Static Value-Flow Analysis
Loading...
Searching...
No Matches
AbstractInterpretation.cpp
Go to the documentation of this file.
1//===- AbstractExecution.cpp -- Abstract Execution---------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created on: Jan 10, 2024
26// Author: Xiao Cheng, Jiawei Wang
27//
28
29#include "AE/Svfexe/AbstractInterpretation.h"
30#include "AE/Svfexe/AbsExtAPI.h"
31#include "SVFIR/SVFIR.h"
32#include "Util/Options.h"
33#include "Util/WorkList.h"
34#include "Graphs/CallGraph.h"
35#include "WPA/Andersen.h"
36#include <cmath>
37#include <deque>
38
39using namespace SVF;
40using namespace SVFUtil;
41
42
43void AbstractInterpretation::runOnModule(ICFG *_icfg)
44{
45 stat->startClk();
46 icfg = _icfg;
47 svfir = PAG::getPAG();
48 utils = new AbsExtAPI(abstractTrace);
49
50 // Run Andersen's pointer analysis and build WTO
51 preAnalysis = new PreAnalysis(svfir, icfg);
52 callGraph = preAnalysis->getCallGraph();
53 icfg->updateCallGraph(callGraph);
54 preAnalysis->initWTO();
55
57 utils->collectCheckPoint();
58
59 analyse();
60 utils->checkPointAllSet();
61 stat->endClk();
62 stat->finializeStat();
63 if (Options::PStat())
64 stat->performStat();
65 for (auto& detector: detectors)
66 detector->reportBug();
67}
68
73
74AbstractState& AbstractInterpretation::getAbstractState(const ICFGNode* node)
75{
76 if (abstractTrace.count(node) == 0)
77 {
78 assert(false && "No preAbsTrace for this node");
79 abort();
80 }
81 else
82 {
83 return abstractTrace[node];
84 }
85}
86
87bool AbstractInterpretation::hasAbstractState(const ICFGNode* node)
88{
89 return abstractTrace.count(node) != 0;
90}
91
92const AbstractValue& AbstractInterpretation::getAbstractValue(const ValVar* var)
93{
94 AbstractState& as = getAbstractState(var->getICFGNode());
95 return as[var->getId()];
96}
97
104
105const AbstractValue& AbstractInterpretation::getAbstractValue(const ICFGNode* node, const SVFVar* var)
106{
107 if (const ValVar* valVar = SVFUtil::dyn_cast<ValVar>(var))
108 return getAbstractValue(valVar);
109 else if (const ObjVar* objVar = SVFUtil::dyn_cast<ObjVar>(var))
110 return getAbstractValue(node, objVar);
111 assert(false && "Unknown SVFVar kind");
112 abort();
113}
114
115void AbstractInterpretation::updateAbstractValue(const ValVar* var, const AbstractValue& val)
116{
117 AbstractState& as = getAbstractState(var->getICFGNode());
118 as[var->getId()] = val;
119}
120
127
128void AbstractInterpretation::updateAbstractValue(const ICFGNode* node, const SVFVar* var, const AbstractValue& val)
129{
130 if (const ValVar* valVar = SVFUtil::dyn_cast<ValVar>(var))
131 updateAbstractValue(valVar, val);
132 else if (const ObjVar* objVar = SVFUtil::dyn_cast<ObjVar>(var))
133 updateAbstractValue(node, objVar, val);
134 else
135 assert(false && "Unknown SVFVar kind");
136}
137
138void AbstractInterpretation::getAbstractState(const ICFGNode* node, const Set<const ValVar*>& vars, AbstractState& result)
139{
140 AbstractState& as = getAbstractState(node);
141 for (const ValVar* var : vars)
142 {
143 u32_t id = var->getId();
144 result[id] = as[id];
145 }
146}
147
148void AbstractInterpretation::getAbstractState(const ICFGNode* node, const Set<const ObjVar*>& vars, AbstractState& result)
149{
150 AbstractState& as = getAbstractState(node);
151 for (const ObjVar* var : vars)
152 {
153 u32_t addr = AbstractState::getVirtualMemAddress(var->getId());
154 result.store(addr, as.load(addr));
155 }
156}
157
158void AbstractInterpretation::getAbstractState(const ICFGNode* node, const Set<const SVFVar*>& vars, AbstractState& result)
159{
160 AbstractState& as = getAbstractState(node);
161 for (const SVFVar* var : vars)
162 {
163 if (const ValVar* valVar = SVFUtil::dyn_cast<ValVar>(var))
164 {
165 u32_t id = valVar->getId();
166 result[id] = as[id];
167 }
168 else if (const ObjVar* objVar = SVFUtil::dyn_cast<ObjVar>(var))
169 {
170 u32_t addr = AbstractState::getVirtualMemAddress(objVar->getId());
171 result.store(addr, as.load(addr));
172 }
173 }
174}
175
184
191
195std::deque<const FunObjVar*> AbstractInterpretation::collectProgEntryFuns()
196{
197 std::deque<const FunObjVar*> entryFunctions;
198
199 for (auto it = callGraph->begin(); it != callGraph->end(); ++it)
200 {
201 const CallGraphNode* cgNode = it->second;
202 const FunObjVar* fun = cgNode->getFunction();
203
204 // Skip declarations
205 if (fun->isDeclaration())
206 continue;
207
208 // Entry points are functions without callers (no incoming edges)
209 if (cgNode->getInEdges().empty())
210 {
211 // If main exists, put it first for priority using deque's push_front
212 if (fun->getName() == "main")
213 {
214 entryFunctions.push_front(fun);
215 }
216 else
217 {
218 entryFunctions.push_back(fun);
219 }
220 }
221 }
222
223 return entryFunctions;
224}
225
226
228void AbstractInterpretation::analyse()
229{
230 // Always use multi-entry analysis from all entry points
231 analyzeFromAllProgEntries();
232}
233
237void AbstractInterpretation::analyzeFromAllProgEntries()
238{
239 // Collect all entry point functions
240 std::deque<const FunObjVar*> entryFunctions = collectProgEntryFuns();
241
242 if (entryFunctions.empty())
243 {
244 assert(false && "No entry functions found for analysis");
245 return;
246 }
247 // handle Global ICFGNode of SVFModule
248 handleGlobalNode();
249 for (const FunObjVar* entryFun : entryFunctions)
250 {
251 const ICFGNode* funEntry = icfg->getFunEntryICFGNode(entryFun);
252 handleFunction(funEntry);
253 }
254}
255
261void AbstractInterpretation::handleGlobalNode()
262{
263 const ICFGNode* node = icfg->getGlobalICFGNode();
264 abstractTrace[node] = AbstractState();
265 abstractTrace[node][IRGraph::NullPtr] = AddressValue();
266
267 // Global Node, we just need to handle addr, load, store, copy and gep
268 for (const SVFStmt *stmt: node->getSVFStmts())
269 {
270 handleSVFStatement(stmt);
271 }
272
273 // BlkPtr represents a pointer whose target is statically unknown (e.g., from
274 // int2ptr casts, external function returns, or unmodeled instructions like
275 // AtomicCmpXchg). It should be an address pointing to the BlackHole object
276 // (ID=2), NOT an interval top.
277 //
278 // History: this was originally set to IntervalValue::top() as a quick fix when
279 // the analysis crashed on programs containing uninitialized BlkPtr. However,
280 // BlkPtr is semantically a *pointer* (address domain), not a numeric value
281 // (interval domain). Setting it to interval top broke cross-domain consistency:
282 // the interval domain and address domain gave contradictory information for the
283 // same variable. The correct representation is an AddressValue containing the
284 // BlackHole virtual address, which means "points to unknown memory".
