Static Value-Flow Analysis
Loading...
Searching...
No Matches
SaberCondAllocator.h
Go to the documentation of this file.
1//===- SaberCondAllocator.h -- Path condition manipulation---------------------//
2//
3// SVF: Static Value-Flow Analysis
4//
5// Copyright (C) <2013-> <Yulei Sui>
6//
7
8// This program is free software: you can redistribute it and/or modify
9// it under the terms of the GNU Affero General Public License as published by
10// the Free Software Foundation, either version 3 of the License, or
11// (at your option) any later version.
12
13// This program is distributed in the hope that it will be useful,
14// but WITHOUT ANY WARRANTY; without even the implied warranty of
15// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16// GNU Affero General Public License for more details.
17
18// You should have received a copy of the GNU Affero General Public License
19// along with this program. If not, see <http://www.gnu.org/licenses/>.
20//
21//===----------------------------------------------------------------------===//
22
23/*
24 * PathAllocator.h
25 *
26 * Created on: Apr 3, 2014
27 * Author: Yulei Sui
28 */
29
30#ifndef PATHALLOCATOR_H_
31#define PATHALLOCATOR_H_
32
33#include "SVFIR/SVFValue.h"
34#include "Util/WorkList.h"
35#include "Graphs/SVFG.h"
36#include "Util/Z3Expr.h"
37
38
39namespace SVF
40{
41
45class SaberCondAllocator
46{
47
48public:
49
50 typedef Z3Expr Condition;
51 typedef Map<u32_t, const ICFGNode*> IndexToTermInstMap;
52 typedef Map<u32_t,Condition> CondPosMap;
53 typedef Map<const SVFBasicBlock*, CondPosMap > BBCondMap;
54 typedef Set<const SVFBasicBlock*> BasicBlockSet;
55 typedef Map<const FunObjVar*, BasicBlockSet> FunToExitBBsMap;
56 typedef Map<const SVFBasicBlock*, Condition> BBToCondMap;
57 typedef FIFOWorkList<const SVFBasicBlock*> CFWorkList;
58 typedef Map<const SVFGNode*, Set<const SVFGNode*>> SVFGNodeToSVFGNodeSetMap;
59
60
62 SaberCondAllocator();
63
65 virtual ~SaberCondAllocator()
66 {
67 }
69
70 inline std::string getMemUsage()
71 {
72 u32_t vmrss, vmsize;
73 if (SVFUtil::getMemoryUsageKB(&vmrss, &vmsize))
74 return std::to_string(vmsize) + "KB";
75 else
76 return "cannot read memory usage";
77 }
78 inline u32_t getCondNum()
79 {
80 return totalCondNum;
81 }
83
85
86 inline Condition condAnd(const Condition& lhs, const Condition& rhs)
87 {
88 return Condition::AND(lhs,rhs);
89 }
90 inline Condition condOr(const Condition& lhs, const Condition& rhs)
91 {
92 return Condition::OR(lhs,rhs);
93 }
94 inline Condition condNeg(const Condition& cond)
95 {
96 return Condition::NEG(cond);
97 }
98 inline Condition getTrueCond() const
99 {
100 return Condition::getTrueCond();
101 }
102 inline Condition getFalseCond() const
103 {
104 return Condition::getFalseCond();
105 }
107 inline NodeBS exactCondElem(const Condition& cond)
108 {
109 NodeBS elems;
110 extractSubConds(cond, elems);
111 return elems;
112 }
113
114 inline std::string dumpCond(const Condition& cond) const
115 {
116 return Condition::dumpStr(cond);
117 }
118
120 Condition newCond(const ICFGNode* inst);
121
123 void allocate();
124
126 //{@
127 inline const ICFGNode* getCondInst(u32_t id) const
128 {
129 IndexToTermInstMap::const_iterator it = idToTermInstMap.find(id);
