return max field for ptr type

svf-llvm/include/SVF-LLVM/SymbolTableBuilder.h

@@ -88,7 +88,7 @@ class SymbolTableBuilder
     std::unique_ptr<TypeInference> & getTypeInference();
 
     /// Forward collect all possible infer sites starting from a value
-    const Type* getOrInferLLVMObjType(const Value *startValue);
+    const Type* fwGetOrInferLLVMObjType(const Value *startValue);
 
     /// Get the reference type of heap/static object from an allocation site.
     //@{

svf-llvm/include/SVF-LLVM/TypeInference.h

@@ -36,13 +36,19 @@ namespace SVF {
 class TypeInference {
 
 public:
-    typedef Map<const Value *, Set<const Value *>> ValueToInferSites;
+    typedef Set<const Value *> ValueSet;
+    typedef Map<const Value *, ValueSet> ValueToValueSet;
+    typedef ValueToValueSet ValueToInferSites;
+    typedef ValueToValueSet ValueToSources;
     typedef Map<const Value *, const Type *> ValueToType;
+    typedef std::pair<const Value *, bool> ValueBoolPair;
+
 
 private:
     static std::unique_ptr<TypeInference> _typeInference;
     ValueToInferSites _valueToInferSites; // value inference site cache
     ValueToType _valueToType; // value type cache
+    ValueToSources _valueToSources; // value type cache
 
     explicit TypeInference() = default;
 
@@ -59,7 +65,10 @@ class TypeInference {
     }
 
     /// Forward collect all possible infer sites starting from a value
-    const Type *getOrInferLLVMObjType(const Value *startValue);
+    const Type *fwGetOrInferLLVMObjType(const Value *startValue);
+
+    /// Backward collect all possible sources starting from a value
+    Set<const Value*> bwGetOrfindSourceVals(const Value * startValue);
 
     /// Validate type inference
     void validateTypeCheck(const CallBase *cs);
@@ -68,12 +77,16 @@ class TypeInference {
 
     void typeDiffTest(const PointerType *oPTy, const Type *iTy, const Value *val);
 
+    /// Default type
+    const Type *defaultTy(const Value *val);
 
-protected:
+private:
     static const Type *infersiteToType(const Value *val);
 
-    /// Default type
-    const Type *defaultTy(const Value *val);
+    inline bool isSourceVal(const Value* val) const {
+        return LLVMUtil::isObject(val);
+    }
+
 };
 }
 #endif //SVF_TYPEINFERENCE_H

svf-llvm/lib/CHGBuilder.cpp

@@ -679,7 +679,7 @@ std::string CHGBuilder::getClassNameOfThisPtr(const CallBase* inst)
     {
         const Value* thisPtr = LLVMUtil::getVCallThisPtr(inst);
         if (const PointerType *ptrTy = SVFUtil::dyn_cast<PointerType>(thisPtr->getType())) {
-            const Type *objTy = TypeInference::getTypeInference()->getOrInferLLVMObjType(thisPtr);
+            const Type *objTy = TypeInference::getTypeInference()->fwGetOrInferLLVMObjType(thisPtr);
             TypeInference::getTypeInference()->typeDiffTest(ptrTy, objTy, thisPtr);
             // TODO: getPtrElementType need type inference
             if (const StructType *st = SVFUtil::dyn_cast<StructType>(getPtrElementType(ptrTy))) {

svf-llvm/lib/SVFIRExtAPI.cpp

@@ -44,7 +44,9 @@ const Type* SVFIRBuilder::getBaseTypeAndFlattenedFields(const Value* V, std::vec
 {
     assert(V);
     const Value* value = getBaseValueForExtArg(V);
-    const Type *objType = TypeInference::getTypeInference()->getOrInferLLVMObjType(value);
+//    Set<const Value *> sources = TypeInference::getTypeInference()->bwGetOrfindSourceVals(value);
+
+    const Type *objType = TypeInference::getTypeInference()->fwGetOrInferLLVMObjType(value);
     u32_t numOfElems = pag->getSymbolInfo()->getNumOfFlattenElements(LLVMModuleSet::getLLVMModuleSet()->getSVFType(objType));
     /// use user-specified size for this copy operation if the size is a constaint int
     if(szValue && SVFUtil::isa<ConstantInt>(szValue))

