svf-tools 1.0.1017 → 1.0.1019

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1017",
+  "version": "1.0.1019",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/DDA/DDAVFSolver.h

@@ -471,9 +471,11 @@ protected:
     virtual inline bool isLocalCVarInRecursion(const CVar& var) const
     {
         NodeID id = getPtrNodeID(var);
+        const BaseObjVar* baseObj = _pag->getBaseObject(id);
+        assert(baseObj && "base object is null??");
         const MemObj* obj = _pag->getObject(id);
         assert(obj && "object not found!!");
-        if(obj->isStack())
+        if(SVFUtil::isa<StackObjVar>(baseObj))
         {
             if(const SVFFunction* svffun = _pag->getGNode(id)->getFunction())
             {
@@ -637,9 +639,8 @@ protected:
     //@{
     virtual inline bool isHeapCondMemObj(const CVar& var, const StoreSVFGNode*)
     {
-        const MemObj* mem = _pag->getObject(getPtrNodeID(var));
-        assert(mem && "memory object is null??");
-        return mem->isHeap();
+        const BaseObjVar* pVar = _pag->getBaseObject(getPtrNodeID(var));
+        return pVar && SVFUtil::isa<HeapObjVar, DummyObjVar>(pVar);
     }
 
     inline bool isArrayCondMemObj(const CVar& var) const

package/svf/include/Graphs/GenericGraph.h

@@ -141,105 +141,66 @@ public:
 
     enum GNodeK
     {
-        // ┌── ICFGNodeKinds: Combines inter-procedural and intra-procedural control flow graph nodes
-        // │   ├── Represents a node within a single procedure
-        IntraBlock,
-        // │   └── Represents a global-level block
-        GlobalBlock,
-        // │   └─ InterICFGNodeKinds: Types of inter-procedural control flow graph nodes
-        // │      ├── Entry point of a function
-        FunEntryBlock,
-        // │      ├── Exit point of a function
-        FunExitBlock,
-        // │      ├── Call site in the function
-        FunCallBlock,
-        // │      └── Return site in the function
-        FunRetBlock,
+        // ┌── ICFGNode: Classes of inter-procedural and intra-procedural control flow graph nodes
+        IntraBlock,       // ├──Represents a node within a single procedure
+        GlobalBlock,      // ├──Represents a global-level block
+        // │   └─ InterICFGNode: Classes of inter-procedural control flow graph nodes
+        FunEntryBlock,    // ├──Entry point of a function
+        FunExitBlock,     // ├──Exit point of a function
+        FunCallBlock,     // ├──Call site in the function
+        FunRetBlock,      // ├──Return site in the function
         // └────────
 
-        // ┌── SVFVarKinds: Combines ValVarKinds and ObjVarKinds for variable nodes
-        // │   ┌── ValVarKinds: Types of value variable nodes
-        // │   │   ├── Represents a standard value variable
-        ValNode,
-        // │   │   ├── Represents a Function value variable
-        FunValNode,
-        // │   │   ├── Represents a GEP value variable
-        GepValNode,
-        // │   │   ├── Represents a return value node
-        RetNode,
-        // │   │   ├── Represents a variadic argument node
-        VarargNode,
-        // │   │   └── Dummy node for uninitialized values
-        DummyValNode,
-        // │   └── ObjVarKinds: Types of object variable nodes
-        // │       ├── Represents an object variable
-        ObjNode,
-        // │       ├── GepObjNode: Represents a GEP object variable
-        GepObjNode,
-        // │       └── FIObjNode: Represents a flow-insensitive object node
-        FIObjNode,
-        // │            ├──FunObjNode: Types of function object
-        FunObjNode,
-        // │       └── DummyObjNode: Dummy node for uninitialized objects
-        DummyObjNode,
+        // ┌── SVFVar: Classes of top-level variables (ValVar) and address-taken variables (ObjVar)
+        // │   └── ValVar: Classes of top-level variable nodes
+        ValNode,          // ├──Represents a standard value variable
+        FunValNode,       // ├──Represents a Function value variable
+        GepValNode,       // ├──Represents a GEP value variable
+        RetNode,          // ├──Represents a return value node
+        VarargNode,       // ├──Represents a variadic argument node
+        DummyValNode,     // ├──Dummy node for uninitialized values
+        // │   └── ObjVar: Classes of object variable nodes
+        ObjNode,          // ├──Represents an object variable
+        GepObjNode,       // ├──Represents a GEP object variable
+        // │        └── BaseObjVar: Classes of base object nodes
+        BaseObjNode,      // ├──Represents a base object node
+        FunObjNode,       // ├──Types of function object
+        HeapObjNode,      // ├──Types of heap object
+        StackObjNode,     // ├──Types of stack object
+        DummyObjNode,     // ├──Dummy node for uninitialized objects
         // └────────
 
