Merge pull request #585 from secure-software-engineering/f-lcaSwift

intrinsicBinaryOp, GetElementPtr, and ExtractValue support for IDE LCA

Author: janniclas

.github/workflows/ci.yml

@@ -60,6 +60,7 @@ jobs:
           sudo apt download libclang-rt-14-dev
           sudo dpkg --force-all -i libclang-rt-14-dev*
 
+      - uses: swift-actions/setup-swift@v1
       - name: Building Phasar in ${{ matrix.build }} with ${{ matrix.compiler[0] }}
         env:
           BUILD_TYPE: ${{ matrix.build }}
@@ -72,6 +73,7 @@ jobs:
           cmake .. \
             -DCMAKE_BUILD_TYPE=$BUILD_TYPE \
             -DCMAKE_CXX_COMPILER=$CXX \
+            -DBUILD_SWIFT_TESTS=1 \
             -G Ninja
           cmake --build .
 

CMakeLists.txt

@@ -53,6 +53,13 @@ include("phasar_macros")
 
 option(PHASAR_BUILD_UNITTESTS "Build all tests (default is ON)" ON)
 
+option(BUILD_SWIFT_TESTS "Builds the Swift tests (Swift compiler has to be installed manually beforehand!)" OFF)
+if (BUILD_SWIFT_TESTS)
+  set(CMAKE_Swift_FLAGS_RELEASE "-g")
+  set(CMAKE_Swift_FLAGS_RELWITHDEBINFO "-g")
+  enable_language(Swift)
+endif(BUILD_SWIFT_TESTS)
+
 option(PHASAR_BUILD_OPENSSL_TS_UNITTESTS "Build OPENSSL typestate tests (require OpenSSL, default is OFF)" OFF)
 
 option(PHASAR_BUILD_IR "Build IR test code (default is ON)" ON)

include/phasar/PhasarLLVM/DataFlow/IfdsIde/LLVMFlowFunctions.h

@@ -386,6 +386,38 @@ template <typename Fn, typename Container = std::set<const llvm::Value *>,
               std::is_invocable_r_v<bool, Fn, const llvm::Value *>>>
 FlowFunctionPtrType<const llvm::Value *, Container>
 strongUpdateStore(const llvm::StoreInst *Store, Fn &&GeneratePointerOpIf) {
+  // Here we cheat a bit and "look through" the GetElementPtrInst to the
+  // targeted memory location.
+  const auto *BasePtrOp = Store->getPointerOperand()->stripPointerCasts();
+  if (BasePtrOp != Store->getPointerOperand()) {
+    struct StrongUpdateFlow
+        : public FlowFunction<const llvm::Value *, Container> {
+
+      StrongUpdateFlow(const llvm::Value *PointerOp,
+                       const llvm::Value *BasePtrOp, Fn &&GeneratePointerOpIf)
+          : PointerOp(PointerOp), BasePtrOp(BasePtrOp),
+            Pred(std::forward<Fn>(GeneratePointerOpIf)) {}
+
+      Container computeTargets(const llvm::Value *Source) override {
+        if (Source == PointerOp || Source == BasePtrOp) {
+          return {};
+        }
+        if (std::invoke(Pred, Source)) {
+          return {Source, PointerOp, BasePtrOp};
+        }
+        return {Source};
+      }
+
+      const llvm::Value *PointerOp;
+      const llvm::Value *BasePtrOp;
+      [[no_unique_address]] std::decay_t<Fn> Pred;
+    };
+
+    return std::make_shared<StrongUpdateFlow>(
+        Store->getPointerOperand(), BasePtrOp,
+        std::forward<Fn>(GeneratePointerOpIf));
+  }
+
   struct StrongUpdateFlow
       : public FlowFunction<const llvm::Value *, Container> {
 
