svf-tools 1.0.1231 → 1.0.1233

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1231",
+  "version": "1.0.1233",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/Graphs/VFG.h

@@ -597,13 +597,11 @@ protected:
         /// do not set def here, this node is not a variable definition
     }
     /// Add a formal parameter VFG node
-    inline void addFormalParmVFGNode(const ValVar* fparm, const FunObjVar* fun, CallPESet& callPEs)
+    inline void addFormalParmVFGNode(const ValVar* fparm, const FunObjVar* fun, const CallPE* callPE)
     {
         FormalParmVFGNode* sNode = new FormalParmVFGNode(totalVFGNode++,fparm,fun);
         addVFGNode(sNode, pag->getICFG()->getFunEntryICFGNode(fun));
-        for(CallPESet::const_iterator it = callPEs.begin(), eit=callPEs.end();
-                it!=eit; ++it)
-            sNode->addCallPE(*it);
+        sNode->setCallPE(callPE);
 
         setDef(fparm,sNode);
         SVFVarToFormalParmMap[fparm] = sNode;

package/svf/include/Graphs/VFGNode.h

@@ -1028,12 +1028,12 @@ class FormalParmVFGNode : public ArgumentVFGNode
 {
 private:
     const FunObjVar* fun;
-    CallPESet callPEs;
+    const CallPE* callPE;
 
 public:
     /// Constructor
     FormalParmVFGNode(NodeID id, const ValVar* n, const FunObjVar* f):
-        ArgumentVFGNode(id, n, FParm),  fun(f)
+        ArgumentVFGNode(id, n, FParm),  fun(f), callPE(nullptr)
     {
     }
 
@@ -1048,20 +1048,15 @@ public:
     {
         return fun;
     }
-    /// Return call edge
-    inline void addCallPE(const CallPE* call)
+    /// Set the (single, phi-like) CallPE for this formal parameter
+    inline void setCallPE(const CallPE* call)
     {
-        callPEs.insert(call);
+        callPE = call;
     }
-    /// Call edge iterator
-    ///@{
-    inline CallPESet::const_iterator callPEBegin() const
-    {
-        return callPEs.begin();
-    }
-    inline CallPESet::const_iterator callPEEnd() const
+    /// Return the CallPE (phi-like, merges all actual params)
+    inline const CallPE* getCallPE() const
     {
-        return callPEs.end();
+        return callPE;
     }
     //@}
 

package/svf/include/SVFIR/SVFIR.h

@@ -57,6 +57,7 @@ public:
     typedef std::vector<const SVFStmt*> SVFStmtList;
     typedef std::vector<const ValVar*> ValVarList;
     typedef Map<const SVFVar*,PhiStmt*> PHINodeMap;
+    typedef Map<const SVFVar*,CallPE*> FParmToCallPEMap;
     typedef Map<const FunObjVar*,ValVarList> FunToArgsListMap;
     typedef Map<const CallICFGNode*,ValVarList> CSToArgsListMap;
     typedef Map<const RetICFGNode*,const ValVar*> CSToRetMap;
@@ -84,6 +85,7 @@ private:
     MemObjToFieldsMap memToFieldsMap;	///< Map a mem object id to all its fields
     SVFStmtSet globSVFStmtSet;	///< Global PAGEdges without control flow information
     PHINodeMap phiNodeMap;	///< A set of phi copy edges
+    FParmToCallPEMap fParmToCallPEMap; ///< Map a formal param to its CallPE
     FunToArgsListMap funArgsListMap;	///< Map a function to a list of all its formal parameters
     CSToArgsListMap callSiteArgsListMap;	///< Map a callsite to a list of all its actual parameters
     CSToRetMap callSiteRetMap;	///< Map a callsite to its callsite returns PAGNodes
@@ -353,6 +355,12 @@ public:
     {
         return phiNodeMap.find(node) != phiNodeMap.end();
     }
+    /// Get the CallPE for a formal parameter (phi-like, nullptr if not found)
+    inline CallPE* getCallPEForFormalParm(const SVFVar* param) const
+    {
+        auto it = fParmToCallPEMap.find(param);
+        return it != fParmToCallPEMap.end() ? it->second : nullptr;
+    }
 