-        // ┌── VFGNodeKinds: Various Value Flow Graph (VFG) node kinds with operations
-        // │   ├── Represents a comparison operation
-        Cmp,
-        // │   ├── Represents a binary operation
-        BinaryOp,
-        // │   ├── Represents a unary operation
-        UnaryOp,
-        // │   ├── Represents a branch operation
-        Branch,
-        // │   ├── Dummy node for value propagation
-        DummyVProp,
-        // │   └── Represents a null pointer operation
-        NPtr,
-        // │   └── ArgumentVFGNodeKinds: Types of argument nodes in VFG
-        // │        ├── Represents a function return value
-        FRet,
-        // │        ├── Represents an argument return value
-        ARet,
-        // │        ├── Represents an argument parameter
-        AParm,
-        // │        └── FParm: Represents a function parameter
-        FParm,
-        // │   └── StmtVFGNodeKinds: Types of statement nodes in VFG
-        // │        ├── Represents an address operation
-        Addr,
-        // │        ├── Represents a copy operation
-        Copy,
-        // │        ├── Represents a GEP operation
-        Gep,
-        // │        ├── Represents a store operation
-        Store,
-        // │        └── Represents a load operation
-        Load,
-        // │   └── PHIVFGNodeKinds: Types of PHI nodes in VFG
-        // │        ├── Represents a type-based PHI node
-        TPhi,
-        // │        ├── Represents an intra-procedural PHI node
-        TIntraPhi,
-        // │        └── Represents an inter-procedural PHI node
-        TInterPhi,
-        // │   └── MRSVFGNodeKinds: Memory-related SVFG nodes
-        // │        ├── Function parameter input
-        FPIN,
-        // │        ├── Function parameter output
-        FPOUT,
-        // │        ├── Argument parameter input
-        APIN,
-        // │        └── Argument parameter output
-        APOUT,
-        // │        └── MSSAPHISVFGNodeKinds: Mem SSA PHI nodes for SVFG
-        // │            ├── Memory PHI node
-        MPhi,
-        // │            ├── Intra-procedural memory PHI node
-        MIntraPhi,
-        // │            └── MInterPhi: Inter-procedural memory PHI node
-        MInterPhi,
+        // ┌── VFGNode: Classes of Value Flow Graph (VFG) node kinds with operations
+        Cmp,              // ├──Represents a comparison operation
+        BinaryOp,         // ├──Represents a binary operation
+        UnaryOp,          // ├──Represents a unary operation
+        Branch,           // ├──Represents a branch operation
+        DummyVProp,       // ├──Dummy node for value propagation
+        NPtr,             // ├──Represents a null pointer operation
+        // │   └── ArgumentVFGNode: Classes of argument nodes in VFG
+        FRet,             // ├──Represents a function return value
+        ARet,             // ├──Represents an argument return value
+        AParm,            // ├──Represents an argument parameter
+        FParm,            // ├──Represents a function parameter
+        // │   └── StmtVFGNode: Classes of statement nodes in VFG
+        Addr,             // ├──Represents an address operation
+        Copy,             // ├──Represents a copy operation
+        Gep,              // ├──Represents a GEP operation
+        Store,            // ├──Represents a store operation
+        Load,             // ├──Represents a load operation
+        // │   └── PHIVFGNode: Classes of PHI nodes in VFG
+        TPhi,             // ├──Represents a type-based PHI node
+        TIntraPhi,        // ├──Represents an intra-procedural PHI node
+        TInterPhi,        // ├──Represents an inter-procedural PHI node
+        // │   └── MRSVFGNode: Classes of Memory-related SVFG nodes
+        FPIN,             // ├──Function parameter input
+        FPOUT,            // ├──Function parameter output
+        APIN,             // ├──Argument parameter input
+        APOUT,            // ├──Argument parameter output
+        // │        └── MSSAPHISVFGNode: Classes of Mem SSA PHI nodes for SVFG
+        MPhi,             // ├──Memory PHI node
+        MIntraPhi,        // ├──Intra-procedural memory PHI node
+        MInterPhi,        // ├──Inter-procedural memory PHI node
         // └────────
 
         // Additional specific graph node types
@@ -317,7 +278,7 @@ protected:
 
     static inline bool isSVFVarKind(GNodeK n)
     {
-        static_assert(DummyObjNode - ValNode == 10,
+        static_assert(DummyObjNode - ValNode == 12,
                       "The number of SVFVarKinds has changed, make sure the "
                       "range is correct");
 
@@ -334,18 +295,18 @@ protected:
 
     static inline bool isObjVarKinds(GNodeK n)
     {
-        static_assert(DummyObjNode - ObjNode == 4,
+        static_assert(DummyObjNode - ObjNode == 6,
                       "The number of ObjVarKinds has changed, make sure the "
                       "range is correct");
         return n <= DummyObjNode && n >= ObjNode;
     }
 
-    static inline bool isFIObjVarKinds(GNodeK n)
+    static inline bool isBaseObjVarKinds(GNodeK n)
     {
-        static_assert(FunObjNode - FIObjNode == 1,
-                      "The number of FIObjVarKinds has changed, make sure the "
+        static_assert(DummyObjNode - BaseObjNode == 4,
+                      "The number of BaseObjVarKinds has changed, make sure the "
                       "range is correct");
-        return n <= FunObjNode && n >= FIObjNode;
+        return n <= DummyObjNode && n >= BaseObjNode;
     }
 
     static inline bool isVFGNodeKinds(GNodeK n)

package/svf/include/MemoryModel/PointerAnalysis.h

@@ -304,9 +304,7 @@ public:
     //@{
     inline bool isHeapMemObj(NodeID id) const
     {
-        const MemObj* mem = pag->getObject(id);
-        assert(mem && "memory object is null??");
-        return mem->isHeap();
+        return pag->getBaseObject(id) && SVFUtil::isa<HeapObjVar, DummyObjVar>(pag->getBaseObject(id));
     }
 
     inline bool isArrayMemObj(NodeID id) const
@@ -321,7 +319,7 @@ public:
     ///@{
     inline bool isFIObjNode(NodeID id) const
     {
-        return (SVFUtil::isa<FIObjVar>(pag->getGNode(id)));
+        return (SVFUtil::isa<BaseObjVar>(pag->getGNode(id)));
     }
     inline NodeID getBaseObjVar(NodeID id)
     {

package/svf/include/SVFIR/SVFFileSystem.h

@@ -166,7 +166,7 @@ class ValVar;
 class ObjVar;
 class GepValVar;
 class GepObjVar;
-class FIObjVar;
+class BaseObjVar;
 class RetPN;
 class VarArgPN;
 class DummyValVar;
@@ -456,7 +456,7 @@ private:
     cJSON* contentToJson(const ObjVar* var);
     cJSON* contentToJson(const GepValVar* var);
     cJSON* contentToJson(const GepObjVar* var);
-    cJSON* contentToJson(const FIObjVar* var);
+    cJSON* contentToJson(const BaseObjVar* var);
     cJSON* contentToJson(const RetPN* var);
     cJSON* contentToJson(const VarArgPN* var);
     cJSON* contentToJson(const DummyValVar* var);
@@ -1231,7 +1231,7 @@ private:
     void fill(const cJSON*& fieldJson, ObjVar* var);
     void fill(const cJSON*& fieldJson, GepValVar* var);
     void fill(const cJSON*& fieldJson, GepObjVar* var);
-    void fill(const cJSON*& fieldJson, FIObjVar* var);
+    void fill(const cJSON*& fieldJson, BaseObjVar* var);
     void fill(const cJSON*& fieldJson, RetPN* var);
     void fill(const cJSON*& fieldJson, VarArgPN* var);
     void fill(const cJSON*& fieldJson, DummyValVar* var);

