Static Value-Flow Analysis
RelationSolver.cpp
Go to the documentation of this file.
1 //===- RelationSolver.cpp ----Relation Solver for Interval Domains-----------//
2 //
3 // SVF: Static Value-Flow Analysis
4 //
5 // Copyright (C) <2013-2022> <Yulei Sui>
6 //
7 
8 // This program is free software: you can redistribute it and/or modify
9 // it under the terms of the GNU Affero General Public License as published by
10 // the Free Software Foundation, either version 3 of the License, or
11 // (at your option) any later version.
12 
13 // This program is distributed in the hope that it will be useful,
14 // but WITHOUT ANY WARRANTY; without even the implied warranty of
15 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 // GNU Affero General Public License for more details.
17 
18 // You should have received a copy of the GNU Affero General Public License
19 // along with this program. If not, see <http://www.gnu.org/licenses/>.
20 //
21 //===----------------------------------------------------------------------===//
22 /*
23  * RelationSolver.cpp
24  *
25  * Created on: Aug 4, 2022
26  * Author: Jiawei Ren
27  *
28  */
29 #include "AE/Core/RelationSolver.h"
30 #include <cmath>
31 #include "Util/Options.h"
32 
33 using namespace SVF;
34 using namespace SVFUtil;
35 
36 AbstractState RelationSolver::bilateral(const AbstractState&domain, const Z3Expr& phi,
37  u32_t descend_check)
38 {
40  AbstractState upper = domain.top();
41  AbstractState lower = domain.bottom();
42  u32_t meets_in_a_row = 0;
43  z3::solver solver = Z3Expr::getSolver();
44  z3::params p(Z3Expr::getContext());
46  p.set(":timeout", static_cast<unsigned>(600)); // in milliseconds
47  solver.set(p);
48  AbstractState consequence;
49 
51  while (lower != upper)
52  {
53  if (meets_in_a_row == descend_check)
54  {
55  consequence = lower;
56  }
57  else
58  {
59  consequence = abstract_consequence(lower, upper, domain);
60  }
62  Z3Expr rhs = !(gamma_hat(consequence, domain));
63  solver.push();
64  solver.add(phi.getExpr() && rhs.getExpr());
65  Map<u32_t, s32_t> solution;
66  z3::check_result checkRes = solver.check();
68  if (checkRes == z3::sat)
69  {
70  z3::model m = solver.get_model();
71  for (u32_t i = 0; i < m.size(); i++)
72  {
73  z3::func_decl v = m[i];
74  // assert(v.arity() == 0);
75  if (v.arity() != 0)
76  continue;
77  solution.emplace(std::stoi(v.name().str()),
78  m.get_const_interp(v).get_numeral_int());
79  }
80  for (const auto& item : domain.getVarToVal())
81  {
82  if (solution.find(item.first) == solution.end())
83  {
84  solution.emplace(item.first, 0);
85  }
86  }
87  solver.pop();
88  AbstractState newLower = domain.bottom();
89  newLower.joinWith(lower);
90  AbstractState rhs = beta(solution, domain);
91  newLower.joinWith(rhs);
92  lower = newLower;
93  meets_in_a_row = 0;
94  }
95  else
96  {
97  solver.pop();
98  if (checkRes == z3::unknown)
99  {
101  if (solver.reason_unknown() == "timeout")
102  return upper;
103  }
104  AbstractState newUpper = domain.top();
105  newUpper.meetWith(upper);
106  newUpper.meetWith(consequence);
107  upper = newUpper;
108  meets_in_a_row += 1;
109  }
110  }
111  return upper;
112 }
113 
114 AbstractState RelationSolver::RSY(const AbstractState& domain, const Z3Expr& phi)
115 {
116  AbstractState lower = domain.bottom();
117  z3::solver& solver = Z3Expr::getSolver();
118  z3::params p(Z3Expr::getContext());
120  p.set(":timeout", static_cast<unsigned>(600)); // in milliseconds
