svf-lib 1.0.2539 → 1.0.2541

package/SVF-linux-aarch64/include/AE/Core/AbstractState.h

@@ -74,22 +74,8 @@ public:
 
     virtual ~AbstractState() = default;
 
-    // getGepObjAddrs
-    AddressValue getGepObjAddrs(u32_t pointer, IntervalValue offset);
-
     // initObjVar
     void initObjVar(const ObjVar* objVar);
-    // getElementIndex
-    IntervalValue getElementIndex(const GepStmt* gep);
-    // getByteOffset
-    IntervalValue getByteOffset(const GepStmt* gep);
-    // printAbstractState
-    // loadValue
-    AbstractValue loadValue(NodeID varId);
-    // storeValue
-    void storeValue(NodeID varId, AbstractValue val);
-
-    u32_t getAllocaInstByteSize(const AddrStmt *addr);
 
 
     /// The physical address starts with 0x7f...... + idx
@@ -275,6 +261,14 @@ public:
     /// domain join with other, important! other widen this.
     void joinWith(const AbstractState&other);
 
+
+    /// Replace address-taken (ObjVar) state with other's, preserving ValVar state.
+    void updateAddrStateOnly(const AbstractState& other)
+    {
+        _addrToAbsVal = other._addrToAbsVal;
+        _freedAddrs = other._freedAddrs;
+    }
+
     /// domain meet with other, important! other widen this.
     void meetWith(const AbstractState&other);
 
@@ -289,15 +283,6 @@ public:
     }
 
 
-    /**
-    * if this NodeID in SVFIR is a pointer, get the pointee type
-    * e.g  arr = (int*) malloc(10*sizeof(int))
-    *      getPointeeType(arr) -> return int
-    * we can set arr[0]='c', arr[1]='c', arr[2]='\0'
-    * @param call callnode of memset like api
-     */
-    const SVFType* getPointeeElement(NodeID id);
-
     void printAbstractState() const;
 
     std::string toString() const;
@@ -363,6 +348,16 @@ public:
         _freedAddrs.clear();
     }
 
+    /// Drop all top-level variables (ValVars), keeping ObjVar storage and
+    /// freed addresses intact. Used when building a cycle snapshot so the
+    /// ValVar set is controlled by the caller rather than whatever was
+    /// cached at the seed node.
+    void clearVars()
+    {
+        _varToAbsVal.clear();
+    }
+
+
 };
 
 }

package/SVF-linux-aarch64/include/AE/Core/AddressValue.h

@@ -174,11 +174,12 @@ public:
         return _addrs.count(id);
     }
 
-    bool hasIntersect(const AddressValue &other)
+    bool hasIntersect(const AddressValue &other) const
     {
-        AddressValue v = *this;
-        v.meet_with(other);
-        return !v.empty();
+        for (const auto& addr : _addrs)
+            if (other._addrs.count(addr))
+                return true;
+        return false;
     }
 
     inline bool isBottom() const

package/SVF-linux-aarch64/include/AE/Svfexe/AEDetector.h

@@ -32,6 +32,10 @@
 
 namespace SVF
 {
+
+class AbstractInterpretation;
+class AbstractStateManager;
+
 /**
  * @class AEDetector
  * @brief Base class for all detectors.
@@ -75,7 +79,7 @@ public:
      * @param as Reference to the abstract state.
      * @param node Pointer to the ICFG node.
      */
-    virtual void detect(AbstractState& as, const ICFGNode* node) = 0;
+    virtual void detect(const ICFGNode* node) = 0;
 
     /**
      * @brief Pure virtual function for handling stub external API calls. (e.g. UNSAFE_BUFACCESS)
@@ -167,7 +171,7 @@ public:
      * @param objAddrs Address value for the object.
      * @param offset The interval value of the offset.
      */
-    void updateGepObjOffsetFromBase(AbstractState& as,
+    void updateGepObjOffsetFromBase(const ICFGNode* node,
                                     AddressValue gepAddrs,
                                     AddressValue objAddrs,
                                     IntervalValue offset);
@@ -177,14 +181,14 @@ public:
      * @param as Reference to the abstract state.
      * @param node Pointer to the ICFG node.
      */
-    void detect(AbstractState& as, const ICFGNode*);
+    void detect(const ICFGNode*) override;
 
