svf-tools 1.0.1235 → 1.0.1237

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "svf-tools",
-  "version": "1.0.1235",
+  "version": "1.0.1237",
   "description": "* <b>[TypeClone](https://github.com/SVF-tools/SVF/wiki/TypeClone) published in our [ECOOP paper](https://yuleisui.github.io/publications/ecoop20.pdf) is now available in SVF </b> * <b>SVF now uses a single script for its build. Just type [`source ./build.sh`](https://github.com/SVF-tools/SVF/blob/master/build.sh) in your terminal, that's it!</b> * <b>SVF now supports LLVM-10.0.0! </b> * <b>We thank [bsauce](https://github.com/bsauce) for writing a user manual of SVF ([link1](https://www.jianshu.com/p/068a08ec749c) and [link2](https://www.jianshu.com/p/777c30d4240e)) in Chinese </b> * <b>SVF now supports LLVM-9.0.0 (Thank [Byoungyoung Lee](https://github.com/SVF-tools/SVF/issues/142) for his help!). </b> * <b>SVF now supports a set of [field-sensitive pointer analyses](https://yuleisui.github.io/publications/sas2019a.pdf). </b> * <b>[Use SVF as an external lib](https://github.com/SVF-tools/SVF/wiki/Using-SVF-as-a-lib-in-your-own-tool) for your own project (Contributed by [Hongxu Chen](https://github.com/HongxuChen)). </b> * <b>SVF now supports LLVM-7.0.0. </b> * <b>SVF now supports Docker. [Try SVF in Docker](https://github.com/SVF-tools/SVF/wiki/Try-SVF-in-Docker)! </b> * <b>SVF now supports [LLVM-6.0.0](https://github.com/svf-tools/SVF/pull/38) (Contributed by [Jack Anthony](https://github.com/jackanth)). </b> * <b>SVF now supports [LLVM-4.0.0](https://github.com/svf-tools/SVF/pull/23) (Contributed by Jared Carlson. Thank [Jared](https://github.com/jcarlson23) and [Will](https://github.com/dtzWill) for their in-depth [discussions](https://github.com/svf-tools/SVF/pull/18) about updating SVF!) </b> * <b>SVF now supports analysis for C++ programs.</b> <br />",
   "main": "index.js",
   "scripts": {

package/svf/include/AE/Core/AbstractState.h

@@ -352,7 +352,7 @@ public:
     /// freed addresses intact. Used when building a cycle snapshot so the
     /// ValVar set is controlled by the caller rather than whatever was
     /// cached at the seed node.
-    void clearVars()
+    void clearValVars()
     {
         _varToAbsVal.clear();
     }

package/svf/include/AE/Svfexe/AbstractInterpretation.h

@@ -149,6 +149,11 @@ public:
         svfStateMgr->updateAbstractState(node, state);
     }
 
+    inline bool hasAbsValue(const SVFVar* var, const ICFGNode* node)
+    {
+        return svfStateMgr->hasAbstractValue(var, node);
+    }
+
     inline const AbstractValue& getAbsValue(const SVFVar* var, const ICFGNode* node)
     {
         return svfStateMgr->getAbstractValue(var, node);
@@ -180,6 +185,30 @@ private:
     /// Handle a WTO cycle (loop or recursive function) using widening/narrowing iteration
     virtual void handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller = nullptr);
 
+    // ---- Semi-sparse cycle helpers ----
+    // ValVars whose def-site is inside the cycle but NOT cycle_head do not
+    // flow through cycle_head's merge in semi-sparse mode, so the around-merge
+    // widening cannot observe them.  getFullCycleHeadState pulls these ValVars
+    // into a single AbstractState snapshot so widen/narrow can treat ValVars
+    // and ObjVars uniformly; after widen/narrow we scatter the ValVars back
+    // to their def-sites.
+
+    /// Build a full cycle-head AbstractState: the ObjVars currently at
+    /// cycle_head combined with every cycle ValVar pulled from its
+    /// def-site.  Skips ValVars without a stored value to avoid the
+    /// top-fallback contamination.  In dense mode this is equivalent to
+    /// trace[cycle_head] since ValVars already live there.
+    AbstractState getFullCycleHeadState(const ICFGCycleWTO* cycle);
+
+    /// Widen prev with cur; write the widened state to trace[cycle_head]
+    /// and scatter its ValVars back to their def-sites.  Returns true
+    /// when the widened result equals prev (fixpoint).
+    bool widenCycleState(const AbstractState& prev, const AbstractState& cur,
+                         const ICFGCycleWTO* cycle);
+    /// Narrow prev with cur; write the narrowed state back and scatter.
+    bool narrowCycleState(const AbstractState& prev, const AbstractState& cur,
+                          const ICFGCycleWTO* cycle);
+
     /// Handle a function body via worklist-driven WTO traversal starting from funEntry
     void handleFunction(const ICFGNode* funEntry, const CallICFGNode* caller = nullptr);
 

