Static Value-Flow Analysis
Loading...
Searching...
No Matches
ObjTypeInference.cpp
Go to the documentation of this file.
1//===- ObjTypeInference.cpp -- Type inference----------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23/*
24 * ObjTypeInference.cpp
25 *
26 * Created by Xiao Cheng on 10/01/24.
27 *
28 */
29
30#include "SVF-LLVM/ObjTypeInference.h"
31#include "SVF-LLVM/BasicTypes.h"
32#include "SVF-LLVM/LLVMModule.h"
33#include "SVF-LLVM/LLVMUtil.h"
34#include "SVF-LLVM/CppUtil.h"
35#include "Util/Casting.h"
36
37#define TYPE_DEBUG 0 /* Turn this on if you're debugging type inference */
38#define ERR_MSG(msg) \
39 do \
40 { \
41 SVFUtil::errs() << SVFUtil::errMsg("Error ") << __FILE__ << ':' \
42 << __LINE__ << ": " << (msg) << '\n'; \
43 } while (0)
44#define ABORT_MSG(msg) \
45 do \
46 { \
47 ERR_MSG(msg); \
48 abort(); \
49 } while (0)
50#define ABORT_IFNOT(condition, msg) \
51 do \
52 { \
53 if (!(condition)) \
54 ABORT_MSG(msg); \
55 } while (0)
56
57#if TYPE_DEBUG
58#define WARN_MSG(msg) \
59 do \
60 { \
61 SVFUtil::outs() << SVFUtil::wrnMsg("Warning ") << __FILE__ << ':' \
62 << __LINE__ << ": " << msg << '\n'; \
63 } while (0)
64#define WARN_IFNOT(condition, msg) \
65 do \
66 { \
67 if (!(condition)) \
68 WARN_MSG(msg); \
69 } while (0)
70#else
71#define WARN_MSG(msg)
72#define WARN_IFNOT(condition, msg)
73#endif
74
75using namespace SVF;
76using namespace SVFUtil;
77using namespace LLVMUtil;
78using namespace cppUtil;
79
80
81const std::string TYPEMALLOC = "TYPE_MALLOC";
82
85const Type *infersiteToType(const Value *val)
86{
87 assert(val && "value cannot be empty");
88 if (SVFUtil::isa<LoadInst, StoreInst>(val))
89 {
90 return llvm::getLoadStoreType(const_cast<Value *>(val));
91 }
92 else if (const auto *gepInst = SVFUtil::dyn_cast<GetElementPtrInst>(val))
93 {
94 return gepInst->getSourceElementType();
95 }
96 else if (const auto *call = SVFUtil::dyn_cast<CallBase>(val))
97 {
98 return call->getFunctionType();
99 }
100 else if (const auto *allocaInst = SVFUtil::dyn_cast<AllocaInst>(val))
101 {
102 return allocaInst->getAllocatedType();
103 }
104 else if (const auto *globalValue = SVFUtil::dyn_cast<GlobalValue>(val))
105 {
106 return globalValue->getValueType();
107 }
108 else
109 {
110 ABORT_MSG("unknown value:" + dumpValueAndDbgInfo(val));
111 }
112}
113
114const Type *ObjTypeInference::defaultType(const Value *val)
115{
116 ABORT_IFNOT(val, "val cannot be null");
117 // heap has a default type of 8-bit integer type
118 if (SVFUtil::isa<Instruction>(val) && LLVMUtil::isHeapAllocExtCallViaRet(
119 SVFUtil::cast<Instruction>(val)))
120 return int8Type();
121 // otherwise we return a pointer type in the default address space
122 return ptrType();
123}
124
129
136const Type *ObjTypeInference::inferObjType(const Value *var)
137{
138 const Type* res = inferPointsToType(var);
139 // infer type by leveraging the type alignment of src and dst in memcpy
140 // for example,
141 //
142 // %tmp = alloca %struct.outer
143 // %inner_v = alloca %struct.inner
144 // %ptr = getelementptr inbounds %struct.outer, ptr %tmp, i32 0, i32 1, !dbg !38
145 // %0 = load ptr, ptr %ptr, align 8, !dbg !38
146 // call void @llvm.memcpy.p0.p0.i64(ptr %inner_v, ptr %0, i64 24, i1 false)
147 //
148 // It is difficult to infer the type of %0 without deep alias analysis,
149 // but we can infer the obj type of %0 based on that of %inner_v.
