Skip to content

[WIP]Add sparse abstract execution with def-use driven state propagation#1796

Open
bjjwwang wants to merge 1 commit intoSVF-tools:masterfrom
bjjwwang:worklist2
Open

[WIP]Add sparse abstract execution with def-use driven state propagation#1796
bjjwwang wants to merge 1 commit intoSVF-tools:masterfrom
bjjwwang:worklist2

Conversation

@bjjwwang
Copy link
Copy Markdown
Contributor

@bjjwwang bjjwwang commented Mar 3, 2026
edited
Loading

Implement sparse mode (-sparse flag) for Abstract Interpretation that propagates only needed variables instead of full abstract states:

  • APIs:
      const ICFGNode* getDefICFGNode(const ValVar* var)
    {
        assert(Options::SparseAE() && "getDefICFGNode is only for sparse mode");
        return var->getICFGNode();
    }

    /// Get the definition ICFG nodes of an address-taken variable (sparse mode only)
    const std::vector<const ICFGNode*>& getDefICFGNodes(const ObjVar* var)
    {
        assert(Options::SparseAE() && sparseDefUse && "getDefICFGNodes is only for sparse mode");
        return sparseDefUse->getDefICFGNodes(var->getId());
    }

    /// Get top-level ValVars accessed at an ICFG node (sparse mode only)
    std::vector<const ValVar*> getValVars(const ICFGNode* node);

    /// Get address-taken ObjVars accessed at an ICFG node via points-to (sparse mode only)
    std::vector<const ObjVar*> getObjVars(const ICFGNode* node);

    /// Get all SVFVars (ValVars + ObjVars) accessed at an ICFG node (sparse mode only)
    std::vector<const SVFVar*> getSVFVars(const ICFGNode* node);

    /// Retrieve abstract value at the definition site of a top-level variable
    AbstractValue getAbstractValue(const ValVar* var);

    /// Retrieve abstract value at the definition sites of an address-taken variable (join all defs)
    AbstractValue getAbstractValue(const ObjVar* var);

    /// Retrieve abstract value at the definition site(s) of an SVF variable (dispatches to ValVar/ObjVar)
    AbstractValue getAbstractValue(const SVFVar* var);

    /// Build an AbstractState from definition sites of multiple top-level variables
    AbstractState getAbstractState(const std::vector<const ValVar*>& vars);

    /// Build an AbstractState from definition sites of multiple address-taken variables
    AbstractState getAbstractState(const std::vector<const ObjVar*>& vars);

    /// Build an AbstractState from definition sites of multiple SVF variables
    AbstractState getAbstractState(const std::vector<const SVFVar*>& vars);
  • Add SparseDefUse: maps ObjVars to their StoreStmt definition ICFGNodes
  • Add sparseStatePropagate: fetches ValVars from SSA def sites and ObjVars from StoreStmt def sites (with global node fallback for constants/AddrStmt)
  • Add getAbstractState(ICFGNode*): unified pure-query API replacing getAbsStateFromTrace
  • Fix IntervalValue operator<< signed overflow: use (s64_t)1 with threshold 63

CI Result

including ae-sparse, ae-overflow-sparse and ae-null-deref sparse

Wait a second, I'll attach.

@bjjwwang bjjwwang changed the title Add sparse abstract execution with def-use driven state propagation [WIP]Add sparse abstract execution with def-use driven state propagation Mar 3, 2026
@bjjwwang bjjwwang force-pushed the worklist2 branch 3 times, most recently from 676d919 to 1fdfa44 Compare March 3, 2026 02:36
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 3, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 18.95425% with 248 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.47%. Comparing base (a64b0ef) to head (e676d5f).
⚠️ Report is 35 commits behind head on master.

Files with missing lines Patch % Lines
svf/lib/AE/Svfexe/AbstractInterpretation.cpp 16.20% 150 Missing ⚠️
svf/lib/AE/Svfexe/PreAnalysis.cpp 0.00% 52 Missing ⚠️
svf/lib/AE/Svfexe/AEDetector.cpp 16.00% 21 Missing ⚠️
svf/lib/AE/Svfexe/SparseDefUse.cpp 0.00% 8 Missing ⚠️
svf/lib/AE/Svfexe/AbsExtAPI.cpp 68.18% 7 Missing ⚠️
svf/include/AE/Svfexe/SparseDefUse.h 0.00% 5 Missing ⚠️
svf/include/AE/Svfexe/PreAnalysis.h 0.00% 3 Missing ⚠️
svf/include/AE/Core/AbstractState.h 66.66% 1 Missing ⚠️
svf/include/AE/Svfexe/AbstractInterpretation.h 66.66% 1 Missing ⚠️