package/svf/include/AE/Svfexe/AbstractStateManager.h

@@ -66,6 +66,19 @@ public:
     /// Dispatch to ValVar or ObjVar overload (checks ObjVar first due to inheritance).
     const AbstractValue& getAbstractValue(const SVFVar* var, const ICFGNode* node);
 
+    /// Check whether a ValVar has a real stored value reachable by
+    /// getAbstractValue.  Unlike getAbstractValue, this is side-effect free
+    /// and does NOT treat the final top-fallback as "present" — so callers
+    /// that plan to write the fetched value back (e.g. cycle widen/narrow)
+    /// can distinguish a genuine stored value from the top sentinel.
+    bool hasAbstractValue(const ValVar* var, const ICFGNode* node) const;
+
+    /// Check whether an ObjVar has a stored value at node.
+    bool hasAbstractValue(const ObjVar* var, const ICFGNode* node) const;
+
+    /// Dispatch to ValVar or ObjVar overload.
+    bool hasAbstractValue(const SVFVar* var, const ICFGNode* node) const;
+
     /// Write a top-level variable's abstract value into abstractTrace[node].
     void updateAbstractValue(const ValVar* var, const AbstractValue& val, const ICFGNode* node);
 
@@ -138,8 +151,14 @@ public:
     //  Direct Trace Access (for merge, fixpoint, etc.)
     // ===----------------------------------------------------------------------===//
 
-    Map<const ICFGNode*, AbstractState>& getTrace() { return abstractTrace; }
-    AbstractState& operator[](const ICFGNode* node) { return abstractTrace[node]; }
+    Map<const ICFGNode*, AbstractState>& getTrace()
+    {
+        return abstractTrace;
+    }
+    AbstractState& operator[](const ICFGNode* node)
+    {
+        return abstractTrace[node];
+    }
 
     // ===----------------------------------------------------------------------===//
     //  Def/Use site queries (sparsity-aware)

package/svf/include/AE/Svfexe/PreAnalysis.h

@@ -80,10 +80,10 @@ public:
 
     /// Look up the ValVar id set of a WTO cycle. Returns nullptr if the
     /// cycle is unknown (e.g. dense mode, where the map is never built).
-    const Set<NodeID>* getCycleValVars(const ICFGCycleWTO* cycle) const
+    const Set<const ValVar*> getCycleValVars(const ICFGCycleWTO* cycle) const
     {
         auto it = cycleToValVars.find(cycle);
-        return it == cycleToValVars.end() ? nullptr : &it->second;
+        return it == cycleToValVars.end() ? Set<const ValVar*>() : it->second;
     }
 
 private:
@@ -98,7 +98,7 @@ private:
     /// Pre-computed (semi-sparse only) map from a WTO cycle to the IDs of
     /// every ValVar whose def-site is inside that cycle, including all
     /// nested sub-cycles. Empty in dense mode.
-    Map<const ICFGCycleWTO*, Set<NodeID>> cycleToValVars;
+    Map<const ICFGCycleWTO*, Set<const ValVar*>> cycleToValVars;
 };
 
