svf-lib 1.0.2549 → 1.0.2551

package/SVF-linux-aarch64/include/AE/Core/AbstractState.h

@@ -261,7 +261,6 @@ public:
     /// domain join with other, important! other widen this.
     void joinWith(const AbstractState&other);
 
-
     /// Replace address-taken (ObjVar) state with other's, preserving ValVar state.
     void updateAddrStateOnly(const AbstractState& other)
     {
@@ -277,6 +276,11 @@ public:
         _freedAddrs.insert(addr);
     }
 
+    const Set<NodeID>& getFreedAddrs() const
+    {
+        return _freedAddrs;
+    }
+
     bool isFreedMem(u32_t addr) const
     {
         return _freedAddrs.find(addr) != _freedAddrs.end();

package/SVF-linux-aarch64/include/AE/Svfexe/AEDetector.h

@@ -34,7 +34,6 @@ namespace SVF
 {
 
 class AbstractInterpretation;
-class AbstractStateManager;
 
 /**
  * @class AEDetector

package/SVF-linux-aarch64/include/AE/Svfexe/{PreAnalysis.h → AEWTO.h}

@@ -1,4 +1,4 @@
-//===- PreAnalysis.h -- Pre-Analysis for Abstract Interpretation----------//
+//===- AEWTO.h -- WTO + pointer-analysis prep for Abstract Interpretation ---//
 //
 //                     SVF: Static Value-Flow Analysis
 //
@@ -21,18 +21,18 @@
 //===----------------------------------------------------------------------===//
 
 /*
- * PreAnalysis.h
+ * AEWTO.h
  *
  *  Created on: Feb 25, 2026
  *      Author: Jiawei Wang
  *
- * This file provides a pre-analysis phase for Abstract Interpretation.
- * It runs Andersen's pointer analysis and builds WTO (Weak Topological Order)
- * for each function before the main abstract interpretation.
+ * Runs Andersen's pointer analysis and builds the per-function WTO
+ * (Weak Topological Order) consumed by Abstract Interpretation.  Also
+ * caches per-cycle ValVar sets for the semi-sparse loop helpers.
  */
 
-#ifndef INCLUDE_AE_SVFEXE_PREANALYSIS_H_
-#define INCLUDE_AE_SVFEXE_PREANALYSIS_H_
+#ifndef INCLUDE_AE_SVFEXE_AEWTO_H_
+#define INCLUDE_AE_SVFEXE_AEWTO_H_
 
 #include "SVFIR/SVFIR.h"
 #include "Graphs/ICFG.h"
@@ -44,13 +44,13 @@
 namespace SVF
 {
 
-class PreAnalysis
+class AEWTO
 {
 public:
     typedef SCCDetection<CallGraph*> CallGraphSCC;
 
-    PreAnalysis(SVFIR* pag, ICFG* icfg);
-    virtual ~PreAnalysis();
+    AEWTO(SVFIR* pag, ICFG* icfg);
+    virtual ~AEWTO();
 
     /// Accessors for Andersen's results
     AndersenWaveDiff* getPointerAnalysis() const
@@ -103,4 +103,4 @@ private:
 
 } // End namespace SVF
 
-#endif /* INCLUDE_AE_SVFEXE_PREANALYSIS_H_ */
+#endif /* INCLUDE_AE_SVFEXE_AEWTO_H_ */

package/SVF-linux-aarch64/include/AE/Svfexe/AbsExtAPI.h

@@ -34,7 +34,6 @@ namespace SVF
 {
 
 class AbstractInterpretation;
-class AbstractStateManager;
 
 /**
  * @class AbsExtAPI
@@ -53,7 +52,7 @@ public:
      * @brief Constructor for AbsExtAPI.
      * @param ae Reference to the AbstractInterpretation instance.
      */
-    AbsExtAPI(AbstractStateManager* mgr);
+    AbsExtAPI(AbstractInterpretation* ae);
 
     /**
      * @brief Initializes the external function map.
@@ -106,7 +105,7 @@ public:
      * @return Reference to the abstract state.
      * @throws Assertion if no trace exists for the node.
      */
-    AbstractState& getAbstractState(const ICFGNode* node);
+    AbstractState& getAbsState(const ICFGNode* node);
 
     void collectCheckPoint();
     void checkPointAllSet();
@@ -114,7 +113,7 @@ public:
     Set<const CallICFGNode*> checkpoints; // for CI check
 
 protected:
-    AbstractStateManager* mgr; ///< Pointer to the state manager.
+    AbstractInterpretation* ae; ///< Owning AbstractInterpretation; provides state access.
     SVFIR* svfir; ///< Pointer to the SVF intermediate representation.
     ICFG* icfg; ///< Pointer to the interprocedural control flow graph.
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map; ///< Map of function names to handlers.

package/SVF-linux-aarch64/include/AE/Svfexe/AbstractInterpretation.h

@@ -31,11 +31,11 @@
 #pragma once
 #include "AE/Core/AbstractState.h"
 #include "AE/Core/ICFGWTO.h"
-#include "AE/Svfexe/AbstractStateManager.h"
 #include "AE/Svfexe/AEDetector.h"
-#include "AE/Svfexe/PreAnalysis.h"
+#include "AE/Svfexe/AEWTO.h"
 #include "AE/Svfexe/AbsExtAPI.h"
 #include "AE/Svfexe/AEStat.h"
+#include "SVFIR/SVFIR.h"
 #include "Util/SVFBugReport.h"
 #include "Graphs/SCC.h"
 #include "Graphs/CallGraph.h"
@@ -47,10 +47,16 @@ class AbstractInterpretation;
 class AbsExtAPI;
 class AEStat;
 class AEAPI;
+class AndersenWaveDiff;
 
 template<typename T> class FILOWorkList;
 
