Static Value-Flow Analysis
Loading...
Searching...
No Matches
AbstractInterpretation.h
Go to the documentation of this file.
1//===- AbstractInterpretation.h -- Abstract Execution----------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23
24//
25// Created on: Jan 10, 2024
26// Author: Xiao Cheng, Jiawei Wang
27// The implementation is based on
28// Xiao Cheng, Jiawei Wang and Yulei Sui. Precise Sparse Abstract Execution via Cross-Domain Interaction.
29// 46th International Conference on Software Engineering. (ICSE24)
30//
31#pragma once
32#include "AE/Core/AbstractState.h"
33#include "AE/Core/ICFGWTO.h"
34#include "AE/Svfexe/AEDetector.h"
35#include "AE/Svfexe/AEWTO.h"
36#include "AE/Svfexe/AbsExtAPI.h"
37#include "AE/Svfexe/AEStat.h"
38#include "SVFIR/SVFIR.h"
39#include "Util/SVFBugReport.h"
40#include "Util/WorkList.h"
41#include "Graphs/SCC.h"
42#include "Graphs/CallGraph.h"
43
44namespace SVF
45{
46class AbstractInterpretation;
47class AbsExtAPI;
48class AEStat;
49class AEAPI;
50class AndersenWaveDiff;
51
52template<typename T> class FILOWorkList;
53
60class AbstractInterpretation
61{
62 friend class AEStat;
63 friend class AEAPI;
64 friend class BufOverflowDetector;
65 friend class NullptrDerefDetector;
66
67public:
68 /*
69 * For recursive test case
70 * int demo(int a) {
71 if (a >= 10000)
72 return a;
73 demo(a+1);
74 }
75
76 int main() {
77 int result = demo(0);
78 }
79 * if set TOP, result = [-oo, +oo] since the return value, and any stored object pointed by q at *q = p in recursive functions will be set to the top value.
80 * if set WIDEN_ONLY, result = [10000, +oo] since only widening is applied at the cycle head of recursive functions without narrowing.
81 * if set WIDEN_NARROW, result = [10000, 10000] since both widening and narrowing are applied at the cycle head of recursive functions.
82 * */
89
96
102
103 virtual void runOnModule();
104
106 virtual ~AbstractInterpretation();
107
109 void analyse();
110
112 void analyzeFromAllProgEntries();
113
115 FIFOWorkList<const FunObjVar*> collectProgEntryFuns();
116
122 static AbstractInterpretation& getAEInstance();
123
124 void addDetector(std::unique_ptr<AEDetector> detector)
125 {
126 detectors.push_back(std::move(detector));
127 }
128
130 inline const SVFVar* getSVFVar(NodeID varId) const
131 {
132 return svfir->getSVFVar(varId);
133 }
134
135 // ---- Abstract Value Access ----------------------------------------
136
142 virtual const AbstractValue& getAbsValue(const ValVar* var, const ICFGNode* node);
143 virtual const AbstractValue& getAbsValue(const ObjVar* var, const ICFGNode* node);
144 virtual const AbstractValue& getAbsValue(const SVFVar* var, const ICFGNode* node);
145
147 virtual bool hasAbsValue(const ValVar* var, const ICFGNode* node) const;
148 virtual bool hasAbsValue(const ObjVar* var, const ICFGNode* node) const;
149 virtual bool hasAbsValue(const SVFVar* var, const ICFGNode* node) const;
150
153 virtual void updateAbsValue(const ValVar* var, const AbstractValue& val, const ICFGNode* node);
154 virtual void updateAbsValue(const ObjVar* var, const AbstractValue& val, const ICFGNode* node);
155 virtual void updateAbsValue(const SVFVar* var, const AbstractValue& val, const ICFGNode* node);
156
157 // ---- State Access -------------------------------------------------
158
159 AbstractState& getAbsState(const ICFGNode* node);
160
163 virtual void updateAbsState(const ICFGNode* node, const AbstractState& state);
164
167 virtual void joinStates(AbstractState& dst, const AbstractState& src);
168
169 bool hasAbsState(const ICFGNode* node);
170
171 void getAbsState(const Set<const ValVar*>& vars, AbstractState& result, const ICFGNode* node);
172 void getAbsState(const Set<const ObjVar*>& vars, AbstractState& result, const ICFGNode* node);
173 void getAbsState(const Set<const SVFVar*>& vars, AbstractState& result, const ICFGNode* node);
174
175 // ---- GEP / Load-Store / Type Helpers ------------------------------
176
177 IntervalValue getGepElementIndex(const GepStmt* gep);
178 IntervalValue getGepByteOffset(const GepStmt* gep);
179 AddressValue getGepObjAddrs(const ValVar* pointer, IntervalValue offset);
180
182 virtual AbstractValue loadValue(const ValVar* pointer,
183 const ICFGNode* node);
184 virtual void storeValue(const ValVar* pointer, const AbstractValue& val,
185 const ICFGNode* node);
186
187 const SVFType* getPointeeElement(const ObjVar* var, const ICFGNode* node);
188 u32_t getAllocaInstByteSize(const AddrStmt* addr);
189
190 // ---- Direct Trace Access ------------------------------------------
191
196 AbstractState& operator[](const ICFGNode* node)
197 {
198 return abstractTrace[node];
199 }
200
201protected:
204 AbstractInterpretation();
205
206 // ---- Cycle helpers overridden by SparseAbstractInterpretation ----
207 // The dense versions write only to trace[cycle_head]. The semi-sparse
208 // subclass adds def-site scatter on top for body ValVars.