 
     /**
      * @brief Handles external API calls related to buffer overflow detection.
      * @param call Pointer to the call ICFG node.
      */
-    void handleStubFunctions(const CallICFGNode*);
+    void handleStubFunctions(const CallICFGNode*) override;
 
     /**
      * @brief Adds an offset to a GEP object.
@@ -229,7 +233,7 @@ public:
      * @param gep Pointer to the GEP statement.
      * @return The interval value of the access offset.
      */
-    IntervalValue getAccessOffset(AbstractState& as, NodeID objId, const GepStmt* gep);
+    IntervalValue getAccessOffset(NodeID objId, const GepStmt* gep);
 
     /**
      * @brief Adds a bug to the reporter based on an exception.
@@ -268,7 +272,7 @@ public:
     /**
      * @brief Reports all detected buffer overflow bugs.
      */
-    void reportBug()
+    void reportBug() override
     {
         if (!nodeToBugInfo.empty())
         {
@@ -292,33 +296,31 @@ public:
      * @param as Reference to the abstract state.
      * @param call Pointer to the call ICFG node.
      */
-    void detectExtAPI(AbstractState& as, const CallICFGNode *call);
+    void detectExtAPI(const CallICFGNode *call);
 
     /**
      * @brief Checks if memory can be safely accessed.
-     * @param as Reference to the abstract state.
      * @param value Pointer to the SVF var.
      * @param len The interval value representing the length of the memory access.
+     * @param node The ICFG node providing context.
      * @return True if the memory access is safe, false otherwise.
      */
-    bool canSafelyAccessMemory(AbstractState& as, const SVFVar *value, const IntervalValue &len);
+    bool canSafelyAccessMemory(const ValVar *value, const IntervalValue &len, const ICFGNode* node);
 
 private:
     /**
      * @brief Detects buffer overflow in 'strcat' function calls.
-     * @param as Reference to the abstract state.
      * @param call Pointer to the call ICFG node.
      * @return True if a buffer overflow is detected, false otherwise.
      */
-    bool detectStrcat(AbstractState& as, const CallICFGNode *call);
+    bool detectStrcat(const CallICFGNode *call);
 
     /**
      * @brief Detects buffer overflow in 'strcpy' function calls.
-     * @param as Reference to the abstract state.
      * @param call Pointer to the call ICFG node.
      * @return True if a buffer overflow is detected, false otherwise.
      */
-    bool detectStrcpy(AbstractState& as, const CallICFGNode *call);
+    bool detectStrcpy(const CallICFGNode *call);
 
 private:
     Map<const GepObjVar*, IntervalValue> gepObjOffsetFromBase; ///< Maps GEP objects to their offsets from the base.
@@ -348,13 +350,13 @@ public:
      * @param as Reference to the abstract state.
      * @param node Pointer to the ICFG node.
      */
-    void detect(AbstractState& as, const ICFGNode* node);
+    void detect(const ICFGNode* node) override;
 
     /**
      * @brief Handles external API calls related to nullptr dereferences.
      * @param call Pointer to the call ICFG node.
      */
-    void handleStubFunctions(const CallICFGNode* call);
+    void handleStubFunctions(const CallICFGNode* call) override;
 
     /**
      * @brief Checks if an Abstract Value is uninitialized.
@@ -401,7 +403,7 @@ public:
     /**
      * @brief Reports all detected nullptr dereference bugs.
      */
-    void reportBug()
+    void reportBug() override
     {
         if (!nodeToBugInfo.empty())
         {
@@ -420,7 +422,7 @@ public:
      * @param as Reference to the abstract state.
      * @param call Pointer to the call ICFG node.
      */
-    void detectExtAPI(AbstractState& as, const CallICFGNode* call);
+    void detectExtAPI(const CallICFGNode* call);
 
