Static Value-Flow Analysis
Public Types | Public Member Functions | Protected Attributes | Private Member Functions | Private Attributes | Static Private Attributes | List of all members
SVF::SaberCondAllocator Class Reference

#include <SaberCondAllocator.h>

Public Types

typedef Z3Expr Condition
 
typedef Map< u32_t, const ICFGNode * > IndexToTermInstMap
 z3 condition More...
 
typedef Map< u32_t, ConditionCondPosMap
 id to instruction map for z3 More...
 
typedef Map< const SVFBasicBlock *, CondPosMapBBCondMap
 
typedef Set< const SVFBasicBlock * > BasicBlockSet
 map bb to a Condition More...
 
typedef Map< const SVFFunction *, BasicBlockSetFunToExitBBsMap
 map a function to all its basic blocks calling program exit More...
 
typedef Map< const SVFBasicBlock *, ConditionBBToCondMap
 map a basic block to its condition during control-flow guard computation More...
 
typedef FIFOWorkList< const SVFBasicBlock * > CFWorkList
 worklist for control-flow guard computation More...
 
typedef Map< const SVFGNode *, Set< const SVFGNode * > > SVFGNodeToSVFGNodeSetMap
 

Public Member Functions

 SaberCondAllocator ()
 Constructor. More...
 
virtual ~SaberCondAllocator ()
 Destructor. More...
 
std::string getMemUsage ()
 Statistics. More...
 
u32_t getCondNum ()
 
Condition condAnd (const Condition &lhs, const Condition &rhs)
 Condition operations. More...
 
Condition condOr (const Condition &lhs, const Condition &rhs)
 
Condition condNeg (const Condition &cond)
 
Condition getTrueCond () const
 
Condition getFalseCond () const
 
NodeBS exactCondElem (const Condition &cond)
 Iterator every element of the condition. More...
 
std::string dumpCond (const Condition &cond) const
 
Condition newCond (const ICFGNode *inst)
 Allocate a new condition. More...
 
void allocate (const SVFModule *module)
 Perform path allocation. More...
 
const ICFGNodegetCondInst (u32_t id) const
 Get/Set instruction based on Z3 expression id. More...
 
void setCondInst (const Condition &condition, const ICFGNode *inst)
 
bool isNegCond (u32_t id) const
 
bool postDominate (const SVFBasicBlock *bbKey, const SVFBasicBlock *bbValue) const
 
bool dominate (const SVFBasicBlock *bbKey, const SVFBasicBlock *bbValue) const
 
virtual Condition ComputeIntraVFGGuard (const SVFBasicBlock *src, const SVFBasicBlock *dst)
 Guard Computation for a value-flow (between two basic blocks) More...
 
virtual Condition ComputeInterCallVFGGuard (const SVFBasicBlock *src, const SVFBasicBlock *dst, const SVFBasicBlock *callBB)
 
virtual Condition ComputeInterRetVFGGuard (const SVFBasicBlock *src, const SVFBasicBlock *dst, const SVFBasicBlock *retBB)
 
virtual Condition getPHIComplementCond (const SVFBasicBlock *BB1, const SVFBasicBlock *BB2, const SVFBasicBlock *BB0)
 
void clearCFCond ()
 
void setCurEvalSVFGNode (const SVFGNode *node)
 Set current value for branch condition evaluation. More...
 
const SVFGNodegetCurEvalSVFGNode () const
 Get current value for branch condition evaluation. More...
 
void printPathCond ()
 Print out the path condition information. More...
 
bool isSatisfiable (const Condition &condition)
 whether condition is satisfiable More...
 
bool isAllPathReachable (Condition &condition)
 whether condition is satisfiable for all possible boolean guards More...
 
bool isEquivalentBranchCond (const Condition &lhs, const Condition &rhs) const
 Whether lhs and rhs are equivalent branch conditions. More...
 
ICFGgetICFG () const
 
bool setCFCond (const SVFBasicBlock *bb, const Condition &cond)
 Get/Set control-flow conditions. More...
 
Condition getCFCond (const SVFBasicBlock *bb) const
 
void setNegCondInst (const Condition &condition, const ICFGNode *inst)
 mark neg Z3 expression More...
 
SVFGNodeToSVFGNodeSetMapgetRemovedSUVFEdges ()
 

Protected Attributes

BBCondMap bbConds
 map basic block to its successors/predecessors branch conditions More...
 

Private Member Functions

virtual void allocateForBB (const SVFBasicBlock &bb)
 Allocate path condition for every basic block. More...
 
void setBranchCond (const SVFBasicBlock *bb, const SVFBasicBlock *succ, const Condition &cond)
 Get/Set a branch condition, and its terminator instruction. More...
 
Condition getBranchCond (const SVFBasicBlock *bb, const SVFBasicBlock *succ) const
 Get branch condition. More...
 
Condition getEvalBrCond (const SVFBasicBlock *bb, const SVFBasicBlock *succ)
 Get a condition, evaluate the value for conditions if necessary (e.g., testNull like express) More...
 
Condition evaluateBranchCond (const SVFBasicBlock *bb, const SVFBasicBlock *succ)
 Evaluate branch conditions. More...
 
Condition evaluateLoopExitBranch (const SVFBasicBlock *bb, const SVFBasicBlock *succ)
 Evaluate loop exit branch. More...
 
Condition evaluateTestNullLikeExpr (const BranchStmt *branchStmt, const SVFBasicBlock *succ)
 Return branch condition after evaluating test null like expression. More...
 
Condition evaluateProgExit (const BranchStmt *branchStmt, const SVFBasicBlock *succ)
 Return condition when there is a branch calls program exit. More...
 
void collectBBCallingProgExit (const SVFBasicBlock &bb)
 Collect basic block contains program exit function call. More...
 
bool isBBCallsProgExit (const SVFBasicBlock *bb)
 
bool isEQCmp (const CmpStmt *cmp) const
 Evaluate test null/not null like expressions. More...
 
bool isNECmp (const CmpStmt *cmp) const
 Return true if the predicate of this compare instruction is not equal. More...
 
bool isTestNullExpr (const ICFGNode *test) const
 Return true if this is a test null expression. More...
 
bool isTestNotNullExpr (const ICFGNode *test) const
 Return true if this is a test not null expression. More...
 
bool isTestContainsNullAndTheValue (const CmpStmt *cmp) const
 Return true if two values on the predicate are what we want. More...
 
void destroy ()
 Release memory. More...
 
void extractSubConds (const Condition &condition, NodeBS &support) const
 extract subexpression from a Z3 expression More...
 

Private Attributes

FunToExitBBsMap funToExitBBsMap
 map a function to all its basic blocks calling program exit More...
 
BBToCondMap bbToCondMap
 map a basic block to its path condition starting from root More...
 
const SVFGNodecurEvalSVFGNode {}
 current llvm value to evaluate branch condition when computing guards More...
 
IndexToTermInstMap idToTermInstMap
 
NodeBS negConds
 key: z3 expression id, value: instruction More...
 
std::vector< ConditionconditionVec
 bit vector for distinguish neg More...
 
SVFGNodeToSVFGNodeSetMap removedSUVFEdges
 a counter for fresh condition More...
 

Static Private Attributes

static u32_t totalCondNum = 0
 vector storing z3expression More...
 

Detailed Description

SaberCondAllocator allocates conditions for each basic block of a certain CFG.

Definition at line 46 of file SaberCondAllocator.h.

Member Typedef Documentation

◆ BasicBlockSet

typedef Set<const SVFBasicBlock*> SVF::SaberCondAllocator::BasicBlockSet

map bb to a Condition

Definition at line 55 of file SaberCondAllocator.h.

