Static Value-Flow Analysis
Loading...
Searching...
No Matches
AbstractInterpretation.h
Go to the documentation of this file.
1//===- AbstractInterpretation.h -- Abstract Execution----------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created on: Jan 10, 2024
26// Author: Xiao Cheng, Jiawei Wang
27// The implementation is based on
28// Xiao Cheng, Jiawei Wang and Yulei Sui. Precise Sparse Abstract Execution via Cross-Domain Interaction.
29// 46th International Conference on Software Engineering. (ICSE24)
30//
31#pragma once
32#include "AE/Core/AbstractState.h"
33#include "AE/Core/ICFGWTO.h"
34#include "AE/Svfexe/AEDetector.h"
35#include "AE/Svfexe/AEWTO.h"
36#include "AE/Svfexe/AbsExtAPI.h"
37#include "AE/Svfexe/AEStat.h"
38#include "SVFIR/SVFIR.h"
39#include "Util/SVFBugReport.h"
40#include "Graphs/SCC.h"
41#include "Graphs/CallGraph.h"
42#include <deque>
43
44namespace SVF
45{
46class AbstractInterpretation;
47class AbsExtAPI;
48class AEStat;
49class AEAPI;
50class AndersenWaveDiff;
51
52template<typename T> class FILOWorkList;
53
60class AbstractInterpretation
61{
62 friend class AEStat;
63 friend class AEAPI;
64 friend class BufOverflowDetector;
65 friend class NullptrDerefDetector;
66
67public:
68 /*
69 * For recursive test case
70 * int demo(int a) {
71 if (a >= 10000)
72 return a;
73 demo(a+1);
74 }
75
76 int main() {
77 int result = demo(0);
78 }
79 * if set TOP, result = [-oo, +oo] since the return value, and any stored object pointed by q at *q = p in recursive functions will be set to the top value.
80 * if set WIDEN_ONLY, result = [10000, +oo] since only widening is applied at the cycle head of recursive functions without narrowing.
81 * if set WIDEN_NARROW, result = [10000, 10000] since both widening and narrowing are applied at the cycle head of recursive functions.
82 * */
89
96
97 virtual void runOnModule();
98
100 virtual ~AbstractInterpretation();
101
103 void analyse();
104
106 void analyzeFromAllProgEntries();
107
109 std::deque<const FunObjVar*> collectProgEntryFuns();
110
116 static AbstractInterpretation& getAEInstance();
117
118 void addDetector(std::unique_ptr<AEDetector> detector)
119 {
120 detectors.push_back(std::move(detector));
121 }
122
124 inline const SVFVar* getSVFVar(NodeID varId) const
125 {
126 return svfir->getSVFVar(varId);
127 }
128
129 // ---- Abstract Value Access ----------------------------------------
130
136 virtual const AbstractValue& getAbsValue(const ValVar* var, const ICFGNode* node);
137 virtual const AbstractValue& getAbsValue(const ObjVar* var, const ICFGNode* node);
138 virtual const AbstractValue& getAbsValue(const SVFVar* var, const ICFGNode* node);
139
141 virtual bool hasAbsValue(const ValVar* var, const ICFGNode* node) const;
142 virtual bool hasAbsValue(const ObjVar* var, const ICFGNode* node) const;
143 virtual bool hasAbsValue(const SVFVar* var, const ICFGNode* node) const;
144
147 virtual void updateAbsValue(const ValVar* var, const AbstractValue& val, const ICFGNode* node);
148 virtual void updateAbsValue(const ObjVar* var, const AbstractValue& val, const ICFGNode* node);
149 virtual void updateAbsValue(const SVFVar* var, const AbstractValue& val, const ICFGNode* node);
150
151 // ---- State Access -------------------------------------------------
152
153 AbstractState& getAbsState(const ICFGNode* node);
154
157 virtual void updateAbsState(const ICFGNode* node, const AbstractState& state);
158
161 virtual void joinStates(AbstractState& dst, const AbstractState& src);
162
163 bool hasAbsState(const ICFGNode* node);
164
165 void getAbsState(const Set<const ValVar*>& vars, AbstractState& result, const ICFGNode* node);
166 void getAbsState(const Set<const ObjVar*>& vars, AbstractState& result, const ICFGNode* node);
167 void getAbsState(const Set<const SVFVar*>& vars, AbstractState& result, const ICFGNode* node);
168
169 // ---- GEP / Load-Store / Type Helpers ------------------------------