     /// Function has arguments list
     inline bool hasFunArgsList(const FunObjVar* func) const
@@ -911,7 +919,7 @@ private:
     /// Add Store edge
     StoreStmt* addStoreStmt(NodeID src, NodeID dst, const ICFGNode* val);
     void addStoreStmt(StoreStmt* edge, SVFVar* src, SVFVar* dst);
-    /// Add Call edge
+    /// Add Call edge (phi-like: merges actual params from all call sites into formal param)
     CallPE* addCallPE(NodeID src, NodeID dst, const CallICFGNode* cs,
                       const FunEntryICFGNode* entry);
     void addCallPE(CallPE* edge, SVFVar* src, SVFVar* dst);

package/svf/include/SVFIR/SVFStatements.h

@@ -335,10 +335,8 @@ public:
                edge->getEdgeKind() == SVFStmt::Copy ||
                edge->getEdgeKind() == SVFStmt::Store ||
                edge->getEdgeKind() == SVFStmt::Load ||
-               edge->getEdgeKind() == SVFStmt::Call ||
                edge->getEdgeKind() == SVFStmt::Ret ||
                edge->getEdgeKind() == SVFStmt::Gep ||
-               edge->getEdgeKind() == SVFStmt::ThreadFork ||
                edge->getEdgeKind() == SVFStmt::ThreadJoin;
     }
     static inline bool classof(const GenericPAGEdgeTy* edge)
@@ -347,10 +345,8 @@ public:
                edge->getEdgeKind() == SVFStmt::Copy ||
                edge->getEdgeKind() == SVFStmt::Store ||
                edge->getEdgeKind() == SVFStmt::Load ||
-               edge->getEdgeKind() == SVFStmt::Call ||
                edge->getEdgeKind() == SVFStmt::Ret ||
                edge->getEdgeKind() == SVFStmt::Gep ||
-               edge->getEdgeKind() == SVFStmt::ThreadFork ||
                edge->getEdgeKind() == SVFStmt::ThreadJoin;
     }
     //@}
@@ -693,67 +689,6 @@ public:
 };
 
 
-/*!
- * Call
- */
-class CallPE: public AssignStmt
-{
-    friend class GraphDBClient;
-
-private:
-    CallPE(const CallPE&);         ///< place holder
-    void operator=(const CallPE&); ///< place holder
-
-    const CallICFGNode* call;      /// the callsite statement calling from
-    const FunEntryICFGNode* entry; /// the function exit statement calling to
-
-public:
-    /// Methods for support type inquiry through isa, cast, and dyn_cast:
-    //@{
-    static inline bool classof(const CallPE*)
-    {
-        return true;
-    }
-    static inline bool classof(const SVFStmt* edge)
-    {
-        return edge->getEdgeKind() == SVFStmt::Call ||
-               edge->getEdgeKind() == SVFStmt::ThreadFork;
-    }
-    static inline bool classof(const GenericPAGEdgeTy* edge)
-    {
-        return edge->getEdgeKind() == SVFStmt::Call ||
-               edge->getEdgeKind() == SVFStmt::ThreadFork;
-    }
-    //@}
-
-    /// constructor
-    CallPE(SVFVar* s, SVFVar* d, const CallICFGNode* i,
-           const FunEntryICFGNode* e, GEdgeKind k = SVFStmt::Call);
-
-    /// Get method for the call instruction
-    //@{
-    inline const CallICFGNode* getCallInst() const
-    {
-        return call;
-    }
-    inline const CallICFGNode* getCallSite() const
-    {
-        return call;
-    }
-    inline const FunEntryICFGNode* getFunEntryICFGNode() const
-    {
-        return entry;
-    }
-    //@}
-
-    const ValVar* getRHSVar() const;
-    const ValVar* getLHSVar() const;
-    const ValVar* getSrcNode() const;
-    const ValVar* getDstNode() const;
-
-    virtual const std::string toString() const override;
-};
-
 /*!
  * Return
  */
@@ -850,12 +785,14 @@ public:
     static inline bool classof(const SVFStmt* node)
     {
         return node->getEdgeKind() == Phi || node->getEdgeKind() == Select ||
-               node->getEdgeKind() == BinaryOp || node->getEdgeKind() == Cmp;
+               node->getEdgeKind() == BinaryOp || node->getEdgeKind() == Cmp ||
+               node->getEdgeKind() == Call || node->getEdgeKind() == ThreadFork;
     }
     static inline bool classof(const GenericPAGEdgeTy* node)
     {
         return node->getEdgeKind() == Phi || node->getEdgeKind() == Select ||
-               node->getEdgeKind() == BinaryOp || node->getEdgeKind() == Cmp;
+               node->getEdgeKind() == BinaryOp || node->getEdgeKind() == Cmp ||
+               node->getEdgeKind() == Call || node->getEdgeKind() == ThreadFork;
     }
     //@}
     /// Operands and result at a BinaryNode e.g., p = q + r, `p` is resVar and
@@ -891,6 +828,81 @@ public:
     //@}
 };
 