svf-llvm/lib/SymbolTableBuilder.cpp

@@ -575,8 +575,8 @@ std::unique_ptr<TypeInference> & SymbolTableBuilder::getTypeInference() {
 }
 
 
-const Type* SymbolTableBuilder::getOrInferLLVMObjType(const Value *startValue) {
-    return getTypeInference()->getOrInferLLVMObjType(startValue);
+const Type* SymbolTableBuilder::fwGetOrInferLLVMObjType(const Value *startValue) {
+    return getTypeInference()->fwGetOrInferLLVMObjType(startValue);
 }
 
 /*!
@@ -597,15 +597,15 @@ const Type* SymbolTableBuilder::inferTypeOfHeapObjOrStaticObj(const Instruction
                 originalPType = newTy;
             }
         }
-        inferedType = getOrInferLLVMObjType(startValue);
+        inferedType = fwGetOrInferLLVMObjType(startValue);
     }
     else if(SVFUtil::isHeapAllocExtCallViaArg(svfinst))
     {
         const CallBase* cs = LLVMUtil::getLLVMCallSite(inst);
         int arg_pos = SVFUtil::getHeapAllocHoldingArgPosition(SVFUtil::getSVFCallSite(svfinst));
         const Value* arg = cs->getArgOperand(arg_pos);
         originalPType = SVFUtil::dyn_cast<PointerType>(arg->getType());
-        inferedType = getOrInferLLVMObjType(startValue = arg);
+        inferedType = fwGetOrInferLLVMObjType(startValue = arg);
     }
     else
     {
@@ -802,26 +802,19 @@ u32_t SymbolTableBuilder::analyzeHeapAllocByteSize(const Value* val)
  */
 u32_t SymbolTableBuilder::analyzeHeapObjType(ObjTypeInfo* typeinfo, const Value* val)
 {
-    if(const Value* castUse = getFirstUseViaCastInst(val))
-    {
-        typeinfo->setFlag(ObjTypeInfo::HEAP_OBJ);
-        analyzeObjType(typeinfo,castUse);
-        const Type* objTy = LLVMModuleSet::getLLVMModuleSet()->getLLVMType(typeinfo->getType());
-        if(SVFUtil::isa<ArrayType>(objTy))
+    typeinfo->setFlag(ObjTypeInfo::HEAP_OBJ);
+    analyzeObjType(typeinfo, val);
+    const Type* objTy = LLVMModuleSet::getLLVMModuleSet()->getLLVMType(typeinfo->getType());
+    if(SVFUtil::isa<ArrayType>(objTy))
+        return getNumOfElements(objTy);
+    else if(const StructType* st = SVFUtil::dyn_cast<StructType>(objTy))
+    {
+        /// For an C++ class, it can have variant elements depending on the vtable size,
+        /// Hence we only handle non-cpp-class object, the type of the cpp class is treated as default PointerType
+        if(classTyHasVTable(st))
+            typeinfo->resetTypeForHeapStaticObj(LLVMModuleSet::getLLVMModuleSet()->getSVFType(TypeInference::getTypeInference()->defaultTy(val)));
+        else
             return getNumOfElements(objTy);
-        else if(const StructType* st = SVFUtil::dyn_cast<StructType>(objTy))
-        {
-            /// For an C++ class, it can have variant elements depending on the vtable size,
-            /// Hence we only handle non-cpp-class object, the type of the cpp class is treated as PointerType at the cast site
-            if(classTyHasVTable(st))
-                typeinfo->resetTypeForHeapStaticObj(LLVMModuleSet::getLLVMModuleSet()->getSVFType(castUse->getType()));
-            else
-                return getNumOfElements(objTy);
-        }
-    }
-    else
-    {
-        typeinfo->setFlag(ObjTypeInfo::HEAP_OBJ);
     }
     return typeinfo->getMaxFieldOffsetLimit();
 }

svf-llvm/lib/TypeInference.cpp

@@ -100,19 +100,101 @@ const Type *TypeInference::infersiteToType(const Value *val) {
     }
 }
 
