Static Value-Flow Analysis
Loading...
Searching...
No Matches
ProgSlice.cpp
Go to the documentation of this file.
1//===- ProgSlice.cpp -- Program slicing--------------------------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23/*
24 * ProgSlice.cpp
25 *
26 * Created on: Apr 5, 2014
27 * Author: Yulei Sui
28 */
29
30#include "SABER/ProgSlice.h"
31
32using namespace SVF;
33using namespace SVFUtil;
34
43bool ProgSlice::AllPathReachableSolve()
44{
45 const SVFGNode* source = getSource();
46 VFWorkList worklist;
47 worklist.push(source);
49 setVFCond(source,getTrueCond());
50
51 while(!worklist.empty())
52 {
53 const SVFGNode* node = worklist.pop();
54 setCurSVFGNode(node);
55
56 Condition invalidCond = computeInvalidCondFromRemovedSUVFEdge(node);
57 Condition cond = getVFCond(node);
58 for(SVFGNode::const_iterator it = node->OutEdgeBegin(), eit = node->OutEdgeEnd(); it!=eit; ++it)
59 {
60 const SVFGEdge* edge = (*it);
61 const SVFGNode* succ = edge->getDstNode();
62 if(inBackwardSlice(succ))
63 {
64 Condition vfCond;
65 const SVFBasicBlock* nodeBB = getSVFGNodeBB(node);
66 const SVFBasicBlock* succBB = getSVFGNodeBB(succ);
68 clearCFCond();
69
70 if(edge->isCallVFGEdge())
71 {
72 vfCond = ComputeInterCallVFGGuard(nodeBB,succBB, getCallSite(edge)->getParent());
73 }
74 else if(edge->isRetVFGEdge())
75 {
76 vfCond = ComputeInterRetVFGGuard(nodeBB,succBB, getRetSite(edge)->getParent());
77 }
78 else
79 vfCond = ComputeIntraVFGGuard(nodeBB,succBB);
80 vfCond = condAnd(vfCond, condNeg(invalidCond));
81 Condition succPathCond = condAnd(cond, vfCond);
82 if(setVFCond(succ, condOr(getVFCond(succ), succPathCond) ))
83 worklist.push(succ);
84 }
85
86 DBOUT(DSaber, outs() << " node (" << node->getId() <<
87 ") --> " << "succ (" << succ->getId() << ") condition: " << getVFCond(succ) << "\n");
88 }
89 }
90
91 return isSatisfiableForAll();
92}
93
108ProgSlice::Condition ProgSlice::computeInvalidCondFromRemovedSUVFEdge(const SVFGNode * cur)
109{
110 Set<const SVFBasicBlock*> validOutBBs; // the BBs of valid successors
111 for(SVFGNode::const_iterator it = cur->OutEdgeBegin(), eit = cur->OutEdgeEnd(); it!=eit; ++it)
112 {
113 const SVFGEdge* edge = (*it);
114 const SVFGNode* succ = edge->getDstNode();
115 if(inBackwardSlice(succ))
116 {
117 validOutBBs.insert(getSVFGNodeBB(succ));
118 }
119 }
120 Condition invalidCond = getFalseCond();
121 auto suVFEdgesIt = getRemovedSUVFEdges().find(cur);
122 if (suVFEdgesIt != getRemovedSUVFEdges().end())
123 {
124 for (const auto &succ: suVFEdgesIt->second)
125 {
126 if (!validOutBBs.count(getSVFGNodeBB(succ)))
127 {
128 // removed vfg node does not reside in the BBs of valid successors
129 const SVFBasicBlock *nodeBB = getSVFGNodeBB(cur);
130 const SVFBasicBlock *succBB = getSVFGNodeBB(succ);
131 clearCFCond();
132 invalidCond = condOr(invalidCond, ComputeIntraVFGGuard(nodeBB, succBB));
133 }
134 }
135 }
136 return invalidCond;
137}
138
154
158bool ProgSlice::isSatisfiableForPairs()
159{
160
161 for(SVFGNodeSetIter it = sinksBegin(), eit = sinksEnd(); it!=eit; ++it)
162 {
163 for(SVFGNodeSetIter sit = it, esit = sinksEnd(); sit!=esit; ++sit)
164 {
165 if(*it == *sit)
166 continue;
167 Condition guard = condAnd(getVFCond(*sit),getVFCond(*it));
168 if(!isEquivalentBranchCond(guard, getFalseCond()))
169 {
170 setFinalCond(guard);
171 return false;
172 }
173 }
174 }
175
176 return true;
177}
178
179const CallICFGNode* ProgSlice::getCallSite(const SVFGEdge* edge) const
180{
181 assert(edge->isCallVFGEdge() && "not a call svfg edge?");
182 if(const CallDirSVFGEdge* callEdge = SVFUtil::dyn_cast<CallDirSVFGEdge>(edge))
183 return getSVFG()->getCallSite(callEdge->getCallSiteId());
184 else
185 return getSVFG()->getCallSite(SVFUtil::cast<CallIndSVFGEdge>(edge)->getCallSiteId());
186}
187const CallICFGNode* ProgSlice::getRetSite(const SVFGEdge* edge) const
188{
189 assert(edge->isRetVFGEdge() && "not a return svfg edge?");