209
212 virtual AbstractState getFullCycleHeadState(const ICFGCycleWTO* cycle);
213
217 virtual bool widenCycleState(const AbstractState& prev, const AbstractState& cur,
218 const ICFGCycleWTO* cycle);
219
223 virtual bool narrowCycleState(const AbstractState& prev, const AbstractState& cur,
224 const ICFGCycleWTO* cycle);
225
226protected:
232 virtual bool mergeStatesFromPredecessors(const ICFGNode* node);
233
236 bool isBranchEdgeFeasible(const IntraCFGEdge* edge, AbstractState& as);
237
240 void collectBranchRefinement(const IntraCFGEdge* edge, AbstractState& as);
241
248 virtual void recordBranchRefinement(NodeID objId,
249 const IntervalValue& narrowed,
250 AbstractState& as,
251 const ICFGNode* loadIcfg,
252 const ICFGNode* succ);
253
254private:
257 virtual void handleGlobalNode();
258
260 virtual void handleCallSite(const ICFGNode* node);
261
263 virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller);
264
266 void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller);
267
269 bool handleICFGNode(const ICFGNode* node);
270
272 virtual void handleSVFStatement(const SVFStmt* stmt);
273
275 bool isCmpBranchEdgeFeasible(const IntraCFGEdge* edge, AbstractState& as);
276
278 bool isSwitchBranchEdgeFeasible(const IntraCFGEdge* edge,
279 AbstractState& as);
280
281 void updateStateOnAddr(const AddrStmt *addr);
282
283 void updateStateOnBinary(const BinaryOPStmt *binary);
284
285 void updateStateOnCmp(const CmpStmt *cmp);
286
287 void updateStateOnLoad(const LoadStmt *load);
288
289 void updateStateOnStore(const StoreStmt *store);
290
291 void updateStateOnCopy(const CopyStmt *copy);
292
293 void updateStateOnCall(const CallPE *callPE);
294
295 void updateStateOnRet(const RetPE *retPE);
296
297 void updateStateOnGep(const GepStmt *gep);
298
299 void updateStateOnSelect(const SelectStmt *select);
300
301 void updateStateOnPhi(const PhiStmt *phi);
302
304 AEAPI* api{nullptr};
305
306 ICFG* icfg;
307 CallGraph* callGraph;
308 AEStat* stat;
309
310 AbsExtAPI* getUtils()
311 {
312 return utils;
313 }
314
315 // helper functions in handleCallSite
316 virtual bool isExtCall(const CallICFGNode* callNode);
317 virtual void handleExtCall(const CallICFGNode* callNode);
318 virtual bool isRecursiveFun(const FunObjVar* fun);
319 virtual void skipRecursionWithTop(const CallICFGNode *callNode);
320 virtual bool isRecursiveCallSite(const CallICFGNode* callNode, const FunObjVar *);
321 virtual void handleFunCall(const CallICFGNode* callNode);
322
323 bool skipRecursiveCall(const CallICFGNode* callNode);
324 const FunObjVar* getCallee(const CallICFGNode* callNode);
325
326 // there data should be shared with subclasses
327 Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
328
329 Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
330 std::string moduleName;
331
332 std::vector<std::unique_ptr<AEDetector>> detectors;
333 AbsExtAPI* utils;
334
335protected:
337 SVFIR* svfir{nullptr};
338 AEWTO* preAnalysis{nullptr};
339 Map<const ICFGNode*, AbstractState> abstractTrace;
340
341 bool shouldApplyNarrowing(const FunObjVar* fun);
342};
343} // namespace SVF
copy
copy
Definition cJSON.cpp:414
prev
newitem prev
Definition cJSON.cpp:2285
offset
buffer offset
Definition cJSON.cpp:1113
SVF::AEStat
AEStat: Statistic for AE.