+Set<const Value*> TypeInference::bwGetOrfindSourceVals(const Value* startValue) {
+
+    // consult cache
+    auto tIt = _valueToSources.find(startValue);
+    if (tIt != _valueToSources.end()) {
+        WARN_IFNOT(!tIt->second.empty(), "empty type:" + VALUE_WITH_DBGINFO(startValue));
+        return !tIt->second.empty() ? tIt->second : Set<const Value*>({startValue});
+    }
+
+    // simulate the call stack, the second element indicates whether we should update valueTypes for current value
+    FILOWorkList<ValueBoolPair> workList;
+    Set<ValueBoolPair> visited;
+    workList.push({startValue, false});
+    while (!workList.empty()) {
+        auto curPair = workList.pop();
+        if (visited.count(curPair)) continue;
+        visited.insert(curPair);
+        const Value *curValue = curPair.first;
+        bool canUpdate = curPair.second;
+
+        Set<const Value*> sources;
+        auto insertSource = [&sources, &canUpdate](const Value *source) {
+            if (canUpdate) sources.insert(source);
+        };
+        auto insertSourcesOrPushWorklist = [this, &sources, &workList, &canUpdate](const auto &pUser) {
+            auto vIt = _valueToSources.find(pUser);
+            if (canUpdate) {
+                if (vIt != _valueToSources.end()) {
+                    sources.insert(vIt->second.begin(), vIt->second.end());
+                }
+            } else {
+                if (vIt == _valueToSources.end()) workList.push({pUser, false});
+            }
+        };
+
+        if (!canUpdate && !_valueToSources.count(curValue)) {
+            workList.push({curValue, true});
+        }
+
+        if(isSourceVal(curValue)) {
+            insertSource(curValue);
+        } else if (const BitCastInst *bitCastInst = SVFUtil::dyn_cast<BitCastInst>(curValue)) {
+            Value *prevVal = bitCastInst->getOperand(1);
+            insertSourcesOrPushWorklist(prevVal);
+        } else if (const PHINode *phiNode = SVFUtil::dyn_cast<PHINode>(curValue)) {
+            for (u32_t i = 1; i < phiNode->getNumOperands(); ++i) {
+                insertSourcesOrPushWorklist(phiNode->getOperand(i));
+            }
+        } else if (const LoadInst *loadInst = SVFUtil::dyn_cast<LoadInst>(curValue)) {
+            for (const auto &use: loadInst->getPointerOperand()->uses()) {
+                if (const StoreInst *storeInst = SVFUtil::dyn_cast<StoreInst>(use.getUser())) {
+                    if (storeInst->getPointerOperand() == loadInst) {
+                        insertSourcesOrPushWorklist(storeInst->getValueOperand());
+                    }
+                }
+            }
+        } else if (const Argument *argument = SVFUtil::dyn_cast<Argument>(curValue)) {
+            for (const auto &use: argument->getParent()->uses()) {
+                if (const CallBase *callBase = SVFUtil::dyn_cast<CallBase>(use.getUser())) {
+                    insertSourcesOrPushWorklist(callBase->getArgOperand(argument->getArgNo()));
+                }
+            }
+        } else if (const CallBase *callBase = SVFUtil::dyn_cast<CallBase>(curValue)) {
+            ABORT_IFNOT(!callBase->doesNotReturn(), "callbase does not return:" + VALUE_WITH_DBGINFO(callBase));
+            if (Function *callee = callBase->getCalledFunction()) {
+                if (!callee->isDeclaration()) {
+                    const SVFFunction *svfFunc = LLVMModuleSet::getLLVMModuleSet()->getSVFFunction(callee);
+                    const Value *pValue = LLVMModuleSet::getLLVMModuleSet()->getLLVMValue(svfFunc->getExitBB()->back());
+                    const ReturnInst *retInst = SVFUtil::dyn_cast<ReturnInst>(pValue);
+                    ABORT_IFNOT(retInst && retInst->getReturnValue(), "not return inst?");
+                    insertSourcesOrPushWorklist(retInst->getReturnValue());
+                }
+            }
+        }
+        if (canUpdate) {
+            _valueToSources[curValue] = SVFUtil::move(sources);
+        }
+    }
+    Set<const Value*> srcs = _valueToSources[startValue];
+    if (srcs.empty()) {
+        srcs = {startValue};
+        WARN_MSG("Using default type, trace ID is " + std::to_string(traceId) + ":" + VALUE_WITH_DBGINFO(startValue));
+    }
+    return srcs;
+}
+
 const Type *TypeInference::defaultTy(const Value *val) {
     ABORT_IFNOT(val, "val cannot be null");
-    // heap has a default type of 8-bit integer type
-    if(SVFUtil::isa<Instruction>(val) && SVFUtil::isHeapAllocExtCallViaRet(LLVMModuleSet::getLLVMModuleSet()->getSVFInstruction(SVFUtil::cast<Instruction>(val))))
-        return Type::getInt8Ty(LLVMModuleSet::getLLVMModuleSet()->getContext());
-    // otherwise we return a pointer type in the default address space
     return PointerType::getUnqual(LLVMModuleSet::getLLVMModuleSet()->getContext());
 }
 /*!
  * Forward collect all possible infer sites starting from a value
  * @param startValue
  */
-const Type *TypeInference::getOrInferLLVMObjType(const Value *startValue) {
+const Type *TypeInference::fwGetOrInferLLVMObjType(const Value *startValue) {
     // consult cache
     auto tIt = _valueToType.find(startValue);
     if (tIt != _valueToType.end()) {
@@ -123,7 +205,6 @@ const Type *TypeInference::getOrInferLLVMObjType(const Value *startValue) {
     INC_TRACE();
 