170
171 IntervalValue getGepElementIndex(const GepStmt* gep);
172 IntervalValue getGepByteOffset(const GepStmt* gep);
173 AddressValue getGepObjAddrs(const ValVar* pointer, IntervalValue offset);
174
175 AbstractValue loadValue(const ValVar* pointer, const ICFGNode* node);
176 void storeValue(const ValVar* pointer, const AbstractValue& val, const ICFGNode* node);
177
178 const SVFType* getPointeeElement(const ObjVar* var, const ICFGNode* node);
179 u32_t getAllocaInstByteSize(const AddrStmt* addr);
180
181 // ---- Direct Trace Access ------------------------------------------
182
187 AbstractState& operator[](const ICFGNode* node)
188 {
189 return abstractTrace[node];
190 }
191
192protected:
195 AbstractInterpretation();
196
197 // ---- Cycle helpers overridden by SparseAbstractInterpretation ----
198 // The dense versions write only to trace[cycle_head]. The semi-sparse
199 // subclass adds def-site scatter on top for body ValVars.
200
203 virtual AbstractState getFullCycleHeadState(const ICFGCycleWTO* cycle);
204
208 virtual bool widenCycleState(const AbstractState& prev, const AbstractState& cur,
209 const ICFGCycleWTO* cycle);
210
214 virtual bool narrowCycleState(const AbstractState& prev, const AbstractState& cur,
215 const ICFGCycleWTO* cycle);
216
217private:
219 virtual void handleGlobalNode();
220
224 bool mergeStatesFromPredecessors(const ICFGNode* node);
225
227 bool isBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
228
230 virtual void handleCallSite(const ICFGNode* node);
231
233 virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller = nullptr);
234
236 void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller = nullptr);
237
239 bool handleICFGNode(const ICFGNode* node);
240
242 virtual void handleSVFStatement(const SVFStmt* stmt);
243
245 bool isCmpBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
246
248 bool isSwitchBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
249
250 void updateStateOnAddr(const AddrStmt *addr);
251
252 void updateStateOnBinary(const BinaryOPStmt *binary);
253
254 void updateStateOnCmp(const CmpStmt *cmp);
255
256 void updateStateOnLoad(const LoadStmt *load);
257
258 void updateStateOnStore(const StoreStmt *store);
259
260 void updateStateOnCopy(const CopyStmt *copy);
261
262 void updateStateOnCall(const CallPE *callPE);
263
264 void updateStateOnRet(const RetPE *retPE);
265
266 void updateStateOnGep(const GepStmt *gep);
267
268 void updateStateOnSelect(const SelectStmt *select);
269
270 void updateStateOnPhi(const PhiStmt *phi);
271
273 AEAPI* api{nullptr};
274
275 ICFG* icfg;
276 CallGraph* callGraph;
277 AEStat* stat;
278
279 AbsExtAPI* getUtils()
280 {
281 return utils;
282 }
283
284 // helper functions in handleCallSite
285 virtual bool isExtCall(const CallICFGNode* callNode);
286 virtual void handleExtCall(const CallICFGNode* callNode);
287 virtual bool isRecursiveFun(const FunObjVar* fun);
288 virtual void skipRecursionWithTop(const CallICFGNode *callNode);
289 virtual bool isRecursiveCallSite(const CallICFGNode* callNode, const FunObjVar *);
290 virtual void handleFunCall(const CallICFGNode* callNode);
291
292 bool skipRecursiveCall(const CallICFGNode* callNode);
293 const FunObjVar* getCallee(const CallICFGNode* callNode);
294
295 // there data should be shared with subclasses
296 Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
297
298 Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
299 std::string moduleName;
300
301 std::vector<std::unique_ptr<AEDetector>> detectors;
302 AbsExtAPI* utils;
303
304protected:
306 SVFIR* svfir{nullptr};
307 AEWTO* preAnalysis{nullptr};
308 Map<const ICFGNode*, AbstractState> abstractTrace;
309
310 bool shouldApplyNarrowing(const FunObjVar* fun);
311};
312}
copy
copy
Definition cJSON.cpp:414
prev
newitem prev
Definition cJSON.cpp:2285
offset
buffer offset
Definition cJSON.cpp:1113
SVF::AEStat
AEStat: Statistic for AE.