121  solver.set(p);
122  while (1)
123  {
124  Z3Expr rhs = !(gamma_hat(lower, domain));
125  solver.push();
126  solver.add(phi.getExpr() && rhs.getExpr());
127  Map<u32_t, s32_t> solution;
128  z3::check_result checkRes = solver.check();
130  if (checkRes == z3::sat)
131  {
132  z3::model m = solver.get_model();
133  for (u32_t i = 0; i < m.size(); i++)
134  {
135  z3::func_decl v = m[i];
136  if (v.arity() != 0)
137  continue;
138 
139  solution.emplace(std::stoi(v.name().str()),
140  m.get_const_interp(v).get_numeral_int());
141  }
142  for (const auto& item : domain.getVarToVal())
143  {
144  if (solution.find(item.first) == solution.end())
145  {
146  solution.emplace(item.first, 0);
147  }
148  }
149  solver.pop();
150  AbstractState newLower = domain.bottom();
151  newLower.joinWith(lower);
152  newLower.joinWith(beta(solution, domain));
153  lower = newLower;
154  }
155  else
156  {
157  solver.pop();
158  if (checkRes == z3::unknown)
159  {
161  if (solver.reason_unknown() == "timeout")
162  return domain.top();
163  }
164  break;
165  }
166  }
167  return lower;
168 }
169 
170 AbstractState RelationSolver::abstract_consequence(
171  const AbstractState& lower, const AbstractState& upper, const AbstractState& domain) const
172 {
173  /*Returns the "abstract consequence" of lower and upper.
174 
175  The abstract consequence must be a superset of lower and *NOT* a
176  superset of upper.
177 
178  Note that this is a fairly "simple" abstract consequence, in that it
179  sets only one variable to a non-top interval. This improves performance
180  of the SMT solver in many cases. In certain cases, other choices for
181  the abstract consequence will lead to better algorithm performance.*/
182 
183  for (auto it = domain.getVarToVal().begin();
184  it != domain.getVarToVal().end(); ++it)
186  {
187  AbstractState proposed = domain.top();
188  proposed[it->first] = lower[it->first].getInterval();
191  if (!(proposed >= upper))
192  {
193  return proposed;
194  }
195  }
196  return lower;
197 }
198 
199 Z3Expr RelationSolver::gamma_hat(const AbstractState& exeState) const
200 {
201  Z3Expr res(Z3Expr::getContext().bool_val(true));
202  for (auto& item : exeState.getVarToVal())
203  {
204  IntervalValue interval = item.second.getInterval();
205  if (interval.isBottom())
206  return Z3Expr::getContext().bool_val(false);
207  if (interval.isTop())
208  continue;
209  Z3Expr v = toIntZ3Expr(item.first);
210  res = (res && v >= (int)interval.lb().getNumeral() &&
211  v <= (int)interval.ub().getNumeral()).simplify();
212  }
213  return res;
214 }
215 
216 Z3Expr RelationSolver::gamma_hat(const AbstractState& alpha,
217  const AbstractState& exeState) const
218 {
219  Z3Expr res(Z3Expr::getContext().bool_val(true));
220  for (auto& item : exeState.getVarToVal())
221  {
222  IntervalValue interval = alpha[item.first].getInterval();
223  if (interval.isBottom())
224  return Z3Expr::getContext().bool_val(false);
225  if (interval.isTop())
226  continue;
227  Z3Expr v = toIntZ3Expr(item.first);
228  res = (res && v >= (int)interval.lb().getNumeral() &&
229  v <= (int)interval.ub().getNumeral()).simplify();
230  }
231  return res;
232 }
233 
234 Z3Expr RelationSolver::gamma_hat(u32_t id, const AbstractState& exeState) const
235 {
236  auto it = exeState.getVarToVal().find(id);
237  assert(it != exeState.getVarToVal().end() && "id not in varToVal?");