285 abstractTrace[node][PAG::getPAG()->getBlkPtr()] =
286 AddressValue(BlackHoleObjAddr);
287}
288
293bool AbstractInterpretation::mergeStatesFromPredecessors(const ICFGNode* node)
294{
295 std::vector<AbstractState> workList;
296 for (auto& edge : node->getInEdges())
297 {
298 const ICFGNode* pred = edge->getSrcNode();
299 if (abstractTrace.find(pred) == abstractTrace.end())
300 continue;
301
302 if (const IntraCFGEdge* intraCfgEdge = SVFUtil::dyn_cast<IntraCFGEdge>(edge))
303 {
304 AbstractState tmpState = abstractTrace[pred];
305 if (intraCfgEdge->getCondition())
306 {
307 if (isBranchFeasible(intraCfgEdge, tmpState))
308 workList.push_back(tmpState);
309 }
310 else
311 {
312 workList.push_back(tmpState);
313 }
314 }
315 else if (SVFUtil::isa<CallCFGEdge>(edge))
316 {
317 workList.push_back(abstractTrace[pred]);
318 }
319 else if (SVFUtil::isa<RetCFGEdge>(edge))
320 {
321 switch (Options::HandleRecur())
322 {
323 case TOP:
324 {
325 workList.push_back(abstractTrace[pred]);
326 break;
327 }
328 case WIDEN_ONLY:
329 case WIDEN_NARROW:
330 {
331 const RetICFGNode* returnSite = SVFUtil::dyn_cast<RetICFGNode>(node);
332 const CallICFGNode* callSite = returnSite->getCallICFGNode();
333 if (hasAbstractState(callSite))
334 workList.push_back(abstractTrace[pred]);
335 break;
336 }
337 }
338 }
339 }
340
341 if (workList.empty())
342 return false;
343
344 auto it = workList.begin();
345 abstractTrace[node] = *it;
346 for (++it; it != workList.end(); ++it)
347 abstractTrace[node].joinWith(*it);
348
349 return true;
350}
351
352
353bool AbstractInterpretation::isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t succ,
354 AbstractState& as)
355{
356 AbstractState new_es = as;
357 // get cmp stmt's op0, op1, and predicate
358 NodeID op0 = cmpStmt->getOpVarID(0);
359 NodeID op1 = cmpStmt->getOpVarID(1);
360 NodeID res_id = cmpStmt->getResID();
361 s32_t predicate = cmpStmt->getPredicate();
362 // if op0 or op1 is nullptr, no need to change value, just copy the state
363 if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr)
364 {
365 as = new_es;
366 return true;
367 }
368 // if op0 or op1 is undefined, return;
369 // skip address compare
370 if (new_es.inVarToAddrsTable(op0) || new_es.inVarToAddrsTable(op1))
371 {
372 as = new_es;
373 return true;
374 }
375 const LoadStmt *load_op0 = nullptr;
376 const LoadStmt *load_op1 = nullptr;
377 // get '%1 = load i32 s', and load inst may not exist
378 const SVFVar* loadVar0 = getSVFVar(op0);
379 if (!loadVar0->getInEdges().empty())
380 {
381 SVFStmt *loadVar0InStmt = *loadVar0->getInEdges().begin();
382 if (const LoadStmt *loadStmt = SVFUtil::dyn_cast<LoadStmt>(loadVar0InStmt))
383 {
384 load_op0 = loadStmt;
385 }
386 else if (const CopyStmt *copyStmt = SVFUtil::dyn_cast<CopyStmt>(loadVar0InStmt))
387 {
388 loadVar0 = getSVFVar(copyStmt->getRHSVarID());
389 if (!loadVar0->getInEdges().empty())
390 {
391 SVFStmt *loadVar0InStmt2 = *loadVar0->getInEdges().begin();
392 if (const LoadStmt *loadStmt = SVFUtil::dyn_cast<LoadStmt>(loadVar0InStmt2))
393 {
394 load_op0 = loadStmt;
395 }
396 }
397 }
398 }
399
400 const SVFVar* loadVar1 = getSVFVar(op1);
401 if (!loadVar1->getInEdges().empty())
402 {
403 SVFStmt *loadVar1InStmt = *loadVar1->getInEdges().begin();
404 if (const LoadStmt *loadStmt = SVFUtil::dyn_cast<LoadStmt>(loadVar1InStmt))
405 {
406 load_op1 = loadStmt;
407 }
408 else if (const CopyStmt *copyStmt = SVFUtil::dyn_cast<CopyStmt>(loadVar1InStmt))
409 {
410 loadVar1 = getSVFVar(copyStmt->getRHSVarID());
411 if (!loadVar1->getInEdges().empty())
412 {
413 SVFStmt *loadVar1InStmt2 = *loadVar1->getInEdges().begin();
414 if (const LoadStmt *loadStmt = SVFUtil::dyn_cast<LoadStmt>(loadVar1InStmt2))
415 {
416 load_op1 = loadStmt;
417 }
418 }
419 }
420 }
421 // for const X const, we may get concrete resVal instantly
422 // for var X const, we may get [0,1] if the intersection of var and const is not empty set
423 IntervalValue resVal = new_es[res_id].getInterval();
424 resVal.meet_with(IntervalValue((s64_t) succ, succ));
425 // If Var X const generates bottom value, it means this branch path is not feasible.
426 if (resVal.isBottom())
427 {
428 return false;
429 }
430
431 bool b0 = new_es[op0].getInterval().is_numeral();
432 bool b1 = new_es[op1].getInterval().is_numeral();
433
434 // if const X var, we should reverse op0 and op1.
435 if (b0 && !b1)
436 {
437 std::swap(op0, op1);
438 std::swap(load_op0, load_op1);
439 predicate = _switch_lhsrhs_predicate[predicate];
440 }
441 else
442 {
443 // if var X var, we cannot preset the branch condition to infer the intervals of var0,var1
444 if (!b0 && !b1)
445 {
446 as = new_es;
447 return true;
448 }
449 // if const X const, we can instantly get the resVal
450 else if (b0 && b1)
451 {
452 as = new_es;
453 return true;
454 }
455 }
456 // if cmp is 'var X const == false', we should reverse predicate 'var X' const == true'
457 // X' is reverse predicate of X
458 if (succ == 0)
459 {
460 predicate = _reverse_predicate[predicate];
461 }
462 else {}
463 // change interval range according to the compare predicate
464 AddressValue addrs;
465 if(load_op0 && new_es.inVarToAddrsTable(load_op0->getRHSVarID()))
466 addrs = new_es[load_op0->getRHSVarID()].getAddrs();
467
468 IntervalValue &lhs = new_es[op0].getInterval(), &rhs = new_es[op1].getInterval();
469 switch (predicate)
470 {
471 case CmpStmt::Predicate::ICMP_EQ:
472 case CmpStmt::Predicate::FCMP_OEQ:
473 case CmpStmt::Predicate::FCMP_UEQ:
474 {
475 // Var == Const, so [var.lb, var.ub].meet_with(const)
476 lhs.meet_with(rhs);
477 // if lhs is register value, we should also change its mem obj
478 for (const auto &addr: addrs)
479 {
480 NodeID objId = new_es.getIDFromAddr(addr);
481 if (new_es.inAddrToValTable(objId))
482 {
483 new_es.load(addr).meet_with(rhs);
484 }
485 }
486 break;
487 }
488 case CmpStmt::Predicate::ICMP_NE:
489 case CmpStmt::Predicate::FCMP_ONE:
490 case CmpStmt::Predicate::FCMP_UNE:
491 // Compliment set
492 break;
493 case CmpStmt::Predicate::ICMP_UGT:
494 case CmpStmt::Predicate::ICMP_SGT:
495 case CmpStmt::Predicate::FCMP_OGT:
496 case CmpStmt::Predicate::FCMP_UGT:
497 // Var > Const, so [var.lb, var.ub].meet_with([Const+1, +INF])
498 lhs.meet_with(IntervalValue(rhs.lb() + 1, IntervalValue::plus_infinity()));
499 // if lhs is register value, we should also change its mem obj
500 for (const auto &addr: addrs)
501 {
502 NodeID objId = new_es.getIDFromAddr(addr);
503 if (new_es.inAddrToValTable(objId))
504 {
505 new_es.load(addr).meet_with(
506 IntervalValue(rhs.lb() + 1, IntervalValue::plus_infinity()));
507 }
508 }
509 break;
510 case CmpStmt::Predicate::ICMP_UGE:
511 case CmpStmt::Predicate::ICMP_SGE:
512 case CmpStmt::Predicate::FCMP_OGE:
513 case CmpStmt::Predicate::FCMP_UGE:
514 {
515 // Var >= Const, so [var.lb, var.ub].meet_with([Const, +INF])
516 lhs.meet_with(IntervalValue(rhs.lb(), IntervalValue::plus_infinity()));
517 // if lhs is register value, we should also change its mem obj
518 for (const auto &addr: addrs)
519 {
520 NodeID objId = new_es.getIDFromAddr(addr);
521 if (new_es.inAddrToValTable(objId))
522 {
523 new_es.load(addr).meet_with(
524 IntervalValue(rhs.lb(), IntervalValue::plus_infinity()));
525 }
526 }
527 break;
528 }
529 case CmpStmt::Predicate::ICMP_ULT:
530 case CmpStmt::Predicate::ICMP_SLT:
531 case CmpStmt::Predicate::FCMP_OLT:
532 case CmpStmt::Predicate::FCMP_ULT:
533 {
534 // Var < Const, so [var.lb, var.ub].meet_with([-INF, const.ub-1])
535 lhs.meet_with(IntervalValue(IntervalValue::minus_infinity(), rhs.ub() - 1));
536 // if lhs is register value, we should also change its mem obj
537 for (const auto &addr: addrs)
538 {
539 NodeID objId = new_es.getIDFromAddr(addr);
540 if (new_es.inAddrToValTable(objId))
541 {
542 new_es.load(addr).meet_with(
543 IntervalValue(IntervalValue::minus_infinity(), rhs.ub() - 1));
544 }
545 }
546 break;
547 }
548 case CmpStmt::Predicate::ICMP_ULE:
549 case CmpStmt::Predicate::ICMP_SLE:
550 case CmpStmt::Predicate::FCMP_OLE:
551 case CmpStmt::Predicate::FCMP_ULE:
552 {
553 // Var <= Const, so [var.lb, var.ub].meet_with([-INF, const.ub])
554 lhs.meet_with(IntervalValue(IntervalValue::minus_infinity(), rhs.ub()));
555 // if lhs is register value, we should also change its mem obj
556 for (const auto &addr: addrs)
557 {
558 NodeID objId = new_es.getIDFromAddr(addr);
559 if (new_es.inAddrToValTable(objId))
560 {
561 new_es.load(addr).meet_with(
562 IntervalValue(IntervalValue::minus_infinity(), rhs.ub()));
563 }
564 }
565 break;
566 }
567 case CmpStmt::Predicate::FCMP_FALSE:
568 break;
569 case CmpStmt::Predicate::FCMP_TRUE:
570 break;
571 default:
572 assert(false && "implement this part");
573 abort();
574 }
575 as = new_es;
576 return true;
577}
578
579bool AbstractInterpretation::isSwitchBranchFeasible(const SVFVar* var, s64_t succ,
580 AbstractState& as)
581{
582 AbstractState new_es = as;
583 IntervalValue& switch_cond = new_es[var->getId()].getInterval();
584 s64_t value = succ;
585 FIFOWorkList<const SVFStmt*> workList;
586 for (SVFStmt *cmpVarInStmt: var->getInEdges())
587 {
588 workList.push(cmpVarInStmt);
589 }
590 switch_cond.meet_with(IntervalValue(value, value));
591 if (switch_cond.isBottom())
592 {
593 return false;
594 }
595 while(!workList.empty())
596 {