 
     /**
@@ -433,7 +435,7 @@ public:
         return !v.isAddr() && !v.isInterval();
     }
 
-    bool canSafelyDerefPtr(AbstractState& as, const SVFVar* ptr);
+    bool canSafelyDerefPtr(const ValVar* ptr, const ICFGNode* node);
 
 private:
     Set<std::string> bugLoc; ///< Set of locations where bugs have been reported.

package/SVF-linux-aarch64/include/AE/Svfexe/AbsExtAPI.h

@@ -33,8 +33,8 @@
 namespace SVF
 {
 
-// Forward declaration of AbstractInterpretation class
 class AbstractInterpretation;
+class AbstractStateManager;
 
 /**
  * @class AbsExtAPI
@@ -51,9 +51,9 @@ public:
 
     /**
      * @brief Constructor for AbsExtAPI.
-     * @param abstractTrace Reference to a map of ICFG nodes to abstract states.
+     * @param ae Reference to the AbstractInterpretation instance.
      */
-    AbsExtAPI(Map<const ICFGNode*, AbstractState>& traces);
+    AbsExtAPI(AbstractStateManager* mgr);
 
     /**
      * @brief Initializes the external function map.
@@ -66,7 +66,7 @@ public:
      * @param rhs Pointer to the SVF variable representing the string.
      * @return The string value.
      */
-    std::string strRead(AbstractState& as, const SVFVar* rhs);
+    std::string strRead(const ValVar* rhs, const ICFGNode* node);
 
     /**
      * @brief Handles an external API call.
@@ -77,21 +77,21 @@ public:
     // --- Shared primitives used by string/memory handlers ---
 
     /// Get the byte size of each element for a pointer/array variable.
-    u32_t getElementSize(AbstractState& as, const SVFVar* var);
+    u32_t getElementSize(const ValVar* var);
 
     /// Check if an interval length is usable (not bottom, not unbounded).
     static bool isValidLength(const IntervalValue& len);
 
     /// Calculate the length of a null-terminated string in abstract state.
-    IntervalValue getStrlen(AbstractState& as, const SVF::SVFVar *strValue);
+    IntervalValue getStrlen(const ValVar *strValue, const ICFGNode* node);
 
     // --- String/memory operation handlers ---
 
     void handleStrcpy(const CallICFGNode *call);
     void handleStrcat(const CallICFGNode *call);
     void handleStrncat(const CallICFGNode *call);
-    void handleMemcpy(AbstractState& as, const SVF::SVFVar *dst, const SVF::SVFVar *src, IntervalValue len, u32_t start_idx);
-    void handleMemset(AbstractState& as, const SVFVar* dst, IntervalValue elem, IntervalValue len);
+    void handleMemcpy(const ValVar *dst, const ValVar *src, const IntervalValue& len, u32_t start_idx, const ICFGNode* node);
+    void handleMemset(const ValVar* dst, const IntervalValue& elem, const IntervalValue& len, const ICFGNode* node);
 
     /**
      * @brief Gets the range limit from a type.
@@ -114,9 +114,9 @@ public:
     Set<const CallICFGNode*> checkpoints; // for CI check
 
 protected:
+    AbstractStateManager* mgr; ///< Pointer to the state manager.
     SVFIR* svfir; ///< Pointer to the SVF intermediate representation.
     ICFG* icfg; ///< Pointer to the interprocedural control flow graph.
-    Map<const ICFGNode*, AbstractState>& abstractTrace; ///< Map of ICFG nodes to abstract states.
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map; ///< Map of function names to handlers.
 };
 