238  Z3Expr v = toIntZ3Expr(id);
239  // Z3Expr v = Z3Expr::getContext().int_const(std::to_string(id).c_str());
240  Z3Expr res = (v >= (int)it->second.getInterval().lb().getNumeral() &&
241  v <= (int)it->second.getInterval().ub().getNumeral());
242  return res;
243 }
244 
245 AbstractState RelationSolver::beta(const Map<u32_t, s32_t>& sigma,
246  const AbstractState& exeState) const
247 {
248  AbstractState res;
249  for (const auto& item : exeState.getVarToVal())
250  {
251  res[item.first] = IntervalValue(
252  sigma.at(item.first), sigma.at(item.first));
253  }
254  return res;
255 }
256 
257 void RelationSolver::updateMap(Map<u32_t, s32_t>& map, u32_t key, const s32_t& value)
258 {
259  auto it = map.find(key);
260  if (it == map.end())
261  {
262  map.emplace(key, value);
263  }
264  else
265  {
266  it->second = value;
267  }
268 }
269 
270 AbstractState RelationSolver::BS(const AbstractState& domain, const Z3Expr &phi)
271 {
274  u32_t bias = 0;
275  s32_t infinity = INT32_MAX/2 - 1;
276 
277  // int infinity = (INT32_MAX) - 1;
278  // int infinity = 20;
279  Map<u32_t, s32_t> ret;
280  Map<u32_t, s32_t> low_values, high_values;
281  Z3Expr new_phi = phi;
283  for (const auto& item: domain.getVarToVal())
284  {
285  IntervalValue interval = item.second.getInterval();
286  updateMap(ret, item.first, interval.ub().getIntNumeral());
287  if (interval.lb().is_minus_infinity())
288  updateMap(low_values, item.first, -infinity);
289  else
290  updateMap(low_values, item.first, interval.lb().getIntNumeral());
291  if (interval.ub().is_plus_infinity())
292  updateMap(high_values, item.first, infinity);
293  else
294  updateMap(high_values, item.first, interval.ub().getIntNumeral());
295  if (item.first > bias)
296  bias = item.first + 1;
297  }
298  for (const auto& item: domain.getVarToVal())
299  {
301  IntervalValue interval = item.second.getInterval();
302  u32_t reverse_key = item.first + bias;
303  updateMap(ret, reverse_key, -interval.lb().getIntNumeral());
304  if (interval.ub().is_plus_infinity())
305  updateMap(low_values, reverse_key, -infinity);
306  else
307  updateMap(low_values, reverse_key, -interval.ub().getIntNumeral());
308  if (interval.lb().is_minus_infinity())
309  updateMap(high_values, reverse_key, infinity);
310  else
311  updateMap(high_values, reverse_key, -interval.lb().getIntNumeral());
313  new_phi = (new_phi && (toIntZ3Expr(reverse_key) == -1 * toIntZ3Expr(item.first)));
314  }
316  BoxedOptSolver(new_phi.simplify(), ret, low_values, high_values);
318  AbstractState retInv;
319  for (const auto& item: ret)
320  {
321  if (item.first >= bias)
322  {
323  if (!retInv.inVarToValTable(item.first-bias))
324  retInv[item.first-bias] = IntervalValue::top();
325 
326  if (item.second == (infinity))
327  retInv[item.first - bias] = IntervalValue(BoundedInt::minus_infinity(),
328  retInv[item.first - bias].getInterval().ub());
329  else
330  retInv[item.first - bias] = IntervalValue(float(-item.second), retInv[item.first - bias].getInterval().ub());
331 
332  }
333  else
334  {
335  if (item.second == (infinity))
336  retInv[item.first] = IntervalValue(retInv[item.first].getInterval().lb(),
337  BoundedInt::plus_infinity());
338  else
339  retInv[item.first] = IntervalValue(retInv[item.first].getInterval().lb(), float(item.second));
340  }
341  }
342  return retInv;
343 }
344 
345 Map<u32_t, s32_t> RelationSolver::BoxedOptSolver(const Z3Expr& phi, Map<u32_t, s32_t>& ret, Map<u32_t, s32_t>& low_values, Map<u32_t, s32_t>& high_values)
