Fix Callgraph by filtering out impossible virtual call targets (#586)

fabianbs96 · web-flow · commit ef202dc8ba53 · 2023-02-16T19:38:03.000+01:00
diff --git a/include/phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h b/include/phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h
@@ -39,11 +39,16 @@ enum class CallGraphAnalysisType;
 class LLVMBasedICFG;
 class LLVMPointsToInfo;
 
-std::optional<unsigned> getVFTIndex(const llvm::CallBase *CallSite);
+[[nodiscard]] std::optional<unsigned>
+getVFTIndex(const llvm::CallBase *CallSite);
 
-const llvm::StructType *getReceiverType(const llvm::CallBase *CallSite);
+[[nodiscard]] const llvm::StructType *
+getReceiverType(const llvm::CallBase *CallSite);
 
-std::string getReceiverTypeName(const llvm::CallBase &CallSite);
+[[nodiscard]] std::string getReceiverTypeName(const llvm::CallBase *CallSite);
+
+[[nodiscard]] bool isConsistentCall(const llvm::CallBase *CallSite,
+                                    const llvm::Function *DestFun);
 
 class Resolver {
 protected:
diff --git a/lib/PhasarLLVM/ControlFlow/Resolver/OTFResolver.cpp b/lib/PhasarLLVM/ControlFlow/Resolver/OTFResolver.cpp
@@ -10,6 +10,7 @@
 #include "phasar/PhasarLLVM/ControlFlow/Resolver/OTFResolver.h"
 
 #include "phasar/PhasarLLVM/ControlFlow/LLVMBasedICFG.h"
+#include "phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h"
 #include "phasar/PhasarLLVM/TypeHierarchy/LLVMTypeHierarchy.h"
 #include "phasar/PhasarLLVM/Utils/LLVMShorthands.h"
 #include "phasar/Utils/Logger.h"
@@ -114,7 +115,8 @@ auto OTFResolver::resolveVirtualCall(const llvm::CallBase *CallSite)
               }
               const auto *Callee = VFs[VtableIndex];
               if (Callee == nullptr || !Callee->hasName() ||
-                  Callee->getName() == LLVMTypeHierarchy::PureVirtualCallName) {
+                  Callee->getName() == LLVMTypeHierarchy::PureVirtualCallName ||
+                  !isConsistentCall(CallSite, Callee)) {
                 continue;
               }
               PossibleCallTargets.insert(Callee);
@@ -130,96 +132,93 @@ auto OTFResolver::resolveVirtualCall(const llvm::CallBase *CallSite)
 
 auto OTFResolver::resolveFunctionPointer(const llvm::CallBase *CallSite)
     -> FunctionSetTy {
+  if (!CallSite->getCalledOperand()) {
+    return {};
+  }
+
   FunctionSetTy Callees;
-  if (CallSite->getCalledOperand() &&
-      CallSite->getCalledOperand()->getType()->isPointerTy()) {
-    if (const auto *FTy = llvm::dyn_cast<llvm::FunctionType>(
-            CallSite->getCalledOperand()->getType()->getPointerElementType())) {
 
-      auto PTS = PT.getAliasSet(CallSite->getCalledOperand(), CallSite);
+  auto PTS = PT.getAliasSet(CallSite->getCalledOperand(), CallSite);
 
-      llvm::SmallVector<const llvm::GlobalVariable *, 2> GlobalVariableWL;
-      llvm::SmallVector<const llvm::ConstantAggregate *> ConstantAggregateWL;
-      llvm::SmallPtrSet<const llvm::ConstantAggregate *, 4>
-          VisitedConstantAggregates;
+  llvm::SmallVector<const llvm::GlobalVariable *, 2> GlobalVariableWL;
+  llvm::SmallVector<const llvm::ConstantAggregate *> ConstantAggregateWL;
+  llvm::SmallPtrSet<const llvm::ConstantAggregate *, 4>
+      VisitedConstantAggregates;
 
-      for (const auto *P : *PTS) {
-        if (!llvm::isa<llvm::Constant>(P)) {
-          continue;
-        }
+  for (const auto *P : *PTS) {
+    if (!llvm::isa<llvm::Constant>(P)) {
+      continue;
+    }
 
-        GlobalVariableWL.clear();
-        ConstantAggregateWL.clear();
+    GlobalVariableWL.clear();
+    ConstantAggregateWL.clear();
 