◆ BBCondMap

typedef Map<const SVFBasicBlock*, CondPosMap > SVF::SaberCondAllocator::BBCondMap

Definition at line 54 of file SaberCondAllocator.h.

◆ BBToCondMap

typedef Map<const SVFBasicBlock*, Condition> SVF::SaberCondAllocator::BBToCondMap

map a basic block to its condition during control-flow guard computation

Definition at line 57 of file SaberCondAllocator.h.

◆ CFWorkList

typedef FIFOWorkList<const SVFBasicBlock*> SVF::SaberCondAllocator::CFWorkList

worklist for control-flow guard computation

Definition at line 58 of file SaberCondAllocator.h.

◆ Condition

typedef Z3Expr SVF::SaberCondAllocator::Condition

Definition at line 51 of file SaberCondAllocator.h.

◆ CondPosMap

typedef Map<u32_t,Condition> SVF::SaberCondAllocator::CondPosMap

id to instruction map for z3

map a branch to its Condition

Definition at line 53 of file SaberCondAllocator.h.

◆ FunToExitBBsMap

typedef Map<const SVFFunction*, BasicBlockSet> SVF::SaberCondAllocator::FunToExitBBsMap

map a function to all its basic blocks calling program exit

Definition at line 56 of file SaberCondAllocator.h.

◆ IndexToTermInstMap

typedef Map<u32_t, const ICFGNode*> SVF::SaberCondAllocator::IndexToTermInstMap

z3 condition

Definition at line 52 of file SaberCondAllocator.h.

◆ SVFGNodeToSVFGNodeSetMap

typedef Map<const SVFGNode*, Set<const SVFGNode*> > SVF::SaberCondAllocator::SVFGNodeToSVFGNodeSetMap

Definition at line 59 of file SaberCondAllocator.h.

Constructor & Destructor Documentation

◆ SaberCondAllocator()

SaberCondAllocator::SaberCondAllocator ( )

Constructor.

Definition at line 50 of file SaberCondAllocator.cpp.

51 {
52 
53 }

◆ ~SaberCondAllocator()

virtual SVF::SaberCondAllocator::~SaberCondAllocator ( )
inlinevirtual

Destructor.

Definition at line 66 of file SaberCondAllocator.h.

67  {
68  }

Member Function Documentation

◆ allocate()

void SaberCondAllocator::allocate ( const SVFModule M)

Perform path allocation.

Allocate path condition for each branch

Definition at line 58 of file SaberCondAllocator.cpp.

59 {
60  DBOUT(DGENERAL, outs() << pasMsg("path condition allocation starts\n"));
61 
62  PTACallGraph* svfirCallGraph = PAG::getPAG()->getCallGraph();
63  for (const auto& item: *svfirCallGraph)
64  {
65  const SVFFunction *func = (item.second)->getFunction();
66  if (!SVFUtil::isExtCall(func))
67  {
68  // Allocate conditions for a program.
69  for (SVFFunction::const_iterator bit = func->begin(), ebit = func->end();
70  bit != ebit; ++bit)
71  {
72  const SVFBasicBlock* bb = *bit;
73  collectBBCallingProgExit(*bb);
74  allocateForBB(*bb);
75  }
76  }
77  }
78 
79  if (Options::PrintPathCond())
80  printPathCond();
81 
82  DBOUT(DGENERAL, outs() << pasMsg("path condition allocation ends\n"));
83 }
DBOUT
#define DBOUT(TYPE, X)
LLVM debug macros, define type of your DBUG model of each pass.
Definition: SVFType.h:484
DGENERAL
#define DGENERAL
Definition: SVFType.h:490
item
cJSON * item
Definition: cJSON.h:222
SVF::Options::PrintPathCond
static const Option< bool > PrintPathCond
Definition: Options.h:199
SVF::SVFFunction::end
const_iterator end() const
Definition: SVFValue.h:440
SVF::SVFFunction::begin
const_iterator begin() const
Definition: SVFValue.h:435
SVF::SVFFunction::const_iterator
std::vector< const SVFBasicBlock * >::const_iterator const_iterator
Definition: SVFValue.h:305
SVF::SVFIR::getCallGraph
PTACallGraph * getCallGraph()
Definition: SVFIR.h:192
SVF::SVFIR::getPAG
static SVFIR * getPAG(bool buildFromFile=false)
Singleton design here to make sure we only have one instance during any analysis.
Definition: SVFIR.h:115
SVF::SaberCondAllocator::allocateForBB
virtual void allocateForBB(const SVFBasicBlock &bb)
Allocate path condition for every basic block.
Definition: SaberCondAllocator.cpp:88
SVF::SaberCondAllocator::printPathCond
void printPathCond()
Print out the path condition information.
Definition: SaberCondAllocator.cpp:568
SVF::SaberCondAllocator::collectBBCallingProgExit
void collectBBCallingProgExit(const SVFBasicBlock &bb)
Collect basic block contains program exit function call.
Definition: SaberCondAllocator.cpp:424
SVF::LLVMUtil::getFunction
const SVFFunction * getFunction(const std::string &name)
Get the corresponding Function based on its name.
Definition: LLVMUtil.cpp:412
SVF::SVFUtil::isExtCall
bool isExtCall(const SVFFunction *fun)
Definition: SVFUtil.h:278
SVF::SVFUtil::pasMsg
std::string pasMsg(const std::string &msg)
Print each pass/phase message by converting a string into blue string output.
Definition: SVFUtil.cpp:99
SVF::SVFUtil::outs
std::ostream & outs()
Overwrite llvm::outs()
Definition: SVFUtil.h:50

◆ allocateForBB()

void SaberCondAllocator::allocateForBB ( const SVFBasicBlock bb)
privatevirtual

Allocate path condition for every basic block.

Allocate conditions for a basic block and propagate its condition to its successors.

TODO: handle BranchInst and SwitchInst individually here!!

Definition at line 88 of file SaberCondAllocator.cpp.

89 {
90 
91  u32_t succ_number = bb.getNumSuccessors();
92 
93  // if successor number greater than 1, allocate new decision variable for successors
94  if (succ_number > 1)
95  {
96 
97  //allocate log2(num_succ) decision variables
98  double num = log(succ_number) / log(2);
99  u32_t bit_num = (u32_t) ceil(num);
100  u32_t succ_index = 0;
101  std::vector<Condition> condVec;
102  for (u32_t i = 0; i < bit_num; i++)
103  {
104  const IntraICFGNode* svfInst = cast<IntraICFGNode>(bb.back());
105  condVec.push_back(newCond(svfInst));
106  }
107 
108  // iterate each successor
109  for (const SVFBasicBlock* svf_succ_bb : bb.getSuccessors())
110  {
111  Condition path_cond = getTrueCond();
112 
114 
115  // for each successor decide its bit representation
116  // decide whether each bit of succ_index is 1 or 0, if (three successor) succ_index is 000 then use C1^C2^C3
117  // if 001 use C1^C2^negC3
118  for (u32_t j = 0; j < bit_num; j++)
119  {
120  //test each bit of this successor's index (binary representation)
121  u32_t tool = 0x01 << j;
122  if (tool & succ_index)
123  {
124  path_cond = condAnd(path_cond, (condNeg(condVec.at(j))));
125  }
126  else
127  {
128  path_cond = condAnd(path_cond, condVec.at(j));
129  }
130  }
131  setBranchCond(&bb, svf_succ_bb, path_cond);
132 
133  succ_index++;
134  }
135 
136  }
137 }
u32_t
unsigned u32_t
Definition: CommandLine.h:18
SVF::SVFBasicBlock::getSuccessors
const std::vector< const SVFBasicBlock * > & getSuccessors() const
Definition: SVFValue.h:606
SVF::SVFBasicBlock::back
const ICFGNode * back() const
Definition: SVFValue.h:600
SVF::SVFBasicBlock::getNumSuccessors
u32_t getNumSuccessors() const
Definition: SVFValue.h:615
SVF::SaberCondAllocator::newCond
Condition newCond(const ICFGNode *inst)
Allocate a new condition.
Definition: SaberCondAllocator.cpp:595
SVF::SaberCondAllocator::setBranchCond
void setBranchCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ, const Condition &cond)
Get/Set a branch condition, and its terminator instruction.
Definition: SaberCondAllocator.cpp:168
SVF::SaberCondAllocator::condNeg
Condition condNeg(const Condition &cond)
Definition: SaberCondAllocator.h:95
SVF::SaberCondAllocator::condAnd
Condition condAnd(const Condition &lhs, const Condition &rhs)
Condition operations.
Definition: SaberCondAllocator.h:87
SVF::SaberCondAllocator::getTrueCond
Condition getTrueCond() const
Definition: SaberCondAllocator.h:99
SVF::u32_t
unsigned u32_t
Definition: GeneralType.h:46

