VTA Callgraph (#794)

* iterative Tarjan Algorithm implemenmted

* SCCGeneric.h finished

* typeAssignmentGraph ported

* SCCGeneric.h, TypeTraits.h and TypeAssignmentGraph.h updated

* updated template types

* error corrections

* minor corrections

* SCCGeneric.h corrections

* SCC Tests added and VTACallGraphTest ported

* AnalysisConfig.h modified

* new test case in SCCGenericTest.cpp

* Update TAG, SCCs, and AdjacencyList to use TypedVector

* Update TAG to llvm::DIType instead of llvm::Type + fix VTACallGraphTest with opaque pointers

* Add call-graph tool to generate call-graphs for arbitrary LLVM IR files + compute CG statistics

* Add resolver-based TAG construction

* Fix SCCGenericTest

* Refine the concepts for GraphTraits + add some comments

* Some cleanup

* Add ground-truth to SCCGenericTest + fix error in Compressor introduced by merge + mino

* Some cleanup + some comments

* Adapt VTACallGraphTest to TestingSrcLocation + measure timing in call-graph tool  + some cleanup

* Fix AdjacencyList with TypedVector

* Fix stack-use-after-scope in TypedVector::operator[], materialized in minimizeGraph()

* some cleanup

* Replace Tarjan's algorithm with Pearce's algorithm for computing SCCs. This let's us compute SCCs and topological sorting in a single pass over the graph and also gets rid of the recursion

* Also test recursive version of SCC computation

* Use AliasIterator in VTA call-graph analysis

* minors

---------

Co-authored-by: bulletSpace <erik.binder@hotmail.com>

Author: fabianbs96

BreakingChanges.md

@@ -2,6 +2,9 @@
 
 ## development HEAD
 
+- The `AdjacencyList` struct now now has one more template argument to denote the intege-like `vertex_t` type. It is the second template argument (which previously was the EdgeType). The edge-type is now denoted by the *third* template argument.
+- The `AdjacencyList` switches from using `llvm::NoneType` as empty-node marker to `psr::EmptyType` for forward-compatibility with LLVM-16 that removes `llvm::NoneType`.
+
 - Removed `SpecialSummaries`.
 - Removed `Hexastore` and the corresponding database queries.
 - Removed `LLVMTypeHierarchy` (and `LLVMTypeHierarchyData`), which is superceeded by `DIBasedTypeHierarchy`.

cmake/phasar_macros.cmake

@@ -361,7 +361,7 @@ function(add_phasar_library name)
   endif()
 endfunction(add_phasar_library)
 
-macro(subdirlist result curdir)
+function(subdirlist result curdir)
   file(GLOB children RELATIVE ${curdir} ${curdir}/*)
   set(dirlist "")
 
@@ -371,5 +371,5 @@ macro(subdirlist result curdir)
     endif()
   endforeach()
 
-  set(${result} ${dirlist})
-endmacro(subdirlist)
+  set(${result} ${dirlist} PARENT_SCOPE)
+endfunction(subdirlist)

include/phasar/PhasarLLVM/ControlFlow.h

@@ -20,5 +20,6 @@
 #include "phasar/PhasarLLVM/ControlFlow/Resolver/OTFResolver.h"
 #include "phasar/PhasarLLVM/ControlFlow/Resolver/RTAResolver.h"
 #include "phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h"
+#include "phasar/PhasarLLVM/ControlFlow/Resolver/VTAResolver.h"
 
 #endif // PHASAR_PHASARLLVM_CONTROLFLOW_H

include/phasar/PhasarLLVM/ControlFlow/EntryFunctionUtils.h

@@ -26,6 +26,9 @@ getEntryFunctions(const LLVMProjectIRDB &IRDB,
 [[nodiscard]] std::vector<llvm::Function *>
 getEntryFunctionsMut(LLVMProjectIRDB &IRDB,
                      llvm::ArrayRef<std::string> EntryPoints);
+
+[[nodiscard]] std::vector<std::string>
+getDefaultEntryPoints(const LLVMProjectIRDB &IRDB);
 } // namespace psr
 
 #endif // PHASAR_PHASARLLVM_UTILS_ENTRYFUNCTIONUTILS_H

include/phasar/PhasarLLVM/ControlFlow/LLVMBasedCFG.h

@@ -18,6 +18,8 @@
 #include "llvm/IR/InstrTypes.h"
 #include "llvm/IR/Instructions.h"
 