-        if (P->getType()->isPointerTy() &&
-            P->getType()->getPointerElementType()->isFunctionTy()) {
-          if (const auto *F = llvm::dyn_cast<llvm::Function>(P)) {
-            if (matchesSignature(F, FTy, false)) {
-              Callees.insert(F);
-            }
-          }
+    if (P->getType()->isPointerTy() &&
+        P->getType()->getPointerElementType()->isFunctionTy()) {
+      if (const auto *F = llvm::dyn_cast<llvm::Function>(P)) {
+        if (isConsistentCall(CallSite, F)) {
+          Callees.insert(F);
         }
+      }
+    }
 
-        if (const auto *GVP = llvm::dyn_cast<llvm::GlobalVariable>(P)) {
-          GlobalVariableWL.push_back(GVP);
-        } else if (const auto *CE = llvm::dyn_cast<llvm::ConstantExpr>(P)) {
-          for (const auto &Op : CE->operands()) {
-            if (const auto *GVOp = llvm::dyn_cast<llvm::GlobalVariable>(Op)) {
-              GlobalVariableWL.push_back(GVOp);
-            }
-          }
+    if (const auto *GVP = llvm::dyn_cast<llvm::GlobalVariable>(P)) {
+      GlobalVariableWL.push_back(GVP);
+    } else if (const auto *CE = llvm::dyn_cast<llvm::ConstantExpr>(P)) {
+      for (const auto &Op : CE->operands()) {
+        if (const auto *GVOp = llvm::dyn_cast<llvm::GlobalVariable>(Op)) {
+          GlobalVariableWL.push_back(GVOp);
         }
+      }
+    }
 
-        if (GlobalVariableWL.empty()) {
-          continue;
-        }
+    if (GlobalVariableWL.empty()) {
+      continue;
+    }
 
-        for (const auto *GV : GlobalVariableWL) {
-          if (!GV->hasInitializer()) {
-            continue;
-          }
-          const auto *InitConst = GV->getInitializer();
-          if (const auto *InitConstAggregate =
-                  llvm::dyn_cast<llvm::ConstantAggregate>(InitConst)) {
-            ConstantAggregateWL.push_back(InitConstAggregate);
+    for (const auto *GV : GlobalVariableWL) {
+      if (!GV->hasInitializer()) {
+        continue;
+      }
+      const auto *InitConst = GV->getInitializer();
+      if (const auto *InitConstAggregate =
+              llvm::dyn_cast<llvm::ConstantAggregate>(InitConst)) {
+        ConstantAggregateWL.push_back(InitConstAggregate);
+      }
+    }
+
+    VisitedConstantAggregates.clear();
+
+    while (!ConstantAggregateWL.empty()) {
+      const auto *ConstAggregateItem = ConstantAggregateWL.pop_back_val();
+      // We may have already processed the item, avoid an infinite loop
+      if (!VisitedConstantAggregates.insert(ConstAggregateItem).second) {
+        continue;
+      }
+      for (const auto &Op : ConstAggregateItem->operands()) {
+        if (const auto *CE = llvm::dyn_cast<llvm::ConstantExpr>(Op)) {
+          if (CE->getType()->isPointerTy() && CE->isCast()) {
+            if (const auto *F =
+                    llvm::dyn_cast<llvm::Function>(CE->getOperand(0));
+                F && isConsistentCall(CallSite, F)) {
+              Callees.insert(F);
+            }
           }
         }
 