130 assert(it != idToTermInstMap.end() && "this should be a fresh condition");
131 return it->second;
132 }
133
134 inline void setCondInst(const Condition &condition, const ICFGNode* inst)
135 {
136 assert(idToTermInstMap.find(condition.id()) == idToTermInstMap.end() && "this should be a fresh condition");
137 idToTermInstMap[condition.id()] = inst;
138 }
140
141 bool isNegCond(u32_t id) const
142 {
143 return negConds.test(id);
144 }
145
146 inline bool postDominate(const SVFBasicBlock* bbKey, const SVFBasicBlock* bbValue) const
147 {
148 const FunObjVar* keyFunc = bbKey->getParent();
149 const FunObjVar* valueFunc = bbValue->getParent();
150 bool funcEq = (keyFunc == valueFunc);
151 (void)funcEq; // Suppress warning of unused variable under release build
152 assert(funcEq && "two basicblocks should be in the same function!");
153 return keyFunc->postDominate(bbKey,bbValue);
154 }
155
156 inline bool dominate(const SVFBasicBlock* bbKey, const SVFBasicBlock* bbValue) const
157 {
158 const FunObjVar* keyFunc = bbKey->getParent();
159 const FunObjVar* valueFunc = bbValue->getParent();
160 bool funcEq = (keyFunc == valueFunc);
161 (void)funcEq; // Suppress warning of unused variable under release build
162 assert(funcEq && "two basicblocks should be in the same function!");
163 return keyFunc->dominate(bbKey,bbValue);
164 }
165
167
168 virtual Condition ComputeIntraVFGGuard(const SVFBasicBlock* src, const SVFBasicBlock* dst);
169 virtual Condition ComputeInterCallVFGGuard(const SVFBasicBlock* src, const SVFBasicBlock* dst, const SVFBasicBlock* callBB);
170 virtual Condition ComputeInterRetVFGGuard(const SVFBasicBlock* src, const SVFBasicBlock* dst, const SVFBasicBlock* retBB);
171
174 virtual Condition getPHIComplementCond(const SVFBasicBlock* BB1, const SVFBasicBlock* BB2, const SVFBasicBlock* BB0);
175
176 inline void clearCFCond()
177 {
178 bbToCondMap.clear();
179 }
181 inline void setCurEvalSVFGNode(const SVFGNode* node)
182 {
183 curEvalSVFGNode = node;
184 }
186 inline const SVFGNode* getCurEvalSVFGNode() const
187 {
188 return curEvalSVFGNode;
189 }
191
193 void printPathCond();
194
196 bool isSatisfiable(const Condition& condition);
197
199 inline bool isAllPathReachable(Condition& condition)
200 {
201 return isEquivalentBranchCond(condition, Condition::getTrueCond());
202 }
203
205 bool isEquivalentBranchCond(const Condition &lhs, const Condition &rhs) const;
206
207 inline ICFG* getICFG() const
208 {
209 return PAG::getPAG()->getICFG();
210 }
211
213
214 inline bool setCFCond(const SVFBasicBlock* bb, const Condition& cond)
215 {
216 BBToCondMap::iterator it = bbToCondMap.find(bb);
217 // until a fixed-point is reached (condition is not changed)
218 if(it!=bbToCondMap.end() && isEquivalentBranchCond(it->second, cond))
219 return false;
220
221 bbToCondMap[bb] = cond;
222 return true;
223 }
224 inline Condition getCFCond(const SVFBasicBlock* bb) const
225 {
226 BBToCondMap::const_iterator it = bbToCondMap.find(bb);
227 if(it==bbToCondMap.end())
228 {
229 return getFalseCond();
230 }
231 return it->second;
232 }
234
235
237 inline void setNegCondInst(const Condition &condition, const ICFGNode* inst)
238 {
239 setCondInst(condition, inst);
240 negConds.set(condition.id());
241 }
242
247
248private:
249