150 if (res == defaultType(var))
151 {
152 for (const auto& use: var->users())
153 {
154 if (const CallBase* cs = SVFUtil::dyn_cast<CallBase>(use))
155 {
156 if (const Function* calledFun = cs->getCalledFunction())
157 if (LLVMUtil::isMemcpyExtFun(calledFun))
158 {
159 assert(cs->getNumOperands() > 1 && "arguments should be greater than 1");
160 const Value* dst = cs->getArgOperand(0);
161 const Value* src = cs->getArgOperand(1);
162 if(calledFun->getName().find("iconv") != std::string::npos)
163 dst = cs->getArgOperand(3), src = cs->getArgOperand(1);
164
165 if (var == dst) return inferPointsToType(src);
166 else if (var == src) return inferPointsToType(dst);
167 else ABORT_MSG("invalid memcpy call");
168 }
169 }
170 }
171 }
172 return res;
173}
174
175const Type *ObjTypeInference::inferPointsToType(const Value *var)
176{
177 if (isAlloc(var)) return fwInferObjType(var);
178 Set<const Value *> &sources = bwfindAllocOfVar(var);
179 Set<const Type *> types;
180 if (sources.empty())
181 {
182 // cannot find allocation, try to fw infer starting from var
183 types.insert(fwInferObjType(var));
184 }
185 else
186 {
187 for (const auto &source: sources)
188 {
189 types.insert(fwInferObjType(source));
190 }
191 }
192 const Type *largestTy = selectLargestSizedType(types);
193 ABORT_IFNOT(largestTy, "return type cannot be null");
194 return largestTy;
195}
196
201const Type *ObjTypeInference::fwInferObjType(const Value *var)
202{
203 if (const AllocaInst *allocaInst = SVFUtil::dyn_cast<AllocaInst>(var))
204 {
205 // stack object
206 return infersiteToType(allocaInst);
207 }
208 else if (const GlobalValue *global = SVFUtil::dyn_cast<GlobalValue>(var))
209 {
210 // global object
211 return infersiteToType(global);
212 }
213 else
214 {
215 // for heap or static object, we forward infer its type
216
217 // consult cache
218 auto tIt = _valueToType.find(var);
219 if (tIt != _valueToType.end())
220 {
221 return tIt->second ? tIt->second : defaultType(var);
222 }
223
224 // simulate the call stack, the second element indicates whether we should update valueTypes for current value
225 FILOWorkList<ValueBoolPair> workList;
226 Set<ValueBoolPair> visited;
227 workList.push({var, false});
228
229 while (!workList.empty())
230 {
231 auto curPair = workList.pop();
232 if (visited.count(curPair))
233 continue;
234 visited.insert(curPair);
235 const Value* curValue = curPair.first;
236 bool canUpdate = curPair.second;
237 Set<const Value*> infersites;
238
239 auto insertInferSite = [&infersites,
240 &canUpdate](const Value* infersite)
241 {
242 if (canUpdate)
243 infersites.insert(infersite);
244 };
245 auto insertInferSitesOrPushWorklist =
246 [this, &infersites, &workList, &canUpdate](const auto& pUser)
247 {
248 auto vIt = _valueToInferSites.find(pUser);
249 if (canUpdate)
250 {
251 if (vIt != _valueToInferSites.end())
252 {
253 infersites.insert(vIt->second.begin(),
254 vIt->second.end());
255 }
256 }
257 else
258 {
259 if (vIt == _valueToInferSites.end())
260 workList.push({pUser, false});
261 }
262 };
263 if (!canUpdate && !_valueToInferSites.count(curValue))
264 {
265 workList.push({curValue, true});
266 }
267 if (const auto* gepInst =
268 SVFUtil::dyn_cast<GetElementPtrInst>(curValue))
269 insertInferSite(gepInst);
270 for (const auto it : curValue->users())
271 {
272 if (const auto* loadInst = SVFUtil::dyn_cast<LoadInst>(it))
273 {
274 /*
275 * infer based on load, e.g.,
276 %call = call i8* malloc()
277 %1 = bitcast i8* %call to %struct.MyStruct*
278 %q = load %struct.MyStruct, %struct.MyStruct* %1
279 */
280 insertInferSite(loadInst);
281 }
282 else if (const auto* storeInst =
283 SVFUtil::dyn_cast<StoreInst>(it))
284 {
285 if (storeInst->getPointerOperand() == curValue)
286 {
287 /*
288 * infer based on store (pointer operand), e.g.,
289 %call = call i8* malloc()
290 %1 = bitcast i8* %call to %struct.MyStruct*
291 store %struct.MyStruct .., %struct.MyStruct* %1
292 */
293 insertInferSite(storeInst);
294 }
295 else
296 {
297 for (const auto nit :
298 storeInst->getPointerOperand()->users())
299 {
300 /*
301 * propagate across store (value operand) and load
302 %call = call i8* malloc()
303 store i8* %call, i8** %p
304 %q = load i8*, i8** %p
305 ..infer based on %q..
306 */
307 if (SVFUtil::isa<LoadInst>(nit))
308 insertInferSitesOrPushWorklist(nit);
309 }
310 /*
311 * infer based on store (value operand) <- gep (result element)
312 */
313 if (const auto* gepInst =
314 SVFUtil::dyn_cast<GetElementPtrInst>(
315 storeInst->getPointerOperand()))
316 {
317 /*
318 %call1 = call i8* @TYPE_MALLOC(i32 noundef 16, i32
319 noundef 2), !dbg !39 %2 = bitcast i8* %call1 to
320 %struct.MyStruct*, !dbg !41 %3 = load
321 %struct.MyStruct*, %struct.MyStruct** %p, align 8,
322 !dbg !42 %next = getelementptr inbounds