◆ clearCFCond()

void SVF::SaberCondAllocator::clearCFCond ( )
inline

Definition at line 177 of file SaberCondAllocator.h.

178  {
179  bbToCondMap.clear();
180  }
SVF::SaberCondAllocator::bbToCondMap
BBToCondMap bbToCondMap
map a basic block to its path condition starting from root
Definition: SaberCondAllocator.h:303

◆ collectBBCallingProgExit()

void SaberCondAllocator::collectBBCallingProgExit ( const SVFBasicBlock bb)
private

Collect basic block contains program exit function call.

Whether this basic block contains program exit function call

Definition at line 424 of file SaberCondAllocator.cpp.

425 {
426 
427  for (const auto& icfgNode: bb.getICFGNodeList())
428  {
429  if (const CallICFGNode* cs = SVFUtil::dyn_cast<CallICFGNode>(icfgNode))
430  if (SVFUtil::isProgExitCall(cs))
431  {
432  const SVFFunction* svfun = bb.getParent();
433  funToExitBBsMap[svfun].insert(&bb);
434  }
435  }
436 }
SVF::SVFBasicBlock::getICFGNodeList
const std::vector< const ICFGNode * > & getICFGNodeList() const
Definition: SVFValue.h:569
SVF::SVFBasicBlock::getParent
const SVFFunction * getParent() const
Definition: SVFValue.h:584
SVF::SaberCondAllocator::funToExitBBsMap
FunToExitBBsMap funToExitBBsMap
map a function to all its basic blocks calling program exit
Definition: SaberCondAllocator.h:302
SVF::SVFUtil::isProgExitCall
bool isProgExitCall(const CallICFGNode *cs)
Definition: SVFUtil.cpp:396

◆ ComputeInterCallVFGGuard()

SaberCondAllocator::Condition SaberCondAllocator::ComputeInterCallVFGGuard ( const SVFBasicBlock srcBB,
const SVFBasicBlock dstBB,
const SVFBasicBlock callBB 
)
virtual

Compute calling inter-procedural guards between two SVFGNodes (from caller to callee) src –c1--> callBB –true--> funEntryBB –c2--> dst the InterCallVFGGuard is c1 ^ c2

Definition at line 483 of file SaberCondAllocator.cpp.

485 {
486  const SVFBasicBlock* funEntryBB = dstBB->getParent()->getEntryBlock();
487 
488  Condition c1 = ComputeIntraVFGGuard(srcBB, callBB);
489  setCFCond(funEntryBB, condOr(getCFCond(funEntryBB), getCFCond(callBB)));
490  Condition c2 = ComputeIntraVFGGuard(funEntryBB, dstBB);
491  return condAnd(c1, c2);
492 }
SVF::SVFFunction::getEntryBlock
const SVFBasicBlock * getEntryBlock() const
Definition: SVFValue.h:409
SVF::SaberCondAllocator::condOr
Condition condOr(const Condition &lhs, const Condition &rhs)
Definition: SaberCondAllocator.h:91
SVF::SaberCondAllocator::setCFCond
bool setCFCond(const SVFBasicBlock *bb, const Condition &cond)
Get/Set control-flow conditions.
Definition: SaberCondAllocator.h:215
SVF::SaberCondAllocator::getCFCond
Condition getCFCond(const SVFBasicBlock *bb) const
Definition: SaberCondAllocator.h:225
SVF::SaberCondAllocator::ComputeIntraVFGGuard
virtual Condition ComputeIntraVFGGuard(const SVFBasicBlock *src, const SVFBasicBlock *dst)
Guard Computation for a value-flow (between two basic blocks)
Definition: SaberCondAllocator.cpp:514

◆ ComputeInterRetVFGGuard()

SaberCondAllocator::Condition SaberCondAllocator::ComputeInterRetVFGGuard ( const SVFBasicBlock srcBB,
const SVFBasicBlock dstBB,
const SVFBasicBlock retBB 
)
virtual

Compute return inter-procedural guards between two SVFGNodes (from callee to caller) src –c1--> funExitBB –true--> retBB –c2--> dst the InterRetVFGGuard is c1 ^ c2

Definition at line 500 of file SaberCondAllocator.cpp.

501 {
502  const SVFFunction* parent = srcBB->getParent();
503  const SVFBasicBlock* funExitBB = parent->getExitBB();
504 
505  Condition c1 = ComputeIntraVFGGuard(srcBB, funExitBB);
506  setCFCond(retBB, condOr(getCFCond(retBB), getCFCond(funExitBB)));
507  Condition c2 = ComputeIntraVFGGuard(retBB, dstBB);
508  return condAnd(c1, c2);
509 }
SVF::SVFFunction::getExitBB
const SVFBasicBlock * getExitBB() const
Definition: SVFValue.cpp:186

◆ ComputeIntraVFGGuard()

SaberCondAllocator::Condition SaberCondAllocator::ComputeIntraVFGGuard ( const SVFBasicBlock srcBB,
const SVFBasicBlock dstBB 
)
virtual

Guard Computation for a value-flow (between two basic blocks)

Compute intra-procedural guards between two SVFGNodes (inside same function)

if the dstBB is the eligible loop exit of the current basic block we can early terminate the computation

calculate the branch condition if succ post dominate bb, then we get brCond quicker by using postDT note that we assume loop exit always post dominate loop bodys which means loops are approximated only once.

Definition at line 514 of file SaberCondAllocator.cpp.