251 virtual void allocateForBB(const SVFBasicBlock& bb);
252
254
255
256 void setBranchCond(const SVFBasicBlock* bb, const SVFBasicBlock* succ, const Condition& cond);
258 Condition getBranchCond(const SVFBasicBlock* bb, const SVFBasicBlock* succ) const;
260 Condition getEvalBrCond(const SVFBasicBlock* bb, const SVFBasicBlock* succ);
262
264
265 Condition evaluateBranchCond(const SVFBasicBlock* bb, const SVFBasicBlock* succ) ;
267 Condition evaluateLoopExitBranch(const SVFBasicBlock* bb, const SVFBasicBlock* succ);
269 Condition evaluateTestNullLikeExpr(const BranchStmt* branchStmt, const SVFBasicBlock* succ);
271 Condition evaluateProgExit(const BranchStmt* branchStmt, const SVFBasicBlock* succ);
273 void collectBBCallingProgExit(const SVFBasicBlock& bb);
274 bool isBBCallsProgExit(const SVFBasicBlock* bb);
276
278
279
280 bool isEQCmp(const CmpStmt* cmp) const;
282 bool isNECmp(const CmpStmt* cmp) const;
284 bool isTestNullExpr(const ICFGNode* test) const;
286 bool isTestNotNullExpr(const ICFGNode* test) const;
288 bool isTestContainsNullAndTheValue(const CmpStmt* cmp) const;
290
292 void destroy()
293 {
294
295 }
296
298 void extractSubConds(const Condition &condition, NodeBS &support) const;
299
300
301 FunToExitBBsMap funToExitBBsMap;
302 BBToCondMap bbToCondMap;
303 const SVFGNode* curEvalSVFGNode{};
304 IndexToTermInstMap idToTermInstMap;
305 NodeBS negConds;
306 std::vector<Condition> conditionVec;
307 static u32_t totalCondNum;
308 SVFGNodeToSVFGNodeSetMap removedSUVFEdges;
309
310protected:
311 BBCondMap bbConds;
312
313};
314
315} // End namespace SVF
316
317#endif /* PATHALLOCATOR_H_ */
SVF::SVFIR::getICFG
ICFG * getICFG() const
Definition SVFIR.h:163
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition SVFIR.h:116
SVF::SaberCondAllocator::~SaberCondAllocator
virtual ~SaberCondAllocator()
Destructor.
Definition SaberCondAllocator.h:65
SVF::SaberCondAllocator::allocateForBB
virtual void allocateForBB(const SVFBasicBlock &bb)
Allocate path condition for every basic block.
Definition SaberCondAllocator.cpp:89
SVF::SaberCondAllocator::removedSUVFEdges
SVFGNodeToSVFGNodeSetMap removedSUVFEdges
a counter for fresh condition
Definition SaberCondAllocator.h:308
SVF::SaberCondAllocator::dumpCond
std::string dumpCond(const Condition &cond) const
Definition SaberCondAllocator.h:114
SVF::SaberCondAllocator::newCond
Condition newCond(const ICFGNode *inst)
Allocate a new condition.
Definition SaberCondAllocator.cpp:602
SVF::SaberCondAllocator::SVFGNodeToSVFGNodeSetMap
Map< const SVFGNode *, Set< const SVFGNode * > > SVFGNodeToSVFGNodeSetMap
Definition SaberCondAllocator.h:58
SVF::SaberCondAllocator::isAllPathReachable
bool isAllPathReachable(Condition &condition)
whether condition is satisfiable for all possible boolean guards
Definition SaberCondAllocator.h:199
SVF::SaberCondAllocator::evaluateTestNullLikeExpr
Condition evaluateTestNullLikeExpr(const BranchStmt *branchStmt, const SVFBasicBlock *succ)
Return branch condition after evaluating test null like expression.
Definition SaberCondAllocator.cpp:186
SVF::SaberCondAllocator::evaluateProgExit
Condition evaluateProgExit(const BranchStmt *branchStmt, const SVFBasicBlock *succ)
Return condition when there is a branch calls program exit.