-/// AbstractInterpretation is same as Abstract Execution
+/// AbstractInterpretation is same as Abstract Execution.
+///
+/// Owns the per-node abstract trace and exposes the read/write API
+/// directly (no separate state-manager indirection).  Sparse modes are
+/// implemented as subclasses that override the virtual hooks below
+/// (cycle helpers, ValVar accessors, joinStates, def/use queries).
 class AbstractInterpretation
 {
     friend class AEStat;
@@ -88,10 +94,7 @@ public:
         WIDEN_NARROW
     };
 
-    /// Constructor
-    AbstractInterpretation();
-
-    virtual void runOnModule(ICFG* icfg);
+    virtual void runOnModule();
 
     /// Destructor
     virtual ~AbstractInterpretation();
@@ -105,12 +108,12 @@ public:
     /// Get all entry point functions (functions without callers)
     std::deque<const FunObjVar*> collectProgEntryFuns();
 
-
-    static AbstractInterpretation& getAEInstance()
-    {
-        static AbstractInterpretation instance;
-        return instance;
-    }
+    /// Factory: returns the singleton instance.  The concrete class is
+    /// chosen once, on first call, from `Options::AESparsity()`:
+    /// `SemiSparseAbstractInterpretation` for SemiSparse,
+    /// `FullSparseAbstractInterpretation` for Sparse, otherwise the
+    /// dense base.  Must be called only after the option parser has run.
+    static AbstractInterpretation& getAEInstance();
 
     void addDetector(std::unique_ptr<AEDetector> detector)
     {
@@ -123,50 +126,104 @@ public:
         return svfir->getSVFVar(varId);
     }
 
-    /// Get the state manager instance.
-    AbstractStateManager* getStateMgr()
-    {
-        return svfStateMgr;
-    }
+    // ---- Abstract Value Access ----------------------------------------
 
-    // ---------------------------------------------------------------
-    //  Convenience wrappers around AbstractStateManager
-    // ---------------------------------------------------------------
-    /// Read-only access to a node's AbstractState. Mutations must go through
-    /// updateAbsState (to replace) or updateAbsValue (to update one variable).
-    inline const AbstractState& getAbsState(const ICFGNode* node) const
-    {
-        return svfStateMgr->getAbstractState(node);
-    }
+    /// Read a top-level variable's abstract value.  Dense base does a
+    /// direct trace lookup; sparse subclasses override with their own
+    /// resolution chain (def-site walk, call-result fallback, etc.).
+    /// All three overloads are virtual so full-sparse can route ObjVar
+    /// reads through the SVFG.
+    virtual const AbstractValue& getAbsValue(const ValVar* var, const ICFGNode* node);
+    virtual const AbstractValue& getAbsValue(const ObjVar* var, const ICFGNode* node);
+    virtual const AbstractValue& getAbsValue(const SVFVar* var, const ICFGNode* node);
 
-    inline bool hasAbsState(const ICFGNode* node)
-    {
-        return svfStateMgr->hasAbstractState(node);
-    }
+    /// Side-effect-free existence check.
+    virtual bool hasAbsValue(const ValVar* var, const ICFGNode* node) const;
+    virtual bool hasAbsValue(const ObjVar* var, const ICFGNode* node) const;
+    virtual bool hasAbsValue(const SVFVar* var, const ICFGNode* node) const;
 
-    inline void updateAbsState(const ICFGNode* node, const AbstractState& state)
-    {
-        svfStateMgr->updateAbstractState(node, state);
-    }
+    /// Write a variable's abstract value.  Sparse subclasses re-route
+    /// ValVar writes to the def-site.
+    virtual void updateAbsValue(const ValVar* var, const AbstractValue& val, const ICFGNode* node);
+    virtual void updateAbsValue(const ObjVar* var, const AbstractValue& val, const ICFGNode* node);
+    virtual void updateAbsValue(const SVFVar* var, const AbstractValue& val, const ICFGNode* node);
 
-    inline bool hasAbsValue(const SVFVar* var, const ICFGNode* node)
-    {
-        return svfStateMgr->hasAbstractValue(var, node);
-    }
+    // ---- State Access -------------------------------------------------
+
+    AbstractState& getAbsState(const ICFGNode* node);
+
+    /// Replace the state at `node`.  Sparse subclasses replace only the
+    /// ObjVar map (ValVars live at def-sites).
+    virtual void updateAbsState(const ICFGNode* node, const AbstractState& state);
+
+    /// Join `src` into `dst` with sparsity-aware semantics.  Dense merges
+    /// everything; semi-sparse skips ValVars.
+    virtual void joinStates(AbstractState& dst, const AbstractState& src);
+
+    bool hasAbsState(const ICFGNode* node);
 