323 %struct.MyStruct, %struct.MyStruct* %3, i32 0, i32
324 1, !dbg !43 store %struct.MyStruct* %2,
325 %struct.MyStruct** %next, align 8, !dbg !44 %5 =
326 load %struct.MyStruct*, %struct.MyStruct** %p,
327 align 8, !dbg !48 %next3 = getelementptr inbounds
328 %struct.MyStruct, %struct.MyStruct* %5, i32 0, i32
329 1, !dbg !49 %6 = load %struct.MyStruct*,
330 %struct.MyStruct** %next3, align 8, !dbg !49 infer
331 site -> %f1 = getelementptr inbounds
332 %struct.MyStruct, %struct.MyStruct* %6, i32 0, i32
333 0, !dbg !50
334 */
335 const Value* gepBase = gepInst->getPointerOperand();
336 if (const auto* load =
337 SVFUtil::dyn_cast<LoadInst>(gepBase))
338 {
339 for (const auto loadUse :
340 load->getPointerOperand()->users())
341 {
342 if (loadUse == load ||
343 !SVFUtil::isa<LoadInst>(loadUse))
344 continue;
345 for (const auto gepUse : loadUse->users())
346 {
347 if (!SVFUtil::isa<GetElementPtrInst>(
348 gepUse))
349 continue;
350 for (const auto loadUse2 :
351 gepUse->users())
352 {
353 if (SVFUtil::isa<LoadInst>(
354 loadUse2))
355 {
356 insertInferSitesOrPushWorklist(
357 loadUse2);
358 }
359 }
360 }
361 }
362 }
363 else if (const auto* alloc =
364 SVFUtil::dyn_cast<AllocaInst>(gepBase))
365 {
366 /*
367 %2 = alloca %struct.ll, align 8
368 store i32 0, ptr %1, align 4
369 %3 = call noalias noundef nonnull ptr
370 @_Znwm(i64 noundef 16) #2 %4 = getelementptr
371 inbounds %struct.ll, ptr %2, i32 0, i32 1
372 store ptr %3, ptr %4, align 8
373 %5 = getelementptr inbounds %struct.ll, ptr
374 %2, i32 0, i32 1 %6 = load ptr, ptr %5, align
375 8 %7 = getelementptr inbounds %struct.ll, ptr
376 %6, i32 0, i32 0
377 */
378 for (const auto gepUse : alloc->users())
379 {
380 if (!SVFUtil::isa<GetElementPtrInst>(
381 gepUse))
382 continue;
383 for (const auto loadUse2 : gepUse->users())
384 {
385 if (SVFUtil::isa<LoadInst>(loadUse2))
386 {
387 insertInferSitesOrPushWorklist(
388 loadUse2);
389 }
390 }
391 }
392 }
393 }
394 }
395 }
396 else if (const auto* gepInst =
397 SVFUtil::dyn_cast<GetElementPtrInst>(it))
398 {
399 /*
400 * infer based on gep (pointer operand)
401 %call = call i8* malloc()
402 %1 = bitcast i8* %call to %struct.MyStruct*
403 %next = getelementptr inbounds %struct.MyStruct,
404 %struct.MyStruct* %1, i32 0..
405 */
406 if (gepInst->getPointerOperand() == curValue)
407 insertInferSite(gepInst);
408 }
409 else if (const auto* bitcast =
410 SVFUtil::dyn_cast<BitCastInst>(it))
411 {
412 // continue on bitcast
413 insertInferSitesOrPushWorklist(bitcast);
414 }
415 else if (const auto* phiNode = SVFUtil::dyn_cast<PHINode>(it))
416 {
417 // continue on bitcast
418 insertInferSitesOrPushWorklist(phiNode);
419 }
420 else if (const auto* retInst =
421 SVFUtil::dyn_cast<ReturnInst>(it))
422 {
423 /*
424 * propagate from return to caller
425 Function Attrs: noinline nounwind optnone uwtable
426 define dso_local i8* @malloc_wrapper() #0 !dbg !22 {
427 entry:
428 %call = call i8* @malloc(i32 noundef 16), !dbg !25
429 ret i8* %call, !dbg !26
430 }
431 %call = call i8* @malloc_wrapper()
432 ..infer based on %call..
433 */
434 for (const auto callsite : retInst->getFunction()->users())
435 {
436 if (const auto* callBase =
437 SVFUtil::dyn_cast<CallBase>(callsite))
438 {
439 // skip function as parameter
440 // e.g., call void @foo(%struct.ssl_ctx_st* %9, i32 (i8*, i32, i32, i8*)* @passwd_callback)
441 if (callBase->getCalledFunction() !=
442 retInst->getFunction())
443 continue;
444 insertInferSitesOrPushWorklist(callBase);
445 }
446 }
447 }
448 else if (const auto* callBase = SVFUtil::dyn_cast<CallBase>(it))
449 {
450 /*
451 * propagate from callsite to callee
452 %call = call i8* @malloc(i32 noundef 16)
453 %0 = bitcast i8* %call to %struct.Node*, !dbg !43
454 call void @foo(%struct.Node* noundef %0), !dbg !45
455
456 define dso_local void @foo(%struct.Node* noundef %param)
457 #0 !dbg !22 {...}
458 ..infer based on the formal param %param..
459 */
460 // skip global function value -> callsite
461 // e.g., def @foo() -> call @foo()
462 // we don't skip function as parameter, e.g., def @foo() -> call @bar(..., @foo)
463 if (SVFUtil::isa<Function>(curValue) &&
464 curValue == callBase->getCalledFunction())
465 continue;
466 // skip indirect call
467 // e.g., %0 = ... -> call %0(...)
468 if (!callBase->hasArgument(curValue))
469 continue;
470 if (Function* calleeFunc = callBase->getCalledFunction())
471 {
472 u32_t pos = getArgPosInCall(callBase, curValue);
473 // for varargs function, we cannot directly get the value-flow between actual and formal args e.g., consider the following vararg function @callee 1: call void @callee(%arg) 2: define dso_local i32 @callee(...) #0 !dbg !17 { 3: ....... 4: %5 = load i32, ptr %vaarg.addr, align 4, !dbg !55 5: .......