Definition SaberCondAllocator.cpp:222
SVF::SaberCondAllocator::condOr
Condition condOr(const Condition &lhs, const Condition &rhs)
Definition SaberCondAllocator.h:90
SVF::SaberCondAllocator::isTestContainsNullAndTheValue
bool isTestContainsNullAndTheValue(const CmpStmt *cmp) const
Return true if two values on the predicate are what we want.
Definition SaberCondAllocator.cpp:399
SVF::SaberCondAllocator::isTestNullExpr
bool isTestNullExpr(const ICFGNode *test) const
Return true if this is a test null expression.
Definition SaberCondAllocator.cpp:353
SVF::SaberCondAllocator::printPathCond
void printPathCond()
Print out the path condition information.
Definition SaberCondAllocator.cpp:575
SVF::SaberCondAllocator::postDominate
bool postDominate(const SVFBasicBlock *bbKey, const SVFBasicBlock *bbValue) const
Definition SaberCondAllocator.h:146
SVF::SaberCondAllocator::negConds
NodeBS negConds
key: z3 expression id, value: instruction
Definition SaberCondAllocator.h:305
SVF::SaberCondAllocator::BasicBlockSet
Set< const SVFBasicBlock * > BasicBlockSet
map bb to a Condition
Definition SaberCondAllocator.h:54
SVF::SaberCondAllocator::curEvalSVFGNode
const SVFGNode * curEvalSVFGNode
current llvm value to evaluate branch condition when computing guards
Definition SaberCondAllocator.h:303
SVF::SaberCondAllocator::setBranchCond
void setBranchCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ, const Condition &cond)
Get/Set a branch condition, and its terminator instruction.
Definition SaberCondAllocator.cpp:168
SVF::SaberCondAllocator::BBCondMap
Map< const SVFBasicBlock *, CondPosMap > BBCondMap
Definition SaberCondAllocator.h:53
SVF::SaberCondAllocator::destroy
void destroy()
Release memory.
Definition SaberCondAllocator.h:292
SVF::SaberCondAllocator::getPHIComplementCond
virtual Condition getPHIComplementCond(const SVFBasicBlock *BB1, const SVFBasicBlock *BB2, const SVFBasicBlock *BB0)
Definition SaberCondAllocator.cpp:470
SVF::SaberCondAllocator::bbConds
BBCondMap bbConds
map basic block to its successors/predecessors branch conditions
Definition SaberCondAllocator.h:311
SVF::SaberCondAllocator::condNeg
Condition condNeg(const Condition &cond)
Definition SaberCondAllocator.h:94
SVF::SaberCondAllocator::allocate
void allocate()
Perform path allocation.
Definition SaberCondAllocator.cpp:59
SVF::SaberCondAllocator::bbToCondMap
BBToCondMap bbToCondMap
map a basic block to its path condition starting from root
Definition SaberCondAllocator.h:302
SVF::SaberCondAllocator::totalCondNum
static u32_t totalCondNum
vector storing z3expression
Definition SaberCondAllocator.h:307
SVF::SaberCondAllocator::condAnd
Condition condAnd(const Condition &lhs, const Condition &rhs)
Condition operations.
Definition SaberCondAllocator.h:86
SVF::SaberCondAllocator::isSatisfiable
bool isSatisfiable(const Condition &condition)
whether condition is satisfiable
Definition SaberCondAllocator.cpp:626
SVF::SaberCondAllocator::getBranchCond
Condition getBranchCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ) const
Get branch condition.
Definition SaberCondAllocator.cpp:142
SVF::SaberCondAllocator::IndexToTermInstMap
Map< u32_t, const ICFGNode * > IndexToTermInstMap
z3 condition
Definition SaberCondAllocator.h:51
SVF::SaberCondAllocator::exactCondElem
NodeBS exactCondElem(const Condition &cond)
Iterator every element of the condition.
Definition SaberCondAllocator.h:107
SVF::SaberCondAllocator::ComputeInterRetVFGGuard
virtual Condition ComputeInterRetVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst, const SVFBasicBlock *retBB)
Definition SaberCondAllocator.cpp:507
SVF::SaberCondAllocator::getCurEvalSVFGNode
const SVFGNode * getCurEvalSVFGNode() const
Get current value for branch condition evaluation.