597 const SVFStmt* stmt = workList.pop();
598 if (SVFUtil::isa<CopyStmt>(stmt))
599 {
600 IntervalValue& copy_cond = new_es[var->getId()].getInterval();
601 copy_cond.meet_with(IntervalValue(value, value));
602 }
603 else if (const LoadStmt* load = SVFUtil::dyn_cast<LoadStmt>(stmt))
604 {
605 if (new_es.inVarToAddrsTable(load->getRHSVarID()))
606 {
607 AddressValue &addrs = new_es[load->getRHSVarID()].getAddrs();
608 for (const auto &addr: addrs)
609 {
610 NodeID objId = new_es.getIDFromAddr(addr);
611 if (new_es.inAddrToValTable(objId))
612 {
613 new_es.load(addr).meet_with(switch_cond);
614 }
615 }
616 }
617 }
618 }
619 as = new_es;
620 return true;
621}
622
623bool AbstractInterpretation::isBranchFeasible(const IntraCFGEdge* intraEdge,
624 AbstractState& as)
625{
626 const SVFVar *cmpVar = intraEdge->getCondition();
627 if (cmpVar->getInEdges().empty())
628 {
629 return isSwitchBranchFeasible(cmpVar,
630 intraEdge->getSuccessorCondValue(), as);
631 }
632 else
633 {
634 assert(!cmpVar->getInEdges().empty() &&
635 "no in edges?");
636 SVFStmt *cmpVarInStmt = *cmpVar->getInEdges().begin();
637 if (const CmpStmt *cmpStmt = SVFUtil::dyn_cast<CmpStmt>(cmpVarInStmt))
638 {
639 return isCmpBranchFeasible(cmpStmt,
640 intraEdge->getSuccessorCondValue(), as);
641 }
642 else
643 {
644 return isSwitchBranchFeasible(
645 cmpVar, intraEdge->getSuccessorCondValue(), as);
646 }
647 }
648 return true;
649}
656bool AbstractInterpretation::handleICFGNode(const ICFGNode* node)
657{
658 // Check reachability: pre-state must have been propagated by predecessors
659 bool isFunEntry = SVFUtil::isa<FunEntryICFGNode>(node);
660 if (!hasAbstractState(node))
661 {
662 if (isFunEntry)
663 {
664 // Entry point with no callers: inherit from global node
665 const ICFGNode* globalNode = icfg->getGlobalICFGNode();
666 if (hasAbstractState(globalNode))
667 abstractTrace[node] = abstractTrace[globalNode];
668 else
669 abstractTrace[node] = AbstractState();
670 }
671 else
672 {
673 return false; // unreachable node
674 }
675 }
676
677 // Store the previous state for fixpoint detection
678 AbstractState prevState = abstractTrace[node];
679
680 stat->getBlockTrace()++;
681 stat->getICFGNodeTrace()++;
682
683 // Handle SVF statements
684 for (const SVFStmt *stmt: node->getSVFStmts())
685 {
686 handleSVFStatement(stmt);
687 }
688
689 // Handle call sites
690 if (const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(node))
691 {
692 handleCallSite(callNode);
693 }
694
695 // Run detectors
696 for (auto& detector: detectors)
697 detector->detect(getAbstractState(node), node);
698 stat->countStateSize();
699
700 // Track this node as analyzed (for coverage statistics across all entry points)
701 allAnalyzedNodes.insert(node);
702
703 if (abstractTrace[node] == prevState)
704 return false;
705
706 return true;
707}
708
715void AbstractInterpretation::handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller)
716{
717 auto it = preAnalysis->getFuncToWTO().find(funEntry->getFun());
718 if (it == preAnalysis->getFuncToWTO().end())
719 return;
720
721 // Push all top-level WTO components into the worklist in WTO order
722 FIFOWorkList<const ICFGWTOComp*> worklist(it->second->getWTOComponents());
723
724 while (!worklist.empty())
725 {
726 const ICFGWTOComp* comp = worklist.pop();
727
728 if (const ICFGSingletonWTO* singleton = SVFUtil::dyn_cast<ICFGSingletonWTO>(comp))
729 {
730 const ICFGNode* node = singleton->getICFGNode();
731 if (mergeStatesFromPredecessors(node))
732 handleICFGNode(node);
733 }
734 else if (const ICFGCycleWTO* cycle = SVFUtil::dyn_cast<ICFGCycleWTO>(comp))
735 {
736 if (mergeStatesFromPredecessors(cycle->head()->getICFGNode()))
737 handleLoopOrRecursion(cycle, caller);
738 }
739 }
740}
741
742
743void AbstractInterpretation::handleCallSite(const ICFGNode* node)
744{
745 if (const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(node))
746 {
747 if (isExtCall(callNode))
748 {
749 handleExtCall(callNode);
750 }
751 else
752 {
753 // Handle both direct and indirect calls uniformly
754 handleFunCall(callNode);
755 }
756 }
757 else
758 assert (false && "it is not call node");
759}
760
761bool AbstractInterpretation::isExtCall(const CallICFGNode *callNode)
762{
763 return SVFUtil::isExtCall(callNode->getCalledFunction());
764}
765
766void AbstractInterpretation::handleExtCall(const CallICFGNode *callNode)
767{
768 utils->handleExtAPI(callNode);
769 for (auto& detector : detectors)
770 {
771 detector->handleStubFunctions(callNode);
772 }
773}
774
780
782void AbstractInterpretation::handleRecursiveCall(const CallICFGNode *callNode)
783{
784 AbstractState& as = getAbstractState(callNode);
785 setTopToObjInRecursion(callNode);
786 const RetICFGNode *retNode = callNode->getRetICFGNode();
787 if (retNode->getSVFStmts().size() > 0)
788 {
789 if (const RetPE *retPE = SVFUtil::dyn_cast<RetPE>(*retNode->getSVFStmts().begin()))
790 {
791 if (!retPE->getLHSVar()->isPointer() &&
792 !retPE->getLHSVar()->isConstDataOrAggDataButNotNullPtr())
793 {
794 as[retPE->getLHSVarID()] = IntervalValue::top();
795 }
796 }
797 }
798 abstractTrace[retNode] = as;
799}
800
808
810const FunObjVar* AbstractInterpretation::getCallee(const CallICFGNode* callNode)
811{
812 // Direct call: get callee directly from call node
813 if (const FunObjVar* callee = callNode->getCalledFunction())
814 return callee;
815
816 // Indirect call: resolve callee through pointer analysis
817 const auto callsiteMaps = svfir->getIndirectCallsites();
818 auto it = callsiteMaps.find(callNode);
819 if (it == callsiteMaps.end())
820 return nullptr;
821
822 NodeID call_id = it->second;
823 if (!hasAbstractState(callNode))
824 return nullptr;
825
826 AbstractState& as = getAbstractState(callNode);
827 if (!as.inVarToAddrsTable(call_id))
828 return nullptr;
829
830 AbstractValue Addrs = as[call_id];
831 if (Addrs.getAddrs().empty())
832 return nullptr;
833
834 NodeID addr = *Addrs.getAddrs().begin();
835 const SVFVar* func_var = getSVFVar(as.getIDFromAddr(addr));
836 return SVFUtil::dyn_cast<FunObjVar>(func_var);
837}
838
840bool AbstractInterpretation::skipRecursiveCall(const CallICFGNode* callNode)
841{
842 const FunObjVar* callee = getCallee(callNode);
843 if (!callee)
844 return false;
845
846 // Non-recursive function: never skip, always inline
847 if (!isRecursiveFun(callee))
848 return false;
849
850 // For recursive functions, skip only recursive callsites (within same SCC).
851 // Entry calls (from outside SCC) are not skipped - they are inlined so that
852 // handleLoopOrRecursion() can analyze the function body.
853 // This applies uniformly to all modes (TOP/WIDEN_ONLY/WIDEN_NARROW).
854 return isRecursiveCallSite(callNode, callee);
855}
856
858bool AbstractInterpretation::shouldApplyNarrowing(const FunObjVar* fun)
859{
860 // Non-recursive functions (regular loops): always apply narrowing
861 if (!isRecursiveFun(fun))
862 return true;
863
864 // Recursive functions: WIDEN_NARROW applies narrowing, WIDEN_ONLY does not
865 // TOP mode exits early in handleLoopOrRecursion, so should not reach here
866 switch (Options::HandleRecur())
867 {
868 case TOP:
869 assert(false && "TOP mode should not reach narrowing phase for recursive functions");
870 return false;
871 case WIDEN_ONLY:
872 return false; // Skip narrowing for recursive functions
873 case WIDEN_NARROW:
874 return true; // Apply narrowing for recursive functions
875 default:
876 assert(false && "Unknown recursion handling mode");
877 return false;
878 }
879}
889void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
890{
891 AbstractState& as = getAbstractState(callNode);
892 abstractTrace[callNode] = as;
893 if (skipRecursiveCall(callNode))
894 return;
895
896 // Direct call: callee is known
897 if (const FunObjVar* callee = callNode->getCalledFunction())
898 {
899 const ICFGNode* calleeEntry = icfg->getFunEntryICFGNode(callee);
900 handleFunction(calleeEntry, callNode);
901 // Resume return node from caller's state (context-insensitive).
902 // Callee's side effects are reflected through shared abstractTrace.
903 const RetICFGNode* retNode = callNode->getRetICFGNode();
904 abstractTrace[retNode] = abstractTrace[callNode];
905 return;
906 }
907
908 // Indirect call: use Andersen's call graph to get all resolved callees.
909 const RetICFGNode* retNode = callNode->getRetICFGNode();
910 if (callGraph->hasIndCSCallees(callNode))
911 {
912 const auto& callees = callGraph->getIndCSCallees(callNode);
913 for (const FunObjVar* callee : callees)
914 {
915 if (callee->isDeclaration())
916 continue;
917 const ICFGNode* calleeEntry = icfg->getFunEntryICFGNode(callee);
918 handleFunction(calleeEntry, callNode);
919 }
920 }
921 // Resume return node from caller's state (context-insensitive)
922 abstractTrace[retNode] = abstractTrace[callNode];
923}
924
965void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller)
966{
967 const ICFGNode* cycle_head = cycle->head()->getICFGNode();
968
969 // TOP mode for recursive function cycles: set all stores and return value to TOP
970 if (Options::HandleRecur() == TOP && isRecursiveFun(cycle_head->getFun()))
971 {
972 if (caller)
973 handleRecursiveCall(caller);
974 return;
975 }
976
977 // Iterate until fixpoint with widening/narrowing on the cycle head.