 } // End namespace SVF

package/svf/lib/AE/Svfexe/AEDetector.cpp

@@ -58,7 +58,7 @@ void BufOverflowDetector::detect(const ICFGNode* node)
                 const AbstractValue& lhsVal = ae.getAbsValue(gep->getLHSVar(), node);
                 const AbstractValue& rhsVal = ae.getAbsValue(gep->getRHSVar(), node);
                 updateGepObjOffsetFromBase(node, lhsVal.getAddrs(), rhsVal.getAddrs(),
-                    ae.getStateMgr()->getGepByteOffset(gep));
+                                           ae.getStateMgr()->getGepByteOffset(gep));
 
                 const AddressValue& objAddrs = rhsVal.getAddrs();
                 for (const auto& addr : objAddrs)

package/svf/lib/AE/Svfexe/AbstractInterpretation.cpp

@@ -205,6 +205,7 @@ bool AbstractInterpretation::mergeStatesFromPredecessors(const ICFGNode* node)
 {
     // Collect all feasible predecessor states, then merge at the end.
     AbstractState merged;
+    bool hasFeasiblePred = false;
 
     for (auto& edge : node->getInEdges())
     {
@@ -218,16 +219,21 @@ bool AbstractInterpretation::mergeStatesFromPredecessors(const ICFGNode* node)
             {
                 AbstractState predState = getAbsState(pred);
                 if (isBranchFeasible(intraCfgEdge, predState))
+                {
                     merged.joinWith(predState);
+                    hasFeasiblePred = true;
+                }
             }
             else
             {
                 merged.joinWith(getAbsState(pred));
+                hasFeasiblePred = true;
             }
         }
         else if (SVFUtil::isa<CallCFGEdge>(edge))
         {
             merged.joinWith(getAbsState(pred));
+            hasFeasiblePred = true;
         }
         else if (SVFUtil::isa<RetCFGEdge>(edge))
         {
@@ -235,6 +241,7 @@ bool AbstractInterpretation::mergeStatesFromPredecessors(const ICFGNode* node)
             {
             case TOP:
                 merged.joinWith(getAbsState(pred));
+                hasFeasiblePred = true;
                 break;
             case WIDEN_ONLY:
             case WIDEN_NARROW:
@@ -242,14 +249,17 @@ bool AbstractInterpretation::mergeStatesFromPredecessors(const ICFGNode* node)
                 const RetICFGNode* returnSite = SVFUtil::dyn_cast<RetICFGNode>(node);
                 const CallICFGNode* callSite = returnSite->getCallICFGNode();
                 if (hasAbsState(callSite))
+                {
                     merged.joinWith(getAbsState(pred));
+                    hasFeasiblePred = true;
+                }
                 break;
             }
             }
         }
     }
 
-    if (merged.getVarToVal().empty() && merged.getLocToVal().empty())
+    if (!hasFeasiblePred)
         return false;
 
     updateAbsState(node, merged);
@@ -859,6 +869,96 @@ void AbstractInterpretation::handleFunCall(const CallICFGNode *callNode)
 ///       int factorial(int n) { return n <= 1 ? 1 : n * factorial(n-1); }
 ///       factorial(5) -> returns [10000, 10000] (precise after narrowing)
 