Definition SaberCondAllocator.h:186
SVF::SaberCondAllocator::getFalseCond
Condition getFalseCond() const
Definition SaberCondAllocator.h:102
SVF::SaberCondAllocator::setCFCond
bool setCFCond(const SVFBasicBlock *bb, const Condition &cond)
Get/Set control-flow conditions.
Definition SaberCondAllocator.h:214
SVF::SaberCondAllocator::collectBBCallingProgExit
void collectBBCallingProgExit(const SVFBasicBlock &bb)
Collect basic block contains program exit function call.
Definition SaberCondAllocator.cpp:431
SVF::SaberCondAllocator::isBBCallsProgExit
bool isBBCallsProgExit(const SVFBasicBlock *bb)
Definition SaberCondAllocator.cpp:448
SVF::SaberCondAllocator::extractSubConds
void extractSubConds(const Condition &condition, NodeBS &support) const
extract subexpression from a Z3 expression
Definition SaberCondAllocator.cpp:638
SVF::SaberCondAllocator::CondPosMap
Map< u32_t, Condition > CondPosMap
id to instruction map for z3
Definition SaberCondAllocator.h:52
SVF::SaberCondAllocator::isEquivalentBranchCond
bool isEquivalentBranchCond(const Condition &lhs, const Condition &rhs) const
Whether lhs and rhs are equivalent branch conditions.
Definition SaberCondAllocator.cpp:615
SVF::SaberCondAllocator::isEQCmp
bool isEQCmp(const CmpStmt *cmp) const
Evaluate test null/not null like expressions.
Definition SaberCondAllocator.cpp:343
SVF::SaberCondAllocator::isNECmp
bool isNECmp(const CmpStmt *cmp) const
Return true if the predicate of this compare instruction is not equal.
Definition SaberCondAllocator.cpp:348
SVF::SaberCondAllocator::evaluateBranchCond
Condition evaluateBranchCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ)
Evaluate branch conditions.
Definition SaberCondAllocator.cpp:302
SVF::SaberCondAllocator::evaluateLoopExitBranch
Condition evaluateLoopExitBranch(const SVFBasicBlock *bb, const SVFBasicBlock *succ)
Evaluate loop exit branch.
Definition SaberCondAllocator.cpp:266
SVF::SaberCondAllocator::getTrueCond
Condition getTrueCond() const
Definition SaberCondAllocator.h:98
SVF::SaberCondAllocator::CFWorkList
FIFOWorkList< const SVFBasicBlock * > CFWorkList
worklist for control-flow guard computation
Definition SaberCondAllocator.h:57
SVF::SaberCondAllocator::FunToExitBBsMap
Map< const FunObjVar *, BasicBlockSet > FunToExitBBsMap
map a function to all its basic blocks calling program exit
Definition SaberCondAllocator.h:55
SVF::SaberCondAllocator::isTestNotNullExpr
bool isTestNotNullExpr(const ICFGNode *test) const
Return true if this is a test not null expression.
Definition SaberCondAllocator.cpp:366
SVF::SaberCondAllocator::getMemUsage
std::string getMemUsage()
Statistics.
Definition SaberCondAllocator.h:70
SVF::SaberCondAllocator::getCFCond
Condition getCFCond(const SVFBasicBlock *bb) const
Definition SaberCondAllocator.h:224
SVF::SaberCondAllocator::getCondInst
const ICFGNode * getCondInst(u32_t id) const
Get/Set instruction based on Z3 expression id.