Definition AEStat.h:36
SVF::AbsExtAPI
Handles external API calls and manages abstract states.
Definition AbsExtAPI.h:43
SVF::AbstractInterpretation::updateStateOnCall
void updateStateOnCall(const CallPE *callPE)
Definition AbstractInterpretation.cpp:882
SVF::AbstractInterpretation::getCallee
const FunObjVar * getCallee(const CallICFGNode *callNode)
Get callee function: directly for direct calls, via pointer analysis for indirect calls.
Definition AbstractInterpretation.cpp:684
SVF::AbstractInterpretation::getAbsState
AbstractState & getAbsState(const ICFGNode *node)
Definition AbstractStateManager.cpp:44
SVF::AbstractInterpretation::isBranchFeasible
bool isBranchFeasible(const IntraCFGEdge *edge, AbstractState &as)
Returns true if the branch is reachable; narrows as in-place.
Definition AbstractInterpretation.cpp:548
SVF::AbstractInterpretation::getAllocaInstByteSize
u32_t getAllocaInstByteSize(const AddrStmt *addr)
Definition AbstractStateManager.cpp:370
SVF::AbstractInterpretation::func_map
Map< std::string, std::function< void(const CallICFGNode *)> > func_map
Definition AbstractInterpretation.h:296
SVF::AbstractInterpretation::updateStateOnStore
void updateStateOnStore(const StoreStmt *store)
Definition AbstractInterpretation.cpp:1214
SVF::AbstractInterpretation::narrowCycleState
virtual bool narrowCycleState(const AbstractState &prev, const AbstractState &cur, const ICFGCycleWTO *cycle)
Definition AELoopRecursion.cpp:183
SVF::AbstractInterpretation::handleFunCall
virtual void handleFunCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:718
SVF::AbstractInterpretation::analyzeFromAllProgEntries
void analyzeFromAllProgEntries()
Analyze all entry points (functions without callers)
Definition AbstractInterpretation.cpp:165
SVF::AbstractInterpretation::updateStateOnGep
void updateStateOnGep(const GepStmt *gep)
Definition AbstractInterpretation.cpp:820
SVF::AbstractInterpretation::handleGlobalNode
virtual void handleGlobalNode()
Initialize abstract state for the global ICFG node and process global statements.
Definition AbstractInterpretation.cpp:189
SVF::AbstractInterpretation::hasAbsValue
virtual bool hasAbsValue(const ValVar *var, const ICFGNode *node) const
Side-effect-free existence check.
Definition AbstractStateManager.cpp:111
SVF::AbstractInterpretation::handleFunction
void handleFunction(const ICFGNode *funEntry, const CallICFGNode *caller=nullptr)
Handle a function body via worklist-driven WTO traversal starting from funEntry.
Definition AbstractInterpretation.cpp:623
SVF::AbstractInterpretation::isExtCall
virtual bool isExtCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:669
SVF::AbstractInterpretation::isSwitchBranchFeasible
bool isSwitchBranchFeasible(const IntraCFGEdge *edge, AbstractState &as)
Returns true if the switch branch is feasible; narrows as in-place.
Definition AbstractInterpretation.cpp:511
SVF::AbstractInterpretation::operator[]
AbstractState & operator[](const ICFGNode *node)
Definition AbstractInterpretation.h:187
SVF::AbstractInterpretation::getFullCycleHeadState
virtual AbstractState getFullCycleHeadState(const ICFGCycleWTO *cycle)
Definition AELoopRecursion.cpp:162
SVF::AbstractInterpretation::updateStateOnPhi
void updateStateOnPhi(const PhiStmt *phi)
Definition AbstractInterpretation.cpp:847
SVF::AbstractInterpretation::handleICFGNode
bool handleICFGNode(const ICFGNode *node)
Handle an ICFG node: execute statements; return true if state changed.