474 // 6: }
475 // it is challenging to precisely identify the forward value-flow of %arg (Line 2) because the function definition of callee (Line 2) does not have any formal args related to the actual arg %arg therefore we track all possible instructions like ``load i32, ptr %vaarg.addr''
476 if (calleeFunc->isVarArg())
477 {
478 // conservatively track all var args
479 for (auto& I : instructions(calleeFunc))
480 {
481 if (auto* load =
482 llvm::dyn_cast<llvm::LoadInst>(&I))
483 {
484 llvm::Value* loadPointer =
485 load->getPointerOperand();
486 if (loadPointer->getName().compare(
487 "vaarg.addr") == 0)
488 {
489 insertInferSitesOrPushWorklist(load);
490 }
491 }
492 }
493 }
494 else if (!calleeFunc->isDeclaration())
495 {
496 insertInferSitesOrPushWorklist(
497 calleeFunc->getArg(pos));
498 }
499 }
500 }
501 }
502 if (canUpdate)
503 {
504 Set<const Type*> types;
505 std::transform(infersites.begin(), infersites.end(),
506 std::inserter(types, types.begin()),
507 infersiteToType);
508 _valueToInferSites[curValue] = SVFUtil::move(infersites);
509 _valueToType[curValue] = selectLargestSizedType(types);
510 }
511 }
512 const Type* type = _valueToType[var];
513 if (type == nullptr)
514 {
515 type = defaultType(var);
516 WARN_MSG("Using default type, trace ID is " +
517 std::to_string(traceId) + ":" + dumpValueAndDbgInfo(var));
518 }
519 ABORT_IFNOT(type, "type cannot be a null ptr");
520 return type;
521 }
522}
523
529Set<const Value *> &ObjTypeInference::bwfindAllocOfVar(const Value *var)
530{
531
532 // consult cache
533 auto tIt = _valueToAllocs.find(var);
534 if (tIt != _valueToAllocs.end())
535 {
536 return tIt->second;
537 }
538
539 // simulate the call stack, the second element indicates whether we should update sources for current value
540 FILOWorkList<ValueBoolPair> workList;
541 Set<ValueBoolPair> visited;
542 workList.push({var, false});
543 while (!workList.empty())
544 {
545 auto curPair = workList.pop();
546 if (visited.count(curPair)) continue;
547 visited.insert(curPair);
548 const Value *curValue = curPair.first;
549 bool canUpdate = curPair.second;
550
551 Set<const Value *> sources;
552 auto insertAllocs = [&sources, &canUpdate](const Value *source)
553 {
554 if (canUpdate) sources.insert(source);
555 };
556 auto insertAllocsOrPushWorklist = [this, &sources, &workList, &canUpdate](const auto &pUser)
557 {
558 auto vIt = _valueToAllocs.find(pUser);
559 if (canUpdate)
560 {
561 if (vIt != _valueToAllocs.end())
562 {
563 sources.insert(vIt->second.begin(), vIt->second.end());
564 }
565 }
566 else
567 {
568 if (vIt == _valueToAllocs.end()) workList.push({pUser, false});
569 }
570 };
571
572 if (!canUpdate && !_valueToAllocs.count(curValue))
573 {
574 workList.push({curValue, true});
575 }
576
577 if (isAlloc(curValue))
578 {
579 insertAllocs(curValue);
580 }
581 else if (const auto *bitCastInst = SVFUtil::dyn_cast<BitCastInst>(curValue))
582 {
583 Value *prevVal = bitCastInst->getOperand(0);
584 insertAllocsOrPushWorklist(prevVal);
585 }
586 else if (const auto *phiNode = SVFUtil::dyn_cast<PHINode>(curValue))
587 {
588 for (u32_t i = 0; i < phiNode->getNumOperands(); ++i)
589 {
590 insertAllocsOrPushWorklist(phiNode->getOperand(i));
591 }
592 }
593 else if (const auto *loadInst = SVFUtil::dyn_cast<LoadInst>(curValue))
594 {
595 for (const auto use: loadInst->getPointerOperand()->users())
596 {
597 if (const StoreInst *storeInst = SVFUtil::dyn_cast<StoreInst>(use))
598 {
599 if (storeInst->getPointerOperand() == loadInst->getPointerOperand())
600 {
601 insertAllocsOrPushWorklist(storeInst->getValueOperand());
602 }
603 }
604 }
605 }
606 else if (const auto *argument = SVFUtil::dyn_cast<Argument>(curValue))
607 {
608 for (const auto use: argument->getParent()->users())
609 {
610 if (const CallBase *callBase = SVFUtil::dyn_cast<CallBase>(use))
611 {
612 // skip function as parameter
613 // e.g., call void @foo(%struct.ssl_ctx_st* %9, i32 (i8*, i32, i32, i8*)* @passwd_callback)
614 if (callBase->getCalledFunction() != argument->getParent()) continue;
615 u32_t pos = argument->getParent()->isVarArg() ? 0 : argument->getArgNo();
616 insertAllocsOrPushWorklist(callBase->getArgOperand(pos));
617 }
618 }
619 }
620 else if (const auto *callBase = SVFUtil::dyn_cast<CallBase>(curValue))
621 {
622 ABORT_IFNOT(!callBase->doesNotReturn(), "callbase does not return:" + dumpValueAndDbgInfo(callBase));
623 if (Function *callee = callBase->getCalledFunction())
624 {
625 if (!callee->isDeclaration())
626 {
627
628 LLVMModuleSet* llvmmodule = LLVMModuleSet::getLLVMModuleSet();
629 const BasicBlock* exitBB = llvmmodule->getFunExitBB(callee);
630 assert (exitBB && "exit bb is not a basic block?");
631 const Value *pValue = &exitBB->back();
632 const auto *retInst = SVFUtil::dyn_cast<ReturnInst>(pValue);
633 ABORT_IFNOT(retInst && retInst->getReturnValue(), "not return inst?");
634 insertAllocsOrPushWorklist(retInst->getReturnValue());
635 }
636 }
637 }
638 if (canUpdate)
639 {
640 _valueToAllocs[curValue] = SVFUtil::move(sources);
641 }
642 }
643 Set<const Value *> &srcs = _valueToAllocs[var];
644 if (srcs.empty())
645 {
646 WARN_MSG("Cannot find allocation: " + dumpValueAndDbgInfo(var));
647 }
648 return srcs;
649}
650
655