-    inline const AbstractValue& getAbsValue(const SVFVar* var, const ICFGNode* node)
+    void getAbsState(const Set<const ValVar*>& vars, AbstractState& result, const ICFGNode* node);
+    void getAbsState(const Set<const ObjVar*>& vars, AbstractState& result, const ICFGNode* node);
+    void getAbsState(const Set<const SVFVar*>& vars, AbstractState& result, const ICFGNode* node);
+
+    // ---- GEP / Load-Store / Type Helpers ------------------------------
+
+    IntervalValue getGepElementIndex(const GepStmt* gep);
+    IntervalValue getGepByteOffset(const GepStmt* gep);
+    AddressValue getGepObjAddrs(const ValVar* pointer, IntervalValue offset);
+
+    AbstractValue loadValue(const ValVar* pointer, const ICFGNode* node);
+    void storeValue(const ValVar* pointer, const AbstractValue& val, const ICFGNode* node);
+
+    const SVFType* getPointeeElement(const ObjVar* var, const ICFGNode* node);
+    u32_t getAllocaInstByteSize(const AddrStmt* addr);
+
+    // ---- Direct Trace Access ------------------------------------------
+
+    Map<const ICFGNode*, AbstractState>& getTrace()
     {
-        return svfStateMgr->getAbstractValue(var, node);
+        return abstractTrace;
     }
-
-    inline void updateAbsValue(const SVFVar* var, const AbstractValue& val, const ICFGNode* node)
+    AbstractState& operator[](const ICFGNode* node)
     {
-        svfStateMgr->updateAbstractValue(var, val, node);
+        return abstractTrace[node];
     }
 
+    // ---- Def/Use site queries (sparsity-aware) ------------------------
+
+    virtual Set<const ICFGNode*> getUseSitesOfObjVar(const ObjVar* obj, const ICFGNode* node) const;
+    virtual Set<const ICFGNode*> getUseSitesOfValVar(const ValVar* var) const;
+    virtual const ICFGNode* getDefSiteOfValVar(const ValVar* var) const;
+    virtual const ICFGNode* getDefSiteOfObjVar(const ObjVar* obj, const ICFGNode* node) const;
+
     /// Propagate an ObjVar's abstract value from defSite to all its use-sites.
     void propagateObjVarAbsVal(const ObjVar* var, const ICFGNode* defSite);
 
+protected:
+    /// Factory-only construction.  External callers must use getAEInstance();
+    /// `SparseAbstractInterpretation` reaches this via its own ctor.
+    AbstractInterpretation();
+
+    // ---- Cycle helpers overridden by SparseAbstractInterpretation ----
+    // The dense versions write only to trace[cycle_head].  The semi-sparse
+    // subclass adds def-site scatter on top for body ValVars.
+
+    /// Build a full cycle-head AbstractState.  Dense default: trace[cycle_head]
+    /// as-is.  Semi-sparse subclass: also pull cycle ValVars from def-sites.
+    virtual AbstractState getFullCycleHeadState(const ICFGCycleWTO* cycle);
+
+    /// Widen prev with cur; write the widened state to trace[cycle_head].
+    /// Returns true when next == prev (fixpoint).  Semi-sparse subclass
+    /// additionally scatters ValVars to their def-sites.
+    virtual bool widenCycleState(const AbstractState& prev, const AbstractState& cur,
+                                 const ICFGCycleWTO* cycle);
+
+    /// Narrow prev with cur; write the narrowed state back.  Returns true
+    /// when narrowing is disabled or the narrowed state equals prev.
+    /// Semi-sparse subclass scatters the narrowed ValVars on non-fixpoint.
+    virtual bool narrowCycleState(const AbstractState& prev, const AbstractState& cur,
+                                  const ICFGCycleWTO* cycle);
+
 private:
     /// Initialize abstract state for the global ICFG node and process global statements
     virtual void handleGlobalNode();
@@ -185,30 +242,6 @@ private:
     /// Handle a WTO cycle (loop or recursive function) using widening/narrowing iteration
     virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller = nullptr);
 
-    // ---- Semi-sparse cycle helpers ----
-    // ValVars whose def-site is inside the cycle but NOT cycle_head do not
-    // flow through cycle_head's merge in semi-sparse mode, so the around-merge
-    // widening cannot observe them.  getFullCycleHeadState pulls these ValVars
-    // into a single AbstractState snapshot so widen/narrow can treat ValVars
-    // and ObjVars uniformly; after widen/narrow we scatter the ValVars back
-    // to their def-sites.
-
-    /// Build a full cycle-head AbstractState: the ObjVars currently at
-    /// cycle_head combined with every cycle ValVar pulled from its
-    /// def-site.  Skips ValVars without a stored value to avoid the
-    /// top-fallback contamination.  In dense mode this is equivalent to
-    /// trace[cycle_head] since ValVars already live there.
-    AbstractState getFullCycleHeadState(const ICFGCycleWTO* cycle);
-
-    /// Widen prev with cur; write the widened state to trace[cycle_head]
-    /// and scatter its ValVars back to their def-sites.  Returns true
-    /// when the widened result equals prev (fixpoint).
-    bool widenCycleState(const AbstractState& prev, const AbstractState& cur,
-                         const ICFGCycleWTO* cycle);
-    /// Narrow prev with cur; write the narrowed state back and scatter.
-    bool narrowCycleState(const AbstractState& prev, const AbstractState& cur,
-                          const ICFGCycleWTO* cycle);
-
     /// Handle a function body via worklist-driven WTO traversal starting from funEntry
     void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller = nullptr);
 
@@ -246,8 +279,6 @@ private:
 
     void updateStateOnPhi(const PhiStmt *phi);
 
-    /// protected data members, also used in subclasses
-    SVFIR* svfir;
     /// Execution State, used to store the Interval Value of every SVF variable
     AEAPI* api{nullptr};
 
@@ -255,8 +286,6 @@ private:
     CallGraph* callGraph;
     AEStat* stat;
 
-    PreAnalysis* preAnalysis{nullptr};
-
     AbsExtAPI* getUtils()
     {
         return utils;
@@ -272,18 +301,22 @@ private:
 
     bool skipRecursiveCall(const CallICFGNode* callNode);
     const FunObjVar* getCallee(const CallICFGNode* callNode);
-    bool shouldApplyNarrowing(const FunObjVar* fun);
 