346 {
348  Map<u32_t, Z3Expr> L_phi;
349  Map<u32_t, s32_t> mid_values;
350  while (1)
351  {
352  L_phi.clear();
353  for (const auto& item : ret)
354  {
355  Z3Expr v = toIntZ3Expr(item.first);
356  if (low_values.at(item.first) <= (high_values.at(item.first)))
357  {
358  s32_t mid = (low_values.at(item.first) + (high_values.at(item.first) - low_values.at(item.first)) / 2);
359  updateMap(mid_values, item.first, mid);
360  Z3Expr expr = (toIntVal(mid) <= v && v <= toIntVal(high_values.at(item.first)));
361  L_phi[item.first] = expr;
362  }
363  }
364  if (L_phi.empty())
365  break;
366  else
367  decide_cpa_ext(phi, L_phi, mid_values, ret, low_values, high_values);
368  }
369  return ret;
370 }
371 
372 
373 void RelationSolver::decide_cpa_ext(const Z3Expr& phi,
374  Map<u32_t, Z3Expr>& L_phi,
375  Map<u32_t, s32_t>& mid_values,
376  Map<u32_t, s32_t>& ret,
377  Map<u32_t, s32_t>& low_values,
378  Map<u32_t, s32_t>& high_values)
379 {
380  while (1)
381  {
382  Z3Expr join_expr(Z3Expr::getContext().bool_val(false));
383  for (const auto& item : L_phi)
384  join_expr = (join_expr || item.second);
385  join_expr = (join_expr && phi).simplify();
386  z3::solver& solver = Z3Expr::getSolver();
387  solver.push();
388  solver.add(join_expr.getExpr());
389  Map<u32_t, double> solution;
390  z3::check_result checkRes = solver.check();
392  if (checkRes == z3::sat)
393  {
394  z3::model m = solver.get_model();
395  solver.pop();
396  for(const auto & item : L_phi)
397  {
398  u32_t id = item.first;
399  int value = m.eval(toIntZ3Expr(id).getExpr()).get_numeral_int();
400  // int value = m.eval(Z3Expr::getContext().int_const(std::to_string(id).c_str())).get_numeral_int();
403  Z3Expr expr = (item.second && toIntZ3Expr(id) == value);
404  solver.push();
405  solver.add(expr.getExpr());
406  // solution meets phi_id
407  if (solver.check() == z3::sat)
408  {
409  updateMap(ret, id, (value));
410  updateMap(low_values, id, ret.at(id) + 1);
411 
412  s32_t mid = (low_values.at(id) + high_values.at(id) + 1) / 2;
413  updateMap(mid_values, id, mid);
414  Z3Expr v = toIntZ3Expr(id);
415  // Z3Expr v = Z3Expr::getContext().int_const(std::to_string(id).c_str());
416  Z3Expr expr = (toIntVal(mid_values.at(id)) <= v && v <= toIntVal(high_values.at(id)));
417  L_phi[id] = expr;
418  }
419  solver.pop();
420  }
421  }
422  else
423  {
424  solver.pop();
425  for (const auto& item : L_phi)
426  high_values.at(item.first) = mid_values.at(item.first) - 1;
427  return;
428  }
429  }
430 
431 }
p
cJSON * p
Definition: cJSON.cpp:2559
item
cJSON * item
Definition: cJSON.h:222
SVF::AbstractState::bottom
AbstractState bottom() const
Set all value bottom.
Definition: AbstractState.h:153
SVF::AbstractState::joinWith
void joinWith(const AbstractState &other)
domain join with other, important! other widen this.
Definition: AbstractState.cpp:102
SVF::AbstractState::getVarToVal
const VarToAbsValMap & getVarToVal() const
get var2val map
Definition: AbstractState.h:260
SVF::AbstractState::inVarToValTable
virtual bool inVarToValTable(u32_t id) const
whether the variable is in varToVal table
Definition: AbstractState.h:221
SVF::AbstractState::top
AbstractState top() const
Set all value top.
Definition: AbstractState.h:165
SVF::AbstractState::meetWith
void meetWith(const AbstractState &other)
domain meet with other, important! other widen this.