package/svf/include/SVFIR/SVFIR.h

@@ -401,6 +401,17 @@ public:
         else
             return nullptr;
     }
+
+    inline const BaseObjVar* getBaseObject(NodeID id) const
+    {
+        const SVFVar* node = getGNode(id);
+        if(const GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(node))
+            return SVFUtil::dyn_cast<BaseObjVar>(
+                       getGNode(gepObjVar->getBaseNode()));
+        else
+            return SVFUtil::dyn_cast<BaseObjVar>(node);
+    }
+
     inline const MemObj*getObject(const ObjVar* node) const
     {
         return node->getMemObj();
@@ -565,6 +576,30 @@ private:
         return addFIObjNode(mem);
     }
 
+    /**
+     * Creates and adds a heap object node to the SVFIR
+     */
+    inline NodeID addHeapObjNode(const SVFValue* val, const SVFFunction* f, NodeID i)
+    {
+        const MemObj* mem = getMemObj(val);
+        assert(mem->getId() == i && "not same object id?");
+        memToFieldsMap[i].set(i);
+        HeapObjVar *node = new HeapObjVar(f, val->getType(), i, mem);
+        return addObjNode(val, node, i);
+    }
+
+    /**
+     * Creates and adds a stack object node to the SVFIR
+     */
+    inline NodeID addStackObjNode(const SVFValue* val, const SVFFunction* f, NodeID i)
+    {
+        const MemObj* mem = getMemObj(val);
+        assert(mem->getId() == i && "not same object id?");
+        memToFieldsMap[i].set(i);
+        StackObjVar *node = new  StackObjVar(f, val->getType(), i, mem);
+        return addObjNode(val, node, i);
+    }
+
     NodeID addFunObjNode(const CallGraphNode* callGraphNode, NodeID id);
     /// Add a unique return node for a procedure
     inline NodeID addRetNode(const CallGraphNode* callGraphNode, NodeID i)

package/svf/include/SVFIR/SVFVariables.h

@@ -58,7 +58,7 @@ public:
     /// Vararg: unique node for vararg parameter
     /// GepValNode: temporary gep value node for field sensitivity
     /// GepValNode: temporary gep obj node for field sensitivity
-    /// FIObjNode: for field insensitive analysis
+    /// BaseObjNode: for field insensitive analysis
     /// DummyValNode and DummyObjNode: for non-llvm-value node
     typedef GNodeK PNODEK;
     typedef s64_t GEdgeKind;
@@ -68,6 +68,7 @@ protected:
     SVFStmt::KindToSVFStmtMapTy InEdgeKindToSetMap;
     SVFStmt::KindToSVFStmtMapTy OutEdgeKindToSetMap;
     bool isPtr;	/// whether it is a pointer (top-level or address-taken)
+    const SVFFunction* func; /// function containing this variable
 
     /// Constructor to create an empty object (for deserialization)
     SVFVar(NodeID i, PNODEK k) : GenericPAGNodeTy(i, k), value{} {}
@@ -117,16 +118,29 @@ public:
     // TODO: (Optimization) Should it return const reference instead of value?
     virtual const std::string getValueName() const = 0;
 
-    /// Return the function that this SVFVar resides in. Return nullptr if it is a global or constantexpr node
+    /// Return the function containing this SVFVar
+    /// @return The SVFFunction containing this variable, or nullptr if it's a global/constant expression
     virtual inline const SVFFunction* getFunction() const
     {
+        // Return cached function if available
+        if(func) return func;
+
+        // If we have an associated LLVM value, check its parent function
         if (value)
         {
+            // For instructions, return the function containing the parent basic block
             if (auto inst = SVFUtil::dyn_cast<SVFInstruction>(value))
+            {
                 return inst->getParent()->getParent();
+            }
+            // For function arguments, return their parent function
             else if (auto arg = SVFUtil::dyn_cast<SVFArgument>(value))
+            {
                 return arg->getParent();
+            }
         }
+
+        // Return nullptr for globals/constants with no parent function
         return nullptr;
     }
 
@@ -532,43 +546,43 @@ public:
  * Field-insensitive Gep Obj variable, this is dynamic generated for field sensitive analysis
  * Each field-insensitive gep obj node represents all fields of a MemObj (base)
  */
-class FIObjVar: public ObjVar
+class BaseObjVar : public ObjVar
 {
     friend class SVFIRWriter;
     friend class SVFIRReader;
 
 protected:
     /// Constructor to create empty ObjVar (for SVFIRReader/deserialization)
-    FIObjVar(NodeID i, PNODEK ty = FIObjNode) : ObjVar(i, ty) {}
+    BaseObjVar(NodeID i, PNODEK ty = BaseObjNode) : ObjVar(i, ty) {}
 
 public:
     ///  Methods for support type inquiry through isa, cast, and dyn_cast:
     //@{
-    static inline bool classof(const FIObjVar*)
+    static inline bool classof(const BaseObjVar*)
     {
         return true;
     }
     static inline bool classof(const ObjVar* node)
     {
-        return isFIObjVarKinds(node->getNodeKind());
+        return isBaseObjVarKinds(node->getNodeKind());
     }
     static inline bool classof(const SVFVar* node)
     {
-        return isFIObjVarKinds(node->getNodeKind());
+        return isBaseObjVarKinds(node->getNodeKind());
     }
     static inline bool classof(const GenericPAGNodeTy* node)
     {
-        return isFIObjVarKinds(node->getNodeKind());
+        return isBaseObjVarKinds(node->getNodeKind());
     }
     static inline bool classof(const SVFBaseNode* node)
     {
-        return isFIObjVarKinds(node->getNodeKind());
+        return isBaseObjVarKinds(node->getNodeKind());
     }
     //@}
 