     // there data should be shared with subclasses
     Map<std::string, std::function<void(const CallICFGNode*)>> func_map;
 
-    AbstractStateManager* svfStateMgr{nullptr}; // state management (owns abstractTrace)
     Set<const ICFGNode*> allAnalyzedNodes; // All nodes ever analyzed (across all entry points)
     std::string moduleName;
 
     std::vector<std::unique_ptr<AEDetector>> detectors;
     AbsExtAPI* utils;
 
+protected:
+    /// Data and helpers reachable from SparseAbstractInterpretation.
+    SVFIR* svfir{nullptr};
+    AEWTO* preAnalysis{nullptr};
+    Map<const ICFGNode*, AbstractState> abstractTrace; ///< per-node trace; owned here
 
+    bool shouldApplyNarrowing(const FunObjVar* fun);
 };
 }

package/SVF-linux-aarch64/include/AE/Svfexe/SparseAbstractInterpretation.h

@@ -0,0 +1,115 @@
+//===- SparseAbstractInterpretation.h -- Sparse Abstract Execution------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===---------------------------------------------------------------------===//
+
+#ifndef INCLUDE_AE_SVFEXE_SPARSEABSTRACTINTERPRETATION_H_
+#define INCLUDE_AE_SVFEXE_SPARSEABSTRACTINTERPRETATION_H_
+
+#include "AE/Svfexe/AbstractInterpretation.h"
+
+namespace SVF
+{
+
+class SVFG;
+
+/// Abstract Interpretation for `Options::AESparsity::SemiSparse`.
+///
+/// ValVars live at their SVFG-style def-sites: reads pull from there,
+/// writes go there, state merges replace only the ObjVar map and skip
+/// the ValVar map, and the cycle helpers gather/scatter cycle ValVars
+/// around each widening iteration.
+class SemiSparseAbstractInterpretation : public AbstractInterpretation
+{
+public:
+    SemiSparseAbstractInterpretation()
+    {
+        preAnalysis->initCycleValVars();
+    }
+    ~SemiSparseAbstractInterpretation() override = default;
+
+protected:
+    AbstractState getFullCycleHeadState(const ICFGCycleWTO* cycle) override;
+
+    bool widenCycleState(const AbstractState& prev,
+                         const AbstractState& cur,
+                         const ICFGCycleWTO* cycle) override;
+
+    bool narrowCycleState(const AbstractState& prev,
+                          const AbstractState& cur,
+                          const ICFGCycleWTO* cycle) override;
+
+    const AbstractValue& getAbsValue(const ValVar* var, const ICFGNode* node) override;
+    using AbstractInterpretation::getAbsValue;
+
+    bool hasAbsValue(const ValVar* var, const ICFGNode* node) const override;
+    using AbstractInterpretation::hasAbsValue;
+
+    void updateAbsValue(const ValVar* var, const AbstractValue& val, const ICFGNode* node) override;
+    using AbstractInterpretation::updateAbsValue;
+
+    void updateAbsState(const ICFGNode* node, const AbstractState& state) override;
+
+    void joinStates(AbstractState& dst, const AbstractState& src) override;
+
+    const ICFGNode* getICFGNode(const ValVar* var) const;
+};
+
+/// Abstract Interpretation for `Options::AESparsity::Sparse` (full-sparse).
+///
+/// In full-sparse mode both ValVars and ObjVars live at their SVFG
+/// def-sites; reads query the SVFG for the reaching-def site, writes
+/// happen at def-sites.  ValVar reads currently assert(false) until the
+/// SVFG-backed resolution lands (see `doc/plan-full-sparse.md`); cycle
+/// helpers are inherited from the semi-sparse parent and will also need
+/// extension for ObjVars.
+class FullSparseAbstractInterpretation : public SemiSparseAbstractInterpretation
+{
+public:
+    FullSparseAbstractInterpretation()
+    {
+        buildSVFG();
+    }
+    ~FullSparseAbstractInterpretation() override;
+
+    // Full-sparse ValVar resolution will route through the SVFG once
+    // implemented; fail loudly until then rather than silently inherit
+    // semi-sparse semantics.
+    const AbstractValue& getAbsValue(const ValVar* var, const ICFGNode* node) override;
+    using SemiSparseAbstractInterpretation::getAbsValue;
+
+    bool hasAbsValue(const ValVar* var, const ICFGNode* node) const override;
+    using SemiSparseAbstractInterpretation::hasAbsValue;
+
+    Set<const ICFGNode*> getUseSitesOfObjVar(const ObjVar* obj, const ICFGNode* node) const override;
+    Set<const ICFGNode*> getUseSitesOfValVar(const ValVar* var) const override;
+    const ICFGNode* getDefSiteOfValVar(const ValVar* var) const override;
+    const ICFGNode* getDefSiteOfObjVar(const ObjVar* obj, const ICFGNode* node) const override;
+
+protected:
+    /// Build the SVFG on top of the semi-sparse precompute.
+    void buildSVFG();
+
+    SVFG* svfg{nullptr};
+};
+
+} // namespace SVF
+
+#endif /* INCLUDE_AE_SVFEXE_SPARSEABSTRACTINTERPRETATION_H_ */