660void ObjTypeInference::validateTypeCheck(const CallBase *cs)
661{
662 if (const Function *func = cs->getCalledFunction())
663 {
664 if (func->getName().find(TYPEMALLOC) != std::string::npos)
665 {
666 const Type *objType = fwInferObjType(cs);
667 const auto *pInt =
668 SVFUtil::dyn_cast<llvm::ConstantInt>(cs->getOperand(1));
669 assert(pInt && "the second argument is a integer");
670 u32_t iTyNum = objTyToNumFields(objType);
671 if (iTyNum >= LLVMUtil::getIntegerValue(pInt).second)
672 SVFUtil::outs() << SVFUtil::sucMsg("\t SUCCESS :") << dumpValueAndDbgInfo(cs)
673 << SVFUtil::pasMsg(" TYPE: ")
674 << dumpType(objType) << "\n";
675 else
676 {
677 SVFUtil::errs() << SVFUtil::errMsg("\t FAILURE :") << ":" << dumpValueAndDbgInfo(cs) << " TYPE: "
678 << dumpType(objType) << "\n";
679 abort();
680 }
681 }
682 }
683}
684
685void ObjTypeInference::typeSizeDiffTest(const PointerType *oPTy, const Type *iTy, const Value *val)
686{
687#if TYPE_DEBUG
688 Type *oTy = getPtrElementType(oPTy);
689 u32_t iTyNum = objTyToNumFields(iTy);
690 if (getNumOfElements(oTy) > iTyNum)
691 {
692 ERR_MSG("original type is:" + dumpType(oTy));
693 ERR_MSG("infered type is:" + dumpType(iTy));
694 ABORT_MSG("wrong type, trace ID is " + std::to_string(traceId) + ":" + dumpValueAndDbgInfo(val));
695 }
696#endif
697}
698
699u32_t ObjTypeInference::getArgPosInCall(const CallBase *callBase, const Value *arg)
700{
701 assert(callBase->hasArgument(arg) && "callInst does not have argument arg?");
702 auto it = std::find(callBase->arg_begin(), callBase->arg_end(), arg);
703 assert(it != callBase->arg_end() && "Didn't find argument?");
704 return std::distance(callBase->arg_begin(), it);
705}
706
707
708const Type *ObjTypeInference::selectLargestSizedType(Set<const Type *> &objTys)
709{
710 if (objTys.empty()) return nullptr;
711 // map type size to types from with key in descending order
712 OrderedMap<u32_t, OrderedSet<const Type *>, std::greater<int>> typeSzToTypes;
713 for (const Type *ty: objTys)
714 {
715 typeSzToTypes[objTyToNumFields(ty)].insert(ty);
716 }
717 assert(!typeSzToTypes.empty() && "typeSzToTypes cannot be empty");
718 OrderedSet<const Type *> largestTypes;
719 std::tie(std::ignore, largestTypes) = *typeSzToTypes.begin();
720 assert(!largestTypes.empty() && "largest element cannot be empty");
721 return *largestTypes.begin();
722}
723
724u32_t ObjTypeInference::objTyToNumFields(const Type *objTy)
725{
726 u32_t num = Options::MaxFieldLimit();
727 if (SVFUtil::isa<ArrayType>(objTy))
728 num = getNumOfElements(objTy);
729 else if (const auto *st = SVFUtil::dyn_cast<StructType>(objTy))
730 {
733 if (!classTyHasVTable(st))
734 num = getNumOfElements(st);
735 }
736 return num;
737}
738
739
749Set<std::string> &ObjTypeInference::inferThisPtrClsName(const Value *thisPtr)
750{
751 auto it = _thisPtrClassNames.find(thisPtr);
752 if (it != _thisPtrClassNames.end()) return it->second;
753
754 Set<std::string> names;
755
756 // Lambda for checking a function is a valid name source & extracting a class name from it
757 auto addNamesFromFunc = [&names](const Function *func) -> void
758 {
759 ABORT_IFNOT(isClsNameSource(func), "Func is invalid class name source: " + dumpValueAndDbgInfo(func));
760 for (const auto &name : extractClsNamesFromFunc(func)) names.insert(name);
761 };
762
763 // Lambda for getting callee & extracting class name for calls to constructors/destructors/template funcs
764 auto addNamesFromCall = [&names, &addNamesFromFunc](const CallBase *call) -> void
765 {
766 ABORT_IFNOT(isClsNameSource(call), "Call is invalid class name source: " + dumpValueAndDbgInfo(call));
767
768 const auto *func = call->getCalledFunction();
769 if (isDynCast(func)) names.insert(extractClsNameFromDynCast(call));
770 else addNamesFromFunc(func);
771 };
772
773 // Walk backwards to find all valid source sites for the pointer (e.g. stack/global/heap variables)
774 for (const auto &val: bwFindAllocOrClsNameSources(thisPtr))
775 {
776 // A source site is either a constructor/destructor/template function from which the class name can be
777 // extracted; a call to a C++ constructor/destructor/template function from which the class name can be
778 // extracted; or an allocation site of an object (i.e. a stack/global/heap variable), from which a
779 // forward walk can be performed to find calls to C++ constructor/destructor/template functions from
780 // which the class' name can then be extracted; skip starting pointer
781 if (val == thisPtr) continue;
782
783 if (const auto *func = SVFUtil::dyn_cast<Function>(val))
784 {
785 // Constructor/destructor/template func; extract name from func directly
786 addNamesFromFunc(func);
787 }
788 else if (isClsNameSource(val))
789 {
790 // Call to constructor/destructor/template func; get callee; extract name from callee
791 ABORT_IFNOT(SVFUtil::isa<CallBase>(val), "Call source site is not a callbase: " + dumpValueAndDbgInfo(val));
792 addNamesFromCall(SVFUtil::cast<CallBase>(val));
793 }
794 else if (isAlloc(val))
795 {
796 // Stack/global/heap allocation site; walk forward; find constructor/destructor/template calls
797 ABORT_IFNOT((SVFUtil::isa<AllocaInst, CallBase, GlobalVariable>(val)),