+// ---------------------------------------------------------------------------
+// Semi-sparse cycle helpers
+// ---------------------------------------------------------------------------
+//
+// In semi-sparse mode, ValVars live at their def-sites and do not flow
+// through the cycle-head merge. The around-merge widening at cycle_head
+// therefore cannot observe ValVar growth across iterations (e.g. an
+// ArgValVar that a recursive CallPE keeps overwriting at the FunEntry).
+//
+// To fix that, handleLoopOrRecursion runs an extra cross-iter widening on
+// a snapshot that pulls every cycle ValVar into cycle_head's state. The set
+// of ValVar IDs per cycle is precomputed once after PreAnalysis::initWTO()
+// (initCycleValVars), bottom-up so nested cycles are handled before their
+// enclosing cycle.
+
+// --- Cycle state helpers (dense/sparse unified) ---
+
+AbstractState AbstractInterpretation::getFullCycleHeadState(const ICFGCycleWTO* cycle)
+{
+    const ICFGNode* cycle_head = cycle->head()->getICFGNode();
+    AbstractState snap;
+    if (hasAbsState(cycle_head))
+        snap = getAbsState(cycle_head);
+
+    if (Options::AESparsity() == AESparsity::SemiSparse)
+    {
+        const Set<const ValVar*>& valVars = preAnalysis->getCycleValVars(cycle);
+        if (valVars.empty())
+            return snap;  // dense path / no cycle ValVars: snap is already complete
+
+        // Semi-sparse: drop any stale ValVar entries cached at cycle_head and
+        // pull each cycle ValVar from its def-site.  ValVars without a stored
+        // value are skipped to avoid the top-fallback contamination.
+        snap.clearValVars();
+        for (const ValVar* v : valVars)
+        {
+            const ICFGNode* defSite = v->getICFGNode();
+            if (!defSite || !hasAbsValue(v, defSite)) continue;
+            snap[v->getId()] = getAbsValue(v, defSite);
+        }
+        return snap;
+    }
+    else
+    {
+        return snap;
+    }
+}
+
+
+bool AbstractInterpretation::widenCycleState(
+    const AbstractState& prev, const AbstractState& cur, const ICFGCycleWTO* cycle)
+{
+    AbstractState prev_copy = prev;
+    AbstractState next = prev_copy.widening(cur);
+    // Always write back (even at fixpoint) so cycle_head's trace holds the
+    // widened state for the upcoming narrowing phase.
+    const ICFGNode* cycle_head = cycle->head()->getICFGNode();
+    svfStateMgr->getTrace()[cycle_head] = next;
+    if (Options::AESparsity() == AESparsity::SemiSparse)
+    {
+        for (const auto& [id, val] : next.getVarToVal())
+        {
+            updateAbsValue(svfir->getSVFVar(id), val, cycle_head);
+        }
+    }
+    return next == prev;
+}
+
+bool AbstractInterpretation::narrowCycleState(
+    const AbstractState& prev, const AbstractState& cur, const ICFGCycleWTO* cycle)
+{
+    const ICFGNode* cycle_head = cycle->head()->getICFGNode();
+    if (!shouldApplyNarrowing(cycle_head->getFun()))
+        return true;
+    AbstractState prev_copy = prev;
+    AbstractState next = prev_copy.narrowing(cur);
+    if (next == prev)
+        return true;  // fixpoint
+    svfStateMgr->getTrace()[cycle_head] = next;
+    if (Options::AESparsity() == AESparsity::SemiSparse)
+    {
+        for (const auto& [id, val] : next.getVarToVal())
+        {
+            updateAbsValue(svfir->getSVFVar(id), val, cycle_head);
+        }
+    }
+    return false;
+}
+
+
 void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle, const CallICFGNode* caller)
 {
     const ICFGNode* cycle_head = cycle->head()->getICFGNode();
@@ -874,35 +974,29 @@ void AbstractInterpretation::handleLoopOrRecursion(const ICFGCycleWTO* cycle, co
     // Iterate until fixpoint with widening/narrowing on the cycle head.
     bool increasing = true;
     u32_t widen_delay = Options::WidenDelay();
-    auto& abstractTrace = svfStateMgr->getTrace();
     for (u32_t cur_iter = 0;; cur_iter++)
     {
         if (cur_iter >= widen_delay)
         {
-            // Save state before processing head
-            AbstractState prev_head_state = abstractTrace[cycle_head];
+            // getFullCycleHeadState handles dense (returns trace[cycle_head])
+            // and semi-sparse (collects ValVars from def-sites) uniformly.
+            AbstractState prev = getFullCycleHeadState(cycle);
 
-            // Process cycle head: merge from predecessors, then execute statements
             if (mergeStatesFromPredecessors(cycle_head))
                 handleICFGNode(cycle_head);
-            AbstractState cur_head_state = abstractTrace[cycle_head];
+            AbstractState cur = getFullCycleHeadState(cycle);
 
             if (increasing)
             {
-                abstractTrace[cycle_head] = prev_head_state.widening(cur_head_state);
-                if (abstractTrace[cycle_head] == prev_head_state)
+                if (widenCycleState(prev, cur, cycle))
                 {
-                    // Widening fixpoint reached; switch to narrowing phase.
                     increasing = false;
                     continue;
                 }
             }
             else
             {
-                if (!shouldApplyNarrowing(cycle_head->getFun()))
-                    break;
-                abstractTrace[cycle_head] = prev_head_state.narrowing(cur_head_state);
-                if (abstractTrace[cycle_head] == prev_head_state)
+                if (narrowCycleState(prev, cur, cycle))
                     break;
             }
         }

package/svf/lib/AE/Svfexe/AbstractStateManager.cpp

@@ -173,6 +173,71 @@ const AbstractValue& AbstractStateManager::getAbstractValue(const SVFVar* var, c
     abort();
 }
 