package/SVF-linux-aarch64/lib/cmake/SVF/SVFTargets.cmake

@@ -81,7 +81,7 @@ if(NOT CMAKE_VERSION VERSION_LESS "3.23.0")
       FILE_SET "HEADERS"
       TYPE "HEADERS"
       BASE_DIRS "${_IMPORT_PREFIX}/include"
-      FILES "${_IMPORT_PREFIX}/include/AE/Core/AbstractState.h" "${_IMPORT_PREFIX}/include/AE/Core/AbstractValue.h" "${_IMPORT_PREFIX}/include/AE/Core/AddressValue.h" "${_IMPORT_PREFIX}/include/AE/Core/ICFGWTO.h" "${_IMPORT_PREFIX}/include/AE/Core/IntervalValue.h" "${_IMPORT_PREFIX}/include/AE/Core/NumericValue.h" "${_IMPORT_PREFIX}/include/AE/Core/RelExeState.h" "${_IMPORT_PREFIX}/include/AE/Core/RelationSolver.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AEDetector.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AEStat.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AbsExtAPI.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AbstractInterpretation.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AbstractStateManager.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/PreAnalysis.h" "${_IMPORT_PREFIX}/include/CFL/CFGNormalizer.h" "${_IMPORT_PREFIX}/include/CFL/CFGrammar.h" "${_IMPORT_PREFIX}/include/CFL/CFLAlias.h" "${_IMPORT_PREFIX}/include/CFL/CFLBase.h" "${_IMPORT_PREFIX}/include/CFL/CFLGramGraphChecker.h" "${_IMPORT_PREFIX}/include/CFL/CFLGraphBuilder.h" "${_IMPORT_PREFIX}/include/CFL/CFLSVFGBuilder.h" "${_IMPORT_PREFIX}/include/CFL/CFLSolver.h" "${_IMPORT_PREFIX}/include/CFL/CFLStat.h" "${_IMPORT_PREFIX}/include/CFL/CFLVF.h" "${_IMPORT_PREFIX}/include/CFL/GrammarBuilder.h" "${_IMPORT_PREFIX}/include/DDA/ContextDDA.h" "${_IMPORT_PREFIX}/include/DDA/DDAClient.h" "${_IMPORT_PREFIX}/include/DDA/DDAPass.h" "${_IMPORT_PREFIX}/include/DDA/DDAStat.h" "${_IMPORT_PREFIX}/include/DDA/DDAVFSolver.h" "${_IMPORT_PREFIX}/include/DDA/FlowDDA.h" "${_IMPORT_PREFIX}/include/FastCluster/fastcluster.h" "${_IMPORT_PREFIX}/include/Graphs/BasicBlockG.h" "${_IMPORT_PREFIX}/include/Graphs/CDG.h" "${_IMPORT_PREFIX}/include/Graphs/CFLGraph.h" "${_IMPORT_PREFIX}/include/Graphs/CHG.h" "${_IMPORT_PREFIX}/include/Graphs/CallGraph.h" "${_IMPORT_PREFIX}/include/Graphs/ConsG.h" "${_IMPORT_PREFIX}/include/Graphs/ConsGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/ConsGNode.h" "${_IMPORT_PREFIX}/include/Graphs/DOTGraphTraits.h" "${_IMPORT_PREFIX}/include/Graphs/GenericGraph.h" "${_IMPORT_PREFIX}/include/Graphs/GraphPrinter.h" "${_IMPORT_PREFIX}/include/Graphs/GraphTraits.h" "${_IMPORT_PREFIX}/include/Graphs/GraphWriter.h" "${_IMPORT_PREFIX}/include/Graphs/ICFG.h" "${_IMPORT_PREFIX}/include/Graphs/ICFGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/ICFGNode.h" "${_IMPORT_PREFIX}/include/Graphs/ICFGStat.h" "${_IMPORT_PREFIX}/include/Graphs/IRGraph.h" "${_IMPORT_PREFIX}/include/Graphs/SCC.h" "${_IMPORT_PREFIX}/include/Graphs/SVFG.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGNode.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGOPT.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGStat.h" "${_IMPORT_PREFIX}/include/Graphs/ThreadCallGraph.h" "${_IMPORT_PREFIX}/include/Graphs/VFG.h" "${_IMPORT_PREFIX}/include/Graphs/VFGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/VFGNode.h" "${_IMPORT_PREFIX}/include/Graphs/WTO.h" "${_IMPORT_PREFIX}/include/MSSA/MSSAMuChi.h" "${_IMPORT_PREFIX}/include/MSSA/MemPartition.h" "${_IMPORT_PREFIX}/include/MSSA/MemRegion.h" "${_IMPORT_PREFIX}/include/MSSA/MemSSA.h" "${_IMPORT_PREFIX}/include/MSSA/SVFGBuilder.h" "${_IMPORT_PREFIX}/include/MTA/LockAnalysis.h" "${_IMPORT_PREFIX}/include/MTA/MHP.h" "${_IMPORT_PREFIX}/include/MTA/MTA.h" "${_IMPORT_PREFIX}/include/MTA/MTAStat.h" "${_IMPORT_PREFIX}/include/MTA/TCT.h" "${_IMPORT_PREFIX}/include/MemoryModel/AbstractPointsToDS.h" "${_IMPORT_PREFIX}/include/MemoryModel/AccessPath.h" "${_IMPORT_PREFIX}/include/MemoryModel/ConditionalPT.h" "${_IMPORT_PREFIX}/include/MemoryModel/MutablePointsToDS.h" "${_IMPORT_PREFIX}/include/MemoryModel/PersistentPointsToCache.h" "${_IMPORT_PREFIX}/include/MemoryModel/PersistentPointsToDS.h" "${_IMPORT_PREFIX}/include/MemoryModel/PointerAnalysis.h" "${_IMPORT_PREFIX}/include/MemoryModel/PointerAnalysisImpl.h" "${_IMPORT_PREFIX}/include/MemoryModel/PointsTo.h" "${_IMPORT_PREFIX}/include/MemoryModel/SVFLoop.h" "${_IMPORT_PREFIX}/include/SABER/DoubleFreeChecker.h" "${_IMPORT_PREFIX}/include/SABER/FileChecker.h" "${_IMPORT_PREFIX}/include/SABER/LeakChecker.h" "${_IMPORT_PREFIX}/include/SABER/ProgSlice.h" "${_IMPORT_PREFIX}/include/SABER/SaberCheckerAPI.h" "${_IMPORT_PREFIX}/include/SABER/SaberCondAllocator.h" "${_IMPORT_PREFIX}/include/SABER/SaberSVFGBuilder.h" "${_IMPORT_PREFIX}/include/SABER/SrcSnkDDA.h" "${_IMPORT_PREFIX}/include/SABER/SrcSnkSolver.h" "${_IMPORT_PREFIX}/include/SVFIR/ObjTypeInfo.h" "${_IMPORT_PREFIX}/include/SVFIR/PAGBuilderFromFile.