515 {
516 
517  assert(srcBB->getParent() == dstBB->getParent() && "two basic blocks are not in the same function??");
518 
519  if (postDominate(dstBB, srcBB))
520  return getTrueCond();
521 
522  CFWorkList worklist;
523  worklist.push(srcBB);
524  setCFCond(srcBB, getTrueCond());
525 
526  while (!worklist.empty())
527  {
528  const SVFBasicBlock* bb = worklist.pop();
529  Condition cond = getCFCond(bb);
530 
533  Condition loopExitCond = evaluateLoopExitBranch(bb, dstBB);
534  if (!eq(loopExitCond, Condition::nullExpr()))
535  return condAnd(cond, loopExitCond);
536 
537  for (const SVFBasicBlock* succ : bb->getSuccessors())
538  {
543  Condition brCond;
544  if (postDominate(succ, bb))
545  brCond = getTrueCond();
546  else
547  brCond = getEvalBrCond(bb, succ);
548 
549  DBOUT(DSaber, outs() << " bb (" << bb->getName() <<
550  ") --> " << "succ_bb (" << succ->getName() << ") condition: " << brCond << "\n");
551  Condition succPathCond = condAnd(cond, brCond);
552  if (setCFCond(succ, condOr(getCFCond(succ), succPathCond)))
553  worklist.push(succ);
554  }
555  }
556 
557  DBOUT(DSaber, outs() << " src_bb (" << srcBB->getName() <<
558  ") --> " << "dst_bb (" << dstBB->getName() << ") condition: " << getCFCond(dstBB)
559  << "\n");
560 
561  return getCFCond(dstBB);
562 }
DSaber
#define DSaber
Definition: SVFType.h:504
SVF::SVFValue::getName
const std::string & getName() const
Definition: SVFValue.h:243
SVF::SaberCondAllocator::postDominate
bool postDominate(const SVFBasicBlock *bbKey, const SVFBasicBlock *bbValue) const
Definition: SaberCondAllocator.h:147
SVF::SaberCondAllocator::evaluateLoopExitBranch
Condition evaluateLoopExitBranch(const SVFBasicBlock *bb, const SVFBasicBlock *succ)
Evaluate loop exit branch.
Definition: SaberCondAllocator.cpp:260
SVF::SaberCondAllocator::CFWorkList
FIFOWorkList< const SVFBasicBlock * > CFWorkList
worklist for control-flow guard computation
Definition: SaberCondAllocator.h:58
SVF::SaberCondAllocator::getEvalBrCond
Condition getEvalBrCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ)
Get a condition, evaluate the value for conditions if necessary (e.g., testNull like express)
Definition: SaberCondAllocator.cpp:157
SVF::Z3Expr::nullExpr
static z3::expr nullExpr()
null expression
Definition: Z3Expr.h:105

◆ condAnd()

Condition SVF::SaberCondAllocator::condAnd ( const Condition lhs,
const Condition rhs 
)
inline

Condition operations.

Definition at line 87 of file SaberCondAllocator.h.

88  {
89  return Condition::AND(lhs,rhs);
90  }
SVF::Z3Expr::AND
static Z3Expr AND(const Z3Expr &lhs, const Z3Expr &rhs)
compute AND, used for branch condition
Definition: Z3Expr.cpp:92

◆ condNeg()

Condition SVF::SaberCondAllocator::condNeg ( const Condition cond)
inline

Definition at line 95 of file SaberCondAllocator.h.

96  {
97  return Condition::NEG(cond);
98  }
SVF::Z3Expr::NEG
static Z3Expr NEG(const Z3Expr &z3Expr)
compute NEG
Definition: Z3Expr.h:301

◆ condOr()

Condition SVF::SaberCondAllocator::condOr ( const Condition lhs,
const Condition rhs 
)
inline

Definition at line 91 of file SaberCondAllocator.h.

92  {
93  return Condition::OR(lhs,rhs);
94  }
SVF::Z3Expr::OR
static Z3Expr OR(const Z3Expr &lhs, const Z3Expr &rhs)
compute OR, used for branch condition
Definition: Z3Expr.cpp:130

◆ destroy()

void SVF::SaberCondAllocator::destroy ( )
inlineprivate

Release memory.

Definition at line 293 of file SaberCondAllocator.h.

294  {
295 
296  }

◆ dominate()

bool SVF::SaberCondAllocator::dominate ( const SVFBasicBlock bbKey,
const SVFBasicBlock bbValue 
) const
inline

Definition at line 157 of file SaberCondAllocator.h.

158  {
159  const SVFFunction* keyFunc = bbKey->getParent();
160  const SVFFunction* valueFunc = bbValue->getParent();
161  bool funcEq = (keyFunc == valueFunc);
162  (void)funcEq; // Suppress warning of unused variable under release build
163  assert(funcEq && "two basicblocks should be in the same function!");
164  return keyFunc->dominate(bbKey,bbValue);
165  }

◆ dumpCond()

std::string SVF::SaberCondAllocator::dumpCond ( const Condition cond) const
inline

Definition at line 115 of file SaberCondAllocator.h.

116  {
117  return Condition::dumpStr(cond);
118  }
SVF::Z3Expr::dumpStr
static std::string dumpStr(const Z3Expr &z3Expr)
output Z3 expression as a string
Definition: Z3Expr.cpp:168

◆ evaluateBranchCond()

SaberCondAllocator::Condition SaberCondAllocator::evaluateBranchCond ( const SVFBasicBlock bb,
const SVFBasicBlock succ 
)
private

Evaluate branch conditions.

Evaluate the branch condition

(1) Evaluate a branch when it reaches a program exit (2) Evaluate a branch when it is loop exit branch (3) Evaluate a branch when it is a test null like condition

Definition at line 296 of file SaberCondAllocator.cpp.

297 {
298  if(bb->getNumSuccessors() == 1)
299  {
300  return getTrueCond();
301  }
302 
303  assert(!bb->getICFGNodeList().empty() && "bb not empty");
304  if (const ICFGNode* icfgNode = bb->back())
305  {
306  for (const auto &svfStmt: icfgNode->getSVFStmts())
307  {
308  if (const BranchStmt *branchStmt = SVFUtil::dyn_cast<BranchStmt>(svfStmt))
309  {
310  if (branchStmt->getNumSuccessors() == 2)
311  {
312  const SVFBasicBlock* succ1 = branchStmt->getSuccessor(0)->getBB();
313  const SVFBasicBlock* succ2 = branchStmt->getSuccessor(1)->getBB();
314  bool is_succ = (succ1 == succ || succ2 == succ);
315  (void)is_succ; // Suppress warning of unused variable under release build
316  assert(is_succ && "not a successor??");
317  Condition evalLoopExit = evaluateLoopExitBranch(bb, succ);
318  if (!eq(evalLoopExit, Condition::nullExpr()))
319  return evalLoopExit;
320 
321  Condition evalProgExit = evaluateProgExit(branchStmt, succ);
322  if (!eq(evalProgExit, Condition::nullExpr()))
323  return evalProgExit;
324 
325  Condition evalTestNullLike = evaluateTestNullLikeExpr(branchStmt, succ);
326  if (!eq(evalTestNullLike, Condition::nullExpr()))
327  return evalTestNullLike;
328  break;
329  }
330  }
331  }
332  }
333 
334  return getBranchCond(bb, succ);
335 }
SVF::SaberCondAllocator::evaluateTestNullLikeExpr
Condition evaluateTestNullLikeExpr(const BranchStmt *branchStmt, const SVFBasicBlock *succ)
Return branch condition after evaluating test null like expression.
Definition: SaberCondAllocator.cpp:186
SVF::SaberCondAllocator::evaluateProgExit
Condition evaluateProgExit(const BranchStmt *branchStmt, const SVFBasicBlock *succ)
Return condition when there is a branch calls program exit.
Definition: SaberCondAllocator.cpp:216
SVF::SaberCondAllocator::getBranchCond
Condition getBranchCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ) const
Get branch condition.
Definition: SaberCondAllocator.cpp:142

◆ evaluateLoopExitBranch()

SaberCondAllocator::Condition SaberCondAllocator::evaluateLoopExitBranch ( const SVFBasicBlock bb,
const SVFBasicBlock dst 
)
private

Evaluate loop exit branch.