Definition AEStat.h:36
SVF::AbsExtAPI
Handles external API calls and manages abstract states.
Definition AbsExtAPI.h:43
SVF::AbstractInterpretation::handleFunction
void handleFunction(const ICFGNode *funEntry, const CallICFGNode *caller)
Handle a function body via worklist-driven WTO traversal starting from funEntry.
Definition AbstractInterpretation.cpp:782
SVF::AbstractInterpretation::updateStateOnCall
void updateStateOnCall(const CallPE *callPE)
Definition AbstractInterpretation.cpp:1041
SVF::AbstractInterpretation::getCallee
const FunObjVar * getCallee(const CallICFGNode *callNode)
Get callee function: directly for direct calls, via pointer analysis for indirect calls.
Definition AbstractInterpretation.cpp:842
SVF::AbstractInterpretation::getAbsState
AbstractState & getAbsState(const ICFGNode *node)
Definition AbstractStateManager.cpp:44
SVF::AbstractInterpretation::getAllocaInstByteSize
u32_t getAllocaInstByteSize(const AddrStmt *addr)
Definition AbstractStateManager.cpp:373
SVF::AbstractInterpretation::func_map
Map< std::string, std::function< void(const CallICFGNode *)> > func_map
Definition AbstractInterpretation.h:327
SVF::AbstractInterpretation::updateStateOnStore
void updateStateOnStore(const StoreStmt *store)
Definition AbstractInterpretation.cpp:1374
SVF::AbstractInterpretation::narrowCycleState
virtual bool narrowCycleState(const AbstractState &prev, const AbstractState &cur, const ICFGCycleWTO *cycle)
Definition AELoopRecursion.cpp:183
SVF::AbstractInterpretation::handleFunCall
virtual void handleFunCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:876
SVF::AbstractInterpretation::analyzeFromAllProgEntries
void analyzeFromAllProgEntries()
Analyze all entry points (functions without callers)
Definition AbstractInterpretation.cpp:208
SVF::AbstractInterpretation::updateStateOnGep
void updateStateOnGep(const GepStmt *gep)
Definition AbstractInterpretation.cpp:979
SVF::AbstractInterpretation::isCmpBranchEdgeFeasible
bool isCmpBranchEdgeFeasible(const IntraCFGEdge *edge, AbstractState &as)
Returns true if the cmp-conditional branch is feasible.
Definition AbstractInterpretation.cpp:491
SVF::AbstractInterpretation::hasAbsValue
virtual bool hasAbsValue(const ValVar *var, const ICFGNode *node) const
Side-effect-free existence check.
Definition AbstractStateManager.cpp:111
SVF::AbstractInterpretation::isExtCall
virtual bool isExtCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:827
SVF::AbstractInterpretation::operator[]
AbstractState & operator[](const ICFGNode *node)
Definition AbstractInterpretation.h:196
SVF::AbstractInterpretation::getFullCycleHeadState
virtual AbstractState getFullCycleHeadState(const ICFGCycleWTO *cycle)
Definition AELoopRecursion.cpp:162
SVF::AbstractInterpretation::updateStateOnPhi
void updateStateOnPhi(const PhiStmt *phi)
Definition AbstractInterpretation.cpp:1006
SVF::AbstractInterpretation::handleICFGNode
bool handleICFGNode(const ICFGNode *node)
Handle an ICFG node: execute statements; return true if state changed.
Definition AbstractInterpretation.cpp:723
SVF::AbstractInterpretation::getGepByteOffset
IntervalValue getGepByteOffset(const GepStmt *gep)
Definition AbstractStateManager.cpp:253
SVF::AbstractInterpretation::detectors
std::vector< std::unique_ptr< AEDetector > > detectors
Definition AbstractInterpretation.h:332
SVF::AbstractInterpretation::addDetector
void addDetector(std::unique_ptr< AEDetector > detector)
Definition AbstractInterpretation.h:124
SVF::AbstractInterpretation::loadValue
virtual AbstractValue loadValue(const ValVar *pointer, const ICFGNode *node)
Virtual so full-sparse can layer the GepObj overlay on top.