Definition AbstractInterpretation.cpp:564
SVF::AbstractInterpretation::getGepByteOffset
IntervalValue getGepByteOffset(const GepStmt *gep)
Definition AbstractStateManager.cpp:253
SVF::AbstractInterpretation::detectors
std::vector< std::unique_ptr< AEDetector > > detectors
Definition AbstractInterpretation.h:301
SVF::AbstractInterpretation::addDetector
void addDetector(std::unique_ptr< AEDetector > detector)
Definition AbstractInterpretation.h:118
SVF::AbstractInterpretation::loadValue
AbstractValue loadValue(const ValVar *pointer, const ICFGNode *node)
Definition AbstractStateManager.cpp:337
SVF::AbstractInterpretation::handleExtCall
virtual void handleExtCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:674
SVF::AbstractInterpretation::getTrace
Map< const ICFGNode *, AbstractState > & getTrace()
Definition AbstractInterpretation.h:183
SVF::AbstractInterpretation::getGepObjAddrs
AddressValue getGepObjAddrs(const ValVar *pointer, IntervalValue offset)
Definition AbstractStateManager.cpp:313
SVF::AbstractInterpretation::skipRecursionWithTop
virtual void skipRecursionWithTop(const CallICFGNode *callNode)
Definition AELoopRecursion.cpp:54
SVF::AbstractInterpretation::widenCycleState
virtual bool widenCycleState(const AbstractState &prev, const AbstractState &cur, const ICFGCycleWTO *cycle)
Definition AELoopRecursion.cpp:171
SVF::AbstractInterpretation::getGepElementIndex
IntervalValue getGepElementIndex(const GepStmt *gep)
Definition AbstractStateManager.cpp:196
SVF::AbstractInterpretation::joinStates
virtual void joinStates(AbstractState &dst, const AbstractState &src)
Definition AbstractStateManager.cpp:59
SVF::AbstractInterpretation::mergeStatesFromPredecessors
bool mergeStatesFromPredecessors(const ICFGNode *node)
Definition AbstractInterpretation.cpp:229
SVF::AbstractInterpretation::updateStateOnSelect
void updateStateOnSelect(const SelectStmt *select)
Definition AbstractInterpretation.cpp:828
SVF::AbstractInterpretation::handleSVFStatement
virtual void handleSVFStatement(const SVFStmt *stmt)
Dispatch an SVF statement (Addr/Binary/Cmp/Load/Store/Copy/Gep/Select/Phi/Call/Ret) to its handler.
Definition AbstractInterpretation.cpp:753
SVF::AbstractInterpretation::skipRecursiveCall
bool skipRecursiveCall(const CallICFGNode *callNode)
Skip recursive callsites (within SCC); entry calls from outside SCC are not skipped.
Definition AELoopRecursion.cpp:112
SVF::AbstractInterpretation::svfir
SVFIR * svfir
Data and helpers reachable from SparseAbstractInterpretation.
Definition AbstractInterpretation.h:306
SVF::AbstractInterpretation::isRecursiveCallSite
virtual bool isRecursiveCallSite(const CallICFGNode *callNode, const FunObjVar *)
Check if caller and callee are in the same CallGraph SCC (i.e. a recursive callsite)
Definition AELoopRecursion.cpp:104
SVF::AbstractInterpretation::shouldApplyNarrowing
bool shouldApplyNarrowing(const FunObjVar *fun)
Check if narrowing should be applied: always for regular loops, mode-dependent for recursion.
Definition AELoopRecursion.cpp:130
SVF::AbstractInterpretation::isRecursiveFun
virtual bool isRecursiveFun(const FunObjVar *fun)
Check if a function is recursive (part of a call graph SCC)
Definition AELoopRecursion.cpp:47
SVF::AbstractInterpretation::updateStateOnAddr
void updateStateOnAddr(const AddrStmt *addr)
Definition AbstractInterpretation.cpp:907
SVF::AbstractInterpretation::~AbstractInterpretation
virtual ~AbstractInterpretation()
Destructor.
Definition AbstractInterpretation.cpp:113
SVF::AbstractInterpretation::getAbsValue
virtual const AbstractValue & getAbsValue(const ValVar *var, const ICFGNode *node)
Definition AbstractStateManager.cpp:80
SVF::AbstractInterpretation::handleCallSite
virtual void handleCallSite(const ICFGNode *node)
Handle a call site node: dispatch to ext-call, direct-call, or indirect-call handling.
