {CmpStmt::ICMP_SGT, CmpStmt::ICMP_SLE},
357 {CmpStmt::ICMP_SGE, CmpStmt::ICMP_SLT},
358 {CmpStmt::ICMP_SLT, CmpStmt::ICMP_SGE},
359 {CmpStmt::ICMP_SLE, CmpStmt::ICMP_SGT},
360 {CmpStmt::ICMP_UGT, CmpStmt::ICMP_ULE},
361 {CmpStmt::ICMP_UGE, CmpStmt::ICMP_ULT},
362 {CmpStmt::ICMP_ULT, CmpStmt::ICMP_UGE},
363 {CmpStmt::ICMP_ULE, CmpStmt::ICMP_UGT},
364 {CmpStmt::FCMP_OEQ, CmpStmt::FCMP_ONE},
365 {CmpStmt::FCMP_UEQ, CmpStmt::FCMP_UNE},
366 {CmpStmt::FCMP_OGT, CmpStmt::FCMP_OLE},
367 {CmpStmt::FCMP_OGE, CmpStmt::FCMP_OLT},
368 {CmpStmt::FCMP_OLT, CmpStmt::FCMP_OGE},
369 {CmpStmt::FCMP_OLE, CmpStmt::FCMP_OGT},
370 {CmpStmt::FCMP_UGT, CmpStmt::FCMP_ULE},
371 {CmpStmt::FCMP_UGE, CmpStmt::FCMP_ULT},
372 {CmpStmt::FCMP_ULT, CmpStmt::FCMP_UGE},
373 {CmpStmt::FCMP_ULE, CmpStmt::FCMP_UGT},
374 {CmpStmt::FCMP_ONE, CmpStmt::FCMP_OEQ},
375 {CmpStmt::FCMP_UNE, CmpStmt::FCMP_UEQ},
376 };
377 auto it = negPred.find(predicate);
378 if (it == negPred.end()) return IntervalValue::top();
379 predicate = it->second;
380 }
381
382 // Now compute the constraint on LHS given: LHS <predicate> other
383 IntervalValue result = self;
384 switch (predicate)
385 {
386 case CmpStmt::ICMP_EQ:
387 case CmpStmt::FCMP_OEQ:
388 case CmpStmt::FCMP_UEQ:
389 result.meet_with(other);
390 break;
391 case CmpStmt::ICMP_NE:
392 case CmpStmt::FCMP_ONE:
393 case CmpStmt::FCMP_UNE:
394 case CmpStmt::FCMP_FALSE:
395 case CmpStmt::FCMP_TRUE:
396 return IntervalValue::top(); // no useful narrowing
397 case CmpStmt::ICMP_UGT:
398 case CmpStmt::ICMP_SGT:
399 case CmpStmt::FCMP_OGT:
400 case CmpStmt::FCMP_UGT:
401 result.meet_with(IntervalValue(other.lb() + 1, IntervalValue::plus_infinity()));
402 break;
403 case CmpStmt::ICMP_UGE:
404 case CmpStmt::ICMP_SGE:
405 case CmpStmt::FCMP_OGE:
406 case CmpStmt::FCMP_UGE:
407 result.meet_with(IntervalValue(other.lb(), IntervalValue::plus_infinity()));
408 break;
409 case CmpStmt::ICMP_ULT:
410 case CmpStmt::ICMP_SLT:
411 case CmpStmt::FCMP_OLT:
412 case CmpStmt::FCMP_ULT:
413 result.meet_with(IntervalValue(IntervalValue::minus_infinity(), other.ub() - 1));
414 break;
415 case CmpStmt::ICMP_ULE:
416 case CmpStmt::ICMP_SLE:
417 case CmpStmt::FCMP_OLE:
418 case CmpStmt::FCMP_ULE:
419 result.meet_with(IntervalValue(IntervalValue::minus_infinity(), other.ub()));
420 break;
421 default:
422 return IntervalValue::top();
423 }
424 return result;
425}
SVF::CmpStmt::ICMP_SGT
@ ICMP_SGT
signed greater than
Definition SVFStatements.h:1078
SVF::CmpStmt::FCMP_UEQ
@ FCMP_UEQ
1 0 0 1 True if unordered or equal
Definition SVFStatements.h:1062
SVF::CmpStmt::FCMP_ONE
@ FCMP_ONE
0 1 1 0 True if ordered and operands are unequal
Definition SVFStatements.h:1059
SVF::CmpStmt::ICMP_UGE
@ ICMP_UGE
unsigned greater or equal
Definition SVFStatements.h:1075
SVF::CmpStmt::FCMP_UGT
@ FCMP_UGT
1 0 1 0 True if unordered or greater than
Definition SVFStatements.h:1063
SVF::CmpStmt::ICMP_ULE
@ ICMP_ULE
unsigned less or equal
Definition SVFStatements.h:1077
SVF::CmpStmt::FCMP_OGE
@ FCMP_OGE
0 0 1 1 True if ordered and greater than or equal
Definition SVFStatements.h:1056
SVF::CmpStmt::FCMP_OLT
@ FCMP_OLT
0 1 0 0 True if ordered and less than
Definition SVFStatements.h:1057
SVF::CmpStmt::FCMP_OGT
@ FCMP_OGT
0 0 1 0 True if ordered and greater than
Definition SVFStatements.h:1055
SVF::CmpStmt::ICMP_NE
@ ICMP_NE
not equal
Definition SVFStatements.h:1073
SVF::CmpStmt::FCMP_TRUE
@ FCMP_TRUE
1 1 1 1 Always true (always folded)
Definition SVFStatements.h:1068
SVF::CmpStmt::ICMP_ULT
@ ICMP_ULT
unsigned less than
Definition SVFStatements.h:1076
SVF::CmpStmt::FCMP_ULE
@ FCMP_ULE
1 1 0 1 True if unordered, less than, or equal
Definition SVFStatements.h:1066
SVF::CmpStmt::ICMP_SLT
@ ICMP_SLT
signed less than
Definition SVFStatements.h:1080
SVF::CmpStmt::ICMP_UGT
@ ICMP_UGT
unsigned greater than
Definition SVFStatements.h:1074
SVF::CmpStmt::FCMP_OEQ
@ FCMP_OEQ
0 0 0 1 True if ordered and equal
Definition SVFStatements.h:1054
SVF::CmpStmt::FCMP_OLE
@ FCMP_OLE
0 1 0 1 True if ordered and less than or equal
Definition SVFStatements.h:1058
SVF::CmpStmt::FCMP_FALSE
@ FCMP_FALSE
0 0 0 0 Always false (always folded)
Definition SVFStatements.h:1053
SVF::CmpStmt::FCMP_ULT
@ FCMP_ULT
1 1 0 0 True if unordered or less than
Definition SVFStatements.h:1065
SVF::CmpStmt::FCMP_UGE
@ FCMP_UGE
1 0 1 1 True if unordered, greater than, or equal
Definition SVFStatements.h:1064
SVF::CmpStmt::ICMP_SGE
@ ICMP_SGE
signed greater or equal
Definition SVFStatements.h:1079
SVF::CmpStmt::FCMP_UNE
@ FCMP_UNE
1 1 1 0 True if unordered or not equal
Definition SVFStatements.h:1067
SVF::CmpStmt::ICMP_SLE
@ ICMP_SLE
signed less or equal
Definition SVFStatements.h:1081
SVF::IntervalValue::meet_with
void meet_with(const IntervalValue &other)
Return a intersected IntervalValue.
Definition IntervalValue.h:475
SVF::IntervalValue::minus_infinity
static BoundedInt minus_infinity()
Get minus infinity -inf.
Definition IntervalValue.h:77
SVF::IntervalValue::plus_infinity
static BoundedInt plus_infinity()
Get plus infinity +inf.
Definition IntervalValue.h:83
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76