798 "Alloc site source is not a stack/heap/global variable: " + dumpValueAndDbgInfo(val));
799 for (const auto *src : fwFindClsNameSources(val))
800 {
801 if (const auto *func = SVFUtil::dyn_cast<Function>(src)) addNamesFromFunc(func);
802 else if (const auto *call = SVFUtil::dyn_cast<CallBase>(src)) addNamesFromCall(call);
803 else ABORT_MSG("Source site from forward walk is invalid: " + dumpValueAndDbgInfo(src));
804 }
805 }
806 else
807 {
808 ERR_MSG("Unsupported source type found:" + dumpValueAndDbgInfo(val));
809 }
810 }
811
812 return _thisPtrClassNames[thisPtr] = names;
813}
814
822Set<const Value *> &ObjTypeInference::bwFindAllocOrClsNameSources(const Value *startValue)
823{
824
825 // consult cache
826 auto tIt = _valueToAllocOrClsNameSources.find(startValue);
827 if (tIt != _valueToAllocOrClsNameSources.end())
828 {
829 return tIt->second;
830 }
831
832 // simulate the call stack, the second element indicates whether we should update sources for current value
833 FILOWorkList<ValueBoolPair> workList;
834 Set<ValueBoolPair> visited;
835 workList.push({startValue, false});
836 while (!workList.empty())
837 {
838 auto curPair = workList.pop();
839 if (visited.count(curPair)) continue;
840 visited.insert(curPair);
841 const Value *curValue = curPair.first;
842 bool canUpdate = curPair.second;
843
844 Set<const Value *> sources;
845 auto insertSource = [&sources, &canUpdate](const Value *source)
846 {
847 if (canUpdate) sources.insert(source);
848 };
849 auto insertSourcesOrPushWorklist = [this, &sources, &workList, &canUpdate](const auto &pUser)
850 {
851 auto vIt = _valueToAllocOrClsNameSources.find(pUser);
852 if (canUpdate)
853 {
854 if (vIt != _valueToAllocOrClsNameSources.end() && !vIt->second.empty())
855 {
856 sources.insert(vIt->second.begin(), vIt->second.end());
857 }
858 }
859 else
860 {
861 if (vIt == _valueToAllocOrClsNameSources.end()) workList.push({pUser, false});
862 }
863 };
864
865 if (!canUpdate && !_valueToAllocOrClsNameSources.count(curValue))
866 {
867 workList.push({curValue, true});
868 }
869
870 // If current value is an instruction inside a constructor/destructor/template, use it as a source
871 if (const auto *inst = SVFUtil::dyn_cast<Instruction>(curValue))
872 {
873 if (const auto *parent = inst->getFunction())
874 {
875 if (isClsNameSource(parent)) insertSource(parent);
876 }
877 }
878
879 // If the current value is an object (global, heap, stack, etc) or name source (constructor/destructor,
880 // a C++ dynamic cast, or a template function), use it as a source
881 if (isAlloc(curValue) || isClsNameSource(curValue))
882 {
883 insertSource(curValue);
884 }
885
886 // Explore the current value further depending on the type of the value; use cached values if possible
887 if (const auto *getElementPtrInst = SVFUtil::dyn_cast<GetElementPtrInst>(curValue))
888 {
889 insertSourcesOrPushWorklist(getElementPtrInst->getPointerOperand());
890 }
891 else if (const auto *bitCastInst = SVFUtil::dyn_cast<BitCastInst>(curValue))
892 {
893 insertSourcesOrPushWorklist(bitCastInst->getOperand(0));
894 }
895 else if (const auto *phiNode = SVFUtil::dyn_cast<PHINode>(curValue))
896 {
897 for (const auto *op : phiNode->operand_values())
898 {
899 insertSourcesOrPushWorklist(op);
900 }
901 }
902 else if (const auto *loadInst = SVFUtil::dyn_cast<LoadInst>(curValue))
903 {
904 for (const auto *user : loadInst->getPointerOperand()->users())
905 {
906 if (const auto *storeInst = SVFUtil::dyn_cast<StoreInst>(user))
907 {
908 if (storeInst->getPointerOperand() == loadInst->getPointerOperand())
909 {
910 insertSourcesOrPushWorklist(storeInst->getValueOperand());
911 }
912 }
913 }
914 }
915 else if (const auto *argument = SVFUtil::dyn_cast<Argument>(curValue))
916 {
917 for (const auto *user: argument->getParent()->users())
918 {
919 if (const auto *callBase = SVFUtil::dyn_cast<CallBase>(user))
920 {
921 // skip function as parameter
922 // e.g., call void @foo(%struct.ssl_ctx_st* %9, i32 (i8*, i32, i32, i8*)* @passwd_callback)
923 if (callBase->getCalledFunction() != argument->getParent()) continue;
924 u32_t pos = argument->getParent()->isVarArg() ? 0 : argument->getArgNo();
925 insertSourcesOrPushWorklist(callBase->getArgOperand(pos));
926 }
927 }
928 }
929 else if (const auto *callBase = SVFUtil::dyn_cast<CallBase>(curValue))
930 {
931 ABORT_IFNOT(!callBase->doesNotReturn(), "callbase does not return:" + dumpValueAndDbgInfo(callBase));
932 if (const auto *callee = callBase->getCalledFunction())
933 {
934 if (!callee->isDeclaration())
935 {
936 LLVMModuleSet* llvmmodule = LLVMModuleSet::getLLVMModuleSet();
937 const BasicBlock* exitBB = llvmmodule->getFunExitBB(callee);
938 assert (exitBB && "exit bb is not a basic block?");
939 const Value *pValue = &exitBB->back();
940 const auto *retInst = SVFUtil::dyn_cast<ReturnInst>(pValue);
941 ABORT_IFNOT(retInst && retInst->getReturnValue(), "not return inst?");
942 insertSourcesOrPushWorklist(retInst->getReturnValue());
943 }
944 }
945 }
946
947 // If updating is allowed; store the gathered sources as sources for the current value in the cache
948 if (canUpdate)
949 {
950 _valueToAllocOrClsNameSources[curValue] = sources;
951 }
952 }
953
954 return _valueToAllocOrClsNameSources[startValue];