     /// Constructor
-    FIObjVar(const SVFValue* val, NodeID i, const MemObj* mem,
-             PNODEK ty = FIObjNode)
+    BaseObjVar(const SVFValue* val, NodeID i, const MemObj* mem,
+               PNODEK ty = BaseObjNode)
         : ObjVar(val, i, mem, ty)
     {
     }
@@ -584,6 +598,127 @@ public:
     virtual const std::string toString() const;
 };
 
+
+/**
+ * @brief Class representing a heap object variable in the SVFIR
+ *
+ * This class models heap-allocated objects in the program analysis. It extends BaseObjVar
+ * to specifically handle heap memory locations.
+ */
+class HeapObjVar: public BaseObjVar
+{
+
+    friend class SVFIRWriter;
+    friend class SVFIRReader;
+
+protected:
+    /// Constructor to create heap object var
+    HeapObjVar(NodeID i, PNODEK ty = HeapObjNode) : BaseObjVar(i, ty) {}
+
+public:
+    ///  Methods for support type inquiry through isa, cast, and dyn_cast:
+    //@{
+    static inline bool classof(const HeapObjVar*)
+    {
+        return true;
+    }
+    static inline bool classof(const BaseObjVar* node)
+    {
+        return node->getNodeKind() == HeapObjNode;
+    }
+    static inline bool classof(const ObjVar* node)
+    {
+        return node->getNodeKind() == HeapObjNode;
+    }
+    static inline bool classof(const SVFVar* node)
+    {
+        return node->getNodeKind() == HeapObjNode;
+    }
+    static inline bool classof(const GenericPAGNodeTy* node)
+    {
+        return node->getNodeKind() == HeapObjNode;
+    }
+    static inline bool classof(const SVFBaseNode* node)
+    {
+        return node->getNodeKind() == HeapObjNode;
+    }
+    //@}
+
+    /// Constructor
+    HeapObjVar(const SVFFunction* func, const SVFType* svfType, NodeID i,
+               const MemObj* mem, PNODEK ty = HeapObjNode);
+
+    /// Return name of a LLVM value
+    inline const std::string getValueName() const
+    {
+        return " (heap base object)";
+    }
+
+    virtual const std::string toString() const;
+};
+
+
+/**
+ * @brief Represents a stack-allocated object variable in the SVFIR (SVF Intermediate Representation)
+ * @inherits BaseObjVar
+ *
+ * This class models variables that are allocated on the stack in the program.
+ * It provides type checking functionality through LLVM-style RTTI (Runtime Type Information)
+ * methods like classof.
+ */
+class StackObjVar: public BaseObjVar
+{
+
+    friend class SVFIRWriter;
+    friend class SVFIRReader;
+
+protected:
+    /// Constructor to create stack object var
+    StackObjVar(NodeID i, PNODEK ty = StackObjNode) : BaseObjVar(i, ty) {}
+
+public:
+    ///  Methods for support type inquiry through isa, cast, and dyn_cast:
+    //@{
+    static inline bool classof(const StackObjVar*)
+    {
+        return true;
+    }
+    static inline bool classof(const BaseObjVar* node)
+    {
+        return node->getNodeKind() == StackObjNode;
+    }
+    static inline bool classof(const ObjVar* node)
+    {
+        return node->getNodeKind() == StackObjNode;
+    }
+    static inline bool classof(const SVFVar* node)
+    {
+        return node->getNodeKind() == StackObjNode;
+    }
+    static inline bool classof(const GenericPAGNodeTy* node)
+    {
+        return node->getNodeKind() == StackObjNode;
+    }
+    static inline bool classof(const SVFBaseNode* node)
+    {
+        return node->getNodeKind() == StackObjNode;
+    }
+    //@}
+
+    /// Constructor
+    StackObjVar(const SVFFunction* f, const SVFType* svfType, NodeID i,
+                const MemObj* mem, PNODEK ty = StackObjNode);
+
+    /// Return name of a LLVM value
+    inline const std::string getValueName() const
+    {
+        return " (stack base object)";
+    }
+
+    virtual const std::string toString() const;
+};
+
+
 class CallGraphNode;
 
 class FunValVar : public ValVar
@@ -625,16 +760,12 @@ public:
 
     /// Constructor
     FunValVar(const CallGraphNode* cgn, NodeID i, const ICFGNode* icn,
-              PNODEK ty = FunValNode)
-        : ValVar(nullptr, i, ty, icn), callGraphNode(cgn)
-    {
-
-    }
+              PNODEK ty = FunValNode);
 
     virtual const std::string toString() const;
 };
 
-class FunObjVar : public FIObjVar
+class FunObjVar : public BaseObjVar
 {
     friend class SVFIRWriter;
     friend class SVFIRReader;
@@ -644,7 +775,7 @@ private:
 
 private:
     /// Constructor to create empty ObjVar (for SVFIRReader/deserialization)
-    FunObjVar(NodeID i, PNODEK ty = FunObjNode) : FIObjVar(i, ty) {}
+    FunObjVar(NodeID i, PNODEK ty = FunObjNode) : BaseObjVar(i, ty) {}
 
 public:
     ///  Methods for support type inquiry through isa, cast, and dyn_cast:
@@ -653,7 +784,7 @@ public:
     {
         return true;
     }
-    static inline bool classof(const FIObjVar* node)
+    static inline bool classof(const BaseObjVar* node)
     {
         return node->getNodeKind() == FunObjNode;
     }
@@ -840,14 +971,14 @@ public:
 /*
  * Dummy object variable
  */
-class DummyObjVar: public ObjVar
+class DummyObjVar: public BaseObjVar
 {
     friend class SVFIRWriter;
     friend class SVFIRReader;
 
 private:
     /// Constructor to create empty DummyObjVar (for SVFIRReader/deserialization)
-    DummyObjVar(NodeID i) : ObjVar(i, DummyObjNode) {}
+    DummyObjVar(NodeID i) : BaseObjVar(i, DummyObjNode) {}
 
 public:
     //@{ Methods for support type inquiry through isa, cast, and dyn_cast:
@@ -876,7 +1007,7 @@ public:
 