❌ Your project check has failed because the head coverage (63.47%) is below the target coverage (63.50%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files

Impacted file tree graph

@@            Coverage Diff             @@
##           master    #1796      +/-   ##
==========================================
- Coverage   64.08%   63.47%   -0.62%     
==========================================
  Files         245      247       +2     
  Lines       24637    24885     +248     
  Branches     4657     4727      +70     
==========================================
+ Hits        15789    15795       +6     
- Misses       8848     9090     +242
Files with missing lines Coverage Δ
svf/include/AE/Core/IntervalValue.h 71.09% <100.00%> (ø)
svf/include/AE/Svfexe/AEDetector.h 97.87% <100.00%> (ø)
svf/include/AE/Core/AbstractState.h 84.84% <66.66%> (-1.09%) ⬇️
svf/include/AE/Svfexe/AbstractInterpretation.h 95.23% <66.66%> (ø)
svf/include/AE/Svfexe/PreAnalysis.h 40.00% <0.00%> (-60.00%) ⬇️
svf/include/AE/Svfexe/SparseDefUse.h 0.00% <0.00%> (ø)
svf/lib/AE/Svfexe/AbsExtAPI.cpp 89.33% <68.18%> (-1.52%) ⬇️
svf/lib/AE/Svfexe/SparseDefUse.cpp 0.00% <0.00%> (ø)
svf/lib/AE/Svfexe/AEDetector.cpp 78.21% <16.00%> (-6.96%) ⬇️
svf/lib/AE/Svfexe/PreAnalysis.cpp 31.57% <0.00%> (-68.43%) ⬇️
... and 1 more
🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

yuleisui
yuleisui reviewed Mar 3, 2026
View reviewed changes
Comment thread svf/lib/AE/Svfexe/AbsExtAPI.cpp
#define SSE_FUNC_PROCESS(LLVM_NAME ,FUNC_NAME) \
auto sse_##FUNC_NAME = [this](const CallICFGNode *callNode) { \
/* run real ext function */ \
AbstractState& as = getAbsStateFromTrace(callNode); \
Copy link
Copy Markdown
Collaborator

@yuleisui yuleisui Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can keep the name "getAbsStateFromTrace"?

Copy link
Copy Markdown
Collaborator

@yuleisui yuleisui Mar 3, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please change getAbsStateFromTrace to getAbsState and also update wiki page of AE here:

https://github.com/SVF-tools/Software-Security-Analysis/wiki/AE-CPP-APIs#assignment-3

https://github.com/SVF-tools/Software-Security-Analysis/wiki/AE-Python-APIs#assignment-3

@claude
Add sparse abstract interpretation with def-use driven state propagation
e676d5f 
Introduces sparse mode (-sparse flag) for Abstract Interpretation that
propagates only needed variable states at each ICFG node, instead of
copying full abstract states from predecessors.

Key components:
- SparseDefUse: maps address-taken ObjVars to their StoreStmt def sites
- getValVars/getObjVars/getSVFVars: collect variables needed at each node
- getAbstractValue(ValVar/ObjVar/SVFVar): fetch values from SSA def sites
- getAbstractState(vector<ValVar*/ObjVar*/SVFVar*>): build sparse states
- sparseStatePropagate: orchestrates sparse fetch before node handling
- Widen set: PreAnalysis computes variables defined in each loop body,
  ensuring all loop-modified variables participate in widening/narrowing
- Fix IntervalValue operator<< signed overflow (1<<31 in 32-bit int)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
bjjwwang pushed a commit to bjjwwang/SVF that referenced this pull request Mar 14, 2026
@claude
feat: implement sparse abstract interpretation with flow-insensitive …
90b2b47 
…def-use

Replace SVFG-based sparse propagation with a simpler flow-insensitive
SparseDefUse approach (per PR SVF-tools#1796 pattern). In sparse mode (-sparse-ae),
each ICFG node pulls only the variables it needs from their definition sites
instead of propagating full states along all edges.

Key changes:
- PreAnalysis: remove SVFG dependency, add buildObjDefTable() that scans
  all StoreStmts to build objId→[defNodes] map
- AbstractInterpretation: add buildSparseState() (pull from def-sites) and
  collectNeededVars() (gather RHS variables per statement type)
- AbstractState: const accessors use find() instead of at() for safety
- Remove propagateObjVarAbsVal (dead code after SVFG removal)

Results: 198/342 tests pass (58%), 98.1% state var size reduction.
Remaining failures are due to flow-insensitive ObjVar joins and missing
branch refinement — expected limitations of this approach.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@yuleisui yuleisui yuleisui left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bjjwwang @yuleisui