+/*!
+ * Call
+ * CallPE is a phi-like statement at function entry that merges actual parameters
+ * from all call sites into the formal parameter.
+ * e.g., formal_param = CallPE(actual1@callsite1, actual2@callsite2, ...)
+ */
+class CallPE: public MultiOpndStmt
+{
+    friend class GraphDBClient;
+
+public:
+    typedef std::vector<const CallICFGNode*> CallICFGNodeVec;
+
+private:
+    CallPE(const CallPE&);         ///< place holder
+    void operator=(const CallPE&); ///< place holder
+
+    CallICFGNodeVec opCallICFGNodes; /// each operand's call site
+    const FunEntryICFGNode* entry;   /// the function entry node
+
+public:
+    /// Methods for support type inquiry through isa, cast, and dyn_cast:
+    //@{
+    static inline bool classof(const CallPE*)
+    {
+        return true;
+    }
+    static inline bool classof(const SVFStmt* edge)
+    {
+        return edge->getEdgeKind() == SVFStmt::Call ||
+               edge->getEdgeKind() == SVFStmt::ThreadFork;
+    }
+    static inline bool classof(const GenericPAGEdgeTy* edge)
+    {
+        return edge->getEdgeKind() == SVFStmt::Call ||
+               edge->getEdgeKind() == SVFStmt::ThreadFork;
+    }
+    //@}
+
+    /// constructor
+    CallPE(ValVar* res, const OPVars& opnds,
+           const CallICFGNodeVec& icfgNodes,
+           const FunEntryICFGNode* e,
+           GEdgeKind k = SVFStmt::Call);
+
+    /// Add an operand (actual param) from a call site
+    void addOpVar(ValVar* op, const CallICFGNode* call)
+    {
+        opVars.push_back(op);
+        opCallICFGNodes.push_back(call);
+        assert(opVars.size() == opCallICFGNodes.size() &&
+               "Numbers of operands and their CallICFGNodes are not consistent?");
+    }
+
+    /// Return the CallICFGNode of the i-th operand
+    inline const CallICFGNode* getOpCallICFGNode(u32_t op_idx) const
+    {
+        return opCallICFGNodes.at(op_idx);
+    }
+
+    /// Return all call site ICFGNodes
+    inline const CallICFGNodeVec& getOpCallICFGNodes() const
+    {
+        return opCallICFGNodes;
+    }
+
+    /// Return the function entry node
+    inline const FunEntryICFGNode* getFunEntryICFGNode() const
+    {
+        return entry;
+    }
+
+    virtual const std::string toString() const override;
+};
+
 /*!
  * Phi statement (e.g., p = phi(q,r) which receives values from variables q and r from different paths)
  * it is typically at a joint point of the control-flow graph
@@ -1340,17 +1352,13 @@ public:
     //@}
 
     /// constructor
-    TDForkPE(SVFVar* s, SVFVar* d, const CallICFGNode* i,
-             const FunEntryICFGNode* entry)
-        : CallPE(s, d, i, entry, SVFStmt::ThreadFork)
+    TDForkPE(ValVar* res, const OPVars& opnds,
+             const CallICFGNodeVec& icfgNodes,
+             const FunEntryICFGNode* e)
+        : CallPE(res, opnds, icfgNodes, e, SVFStmt::ThreadFork)
     {
     }
 
-    const ValVar* getRHSVar() const;
-    const ValVar* getLHSVar() const;
-    const ValVar* getSrcNode() const;
-    const ValVar* getDstNode() const;
-
     virtual const std::string toString() const;
 
 };

package/svf/include/SVFIR/SVFVariables.h

@@ -2229,16 +2229,34 @@ class BasicBlockValVar: public ValVar
     friend class GraphDBClient;
 
 public:
-    static inline bool classof(const BasicBlockValVar*) { return true; }
-    static inline bool classof(const SVFVar* node) { return node->getNodeKind() == SVFVar::BasicBlockValNode; }
-    static inline bool classof(const ValVar* node) { return node->getNodeKind() == SVFVar::BasicBlockValNode; }
-    static inline bool classof(const GenericPAGNodeTy* node) { return node->getNodeKind() == SVFVar::BasicBlockValNode; }
-    static inline bool classof(const SVFValue* node) { return node->getNodeKind() == SVFVar::BasicBlockValNode; }
+    static inline bool classof(const BasicBlockValVar*)
+    {
+        return true;
+    }
+    static inline bool classof(const SVFVar* node)
+    {
+        return node->getNodeKind() == SVFVar::BasicBlockValNode;
+    }
+    static inline bool classof(const ValVar* node)
+    {
+        return node->getNodeKind() == SVFVar::BasicBlockValNode;
+    }
+    static inline bool classof(const GenericPAGNodeTy* node)
+    {
+        return node->getNodeKind() == SVFVar::BasicBlockValNode;
+    }
+    static inline bool classof(const SVFValue* node)
+    {
+        return node->getNodeKind() == SVFVar::BasicBlockValNode;
+    }
 