+#include "nlohmann/json.hpp"
+
 namespace llvm {
 class Function;
 } // namespace llvm

include/phasar/PhasarLLVM/ControlFlow/LLVMBasedCallGraphBuilder.h

@@ -21,29 +21,66 @@ class DIBasedTypeHierarchy;
 class LLVMVFTableProvider;
 class Resolver;
 
+/// Constructs a call-graph using the given CGResolver to resolve indirect
+/// calls.
+///
+/// Uses a fixpoint iteration, if
+/// `CGResolver.mutatesHelperAnalysisInformation()` returns true and the
+/// soundness S is not Soundness::Unsound.
+///
+/// \param IRDB The IR code where the call-graph should be based on
+/// \param CGResolver The resolver to use for resolving indirect calls.
+/// \param EntryPoints The functions, where the call-graph construction should
+/// start. The resulting call-graph will only contain functions that are
+/// (transitively) reachable from the entry-points.
+/// \param S The soundness level. May be used to trade soundness for
+/// performance.
 [[nodiscard]] LLVMBasedCallGraph
-buildLLVMBasedCallGraph(LLVMProjectIRDB &IRDB, CallGraphAnalysisType CGType,
+buildLLVMBasedCallGraph(const LLVMProjectIRDB &IRDB, Resolver &CGResolver,
                         llvm::ArrayRef<const llvm::Function *> EntryPoints,
-                        DIBasedTypeHierarchy &TH, LLVMVFTableProvider &VTP,
-                        LLVMAliasInfoRef PT = nullptr,
                         Soundness S = Soundness::Soundy);
 
+/// Constructs a call-graph using the given CGResolver to resolve indirect
+/// calls.
+///
+/// Uses a fixpoint iteration, if
+/// `CGResolver.mutatesHelperAnalysisInformation()` returns true and the
+/// soundness S is not Soundness::Unsound.
+///
+/// \param IRDB The IR code where the call-graph should be based on
+/// \param CGResolver The resolver to use for resolving indirect calls.
+/// \param EntryPoints Names of the functions, where the call-graph construction
+/// should start. The resulting call-graph will only contain functions that are
+/// (transitively) reachable from the entry-points.
+/// \param S The soundness level. May be used to trade soundness for
+/// performance.
 [[nodiscard]] LLVMBasedCallGraph
 buildLLVMBasedCallGraph(const LLVMProjectIRDB &IRDB, Resolver &CGResolver,
-                        llvm::ArrayRef<const llvm::Function *> EntryPoints,
+                        llvm::ArrayRef<std::string> EntryPoints,
                         Soundness S = Soundness::Soundy);
 
+/// Kept for compatibility with LLVMBasedICFG. See the constructor of
+/// LLVMBasedICFG::LLVMBasedICFG(LLVMProjectIRDB *, CallGraphAnalysisType,
+/// llvm::ArrayRef<std::string>, DIBasedTypeHierarchy *, LLVMAliasInfoRef,
+/// Soundness, bool) for more information.
 [[nodiscard]] LLVMBasedCallGraph
 buildLLVMBasedCallGraph(LLVMProjectIRDB &IRDB, CallGraphAnalysisType CGType,
-                        llvm::ArrayRef<std::string> EntryPoints,
+                        llvm::ArrayRef<const llvm::Function *> EntryPoints,
                         DIBasedTypeHierarchy &TH, LLVMVFTableProvider &VTP,
                         LLVMAliasInfoRef PT = nullptr,
                         Soundness S = Soundness::Soundy);
 
+/// Kept for compatibility with LLVMBasedICFG. See the constructor of
+/// LLVMBasedICFG::LLVMBasedICFG(LLVMProjectIRDB *, CallGraphAnalysisType,
+/// llvm::ArrayRef<std::string>, DIBasedTypeHierarchy *, LLVMAliasInfoRef,
+/// Soundness, bool) for more information.
 [[nodiscard]] LLVMBasedCallGraph
-buildLLVMBasedCallGraph(const LLVMProjectIRDB &IRDB, Resolver &CGResolver,
+buildLLVMBasedCallGraph(LLVMProjectIRDB &IRDB, CallGraphAnalysisType CGType,
                         llvm::ArrayRef<std::string> EntryPoints,
+                        DIBasedTypeHierarchy &TH, LLVMVFTableProvider &VTP,
+                        LLVMAliasInfoRef PT = nullptr,
                         Soundness S = Soundness::Soundy);
+
 } // namespace psr
 