@@ -431,10 +463,38 @@ strongUpdateStore(const llvm::StoreInst *Store, Fn &&GeneratePointerOpIf) {
 template <typename Container = std::set<const llvm::Value *>>
 FlowFunctionPtrType<const llvm::Value *, Container>
 strongUpdateStore(const llvm::StoreInst *Store) {
+  // Here we cheat a bit and "look through" the GetElementPtrInst to the
+  // targeted memory location.
+  const auto *BasePtrOp = Store->getPointerOperand()->stripPointerCasts();
+  if (BasePtrOp != Store->getPointerOperand()) {
+    struct StrongUpdateFlow
+        : public FlowFunction<const llvm::Value *, Container> {
+
+      StrongUpdateFlow(const llvm::StoreInst *Store,
+                       const llvm::Value *BasePtrOp) noexcept
+          : Store(Store), BasePtrOp(BasePtrOp) {}
+
+      Container computeTargets(const llvm::Value *Source) override {
+        if (Source == Store->getPointerOperand() || Source == BasePtrOp) {
+          return {};
+        }
+        if (Source == Store->getValueOperand()) {
+          return {Source, Store->getPointerOperand(), BasePtrOp};
+        }
+        return {Source};
+      }
+
+      const llvm::StoreInst *Store;
+      const llvm::Value *BasePtrOp;
+    };
+
+    return std::make_shared<StrongUpdateFlow>(Store, BasePtrOp);
+  }
+
   struct StrongUpdateFlow
       : public FlowFunction<const llvm::Value *, Container> {
 
-    StrongUpdateFlow(const llvm::StoreInst *Store) : Store(Store) {}
+    StrongUpdateFlow(const llvm::StoreInst *Store) noexcept : Store(Store) {}
 
     Container computeTargets(const llvm::Value *Source) override {
       if (Source == Store->getPointerOperand()) {

include/phasar/PhasarLLVM/DataFlow/IfdsIde/LLVMZeroValue.h

@@ -49,12 +49,13 @@ class LLVMZeroValue : public llvm::GlobalVariable {
     return LLVMZeroValueInternalName;
   }
 
-  static bool isLLVMZeroValue(const llvm::Value *V) {
-    return V == getInstance();
-  }
-
   // Do not specify a destructor (at all)!
   static const LLVMZeroValue *getInstance();
+
+  // NOLINTNEXTLINE(readability-identifier-naming)
+  static constexpr auto isLLVMZeroValue = [](const llvm::Value *V) {
+    return V == getInstance();
+  };
 };
 } // namespace psr
 

include/phasar/PhasarLLVM/DataFlow/IfdsIde/Problems/IDELinearConstantAnalysis.h

@@ -65,13 +65,11 @@ class IDELinearConstantAnalysis
     std::string SrcNode;
     std::map<std::string, l_t> VariableToValue;
     std::vector<n_t> IRTrace;
-    void print(llvm::raw_ostream &OS);
+    void print(llvm::raw_ostream &OS) const;
     inline bool operator==(const LCAResult &Rhs) const {
       return SrcNode == Rhs.SrcNode && VariableToValue == Rhs.VariableToValue &&
              IRTrace == Rhs.IRTrace;
     }
-
-    operator std::string() const;
   };
 
   using lca_results_t = std::map<std::string, std::map<unsigned, LCAResult>>;
@@ -91,6 +89,8 @@ class IDELinearConstantAnalysis
   getCallToRetFlowFunction(n_t CallSite, n_t RetSite,
                            llvm::ArrayRef<f_t> Callees) override;
 
+  FlowFunctionPtrType getSummaryFlowFunction(n_t Curr, f_t CalleeFun) override;
+
   [[nodiscard]] InitialSeeds<n_t, d_t, l_t> initialSeeds() override;
 
   [[nodiscard]] d_t createZeroValue() const;
@@ -116,6 +116,10 @@ class IDELinearConstantAnalysis
                            d_t RetSiteNode,
                            llvm::ArrayRef<f_t> Callees) override;
 
+  std::shared_ptr<EdgeFunction<l_t>>
+  getSummaryEdgeFunction(n_t Curr, d_t CurrNode, n_t Succ,
+                         d_t SuccNode) override;
+
   std::shared_ptr<EdgeFunction<l_t>> allTopFunction() override;
 