Evaluate loop exit branch to be true if bb is loop header and succ is the only exit basic block outside the loop (excluding exit bbs which call program exit) for all other case, we conservatively evaluate false for now

exclude exit bb which calls program exit

if the dst dominate all other loop exit bbs, then dst can certainly be reached

Definition at line 260 of file SaberCondAllocator.cpp.

261 {
262  const SVFFunction* svffun = bb->getParent();
263  assert(svffun == dst->getParent() && "two basic blocks should be in the same function");
264 
265  if (svffun->isLoopHeader(bb))
266  {
267  Set<const SVFBasicBlock* > filteredbbs;
268  std::vector<const SVFBasicBlock*> exitbbs;
269  svffun->getExitBlocksOfLoop(bb,exitbbs);
271  for(const SVFBasicBlock* eb : exitbbs)
272  {
273  if(!isBBCallsProgExit(eb))
274  filteredbbs.insert(eb);
275  }
276 
278  bool allPDT = true;
279  for (const auto &filteredbb: filteredbbs)
280  {
281  if (!postDominate(dst, filteredbb))
282  allPDT = false;
283  }
284 
285  if (allPDT)
286  return getTrueCond();
287  }
288  return Condition::nullExpr();
289 }
SVF::SVFFunction::getExitBlocksOfLoop
void getExitBlocksOfLoop(const SVFBasicBlock *bb, BBList &exitbbs) const
Definition: SVFValue.h:465
SVF::SVFFunction::isLoopHeader
bool isLoopHeader(const SVFBasicBlock *bb) const
Definition: SVFValue.h:500
SVF::SaberCondAllocator::isBBCallsProgExit
bool isBBCallsProgExit(const SVFBasicBlock *bb)
Definition: SaberCondAllocator.cpp:441
SVF::Set
std::unordered_set< Key, Hash, KeyEqual, Allocator > Set
Definition: GeneralType.h:96

◆ evaluateProgExit()

SaberCondAllocator::Condition SaberCondAllocator::evaluateProgExit ( const BranchStmt branchStmt,
const SVFBasicBlock succ 
)
private

Return condition when there is a branch calls program exit.

Evaluate condition for program exit (e.g., exit(0))

then branch calls program exit

else branch calls program exit

no branch call program exit

Definition at line 216 of file SaberCondAllocator.cpp.

217 {
218  const SVFBasicBlock* succ1 = branchStmt->getSuccessor(0)->getBB();
219  const SVFBasicBlock* succ2 = branchStmt->getSuccessor(1)->getBB();
220 
221  bool branch1 = isBBCallsProgExit(succ1);
222  bool branch2 = isBBCallsProgExit(succ2);
223 
225  if (branch1 && !branch2)
226  {
227  // succ is then branch
228  if (succ1 == succ)
229  return getFalseCond();
230  // succ is else branch
231  else
232  return getTrueCond();
233  }
235  else if (!branch1 && branch2)
236  {
237  // succ is else branch
238  if (succ2 == succ)
239  return getFalseCond();
240  // succ is then branch
241  else
242  return getTrueCond();
243  }
244  // two branches both call program exit
245  else if (branch1 && branch2)
246  {
247  return getFalseCond();
248  }
250  else
251  return Condition::nullExpr();
252 
253 }
SVF::BranchStmt::getSuccessor
const ICFGNode * getSuccessor(u32_t i) const
Definition: SVFStatements.h:1235
SVF::ICFGNode::getBB
virtual const SVFBasicBlock * getBB() const
Return the basic block of this ICFGNode.
Definition: ICFGNode.h:82
SVF::SaberCondAllocator::getFalseCond
Condition getFalseCond() const
Definition: SaberCondAllocator.h:103

◆ evaluateTestNullLikeExpr()

SaberCondAllocator::Condition SaberCondAllocator::evaluateTestNullLikeExpr ( const BranchStmt branchStmt,
const SVFBasicBlock succ 
)
private

Return branch condition after evaluating test null like expression.

Evaluate null like expression for source-sink related bug detection in SABER

Definition at line 186 of file SaberCondAllocator.cpp.

187 {
188 
189  const SVFBasicBlock* succ1 = branchStmt->getSuccessor(0)->getBB();
190 
191  const ValVar* condVar = SVFUtil::cast<ValVar>(branchStmt->getCondition());
192  if (isTestNullExpr(SVFUtil::cast<ICFGNode>(condVar->getGNode())))
193  {
194  // succ is then branch
195  if (succ1 == succ)
196  return getFalseCond();
197  // succ is else branch
198  else
199  return getTrueCond();
200  }
201  if (isTestNotNullExpr(SVFUtil::cast<ICFGNode>(condVar->getGNode())))
202  {
203  // succ is then branch
204  if (succ1 == succ)
205  return getTrueCond();
206  // succ is else branch
207  else
208  return getFalseCond();
209  }
210  return Condition::nullExpr();
211 }
SVF::BranchStmt::getCondition
const SVFVar * getCondition() const
Return the condition.
Definition: SVFStatements.cpp:322
SVF::SaberCondAllocator::isTestNullExpr
bool isTestNullExpr(const ICFGNode *test) const
Return true if this is a test null expression.
Definition: SaberCondAllocator.cpp:347
SVF::SaberCondAllocator::isTestNotNullExpr
bool isTestNotNullExpr(const ICFGNode *test) const
Return true if this is a test not null expression.
Definition: SaberCondAllocator.cpp:360
SVF::ValVar::getGNode
const SVFBaseNode * getGNode() const
Definition: SVFVariables.h:311

◆ exactCondElem()

NodeBS SVF::SaberCondAllocator::exactCondElem ( const Condition cond)
inline

Iterator every element of the condition.

Definition at line 108 of file SaberCondAllocator.h.

109  {
110  NodeBS elems;
111  extractSubConds(cond, elems);
112  return elems;
113  }
SVF::SaberCondAllocator::extractSubConds
void extractSubConds(const Condition &condition, NodeBS &support) const
extract subexpression from a Z3 expression
Definition: SaberCondAllocator.cpp:631
SVF::NodeBS
SparseBitVector NodeBS
Definition: GeneralType.h:62

◆ extractSubConds()

void SaberCondAllocator::extractSubConds ( const Condition condition,
NodeBS support 
) const
private

extract subexpression from a Z3 expression

Definition at line 631 of file SaberCondAllocator.cpp.

632 {
633  if (condition.getExpr().num_args() == 1 && isNegCond(condition.id()))
634  {
635  support.set(condition.getExpr().id());
636  return;
637  }
638  if (condition.getExpr().num_args() == 0)
639  if (!condition.getExpr().is_true() && !condition.getExpr().is_false())
640  support.set(condition.getExpr().id());
641  for (u32_t i = 0; i < condition.getExpr().num_args(); ++i)
642  {
643  Condition expr = condition.getExpr().arg(i);
644  extractSubConds(expr, support);
645  }
646 
647 }
SVF::SaberCondAllocator::isNegCond
bool isNegCond(u32_t id) const
Definition: SaberCondAllocator.h:142
SVF::SparseBitVector::set
void set(unsigned Idx)
Definition: SparseBitVector.h:789
SVF::Z3Expr::getExpr
const z3::expr & getExpr() const
Definition: Z3Expr.h:86

◆ getBranchCond()

SaberCondAllocator::Condition SaberCondAllocator::getBranchCond ( const SVFBasicBlock bb,
const SVFBasicBlock succ 
) const
private

Get branch condition.

Get a branch condition

Definition at line 142 of file SaberCondAllocator.cpp.