978 bool increasing = true;
979 u32_t widen_delay = Options::WidenDelay();
980 for (u32_t cur_iter = 0;; cur_iter++)
981 {
982 if (cur_iter >= widen_delay)
983 {
984 // Save state before processing head
985 AbstractState prev_head_state = abstractTrace[cycle_head];
986
987 // Process cycle head: merge from predecessors, then execute statements
988 // (uses same gated pattern as handleWTOComponent in origin/master)
989 if (mergeStatesFromPredecessors(cycle_head))
990 handleICFGNode(cycle_head);
991 AbstractState cur_head_state = abstractTrace[cycle_head];
992
993 if (increasing)
994 {
995 abstractTrace[cycle_head] = prev_head_state.widening(cur_head_state);
996 if (abstractTrace[cycle_head] == prev_head_state)
997 {
998 // Widening fixpoint reached; switch to narrowing phase.
999 increasing = false;
1000 continue;
1001 }
1002 }
1003 else
1004 {
1005 if (!shouldApplyNarrowing(cycle_head->getFun()))
1006 break;
1007 abstractTrace[cycle_head] = prev_head_state.narrowing(cur_head_state);
1008 if (abstractTrace[cycle_head] == prev_head_state)
1009 break;
1010 }
1011 }
1012 else
1013 {
1014 // Before widen_delay: process cycle head with gated pattern
1015 if (mergeStatesFromPredecessors(cycle_head))
1016 handleICFGNode(cycle_head);
1017 }
1018
1019 // Process cycle body components (each with gated merge+handle)
1020 for (const ICFGWTOComp* comp : cycle->getWTOComponents())
1021 {
1022 if (const ICFGSingletonWTO* singleton = SVFUtil::dyn_cast<ICFGSingletonWTO>(comp))
1023 {
1024 const ICFGNode* node = singleton->getICFGNode();
1025 if (mergeStatesFromPredecessors(node))
1026 handleICFGNode(node);
1027 }
1028 else if (const ICFGCycleWTO* subCycle = SVFUtil::dyn_cast<ICFGCycleWTO>(comp))
1029 {
1030 if (mergeStatesFromPredecessors(subCycle->head()->getICFGNode()))
1031 handleLoopOrRecursion(subCycle, caller);
1032 }
1033 }
1034 }
1035}
1036
1037void AbstractInterpretation::handleSVFStatement(const SVFStmt *stmt)
1038{
1039 if (const AddrStmt *addr = SVFUtil::dyn_cast<AddrStmt>(stmt))
1040 {
1041 updateStateOnAddr(addr);
1042 }
1043 else if (const BinaryOPStmt *binary = SVFUtil::dyn_cast<BinaryOPStmt>(stmt))
1044 {
1045 updateStateOnBinary(binary);
1046 }
1047 else if (const CmpStmt *cmp = SVFUtil::dyn_cast<CmpStmt>(stmt))
1048 {
1049 updateStateOnCmp(cmp);
1050 }
1051 else if (SVFUtil::isa<UnaryOPStmt>(stmt))
1052 {
1053 }
1054 else if (SVFUtil::isa<BranchStmt>(stmt))
1055 {
1056 // branch stmt is handled in hasBranchES
1057 }
1058 else if (const LoadStmt *load = SVFUtil::dyn_cast<LoadStmt>(stmt))
1059 {
1060 updateStateOnLoad(load);
1061 }
1062 else if (const StoreStmt *store = SVFUtil::dyn_cast<StoreStmt>(stmt))
1063 {
1064 updateStateOnStore(store);
1065 }
1066 else if (const CopyStmt *copy = SVFUtil::dyn_cast<CopyStmt>(stmt))
1067 {
1068 updateStateOnCopy(copy);
1069 }
1070 else if (const GepStmt *gep = SVFUtil::dyn_cast<GepStmt>(stmt))
1071 {
1072 updateStateOnGep(gep);
1073 }
1074 else if (const SelectStmt *select = SVFUtil::dyn_cast<SelectStmt>(stmt))
1075 {
1076 updateStateOnSelect(select);
1077 }
1078 else if (const PhiStmt *phi = SVFUtil::dyn_cast<PhiStmt>(stmt))
1079 {
1080 updateStateOnPhi(phi);
1081 }
1082 else if (const CallPE *callPE = SVFUtil::dyn_cast<CallPE>(stmt))
1083 {
1084 // To handle Call Edge
1085 updateStateOnCall(callPE);
1086 }
1087 else if (const RetPE *retPE = SVFUtil::dyn_cast<RetPE>(stmt))
1088 {
1089 updateStateOnRet(retPE);
1090 }
1091 else
1092 assert(false && "implement this part");
1093 // NullPtr is index 0, it should not be changed
1094 assert(!getAbstractState(stmt->getICFGNode())[IRGraph::NullPtr].isInterval() &&
1095 !getAbstractState(stmt->getICFGNode())[IRGraph::NullPtr].isAddr());
1096}
1097
1099void AbstractInterpretation::setTopToObjInRecursion(const CallICFGNode *callNode)
1100{
1101 AbstractState& as = getAbstractState(callNode);
1102 const RetICFGNode *retNode = callNode->getRetICFGNode();
1103 if (retNode->getSVFStmts().size() > 0)
1104 {
1105 if (const RetPE *retPE = SVFUtil::dyn_cast<RetPE>(*retNode->getSVFStmts().begin()))
1106 {
1107 AbstractState as;
1108 if (!retPE->getLHSVar()->isPointer() && !retPE->getLHSVar()->isConstDataOrAggDataButNotNullPtr())
1109 as[retPE->getLHSVarID()] = IntervalValue::top();
1110 }
1111 }
1112 if (!retNode->getOutEdges().empty())
1113 {
1114 if (retNode->getOutEdges().size() == 1)
1115 {
1116
1117 }
1118 else
1119 {
1120 return;
1121 }
1122 }
1123 FIFOWorkList<const SVFBasicBlock *> blkWorkList;
1124 FIFOWorkList<const ICFGNode *> instWorklist;
1125 for (const SVFBasicBlock * bb: callNode->getCalledFunction()->getReachableBBs())
1126 {
1127 for (const ICFGNode* node: bb->getICFGNodeList())
1128 {
1129 for (const SVFStmt *stmt: node->getSVFStmts())
1130 {
1131 if (const StoreStmt *store = SVFUtil::dyn_cast<StoreStmt>(stmt))
1132 {
1133 const SVFVar *rhsVar = store->getRHSVar();
1134 u32_t lhs = store->getLHSVarID();
1135 if (as.inVarToAddrsTable(lhs))
1136 {
1137 if (!rhsVar->isPointer() && !rhsVar->isConstDataOrAggDataButNotNullPtr())
1138 {
1139 const AbstractValue &addrs = as[lhs];
1140 for (const auto &addr: addrs.getAddrs())
1141 {
1142 as.store(addr, IntervalValue::top());
1143 }
1144 }
1145 }
1146 }
1147 }
1148 }
1149 }
1150}
1151
1152void AbstractInterpretation::updateStateOnGep(const GepStmt *gep)
1153{
1154 AbstractState& as = getAbstractState(gep->getICFGNode());
1155 u32_t rhs = gep->getRHSVarID();
1156 u32_t lhs = gep->getLHSVarID();
1157 IntervalValue offsetPair = as.getElementIndex(gep);
1158 AbstractValue gepAddrs;
1159 APOffset lb = offsetPair.lb().getIntNumeral() < Options::MaxFieldLimit()?
1160 offsetPair.lb().getIntNumeral(): Options::MaxFieldLimit();