Definition AbstractInterpretation.cpp:651
SVF::AbstractInterpretation::updateStateOnRet
void updateStateOnRet(const RetPE *retPE)
Definition AbstractInterpretation.cpp:899
SVF::AbstractInterpretation::hasAbsState
bool hasAbsState(const ICFGNode *node)
Definition AbstractStateManager.cpp:64
SVF::AbstractInterpretation::updateStateOnCopy
void updateStateOnCopy(const CopyStmt *copy)
Definition AbstractInterpretation.cpp:1221
SVF::AbstractInterpretation::collectProgEntryFuns
std::deque< const FunObjVar * > collectProgEntryFuns()
Get all entry point functions (functions without callers)
Definition AbstractInterpretation.cpp:123
SVF::AbstractInterpretation::api
AEAPI * api
Execution State, used to store the Interval Value of every SVF variable.
Definition AbstractInterpretation.h:273
SVF::AbstractInterpretation::getPointeeElement
const SVFType * getPointeeElement(const ObjVar *var, const ICFGNode *node)
Definition AbstractStateManager.cpp:355
SVF::AbstractInterpretation::updateStateOnLoad
void updateStateOnLoad(const LoadStmt *load)
Definition AbstractInterpretation.cpp:1207
SVF::AbstractInterpretation::updateStateOnBinary
void updateStateOnBinary(const BinaryOPStmt *binary)
Definition AbstractInterpretation.cpp:925
SVF::AbstractInterpretation::abstractTrace
Map< const ICFGNode *, AbstractState > abstractTrace
per-node trace; owned here
Definition AbstractInterpretation.h:308
SVF::AbstractInterpretation::getAEInstance
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.cpp:77
SVF::AbstractInterpretation::isCmpBranchFeasible
bool isCmpBranchFeasible(const IntraCFGEdge *edge, AbstractState &as)
Returns true if the cmp-conditional branch is feasible; narrows as in-place.
Definition AbstractInterpretation.cpp:452
SVF::AbstractInterpretation::updateAbsValue
virtual void updateAbsValue(const ValVar *var, const AbstractValue &val, const ICFGNode *node)
Definition AbstractStateManager.cpp:136
SVF::AbstractInterpretation::allAnalyzedNodes
Set< const ICFGNode * > allAnalyzedNodes
Definition AbstractInterpretation.h:298
SVF::AbstractInterpretation::storeValue
void storeValue(const ValVar *pointer, const AbstractValue &val, const ICFGNode *node)
Definition AbstractStateManager.cpp:347
SVF::AbstractInterpretation::handleLoopOrRecursion
virtual void handleLoopOrRecursion(const ICFGCycleWTO *cycle, const CallICFGNode *caller=nullptr)
Handle a WTO cycle (loop or recursive function) using widening/narrowing iteration.
Definition AELoopRecursion.cpp:235
SVF::AbstractInterpretation::getSVFVar
const SVFVar * getSVFVar(NodeID varId) const
Retrieve SVFVar given its ID; asserts if no such variable exists.
Definition AbstractInterpretation.h:124
SVF::AbstractInterpretation::updateStateOnCmp
void updateStateOnCmp(const CmpStmt *cmp)
Definition AbstractInterpretation.cpp:982
SVF::AbstractInterpretation::updateAbsState
virtual void updateAbsState(const ICFGNode *node, const AbstractState &state)
Definition AbstractStateManager.cpp:54
SVF::BufOverflowDetector
Detector for identifying buffer overflow issues.
Definition AEDetector.h:139
SVF::SVFIR::getSVFVar
const SVFVar * getSVFVar(NodeID id) const
ObjVar/GepObjVar/BaseObjVar.
Definition SVFIR.h:133
SVF
for isBitcode
Definition BasicTypes.h:70
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56
SVF::Map
std::unordered_map< Key, Value, Hash, KeyEqual, Allocator > Map
Definition GeneralType.h:101
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76
SVF::u32_t
unsigned u32_t
Definition GeneralType.h:47
Generated by doxygen 1.9.8