     /// Constructor
     DummyObjVar(NodeID i, const MemObj* m, PNODEK ty = DummyObjNode)
-        : ObjVar(nullptr, i, m, ty)
+        : BaseObjVar(nullptr, i, m, ty)
     {
     }
 

package/svf/include/Util/SVFUtil.h

@@ -374,8 +374,6 @@ bool isHeapAllocExtCallViaRet(const CallICFGNode* cs);
 
 bool isHeapAllocExtCall(const ICFGNode* cs);
 
-
-
 //@}
 
 u32_t getHeapAllocHoldingArgPosition(const CallICFGNode* cs);

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -316,8 +316,8 @@ IntervalValue BufOverflowDetector::getAccessOffset(SVF::AbstractState& as, SVF::
     SVFIR* svfir = PAG::getPAG();
     auto obj = svfir->getGNode(objId);
 
-    // if the object is a FIObjVar, return the byte offset directly
-    if (SVFUtil::isa<FIObjVar>(obj))
+    // if the object is a BaseObjVar, return the byte offset directly
+    if (SVFUtil::isa<BaseObjVar>(obj))
     {
         return as.getByteOffset(gep);
     }
@@ -351,8 +351,8 @@ void BufOverflowDetector::updateGepObjOffsetFromBase(SVF::AddressValue gepAddrs,
     {
         NodeID objId = AbstractState::getInternalID(objAddr);
         auto obj = svfir->getGNode(objId);
-        // if the object is a FIObjVar, add the offset directly
-        if (SVFUtil::isa<FIObjVar>(obj))
+        // if the object is a BaseObjVar, add the offset directly
+        if (SVFUtil::isa<BaseObjVar>(obj))
         {
             for (const auto& gepAddr : gepAddrs)
             {
@@ -491,7 +491,7 @@ bool BufOverflowDetector::canSafelyAccessMemory(AbstractState& as, const SVF::SV
         }
         else
         {
-            // if the object is a FIObjVar, get the offset directly
+            // if the object is a BaseObjVar, get the offset directly
             offset = len;
         }
         // if the offset is greater than the size, return false

package/svf/lib/DDA/ContextDDA.cpp

@@ -336,7 +336,9 @@ bool ContextDDA::isHeapCondMemObj(const CxtVar& var, const StoreSVFGNode*)
 {
     const MemObj* mem = _pag->getObject(getPtrNodeID(var));
     assert(mem && "memory object is null??");
-    if (mem->isHeap())
+    const BaseObjVar* baseVar = _pag->getBaseObject(getPtrNodeID(var));
+    assert(baseVar && "base object is null??");
+    if (SVFUtil::isa<HeapObjVar, DummyObjVar>(baseVar))
     {
         if (!mem->getValue())
         {

package/svf/lib/DDA/FlowDDA.cpp

@@ -176,9 +176,8 @@ PointsTo FlowDDA::processGepPts(const GepSVFGNode* gep, const PointsTo& srcPts)
 /// (4) not involved in recursion
 bool FlowDDA::isHeapCondMemObj(const NodeID& var, const StoreSVFGNode*)
 {
-    const MemObj* mem = _pag->getObject(getPtrNodeID(var));
-    assert(mem && "memory object is null??");
-    if(mem->isHeap())
+    const BaseObjVar* pVar = _pag->getBaseObject(getPtrNodeID(var));
+    if(pVar && SVFUtil::isa<HeapObjVar, DummyObjVar>(pVar))
     {
 //        if(const Instruction* mallocSite = SVFUtil::dyn_cast<Instruction>(mem->getValue())) {
 //            const SVFFunction* fun = mallocSite->getParent()->getParent();

package/svf/lib/Graphs/ConsG.cpp

@@ -811,7 +811,7 @@ struct DOTGraphTraits<ConstraintGraph*> : public DOTGraphTraits<SVFIR*>
         {
             if(SVFUtil::isa<GepObjVar>(node))
                 return "shape=doubleoctagon";
-            else if(SVFUtil::isa<FIObjVar>(node))
+            else if(SVFUtil::isa<BaseObjVar>(node))
                 return "shape=box3d";
             else if (SVFUtil::isa<DummyObjVar>(node))
                 return "shape=tab";

package/svf/lib/Graphs/IRGraph.cpp

@@ -174,7 +174,7 @@ struct DOTGraphTraits<IRGraph*> : public DefaultDOTGraphTraits
         {
             if(SVFUtil::isa<GepObjVar>(node))
                 return "shape=doubleoctagon";
-            else if(SVFUtil::isa<FIObjVar>(node))
+            else if(SVFUtil::isa<BaseObjVar>(node))
                 return "shape=box3d";
             else if (SVFUtil::isa<DummyObjVar>(node))
                 return "shape=tab";

package/svf/lib/MSSA/MemRegion.cpp

@@ -577,13 +577,15 @@ bool MRGenerator::isNonLocalObject(NodeID id, const SVFFunction* curFun) const
     const MemObj* obj = pta->getPAG()->getObject(id);
     assert(obj && "object not found!!");
     /// if the object is heap or global
-    if(obj->isGlobalObj() || obj->isHeap())
+    const BaseObjVar* pVar = pta->getPAG()->getBaseObject(id);
+    assert(pVar && "object not found!");
+    if(obj->isGlobalObj() || SVFUtil::isa<HeapObjVar, DummyObjVar>(pVar))
         return true;
     /// or if the local variable of its callers
     /// or a local variable is in function recursion cycles
-    else if(obj->isStack())
+    else if(SVFUtil::isa<StackObjVar>(pVar))
     {
-        if(const SVFFunction* svffun = pta->getPAG()->getGNode(id)->getFunction())
+        if(const SVFFunction* svffun = pVar->getFunction())
         {
             if(svffun!=curFun)
                 return true;