Definition SaberCondAllocator.h:127
SVF::SaberCondAllocator::funToExitBBsMap
FunToExitBBsMap funToExitBBsMap
map a function to all its basic blocks calling program exit
Definition SaberCondAllocator.h:301
SVF::SaberCondAllocator::isNegCond
bool isNegCond(u32_t id) const
Definition SaberCondAllocator.h:141
SVF::SaberCondAllocator::getRemovedSUVFEdges
SVFGNodeToSVFGNodeSetMap & getRemovedSUVFEdges()
Definition SaberCondAllocator.h:243
SVF::SaberCondAllocator::BBToCondMap
Map< const SVFBasicBlock *, Condition > BBToCondMap
map a basic block to its condition during control-flow guard computation
Definition SaberCondAllocator.h:56
SVF::SaberCondAllocator::setCurEvalSVFGNode
void setCurEvalSVFGNode(const SVFGNode *node)
Set current value for branch condition evaluation.
Definition SaberCondAllocator.h:181
SVF::SaberCondAllocator::getEvalBrCond
Condition getEvalBrCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ)
Get a condition, evaluate the value for conditions if necessary (e.g., testNull like express)
Definition SaberCondAllocator.cpp:157
SVF::SaberCondAllocator::ComputeInterCallVFGGuard
virtual Condition ComputeInterCallVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst, const SVFBasicBlock *callBB)
Definition SaberCondAllocator.cpp:490
SVF::SaberCondAllocator::idToTermInstMap
IndexToTermInstMap idToTermInstMap
Definition SaberCondAllocator.h:304
SVF::SaberCondAllocator::setNegCondInst
void setNegCondInst(const Condition &condition, const ICFGNode *inst)
mark neg Z3 expression
Definition SaberCondAllocator.h:237
SVF::SaberCondAllocator::dominate
bool dominate(const SVFBasicBlock *bbKey, const SVFBasicBlock *bbValue) const
Definition SaberCondAllocator.h:156
SVF::SaberCondAllocator::setCondInst
void setCondInst(const Condition &condition, const ICFGNode *inst)
Definition SaberCondAllocator.h:134
SVF::SaberCondAllocator::ComputeIntraVFGGuard
virtual Condition ComputeIntraVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst)
Guard Computation for a value-flow (between two basic blocks)
Definition SaberCondAllocator.cpp:521
SVF::SaberCondAllocator::conditionVec
std::vector< Condition > conditionVec
bit vector for distinguish neg
Definition SaberCondAllocator.h:306
SVF::SparseBitVector::test
bool test(unsigned Idx) const
Definition SparseBitVector.h:750
SVF::SparseBitVector::set
void set(unsigned Idx)
Definition SparseBitVector.h:789
SVF::Z3Expr::AND
static Z3Expr AND(const Z3Expr &lhs, const Z3Expr &rhs)
compute AND, used for branch condition
Definition Z3Expr.cpp:92
SVF::Z3Expr::dumpStr
static std::string dumpStr(const Z3Expr &z3Expr)
output Z3 expression as a string
Definition Z3Expr.cpp:168
SVF::Z3Expr::NEG
static Z3Expr NEG(const Z3Expr &z3Expr)
compute NEG
Definition Z3Expr.h:301
SVF::Z3Expr::getTrueCond
static Z3Expr getTrueCond()
Return the unique true condition.
Definition Z3Expr.h:288
SVF::Z3Expr::OR
static Z3Expr OR(const Z3Expr &lhs, const Z3Expr &rhs)
compute OR, used for branch condition
Definition Z3Expr.cpp:130
SVF::Z3Expr::id
u32_t id() const
get id
Definition Z3Expr.h:111
SVF::Z3Expr::getFalseCond
static Z3Expr getFalseCond()
Return the unique false condition.
Definition Z3Expr.h:295
SVF::SVFUtil::getMemoryUsageKB
bool getMemoryUsageKB(u32_t *vmrss_kb, u32_t *vmsize_kb)
Get memory usage from system file. Return TRUE if succeed.
Definition SVFUtil.cpp:179
SVF
for isBitcode
Definition BasicTypes.h:68
SVF::IRBuilder
llvm::IRBuilder IRBuilder
Definition BasicTypes.h:74
SVF::u32_t
unsigned u32_t
Definition GeneralType.h:47
Generated by doxygen 1.9.8