     BasicBlockValVar(NodeID i, const SVFType* svfType)
         : ValVar(i, svfType, nullptr, BasicBlockValNode) {}
 
-    inline const std::string getValueName() const { return "basicBlockVal"; }
+    inline const std::string getValueName() const
+    {
+        return "basicBlockVal";
+    }
     virtual const std::string toString() const;
 };
 
@@ -2253,16 +2271,34 @@ class AsmPCValVar: public ValVar
     friend class GraphDBClient;
 
 public:
-    static inline bool classof(const AsmPCValVar*) { return true; }
-    static inline bool classof(const SVFVar* node) { return node->getNodeKind() == SVFVar::AsmPCValNode; }
-    static inline bool classof(const ValVar* node) { return node->getNodeKind() == SVFVar::AsmPCValNode; }
-    static inline bool classof(const GenericPAGNodeTy* node) { return node->getNodeKind() == SVFVar::AsmPCValNode; }
-    static inline bool classof(const SVFValue* node) { return node->getNodeKind() == SVFVar::AsmPCValNode; }
+    static inline bool classof(const AsmPCValVar*)
+    {
+        return true;
+    }
+    static inline bool classof(const SVFVar* node)
+    {
+        return node->getNodeKind() == SVFVar::AsmPCValNode;
+    }
+    static inline bool classof(const ValVar* node)
+    {
+        return node->getNodeKind() == SVFVar::AsmPCValNode;
+    }
+    static inline bool classof(const GenericPAGNodeTy* node)
+    {
+        return node->getNodeKind() == SVFVar::AsmPCValNode;
+    }
+    static inline bool classof(const SVFValue* node)
+    {
+        return node->getNodeKind() == SVFVar::AsmPCValNode;
+    }
 
     AsmPCValVar(NodeID i, const SVFType* svfType)
         : ValVar(i, svfType, nullptr, AsmPCValNode) {}
 
-    inline const std::string getValueName() const { return "asmPCVal"; }
+    inline const std::string getValueName() const
+    {
+        return "asmPCVal";
+    }
     virtual const std::string toString() const;
 };
 

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -1222,12 +1222,24 @@ void AbstractInterpretation::updateStateOnPhi(const PhiStmt *phi)
 }
 
 
+/// Handle CallPE: phi-like merging of actual parameters from all call sites
+/// into the formal parameter at FunEntryICFGNode (e.g., formal = join(actual1@cs1, actual2@cs2, ...))
 void AbstractInterpretation::updateStateOnCall(const CallPE *callPE)
 {
     AbstractState& as = getAbstractState(callPE->getICFGNode());
-    NodeID lhs = callPE->getLHSVarID();
-    NodeID rhs = callPE->getRHSVarID();
-    as[lhs] = as[rhs];
+    NodeID res = callPE->getResID();
+    AbstractValue rhs;
+    for (u32_t i = 0; i < callPE->getOpVarNum(); i++)
+    {
+        NodeID curId = callPE->getOpVarID(i);
+        const ICFGNode* opICFGNode = callPE->getOpCallICFGNode(i);
+        if (hasAbstractState(opICFGNode))
+        {
+            AbstractState& opAs = getAbstractState(opICFGNode);
+            rhs.join_with(opAs[curId]);
+        }
+    }
+    as[res] = rhs;
 }
 
 void AbstractInterpretation::updateStateOnRet(const RetPE *retPE)

package/svf/lib/Graphs/ConsG.cpp

@@ -86,8 +86,9 @@ void ConstraintGraph::buildCG()
     for (SVFStmt::SVFStmtSetTy::iterator iter = calls.begin(), eiter =
                 calls.end(); iter != eiter; ++iter)
     {
-        const CallPE* edge = SVFUtil::cast<CallPE>(*iter);
-        addCopyCGEdge(edge->getRHSVarID(),edge->getLHSVarID());
+        const CallPE* callPE = SVFUtil::cast<CallPE>(*iter);
+        for(u32_t i = 0; i < callPE->getOpVarNum(); i++)
+            addCopyCGEdge(callPE->getOpVarID(i), callPE->getResID());
     }
 
     SVFStmt::SVFStmtSetTy& rets = getSVFStmtSet(SVFStmt::Ret);
@@ -102,8 +103,9 @@ void ConstraintGraph::buildCG()
     for (SVFStmt::SVFStmtSetTy::iterator iter = tdfks.begin(), eiter =
                 tdfks.end(); iter != eiter; ++iter)
     {
-        const TDForkPE* edge = SVFUtil::cast<TDForkPE>(*iter);
-        addCopyCGEdge(edge->getRHSVarID(),edge->getLHSVarID());
+        const TDForkPE* forkPE = SVFUtil::cast<TDForkPE>(*iter);
+        for(u32_t i = 0; i < forkPE->getOpVarNum(); i++)
+            addCopyCGEdge(forkPE->getOpVarID(i), forkPE->getResID());
     }
 
