fix VTables for collapsed types. llvm-link collapsed multiple C++ types with identical members to one single LLVM type. The current virtual function call resolution then only considers the VTable of the LLVM type that represents all of the collapsed type. Now, we look for all VTables that the function pointer aliases with and extract the possible callees from them.

Martin Mory · Martin Mory · commit b8cb1b9cc181 · 2022-05-06T13:36:17.000+02:00
diff --git a/include/phasar/PhasarLLVM/TypeHierarchy/LLVMVFTable.h b/include/phasar/PhasarLLVM/TypeHierarchy/LLVMVFTable.h
@@ -19,6 +19,7 @@
 
 namespace llvm {
 class Function;
+class ConstantStruct;
 } // namespace llvm
 
 namespace psr {
@@ -84,6 +85,9 @@ class LLVMVFTable : public VFTable<const llvm::Function *> {
   end() const {
     return VFT.end();
   };
+
+  [[nodiscard]] static std::vector<const llvm::Function *>
+  getVFVectorFromIRVTable(const llvm::ConstantStruct *);
 };
 
 } // namespace psr
diff --git a/lib/PhasarLLVM/ControlFlow/Resolver/OTFResolver.cpp b/lib/PhasarLLVM/ControlFlow/Resolver/OTFResolver.cpp
@@ -105,29 +105,34 @@ auto OTFResolver::resolveVirtualCall(const llvm::CallBase *CallSite)
 
   const llvm::Value *Receiver = CallSite->getArgOperand(0);
 
-  // Use points-to information to resolve the indirect call
-  auto AllocSites = PT.getReachableAllocationSites(Receiver);
-  auto PossibleAllocatedTypes = getReachableTypes(*AllocSites);
-
-  // Now we must check if we have found some allocated struct types
-  set<const llvm::StructType *> PossibleTypes;
-  for (const auto *Type : PossibleAllocatedTypes) {
-    if (const auto *StructType =
-            llvm::dyn_cast<llvm::StructType>(stripPointer(Type))) {
-      PossibleTypes.insert(StructType);
-    }
-  }
+  if (CallSite->getCalledOperand() &&
+      CallSite->getCalledOperand()->getType()->isPointerTy()) {
+    if (const auto *FTy = llvm::dyn_cast<llvm::FunctionType>(
+            CallSite->getCalledOperand()->getType()->getPointerElementType())) {
 
-  for (const auto *PossibleTypeStruct : PossibleTypes) {
-    const auto *Target =
-        getNonPureVirtualVFTEntry(PossibleTypeStruct, VtableIndex, CallSite);
-    if (Target) {
-      PossibleCallTargets.insert(Target);
+      auto PTS = PT.getPointsToSet(CallSite->getCalledOperand(), CallSite);
+      for (const auto *P : *PTS) {
+        if (auto *PGV = llvm::dyn_cast<llvm::GlobalVariable>(P)) {
+          if (PGV->hasName() && PGV->getName().startswith("_ZTV") &&
+              PGV->hasInitializer()) {
+            if (auto *PCS = llvm::dyn_cast<llvm::ConstantStruct>(
+                    PGV->getInitializer())) {
+              auto VFs = LLVMVFTable::getVFVectorFromIRVTable(PCS);
+              if (VtableIndex < 0 || VtableIndex >= VFs.size()) {
+                continue;
+              }
+              auto *Callee = VFs[VtableIndex];
+              if (Callee == nullptr || !Callee->hasName() ||
+                  Callee->getName() == "__cxa_pure_virtual") {
+                continue;
+              }
+              PossibleCallTargets.insert(Callee);
+            }
+          }
+        }
+      }
     }
   }
-  if (PossibleCallTargets.empty()) {
-    return CHAResolver::resolveVirtualCall(CallSite);
-  }
 
   return PossibleCallTargets;
 }
diff --git a/lib/PhasarLLVM/TypeHierarchy/LLVMTypeHierarchy.cpp b/lib/PhasarLLVM/TypeHierarchy/LLVMTypeHierarchy.cpp
@@ -203,29 +203,7 @@ LLVMTypeHierarchy::getVirtualFunctions(const llvm::Module &M,
       }
       if (const auto *I =
               llvm::dyn_cast<llvm::ConstantStruct>(TI->getInitializer())) {
-        for (const auto &Op : I->operands()) {
-          if (auto *CA = llvm::dyn_cast<llvm::ConstantArray>(Op)) {
-            for (auto &COp : CA->operands()) {
-              if (auto *CE = llvm::dyn_cast<llvm::ConstantExpr>(COp)) {
-                std::unique_ptr<llvm::Instruction, decltype(&deleteValue)> AsI(
-                    CE->getAsInstruction(), &deleteValue);
-                if (auto *BC = llvm::dyn_cast<llvm::BitCastInst>(AsI.get())) {
-                  // if the entry is a GlobalAlias, get its Aliasee
-                  auto *ENTRY = BC->getOperand(0);
-                  while (auto *GA = llvm::dyn_cast<llvm::GlobalAlias>(ENTRY)) {
-                    ENTRY = GA->getAliasee();
-                  }
-
-                  if (ENTRY->hasName()) {
-                    if (auto *F = M.getFunction(ENTRY->getName())) {
-                      VFS.push_back(F);
-                    }
-                  }
-                }
-              }
-            }
-          }
-        }
+        VFS = LLVMVFTable::getVFVectorFromIRVTable(I);
       }
     }
   }
diff --git a/lib/PhasarLLVM/TypeHierarchy/LLVMVFTable.cpp b/lib/PhasarLLVM/TypeHierarchy/LLVMVFTable.cpp
@@ -12,6 +12,8 @@
 #include <utility>
 
 #include "llvm/IR/Function.h"
+#include "llvm/IR/GlobalAlias.h"
+#include "llvm/IR/Operator.h"
 
 #include "phasar/PhasarLLVM/TypeHierarchy/LLVMVFTable.h"
 
@@ -48,4 +50,33 @@ nlohmann::json LLVMVFTable::getAsJson() const {
   return J;
 }
 
+std::vector<const llvm::Function *>
+LLVMVFTable::getVFVectorFromIRVTable(const llvm::ConstantStruct *VT) {
+  std::vector<const llvm::Function *> VFS;
+  for (const auto &Op : VT->operands()) {
+    if (auto *CA = llvm::dyn_cast<llvm::ConstantArray>(Op)) {
+      for (auto It = CA->operands().begin() + 2; It != CA->operands().end();
+           ++It) {
+        auto &COp = *It;
+        if (auto *CE = llvm::dyn_cast<llvm::ConstantExpr>(COp)) {
+          if (auto *BC = llvm::dyn_cast<llvm::BitCastOperator>(CE)) {
+            // if the entry is a GlobalAlias, get its Aliasee
+            auto *ENTRY = BC->getOperand(0);
+            while (auto *GA = llvm::dyn_cast<llvm::GlobalAlias>(ENTRY)) {
+              ENTRY = GA->getAliasee();
+            }
+            auto *F = llvm::dyn_cast<llvm::Function>(ENTRY);
+            VFS.push_back(F);
+          } else {
+            VFS.push_back(nullptr);
+          }
+        } else {
+          VFS.push_back(nullptr);
+        }
+      }
+    }
+  }
+  return VFS;
+}
+
 } // namespace psr