package/SVF-linux-aarch64/include/AE/Svfexe/AbstractInterpretation.h

@@ -31,6 +31,7 @@
 #pragma once
 #include "AE/Core/AbstractState.h"
 #include "AE/Core/ICFGWTO.h"
+#include "AE/Svfexe/AbstractStateManager.h"
 #include "AE/Svfexe/AEDetector.h"
 #include "AE/Svfexe/PreAnalysis.h"
 #include "AE/Svfexe/AbsExtAPI.h"
@@ -73,6 +74,13 @@ public:
      * if set WIDEN_ONLY, result = [10000, +oo] since only widening is applied at the cycle head of recursive functions without narrowing.
      * if set WIDEN_NARROW, result = [10000, 10000] since both widening and narrowing are applied at the cycle head of recursive functions.
      * */
+    enum AESparsity
+    {
+        Dense,
+        SemiSparse,
+        Sparse
+    };
+
     enum HandleRecur
     {
         TOP,
@@ -115,43 +123,45 @@ public:
         return svfir->getSVFVar(varId);
     }
 
-    /// Retrieve abstract value for a top-level variable at a given ICFG node
-    const AbstractValue& getAbstractValue(const ValVar* var);
+    /// Get the state manager instance.
+    AbstractStateManager* getStateMgr()
+    {
+        return svfStateMgr;
+    }
 
-    /// Retrieve abstract value for an address-taken variable at a given ICFG node
-    const AbstractValue& getAbstractValue(const ICFGNode* node, const ObjVar* var);
+    // ---------------------------------------------------------------
+    //  Convenience wrappers around AbstractStateManager
+    // ---------------------------------------------------------------
+    /// Read-only access to a node's AbstractState. Mutations must go through
+    /// updateAbsState (to replace) or updateAbsValue (to update one variable).
+    inline const AbstractState& getAbsState(const ICFGNode* node) const
+    {
+        return svfStateMgr->getAbstractState(node);
+    }
 
-    /// Retrieve abstract value for any SVF variable at a given ICFG node
-    const AbstractValue& getAbstractValue(const ICFGNode* node, const SVFVar* var);
+    inline bool hasAbsState(const ICFGNode* node)
+    {
+        return svfStateMgr->hasAbstractState(node);
+    }
 
-    /// Set abstract value for a top-level variable at a given ICFG node
-    void updateAbstractValue(const ValVar* var, const AbstractValue& val);
+    inline void updateAbsState(const ICFGNode* node, const AbstractState& state)
+    {
+        svfStateMgr->updateAbstractState(node, state);
+    }
 
-    /// Set abstract value for an address-taken variable at a given ICFG node
-    void updateAbstractValue(const ICFGNode* node, const ObjVar* var, const AbstractValue& val);
+    inline const AbstractValue& getAbsValue(const SVFVar* var, const ICFGNode* node)
+    {
+        return svfStateMgr->getAbstractValue(var, node);
+    }
 
-    /// Set abstract value for any SVF variable at a given ICFG node
-    void updateAbstractValue(const ICFGNode* node, const SVFVar* var, const AbstractValue& val);
+    inline void updateAbsValue(const SVFVar* var, const AbstractValue& val, const ICFGNode* node)
+    {
+        svfStateMgr->updateAbstractValue(var, val, node);
+    }
 
-    /// Propagate an ObjVar's abstract value from defSite to all its use-site ICFGNodes via SVFG
+    /// Propagate an ObjVar's abstract value from defSite to all its use-sites.
     void propagateObjVarAbsVal(const ObjVar* var, const ICFGNode* defSite);
 
-    /// Retrieve the abstract state from the trace for a given ICFG node; asserts if no trace exists
-    AbstractState& getAbstractState(const ICFGNode* node);
-
-    /// Check if an abstract state exists in the trace for a given ICFG node
-    bool hasAbstractState(const ICFGNode* node);
-
-    /// Retrieve abstract state filtered to specific top-level variables
-    void getAbstractState(const ICFGNode* node, const Set<const ValVar*>& vars, AbstractState& result);
-
-    /// Retrieve abstract state filtered to specific address-taken variables
-    void getAbstractState(const ICFGNode* node, const Set<const ObjVar*>& vars, AbstractState& result);
-
-    /// Retrieve abstract state filtered to specific SVF variables
-    void getAbstractState(const ICFGNode* node, const Set<const SVFVar*>& vars, AbstractState& result);
-
-
 private:
     /// Initialize abstract state for the global ICFG node and process global statements
     virtual void handleGlobalNode();
@@ -161,8 +171,8 @@ private:
     /// abstractTrace[node]. Returns true if at least one predecessor had state.
     bool mergeStatesFromPredecessors(const ICFGNode* node);
 