     SVFStmt::SVFStmtSetTy& tdjns = getSVFStmtSet(SVFStmt::ThreadJoin);

package/svf/lib/Graphs/ICFG.cpp

@@ -444,17 +444,7 @@ void ICFG::updateCallGraph(CallGraph* callgraph)
             {
                 FunEntryICFGNode* calleeEntryNode = getFunEntryBlock(callee);
                 FunExitICFGNode* calleeExitNode = getFunExitBlock(callee);
-                if(ICFGEdge* callEdge = addCallEdge(callBlockNode, calleeEntryNode))
-                {
-                    for (const SVFStmt *stmt : callBlockNode->getSVFStmts())
-                    {
-                        if(const CallPE *callPE = SVFUtil::dyn_cast<CallPE>(stmt))
-                        {
-                            if(callPE->getFunEntryICFGNode() == calleeEntryNode)
-                                SVFUtil::cast<CallCFGEdge>(callEdge)->addCallPE(callPE);
-                        }
-                    }
-                }
+                addCallEdge(callBlockNode, calleeEntryNode);
                 if(ICFGEdge* retEdge = addRetEdge(calleeExitNode, retBlockNode))
                 {
                     for (const SVFStmt *stmt : retBlockNode->getSVFStmts())

package/svf/lib/Graphs/IRGraph.cpp

@@ -514,7 +514,7 @@ struct DOTGraphTraits<IRGraph*> : public DefaultDOTGraphTraits
         assert(edge && "No edge found!!");
         if(const CallPE* calledge = SVFUtil::dyn_cast<CallPE>(edge))
         {
-            return calledge->getCallSite()->getSourceLoc();
+            return calledge->getFunEntryICFGNode()->getSourceLoc();
         }
         else if(const RetPE* retedge = SVFUtil::dyn_cast<RetPE>(edge))
         {

package/svf/lib/Graphs/VFG.cpp

@@ -499,7 +499,8 @@ void VFG::addVFGNodes()
                 forks.end(); iter != eiter; ++iter)
     {
         TDForkPE* forkedge = SVFUtil::cast<TDForkPE>(*iter);
-        addActualParmVFGNode(forkedge->getRHSVar(),forkedge->getCallSite());
+        for(u32_t i = 0; i < forkedge->getOpVarNum(); i++)
+            addActualParmVFGNode(forkedge->getOpVar(i), forkedge->getOpCallICFGNode(i));
     }
 
     // initialize actual parameter nodes
@@ -538,18 +539,8 @@ void VFG::addVFGNodes()
             if (isInterestedSVFVar(param) == false || hasBlackHoleConstObjAddrAsDef(param))
                 continue;
 
-            CallPESet callPEs;
-            if (param->hasIncomingEdges(SVFStmt::Call))
-            {
-                for (SVFStmt::SVFStmtSetTy::const_iterator cit = param->getIncomingEdgesBegin(SVFStmt::Call), ecit =
-                            param->getIncomingEdgesEnd(SVFStmt::Call); cit != ecit; ++cit)
-                {
-                    CallPE* callPE = SVFUtil::cast<CallPE>(*cit);
-                    if (isInterestedSVFVar(callPE->getRHSVar()))
-                        callPEs.insert(callPE);
-                }
-            }
-            addFormalParmVFGNode(param,func,callPEs);
+            const CallPE* callPE = pag->getCallPEForFormalParm(param);
+            addFormalParmVFGNode(param,func,callPE);
         }
 
         if (func->isVarArg())
@@ -558,18 +549,8 @@ void VFG::addVFGNodes()
             if (isInterestedSVFVar(varParam) == false || hasBlackHoleConstObjAddrAsDef(varParam))
                 continue;
 
-            CallPESet callPEs;
-            if (varParam->hasIncomingEdges(SVFStmt::Call))
-            {
-                for(SVFStmt::SVFStmtSetTy::const_iterator cit = varParam->getIncomingEdgesBegin(SVFStmt::Call),
-                        ecit = varParam->getIncomingEdgesEnd(SVFStmt::Call); cit!=ecit; ++cit)
-                {
-                    CallPE* callPE = SVFUtil::cast<CallPE>(*cit);
-                    if(isInterestedSVFVar(callPE->getRHSVar()))
-                        callPEs.insert(callPE);
-                }
-            }
-            addFormalParmVFGNode(varParam,func,callPEs);
+            const CallPE* varCallPE = pag->getCallPEForFormalParm(varParam);
+            addFormalParmVFGNode(varParam,func,varCallPE);
         }
     }
 