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFIR.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFStatements.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFType.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFValue.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFVariables.h" "${_IMPORT_PREFIX}/include/Util/Annotator.h" "${_IMPORT_PREFIX}/include/Util/BitVector.h" "${_IMPORT_PREFIX}/include/Util/CDGBuilder.h" "${_IMPORT_PREFIX}/include/Util/CallGraphBuilder.h" "${_IMPORT_PREFIX}/include/Util/Casting.h" "${_IMPORT_PREFIX}/include/Util/CommandLine.h" "${_IMPORT_PREFIX}/include/Util/CoreBitVector.h" "${_IMPORT_PREFIX}/include/Util/CxtStmt.h" "${_IMPORT_PREFIX}/include/Util/DPItem.h" "${_IMPORT_PREFIX}/include/Util/ExtAPI.h" "${_IMPORT_PREFIX}/include/Util/GeneralType.h" "${_IMPORT_PREFIX}/include/Util/GraphReachSolver.h" "${_IMPORT_PREFIX}/include/Util/NodeIDAllocator.h" "${_IMPORT_PREFIX}/include/Util/Options.h" "${_IMPORT_PREFIX}/include/Util/PTAStat.h" "${_IMPORT_PREFIX}/include/Util/SVFBugReport.h" "${_IMPORT_PREFIX}/include/Util/SVFLoopAndDomInfo.h" "${_IMPORT_PREFIX}/include/Util/SVFStat.h" "${_IMPORT_PREFIX}/include/Util/SVFUtil.h" "${_IMPORT_PREFIX}/include/Util/SparseBitVector.h" "${_IMPORT_PREFIX}/include/Util/ThreadAPI.h" "${_IMPORT_PREFIX}/include/Util/WorkList.h" "${_IMPORT_PREFIX}/include/Util/Z3Expr.h" "${_IMPORT_PREFIX}/include/Util/cJSON.h" "${_IMPORT_PREFIX}/include/Util/iterator.h" "${_IMPORT_PREFIX}/include/Util/iterator_range.h" "${_IMPORT_PREFIX}/include/WPA/Andersen.h" "${_IMPORT_PREFIX}/include/WPA/AndersenPWC.h" "${_IMPORT_PREFIX}/include/WPA/CSC.h" "${_IMPORT_PREFIX}/include/WPA/FlowSensitive.h" "${_IMPORT_PREFIX}/include/WPA/Steensgaard.h" "${_IMPORT_PREFIX}/include/WPA/TypeAnalysis.h" "${_IMPORT_PREFIX}/include/WPA/VersionedFlowSensitive.h" "${_IMPORT_PREFIX}/include/WPA/WPAFSSolver.h" "${_IMPORT_PREFIX}/include/WPA/WPAPass.h" "${_IMPORT_PREFIX}/include/WPA/WPASolver.h" "${_IMPORT_PREFIX}/include/WPA/WPAStat.h"
+      FILES "${_IMPORT_PREFIX}/include/AE/Core/AbstractState.h" "${_IMPORT_PREFIX}/include/AE/Core/AbstractValue.h" "${_IMPORT_PREFIX}/include/AE/Core/AddressValue.h" "${_IMPORT_PREFIX}/include/AE/Core/ICFGWTO.h" "${_IMPORT_PREFIX}/include/AE/Core/IntervalValue.h" "${_IMPORT_PREFIX}/include/AE/Core/NumericValue.h" "${_IMPORT_PREFIX}/include/AE/Core/RelExeState.h" "${_IMPORT_PREFIX}/include/AE/Core/RelationSolver.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AEDetector.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AEStat.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AEWTO.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AbsExtAPI.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/AbstractInterpretation.h" "${_IMPORT_PREFIX}/include/AE/Svfexe/SparseAbstractInterpretation.h" "${_IMPORT_PREFIX}/include/CFL/CFGNormalizer.h" "${_IMPORT_PREFIX}/include/CFL/CFGrammar.h" "${_IMPORT_PREFIX}/include/CFL/CFLAlias.h" "${_IMPORT_PREFIX}/include/CFL/CFLBase.h" "${_IMPORT_PREFIX}/include/CFL/CFLGramGraphChecker.h" "${_IMPORT_PREFIX}/include/CFL/CFLGraphBuilder.h" "${_IMPORT_PREFIX}/include/CFL/CFLSVFGBuilder.h" "${_IMPORT_PREFIX}/include/CFL/CFLSolver.h" "${_IMPORT_PREFIX}/include/CFL/CFLStat.h" "${_IMPORT_PREFIX}/include/CFL/CFLVF.h" "${_IMPORT_PREFIX}/include/CFL/GrammarBuilder.h" "${_IMPORT_PREFIX}/include/DDA/ContextDDA.h" "${_IMPORT_PREFIX}/include/DDA/DDAClient.h" "${_IMPORT_PREFIX}/include/DDA/DDAPass.h" "${_IMPORT_PREFIX}/include/DDA/DDAStat.h" "${_IMPORT_PREFIX}/include/DDA/DDAVFSolver.h" "${_IMPORT_PREFIX}/include/DDA/FlowDDA.h" "${_IMPORT_PREFIX}/include/FastCluster/fastcluster.h" "${_IMPORT_PREFIX}/include/Graphs/BasicBlockG.h" "${_IMPORT_PREFIX}/include/Graphs/CDG.h" "${_IMPORT_PREFIX}/include/Graphs/CFLGraph.h" "${_IMPORT_PREFIX}/include/Graphs/CHG.h" "${_IMPORT_PREFIX}/include/Graphs/CallGraph.h" "${_IMPORT_PREFIX}/include/Graphs/ConsG.h" "${_IMPORT_PREFIX}/include/Graphs/ConsGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/ConsGNode.h" "${_IMPORT_PREFIX}/include/Graphs/DOTGraphTraits.h" "${_IMPORT_PREFIX}/include/Graphs/GenericGraph.h" "${_IMPORT_PREFIX}/include/Graphs/GraphPrinter.h" "${_IMPORT_PREFIX}/include/Graphs/GraphTraits.h" "${_IMPORT_PREFIX}/include/Graphs/GraphWriter.h" "${_IMPORT_PREFIX}/include/Graphs/ICFG.h" "${_IMPORT_PREFIX}/include/Graphs/ICFGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/ICFGNode.h" "${_IMPORT_PREFIX}/include/Graphs/ICFGStat.h" "${_IMPORT_PREFIX}/include/Graphs/IRGraph.h" "${_IMPORT_PREFIX}/include/Graphs/SCC.h" "${_IMPORT_PREFIX}/include/Graphs/SVFG.