svf-lib 1.0.2575 → 1.0.2577

package/SVF-linux-x86_64/include/AE/Svfexe/AbstractInterpretation.h

@@ -172,8 +172,11 @@ public:
     IntervalValue getGepByteOffset(const GepStmt* gep);
     AddressValue getGepObjAddrs(const ValVar* pointer, IntervalValue offset);
 
-    AbstractValue loadValue(const ValVar* pointer, const ICFGNode* node);
-    void storeValue(const ValVar* pointer, const AbstractValue& val, const ICFGNode* node);
+    /// Virtual so full-sparse can layer the GepObj overlay on top.
+    virtual AbstractValue loadValue(const ValVar* pointer,
+                                    const ICFGNode* node);
+    virtual void storeValue(const ValVar* pointer, const AbstractValue& val,
+                            const ICFGNode* node);
 
     const SVFType* getPointeeElement(const ObjVar* var, const ICFGNode* node);
     u32_t getAllocaInstByteSize(const AddrStmt* addr);
@@ -214,17 +217,38 @@ protected:
     virtual bool narrowCycleState(const AbstractState& prev, const AbstractState& cur,
                                   const ICFGCycleWTO* cycle);
 
-private:
-    /// Initialize abstract state for the global ICFG node and process global statements
-    virtual void handleGlobalNode();
-
+protected:
     /// Pull-based state merge: read abstractTrace[pred] for each predecessor,
     /// apply branch refinement for conditional IntraCFGEdges, and join into
     /// abstractTrace[node]. Returns true if at least one predecessor had state.
-    bool mergeStatesFromPredecessors(const ICFGNode* node);
+    /// Virtual so full-sparse can layer per-MRSVFGNode obj pulls on top of the
+    /// base ICFG-edge merge.
+    virtual bool mergeStatesFromPredecessors(const ICFGNode* node);
+
+    /// Returns true if the branch edge is reachable under the current state.
+    /// Pure query: does not update `as` or branch refinement traces.
+    bool isBranchEdgeFeasible(const IntraCFGEdge* edge, AbstractState& as);
+
+    /// Collect branch-induced interval refinement after a feasible edge has
+    /// been selected for normal CFG-state merging.
+    void collectBranchRefinement(const IntraCFGEdge* edge, AbstractState& as);
+
+    /// Hook called by collectBranchRefinement for each obj that the
+    /// branch narrows.  Default (dense/semi): MEET `narrowed` onto
+    /// obj's value (read at `loadIcfg` where sparse keeps it) and
+    /// write the result into the local `as` (per-edge predState copy)
+    /// so joinStates carries it to `succ`.  FullSparse overrides to
+    /// capture into refinementTrace[succ] instead.
+    virtual void recordBranchRefinement(NodeID objId,
+                                        const IntervalValue& narrowed,
+                                        AbstractState& as,
+                                        const ICFGNode* loadIcfg,
+                                        const ICFGNode* succ);
 
-    /// Returns true if the branch is reachable; narrows as in-place.
-    bool isBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
+private:
+    /// Initialize abstract state for the global ICFG node and process global
+    /// statements
+    virtual void handleGlobalNode();
 
     /// Handle a call site node: dispatch to ext-call, direct-call, or indirect-call handling
     virtual void handleCallSite(const ICFGNode* node);
@@ -241,11 +265,12 @@ private:
     /// Dispatch an SVF statement (Addr/Binary/Cmp/Load/Store/Copy/Gep/Select/Phi/Call/Ret) to its handler
     virtual void handleSVFStatement(const SVFStmt* stmt);
 
-    /// Returns true if the cmp-conditional branch is feasible; narrows as in-place.
-    bool isCmpBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
+    /// Returns true if the cmp-conditional branch is feasible.
+    bool isCmpBranchEdgeFeasible(const IntraCFGEdge* edge, AbstractState& as);
 
-    /// Returns true if the switch branch is feasible; narrows as in-place.
-    bool isSwitchBranchFeasible(const IntraCFGEdge* edge, AbstractState& as);
+    /// Returns true if the switch branch is feasible.
+    bool isSwitchBranchEdgeFeasible(const IntraCFGEdge* edge,
+                                    AbstractState& as);
 
     void updateStateOnAddr(const AddrStmt *addr);
 