190 if(const RetDirSVFGEdge* callEdge = SVFUtil::dyn_cast<RetDirSVFGEdge>(edge))
191 return getSVFG()->getCallSite(callEdge->getCallSiteId());
192 else
193 return getSVFG()->getCallSite(SVFUtil::cast<RetIndSVFGEdge>(edge)->getCallSiteId());
194}
195
196void ProgSlice::evalFinalCond2Event(GenericBug::EventStack &eventStack) const
197{
198 NodeBS elems = pathAllocator->exactCondElem(finalCond);
199 for(NodeBS::iterator it = elems.begin(), eit = elems.end(); it!=eit; ++it)
200 {
201 const ICFGNode* tinst = pathAllocator->getCondInst(*it);
202 if(pathAllocator->isNegCond(*it))
203 eventStack.push_back(SVFBugEvent(
204 SVFBugEvent::Branch|((((u32_t)false) << 4) & BRANCHFLAGMASK), tinst));
205 else
206 eventStack.push_back(SVFBugEvent(
207 SVFBugEvent::Branch|((((u32_t)true) << 4) & BRANCHFLAGMASK), tinst));
208 }
209}
210
220std::string ProgSlice::evalFinalCond() const
221{
222 std::string str;
223 std::stringstream rawstr(str);
224 Set<std::string> locations;
225 NodeBS elems = pathAllocator->exactCondElem(finalCond);
226
227 for(NodeBS::iterator it = elems.begin(), eit = elems.end(); it!=eit; ++it)
228 {
229 const ICFGNode* tinst = pathAllocator->getCondInst(*it);
230 if(pathAllocator->isNegCond(*it))
231 locations.insert(tinst->getSourceLoc()+"|False");
232 else
233 locations.insert(tinst->getSourceLoc()+"|True");
234 }
235
237 for(Set<std::string>::iterator iter = locations.begin(), eiter = locations.end();
238 iter!=eiter; ++iter)
239 {
240 rawstr << "\t\t --> (" << *iter << ") \n";
241 }
242
243 return rawstr.str();
244}
245
246void ProgSlice::destroy()
247{
248}
BRANCHFLAGMASK
#define BRANCHFLAGMASK
Definition SVFBugReport.h:40
DBOUT
#define DBOUT(TYPE, X)
LLVM debug macros, define type of your DBUG model of each pass.
Definition SVFType.h:484
DSaber
#define DSaber
Definition SVFType.h:504
SVF::GenericBug::EventStack
std::vector< SVFBugEvent > EventStack
Definition SVFBugReport.h:83
SVF::GenericNode::OutEdgeEnd
iterator OutEdgeEnd()
Definition GenericGraph.h:459
SVF::GenericNode::OutEdgeBegin
iterator OutEdgeBegin()
iterators
Definition GenericGraph.h:455
SVF::ProgSlice::finalCond
Condition finalCond
final condition
Definition ProgSlice.h:321
SVF::ProgSlice::inBackwardSlice
bool inBackwardSlice(const SVFGNode *node)
Definition ProgSlice.h:99
SVF::ProgSlice::getRetSite
const CallICFGNode * getRetSite(const SVFGEdge *edge) const
Definition ProgSlice.cpp:187
SVF::ProgSlice::condNeg
Condition condNeg(const Condition &cond)
Definition ProgSlice.h:190
SVF::ProgSlice::getSVFGNodeBB
const SVFBasicBlock * getSVFGNodeBB(const SVFGNode *node) const
Definition ProgSlice.h:274
SVF::ProgSlice::evalFinalCond2Event
void evalFinalCond2Event(GenericBug::EventStack &eventStack) const
Add final condition to eventStack.
Definition ProgSlice.cpp:196
SVF::ProgSlice::sinksEnd
SVFGNodeSetIter sinksEnd() const
Definition ProgSlice.h:139
SVF::ProgSlice::getRemovedSUVFEdges
const SVFGNodeToSVFGNodeSetMap & getRemovedSUVFEdges() const
Definition ProgSlice.h:305
SVF::ProgSlice::condOr
Condition condOr(const Condition &lhs, const Condition &rhs)
Definition ProgSlice.h:186
SVF::ProgSlice::isSatisfiableForPairs
bool isSatisfiableForPairs()
Definition ProgSlice.cpp:158
SVF::ProgSlice::getTrueCond
Condition getTrueCond() const
Definition ProgSlice.h:194
SVF::ProgSlice::isSatisfiableForAll
bool isSatisfiableForAll()
Definition ProgSlice.cpp:142
SVF::ProgSlice::getSVFG
const SVFG * getSVFG() const
Definition ProgSlice.h:213
SVF::ProgSlice::VFWorkList
FIFOWorkList< const SVFGNode * > VFWorkList
worklist for value-flow guard computation
Definition ProgSlice.h:58
SVF::ProgSlice::isEquivalentBranchCond
bool isEquivalentBranchCond(const Condition &lhs, const Condition &rhs) const
Definition ProgSlice.h:266
SVF::ProgSlice::ComputeInterCallVFGGuard
Condition ComputeInterCallVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst, const SVFBasicBlock *callBB)
Definition ProgSlice.h:256
SVF::ProgSlice::destroy
void destroy()
Release memory.