Definition AbstractStateManager.cpp:337
SVF::AbstractInterpretation::handleExtCall
virtual void handleExtCall(const CallICFGNode *callNode)
Definition AbstractInterpretation.cpp:832
SVF::AbstractInterpretation::getTrace
Map< const ICFGNode *, AbstractState > & getTrace()
Definition AbstractInterpretation.h:192
SVF::AbstractInterpretation::isBranchEdgeFeasible
bool isBranchEdgeFeasible(const IntraCFGEdge *edge, AbstractState &as)
Definition AbstractInterpretation.cpp:707
SVF::AbstractInterpretation::getGepObjAddrs
AddressValue getGepObjAddrs(const ValVar *pointer, IntervalValue offset)
Definition AbstractStateManager.cpp:313
SVF::AbstractInterpretation::skipRecursionWithTop
virtual void skipRecursionWithTop(const CallICFGNode *callNode)
Definition AELoopRecursion.cpp:54
SVF::AbstractInterpretation::widenCycleState
virtual bool widenCycleState(const AbstractState &prev, const AbstractState &cur, const ICFGCycleWTO *cycle)
Definition AELoopRecursion.cpp:171
SVF::AbstractInterpretation::getGepElementIndex
IntervalValue getGepElementIndex(const GepStmt *gep)
Definition AbstractStateManager.cpp:196
SVF::AbstractInterpretation::joinStates
virtual void joinStates(AbstractState &dst, const AbstractState &src)
Definition AbstractStateManager.cpp:59
SVF::AbstractInterpretation::mergeStatesFromPredecessors
virtual bool mergeStatesFromPredecessors(const ICFGNode *node)
Definition AbstractInterpretation.cpp:268
SVF::AbstractInterpretation::updateStateOnSelect
void updateStateOnSelect(const SelectStmt *select)
Definition AbstractInterpretation.cpp:987
SVF::AbstractInterpretation::handleSVFStatement
virtual void handleSVFStatement(const SVFStmt *stmt)
Dispatch an SVF statement (Addr/Binary/Cmp/Load/Store/Copy/Gep/Select/Phi/Call/Ret) to its handler.
Definition AbstractInterpretation.cpp:911
SVF::AbstractInterpretation::skipRecursiveCall
bool skipRecursiveCall(const CallICFGNode *callNode)
Skip recursive callsites (within SCC); entry calls from outside SCC are not skipped.
Definition AELoopRecursion.cpp:112
SVF::AbstractInterpretation::svfir
SVFIR * svfir
Data and helpers reachable from SparseAbstractInterpretation.
Definition AbstractInterpretation.h:337
SVF::AbstractInterpretation::isRecursiveCallSite
virtual bool isRecursiveCallSite(const CallICFGNode *callNode, const FunObjVar *)
Check if caller and callee are in the same CallGraph SCC (i.e. a recursive callsite)
Definition AELoopRecursion.cpp:104
SVF::AbstractInterpretation::handleLoopOrRecursion
virtual void handleLoopOrRecursion(const ICFGCycleWTO *cycle, const CallICFGNode *caller)
Handle a WTO cycle (loop or recursive function) using widening/narrowing iteration.
Definition AELoopRecursion.cpp:235
SVF::AbstractInterpretation::shouldApplyNarrowing
bool shouldApplyNarrowing(const FunObjVar *fun)
Check if narrowing should be applied: always for regular loops, mode-dependent for recursion.
Definition AELoopRecursion.cpp:130
SVF::AbstractInterpretation::isRecursiveFun
virtual bool isRecursiveFun(const FunObjVar *fun)
Check if a function is recursive (part of a call graph SCC)
Definition AELoopRecursion.cpp:47
SVF::AbstractInterpretation::updateStateOnAddr
void updateStateOnAddr(const AddrStmt *addr)
Definition AbstractInterpretation.cpp:1066
SVF::AbstractInterpretation::~AbstractInterpretation
virtual ~AbstractInterpretation()
Destructor.
Definition AbstractInterpretation.cpp:112
SVF::AbstractInterpretation::getAbsValue
virtual const AbstractValue & getAbsValue(const ValVar *var, const ICFGNode *node)
Definition AbstractStateManager.cpp:80
SVF::AbstractInterpretation::handleCallSite
virtual void handleCallSite(const ICFGNode *node)
Handle a call site node: dispatch to ext-call, direct-call, or indirect-call handling.