@@ -802,12 +783,17 @@ void VFG::connectDirectVFGEdges()
         }
         else if(FormalParmVFGNode* formalParm = SVFUtil::dyn_cast<FormalParmVFGNode>(node))
         {
-            for(CallPESet::const_iterator it = formalParm->callPEBegin(), eit = formalParm->callPEEnd();
-                    it!=eit; ++it)
+            if(const CallPE* callPE = formalParm->getCallPE())
             {
-                const CallICFGNode* cs = (*it)->getCallSite();
-                ActualParmVFGNode* acutalParm = getActualParmVFGNode((*it)->getRHSVar(),cs);
-                addInterEdgeFromAPToFP(acutalParm,formalParm,getCallSiteID(cs, formalParm->getFun()));
+                for(u32_t i = 0; i < callPE->getOpVarNum(); i++)
+                {
+                    if(isInterestedSVFVar(callPE->getOpVar(i)))
+                    {
+                        const CallICFGNode* cs = callPE->getOpCallICFGNode(i);
+                        ActualParmVFGNode* acutalParm = getActualParmVFGNode(callPE->getOpVar(i), cs);
+                        addInterEdgeFromAPToFP(acutalParm,formalParm,getCallSiteID(cs, formalParm->getFun()));
+                    }
+                }
             }
         }
         else if(FormalRetVFGNode* calleeRet = SVFUtil::dyn_cast<FormalRetVFGNode>(node))
@@ -836,9 +822,16 @@ void VFG::connectDirectVFGEdges()
                     forks.end(); iter != eiter; ++iter)
         {
             TDForkPE* forkedge = SVFUtil::cast<TDForkPE>(*iter);
-            ActualParmVFGNode* acutalParm = getActualParmVFGNode(forkedge->getRHSVar(),forkedge->getCallSite());
-            FormalParmVFGNode* formalParm = getFormalParmVFGNode(forkedge->getLHSVar());
-            addInterEdgeFromAPToFP(acutalParm,formalParm,getCallSiteID(forkedge->getCallSite(), formalParm->getFun()));
+            FormalParmVFGNode* formalParm = getFormalParmVFGNode(forkedge->getRes());
+            for(u32_t i = 0; i < forkedge->getOpVarNum(); i++)
+            {
+                if(isInterestedSVFVar(forkedge->getOpVar(i)))
+                {
+                    const CallICFGNode* cs = forkedge->getOpCallICFGNode(i);
+                    ActualParmVFGNode* acutalParm = getActualParmVFGNode(forkedge->getOpVar(i), cs);
+                    addInterEdgeFromAPToFP(acutalParm,formalParm,getCallSiteID(cs, formalParm->getFun()));
+                }
+            }
         }
         /// add join edge
         SVFStmt::SVFStmtSetTy& joins = getSVFStmtSet(SVFStmt::ThreadJoin);

package/svf/lib/SVFIR/PAGBuilderFromFile.cpp

@@ -231,7 +231,7 @@ void PAGBuilderFromFile::addEdge(NodeID srcID, NodeID dstID,
     else if (edge == "variant-gep")
         pag->addVariantGepStmt(srcID, dstID, AccessPath(offsetOrCSId));
     else if (edge == "call")
-        pag->addEdge(srcNode, dstNode, new CallPE(srcNode, dstNode, nullptr, nullptr));
+        pag->addEdge(srcNode, dstNode, new CallPE(SVFUtil::cast<ValVar>(dstNode), {SVFUtil::cast<ValVar>(srcNode)}, {nullptr}, nullptr));
     else if (edge == "ret")
         pag->addEdge(srcNode, dstNode, new RetPE(srcNode, dstNode, nullptr,nullptr));
     else if (edge == "cmp")

package/svf/lib/SVFIR/SVFIR.cpp

@@ -305,26 +305,33 @@ void SVFIR::addStoreStmt(StoreStmt* edge, SVFVar* src, SVFVar* dst)
 }
 