   // Helper functions

lib/PhasarLLVM/DataFlow/IfdsIde/Problems/IDELinearConstantAnalysis.cpp

@@ -30,6 +30,7 @@
 #include "llvm/IR/InstrTypes.h"
 #include "llvm/IR/Instruction.h"
 #include "llvm/IR/Instructions.h"
+#include "llvm/IR/IntrinsicInst.h"
 #include "llvm/IR/LLVMContext.h"
 #include "llvm/IR/Type.h"
 #include "llvm/IR/Value.h"
@@ -296,20 +297,25 @@ IDELinearConstantAnalysis::getNormalFlowFunction(n_t Curr, n_t /*Succ*/) {
     d_t ValueOp = Store->getValueOperand();
     // Case I: Storing a constant integer.
     if (llvm::isa<llvm::ConstantInt>(ValueOp)) {
-      // return Identity<d_t>::getInstance();
-      return strongUpdateStore(Store, [](d_t Source) {
-        return LLVMZeroValue::isLLVMZeroValue(Source);
-      });
+      return strongUpdateStore(Store, LLVMZeroValue::isLLVMZeroValue);
     }
+
     // Case II: Storing an integer typed value.
     if (ValueOp->getType()->isIntegerTy()) {
       return strongUpdateStore(Store);
     }
   }
+
+  if (const auto *GEP = llvm::dyn_cast<llvm::GetElementPtrInst>(Curr)) {
+    if (GEP->getResultElementType()->isIntegerTy()) {
+      const auto *Op = GEP->getPointerOperand();
+      return generateFlow(GEP, Op);
+    }
+  }
   // check load instructions
   if (const auto *Load = llvm::dyn_cast<llvm::LoadInst>(Curr)) {
     // only consider i32 load
-    if (Load->getPointerOperandType()->getPointerElementType()->isIntegerTy()) {
+    if (Load->getType()->isIntegerTy()) {
       return generateFlowIf<d_t>(Load, [Load](d_t Source) {
         return Source == Load->getPointerOperand();
       });
@@ -327,6 +333,21 @@ IDELinearConstantAnalysis::getNormalFlowFunction(n_t Curr, n_t /*Succ*/) {
               llvm::isa<llvm::ConstantInt>(Rop));
     });
   }
+
+  if (const auto *Extract = llvm::dyn_cast<llvm::ExtractValueInst>(Curr)) {
+    const auto *Agg = Extract->getAggregateOperand();
+
+    /// We are extracting the result of a BinaryOpIntrinsic
+    /// The first parameter holds the resulting integer if
+    /// no error occured during the operation
+    if (const auto *BinIntrinsic =
+            llvm::dyn_cast<llvm::BinaryOpIntrinsic>(Agg)) {
+      if (Extract->getType()->isIntegerTy()) {
+        return generateFlow<d_t>(Curr, Agg);
+      }
+    }
+  }
+
   return identityFlow<d_t>();
 }
 
@@ -417,6 +438,25 @@ IDELinearConstantAnalysis::initialSeeds() {
   return Seeds;
 }
 
+IDELinearConstantAnalysis::FlowFunctionPtrType
+IDELinearConstantAnalysis::getSummaryFlowFunction(n_t Curr, f_t /*CalleeFun*/) {
+
+  if (const auto *BinIntrinsic =
+          llvm::dyn_cast<llvm::BinaryOpIntrinsic>(Curr)) {
+    auto *Lop = BinIntrinsic->getLHS();
+    auto *Rop = BinIntrinsic->getRHS();
+
+    return generateFlowIf<d_t>(BinIntrinsic, [this, Lop, Rop](d_t Source) {
+      /// Intentionally include nonlinear operations here for being able to
+      /// explicitly set them to BOTTOM in the edge function
+      return (Lop == Source) || (Rop == Source) ||
+             (isZeroValue(Source) && llvm::isa<llvm::ConstantInt>(Lop) &&
+              llvm::isa<llvm::ConstantInt>(Rop));
+    });
+  }
+  return nullptr;
+}
+
 IDELinearConstantAnalysis::d_t
 IDELinearConstantAnalysis::createZeroValue() const {
   // create a special value to represent the zero value!
@@ -538,6 +578,29 @@ IDELinearConstantAnalysis::getCallToRetEdgeFunction(
   return EdgeIdentity<l_t>::getInstance();
 }
 