Definition ProgSlice.cpp:246
SVF::ProgSlice::getCallSite
const CallICFGNode * getCallSite(const SVFGEdge *edge) const
Get callsite ID and get returnsiteID from SVFGEdge.
Definition ProgSlice.cpp:179
SVF::ProgSlice::getFalseCond
Condition getFalseCond() const
Definition ProgSlice.h:198
SVF::ProgSlice::getSource
const SVFGNode * getSource() const
root and sink operations
Definition ProgSlice.h:123
SVF::ProgSlice::AllPathReachableSolve
bool AllPathReachableSolve()
Guarded reachability solve.
Definition ProgSlice.cpp:43
SVF::ProgSlice::pathAllocator
SaberCondAllocator * pathAllocator
path condition allocator
Definition ProgSlice.h:319
SVF::ProgSlice::clearCFCond
void clearCFCond()
Clear Control flow conditions before each VF computation.
Definition ProgSlice.h:221
SVF::ProgSlice::setVFCond
bool setVFCond(const SVFGNode *node, const Condition &cond)
Definition ProgSlice.h:238
SVF::ProgSlice::ComputeInterRetVFGGuard
Condition ComputeInterRetVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst, const SVFBasicBlock *retBB)
Definition ProgSlice.h:260
SVF::ProgSlice::computeInvalidCondFromRemovedSUVFEdge
Condition computeInvalidCondFromRemovedSUVFEdge(const SVFGNode *cur)
Compute invalid branch condition stemming from removed strong update value-flow edges.
Definition ProgSlice.cpp:108
SVF::ProgSlice::condAnd
Condition condAnd(const Condition &lhs, const Condition &rhs)
Condition operations.
Definition ProgSlice.h:182
SVF::ProgSlice::sinksBegin
SVFGNodeSetIter sinksBegin() const
Definition ProgSlice.h:135
SVF::ProgSlice::ComputeIntraVFGGuard
Condition ComputeIntraVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst)
Compute guards for value-flows.
Definition ProgSlice.h:252
SVF::ProgSlice::getVFCond
Condition getVFCond(const SVFGNode *node) const
Get/set VF (value-flow) and CF (control-flow) conditions.
Definition ProgSlice.h:229
SVF::ProgSlice::setCurSVFGNode
void setCurSVFGNode(const SVFGNode *node)
Definition ProgSlice.h:290
SVF::ProgSlice::SVFGNodeSetIter
SVFGNodeSet::const_iterator SVFGNodeSetIter
Definition ProgSlice.h:54
SVF::ProgSlice::setFinalCond
void setFinalCond(const Condition &cond)
Set final condition after all path reachability analysis.
Definition ProgSlice.h:297
SVF::ProgSlice::evalFinalCond
std::string evalFinalCond() const
Evaluate final condition.
Definition ProgSlice.cpp:220
SVF::SVFBaseNode::getId
NodeID getId() const
Get ID.
Definition GenericGraph.h:236
SVF::SaberCondAllocator::isAllPathReachable
bool isAllPathReachable(Condition &condition)
whether condition is satisfiable for all possible boolean guards
Definition SaberCondAllocator.h:200
SVF::SaberCondAllocator::exactCondElem
NodeBS exactCondElem(const Condition &cond)
Iterator every element of the condition.
Definition SaberCondAllocator.h:108
SVF::SaberCondAllocator::getCondInst
const ICFGNode * getCondInst(u32_t id) const
Get/Set instruction based on Z3 expression id.
Definition SaberCondAllocator.h:128
SVF::SaberCondAllocator::isNegCond
bool isNegCond(u32_t id) const
Definition SaberCondAllocator.h:142
SVF::VFGNode::const_iterator
VFGEdge::VFGEdgeSetTy::const_iterator const_iterator
Definition VFGNode.h:55
SVF::VFG::getCallSite
const CallICFGNode * getCallSite(CallSiteID id) const
Definition VFG.h:182
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition SVFUtil.h:50
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
SVF::u32_t
unsigned u32_t
Definition GeneralType.h:46
SVF::Set
std::unordered_set< Key, Hash, KeyEqual, Allocator > Set
Definition GeneralType.h:96
Generated by doxygen 1.9.8