 /*!
- * Add Call edge
+ * Add Call edge (phi-like: merges actual params from all call sites into formal param)
  */
 CallPE* SVFIR::addCallPE(NodeID src, NodeID dst, const CallICFGNode* cs, const FunEntryICFGNode* entry)
 {
-    SVFVar* srcNode = getGNode(src);
-    SVFVar* dstNode = getGNode(dst);
-    if(hasLabeledEdge(srcNode,dstNode, SVFStmt::Call, cs))
-        return nullptr;
-    else
+    ValVar* opNode = const_cast<ValVar*>(getValVar(src));
+    ValVar* resNode = const_cast<ValVar*>(getValVar(dst));
+    FParmToCallPEMap::iterator it = fParmToCallPEMap.find(resNode);
+    // if first operand, create a new CallPE, otherwise add the operand to the existing CallPE
+    if(it == fParmToCallPEMap.end())
     {
-        CallPE* callPE = new CallPE(srcNode, dstNode, cs,entry);
-        addCallPE(callPE,srcNode,dstNode);
+        CallPE* callPE = new CallPE(resNode, {opNode}, {cs}, entry);
+        addCallPE(callPE, opNode, resNode);
         return callPE;
     }
+    else
+    {
+        it->second->addOpVar(opNode, cs);
+        /// return null if we already added this CallPE
+        return nullptr;
+    }
 }
 
 void SVFIR::addCallPE(CallPE* edge, SVFVar* src, SVFVar* dst)
 {
     addToStmt2TypeMap(edge);
-    addEdge(src,dst, edge);
+    addEdge(src, dst, edge);
+    fParmToCallPEMap[dst] = edge;
 }
 
 /*!
@@ -366,16 +373,23 @@ SVFStmt* SVFIR::addBlackHoleAddrStmt(NodeID node)
  */
 TDForkPE* SVFIR::addThreadForkPE(NodeID src, NodeID dst, const CallICFGNode* cs, const FunEntryICFGNode* entry)
 {
-    SVFVar* srcNode = getGNode(src);
-    SVFVar* dstNode = getGNode(dst);
-    if(hasLabeledEdge(srcNode,dstNode, SVFStmt::ThreadFork, cs))
-        return nullptr;
-    else
+    ValVar* opNode = const_cast<ValVar*>(getValVar(src));
+    ValVar* resNode = const_cast<ValVar*>(getValVar(dst));
+    FParmToCallPEMap::iterator it = fParmToCallPEMap.find(resNode);
+    // if first operand, create a new TDForkPE, otherwise add the operand to the existing TDForkPE
+    if(it == fParmToCallPEMap.end())
     {
-        TDForkPE* forkPE = new TDForkPE(srcNode, dstNode, cs, entry);
-        addCallPE(forkPE,srcNode,dstNode);
+        TDForkPE* forkPE = new TDForkPE(resNode, {opNode}, {cs}, entry);
+        addToStmt2TypeMap(forkPE);
+        addEdge(opNode, resNode, forkPE);
+        fParmToCallPEMap[resNode] = forkPE;
         return forkPE;
     }
+    else
+    {
+        it->second->addOpVar(opNode, cs);
+        return nullptr;
+    }
 }
 
 /*!

package/svf/lib/SVFIR/SVFStatements.cpp

@@ -242,7 +242,14 @@ const std::string CallPE::toString() const
 {
     std::string str;
     std::stringstream rawstr(str);
-    rawstr << "CallPE: [Var" << getLHSVarID() << " <-- Var" << getRHSVarID() << "]\t";
+    rawstr << "CallPE: [Var" << getResID() << " <-- (";
+    for (u32_t i = 0; i < getOpVarNum(); i++)
+    {
+        rawstr << "[Var" << getOpVarID(i) << ", ICFGNode" << getOpCallICFGNode(i)->getId() << "]";
+        if (i + 1 < getOpVarNum())
+            rawstr << ", ";
+    }
+    rawstr << ")]  ";
     if (Options::ShowSVFIRValue())
     {
         rawstr << "\n";
@@ -268,7 +275,14 @@ const std::string TDForkPE::toString() const
 {
     std::string str;
     std::stringstream rawstr(str);
-    rawstr << "TDForkPE: [Var" << getLHSVarID() << " <-- Var" << getRHSVarID() << "]\t";
+    rawstr << "TDForkPE: [Var" << getResID() << " <-- (";
+    for (u32_t i = 0; i < getOpVarNum(); i++)
+    {
+        rawstr << "[Var" << getOpVarID(i) << ", ICFGNode" << getOpCallICFGNode(i)->getId() << "]";
+        if (i + 1 < getOpVarNum())
+            rawstr << ", ";
+    }
+    rawstr << ")]  ";
     if (Options::ShowSVFIRValue())
     {
         rawstr << "\n";
@@ -375,22 +389,6 @@ const ValVar* GepStmt::getDstNode() const
     return getLHSVar();
 }
 
-const ValVar* CallPE::getRHSVar() const
-{
-    return cast<ValVar>(SVFStmt::getSrcNode());
-}
-const ValVar* CallPE::getLHSVar() const
-{
-    return cast<ValVar>(SVFStmt::getDstNode());
-}
-const ValVar* CallPE::getSrcNode() const
-{
-    return getRHSVar();
-}
-const ValVar* CallPE::getDstNode() const
-{
-    return getLHSVar();
-}
 
 const ValVar* RetPE::getRHSVar() const
 {
@@ -409,22 +407,6 @@ const ValVar* RetPE::getDstNode() const
     return getLHSVar();
 }
 