 #endif // PHASAR_PHASARLLVM_CONTROLFLOW_LLVMBASEDCALLGRAPHBUILDER_H

include/phasar/PhasarLLVM/ControlFlow/LLVMBasedICFG.h

@@ -64,10 +64,12 @@ class LLVMBasedICFG : public LLVMBasedCFG, public ICFGBase<LLVMBasedICFG> {
   /// \param EntryPoints The names of the functions to start with when
   /// incrementally building up the ICFG. For whole-program analysis of an
   /// executable use {"main"}.
-  /// \param TH The type-hierarchy implementation to use. Will be constructed
-  /// on-the-fly if nullptr, but required
+  /// \param TH The type-hierarchy implementation to use. Must be non-null, if
+  /// the selected call-graph analysis requires type-hierarchy information;
+  /// currently, this holds for the CHA and RTA algorithms.
   /// \param PT The points-to implementation to use. Will be constructed
-  /// on-the-fly if nullptr, but required
+  /// on-the-fly if nullptr, but required; currently, this holds for the OTF and
+  /// VTA algorithms.
   /// \param S The soundness level to expect from the analysis. Currently unused
   /// \param IncludeGlobals Properly include global constructors/destructors
   /// into the ICFG, if true. Requires to generate artificial functions into the

include/phasar/PhasarLLVM/ControlFlow/Resolver/PrecomputedResolver.h

@@ -0,0 +1,51 @@
+/******************************************************************************
+ * Copyright (c) 2025 Fabian Schiebel.
+ * All rights reserved. This program and the accompanying materials are made
+ * available under the terms of LICENSE.txt.
+ *
+ * Contributors:
+ *     Fabian Schiebel and others
+ *****************************************************************************/
+
+#ifndef PHASAR_PHASARLLVM_CONTROLFLOW_RESOLVER_PRECOMPUTEDRESOLVER_H
+#define PHASAR_PHASARLLVM_CONTROLFLOW_RESOLVER_PRECOMPUTEDRESOLVER_H
+
+#include "phasar/PhasarLLVM/ControlFlow/LLVMBasedCallGraph.h"
+#include "phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h"
+#include "phasar/Utils/MaybeUniquePtr.h"
+
+namespace psr {
+/// \brief A Resolver that uses a pre-computed call-graph to resolve indirect
+/// calls.
+///
+/// \note We eventually may want the LLVMBasedCallGraph to *be* a Resolver. This
+/// requires the concept of resolvers to generalize beyond LLVM. See
+/// <https://github.com/fabianbs96/phasar/tree/f-ResolverCombinators> for
+/// reference
+class PrecomputedResolver : public Resolver {
+public:
+  PrecomputedResolver(const LLVMProjectIRDB *IRDB,
+                      const LLVMVFTableProvider *VTP,
+                      MaybeUniquePtr<const LLVMBasedCallGraph> BaseCG);
+
+  [[nodiscard]] bool
+  mutatesHelperAnalysisInformation() const noexcept override {
+    return false;
+  }
+
+  void resolveVirtualCall(FunctionSetTy &PossibleTargets,
+                          const llvm::CallBase *CallSite) override {
+    resolveFunctionPointer(PossibleTargets, CallSite);
+  }
+
+  void resolveFunctionPointer(FunctionSetTy &PossibleTargets,
+                              const llvm::CallBase *CallSite) override;
+
+  [[nodiscard]] std::string str() const override;
+
+private:
+  MaybeUniquePtr<const LLVMBasedCallGraph> BaseCG;
+};
+} // namespace psr
+
+#endif

include/phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h

@@ -18,6 +18,7 @@
 #define PHASAR_PHASARLLVM_CONTROLFLOW_RESOLVER_RESOLVER_H_
 
 #include "phasar/PhasarLLVM/Pointer/LLVMAliasInfo.h"
+#include "phasar/Utils/MaybeUniquePtr.h"
 