package/svf/lib/MemoryModel/PointerAnalysis.cpp

@@ -133,9 +133,9 @@ void PointerAnalysis::initialize()
  */
 bool PointerAnalysis::isLocalVarInRecursiveFun(NodeID id) const
 {
-    const MemObj* obj = pag->getObject(id);
-    assert(obj && "object not found!!");
-    if(obj->isStack())
+    const BaseObjVar* baseObjVar = pag->getBaseObject(id);
+    assert(baseObjVar && "base object not found!!");
+    if(SVFUtil::isa<StackObjVar>(baseObjVar))
     {
         if(const SVFFunction* svffun = pag->getGNode(id)->getFunction())
         {

package/svf/lib/MemoryModel/PointerAnalysisImpl.cpp

@@ -362,7 +362,7 @@ void BVDataPTAImpl::readGepObjVarMapFromFile(std::ifstream& F)
             const MemObj* obj = nullptr;
             if (GepObjVar* gepObjVar = SVFUtil::dyn_cast<GepObjVar>(node))
                 obj = gepObjVar->getMemObj();
-            else if (FIObjVar* baseNode = SVFUtil::dyn_cast<FIObjVar>(node))
+            else if (BaseObjVar* baseNode = SVFUtil::dyn_cast<BaseObjVar>(node))
                 obj = baseNode->getMemObj();
             else if (DummyObjVar* baseNode = SVFUtil::dyn_cast<DummyObjVar>(node))
                 obj = baseNode->getMemObj();

package/svf/lib/SVFIR/SVFFileSystem.cpp

@@ -218,11 +218,13 @@ cJSON* SVFIRWriter::virtToJson(const SVFVar* var)
         CASE(VarargNode, VarArgPN);
         CASE(GepValNode, GepValVar);
         CASE(GepObjNode, GepObjVar);
-        CASE(FIObjNode, FIObjVar);
+        CASE(BaseObjNode, BaseObjVar);
         CASE(DummyValNode, DummyValVar);
         CASE(DummyObjNode, DummyObjVar);
         CASE(FunObjNode, FunObjVar);
         CASE(FunValNode, FunValVar);
+        CASE(HeapObjNode, HeapObjVar);
+        CASE(StackObjNode, StackObjVar);
 #undef CASE
     }
 }
@@ -341,7 +343,7 @@ cJSON* SVFIRWriter::contentToJson(const GepObjVar* var)
     return root;
 }
 
-cJSON* SVFIRWriter::contentToJson(const FIObjVar* var)
+cJSON* SVFIRWriter::contentToJson(const BaseObjVar* var)
 {
     return contentToJson(static_cast<const ObjVar*>(var));
 }
@@ -1621,7 +1623,7 @@ SVFVar* SVFIRReader::createPAGNode(NodeID id, GNodeK kind)
         CASE(VarargNode, VarArgPN);
         CASE(GepValNode, GepValVar);
         CASE(GepObjNode, GepObjVar);
-        CASE(FIObjNode, FIObjVar);
+        CASE(BaseObjNode, BaseObjVar);
         CASE(DummyValNode, DummyValVar);
         CASE(DummyObjNode, DummyObjVar);
 #undef CASE
@@ -1903,7 +1905,7 @@ void SVFIRReader::virtFill(const cJSON*& fieldJson, SVFVar* var)
         CASE(VarargNode, VarArgPN);
         CASE(GepValNode, GepValVar);
         CASE(GepObjNode, GepObjVar);
-        CASE(FIObjNode, FIObjVar);
+        CASE(BaseObjNode, BaseObjVar);
         CASE(DummyValNode, DummyValVar);
         CASE(DummyObjNode, DummyObjVar);
 #undef CASE
@@ -1944,7 +1946,7 @@ void SVFIRReader::fill(const cJSON*& fieldJson, GepObjVar* var)
     JSON_READ_FIELD_FWD(fieldJson, var, base);
 }
 
-void SVFIRReader::fill(const cJSON*& fieldJson, FIObjVar* var)
+void SVFIRReader::fill(const cJSON*& fieldJson, BaseObjVar* var)
 {
     fill(fieldJson, static_cast<ObjVar*>(var));
 }

package/svf/lib/SVFIR/SVFIR.cpp

@@ -403,7 +403,7 @@ NodeID SVFIR::getGepObjVar(NodeID id, const APOffset& apOffset)
     SVFVar* node = pag->getGNode(id);
     if (GepObjVar* gepNode = SVFUtil::dyn_cast<GepObjVar>(node))
         return getGepObjVar(gepNode->getMemObj(), gepNode->getConstantFieldIdx() + apOffset);
-    else if (FIObjVar* baseNode = SVFUtil::dyn_cast<FIObjVar>(node))
+    else if (BaseObjVar* baseNode = SVFUtil::dyn_cast<BaseObjVar>(node))
         return getGepObjVar(baseNode->getMemObj(), apOffset);
     else if (DummyObjVar* baseNode = SVFUtil::dyn_cast<DummyObjVar>(node))
         return getGepObjVar(baseNode->getMemObj(), apOffset);
@@ -468,7 +468,7 @@ NodeID SVFIR::addFIObjNode(const MemObj* obj)
     //assert(findPAGNode(i) == false && "this node should not be created before");
     NodeID base = obj->getId();
     memToFieldsMap[base].set(obj->getId());
-    FIObjVar *node = new FIObjVar(obj->getValue(), obj->getId(), obj);
+    BaseObjVar*node = new BaseObjVar(obj->getValue(), obj->getId(), obj);
     return addObjNode(obj->getValue(), node, obj->getId());
 }
 