1161 APOffset ub = offsetPair.ub().getIntNumeral() < Options::MaxFieldLimit()?
1162 offsetPair.ub().getIntNumeral(): Options::MaxFieldLimit();
1163 for (APOffset i = lb; i <= ub; i++)
1164 gepAddrs.join_with(as.getGepObjAddrs(rhs,IntervalValue(i)));
1165 as[lhs] = gepAddrs;
1166}
1167
1168void AbstractInterpretation::updateStateOnSelect(const SelectStmt *select)
1169{
1170 AbstractState& as = getAbstractState(select->getICFGNode());
1171 u32_t res = select->getResID();
1172 u32_t tval = select->getTrueValue()->getId();
1173 u32_t fval = select->getFalseValue()->getId();
1174 u32_t cond = select->getCondition()->getId();
1175 if (as[cond].getInterval().is_numeral())
1176 {
1177 as[res] = as[cond].getInterval().is_zero() ? as[fval] : as[tval];
1178 }
1179 else
1180 {
1181 as[res] = as[tval];
1182 as[res].join_with(as[fval]);
1183 }
1184}
1185
1186void AbstractInterpretation::updateStateOnPhi(const PhiStmt *phi)
1187{
1188 const ICFGNode* icfgNode = phi->getICFGNode();
1189 AbstractState& as = getAbstractState(icfgNode);
1190 u32_t res = phi->getResID();
1191 AbstractValue rhs;
1192 for (u32_t i = 0; i < phi->getOpVarNum(); i++)
1193 {
1194 NodeID curId = phi->getOpVarID(i);
1195 const ICFGNode* opICFGNode = phi->getOpICFGNode(i);
1196 if (hasAbstractState(opICFGNode))
1197 {
1198 AbstractState tmpEs = abstractTrace[opICFGNode];
1199 AbstractState& opAs = getAbstractState(opICFGNode);
1200 const ICFGEdge* edge = icfg->getICFGEdge(opICFGNode, icfgNode, ICFGEdge::IntraCF);
1201 // if IntraEdge, check the condition, if it is feasible, join the value
1202 // if IntraEdge but not conditional edge, join the value
1203 // if not IntraEdge, join the value
1204 if (edge)
1205 {
1206 const IntraCFGEdge* intraEdge = SVFUtil::cast<IntraCFGEdge>(edge);
1207 if (intraEdge->getCondition())
1208 {
1209 if (isBranchFeasible(intraEdge, tmpEs))
1210 rhs.join_with(opAs[curId]);
1211 }
1212 else
1213 rhs.join_with(opAs[curId]);
1214 }
1215 else
1216 {
1217 rhs.join_with(opAs[curId]);
1218 }
1219 }
1220 }
1221 as[res] = rhs;
1222}
1223
1224
1225void AbstractInterpretation::updateStateOnCall(const CallPE *callPE)
1226{
1227 AbstractState& as = getAbstractState(callPE->getICFGNode());
1228 NodeID lhs = callPE->getLHSVarID();
1229 NodeID rhs = callPE->getRHSVarID();
1230 as[lhs] = as[rhs];
1231}
1232
1233void AbstractInterpretation::updateStateOnRet(const RetPE *retPE)
1234{
1235 AbstractState& as = getAbstractState(retPE->getICFGNode());
1236 NodeID lhs = retPE->getLHSVarID();
1237 NodeID rhs = retPE->getRHSVarID();
1238 as[lhs] = as[rhs];
1239}
1240
1241
1242void AbstractInterpretation::updateStateOnAddr(const AddrStmt *addr)
1243{
1244 AbstractState& as = getAbstractState(addr->getICFGNode());
1245 as.initObjVar(SVFUtil::cast<ObjVar>(addr->getRHSVar()));
1246 if (addr->getRHSVar()->getType()->getKind() == SVFType::SVFIntegerTy)
1247 as[addr->getRHSVarID()].getInterval().meet_with(utils->getRangeLimitFromType(addr->getRHSVar()->getType()));
1248 as[addr->getLHSVarID()] = as[addr->getRHSVarID()];
1249}
1250
1251
1252void AbstractInterpretation::updateStateOnBinary(const BinaryOPStmt *binary)
1253{
1257 const ICFGNode* node = binary->getICFGNode();
1258 AbstractState& as = getAbstractState(node);
1259 u32_t op0 = binary->getOpVarID(0);
1260 u32_t op1 = binary->getOpVarID(1);
1261 u32_t res = binary->getResID();
1262 if (!as.inVarToValTable(op0)) as[op0] = IntervalValue::top();
1263 if (!as.inVarToValTable(op1)) as[op1] = IntervalValue::top();
1264 IntervalValue &lhs = as[op0].getInterval(), &rhs = as[op1].getInterval();
1265 IntervalValue resVal;
1266 switch (binary->getOpcode())
1267 {
1268 case BinaryOPStmt::Add:
1269 case BinaryOPStmt::FAdd:
1270 resVal = (lhs + rhs);
1271 break;
1272 case BinaryOPStmt::Sub:
1273 case BinaryOPStmt::FSub:
1274 resVal = (lhs - rhs);
1275 break;
1276 case BinaryOPStmt::Mul:
1277 case BinaryOPStmt::FMul:
1278 resVal = (lhs * rhs);
1279 break;
1280 case BinaryOPStmt::SDiv:
1281 case BinaryOPStmt::FDiv:
1282 case BinaryOPStmt::UDiv:
1283 resVal = (lhs / rhs);
1284 break;
1285 case BinaryOPStmt::SRem:
1286 case BinaryOPStmt::FRem:
1287 case BinaryOPStmt::URem:
1288 resVal = (lhs % rhs);
1289 break;
1290 case BinaryOPStmt::Xor:
1291 resVal = (lhs ^ rhs);
1292 break;
1293 case BinaryOPStmt::And:
1294 resVal = (lhs & rhs);
1295 break;
1296 case BinaryOPStmt::Or:
1297 resVal = (lhs | rhs);
1298 break;
1299 case BinaryOPStmt::AShr:
1300 resVal = (lhs >> rhs);
1301 break;
1302 case BinaryOPStmt::Shl:
1303 resVal = (lhs << rhs);
1304 break;
1305 case BinaryOPStmt::LShr:
1306 resVal = (lhs >> rhs);
1307 break;
1308 default:
1309 assert(false && "undefined binary: ");
1310 }
1311 as[res] = resVal;
1312}
1313
1314void AbstractInterpretation::updateStateOnCmp(const CmpStmt *cmp)
1315{
1316 AbstractState& as = getAbstractState(cmp->getICFGNode());
1317 u32_t op0 = cmp->getOpVarID(0);
1318 u32_t op1 = cmp->getOpVarID(1);
1319 // if it is address
1320 if (as.inVarToAddrsTable(op0) && as.inVarToAddrsTable(op1))
1321 {
1322 IntervalValue resVal;
1323 AddressValue addrOp0 = as[op0].getAddrs();
1324 AddressValue addrOp1 = as[op1].getAddrs();
1325 u32_t res = cmp->getResID();
1326 if (addrOp0.equals(addrOp1))
1327 {
1328 resVal = IntervalValue(1, 1);
1329 }
1330 else if (addrOp0.hasIntersect(addrOp1))
1331 {
1332 resVal = IntervalValue(0, 1);
1333 }
1334 else
1335 {
1336 resVal = IntervalValue(0, 0);
1337 }
1338 as[res] = resVal;
1339 }
1340 // if op0 or op1 is nullptr, compare abstractValue instead of touching addr or interval
1341 else if (op0 == IRGraph::NullPtr || op1 == IRGraph::NullPtr)
1342 {
1343 u32_t res = cmp->getResID();
1344 IntervalValue resVal = (as[op0].equals(as[op1])) ? IntervalValue(1, 1) : IntervalValue(0, 0);
1345 as[res] = resVal;
1346 }
1347 else
1348 {
1349 if (!as.inVarToValTable(op0))
1350 as[op0] = IntervalValue::top();
1351 if (!as.inVarToValTable(op1))
1352 as[op1] = IntervalValue::top();
1353 u32_t res = cmp->getResID();
1354 if (as.inVarToValTable(op0) && as.inVarToValTable(op1))
1355 {
1356 IntervalValue resVal;
1357 if (as[op0].isInterval() && as[op1].isInterval())
1358 {
1359 IntervalValue &lhs = as[op0].getInterval(),
1360 &rhs = as[op1].getInterval();
1361 // AbstractValue
1362 auto predicate = cmp->getPredicate();
1363 switch (predicate)
1364 {
1365 case CmpStmt::ICMP_EQ:
1366 case CmpStmt::FCMP_OEQ:
1367 case CmpStmt::FCMP_UEQ:
1368 resVal = (lhs == rhs);
1369 // resVal = (lhs.getInterval() == rhs.getInterval());
1370 break;
1371 case CmpStmt::ICMP_NE:
1372 case CmpStmt::FCMP_ONE:
1373 case CmpStmt::FCMP_UNE:
1374 resVal = (lhs != rhs);
1375 break;
1376 case CmpStmt::ICMP_UGT:
1377 case CmpStmt::ICMP_SGT:
1378 case CmpStmt::FCMP_OGT:
1379 case CmpStmt::FCMP_UGT:
1380 resVal = (lhs > rhs);
1381 break;
1382 case CmpStmt::ICMP_UGE:
1383 case CmpStmt::ICMP_SGE:
1384 case CmpStmt::FCMP_OGE:
1385 case CmpStmt::FCMP_UGE:
1386 resVal = (lhs >= rhs);
1387 break;
1388 case CmpStmt::ICMP_ULT:
1389 case CmpStmt::ICMP_SLT:
1390 case CmpStmt::FCMP_OLT:
1391 case CmpStmt::FCMP_ULT:
1392 resVal = (lhs < rhs);
1393 break;
1394 case CmpStmt::ICMP_ULE:
1395 case CmpStmt::ICMP_SLE:
1396 case CmpStmt::FCMP_OLE:
1397 case CmpStmt::FCMP_ULE:
1398 resVal = (lhs <= rhs);
1399 break;
1400 case CmpStmt::FCMP_FALSE:
1401 resVal = IntervalValue(0, 0);
1402 break;
1403 case CmpStmt::FCMP_TRUE:
1404 resVal = IntervalValue(1, 1);
1405 break;
1406 case CmpStmt::FCMP_ORD:
1407 case CmpStmt::FCMP_UNO:
1408 // FCMP_ORD: true if both operands are not NaN
1409 // FCMP_UNO: true if either operand is NaN
1410 // Conservatively return [0, 1] since we don't track NaN
1411 resVal = IntervalValue(0, 1);
1412 break;
1413 default:
1414 assert(false && "undefined compare: ");
1415 }
1416 as[res] = resVal;
1417 }
1418 else if (as[op0].isAddr() && as[op1].isAddr())
1419 {
1420 AddressValue &lhs = as[op0].getAddrs(),
1421 &rhs = as[op1].getAddrs();
1422 auto predicate = cmp->getPredicate();
1423 switch (predicate)
1424 {
1425 case CmpStmt::ICMP_EQ:
1426 case CmpStmt::FCMP_OEQ:
1427 case CmpStmt::FCMP_UEQ:
1428 {
1429 if (lhs.hasIntersect(rhs))
1430 {
1431 resVal = IntervalValue(0, 1);
1432 }
1433 else if (lhs.empty() && rhs.empty())
1434 {
1435 resVal = IntervalValue(1, 1);
1436 }
1437 else
1438 {
1439 resVal = IntervalValue(0, 0);
1440 }
1441 break;
1442 }
1443 case CmpStmt::ICMP_NE:
1444 case CmpStmt::FCMP_ONE:
1445 case CmpStmt::FCMP_UNE:
1446 {