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGNode.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGOPT.h" "${_IMPORT_PREFIX}/include/Graphs/SVFGStat.h" "${_IMPORT_PREFIX}/include/Graphs/ThreadCallGraph.h" "${_IMPORT_PREFIX}/include/Graphs/VFG.h" "${_IMPORT_PREFIX}/include/Graphs/VFGEdge.h" "${_IMPORT_PREFIX}/include/Graphs/VFGNode.h" "${_IMPORT_PREFIX}/include/Graphs/WTO.h" "${_IMPORT_PREFIX}/include/MSSA/MSSAMuChi.h" "${_IMPORT_PREFIX}/include/MSSA/MemPartition.h" "${_IMPORT_PREFIX}/include/MSSA/MemRegion.h" "${_IMPORT_PREFIX}/include/MSSA/MemSSA.h" "${_IMPORT_PREFIX}/include/MSSA/SVFGBuilder.h" "${_IMPORT_PREFIX}/include/MTA/LockAnalysis.h" "${_IMPORT_PREFIX}/include/MTA/MHP.h" "${_IMPORT_PREFIX}/include/MTA/MTA.h" "${_IMPORT_PREFIX}/include/MTA/MTAStat.h" "${_IMPORT_PREFIX}/include/MTA/TCT.h" "${_IMPORT_PREFIX}/include/MemoryModel/AbstractPointsToDS.h" "${_IMPORT_PREFIX}/include/MemoryModel/AccessPath.h" "${_IMPORT_PREFIX}/include/MemoryModel/ConditionalPT.h" "${_IMPORT_PREFIX}/include/MemoryModel/MutablePointsToDS.h" "${_IMPORT_PREFIX}/include/MemoryModel/PersistentPointsToCache.h" "${_IMPORT_PREFIX}/include/MemoryModel/PersistentPointsToDS.h" "${_IMPORT_PREFIX}/include/MemoryModel/PointerAnalysis.h" "${_IMPORT_PREFIX}/include/MemoryModel/PointerAnalysisImpl.h" "${_IMPORT_PREFIX}/include/MemoryModel/PointsTo.h" "${_IMPORT_PREFIX}/include/MemoryModel/SVFLoop.h" "${_IMPORT_PREFIX}/include/SABER/DoubleFreeChecker.h" "${_IMPORT_PREFIX}/include/SABER/FileChecker.h" "${_IMPORT_PREFIX}/include/SABER/LeakChecker.h" "${_IMPORT_PREFIX}/include/SABER/ProgSlice.h" "${_IMPORT_PREFIX}/include/SABER/SaberCheckerAPI.h" "${_IMPORT_PREFIX}/include/SABER/SaberCondAllocator.h" "${_IMPORT_PREFIX}/include/SABER/SaberSVFGBuilder.h" "${_IMPORT_PREFIX}/include/SABER/SrcSnkDDA.h" "${_IMPORT_PREFIX}/include/SABER/SrcSnkSolver.h" "${_IMPORT_PREFIX}/include/SVFIR/ObjTypeInfo.h" "${_IMPORT_PREFIX}/include/SVFIR/PAGBuilderFromFile.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFIR.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFStatements.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFType.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFValue.h" "${_IMPORT_PREFIX}/include/SVFIR/SVFVariables.h" "${_IMPORT_PREFIX}/include/Util/Annotator.h" "${_IMPORT_PREFIX}/include/Util/BitVector.h" "${_IMPORT_PREFIX}/include/Util/CDGBuilder.h" "${_IMPORT_PREFIX}/include/Util/CallGraphBuilder.h" "${_IMPORT_PREFIX}/include/Util/Casting.h" "${_IMPORT_PREFIX}/include/Util/CommandLine.h" "${_IMPORT_PREFIX}/include/Util/CoreBitVector.h" "${_IMPORT_PREFIX}/include/Util/CxtStmt.h" "${_IMPORT_PREFIX}/include/Util/DPItem.h" "${_IMPORT_PREFIX}/include/Util/ExtAPI.h" "${_IMPORT_PREFIX}/include/Util/GeneralType.h" "${_IMPORT_PREFIX}/include/Util/GraphReachSolver.h" "${_IMPORT_PREFIX}/include/Util/NodeIDAllocator.h" "${_IMPORT_PREFIX}/include/Util/Options.h" "${_IMPORT_PREFIX}/include/Util/PTAStat.h" "${_IMPORT_PREFIX}/include/Util/SVFBugReport.h" "${_IMPORT_PREFIX}/include/Util/SVFLoopAndDomInfo.h" "${_IMPORT_PREFIX}/include/Util/SVFStat.h" "${_IMPORT_PREFIX}/include/Util/SVFUtil.h" "${_IMPORT_PREFIX}/include/Util/SparseBitVector.h" "${_IMPORT_PREFIX}/include/Util/ThreadAPI.h" "${_IMPORT_PREFIX}/include/Util/WorkList.h" "${_IMPORT_PREFIX}/include/Util/Z3Expr.h" "${_IMPORT_PREFIX}/include/Util/cJSON.h" "${_IMPORT_PREFIX}/include/Util/iterator.h" "${_IMPORT_PREFIX}/include/Util/iterator_range.h" "${_IMPORT_PREFIX}/include/WPA/Andersen.h" "${_IMPORT_PREFIX}/include/WPA/AndersenPWC.h" "${_IMPORT_PREFIX}/include/WPA/CSC.h" "${_IMPORT_PREFIX}/include/WPA/FlowSensitive.h" "${_IMPORT_PREFIX}/include/WPA/Steensgaard.h" "${_IMPORT_PREFIX}/include/WPA/TypeAnalysis.h" "${_IMPORT_PREFIX}/include/WPA/VersionedFlowSensitive.h" "${_IMPORT_PREFIX}/include/WPA/WPAFSSolver.h" "${_IMPORT_PREFIX}/include/WPA/WPAPass.h" "${_IMPORT_PREFIX}/include/WPA/WPASolver.h" "${_IMPORT_PREFIX}/include/WPA/WPAStat.h"
   )
 else()
   set_property(TARGET SVF::SvfCore