+// ===----------------------------------------------------------------------===//
+//  hasAbstractValue — side-effect-free existence check
+//
+//  Mirrors the lookup chain in getAbstractValue but stops short of the
+//  top-fallback.  Returns false when getAbstractValue would only be able
+//  to return top as a default.
+// ===----------------------------------------------------------------------===//
+
+bool AbstractStateManager::hasAbstractValue(const ValVar* var, const ICFGNode* node) const
+{
+    // Constants are always "present" (their value is intrinsic).
+    if (SVFUtil::isa<ConstIntValVar>(var) || SVFUtil::isa<ConstFPValVar>(var) ||
+            SVFUtil::isa<ConstNullPtrValVar>(var) || SVFUtil::isa<ConstDataValVar>(var))
+        return true;
+
+    u32_t id = var->getId();
+    bool semiSparse = Options::AESparsity() == AbstractInterpretation::AESparsity::SemiSparse;
+
+    // Dense mode: stored at the current node.
+    if (!semiSparse)
+    {
+        auto it = abstractTrace.find(node);
+        if (it != abstractTrace.end() &&
+                (it->second.inVarToValTable(id) || it->second.inVarToAddrsTable(id)))
+            return true;
+    }
+
+    // Semi-sparse (and dense fall-through): check the def-site.
+    const ICFGNode* defNode = var->getICFGNode();
+    if (defNode)
+    {
+        auto it = abstractTrace.find(defNode);
+        if (it != abstractTrace.end() && it->second.getVarToVal().count(id))
+            return true;
+
+        // Fallback for call-result ValVars: value lives at the RetICFGNode.
+        if (const CallICFGNode* callNode = SVFUtil::dyn_cast<CallICFGNode>(defNode))
+        {
+            const RetICFGNode* retNode = callNode->getRetICFGNode();
+            auto rit = abstractTrace.find(retNode);
+            if (rit != abstractTrace.end() && rit->second.getVarToVal().count(id))
+                return true;
+        }
+    }
+    return false;
+}
+
+bool AbstractStateManager::hasAbstractValue(const ObjVar* var, const ICFGNode* node) const
+{
+    auto it = abstractTrace.find(node);
+    if (it == abstractTrace.end())
+        return false;
+    u32_t objId = var->getId();
+    return it->second.getLocToVal().count(objId) != 0;
+}
+
+bool AbstractStateManager::hasAbstractValue(const SVFVar* var, const ICFGNode* node) const
+{
+    if (const ObjVar* objVar = SVFUtil::dyn_cast<ObjVar>(var))
+        return hasAbstractValue(objVar, node);
+    if (const ValVar* valVar = SVFUtil::dyn_cast<ValVar>(var))
+        return hasAbstractValue(valVar, node);
+    return false;
+}
+
 // ===----------------------------------------------------------------------===//
 //  Update Abstract Value
 // ===----------------------------------------------------------------------===//
@@ -520,3 +585,4 @@ const ICFGNode* AbstractStateManager::getDefSiteOfObjVar(const ObjVar* obj, cons
         return edge->getSrcNode();
     return nullptr;
 }
+

package/svf/lib/AE/Svfexe/PreAnalysis.cpp

@@ -129,7 +129,7 @@ void PreAnalysis::initCycleValVars()
     // map when we reach their enclosing cycle.
     for (const ICFGCycleWTO* cycle : cycles)
     {
-        Set<NodeID>& out = cycleToValVars[cycle];
+        Set<const ValVar*>& out = cycleToValVars[cycle];
 
         // Gather every ICFG node in this cycle (head + body singletons).
         // For nested sub-cycles, merge their already-computed sets instead.
@@ -154,7 +154,7 @@ void PreAnalysis::initCycleValVars()
                 else if (const MultiOpndStmt* m = SVFUtil::dyn_cast<MultiOpndStmt>(stmt))
                     lhs = m->getRes();
                 if (lhs)
-                    out.insert(lhs->getId());
+                    out.insert(lhs);
             }
             // FunEntryICFGNode owns ArgValVars (formal parameters) that have
             // no defining stmt at the entry — the CallPE lives on the caller
@@ -164,7 +164,7 @@ void PreAnalysis::initCycleValVars()
             {
                 for (const SVFVar* fp : fe->getFormalParms())
                     if (const ValVar* v = SVFUtil::dyn_cast<ValVar>(fp))
-                        out.insert(v->getId());
+                        out.insert(v);
             }
         }
     }