143 {
144  u32_t pos = bb->getBBSuccessorPos(succ);
145  if(bb->getNumSuccessors() == 1)
146  return getTrueCond();
147  else
148  {
149  BBCondMap::const_iterator it = bbConds.find(bb);
150  assert(it != bbConds.end() && "basic block does not have branch and conditions??");
151  CondPosMap::const_iterator cit = it->second.find(pos);
152  assert(cit != it->second.end() && "no condition on the branch??");
153  return cit->second;
154  }
155 }
SVF::SVFBasicBlock::getBBSuccessorPos
u32_t getBBSuccessorPos(const SVFBasicBlock *succbb)
Definition: SVFValue.cpp:212
SVF::SaberCondAllocator::bbConds
BBCondMap bbConds
map basic block to its successors/predecessors branch conditions
Definition: SaberCondAllocator.h:312

◆ getCFCond()

Condition SVF::SaberCondAllocator::getCFCond ( const SVFBasicBlock bb) const
inline

Definition at line 225 of file SaberCondAllocator.h.

226  {
227  BBToCondMap::const_iterator it = bbToCondMap.find(bb);
228  if(it==bbToCondMap.end())
229  {
230  return getFalseCond();
231  }
232  return it->second;
233  }

◆ getCondInst()

const ICFGNode* SVF::SaberCondAllocator::getCondInst ( u32_t  id) const
inline

Get/Set instruction based on Z3 expression id.

Definition at line 128 of file SaberCondAllocator.h.

129  {
130  IndexToTermInstMap::const_iterator it = idToTermInstMap.find(id);
131  assert(it != idToTermInstMap.end() && "this should be a fresh condition");
132  return it->second;
133  }
SVF::SaberCondAllocator::idToTermInstMap
IndexToTermInstMap idToTermInstMap
Definition: SaberCondAllocator.h:305

◆ getCondNum()

u32_t SVF::SaberCondAllocator::getCondNum ( )
inline

Definition at line 79 of file SaberCondAllocator.h.

80  {
81  return totalCondNum;
82  }
SVF::SaberCondAllocator::totalCondNum
static u32_t totalCondNum
vector storing z3expression
Definition: SaberCondAllocator.h:308

◆ getCurEvalSVFGNode()

const SVFGNode* SVF::SaberCondAllocator::getCurEvalSVFGNode ( ) const
inline

Get current value for branch condition evaluation.

Definition at line 187 of file SaberCondAllocator.h.

188  {
189  return curEvalSVFGNode;
190  }
SVF::SaberCondAllocator::curEvalSVFGNode
const SVFGNode * curEvalSVFGNode
current llvm value to evaluate branch condition when computing guards
Definition: SaberCondAllocator.h:304

◆ getEvalBrCond()

SaberCondAllocator::Condition SaberCondAllocator::getEvalBrCond ( const SVFBasicBlock bb,
const SVFBasicBlock succ 
)
private

Get a condition, evaluate the value for conditions if necessary (e.g., testNull like express)

Definition at line 157 of file SaberCondAllocator.cpp.

158 {
159  if (getCurEvalSVFGNode() && getCurEvalSVFGNode()->getValue())
160  return evaluateBranchCond(bb, succ);
161  else
162  return getBranchCond(bb, succ);
163 }
SVF::SaberCondAllocator::getCurEvalSVFGNode
const SVFGNode * getCurEvalSVFGNode() const
Get current value for branch condition evaluation.
Definition: SaberCondAllocator.h:187
SVF::SaberCondAllocator::evaluateBranchCond
Condition evaluateBranchCond(const SVFBasicBlock *bb, const SVFBasicBlock *succ)
Evaluate branch conditions.
Definition: SaberCondAllocator.cpp:296

◆ getFalseCond()

Condition SVF::SaberCondAllocator::getFalseCond ( ) const
inline

Definition at line 103 of file SaberCondAllocator.h.

104  {
105  return Condition::getFalseCond();
106  }
SVF::Z3Expr::getFalseCond
static Z3Expr getFalseCond()
Return the unique false condition.
Definition: Z3Expr.h:295

◆ getICFG()

ICFG* SVF::SaberCondAllocator::getICFG ( ) const
inline

Definition at line 208 of file SaberCondAllocator.h.

209  {
210  return PAG::getPAG()->getICFG();
211  }
SVF::SVFIR::getICFG
ICFG * getICFG() const
Definition: SVFIR.h:171

◆ getMemUsage()

std::string SVF::SaberCondAllocator::getMemUsage ( )
inline

Statistics.

Definition at line 71 of file SaberCondAllocator.h.

72  {
73  u32_t vmrss, vmsize;
74  if (SVFUtil::getMemoryUsageKB(&vmrss, &vmsize))
75  return std::to_string(vmsize) + "KB";
76  else
77  return "cannot read memory usage";
78  }
SVF::SVFUtil::getMemoryUsageKB
bool getMemoryUsageKB(u32_t *vmrss_kb, u32_t *vmsize_kb)
Get memory usage from system file. Return TRUE if succeed.
Definition: SVFUtil.cpp:177

◆ getPHIComplementCond()

SaberCondAllocator::Condition SaberCondAllocator::getPHIComplementCond ( const SVFBasicBlock BB1,
const SVFBasicBlock BB2,
const SVFBasicBlock BB0 
)
virtual

Get complement condition (from B1 to B0) according to a complementBB (BB2) at a phi e.g., B0: dstBB; B1:incomingBB; B2:complementBB

Get complement phi condition e.g., B0: dstBB; B1:incomingBB; B2:complementBB Assume B0 (phi node) is the successor of both B1 and B2. If B1 dominates B2, and B0 not dominate B2 then condition from B1-->B0 = neg(B1-->B2)^(B1-->B0)

avoid both BB0 and BB1 dominate BB2 (e.g., while loop), then BB2 is not necessarily a complement BB

Definition at line 463 of file SaberCondAllocator.cpp.

464 {
465  assert(BB1 && BB2 && "expect nullptr BB here!");
466 
468  if (dominate(BB1, BB2) && ! dominate(BB0, BB2))
469  {
470  Condition cond = ComputeIntraVFGGuard(BB1, BB2);
471  return condNeg(cond);
472  }
473 
474  return getTrueCond();
475 }
SVF::SaberCondAllocator::dominate
bool dominate(const SVFBasicBlock *bbKey, const SVFBasicBlock *bbValue) const
Definition: SaberCondAllocator.h:157

◆ getRemovedSUVFEdges()

SVFGNodeToSVFGNodeSetMap& SVF::SaberCondAllocator::getRemovedSUVFEdges ( )
inline

Definition at line 244 of file SaberCondAllocator.h.

245  {
246  return removedSUVFEdges;
247  }
SVF::SaberCondAllocator::removedSUVFEdges
SVFGNodeToSVFGNodeSetMap removedSUVFEdges
a counter for fresh condition
Definition: SaberCondAllocator.h:309

◆ getTrueCond()

Condition SVF::SaberCondAllocator::getTrueCond ( ) const
inline

Definition at line 99 of file SaberCondAllocator.h.

100  {
101  return Condition::getTrueCond();
102  }
SVF::Z3Expr::getTrueCond
static Z3Expr getTrueCond()
Return the unique true condition.
Definition: Z3Expr.h:288

◆ isAllPathReachable()

bool SVF::SaberCondAllocator::isAllPathReachable ( Condition condition)
inline

whether condition is satisfiable for all possible boolean guards

Definition at line 200 of file SaberCondAllocator.h.