     // simulate the call stack, the second element indicates whether we should update valueTypes for current value
-    typedef std::pair<const Value *, bool> ValueBoolPair;
     FILOWorkList<ValueBoolPair> workList;
     Set<ValueBoolPair> visited;
     workList.push({startValue, false});
@@ -259,7 +340,7 @@ const Type *TypeInference::getOrInferLLVMObjType(const Value *startValue) {
     const Type* type = _valueToType[startValue];
     if (type == nullptr) {
         type = getTypeInference()->defaultTy(startValue);
-        WARN_MSG("empty type, trace ID is " + std::to_string(traceId) + ":" + VALUE_WITH_DBGINFO(startValue));
+        WARN_MSG("Using default type, trace ID is " + std::to_string(traceId) + ":" + VALUE_WITH_DBGINFO(startValue));
     }
     return type;
 }
@@ -272,7 +353,7 @@ const Type *TypeInference::getOrInferLLVMObjType(const Value *startValue) {
 void TypeInference::validateTypeCheck(const CallBase *cs) {
     if (const Function *func = cs->getCalledFunction()) {
         if (func->getName().find(TYPEMALLOC) != std::string::npos) {
-            const Type *objType = getOrInferLLVMObjType(cs);
+            const Type *objType = fwGetOrInferLLVMObjType(cs);
             ConstantInt *pInt =
                     SVFUtil::dyn_cast<llvm::ConstantInt>(cs->getOperand(1));
             assert(pInt && "the second argument is a integer");