svf-tools 1.0.1199 → 1.0.1201

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1199",
+  "version": "1.0.1201",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -32,6 +32,7 @@
 #include "AE/Core/AbstractState.h"
 #include "AE/Core/ICFGWTO.h"
 #include "AE/Svfexe/AEDetector.h"
+#include "AE/Svfexe/PreAnalysis.h"
 #include "AE/Svfexe/AbsExtAPI.h"
 #include "Util/SVFBugReport.h"
 #include "Util/SVFStat.h"
@@ -111,8 +112,6 @@ class AbstractInterpretation
     friend class NullptrDerefDetector;
 
 public:
-    typedef SCCDetection<CallGraph*> CallGraphSCC;
-
     /*
      * For recursive test case
      * int demo(int a) {
@@ -189,9 +188,6 @@ private:
     /// Global ICFGNode is handled at the entry of the program,
     virtual void handleGlobalNode();
 
-    /// Compute IWTO for each function partition entry
-    void initWTO();
-
     /**
      * Check if execution state exist by merging states of predecessor nodes
      *
@@ -260,13 +256,6 @@ private:
      */
     std::vector<const ICFGNode*> getNextNodesOfCycle(const ICFGCycleWTO* cycle) const;
 
-    /**
-     * Recursively collect cycle heads from nested WTO components
-     *
-     * @param comps The list of WTO components to collect cycle heads from
-     */
-    void collectCycleHeads(const std::list<const ICFGWTOComp*>& comps);
-
     /**
      * handle SVF Statement like CmpStmt, CallStmt, GepStmt, LoadStmt, StoreStmt, etc.
      *
@@ -333,10 +322,7 @@ private:
     CallGraph* callGraph;
     AEStat* stat;
 
-    Map<const FunObjVar*, const ICFGWTO*> funcToWTO;
-    Set<std::pair<const CallICFGNode*, NodeID>> nonRecursiveCallSites;
-    Set<const FunObjVar*> recursiveFuns;
-    Map<const ICFGNode*, const ICFGCycleWTO*> cycleHeadToCycle;
+    PreAnalysis* preAnalysis{nullptr};
 
 
     bool hasAbsStateFromTrace(const ICFGNode* node)
@@ -353,8 +339,7 @@ private:
     virtual bool isExtCall(const CallICFGNode* callNode);
     virtual void handleExtCall(const CallICFGNode* callNode);
     virtual bool isRecursiveFun(const FunObjVar* fun);
-    virtual bool isRecursiveCall(const CallICFGNode* callNode);
-    virtual void recursiveCallPass(const CallICFGNode *callNode);
+    virtual void handleRecursiveCall(const CallICFGNode *callNode);
     virtual bool isRecursiveCallSite(const CallICFGNode* callNode, const FunObjVar *);
     virtual void handleFunCall(const CallICFGNode* callNode);
 

package/svf/include/AE/Svfexe/PreAnalysis.h

@@ -0,0 +1,81 @@
+//===- PreAnalysis.h -- Pre-Analysis for Abstract Interpretation----------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+/*
+ * PreAnalysis.h
+ *
+ *  Created on: Feb 25, 2026
+ *      Author: Jiawei Wang
+ *
+ * This file provides a pre-analysis phase for Abstract Interpretation.
+ * It runs Andersen's pointer analysis and builds WTO (Weak Topological Order)
+ * for each function before the main abstract interpretation.
+ */
+
+#ifndef INCLUDE_AE_SVFEXE_PREANALYSIS_H_
+#define INCLUDE_AE_SVFEXE_PREANALYSIS_H_
+
+#include "SVFIR/SVFIR.h"
+#include "Graphs/ICFG.h"
+#include "Graphs/CallGraph.h"
+#include "Graphs/SCC.h"
+#include "AE/Core/ICFGWTO.h"
+#include "WPA/Andersen.h"
+
+namespace SVF
+{
+
+class PreAnalysis
+{
+public:
+    typedef SCCDetection<CallGraph*> CallGraphSCC;
+
+    PreAnalysis(SVFIR* pag, ICFG* icfg);
+    virtual ~PreAnalysis();
+
+    /// Accessors for Andersen's results
+    AndersenWaveDiff* getPointerAnalysis() const { return pta; }
+    CallGraph* getCallGraph() const { return callGraph; }
+    CallGraphSCC* getCallGraphSCC() const { return callGraphSCC; }
+
+    /// Build WTO for each function using call graph SCC
+    void initWTO();
+
+    /// Accessors for WTO data
+    const Map<const FunObjVar*, const ICFGWTO*>& getFuncToWTO() const
+    {
+        return funcToWTO;
+    }
+
+private:
+    SVFIR* svfir;
+    ICFG* icfg;
+    AndersenWaveDiff* pta;
+    CallGraph* callGraph;
+    CallGraphSCC* callGraphSCC;
+
+    Map<const FunObjVar*, const ICFGWTO*> funcToWTO;
+};
+
+} // End namespace SVF
+
+#endif /* INCLUDE_AE_SVFEXE_PREANALYSIS_H_ */