Definition AbstractInterpretation.cpp:809
SVF::AbstractInterpretation::collectBranchRefinement
void collectBranchRefinement(const IntraCFGEdge *edge, AbstractState &as)
Definition AbstractInterpretation.cpp:537
SVF::AbstractInterpretation::updateStateOnRet
void updateStateOnRet(const RetPE *retPE)
Definition AbstractInterpretation.cpp:1058
SVF::AbstractInterpretation::hasAbsState
bool hasAbsState(const ICFGNode *node)
Definition AbstractStateManager.cpp:64
SVF::AbstractInterpretation::updateStateOnCopy
void updateStateOnCopy(const CopyStmt *copy)
Definition AbstractInterpretation.cpp:1381
SVF::AbstractInterpretation::collectProgEntryFuns
FIFOWorkList< const FunObjVar * > collectProgEntryFuns()
Get all entry point functions (functions without callers)
Definition AbstractInterpretation.cpp:122
SVF::AbstractInterpretation::api
AEAPI * api
Execution State, used to store the Interval Value of every SVF variable.
Definition AbstractInterpretation.h:304
SVF::AbstractInterpretation::getPointeeElement
const SVFType * getPointeeElement(const ObjVar *var, const ICFGNode *node)
Definition AbstractStateManager.cpp:358
SVF::AbstractInterpretation::isSwitchBranchEdgeFeasible
bool isSwitchBranchEdgeFeasible(const IntraCFGEdge *edge, AbstractState &as)
Returns true if the switch branch is feasible.
Definition AbstractInterpretation.cpp:522
SVF::AbstractInterpretation::updateStateOnLoad
void updateStateOnLoad(const LoadStmt *load)
Definition AbstractInterpretation.cpp:1366
SVF::AbstractInterpretation::updateStateOnBinary
void updateStateOnBinary(const BinaryOPStmt *binary)
Definition AbstractInterpretation.cpp:1084
SVF::AbstractInterpretation::abstractTrace
Map< const ICFGNode *, AbstractState > abstractTrace
per-node trace; owned here
Definition AbstractInterpretation.h:339
SVF::AbstractInterpretation::getAEInstance
static AbstractInterpretation & getAEInstance()
Definition AbstractInterpretation.cpp:76
SVF::AbstractInterpretation::recordBranchRefinement
virtual void recordBranchRefinement(NodeID objId, const IntervalValue &narrowed, AbstractState &as, const ICFGNode *loadIcfg, const ICFGNode *succ)
Definition AbstractInterpretation.cpp:674
SVF::AbstractInterpretation::updateAbsValue
virtual void updateAbsValue(const ValVar *var, const AbstractValue &val, const ICFGNode *node)
Definition AbstractStateManager.cpp:136
SVF::AbstractInterpretation::allAnalyzedNodes
Set< const ICFGNode * > allAnalyzedNodes
Definition AbstractInterpretation.h:329
SVF::AbstractInterpretation::storeValue
virtual void storeValue(const ValVar *pointer, const AbstractValue &val, const ICFGNode *node)
Definition AbstractStateManager.cpp:350
SVF::AbstractInterpretation::getSVFVar
const SVFVar * getSVFVar(NodeID varId) const
Retrieve SVFVar given its ID; asserts if no such variable exists.
Definition AbstractInterpretation.h:130
SVF::AbstractInterpretation::updateStateOnCmp
void updateStateOnCmp(const CmpStmt *cmp)
Definition AbstractInterpretation.cpp:1141
SVF::AbstractInterpretation::updateAbsState
virtual void updateAbsState(const ICFGNode *node, const AbstractState &state)
Definition AbstractStateManager.cpp:54
SVF::BufOverflowDetector
Detector for identifying buffer overflow issues.
Definition AEDetector.h:139
SVF::SVFIR::getSVFVar
const SVFVar * getSVFVar(NodeID id) const
ObjVar/GepObjVar/BaseObjVar.
Definition SVFIR.h:133
SVF
for isBitcode
Definition BasicTypes.h:70
SVF::NodeID
u32_t NodeID
Definition GeneralType.h:56
SVF::Map
std::unordered_map< Key, Value, Hash, KeyEqual, Allocator > Map
Definition GeneralType.h:101
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:76
SVF::u32_t
unsigned u32_t
Definition GeneralType.h:47
Generated by doxygen 1.9.8