1447 if (lhs.hasIntersect(rhs))
1448 {
1449 resVal = IntervalValue(0, 1);
1450 }
1451 else if (lhs.empty() && rhs.empty())
1452 {
1453 resVal = IntervalValue(0, 0);
1454 }
1455 else
1456 {
1457 resVal = IntervalValue(1, 1);
1458 }
1459 break;
1460 }
1461 case CmpStmt::ICMP_UGT:
1462 case CmpStmt::ICMP_SGT:
1463 case CmpStmt::FCMP_OGT:
1464 case CmpStmt::FCMP_UGT:
1465 {
1466 if (lhs.size() == 1 && rhs.size() == 1)
1467 {
1468 resVal = IntervalValue(*lhs.begin() > *rhs.begin());
1469 }
1470 else
1471 {
1472 resVal = IntervalValue(0, 1);
1473 }
1474 break;
1475 }
1476 case CmpStmt::ICMP_UGE:
1477 case CmpStmt::ICMP_SGE:
1478 case CmpStmt::FCMP_OGE:
1479 case CmpStmt::FCMP_UGE:
1480 {
1481 if (lhs.size() == 1 && rhs.size() == 1)
1482 {
1483 resVal = IntervalValue(*lhs.begin() >= *rhs.begin());
1484 }
1485 else
1486 {
1487 resVal = IntervalValue(0, 1);
1488 }
1489 break;
1490 }
1491 case CmpStmt::ICMP_ULT:
1492 case CmpStmt::ICMP_SLT:
1493 case CmpStmt::FCMP_OLT:
1494 case CmpStmt::FCMP_ULT:
1495 {
1496 if (lhs.size() == 1 && rhs.size() == 1)
1497 {
1498 resVal = IntervalValue(*lhs.begin() < *rhs.begin());
1499 }
1500 else
1501 {
1502 resVal = IntervalValue(0, 1);
1503 }
1504 break;
1505 }
1506 case CmpStmt::ICMP_ULE:
1507 case CmpStmt::ICMP_SLE:
1508 case CmpStmt::FCMP_OLE:
1509 case CmpStmt::FCMP_ULE:
1510 {
1511 if (lhs.size() == 1 && rhs.size() == 1)
1512 {
1513 resVal = IntervalValue(*lhs.begin() <= *rhs.begin());
1514 }
1515 else
1516 {
1517 resVal = IntervalValue(0, 1);
1518 }
1519 break;
1520 }
1521 case CmpStmt::FCMP_FALSE:
1522 resVal = IntervalValue(0, 0);
1523 break;
1524 case CmpStmt::FCMP_TRUE:
1525 resVal = IntervalValue(1, 1);
1526 break;
1527 case CmpStmt::FCMP_ORD:
1528 case CmpStmt::FCMP_UNO:
1529 // FCMP_ORD: true if both operands are not NaN
1530 // FCMP_UNO: true if either operand is NaN
1531 // Conservatively return [0, 1] since we don't track NaN
1532 resVal = IntervalValue(0, 1);
1533 break;
1534 default:
1535 assert(false && "undefined compare: ");
1536 }
1537 as[res] = resVal;
1538 }
1539 }
1540 }
1541}
1542
1543void AbstractInterpretation::updateStateOnLoad(const LoadStmt *load)
1544{
1545 AbstractState& as = getAbstractState(load->getICFGNode());
1546 u32_t rhs = load->getRHSVarID();
1547 u32_t lhs = load->getLHSVarID();
1548 as[lhs] = as.loadValue(rhs);
1549}
1550
1551void AbstractInterpretation::updateStateOnStore(const StoreStmt *store)
1552{
1553 AbstractState& as = getAbstractState(store->getICFGNode());
1554 u32_t rhs = store->getRHSVarID();
1555 u32_t lhs = store->getLHSVarID();
1556 as.storeValue(lhs, as[rhs]);
1557}
1558
1559void AbstractInterpretation::updateStateOnCopy(const CopyStmt *copy)
1560{
1561 auto getZExtValue = [](AbstractState& as, const SVFVar* var)
1562 {
1563 const SVFType* type = var->getType();
1564 if (SVFUtil::isa<SVFIntegerType>(type))
1565 {
1566 u32_t bits = type->getByteSize() * 8;
1567 if (as[var->getId()].getInterval().is_numeral())
1568 {
1569 if (bits == 8)
1570 {
1571 int8_t signed_i8_value = as[var->getId()].getInterval().getIntNumeral();
1572 u32_t unsigned_value = static_cast<uint8_t>(signed_i8_value);
1573 return IntervalValue(unsigned_value, unsigned_value);
1574 }
1575 else if (bits == 16)
1576 {
1577 s16_t signed_i16_value = as[var->getId()].getInterval().getIntNumeral();
1578 u32_t unsigned_value = static_cast<u16_t>(signed_i16_value);
1579 return IntervalValue(unsigned_value, unsigned_value);
1580 }
1581 else if (bits == 32)
1582 {
1583 s32_t signed_i32_value = as[var->getId()].getInterval().getIntNumeral();
1584 u32_t unsigned_value = static_cast<u32_t>(signed_i32_value);
1585 return IntervalValue(unsigned_value, unsigned_value);
1586 }
1587 else if (bits == 64)
1588 {
1589 s64_t signed_i64_value = as[var->getId()].getInterval().getIntNumeral();
1590 return IntervalValue((s64_t)signed_i64_value, (s64_t)signed_i64_value);
1591 // we only support i64 at most
1592 }
1593 else
1594 assert(false && "cannot support int type other than u8/16/32/64");
1595 }
1596 else
1597 {
1598 return IntervalValue::top(); // TODO: may have better solution
1599 }
1600 }
1601 return IntervalValue::top(); // TODO: may have better solution
1602 };
1603
1604 auto getTruncValue = [&](const AbstractState& as, const SVFVar* var,
1605 const SVFType* dstType)
1606 {
1607 const IntervalValue& itv = as[var->getId()].getInterval();
1608 if(itv.isBottom()) return itv;
1609 // get the value of ub and lb
1610 s64_t int_lb = itv.lb().getIntNumeral();
1611 s64_t int_ub = itv.ub().getIntNumeral();
1612 // get dst type
1613 u32_t dst_bits = dstType->getByteSize() * 8;
1614 if (dst_bits == 8)
1615 {
1616 // get the signed value of ub and lb
1617 int8_t s8_lb = static_cast<int8_t>(int_lb);
1618 int8_t s8_ub = static_cast<int8_t>(int_ub);
1619 if (s8_lb > s8_ub)
1620 {
1621 // return range of s8
1622 return utils->getRangeLimitFromType(dstType);
1623 }
1624 return IntervalValue(s8_lb, s8_ub);
1625 }
1626 else if (dst_bits == 16)
1627 {
1628 // get the signed value of ub and lb
1629 s16_t s16_lb = static_cast<s16_t>(int_lb);
1630 s16_t s16_ub = static_cast<s16_t>(int_ub);
1631 if (s16_lb > s16_ub)
1632 {
1633 // return range of s16
1634 return utils->getRangeLimitFromType(dstType);
1635 }
1636 return IntervalValue(s16_lb, s16_ub);
1637 }
1638 else if (dst_bits == 32)
1639 {
1640 // get the signed value of ub and lb
1641 s32_t s32_lb = static_cast<s32_t>(int_lb);
1642 s32_t s32_ub = static_cast<s32_t>(int_ub);
1643 if (s32_lb > s32_ub)
1644 {
1645 // return range of s32
1646 return utils->getRangeLimitFromType(dstType);
1647 }
1648 return IntervalValue(s32_lb, s32_ub);
1649 }
1650 else
1651 {
1652 assert(false && "cannot support dst int type other than u8/16/32");
1653 abort();
1654 }
1655 };
1656
1657 AbstractState& as = getAbstractState(copy->getICFGNode());
1658 u32_t lhs = copy->getLHSVarID();
1659 u32_t rhs = copy->getRHSVarID();
1660
1661 if (copy->getCopyKind() == CopyStmt::COPYVAL)
1662 {
1663 as[lhs] = as[rhs];
1664 }
1665 else if (copy->getCopyKind() == CopyStmt::ZEXT)
1666 {
1667 as[lhs] = getZExtValue(as, copy->getRHSVar());
1668 }
1669 else if (copy->getCopyKind() == CopyStmt::SEXT)
1670 {
1671 as[lhs] = as[rhs].getInterval();
1672 }
1673 else if (copy->getCopyKind() == CopyStmt::FPTOSI)
1674 {
1675 as[lhs] = as[rhs].getInterval();
1676 }
1677 else if (copy->getCopyKind() == CopyStmt::FPTOUI)
1678 {
1679 as[lhs] = as[rhs].getInterval();
1680 }
1681 else if (copy->getCopyKind() == CopyStmt::SITOFP)
1682 {
1683 as[lhs] = as[rhs].getInterval();
1684 }
1685 else if (copy->getCopyKind() == CopyStmt::UITOFP)
1686 {
1687 as[lhs] = as[rhs].getInterval();
1688 }
1689 else if (copy->getCopyKind() == CopyStmt::TRUNC)
1690 {
1691 as[lhs] = getTruncValue(as, copy->getRHSVar(), copy->getLHSVar()->getType());
1692 }
1693 else if (copy->getCopyKind() == CopyStmt::FPTRUNC)
1694 {
1695 as[lhs] = as[rhs].getInterval();
1696 }
1697 else if (copy->getCopyKind() == CopyStmt::INTTOPTR)
1698 {
1699 //insert nullptr
1700 }
1701 else if (copy->getCopyKind() == CopyStmt::PTRTOINT)
1702 {
1703 as[lhs] = IntervalValue::top();
1704 }
1705 else if (copy->getCopyKind() == CopyStmt::BITCAST)
1706 {
1707 if (as[rhs].isAddr())
1708 {
1709 as[lhs] = as[rhs];
1710 }
1711 else
1712 {
1713 // do nothing
1714 }
1715 }
1716 else
1717 assert(false && "undefined copy kind");
1718}
1719
1720
1721
BlackHoleObjAddr
#define BlackHoleObjAddr
Definition AddressValue.h:36
type
newitem type
Definition cJSON.cpp:2739
copy
copy
Definition cJSON.cpp:414
SVF::AEStat::finializeStat
void finializeStat()
Definition AEStat.cpp:43
SVF::AEStat::getBlockTrace
u32_t & getBlockTrace()
Definition AEStat.h:70
SVF::AEStat::performStat
void performStat() override
Definition AEStat.cpp:120
SVF::AEStat::getICFGNodeTrace
u32_t & getICFGNodeTrace()
Definition AEStat.h:78
SVF::AEStat::countStateSize
void countStateSize()
Definition AEStat.cpp:31
SVF::AbsExtAPI
Handles external API calls and manages abstract states.
Definition AbsExtAPI.h:44
SVF::AbsExtAPI::collectCheckPoint
void collectCheckPoint()
Definition AbsExtAPI.cpp:351
SVF::AbsExtAPI::handleExtAPI
void handleExtAPI(const CallICFGNode *call)
Handles an external API call.
Definition AbsExtAPI.cpp:436
SVF::AbsExtAPI::checkPointAllSet
void checkPointAllSet()
Definition AbsExtAPI.cpp:391
SVF::AbsExtAPI::getRangeLimitFromType
IntervalValue getRangeLimitFromType(const SVFType *type)
Gets the range limit from a type.