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -48,6 +48,12 @@ void AbstractInterpretation::runOnModule(ICFG *_icfg)
     svfir = PAG::getPAG();
     utils = new AbsExtAPI(abstractTrace);
 
+    // Run Andersen's pointer analysis and build WTO
+    preAnalysis = new PreAnalysis(svfir, icfg);
+    callGraph = preAnalysis->getCallGraph();
+    icfg->updateCallGraph(callGraph);
+    preAnalysis->initWTO();
+
     /// collect checkpoint
     collectCheckPoint();
 
@@ -63,103 +69,13 @@ void AbstractInterpretation::runOnModule(ICFG *_icfg)
 
 AbstractInterpretation::AbstractInterpretation()
 {
-    AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(svfir);
-    callGraph = ander->getCallGraph();
     stat = new AEStat(this);
 }
 /// Destructor
 AbstractInterpretation::~AbstractInterpretation()
 {
     delete stat;
-    for (auto it: funcToWTO)
-        delete it.second;
-}
-
-/**
- * @brief Recursively collect cycle heads from nested WTO components
- *
- * This helper function traverses the WTO component tree and builds the cycleHeadToCycle
- * map, which maps each cycle head node to its corresponding ICFGCycleWTO object.
- * This enables efficient O(1) lookup of cycles during analysis.
- */
-void AbstractInterpretation::collectCycleHeads(const std::list<const ICFGWTOComp*>& comps)
-{
-    for (const ICFGWTOComp* comp : comps)
-    {
-        if (const ICFGCycleWTO* cycle = SVFUtil::dyn_cast<ICFGCycleWTO>(comp))
-        {
-            cycleHeadToCycle[cycle->head()->getICFGNode()] = cycle;
-            // Recursively collect nested cycle heads
-            collectCycleHeads(cycle->getWTOComponents());
-        }
-    }
-}
-
-void AbstractInterpretation::initWTO()
-{
-    AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(svfir);
-    CallGraphSCC* callGraphScc = ander->getCallGraphSCC();
-    callGraphScc->find();
-    // Iterate through the call graph
-    for (auto it = callGraph->begin(); it != callGraph->end(); it++)
-    {
-        // Check if the current function is part of a cycle
-        if (callGraphScc->isInCycle(it->second->getId()))
-            recursiveFuns.insert(it->second->getFunction()); // Mark the function as recursive
-
-        // Calculate ICFGWTO for each function/recursion
-        const FunObjVar *fun = it->second->getFunction();
-        if (fun->isDeclaration())
-            continue;
-
-        NodeID repNodeId = callGraphScc->repNode(it->second->getId());
-        auto cgSCCNodes = callGraphScc->subNodes(repNodeId);
-
-        // Identify if this node is an SCC entry (nodes who have incoming edges
-        // from nodes outside the SCC). Also identify non-recursive callsites.
-        bool isEntry = false;
-        if (it->second->getInEdges().empty())
-            isEntry = true;
-        for (auto inEdge: it->second->getInEdges())
-        {
-            NodeID srcNodeId = inEdge->getSrcID();
-            if (!cgSCCNodes.test(srcNodeId))
-            {
-                isEntry = true;
-                const CallICFGNode *callSite = nullptr;
-                if (inEdge->isDirectCallEdge())
-                    callSite = *(inEdge->getDirectCalls().begin());
-                else if (inEdge->isIndirectCallEdge())
-                    callSite = *(inEdge->getIndirectCalls().begin());
-                else
-                    assert(false && "CallGraphEdge must "
-                           "be either direct or indirect!");
-
-                nonRecursiveCallSites.insert(
-                {callSite, inEdge->getDstNode()->getFunction()->getId()});
-            }
-        }
-
-        // Compute IWTO for the function partition entered from each partition entry
-        if (isEntry)
-        {
-            Set<const FunObjVar*> funcScc;
-            for (const auto& node: cgSCCNodes)
-            {
-                funcScc.insert(callGraph->getGNode(node)->getFunction());
-            }
-            ICFGWTO* iwto = new ICFGWTO(icfg->getFunEntryICFGNode(fun), funcScc);
-            iwto->init();
-            funcToWTO[it->second->getFunction()] = iwto;
-        }
-    }
-
-    // Build cycleHeadToCycle map for all functions
-    // This maps cycle head nodes to their corresponding WTO cycles for efficient lookup
-    for (auto& [func, wto] : funcToWTO)
-    {
-        collectCycleHeads(wto->getWTOComponents());
-    }
+    delete preAnalysis;
 }
 