@@ -309,4 +334,4 @@ protected:
 
     bool shouldApplyNarrowing(const FunObjVar* fun);
 };
-}
+} // namespace SVF

package/SVF-linux-x86_64/include/AE/Svfexe/SparseAbstractInterpretation.h

@@ -24,11 +24,15 @@
 #define INCLUDE_AE_SVFEXE_SPARSEABSTRACTINTERPRETATION_H_
 
 #include "AE/Svfexe/AbstractInterpretation.h"
+#include <memory>
 
 namespace SVF
 {
 
 class SVFG;
+class SVFGBuilder;
+class IndirectSVFGEdge;
+class VFGNode;
 
 /// Abstract Interpretation for `Options::AESparsity::SemiSparse`.
 ///
@@ -76,10 +80,8 @@ protected:
 ///
 /// In full-sparse mode both ValVars and ObjVars live at their SVFG
 /// def-sites; reads query the SVFG for the reaching-def site, writes
-/// happen at def-sites.  ValVar reads currently assert(false) until the
-/// SVFG-backed resolution lands (see `doc/plan-full-sparse.md`); cycle
-/// helpers are inherited from the semi-sparse parent and will also need
-/// extension for ObjVars.
+/// happen at def-sites.  See `doc/plan-full-sparse.md` for the
+/// phase plan; Phase 1 routes ValVar and ObjVar reads through the SVFG.
 class FullSparseAbstractInterpretation : public SemiSparseAbstractInterpretation
 {
 public:
@@ -89,28 +91,83 @@ public:
     }
     ~FullSparseAbstractInterpretation() override;
 
-    // Full-sparse ValVar resolution will route through the SVFG once
-    // implemented; fail loudly until then rather than silently inherit
-    // semi-sparse semantics.
-    const AbstractValue& getAbsValue(const ValVar* var, const ICFGNode* node) override;
-    using SemiSparseAbstractInterpretation::getAbsValue;
-
-    bool hasAbsValue(const ValVar* var, const ICFGNode* node) const override;
-    using SemiSparseAbstractInterpretation::hasAbsValue;
+protected:
+    /// Full-sparse does not merge normal value-flow state along ICFG
+    /// edges.  The ICFG join carries only side-channel state that is not
+    /// represented as MemorySSA def-use flow: GepObjVar field snapshots
+    /// and `_freedAddrs`.  Base/Dummy ObjVars are populated later by
+    /// pullObjValueFlows from SVFG indirect in-edges; ValVars stay at their
+    /// def-sites.
+    void joinStates(AbstractState& dst, const AbstractState& src) override;
 
-    const Set<const ICFGNode*> getUseSitesOfValVar(const ValVar* var) const;
-    const ICFGNode* getDefSiteOfValVar(const ValVar* var) const;
-    /// Given an ObjVar and its def-site ICFGNode, find all use-site ICFGNodes
-    /// by following outgoing IndirectSVFGEdges whose pts contains the ObjVar
-    const Set<const ICFGNode*> getDefSiteOfObjVar(const ObjVar* obj, const ICFGNode* node) const;
-    /// Given an ObjVar and its def-site ICFGNode, find all use-site ICFGNodes
-    /// by following outgoing IndirectSVFGEdges whose pts contains the ObjVar
-    const Set<const ICFGNode*> getUseSitesOfObjVar(const ObjVar* obj, const ICFGNode* node) const;
+    /// After a store overwrites an ObjVar, clear any branch refinement
+    /// for that ObjVar at the store's node so stale branch constraints
+    /// don't propagate past the redefinition.
+    void storeValue(const ValVar* pointer, const AbstractValue& val,
+                    const ICFGNode* node) override;
+
+    /// Thin wrapper: defer to base for ICFG-edge bookkeeping
+    /// (predecessor iteration, branch feasibility, joinStates,
+    /// updateAbsState, reachability return).  For reachable nodes,
+    /// additionally run pullObjValueFlows to populate trace[node] with obj
+    /// values from SVFG def-sites.
+    bool mergeStatesFromPredecessors(const ICFGNode* node) override;
+
+    /// Capture branch narrowings into refinementTrace[succ] instead of
+    /// writing them into the local `as`: in FullSparse `as` would be
+    /// discarded by joinStates (no-op for ObjVar), so we route the
+    /// narrowing to refinementTrace and let propagateAndApplyRefinement
+    /// bake it into trace at the end of mergeStatesFromPredecessors.
+    void recordBranchRefinement(NodeID objId, const IntervalValue& narrowed,
+                                AbstractState& as, const ICFGNode* loadIcfg,
+                                const ICFGNode* succ) override;
+
+private:
+    /// SVFG-pull helper: walk each VFG node's indirect SVFG in-edges
+    /// and pull obj values from upstream def-site traces into
+    /// trace[node].  Multiple sources (e.g. mphi operands) JOIN.
+    void pullObjValueFlows(const ICFGNode* node);
+
+    /// Return whether an indirect SVFG edge should be pulled into dst.
+    /// Besides branch-feasible ICFG reachability, this rejects paths where
+    /// another store to the same points-to object kills the edge's value.
+    bool isIndirectSVFGEdgeFeasible(const IndirectSVFGEdge* edge,
+                                    const VFGNode* dst);
+
+    /// Return whether a branch-feasible ICFG path exists from src to dst.
+    /// Conditional edges are checked with a pure branch-feasibility query,
+    /// so path probing does not create branch-refinement side effects.
+    bool isICFGPathFeasible(const ICFGNode* src, const ICFGNode* dst);
+
+    /// Return whether this intra edge is allowed by the current branch state.
+    bool isIntraEdgeBranchFeasible(const IntraCFGEdge* edge,
+                                   const ICFGNode* src);
+
+    /// Compose pred-inherited refinement into refinementTrace[node]
+    /// (single-pred linear copy / multi-pred intersect-JOIN; any pred
+    /// without refinement drops the inheritance), then MEET the final
+    /// refinementTrace[node] into trace[node]._addrToAbsVal so the
+    /// inherited base getAbsValue(ObjVar*, node) returns the narrowed
+    /// value directly — no read-time override or cache.  Called once
+    /// per merge as the last step.
+    void propagateAndApplyRefinement(const ICFGNode* node);
+
+    /// Path-refined obj values produced by branch narrowing.  Each
+    /// entry is the *interval constraint* (not effective value) so
+    /// base trace can widen/narrow independently.  Cached at branch
+    /// successors by recordBranchRefinement; propagated and applied by
+    /// propagateAndApplyRefinement at the end of
+    /// mergeStatesFromPredecessors.
+    Map<const ICFGNode*, Map<NodeID, IntervalValue>> refinementTrace;
 