Definition AbsExtAPI.cpp:751
SVF::AbstractInterpretation::updateStateOnCall
void updateStateOnCall(const CallPE *callPE)
Definition AbstractInterpretation.cpp:1225
SVF::AbstractInterpretation::getCallee
const FunObjVar * getCallee(const CallICFGNode *callNode)
Get callee function: directly for direct calls, via pointer analysis for indirect calls.
Definition AbstractInterpretation.cpp:810
SVF::AbstractInterpretation::updateStateOnStore
void updateStateOnStore(const StoreStmt *store)
Definition AbstractInterpretation.cpp:1551
SVF::AbstractInterpretation::handleFunCall
virtual void handleFunCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:889
SVF::AbstractInterpretation::analyzeFromAllProgEntries
void analyzeFromAllProgEntries()
Analyze all entry points (functions without callers)
Definition AbstractInterpretation.cpp:237
SVF::AbstractInterpretation::updateStateOnGep
void updateStateOnGep(const GepStmt *gep)
Definition AbstractInterpretation.cpp:1152
SVF::AbstractInterpretation::handleGlobalNode
virtual void handleGlobalNode()
Initialize abstract state for the global ICFG node and process global statements.
Definition AbstractInterpretation.cpp:261
SVF::AbstractInterpretation::handleFunction
void handleFunction(const ICFGNode *funEntry, const CallICFGNode *caller=nullptr)
Handle a function body via worklist-driven WTO traversal starting from funEntry.
Definition AbstractInterpretation.cpp:715
SVF::AbstractInterpretation::isExtCall
virtual bool isExtCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:761
SVF::AbstractInterpretation::updateAbstractValue
void updateAbstractValue(const ValVar *var, const AbstractValue &val)
Set abstract value for a top-level variable at a given ICFG node.
Definition AbstractInterpretation.cpp:115
SVF::AbstractInterpretation::getAbstractState
AbstractState & getAbstractState(const ICFGNode *node)
Retrieve the abstract state from the trace for a given ICFG node; asserts if no trace exists.
Definition AbstractInterpretation.cpp:74
SVF::AbstractInterpretation::updateStateOnPhi
void updateStateOnPhi(const PhiStmt *phi)
Definition AbstractInterpretation.cpp:1186
SVF::AbstractInterpretation::handleICFGNode
bool handleICFGNode(const ICFGNode *node)
Handle an ICFG node: execute statements; return true if state changed.
Definition AbstractInterpretation.cpp:656
SVF::AbstractInterpretation::isBranchFeasible
bool isBranchFeasible(const IntraCFGEdge *intraEdge, AbstractState &as)
Check if the branch on intraEdge is feasible under abstract state as.
Definition AbstractInterpretation.cpp:623
SVF::AbstractInterpretation::detectors
std::vector< std::unique_ptr< AEDetector > > detectors
Definition AbstractInterpretation.h:250
SVF::AbstractInterpretation::handleExtCall
virtual void handleExtCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:766
SVF::AbstractInterpretation::isSwitchBranchFeasible
bool isSwitchBranchFeasible(const SVFVar *var, s64_t succ, AbstractState &as)
Check if switch branch with case value succ is feasible; refine intervals in as accordingly.
Definition AbstractInterpretation.cpp:579
SVF::AbstractInterpretation::mergeStatesFromPredecessors
bool mergeStatesFromPredecessors(const ICFGNode *node)
Definition AbstractInterpretation.cpp:293
SVF::AbstractInterpretation::updateStateOnSelect
void updateStateOnSelect(const SelectStmt *select)
Definition AbstractInterpretation.cpp:1168
SVF::AbstractInterpretation::handleSVFStatement
virtual void handleSVFStatement(const SVFStmt *stmt)
Dispatch an SVF statement (Addr/Binary/Cmp/Load/Store/Copy/Gep/Select/Phi/Call/Ret) to its handler.
Definition AbstractInterpretation.cpp:1037
SVF::AbstractInterpretation::skipRecursiveCall
bool skipRecursiveCall(const CallICFGNode *callNode)
Skip recursive callsites (within SCC); entry calls from outside SCC are not skipped.
Definition AbstractInterpretation.cpp:840
SVF::AbstractInterpretation::hasAbstractState
bool hasAbstractState(const ICFGNode *node)
Check if an abstract state exists in the trace for a given ICFG node.
Definition AbstractInterpretation.cpp:87
SVF::AbstractInterpretation::svfir
SVFIR * svfir
protected data members, also used in subclasses
Definition AbstractInterpretation.h:216
SVF::AbstractInterpretation::runOnModule
virtual void runOnModule(ICFG *icfg)
Definition AbstractInterpretation.cpp:43
SVF::AbstractInterpretation::isRecursiveCallSite
virtual bool isRecursiveCallSite(const CallICFGNode *callNode, const FunObjVar *)
Check if caller and callee are in the same CallGraph SCC (i.e. a recursive callsite)
Definition AbstractInterpretation.cpp:802
SVF::AbstractInterpretation::shouldApplyNarrowing
bool shouldApplyNarrowing(const FunObjVar *fun)
Check if narrowing should be applied: always for regular loops, mode-dependent for recursion.
Definition AbstractInterpretation.cpp:858
SVF::AbstractInterpretation::isRecursiveFun
virtual bool isRecursiveFun(const FunObjVar *fun)
Check if a function is recursive (part of a call graph SCC)
Definition AbstractInterpretation.cpp:776
SVF::AbstractInterpretation::updateStateOnAddr
void updateStateOnAddr(const AddrStmt *addr)
Definition AbstractInterpretation.cpp:1242
SVF::AbstractInterpretation::~AbstractInterpretation
virtual ~AbstractInterpretation()
Destructor.
Definition AbstractInterpretation.cpp:186
SVF::AbstractInterpretation::isCmpBranchFeasible
bool isCmpBranchFeasible(const CmpStmt *cmpStmt, s64_t succ, AbstractState &as)
Check if cmpStmt with successor value succ is feasible; refine intervals in as accordingly.
Definition AbstractInterpretation.cpp:353
SVF::AbstractInterpretation::handleCallSite
virtual void handleCallSite(const ICFGNode *node)
Handle a call site node: dispatch to ext-call, direct-call, or indirect-call handling.
Definition AbstractInterpretation.cpp:743
SVF::AbstractInterpretation::updateStateOnRet
void updateStateOnRet(const RetPE *retPE)
Definition AbstractInterpretation.cpp:1233
SVF::AbstractInterpretation::updateStateOnCopy
void updateStateOnCopy(const CopyStmt *copy)
Definition AbstractInterpretation.cpp:1559
SVF::AbstractInterpretation::propagateObjVarAbsVal
void propagateObjVarAbsVal(const ObjVar *var, const ICFGNode *defSite)
Propagate an ObjVar's abstract value from defSite to all its use-site ICFGNodes via SVFG.
Definition AbstractInterpretation.cpp:176
SVF::AbstractInterpretation::collectProgEntryFuns
std::deque< const FunObjVar * > collectProgEntryFuns()
Get all entry point functions (functions without callers)
Definition AbstractInterpretation.cpp:195
SVF::AbstractInterpretation::updateStateOnLoad
void updateStateOnLoad(const LoadStmt *load)
Definition AbstractInterpretation.cpp:1543
SVF::AbstractInterpretation::updateStateOnBinary
void updateStateOnBinary(const BinaryOPStmt *binary)
Definition AbstractInterpretation.cpp:1252
SVF::AbstractInterpretation::abstractTrace
Map< const ICFGNode *, AbstractState > abstractTrace
Definition AbstractInterpretation.h:246
SVF::AbstractInterpretation::allAnalyzedNodes
Set< const ICFGNode * > allAnalyzedNodes
Definition AbstractInterpretation.h:247
SVF::AbstractInterpretation::setTopToObjInRecursion
virtual void setTopToObjInRecursion(const CallICFGNode *callnode)
Set all store targets and return value to TOP for a recursive call node.
Definition AbstractInterpretation.cpp:1099
SVF::AbstractInterpretation::handleRecursiveCall
virtual void handleRecursiveCall(const CallICFGNode *callNode)
Handle recursive call in TOP mode: set all stores and return value to TOP.
Definition AbstractInterpretation.cpp:782
SVF::AbstractInterpretation::handleLoopOrRecursion
virtual void handleLoopOrRecursion(const ICFGCycleWTO *cycle, const CallICFGNode *caller=nullptr)
Handle a WTO cycle (loop or recursive function) using widening/narrowing iteration.
Definition AbstractInterpretation.cpp:965
SVF::AbstractInterpretation::_switch_lhsrhs_predicate
Map< s32_t, s32_t > _switch_lhsrhs_predicate
Definition AbstractInterpretation.h:281
SVF::AbstractInterpretation::getSVFVar
const SVFVar * getSVFVar(NodeID varId) const
Retrieve SVFVar given its ID; asserts if no such variable exists.
Definition AbstractInterpretation.h:113
SVF::AbstractInterpretation::updateStateOnCmp
void updateStateOnCmp(const CmpStmt *cmp)
Definition AbstractInterpretation.cpp:1314
SVF::AbstractInterpretation::getAbstractValue
const AbstractValue & getAbstractValue(const ValVar *var)
Retrieve abstract value for a top-level variable at a given ICFG node.
Definition AbstractInterpretation.cpp:92
SVF::AbstractState::getVirtualMemAddress
static u32_t getVirtualMemAddress(u32_t idx)
The physical address starts with 0x7f...... + idx.
Definition AbstractState.h:96
SVF::AbstractState::narrowing
AbstractState narrowing(const AbstractState &other)
domain narrow with other, and return the narrowed domain
Definition AbstractState.cpp:80
SVF::AbstractState::widening
AbstractState widening(const AbstractState &other)
domain widen with other, and return the widened domain
Definition AbstractState.cpp:59
SVF::AbstractValue::getAddrs
AddressValue & getAddrs()
Definition AbstractValue.h:111
SVF::AddressValue::meet_with
bool meet_with(const AddressValue &other)
Return a intersected AddressValue.