 /// Collect entry point functions for analysis.
@@ -200,8 +116,6 @@ std::deque<const FunObjVar*> AbstractInterpretation::collectProgEntryFuns()
 /// Program entry - analyze from all entry points (multi-entry analysis is the default)
 void AbstractInterpretation::analyse()
 {
-    initWTO();
-
     // Always use multi-entry analysis from all entry points
     analyzeFromAllProgEntries();
 }
@@ -814,8 +728,8 @@ std::vector<const ICFGNode*> AbstractInterpretation::getNextNodesOfCycle(const I
  */
 void AbstractInterpretation::handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller)
 {
-    auto it = funcToWTO.find(funEntry->getFun());
-    if (it == funcToWTO.end())
+    auto it = preAnalysis->getFuncToWTO().find(funEntry->getFun());
+    if (it == preAnalysis->getFuncToWTO().end())
         return;
 
     // Push all top-level WTO components into the worklist in WTO order
@@ -872,21 +786,11 @@ void AbstractInterpretation::handleExtCall(const CallICFGNode *callNode)
 /// Check if a function is recursive (part of a call graph SCC)
 bool AbstractInterpretation::isRecursiveFun(const FunObjVar* fun)
 {
-    return recursiveFuns.find(fun) != recursiveFuns.end();
-}
-
-/// Check if a call node calls a recursive function
-bool AbstractInterpretation::isRecursiveCall(const CallICFGNode *callNode)
-{
-    const FunObjVar *callfun = callNode->getCalledFunction();
-    if (!callfun)
-        return false;
-    else
-        return isRecursiveFun(callfun);
+    return preAnalysis->getPointerAnalysis()->isInRecursion(fun);
 }
 
 /// Handle recursive call in TOP mode: set all stores and return value to TOP
-void AbstractInterpretation::recursiveCallPass(const CallICFGNode *callNode)
+void AbstractInterpretation::handleRecursiveCall(const CallICFGNode *callNode)
 {
     AbstractState& as = getAbsStateFromTrace(callNode);
     setTopToObjInRecursion(callNode);
@@ -905,12 +809,12 @@ void AbstractInterpretation::recursiveCallPass(const CallICFGNode *callNode)
     abstractTrace[retNode] = as;
 }
 
-/// Check if a call is a recursive callsite (within same SCC, not entry call from outside)
+/// Check if caller and callee are in the same CallGraph SCC (i.e. a recursive callsite)
 bool AbstractInterpretation::isRecursiveCallSite(const CallICFGNode* callNode,
         const FunObjVar* callee)
 {
-    return nonRecursiveCallSites.find({callNode, callee->getId()}) ==
-           nonRecursiveCallSites.end();
+    const FunObjVar* caller = callNode->getCaller();
+    return preAnalysis->getPointerAnalysis()->inSameCallGraphSCC(caller, callee);
 }
 
 /// Get callee function: directly for direct calls, via pointer analysis for indirect calls
@@ -1013,7 +917,7 @@ void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
     }
 