955}
956
957Set<const CallBase *> &ObjTypeInference::fwFindClsNameSources(const Value *startValue)
958{
959 assert(startValue && "startValue was null?");
960
961 // consult cache
962 auto tIt = _objToClsNameSources.find(startValue);
963 if (tIt != _objToClsNameSources.end())
964 {
965 return tIt->second;
966 }
967
968 Set<const CallBase *> sources;
969
970 // Lambda for adding a callee to the sources iff it is a constructor/destructor/template/dyncast
971 auto inferViaCppCall = [&sources](const CallBase *caller)
972 {
973 if (!caller) return;
974 if (isClsNameSource(caller)) sources.insert(caller);
975 };
976
977 // Find all calls of starting val (or through cast); add as potential source iff applicable
978 for (const auto *user : startValue->users())
979 {
980 if (const auto *caller = SVFUtil::dyn_cast<CallBase>(user))
981 {
982 inferViaCppCall(caller);
983 }
984 else if (const auto *bitcast = SVFUtil::dyn_cast<BitCastInst>(user))
985 {
986 for (const auto *cast_user : bitcast->users())
987 {
988 if (const auto *caller = SVFUtil::dyn_cast<CallBase>(cast_user))
989 {
990 inferViaCppCall(caller);
991 }
992 }
993 }
994 }
995
996 // Store sources in cache for starting value & return the found sources
997 return _objToClsNameSources[startValue] = SVFUtil::move(sources);
998}
ABORT_MSG
#define ABORT_MSG(msg)
Definition ObjTypeInference.cpp:44
TYPEMALLOC
const std::string TYPEMALLOC
Definition ObjTypeInference.cpp:81
infersiteToType
const Type * infersiteToType(const Value *val)
Definition ObjTypeInference.cpp:85
ABORT_IFNOT
#define ABORT_IFNOT(condition, msg)
Definition ObjTypeInference.cpp:50
ERR_MSG
#define ERR_MSG(msg)
Definition ObjTypeInference.cpp:38
WARN_MSG
#define WARN_MSG(msg)
Definition ObjTypeInference.cpp:71
type
newitem type
Definition cJSON.cpp:2739
name
const char *const name
Definition cJSON.h:264
SVF::LLVMModuleSet::getLLVMModuleSet
static LLVMModuleSet * getLLVMModuleSet()
Definition LLVMModule.h:129
SVF::LLVMModuleSet::getContext
LLVMContext & getContext() const
Definition LLVMModule.h:374
SVF::ObjTypeInference::_valueToInferSites
ValueToInferSites _valueToInferSites
Definition ObjTypeInference.h:54
SVF::ObjTypeInference::_valueToAllocs
ValueToSources _valueToAllocs
Definition ObjTypeInference.h:56
SVF::ObjTypeInference::selectLargestSizedType
const Type * selectLargestSizedType(Set< const Type * > &objTys)
select the largest (conservative) type from all types
Definition ObjTypeInference.cpp:708
SVF::ObjTypeInference::inferPointsToType
const Type * inferPointsToType(const Value *var)
Definition ObjTypeInference.cpp:175
SVF::ObjTypeInference::bwfindAllocOfVar
Set< const Value * > & bwfindAllocOfVar(const Value *var)
backward collect all possible allocation sites (stack, static, heap) of var
Definition ObjTypeInference.cpp:529
SVF::ObjTypeInference::objTyToNumFields
u32_t objTyToNumFields(const Type *objTy)
Definition ObjTypeInference.cpp:724
SVF::ObjTypeInference::isAlloc
bool isAlloc(const SVF::Value *val)
is allocation (stack, static, heap)
Definition ObjTypeInference.cpp:651
SVF::ObjTypeInference::getArgPosInCall
u32_t getArgPosInCall(const CallBase *callBase, const Value *arg)
Definition ObjTypeInference.cpp:699
SVF::ObjTypeInference::bwFindAllocOrClsNameSources
Set< const Value * > & bwFindAllocOrClsNameSources(const Value *startValue)
Definition ObjTypeInference.cpp:822
SVF::ObjTypeInference::_thisPtrClassNames
ValueToClassNames _thisPtrClassNames
Definition ObjTypeInference.h:57
SVF::ObjTypeInference::inferThisPtrClsName
Set< std::string > & inferThisPtrClsName(const Value *thisPtr)
get or infer the class names of thisptr
Definition ObjTypeInference.cpp:749
SVF::ObjTypeInference::typeSizeDiffTest
void typeSizeDiffTest(const PointerType *oPTy, const Type *iTy, const Value *val)
Definition ObjTypeInference.cpp:685
SVF::ObjTypeInference::fwInferObjType
const Type * fwInferObjType(const Value *var)
forward infer the type of the object pointed by var
Definition ObjTypeInference.cpp:201
SVF::ObjTypeInference::int8Type
const IntegerType * int8Type()
int8 type
Definition ObjTypeInference.h:89
SVF::ObjTypeInference::ptrType
const Type * ptrType()
pointer type
Definition ObjTypeInference.h:83
SVF::ObjTypeInference::inferObjType
const Type * inferObjType(const Value *var)
get or infer the type of the object pointed by the value
Definition ObjTypeInference.cpp:136
SVF::ObjTypeInference::defaultType
const Type * defaultType(const Value *val)
default type
Definition ObjTypeInference.cpp:114
SVF::ObjTypeInference::_objToClsNameSources
ObjToClsNameSources _objToClsNameSources
Definition ObjTypeInference.h:59
SVF::ObjTypeInference::fwFindClsNameSources
Set< const CallBase * > & fwFindClsNameSources(const Value *startValue)
forward find class name sources starting from an allocation
Definition ObjTypeInference.cpp:957
SVF::ObjTypeInference::validateTypeCheck
void validateTypeCheck(const CallBase *cs)
validate type inference
Definition ObjTypeInference.cpp:660
SVF::ObjTypeInference::_valueToAllocOrClsNameSources
ValueToSources _valueToAllocOrClsNameSources
Definition ObjTypeInference.h:58
SVF::Options::MaxFieldLimit
static const Option< u32_t > MaxFieldLimit
Maximum number of field derivations for an object.