Definition: AbstractState.cpp:133
SVF::BoundedInt::plus_infinity
static BoundedInt plus_infinity()
Definition: NumericValue.h:131
SVF::BoundedInt::is_minus_infinity
bool is_minus_infinity() const
Definition: NumericValue.h:107
SVF::BoundedInt::getNumeral
s64_t getNumeral() const
Retrieves the numeral value of the BoundedInt object.
Definition: NumericValue.h:661
SVF::BoundedInt::is_plus_infinity
bool is_plus_infinity() const
Definition: NumericValue.h:101
SVF::BoundedInt::getIntNumeral
s64_t getIntNumeral() const
Definition: NumericValue.h:703
SVF::BoundedInt::minus_infinity
static BoundedInt minus_infinity()
Definition: NumericValue.h:137
SVF::IntervalValue::isTop
bool isTop() const
Definition: IntervalValue.h:66
SVF::IntervalValue::lb
const BoundedInt & lb() const
Return the lower bound.
Definition: IntervalValue.h:220
SVF::IntervalValue::isBottom
bool isBottom() const
Definition: IntervalValue.h:71
SVF::IntervalValue::ub
const BoundedInt & ub() const
Return the upper bound.
Definition: IntervalValue.h:227
SVF::IntervalValue::top
static IntervalValue top()
Create the IntervalValue [-inf, +inf].
Definition: IntervalValue.h:94
SVF::RelationSolver::gamma_hat
Z3Expr gamma_hat(const AbstractState &exeState) const
Return Z3Expr according to valToValMap.
Definition: RelationSolver.cpp:199
SVF::RelationSolver::RSY
AbstractState RSY(const AbstractState &domain, const Z3Expr &phi)
Definition: RelationSolver.cpp:114
SVF::RelationSolver::bilateral
AbstractState bilateral(const AbstractState &domain, const Z3Expr &phi, u32_t descend_check=0)
Definition: RelationSolver.cpp:36
SVF::RelationSolver::BoxedOptSolver
Map< u32_t, s32_t > BoxedOptSolver(const Z3Expr &phi, Map< u32_t, s32_t > &ret, Map< u32_t, s32_t > &low_values, Map< u32_t, s32_t > &high_values)
Definition: RelationSolver.cpp:345
SVF::RelationSolver::beta
AbstractState beta(const Map< u32_t, s32_t > &sigma, const AbstractState &exeState) const
Definition: RelationSolver.cpp:245
SVF::RelationSolver::updateMap
void updateMap(Map< u32_t, s32_t > &map, u32_t key, const s32_t &value)
Definition: RelationSolver.cpp:257
SVF::RelationSolver::abstract_consequence
AbstractState abstract_consequence(const AbstractState &lower, const AbstractState &upper, const AbstractState &domain) const
Definition: RelationSolver.cpp:170
SVF::RelationSolver::decide_cpa_ext
void decide_cpa_ext(const Z3Expr &phi, Map< u32_t, Z3Expr > &, Map< u32_t, s32_t > &, Map< u32_t, s32_t > &, Map< u32_t, s32_t > &, Map< u32_t, s32_t > &)
Definition: RelationSolver.cpp:373
SVF::RelationSolver::BS
AbstractState BS(const AbstractState &domain, const Z3Expr &phi)
Definition: RelationSolver.cpp:270
SVF::Z3Expr::getSolver
static z3::solver & getSolver()
Get z3 solver, singleton design here to make sure we only have one context.
Definition: Z3Expr.cpp:56
SVF::Z3Expr::getExpr
const z3::expr & getExpr() const
Definition: Z3Expr.h:86
SVF::Z3Expr::getContext
static z3::context & getContext()
Get z3 context, singleton design here to make sure we only have one context.
Definition: Z3Expr.cpp:66
SVF::Z3Expr::simplify
Z3Expr simplify() const
Definition: Z3Expr.h:137
SVF
for isBitcode
Definition: BasicTypes.h:68
SVF::Map
std::unordered_map< Key, Value, Hash, KeyEqual, Allocator > Map
Definition: GeneralType.h:101
SVF::s32_t
signed s32_t
Definition: GeneralType.h:47
SVF::u32_t
unsigned u32_t
Definition: GeneralType.h:46
Generated by doxygen 1.9.1