@@ -689,7 +689,7 @@ bool SVFIR::isValidTopLevelPtr(const SVFVar* node)
         if (isValidPointer(node->getId()))
         {
             // TODO: after svf value is removed, we use type to determine top level ptr
-            if (SVFUtil::isa<RetPN>(node) || SVFUtil::isa<VarArgPN>(node) || SVFUtil::isa<FunValVar>(node))
+            if (SVFUtil::isa<RetPN, VarArgPN, FunValVar, HeapObjVar, StackObjVar>(node))
             {
                 return true;
             }

package/svf/lib/SVFIR/SVFVariables.cpp

@@ -40,7 +40,7 @@ using namespace SVFUtil;
  * SVFVar constructor
  */
 SVFVar::SVFVar(const SVFValue* val, NodeID i, PNODEK k) :
-    GenericPAGNodeTy(i,k), value(val)
+    GenericPAGNodeTy(i,k), value(val), func(nullptr)
 {
     assert( ValNode <= k && k <= DummyObjNode && "new SVFIR node kind?");
     switch (k)
@@ -52,12 +52,6 @@ SVFVar::SVFVar(const SVFValue* val, NodeID i, PNODEK k) :
         isPtr = val->getType()->isPointerTy();
         break;
     }
-    case RetNode:
-    case FunObjNode:
-    {
-        // to be completed in derived class
-        break;
-    }
     case FunValNode:
     case VarargNode:
     case DummyValNode:
@@ -67,7 +61,7 @@ SVFVar::SVFVar(const SVFValue* val, NodeID i, PNODEK k) :
     }
     case ObjNode:
     case GepObjNode:
-    case FIObjNode:
+    case BaseObjNode:
     case DummyObjNode:
     {
         isPtr = true;
@@ -75,6 +69,14 @@ SVFVar::SVFVar(const SVFValue* val, NodeID i, PNODEK k) :
             isPtr = val->getType()->isPointerTy();
         break;
     }
+    case RetNode:
+    case FunObjNode:
+    case HeapObjNode:
+    case StackObjNode:
+    {
+        // to be completed in derived class
+        break;
+    }
     default:
         assert(false && "var not handled");
         break;
@@ -172,11 +174,11 @@ const std::string GepObjVar::toString() const
     return rawstr.str();
 }
 
-const std::string FIObjVar::toString() const
+const std::string BaseObjVar::toString() const
 {
     std::string str;
     std::stringstream rawstr(str);
-    rawstr << "FIObjVar ID: " << getId() << " (base object)";
+    rawstr << "BaseObjVar ID: " << getId() << " (base object)";
     if (Options::ShowSVFIRValue())
     {
         rawstr << "\n";
@@ -185,6 +187,57 @@ const std::string FIObjVar::toString() const
     return rawstr.str();
 }
 
+HeapObjVar::HeapObjVar(const SVFFunction* f, const SVFType* svfType, NodeID i,
+                       const MemObj* mem, PNODEK ty)
+    : BaseObjVar(mem->getValue(), i, mem, ty)
+{
+    isPtr = svfType->isPointerTy();
+    func = f;
+}
+
+const std::string HeapObjVar::toString() const
+{
+    std::string str;
+    std::stringstream rawstr(str);
+    rawstr << "HeapObjVar ID: " << getId();
+    if (Options::ShowSVFIRValue())
+    {
+        rawstr << "\n";
+        rawstr << valueOnlyToString();
+    }
+    return rawstr.str();
+}
+
+StackObjVar::StackObjVar(const SVFFunction* f, const SVFType* svfType, NodeID i,
+                         const MemObj* mem, PNODEK ty)
+    : BaseObjVar(mem->getValue(), i, mem, ty)
+{
+    isPtr = svfType->isPointerTy();
+    func = f;
+}
+
+const std::string StackObjVar::toString() const
+{
+    std::string str;
+    std::stringstream rawstr(str);
+    rawstr << "StackObjVar ID: " << getId();
+    if (Options::ShowSVFIRValue())
+    {
+        rawstr << "\n";
+        rawstr << valueOnlyToString();
+    }
+    return rawstr.str();
+}
+
+
+
+FunValVar::FunValVar(const CallGraphNode* cgn, NodeID i, const ICFGNode* icn,
+                     PNODEK ty)
+    : ValVar(cgn->getFunction(), i, ty, icn), callGraphNode(cgn)
+{
+    isPtr = cgn->getFunction()->getType()->isPointerTy();
+}
+
 const std::string FunValVar::toString() const
 {
     std::string str;
@@ -200,7 +253,7 @@ const std::string FunValVar::toString() const
 
 FunObjVar::FunObjVar(const CallGraphNode* cgNode, NodeID i, const MemObj* mem,
                      PNODEK ty)
-    : FIObjVar(nullptr, i, mem, ty), callGraphNode(cgNode)
+    : BaseObjVar(mem->getValue(), i, mem, ty), callGraphNode(cgNode)
 {
     isPtr = callGraphNode->getFunction()->getType()->isPointerTy();
 }

package/svf/lib/Util/SVFStat.cpp

@@ -142,10 +142,16 @@ void SVFStat::performStat()
                 numOfFunction++;
             if(mem->isGlobalObj())
                 numOfGlobal++;
-            if(mem->isStack())
+            if (pag->getBaseObject(obj->getId()) &&
+                    SVFUtil::isa<StackObjVar>(
+                        pag->getBaseObject(obj->getId())))
                 numOfStack++;
-            if(mem->isHeap())
+            if (pag->getBaseObject(obj->getId()) &&
+                    SVFUtil::isa<HeapObjVar, DummyObjVar>(
+                        pag->getBaseObject(obj->getId())))
+            {
                 numOfHeap++;
+            }
             if(mem->isVarArray())
                 numOfHasVarArray++;
             if(mem->isVarStruct())

package/svf/lib/WPA/AndersenSFR.cpp

@@ -136,7 +136,7 @@ void AndersenSFR::fieldExpand(NodeSet& initials, APOffset offset, NodeBS& stride
             APOffset initOffset;
             if (GepObjVar *gepNode = SVFUtil::dyn_cast<GepObjVar>(initPN))
                 initOffset = gepNode->getConstantFieldIdx();
-            else if (SVFUtil::isa<FIObjVar, DummyObjVar>(initPN))
+            else if (SVFUtil::isa<BaseObjVar, DummyObjVar>(initPN))
                 initOffset = 0;
             else
             {

package/svf-llvm/include/SVF-LLVM/LLVMUtil.h

@@ -360,6 +360,9 @@ inline bool isHeapAllocExtCall(const Instruction *inst)
     return isHeapAllocExtCallViaRet(inst) || isHeapAllocExtCallViaArg(inst);
 }
 