Definition Options.h:38
SVF::LLVMUtil::isHeapAllocExtCallViaRet
bool isHeapAllocExtCallViaRet(const Instruction *inst)
Definition LLVMUtil.cpp:633
SVF::LLVMUtil::isMemcpyExtFun
bool isMemcpyExtFun(const Function *fun)
Definition LLVMUtil.cpp:388
SVF::LLVMUtil::dumpType
std::string dumpType(const Type *type)
Definition LLVMUtil.cpp:611
SVF::LLVMUtil::getIntegerValue
std::pair< s64_t, u64_t > getIntegerValue(const ConstantInt *intValue)
Definition LLVMUtil.h:82
SVF::LLVMUtil::dumpValueAndDbgInfo
std::string dumpValueAndDbgInfo(const Value *val)
Definition LLVMUtil.cpp:622
SVF::LLVMUtil::getNumOfElements
u32_t getNumOfElements(const Type *ety)
Return size of this object based on LLVM value.
Definition LLVMUtil.cpp:295
SVF::LLVMUtil::isObject
bool isObject(const Value *ref)
Return true if this value refers to a object.
Definition LLVMUtil.cpp:59
SVF::LLVMUtil::getPtrElementType
static Type * getPtrElementType(const PointerType *pty)
Definition LLVMUtil.h:130
SVF::SVFUtil::sucMsg
std::string sucMsg(const std::string &msg)
Returns successful message by converting a string into green string output.
Definition SVFUtil.cpp:55
SVF::SVFUtil::pasMsg
std::string pasMsg(const std::string &msg)
Print each pass/phase message by converting a string into blue string output.
Definition SVFUtil.cpp:101
SVF::SVFUtil::errMsg
std::string errMsg(const std::string &msg)
Print error message by converting a string into red string output.
Definition SVFUtil.cpp:78
SVF::SVFUtil::errs
std::ostream & errs()
Overwrite llvm::errs()
Definition SVFUtil.h:58
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition SVFUtil.h:52
SVF::SVFUtil::move
constexpr std::remove_reference< T >::type && move(T &&t) noexcept
Definition SVFUtil.h:420
SVF::cppUtil::extractClsNameFromDynCast
std::string extractClsNameFromDynCast(const CallBase *callBase)
extract class name from cpp dyncast function
Definition CppUtil.cpp:918
SVF::cppUtil::classTyHasVTable
bool classTyHasVTable(const StructType *ty)
Definition CppUtil.cpp:569
SVF::cppUtil::isClsNameSource
bool isClsNameSource(const Value *val)
Definition CppUtil.cpp:860
SVF::cppUtil::extractClsNamesFromFunc
Set< std::string > extractClsNamesFromFunc(const Function *foo)
extract class name from the c++ function name, e.g., constructor/destructors
Definition CppUtil.cpp:706
SVF::cppUtil::isDynCast
bool isDynCast(const Function *foo)
whether foo is a cpp dyncast function
Definition CppUtil.cpp:908
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::Type
llvm::Type Type
Definition BasicTypes.h:83
SVF::CallBase
llvm::CallBase CallBase
Definition BasicTypes.h:146
SVF::BasicBlock
llvm::BasicBlock BasicBlock
Definition BasicTypes.h:86
SVF::AllocaInst
llvm::AllocaInst AllocaInst
Definition BasicTypes.h:150
SVF::Function
llvm::Function Function
Definition BasicTypes.h:85
SVF::GlobalValue
llvm::GlobalValue GlobalValue
Definition BasicTypes.h:88
SVF::Value
llvm::Value Value
LLVM Basic classes.
Definition BasicTypes.h:82
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
SVF::PointerType
llvm::PointerType PointerType
Definition BasicTypes.h:96
SVF::StoreInst
llvm::StoreInst StoreInst
Definition BasicTypes.h:148
SVF::u32_t
unsigned u32_t
Definition GeneralType.h:47
SVF::LLVMContext
llvm::LLVMContext LLVMContext
Definition BasicTypes.h:70
Generated by doxygen 1.9.8