-const ValVar* TDForkPE::getRHSVar() const
-{
-    return cast<ValVar>(SVFStmt::getSrcNode());
-}
-const ValVar* TDForkPE::getLHSVar() const
-{
-    return cast<ValVar>(SVFStmt::getDstNode());
-}
-const ValVar* TDForkPE::getSrcNode() const
-{
-    return getRHSVar();
-}
-const ValVar* TDForkPE::getDstNode() const
-{
-    return getLHSVar();
-}
 
 const ValVar* TDJoinPE::getRHSVar() const
 {
@@ -518,10 +500,16 @@ StoreStmt::StoreStmt(SVFVar* s, SVFVar* d, const ICFGNode* st)
 {
 }
 
-CallPE::CallPE(SVFVar* s, SVFVar* d, const CallICFGNode* i,
-               const FunEntryICFGNode* e, GEdgeKind k)
-    : AssignStmt(s, d, makeEdgeFlagWithCallInst(k, i)), call(i), entry(e)
+CallPE::CallPE(ValVar* res, const OPVars& opnds,
+               const CallICFGNodeVec& icfgNodes,
+               const FunEntryICFGNode* e,
+               GEdgeKind k)
+    : MultiOpndStmt(res, opnds,
+                    makeEdgeFlagWithAddionalOpnd(k, opnds.at(0))),
+      opCallICFGNodes(icfgNodes), entry(e)
 {
+    assert(opnds.size() == icfgNodes.size() &&
+           "Numbers of operands and their CallICFGNodes are not consistent?");
 }
 
 

package/svf-llvm/lib/SVFIRBuilder.cpp

@@ -1767,12 +1767,18 @@ void SVFIRBuilder::setCurrentBBAndValueForPAGEdge(PAGEdge* edge)
         {
             icfgNode = pag->getICFG()->getFunExitICFGNode(llvmMS->getFunObjVar(curInst->getFunction()));
         }
+        else if(const CallPE* callPE = SVFUtil::dyn_cast<CallPE>(edge))
+        {
+            /// CallPE is placed at FunEntryICFGNode (phi-like merging of actual params)
+            icfgNode = const_cast<FunEntryICFGNode*>(callPE->getFunEntryICFGNode());
+        }
+        else if(SVFUtil::isa<RetPE>(edge))
+        {
+            icfgNode = llvmMS->getRetICFGNode(SVFUtil::cast<Instruction>(curInst));
+        }
         else
         {
-            if(SVFUtil::isa<RetPE>(edge))
-                icfgNode = llvmMS->getRetICFGNode(SVFUtil::cast<Instruction>(curInst));
-            else
-                icfgNode = llvmMS->getICFGNode(SVFUtil::cast<Instruction>(curInst));
+            icfgNode = llvmMS->getICFGNode(SVFUtil::cast<Instruction>(curInst));
         }
     }
     else if (const Argument* arg = SVFUtil::dyn_cast<Argument>(curVal))
@@ -1801,10 +1807,15 @@ void SVFIRBuilder::setCurrentBBAndValueForPAGEdge(PAGEdge* edge)
     icfgNode->addSVFStmt(edge);
     if(const CallPE* callPE = SVFUtil::dyn_cast<CallPE>(edge))
     {
-        CallICFGNode* callNode = const_cast<CallICFGNode*>(callPE->getCallSite());
+        /// CallPE is phi-like at FunEntryICFGNode. Collect it on each CallCFGEdge
+        /// whose call site appears as an operand, so the edge knows which params are passed.
         FunEntryICFGNode* entryNode = const_cast<FunEntryICFGNode*>(callPE->getFunEntryICFGNode());
-        if(ICFGEdge* edge = pag->getICFG()->hasInterICFGEdge(callNode,entryNode, ICFGEdge::CallCF))
-            SVFUtil::cast<CallCFGEdge>(edge)->addCallPE(callPE);
+        for(u32_t i = 0; i < callPE->getOpVarNum(); i++)
+        {
+            CallICFGNode* callNode = const_cast<CallICFGNode*>(callPE->getOpCallICFGNode(i));
+            if(ICFGEdge* icfgEdge = pag->getICFG()->hasInterICFGEdge(callNode, entryNode, ICFGEdge::CallCF))
+                SVFUtil::cast<CallCFGEdge>(icfgEdge)->addCallPE(callPE);
+        }
     }
     else if(const RetPE* retPE = SVFUtil::dyn_cast<RetPE>(edge))
     {