-protected:
     /// Build the SVFG on top of the semi-sparse precompute.
     void buildSVFG();
 
+    /// Owns the SVFG (via SVFGBuilder's internal unique_ptr).  Without
+    /// this, SVFGBuilder would be a local in buildSVFG() and free the
+    /// graph at scope exit, leaving `svfg` dangling.
+    std::unique_ptr<SVFGBuilder> svfgBuilder;
+    /// View pointer into svfgBuilder's graph; non-null after buildSVFG().
     SVFG* svfg{nullptr};
 };
 

package/SVF-osx/include/AE/Svfexe/AbstractInterpretation.h

@@ -37,9 +37,9 @@
 #include "AE/Svfexe/AEStat.h"
 #include "SVFIR/SVFIR.h"
 #include "Util/SVFBugReport.h"
+#include "Util/WorkList.h"
 #include "Graphs/SCC.h"
 #include "Graphs/CallGraph.h"
-#include <deque>
 
 namespace SVF
 {
@@ -94,6 +94,12 @@ public:
         WIDEN_NARROW
     };
 
+    enum AEFunEntryMode
+    {
+        MAIN,
+        NO_MAIN
+    };
+
     virtual void runOnModule();
 
     /// Destructor
@@ -106,7 +112,7 @@ public:
     void analyzeFromAllProgEntries();
 
     /// Get all entry point functions (functions without callers)
-    std::deque<const FunObjVar*> collectProgEntryFuns();
+    FIFOWorkList<const FunObjVar*> collectProgEntryFuns();
 
     /// Factory: returns the singleton instance.  The concrete class is
     /// chosen once, on first call, from `Options::AESparsity()`:
@@ -254,10 +260,10 @@ private:
     virtual void handleCallSite(const ICFGNode* node);
 
     /// Handle a WTO cycle (loop or recursive function) using widening/narrowing iteration
-    virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller = nullptr);
+    virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller);
 
     /// Handle a function body via worklist-driven WTO traversal starting from funEntry
-    void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller = nullptr);
+    void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller);
 
     /// Handle an ICFG node: execute statements; return true if state changed
     bool handleICFGNode(const ICFGNode* node);

package/SVF-osx/include/Util/Options.h

@@ -241,6 +241,7 @@ public:
 
     // Abstract Execution
     static const OptionMap<u32_t> AESparsity;
+    static const OptionMap<u32_t> AEFunEntry;
     static const Option<u32_t> WidenDelay;
     /// recursion handling mode, Default: TOP
     static const OptionMap<u32_t> HandleRecur;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-lib",
-  "version": "1.0.2575",
+  "version": "1.0.2577",
   "description": "SVF's npm support",
   "main": "index.js",
   "scripts": {