     // Indirect call: use Andersen's call graph to get all resolved callees.
-    // The call graph was built during initWTO() by running Andersen's pointer analysis,
+    // The call graph was built during PreAnalysis::initWTO() by running Andersen's pointer analysis,
     // which over-approximates the set of possible targets for each indirect callsite.
     if (callGraph->hasIndCSCallees(callNode))
     {
@@ -1051,7 +955,7 @@ void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
 /// Behavior depends on Options::HandleRecur():
 ///
 /// - TOP mode:
-///     Does not iterate. Calls recursiveCallPass() to set all stores and
+///     Does not iterate. Calls handleRecursiveCall() to set all stores and
 ///     return value to TOP immediately. This is the most conservative but fastest.
 ///     Example:
 ///       int factorial(int n) { return n <= 1 ? 1 : n * factorial(n-1); }
@@ -1074,13 +978,13 @@ void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle, co
 {
     const ICFGNode* cycle_head = cycle->head()->getICFGNode();
 
-    // TOP mode for recursive function cycles: use recursiveCallPass to set
+    // TOP mode for recursive function cycles: use handleRecursiveCall to set
     // all stores and return value to TOP, maintaining original semantics
     if (Options::HandleRecur() == TOP && isRecursiveFun(cycle_head->getFun()))
     {
         if (caller)
         {
-            recursiveCallPass(caller);
+            handleRecursiveCall(caller);
         }
         return;
     }

package/svf/lib/AE/Svfexe/PreAnalysis.cpp

@@ -0,0 +1,84 @@
+//===- PreAnalysis.cpp -- Pre-Analysis for Abstract Interpretation---------//
+//
+//                     SVF: Static Value-Flow Analysis
+//
+// Copyright (C) <2013->  <Yulei Sui>
+//
+
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+//
+//===----------------------------------------------------------------------===//
+
+/*
+ * PreAnalysis.cpp
+ *
+ *  Created on: Feb 25, 2026
+ *      Author: Jiawei Wang
+ */
+
+#include "AE/Svfexe/PreAnalysis.h"
+
+using namespace SVF;
+
+PreAnalysis::PreAnalysis(SVFIR* pag, ICFG* icfg)
+    : svfir(pag), icfg(icfg)
+{
+    pta = AndersenWaveDiff::createAndersenWaveDiff(svfir);
+    callGraph = pta->getCallGraph();
+    callGraphSCC = pta->getCallGraphSCC();
+}
+
+PreAnalysis::~PreAnalysis()
+{
+    for (auto& [func, wto] : funcToWTO)
+        delete wto;
+}
+
+void PreAnalysis::initWTO()
+{
+    callGraphSCC->find();
+
+    for (auto it = callGraph->begin(); it != callGraph->end(); it++)
+    {
+        const FunObjVar *fun = it->second->getFunction();
+        if (fun->isDeclaration())
+            continue;
+
+        NodeID repNodeId = callGraphSCC->repNode(it->second->getId());
+        auto cgSCCNodes = callGraphSCC->subNodes(repNodeId);
+
+        bool isEntry = false;
+        if (it->second->getInEdges().empty())
+            isEntry = true;
+        for (auto inEdge: it->second->getInEdges())
+        {
+            NodeID srcNodeId = inEdge->getSrcID();
+            if (!cgSCCNodes.test(srcNodeId))
+                isEntry = true;
+        }
+
+        if (isEntry)
+        {
+            Set<const FunObjVar*> funcScc;
+            for (const auto& node: cgSCCNodes)
+            {
+                funcScc.insert(callGraph->getGNode(node)->getFunction());
+            }
+            ICFGWTO* iwto = new ICFGWTO(icfg->getFunEntryICFGNode(fun), funcScc);
+            iwto->init();
+            funcToWTO[it->second->getFunction()] = iwto;
+        }
+    }
+
+}

package/svf-llvm/tools/AE/ae.cpp

@@ -878,10 +878,10 @@ int main(int argc, char** argv)
     LLVMModuleSet::getLLVMModuleSet()->buildSVFModule(moduleNameVec);
     SVFIRBuilder builder;
     SVFIR* pag = builder.build();
+    // Run Andersen's to resolve indirect calls, then update SVFIR with resolved targets.
+    // The Andersen singleton will be reused inside AbstractInterpretation::runOnModule().
     AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(pag);
-    CallGraph* callgraph = ander->getCallGraph();
-    builder.updateCallGraph(callgraph);
-    pag->getICFG()->updateCallGraph(callgraph);
+    builder.updateCallGraph(ander->getCallGraph());
     AbstractInterpretation& ae = AbstractInterpretation::getAEInstance();
     if (Options::BufferOverflowCheck())
         ae.addDetector(std::make_unique<BufOverflowDetector>());