Definition AddressValue.h:156
SVF::AddressValue::begin
AddrSet::const_iterator begin() const
Definition AddressValue.h:105
SVF::AssignStmt::getRHSVarID
NodeID getRHSVarID() const
Definition SVFStatements.h:366
SVF::AssignStmt::getLHSVarID
NodeID getLHSVarID() const
Definition SVFStatements.h:370
SVF::BoundedInt::getIntNumeral
s64_t getIntNumeral() const
Definition NumericValue.h:706
SVF::CallGraphNode::getFunction
const FunObjVar * getFunction() const
Get function of this call node.
Definition CallGraph.h:191
SVF::CallGraph::hasIndCSCallees
bool hasIndCSCallees(const CallICFGNode *cs) const
Definition CallGraph.h:335
SVF::CallGraph::getIndCSCallees
const FunctionSet & getIndCSCallees(const CallICFGNode *cs) const
Definition CallGraph.h:339
SVF::CmpStmt::ICMP_SGT
@ ICMP_SGT
signed greater than
Definition SVFStatements.h:1066
SVF::CmpStmt::FCMP_UEQ
@ FCMP_UEQ
1 0 0 1 True if unordered or equal
Definition SVFStatements.h:1050
SVF::CmpStmt::FCMP_ONE
@ FCMP_ONE
0 1 1 0 True if ordered and operands are unequal
Definition SVFStatements.h:1047
SVF::CmpStmt::ICMP_UGE
@ ICMP_UGE
unsigned greater or equal
Definition SVFStatements.h:1063
SVF::CmpStmt::FCMP_UGT
@ FCMP_UGT
1 0 1 0 True if unordered or greater than
Definition SVFStatements.h:1051
SVF::CmpStmt::ICMP_ULE
@ ICMP_ULE
unsigned less or equal
Definition SVFStatements.h:1065
SVF::CmpStmt::FCMP_OGE
@ FCMP_OGE
0 0 1 1 True if ordered and greater than or equal
Definition SVFStatements.h:1044
SVF::CmpStmt::FCMP_OLT
@ FCMP_OLT
0 1 0 0 True if ordered and less than
Definition SVFStatements.h:1045
SVF::CmpStmt::FCMP_OGT
@ FCMP_OGT
0 0 1 0 True if ordered and greater than
Definition SVFStatements.h:1043
SVF::CmpStmt::ICMP_NE
@ ICMP_NE
not equal
Definition SVFStatements.h:1061
SVF::CmpStmt::FCMP_TRUE
@ FCMP_TRUE
1 1 1 1 Always true (always folded)
Definition SVFStatements.h:1056
SVF::CmpStmt::ICMP_ULT
@ ICMP_ULT
unsigned less than
Definition SVFStatements.h:1064
SVF::CmpStmt::FCMP_ULE
@ FCMP_ULE
1 1 0 1 True if unordered, less than, or equal
Definition SVFStatements.h:1054
SVF::CmpStmt::ICMP_SLT
@ ICMP_SLT
signed less than
Definition SVFStatements.h:1068
SVF::CmpStmt::ICMP_UGT
@ ICMP_UGT
unsigned greater than
Definition SVFStatements.h:1062
SVF::CmpStmt::FCMP_OEQ
@ FCMP_OEQ
0 0 0 1 True if ordered and equal
Definition SVFStatements.h:1042
SVF::CmpStmt::FCMP_ORD
@ FCMP_ORD
0 1 1 1 True if ordered (no nans)
Definition SVFStatements.h:1048
SVF::CmpStmt::FCMP_OLE
@ FCMP_OLE
0 1 0 1 True if ordered and less than or equal
Definition SVFStatements.h:1046
SVF::CmpStmt::FCMP_FALSE
@ FCMP_FALSE
0 0 0 0 Always false (always folded)
Definition SVFStatements.h:1041
SVF::CmpStmt::FCMP_ULT
@ FCMP_ULT
1 1 0 0 True if unordered or less than
Definition SVFStatements.h:1053
SVF::CmpStmt::FCMP_UNO
@ FCMP_UNO
1 0 0 0 True if unordered: isnan(X) | isnan(Y)
Definition SVFStatements.h:1049
SVF::CmpStmt::FCMP_UGE
@ FCMP_UGE
1 0 1 1 True if unordered, greater than, or equal
Definition SVFStatements.h:1052
SVF::CmpStmt::ICMP_SGE
@ ICMP_SGE
signed greater or equal
Definition SVFStatements.h:1067
SVF::CmpStmt::FCMP_UNE
@ FCMP_UNE
1 1 1 0 True if unordered or not equal
Definition SVFStatements.h:1055
SVF::CmpStmt::ICMP_SLE
@ ICMP_SLE
signed less or equal
Definition SVFStatements.h:1069
SVF::FIFOWorkList::empty
bool empty() const
Definition WorkList.h:161
SVF::FunObjVar::isDeclaration
bool isDeclaration() const
Definition SVFVariables.h:1080
SVF::GenericGraph::begin
iterator begin()
Iterators.
Definition GenericGraph.h:371
SVF::GenericNode::getInEdges
const GEdgeSetTy & getInEdges() const
Definition GenericGraph.h:180
SVF::ICFGNode::getSVFStmts
const SVFStmtList & getSVFStmts() const
Definition ICFGNode.h:115
SVF::ICFG::getICFGEdge
ICFGEdge * getICFGEdge(const ICFGNode *src, const ICFGNode *dst, ICFGEdge::ICFGEdgeK kind)
Get a SVFG edge according to src and dst.
Definition ICFG.cpp:311
SVF::ICFG::updateCallGraph
void updateCallGraph(CallGraph *callgraph)
update ICFG for indirect calls
Definition ICFG.cpp:427
SVF::ICFG::getFunEntryICFGNode
FunEntryICFGNode * getFunEntryICFGNode(const FunObjVar *fun)
Add a function entry node.
Definition ICFG.cpp:242
SVF::ICFG::getGlobalICFGNode
GlobalICFGNode * getGlobalICFGNode() const
Definition ICFG.h:244
SVF::IRGraph::getBlkPtr
NodeID getBlkPtr() const
Definition IRGraph.h:255
SVF::IntervalValue::meet_with
void meet_with(const IntervalValue &other)
Return a intersected IntervalValue.
Definition IntervalValue.h:475
SVF::IntervalValue::minus_infinity
static BoundedInt minus_infinity()
Get minus infinity -inf.
Definition IntervalValue.h:77
SVF::IntervalValue::plus_infinity
static BoundedInt plus_infinity()
Get plus infinity +inf.
Definition IntervalValue.h:83
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition IntervalValue.h:94
SVF::IntervalValue::lb
const BoundedInt & lb() const
Return the lower bound.
Definition IntervalValue.h:220
SVF::Options::HandleRecur
static const OptionMap< u32_t > HandleRecur
recursion handling mode, Default: TOP
Definition Options.h:246
SVF::Options::MaxFieldLimit
static const Option< u32_t > MaxFieldLimit
Maximum number of field derivations for an object.
Definition Options.h:35
SVF::Options::WidenDelay
static const Option< u32_t > WidenDelay
Definition Options.h:244
SVF::Options::PStat
static const Option< bool > PStat
Definition Options.h:116
SVF::PointerAnalysis::inSameCallGraphSCC
bool inSameCallGraphSCC(const FunObjVar *fun1, const FunObjVar *fun2)
Return TRUE if this edge is inside a PTACallGraph SCC, i.e., src node and dst node are in the same SC...
Definition PointerAnalysis.h:392
SVF::PointerAnalysis::isInRecursion
bool isInRecursion(const FunObjVar *fun) const
Definition PointerAnalysis.h:398
SVF::PreAnalysis::getFuncToWTO
const Map< const FunObjVar *, const ICFGWTO * > & getFuncToWTO() const
Accessors for WTO data.
Definition PreAnalysis.h:91
SVF::PreAnalysis::getUseSitesOfObjVar
const Set< const ICFGNode * > getUseSitesOfObjVar(const ObjVar *obj, const ICFGNode *node) const
Given an ObjVar and its def-site ICFGNode, find all use-site ICFGNodes.
Definition PreAnalysis.cpp:56
SVF::PreAnalysis::getPointerAnalysis
AndersenWaveDiff * getPointerAnalysis() const
Accessors for Andersen's results.
Definition PreAnalysis.h:56
SVF::PreAnalysis::initWTO
void initWTO()
Build WTO for each function using call graph SCC.
Definition PreAnalysis.cpp:111
SVF::PreAnalysis::getCallGraph
CallGraph * getCallGraph() const
Definition PreAnalysis.h:60
SVF::SVFIR::getIndirectCallsites
const CallSiteToFunPtrMap & getIndirectCallsites() const
Add/get indirect callsites.
Definition SVFIR.h:443
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:116
SVF::SVFStat::endClk
virtual void endClk()
Definition SVFStat.h:63
SVF::SVFStat::startClk
virtual void startClk()
Definition SVFStat.h:58
SVF::SVFStmt::getICFGNode
ICFGNode * getICFGNode() const
Definition SVFStatements.h:207
SVF::SVFType::getByteSize
u32_t getByteSize() const
Definition SVFType.h:289
SVF::SVFValue::getName
virtual const std::string & getName() const
Definition SVFValue.h:186
SVF::SVFUtil::isExtCall
bool isExtCall(const FunObjVar *fun)
Definition SVFUtil.cpp:437
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56
SVF::APOffset
s64_t APOffset
Definition GeneralType.h:60
SVF::s16_t
signed short s16_t
Definition GeneralType.h:54
SVF::u16_t
unsigned short u16_t
Definition GeneralType.h:53
SVF::ICFGSingletonWTO
WTONode< ICFG > ICFGSingletonWTO
Definition ICFGWTO.h:45
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
SVF::s32_t
signed s32_t
Definition GeneralType.h:48
SVF::u32_t
unsigned u32_t
Definition GeneralType.h:47
SVF::s64_t
signed long long s64_t
Definition GeneralType.h:50
SVF::ICFGWTOComp
WTOComponent< ICFG > ICFGWTOComp
Definition ICFGWTO.h:44
Generated by doxygen 1.9.8