-    /// Check if the branch on intraEdge is feasible under abstract state as
-    bool isBranchFeasible(const IntraCFGEdge* intraEdge, AbstractState& as);
+    /// Returns true if the branch is reachable; narrows as in-place.
+    bool isBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
 
     /// Handle a call site node: dispatch to ext-call, direct-call, or indirect-call handling
     virtual void handleCallSite(const ICFGNode* node);
@@ -179,15 +189,11 @@ private:
     /// Dispatch an SVF statement (Addr/Binary/Cmp/Load/Store/Copy/Gep/Select/Phi/Call/Ret) to its handler
     virtual void handleSVFStatement(const SVFStmt* stmt);
 
-    /// Set all store targets and return value to TOP for a recursive call node
-    virtual void setTopToObjInRecursion(const CallICFGNode* callnode);
+    /// Returns true if the cmp-conditional branch is feasible; narrows as in-place.
+    bool isCmpBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
 
-    /// Check if cmpStmt with successor value succ is feasible; refine intervals in as accordingly
-    bool isCmpBranchFeasible(const CmpStmt* cmpStmt, s64_t succ,
-                             AbstractState& as);
-
-    /// Check if switch branch with case value succ is feasible; refine intervals in as accordingly
-    bool isSwitchBranchFeasible(const SVFVar* var, s64_t succ, AbstractState& as);
+    /// Returns true if the switch branch is feasible; narrows as in-place.
+    bool isSwitchBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
 
     void updateStateOnAddr(const AddrStmt *addr);
 
@@ -211,7 +217,6 @@ private:
 
     void updateStateOnPhi(const PhiStmt *phi);
 
-
     /// protected data members, also used in subclasses
     SVFIR* svfir;
     /// Execution State, used to store the Interval Value of every SVF variable
@@ -232,7 +237,7 @@ private:
     virtual bool isExtCall(const CallICFGNode* callNode);
     virtual void handleExtCall(const CallICFGNode* callNode);
     virtual bool isRecursiveFun(const FunObjVar* fun);
-    virtual void handleRecursiveCall(const CallICFGNode *callNode);
+    virtual void skipRecursionWithTop(const CallICFGNode *callNode);
     virtual bool isRecursiveCallSite(const CallICFGNode* callNode, const FunObjVar *);
     virtual void handleFunCall(const CallICFGNode* callNode);
 
@@ -243,60 +248,13 @@ private:
     // there data should be shared with subclasses
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
 
-    Map<const ICFGNode*, AbstractState> abstractTrace; // abstract states for nodes
+    AbstractStateManager* svfStateMgr{nullptr}; // state management (owns abstractTrace)
     Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;
     AbsExtAPI* utils;
 