201  {
202  return isEquivalentBranchCond(condition, Condition::getTrueCond());
203  }
SVF::SaberCondAllocator::isEquivalentBranchCond
bool isEquivalentBranchCond(const Condition &lhs, const Condition &rhs) const
Whether lhs and rhs are equivalent branch conditions.
Definition: SaberCondAllocator.cpp:608

◆ isBBCallsProgExit()

bool SaberCondAllocator::isBBCallsProgExit ( const SVFBasicBlock bb)
private

Whether this basic block contains program exit function call

Definition at line 441 of file SaberCondAllocator.cpp.

442 {
443  const SVFFunction* svfun = bb->getParent();
444  FunToExitBBsMap::const_iterator it = funToExitBBsMap.find(svfun);
445  if (it != funToExitBBsMap.end())
446  {
447  for (const auto &bit: it->second)
448  {
449  if (postDominate(bit, bb))
450  return true;
451  }
452  }
453  return false;
454 }

◆ isEQCmp()

bool SaberCondAllocator::isEQCmp ( const CmpStmt cmp) const
private

Evaluate test null/not null like expressions.

Return true if the predicate of this compare instruction is equal

Definition at line 337 of file SaberCondAllocator.cpp.

338 {
339  return (cmp->getPredicate() == CmpStmt::ICMP_EQ);
340 }
SVF::CmpStmt::getPredicate
u32_t getPredicate() const
Definition: SVFStatements.h:1012

◆ isEquivalentBranchCond()

bool SaberCondAllocator::isEquivalentBranchCond ( const Condition lhs,
const Condition rhs 
) const

Whether lhs and rhs are equivalent branch conditions.

check equal using z3 solver

Definition at line 608 of file SaberCondAllocator.cpp.

610 {
611  Condition::getSolver().push();
612  Condition::getSolver().add(lhs.getExpr() != rhs.getExpr());
613  z3::check_result res = Condition::getSolver().check();
614  Condition::getSolver().pop();
615  return res == z3::unsat;
616 }
SVF::Z3Expr::getSolver
static z3::solver & getSolver()
Get z3 solver, singleton design here to make sure we only have one context.
Definition: Z3Expr.cpp:56

◆ isNECmp()

bool SaberCondAllocator::isNECmp ( const CmpStmt cmp) const
private

Return true if the predicate of this compare instruction is not equal.

Definition at line 342 of file SaberCondAllocator.cpp.

343 {
344  return (cmp->getPredicate() == CmpStmt::ICMP_NE);
345 }
SVF::CmpStmt::ICMP_NE
@ ICMP_NE
not equal
Definition: SVFStatements.h:975

◆ isNegCond()

bool SVF::SaberCondAllocator::isNegCond ( u32_t  id) const
inline

Definition at line 142 of file SaberCondAllocator.h.

143  {
144  return negConds.test(id);
145  }
SVF::SaberCondAllocator::negConds
NodeBS negConds
key: z3 expression id, value: instruction
Definition: SaberCondAllocator.h:306
SVF::SparseBitVector::test
bool test(unsigned Idx) const
Definition: SparseBitVector.h:750

◆ isSatisfiable()

bool SaberCondAllocator::isSatisfiable ( const Condition condition)

whether condition is satisfiable

Definition at line 619 of file SaberCondAllocator.cpp.

620 {
621  Condition::getSolver().add(condition.getExpr());
622  z3::check_result result = Condition::getSolver().check();
623  Condition::getSolver().pop();
624  if (result == z3::sat || result == z3::unknown)
625  return true;
626  else
627  return false;
628 }

◆ isTestContainsNullAndTheValue()

bool SaberCondAllocator::isTestContainsNullAndTheValue ( const CmpStmt cmp) const
private

Return true if two values on the predicate are what we want.

Return true if: (1) cmp contains a null value (2) there is an indirect/direct edge from cur evaluated SVFG node to cmp operand

e.g., indirect edge: cur svfg node -> 1. store i32* %0, i32** p, align 8, !dbg !157 cmp operand -> 2. %1 = load i32*, i32** p, align 8, !dbg !159

  1. tobool = icmp ne i32* %1, null, !dbg !159
  2. br i1 tobool, label if.end, label if.then, !dbg !161 There is an indirect edge 1->2 with value %0

direct edge: cur svfg node -> 1. %3 = tail call i8* @malloc(i64 16), !dbg !22 (cmp operand) 2. %4 = icmp eq i8* %3, null, !dbg !28

  1. br i1 %4, label %7, label %5, !dbg !30 There is an direct edge 1->2 with value %3

Definition at line 393 of file SaberCondAllocator.cpp.

394 {
395 
396  const SVFValue* op0 = cmp->getOpVar(0)->getValue();
397  const SVFValue* op1 = cmp->getOpVar(1)->getValue();
398  if (SVFUtil::isa<SVFConstantNullPtr>(op1))
399  {
400  Set<const SVFValue* > inDirVal;
401  inDirVal.insert(getCurEvalSVFGNode()->getValue());
402  for (const auto &it: getCurEvalSVFGNode()->getOutEdges())
403  {
404  inDirVal.insert(it->getDstNode()->getValue());
405  }
406  return inDirVal.find(op0) != inDirVal.end();
407  }
408  else if (SVFUtil::isa<SVFConstantNullPtr>(op0))
409  {
410  Set<const SVFValue* > inDirVal;
411  inDirVal.insert(getCurEvalSVFGNode()->getValue());
412  for (const auto &it: getCurEvalSVFGNode()->getOutEdges())
413  {
414  inDirVal.insert(it->getDstNode()->getValue());
415  }
416  return inDirVal.find(op1) != inDirVal.end();
417  }
418  return false;
419 }
SVF::MultiOpndStmt::getOpVar
const SVFVar * getOpVar(u32_t pos) const
Operand SVFVars.
Definition: SVFStatements.h:778
SVF::SVFVar::getValue
const SVFValue * getValue() const
Get/has methods of the components.
Definition: SVFVariables.h:83

◆ isTestNotNullExpr()

bool SaberCondAllocator::isTestNotNullExpr ( const ICFGNode test) const
private

Return true if this is a test not null expression.

Definition at line 360 of file SaberCondAllocator.cpp.

361 {
362  if(!test) return false;
363  for(const SVFStmt* stmt : PAG::getPAG()->getSVFStmtList(test))
364  {
365  if(const CmpStmt* cmp = SVFUtil::dyn_cast<CmpStmt>(stmt))
366  {
367  return isTestContainsNullAndTheValue(cmp) && isNECmp(cmp);
368  }
369  }
370  return false;
371 }
SVF::SaberCondAllocator::isTestContainsNullAndTheValue
bool isTestContainsNullAndTheValue(const CmpStmt *cmp) const
Return true if two values on the predicate are what we want.
Definition: SaberCondAllocator.cpp:393
SVF::SaberCondAllocator::isNECmp
bool isNECmp(const CmpStmt *cmp) const
Return true if the predicate of this compare instruction is not equal.
Definition: SaberCondAllocator.cpp:342

◆ isTestNullExpr()

bool SaberCondAllocator::isTestNullExpr ( const ICFGNode test) const
private

Return true if this is a test null expression.

Definition at line 347 of file SaberCondAllocator.cpp.

348 {
349  if(!test) return false;
350  for(const SVFStmt* stmt : PAG::getPAG()->getSVFStmtList(test))
351  {
352  if(const CmpStmt* cmp = SVFUtil::dyn_cast<CmpStmt>(stmt))
353  {
354  return isTestContainsNullAndTheValue(cmp) && isEQCmp(cmp);
355  }
356  }
357  return false;
358 }
SVF::SaberCondAllocator::isEQCmp
bool isEQCmp(const CmpStmt *cmp) const
Evaluate test null/not null like expressions.
Definition: SaberCondAllocator.cpp:337

◆ newCond()

SaberCondAllocator::Condition SaberCondAllocator::newCond ( const ICFGNode inst)

Allocate a new condition.