◆ findBackingLoad()

static const LoadStmt * findBackingLoad ( const SVFVar var)
static

Given a cmp operand, walk its SSA def edge to find the LoadStmt that produced it. This lets us trace back to the ObjVar in memory so that branch narrowing can refine the stored value.

Example: for cmp = icmp sgt a, 5 where a = load i32, ptr p, calling findBackingLoad(a) returns the LoadStmt, and we can then narrow the ObjVar behind p.

Follows one level of CopyStmt (e.g., zext/sext) if the load is not directly on the cmp operand. Returns nullptr if no load is found.

Definition at line 281 of file AbstractInterpretation.cpp.

282{
283 if (var->getInEdges().empty())
284 return nullptr;
285 SVFStmt* inStmt = *var->getInEdges().begin();
286 if (const LoadStmt* ls = SVFUtil::dyn_cast<LoadStmt>(inStmt))
287 return ls;
288 if (const CopyStmt* cs = SVFUtil::dyn_cast<CopyStmt>(inStmt))
289 {
290 const SVFVar* src = cs->getRHSVar();
291 if (!src->getInEdges().empty())
292 return SVFUtil::dyn_cast<LoadStmt>(*src->getInEdges().begin());
293 }
294 return nullptr;
295}
SVF::GenericNode::getInEdges
const GEdgeSetTy & getInEdges() const
Definition GenericGraph.h:180
Generated by doxygen 1.9.8