-    // according to varieties of cmp insts,
-    // maybe var X var, var X const, const X var, const X const
-    // we accept 'var X const' 'var X var' 'const X const'
-    // if 'const X var', we need to reverse op0 op1 and its predicate 'var X' const'
-    // X' is reverse predicate of X
-    // == -> !=, != -> ==, > -> <=, >= -> <, < -> >=, <= -> >
-
-    Map<s32_t, s32_t> _reverse_predicate =
-    {
-        {CmpStmt::Predicate::FCMP_OEQ, CmpStmt::Predicate::FCMP_ONE},  // == -> !=
-        {CmpStmt::Predicate::FCMP_UEQ, CmpStmt::Predicate::FCMP_UNE},  // == -> !=
-        {CmpStmt::Predicate::FCMP_OGT, CmpStmt::Predicate::FCMP_OLE},  // > -> <=
-        {CmpStmt::Predicate::FCMP_OGE, CmpStmt::Predicate::FCMP_OLT},  // >= -> <
-        {CmpStmt::Predicate::FCMP_OLT, CmpStmt::Predicate::FCMP_OGE},  // < -> >=
-        {CmpStmt::Predicate::FCMP_OLE, CmpStmt::Predicate::FCMP_OGT},  // <= -> >
-        {CmpStmt::Predicate::FCMP_ONE, CmpStmt::Predicate::FCMP_OEQ},  // != -> ==
-        {CmpStmt::Predicate::FCMP_UNE, CmpStmt::Predicate::FCMP_UEQ},  // != -> ==
-        {CmpStmt::Predicate::ICMP_EQ, CmpStmt::Predicate::ICMP_NE},  // == -> !=
-        {CmpStmt::Predicate::ICMP_NE, CmpStmt::Predicate::ICMP_EQ},  // != -> ==
-        {CmpStmt::Predicate::ICMP_UGT, CmpStmt::Predicate::ICMP_ULE},  // > -> <=
-        {CmpStmt::Predicate::ICMP_ULT, CmpStmt::Predicate::ICMP_UGE},  // < -> >=
-        {CmpStmt::Predicate::ICMP_UGE, CmpStmt::Predicate::ICMP_ULT},  // >= -> <
-        {CmpStmt::Predicate::ICMP_SGT, CmpStmt::Predicate::ICMP_SLE},  // > -> <=
-        {CmpStmt::Predicate::ICMP_SLT, CmpStmt::Predicate::ICMP_SGE},  // < -> >=
-        {CmpStmt::Predicate::ICMP_SGE, CmpStmt::Predicate::ICMP_SLT},  // >= -> <
-    };
-
-
-    Map<s32_t, s32_t> _switch_lhsrhs_predicate =
-    {
-        {CmpStmt::Predicate::FCMP_OEQ, CmpStmt::Predicate::FCMP_OEQ},  // == -> ==
-        {CmpStmt::Predicate::FCMP_UEQ, CmpStmt::Predicate::FCMP_UEQ},  // == -> ==
-        {CmpStmt::Predicate::FCMP_OGT, CmpStmt::Predicate::FCMP_OLT},  // > -> <
-        {CmpStmt::Predicate::FCMP_OGE, CmpStmt::Predicate::FCMP_OLE},  // >= -> <=
-        {CmpStmt::Predicate::FCMP_OLT, CmpStmt::Predicate::FCMP_OGT},  // < -> >
-        {CmpStmt::Predicate::FCMP_OLE, CmpStmt::Predicate::FCMP_OGE},  // <= -> >=
-        {CmpStmt::Predicate::FCMP_ONE, CmpStmt::Predicate::FCMP_ONE},  // != -> !=
-        {CmpStmt::Predicate::FCMP_UNE, CmpStmt::Predicate::FCMP_UNE},  // != -> !=
-        {CmpStmt::Predicate::ICMP_EQ, CmpStmt::Predicate::ICMP_EQ},  // == -> ==
-        {CmpStmt::Predicate::ICMP_NE, CmpStmt::Predicate::ICMP_NE},  // != -> !=
-        {CmpStmt::Predicate::ICMP_UGT, CmpStmt::Predicate::ICMP_ULT},  // > -> <
-        {CmpStmt::Predicate::ICMP_ULT, CmpStmt::Predicate::ICMP_UGT},  // < -> >
-        {CmpStmt::Predicate::ICMP_UGE, CmpStmt::Predicate::ICMP_ULE},  // >= -> <=
-        {CmpStmt::Predicate::ICMP_SGT, CmpStmt::Predicate::ICMP_SLT},  // > -> <
-        {CmpStmt::Predicate::ICMP_SLT, CmpStmt::Predicate::ICMP_SGT},  // < -> >
-        {CmpStmt::Predicate::ICMP_SGE, CmpStmt::Predicate::ICMP_SLE},  // >= -> <=
-    };
 
 };
 }