Definition at line 595 of file SaberCondAllocator.cpp.

596 {
597  u32_t condCountIdx = totalCondNum++;
598  Condition expr = Condition::getContext().bool_const(("c" + std::to_string(condCountIdx)).c_str());
599  Condition negCond = Condition::NEG(expr);
600  setCondInst(expr, inst);
601  setNegCondInst(negCond, inst);
602  conditionVec.push_back(expr);
603  conditionVec.push_back(negCond);
604  return expr;
605 }
SVF::SaberCondAllocator::setNegCondInst
void setNegCondInst(const Condition &condition, const ICFGNode *inst)
mark neg Z3 expression
Definition: SaberCondAllocator.h:238
SVF::SaberCondAllocator::setCondInst
void setCondInst(const Condition &condition, const ICFGNode *inst)
Definition: SaberCondAllocator.h:135
SVF::SaberCondAllocator::conditionVec
std::vector< Condition > conditionVec
bit vector for distinguish neg
Definition: SaberCondAllocator.h:307
SVF::Z3Expr::getContext
static z3::context & getContext()
Get z3 context, singleton design here to make sure we only have one context.
Definition: Z3Expr.cpp:66

◆ postDominate()

bool SVF::SaberCondAllocator::postDominate ( const SVFBasicBlock bbKey,
const SVFBasicBlock bbValue 
) const
inline

Definition at line 147 of file SaberCondAllocator.h.

148  {
149  const SVFFunction* keyFunc = bbKey->getParent();
150  const SVFFunction* valueFunc = bbValue->getParent();
151  bool funcEq = (keyFunc == valueFunc);
152  (void)funcEq; // Suppress warning of unused variable under release build
153  assert(funcEq && "two basicblocks should be in the same function!");
154  return keyFunc->postDominate(bbKey,bbValue);
155  }

◆ printPathCond()

void SaberCondAllocator::printPathCond ( )

Print out the path condition information.

Print path conditions

Definition at line 568 of file SaberCondAllocator.cpp.

569 {
570 
571  outs() << "print path condition\n";
572 
573  for (const auto &bbCond: bbConds)
574  {
575  const SVFBasicBlock* bb = bbCond.first;
576  for (const auto &cit: bbCond.second)
577  {
578  u32_t i = 0;
579  for (const SVFBasicBlock* succ: bb->getSuccessors())
580  {
581  if (i == cit.first)
582  {
583  Condition cond = cit.second;
584  outs() << bb->getName() << "-->" << succ->getName() << ":";
585  outs() << dumpCond(cond) << "\n";
586  break;
587  }
588  i++;
589  }
590  }
591  }
592 }
SVF::SaberCondAllocator::dumpCond
std::string dumpCond(const Condition &cond) const
Definition: SaberCondAllocator.h:115

◆ setBranchCond()

void SaberCondAllocator::setBranchCond ( const SVFBasicBlock bb,
const SVFBasicBlock succ,
const Condition cond 
)
private

Get/Set a branch condition, and its terminator instruction.

Set branch condition

Set a branch condition

we only care about basic blocks have more than one successor

FIXME: llvm getNumSuccessors allows duplicated block in the successors, it makes this assertion fail In this case we may waste a condition allocation, because the overwrite of the previous cond

Definition at line 168 of file SaberCondAllocator.cpp.

169 {
171  assert(bb->getNumSuccessors() > 1 && "not more than one successor??");
172  u32_t pos = bb->getBBSuccessorPos(succ);
173  CondPosMap& condPosMap = bbConds[bb];
174 
177  //assert(condPosMap.find(pos) == condPosMap.end() && "this branch has already been set ");
178 
179  condPosMap[pos] = cond;
180 }
SVF::SaberCondAllocator::CondPosMap
Map< u32_t, Condition > CondPosMap
id to instruction map for z3
Definition: SaberCondAllocator.h:53

◆ setCFCond()

bool SVF::SaberCondAllocator::setCFCond ( const SVFBasicBlock bb,
const Condition cond 
)
inline

Get/Set control-flow conditions.

Definition at line 215 of file SaberCondAllocator.h.

216  {
217  BBToCondMap::iterator it = bbToCondMap.find(bb);
218  // until a fixed-point is reached (condition is not changed)
219  if(it!=bbToCondMap.end() && isEquivalentBranchCond(it->second, cond))
220  return false;
221 
222  bbToCondMap[bb] = cond;
223  return true;
224  }

◆ setCondInst()

void SVF::SaberCondAllocator::setCondInst ( const Condition condition,
const ICFGNode inst 
)
inline

Definition at line 135 of file SaberCondAllocator.h.

136  {
137  assert(idToTermInstMap.find(condition.id()) == idToTermInstMap.end() && "this should be a fresh condition");
138  idToTermInstMap[condition.id()] = inst;
139  }

◆ setCurEvalSVFGNode()

void SVF::SaberCondAllocator::setCurEvalSVFGNode ( const SVFGNode node)
inline

Set current value for branch condition evaluation.

Definition at line 182 of file SaberCondAllocator.h.

183  {
184  curEvalSVFGNode = node;
185  }

◆ setNegCondInst()

void SVF::SaberCondAllocator::setNegCondInst ( const Condition condition,
const ICFGNode inst 
)
inline

mark neg Z3 expression

Definition at line 238 of file SaberCondAllocator.h.

239  {
240  setCondInst(condition, inst);
241  negConds.set(condition.id());
242  }

Member Data Documentation

◆ bbConds

BBCondMap SVF::SaberCondAllocator::bbConds
protected

map basic block to its successors/predecessors branch conditions

Definition at line 312 of file SaberCondAllocator.h.

◆ bbToCondMap

BBToCondMap SVF::SaberCondAllocator::bbToCondMap
private

map a basic block to its path condition starting from root

Definition at line 303 of file SaberCondAllocator.h.

◆ conditionVec

std::vector<Condition> SVF::SaberCondAllocator::conditionVec
private

bit vector for distinguish neg

Definition at line 307 of file SaberCondAllocator.h.

◆ curEvalSVFGNode

const SVFGNode* SVF::SaberCondAllocator::curEvalSVFGNode {}
private

current llvm value to evaluate branch condition when computing guards

Definition at line 304 of file SaberCondAllocator.h.

◆ funToExitBBsMap

FunToExitBBsMap SVF::SaberCondAllocator::funToExitBBsMap
private

map a function to all its basic blocks calling program exit

Definition at line 302 of file SaberCondAllocator.h.

◆ idToTermInstMap

IndexToTermInstMap SVF::SaberCondAllocator::idToTermInstMap
private

Definition at line 305 of file SaberCondAllocator.h.

◆ negConds

NodeBS SVF::SaberCondAllocator::negConds
private

key: z3 expression id, value: instruction

Definition at line 306 of file SaberCondAllocator.h.

◆ removedSUVFEdges

SVFGNodeToSVFGNodeSetMap SVF::SaberCondAllocator::removedSUVFEdges
private

a counter for fresh condition

Definition at line 309 of file SaberCondAllocator.h.

◆ totalCondNum

u32_t SaberCondAllocator::totalCondNum = 0
staticprivate

vector storing z3expression

Definition at line 308 of file SaberCondAllocator.h.

The documentation for this class was generated from the following files:
Generated by doxygen 1.9.1