package/SVF-osx/include/AE/Core/AbstractState.h

@@ -261,7 +261,6 @@ public:
     /// domain join with other, important! other widen this.
     void joinWith(const AbstractState&other);
 
-
     /// Replace address-taken (ObjVar) state with other's, preserving ValVar state.
     void updateAddrStateOnly(const AbstractState& other)
     {
@@ -277,6 +276,11 @@ public:
         _freedAddrs.insert(addr);
     }
 
+    const Set<NodeID>& getFreedAddrs() const
+    {
+        return _freedAddrs;
+    }
+
     bool isFreedMem(u32_t addr) const
     {
         return _freedAddrs.find(addr) != _freedAddrs.end();

package/SVF-osx/include/AE/Svfexe/AEDetector.h

@@ -34,7 +34,6 @@ namespace SVF
 {
 
 class AbstractInterpretation;
-class AbstractStateManager;
 
 /**
  * @class AEDetector

package/SVF-osx/include/AE/Svfexe/{PreAnalysis.h → AEWTO.h}

@@ -1,4 +1,4 @@
-//===- PreAnalysis.h -- Pre-Analysis for Abstract Interpretation----------//
+//===- AEWTO.h -- WTO + pointer-analysis prep for Abstract Interpretation ---//
 //
 //                     SVF: Static Value-Flow Analysis
 //
@@ -21,18 +21,18 @@
 //===----------------------------------------------------------------------===//
 
 /*
- * PreAnalysis.h
+ * AEWTO.h
  *
  *  Created on: Feb 25, 2026
  *      Author: Jiawei Wang
  *
- * This file provides a pre-analysis phase for Abstract Interpretation.
- * It runs Andersen's pointer analysis and builds WTO (Weak Topological Order)
- * for each function before the main abstract interpretation.
+ * Runs Andersen's pointer analysis and builds the per-function WTO
+ * (Weak Topological Order) consumed by Abstract Interpretation.  Also
+ * caches per-cycle ValVar sets for the semi-sparse loop helpers.
  */
 
-#ifndef INCLUDE_AE_SVFEXE_PREANALYSIS_H_
-#define INCLUDE_AE_SVFEXE_PREANALYSIS_H_
+#ifndef INCLUDE_AE_SVFEXE_AEWTO_H_
+#define INCLUDE_AE_SVFEXE_AEWTO_H_
 
 #include "SVFIR/SVFIR.h"
 #include "Graphs/ICFG.h"
@@ -44,13 +44,13 @@
 namespace SVF
 {
 
-class PreAnalysis
+class AEWTO
 {
 public:
     typedef SCCDetection<CallGraph*> CallGraphSCC;
 
-    PreAnalysis(SVFIR* pag, ICFG* icfg);
-    virtual ~PreAnalysis();
+    AEWTO(SVFIR* pag, ICFG* icfg);
+    virtual ~AEWTO();
 
     /// Accessors for Andersen's results
     AndersenWaveDiff* getPointerAnalysis() const
@@ -103,4 +103,4 @@ private:
 
 } // End namespace SVF
 
-#endif /* INCLUDE_AE_SVFEXE_PREANALYSIS_H_ */
+#endif /* INCLUDE_AE_SVFEXE_AEWTO_H_ */