+// Check if a given value represents a heap object.
+bool isHeapObj(const Value* val);
+
 /// Whether an instruction is a callsite in the application code, excluding llvm intrinsic calls
 bool isNonInstricCallSite(const Instruction* inst);
 

package/svf-llvm/lib/LLVMUtil.cpp

@@ -646,6 +646,30 @@ bool LLVMUtil::isHeapAllocExtCallViaArg(const Instruction* inst)
     }
 }
 
+/**
+ * Check if a given value represents a heap object.
+ *
+ * @param val The value to check.
+ * @return True if the value represents a heap object, false otherwise.
+ */
+bool LLVMUtil::isHeapObj(const Value* val)
+{
+    // Check if the value is an argument in the program entry function
+    if (ArgInProgEntryFunction(val))
+    {
+        // Return true if the value does not have a first use via cast instruction
+        return !getFirstUseViaCastInst(val);
+    }
+    // Check if the value is an instruction and if it is a heap allocation external call
+    else if (SVFUtil::isa<Instruction>(val) &&
+             LLVMUtil::isHeapAllocExtCall(SVFUtil::cast<Instruction>(val)))
+    {
+        return true;
+    }
+    // Return false if none of the above conditions are met
+    return false;
+}
+
 bool LLVMUtil::isNonInstricCallSite(const Instruction* inst)
 {
     bool res = false;

package/svf-llvm/lib/SVFIRBuilder.cpp

@@ -214,15 +214,21 @@ void SVFIRBuilder::initialiseNodes()
     pag->addBlackholePtrNode();
     addNullPtrNode();
 
+    // Iterate over all value symbols in the symbol table
     for (SymbolTableInfo::ValueToIDMapTy::iterator iter =
                 symTable->valSyms().begin(); iter != symTable->valSyms().end();
             ++iter)
     {
+        // Debug output for adding value node
         DBOUT(DPAGBuild, outs() << "add val node " << iter->second << "\n");
+
+        // Skip blackhole and null pointer symbols
         if(iter->second == symTable->blkPtrSymID() || iter->second == symTable->nullPtrSymID())
             continue;
 
         const ICFGNode* icfgNode = nullptr;
+
+        // Check if the value is an instruction and get its ICFG node
         if (const Instruction* inst =
                     SVFUtil::dyn_cast<Instruction>(llvmModuleSet()->getLLVMValue(iter->first)))
         {
@@ -232,30 +238,59 @@ void SVFIRBuilder::initialiseNodes()
             }
         }
 
+        // Check if the value is a function and get its call graph node
         if (const Function* func =
                     SVFUtil::dyn_cast<Function>(llvmModuleSet()->getLLVMValue(iter->first)))
         {
             const CallGraphNode* cgn = llvmModuleSet()->getCallGraphNode(func);
+            // add value node representing the function
             pag->addFunValNode(cgn, iter->second, icfgNode);
         }
         else
         {
+            // Add value node to PAG
             pag->addValNode(iter->first, iter->second, icfgNode);
         }
     }
 
+    // Iterate over all object symbols in the symbol table
     for (SymbolTableInfo::ValueToIDMapTy::iterator iter =
                 symTable->objSyms().begin(); iter != symTable->objSyms().end();
             ++iter)
     {
+        // Debug output for adding object node
         DBOUT(DPAGBuild, outs() << "add obj node " << iter->second << "\n");
+
+        // Skip blackhole and constant symbols
         if(iter->second == symTable->blackholeSymID() || iter->second == symTable->constantSymID())
             continue;
-        if (const Function* func = SVFUtil::dyn_cast<Function>(
-                                       llvmModuleSet()->getLLVMValue(iter->first)))
+
+        // Get the LLVM value corresponding to the symbol
+        const Value* llvmValue = llvmModuleSet()->getLLVMValue(iter->first);
+
+        // Check if the value is a function and add a function object node
+        if (const Function* func = SVFUtil::dyn_cast<Function>(llvmValue))
         {
             pag->addFunObjNode(llvmModuleSet()->getCallGraphNode(func), iter->second);
         }
+        // Check if the value is a heap object and add a heap object node
+        else if (LLVMUtil::isHeapObj(llvmValue))
+        {
+            const SVFFunction* f =
+                SVFUtil::cast<SVFInstruction>(iter->first)->getFunction();
+            pag->addHeapObjNode(iter->first, f, iter->second);
+            llvmModuleSet()->setValueAttr(llvmValue,pag->getGNode(iter->second));
+        }
+        // Check if the value is an alloca instruction and add a stack object node
+        else if (SVFUtil::isa<AllocaInst>(llvmValue))
+        {
+            const SVFFunction* f =
+                SVFUtil::cast<SVFInstruction>(iter->first)->getFunction();
+            pag->addStackObjNode(iter->first, f, iter->second);
+            llvmModuleSet()->setValueAttr(llvmValue,
+                                          pag->getGNode(iter->second));
+        }
+        // Add a generic object node for other types of values
         else
         {
             pag->addObjNode(iter->first, iter->second);
@@ -1347,7 +1382,7 @@ void SVFIRBuilder::setCurrentBBAndValueForPAGEdge(PAGEdge* edge)
     {
         const SVFFunction* srcFun = edge->getSrcNode()->getFunction();
         const SVFFunction* dstFun = edge->getDstNode()->getFunction();
-        if(srcFun!=nullptr && !SVFUtil::isa<RetPE>(edge) && !SVFUtil::isa<SVFFunction>(edge->getSrcNode()->getValue()))
+        if(srcFun!=nullptr && !SVFUtil::isa<RetPE>(edge) && edge->getSrcNode()->hasValue() && !SVFUtil::isa<SVFFunction>(edge->getSrcNode()->getValue()))
         {
             assert(srcFun==curInst->getFunction() && "SrcNode of the PAGEdge not in the same function?");
         }