-        VisitedConstantAggregates.clear();
-
-        while (!ConstantAggregateWL.empty()) {
-          const auto *ConstAggregateItem = ConstantAggregateWL.pop_back_val();
-          // We may have already processed the item, avoid an infinite loop
-          if (!VisitedConstantAggregates.insert(ConstAggregateItem).second) {
+        if (const auto *F = llvm::dyn_cast<llvm::Function>(Op)) {
+          if (isConsistentCall(CallSite, F)) {
+            Callees.insert(F);
+          }
+        } else if (auto *CA = llvm::dyn_cast<llvm::ConstantAggregate>(Op)) {
+          ConstantAggregateWL.push_back(CA);
+        } else if (auto *GV = llvm::dyn_cast<llvm::GlobalVariable>(Op)) {
+          if (!GV->hasInitializer()) {
             continue;
           }
-          for (const auto &Op : ConstAggregateItem->operands()) {
-            if (const auto *CE = llvm::dyn_cast<llvm::ConstantExpr>(Op)) {
-              if (CE->getType()->isPointerTy() &&
-                  CE->getType()->getPointerElementType() == FTy &&
-                  CE->isCast()) {
-                if (const auto *F =
-                        llvm::dyn_cast<llvm::Function>(CE->getOperand(0))) {
-                  Callees.insert(F);
-                }
-              }
-            }
-
-            if (const auto *F = llvm::dyn_cast<llvm::Function>(Op)) {
-              if (matchesSignature(F, FTy, false)) {
-                Callees.insert(F);
-              }
-            } else if (auto *CA = llvm::dyn_cast<llvm::ConstantAggregate>(Op)) {
-              ConstantAggregateWL.push_back(CA);
-            } else if (auto *GV = llvm::dyn_cast<llvm::GlobalVariable>(Op)) {
-              if (!GV->hasInitializer()) {
-                continue;
-              }
-              if (auto *GVCA = llvm::dyn_cast<llvm::ConstantAggregate>(
-                      GV->getInitializer())) {
-                ConstantAggregateWL.push_back(GVCA);
-              }
-            }
+          if (auto *GVCA = llvm::dyn_cast<llvm::ConstantAggregate>(
+                  GV->getInitializer())) {
+            ConstantAggregateWL.push_back(GVCA);
           }
         }
       }
diff --git a/lib/PhasarLLVM/ControlFlow/Resolver/Resolver.cpp b/lib/PhasarLLVM/ControlFlow/Resolver/Resolver.cpp
@@ -38,9 +38,7 @@
 #include <optional>
 #include <set>
 
-namespace psr {
-
-std::optional<unsigned> getVFTIndex(const llvm::CallBase *CallSite) {
+std::optional<unsigned> psr::getVFTIndex(const llvm::CallBase *CallSite) {
   // deal with a virtual member function
   // retrieve the vtable entry that is called
   const auto *Load =
@@ -59,7 +57,7 @@ std::optional<unsigned> getVFTIndex(const llvm::CallBase *CallSite) {
   return std::nullopt;
 }
 
-const llvm::StructType *getReceiverType(const llvm::CallBase *CallSite) {
+const llvm::StructType *psr::getReceiverType(const llvm::CallBase *CallSite) {
   if (CallSite->arg_empty() ||
       (CallSite->hasStructRetAttr() && CallSite->arg_size() < 2)) {
     return nullptr;
@@ -86,25 +84,42 @@ const llvm::StructType *getReceiverType(const llvm::CallBase *CallSite) {
   return nullptr;
 }
 
-std::string getReceiverTypeName(const llvm::CallBase *CallSite) {
+std::string psr::getReceiverTypeName(const llvm::CallBase *CallSite) {
   const auto *RT = getReceiverType(CallSite);
   if (RT) {
     return RT->getName().str();
   }
   return "";
 }
 
+bool psr::isConsistentCall(const llvm::CallBase *CallSite,
+                           const llvm::Function *DestFun) {
+  if (CallSite->arg_size() < DestFun->arg_size()) {
+    return false;
+  }
+  if (CallSite->arg_size() != DestFun->arg_size() && !DestFun->isVarArg()) {
+    return false;
+  }
+  if (!matchesSignature(DestFun, CallSite->getFunctionType(), false)) {
+    return false;
+  }
+  return true;
+}
+
+namespace psr {
+
 Resolver::Resolver(LLVMProjectIRDB &IRDB) : IRDB(IRDB), TH(nullptr) {}
 
 Resolver::Resolver(LLVMProjectIRDB &IRDB, LLVMTypeHierarchy &TH)
     : IRDB(IRDB), TH(&TH) {}
 
 const llvm::Function *
 Resolver::getNonPureVirtualVFTEntry(const llvm::StructType *T, unsigned Idx,
-                                    const llvm::CallBase * /*CallSite*/) {
+                                    const llvm::CallBase *CallSite) {
   if (TH && TH->hasVFTable(T)) {
     const auto *Target = TH->getVFTable(T)->getFunction(Idx);
-    if (Target && Target->getName() != "__cxa_pure_virtual") {
+    if (Target && Target->getName() != LLVMTypeHierarchy::PureVirtualCallName &&
+        isConsistentCall(CallSite, Target)) {
       return Target;
     }
   }
@@ -133,7 +148,7 @@ auto Resolver::resolveFunctionPointer(const llvm::CallBase *CallSite)
     if (const auto *FTy = llvm::dyn_cast<llvm::FunctionType>(
             CallSite->getCalledOperand()->getType()->getPointerElementType())) {
       for (const auto *F : IRDB.getAllFunctions()) {
-        if (matchesSignature(F, FTy)) {
+        if (isConsistentCall(CallSite, F)) {
           CalleeTargets.insert(F);
         }
       }