+std::shared_ptr<EdgeFunction<IDELinearConstantAnalysis::l_t>>
+IDELinearConstantAnalysis::getSummaryEdgeFunction(n_t Curr, d_t CurrNode,
+                                                  n_t /*Succ*/, d_t SuccNode) {
+
+  if (const auto *BinIntrinsic =
+          llvm::dyn_cast<llvm::BinaryOpIntrinsic>(Curr)) {
+    auto *Lop = BinIntrinsic->getLHS();
+    auto *Rop = BinIntrinsic->getRHS();
+    unsigned OP = BinIntrinsic->getBinaryOp();
+
+    // For non linear constant computation we propagate bottom
+    if ((CurrNode == Lop && !llvm::isa<llvm::ConstantInt>(Rop)) ||
+        (CurrNode == Rop && !llvm::isa<llvm::ConstantInt>(Lop))) {
+      return AllBottom<l_t>::getInstance();
+    }
+
+    if (Curr == SuccNode && CurrNode != SuccNode) {
+      return std::make_shared<lca::BinOp>(OP, Lop, Rop, CurrNode);
+    }
+  }
+  return EdgeIdentity<l_t>::getInstance();
+}
+
 std::shared_ptr<EdgeFunction<IDELinearConstantAnalysis::l_t>>
 IDELinearConstantAnalysis::allTopFunction() {
   return std::make_shared<AllTop<l_t>>();
@@ -709,13 +772,7 @@ IDELinearConstantAnalysis::getLCAResults(SolverResults<n_t, d_t, l_t> SR) {
   return AggResults;
 }
 
-void IDELinearConstantAnalysis::LCAResult::print(llvm::raw_ostream &OS) {
-  OS << this;
-}
-
-IDELinearConstantAnalysis::LCAResult::operator std::string() const {
-  std::string Buffer;
-  llvm::raw_string_ostream OS(Buffer);
+void IDELinearConstantAnalysis::LCAResult::print(llvm::raw_ostream &OS) const {
   OS << "Line " << LineNr << ": " << SrcNode << '\n';
   OS << "Var(s): ";
   for (auto It = VariableToValue.begin(); It != VariableToValue.end(); ++It) {
@@ -728,7 +785,6 @@ IDELinearConstantAnalysis::LCAResult::operator std::string() const {
   for (const auto *Ir : IRTrace) {
     OS << "  " << llvmIRToString(Ir) << '\n';
   }
-  return Buffer;
 }
 
 } // namespace psr

test/CMakeLists.txt

@@ -1,2 +1,5 @@
 add_subdirectory(llvm_test_code)
 add_subdirectory(text_test_code)
+if(BUILD_SWIFT_TESTS)
+    add_subdirectory(llvm_swift_test_code)
+endif()

test/llvm_swift_test_code/CMakeLists.txt

@@ -0,0 +1 @@
+add_subdirectory(linear_constant)

test/llvm_swift_test_code/linear_constant/CMakeLists.txt

@@ -0,0 +1,9 @@
+file(GLOB lca_files *.swift)
+
+set(SWIFT_COMPILE_IR_FLAGS -emit-ir -suppress-warnings -g -parse-as-library -Onone -Xfrontend -disable-llvm-optzns -Xfrontend -disable-swift-specific-llvm-optzns)
+
+foreach(TEST_SRC ${lca_files})
+  get_filename_component(TEST_SRC_FILE ${TEST_SRC} NAME_WE)
+  add_executable(${TEST_SRC_FILE}.ll ${TEST_SRC})
+  target_compile_options(${TEST_SRC_FILE}.ll PRIVATE ${SWIFT_COMPILE_IR_FLAGS})
+endforeach(TEST_SRC)

test/llvm_swift_test_code/linear_constant/basic_swift_01.swift

@@ -0,0 +1,16 @@
+@main
+struct MyMain {
+
+    static func main() {
+        // The code of this method can't be directly placed inside
+        // the main function or it would be removed by the compiler
+        // due to mandatory optimizations.
+        var _ = simpleAdd(x: 1)
+    }
+
+    static func simpleAdd(x: Int) -> Int {
+        var a = x
+        var b = a + 41
+        return b
+    }
+}