 #include "llvm/ADT/DenseSet.h"
 #include "llvm/ADT/SmallVector.h"
@@ -109,12 +110,37 @@ class Resolver {
   [[nodiscard]] llvm::ArrayRef<const llvm::Function *>
   getAddressTakenFunctions();
 
-  [[nodiscard]] static std::unique_ptr<Resolver>
+  using BaseResolverProvider = llvm::function_ref<MaybeUniquePtr<Resolver>(
+      const LLVMProjectIRDB *IRDB, const LLVMVFTableProvider *VTP,
+      const DIBasedTypeHierarchy *TH, LLVMAliasInfoRef PT)>;
+
+  /// Factory function to create a Resolver that can be used to implement the
+  /// given call-graph analysis type.
+  ///
+  /// \param Ty Determines the Resolver subclass to instantiate
+  /// \param IRDB The IR code where the Resolver should be based on. Must not be
+  /// nullptr.
+  /// \param VTP A virtual-table-provider that is used to extract C++-VTables
+  /// from the IR. Must not be nullptr.
+  /// \param TH The type-hierarchy implementation to use. Must be non-null, if
+  /// the selected call-graph analysis requires type-hierarchy information;
+  /// currently, this holds for the CHA and RTA algorithms.
+  /// \param PT The points-to implementation to use. Will be constructed
+  /// on-the-fly if nullptr, but required; currently, this holds for the OTF and
+  /// VTA algorithms.
+  static std::unique_ptr<Resolver>
   create(CallGraphAnalysisType Ty, const LLVMProjectIRDB *IRDB,
          const LLVMVFTableProvider *VTP, const DIBasedTypeHierarchy *TH,
-         LLVMAliasInfoRef PT = nullptr);
+         LLVMAliasInfoRef PT = nullptr,
+         BaseResolverProvider GetBaseRes = nullptr);
 
 protected:
+  virtual void resolveVirtualCall(FunctionSetTy &PossibleTargets,
+                                  const llvm::CallBase *CallSite) = 0;
+
+  virtual void resolveFunctionPointer(FunctionSetTy &PossibleTargets,
+                                      const llvm::CallBase *CallSite);
+
   const llvm::Function *
   getNonPureVirtualVFTEntry(const llvm::DIType *T, unsigned Idx,
                             const llvm::CallBase *CallSite,
@@ -125,17 +151,12 @@ class Resolver {
     return psr::getNonPureVirtualVFTEntry(T, Idx, CallSite, *VTP, ReceiverType);
   }
 
+  // ---
+
   const LLVMProjectIRDB *IRDB{};
   const LLVMVFTableProvider *VTP{};
   std::optional<llvm::SmallVector<const llvm::Function *, 0>>
       AddressTakenFunctions{};
-
-protected:
-  virtual void resolveVirtualCall(FunctionSetTy &PossibleTargets,
-                                  const llvm::CallBase *CallSite) = 0;
-
-  virtual void resolveFunctionPointer(FunctionSetTy &PossibleTargets,
-                                      const llvm::CallBase *CallSite);
 };
 } // namespace psr
 

include/phasar/PhasarLLVM/ControlFlow/Resolver/VTAResolver.h

@@ -0,0 +1,87 @@
+/******************************************************************************
+ * Copyright (c) 2025 Fabian Schiebel.
+ * All rights reserved. This program and the accompanying materials are made
+ * available under the terms of LICENSE.txt.
+ *
+ * Contributors:
+ *     Fabian Schiebel and others
+ *****************************************************************************/
+
+#ifndef PHASAR_PHASARLLVM_CONTROLFLOW_RESOLVER_VTARESOLVER_H
+#define PHASAR_PHASARLLVM_CONTROLFLOW_RESOLVER_VTARESOLVER_H
+
+#include "phasar/PhasarLLVM/ControlFlow/LLVMBasedCallGraph.h"
+#include "phasar/PhasarLLVM/ControlFlow/Resolver/Resolver.h"
+#include "phasar/PhasarLLVM/ControlFlow/VTA/TypePropagator.h"
+#include "phasar/PhasarLLVM/Pointer/LLVMAliasInfo.h"
+#include "phasar/Utils/Compressor.h"
+#include "phasar/Utils/MaybeUniquePtr.h"
+#include "phasar/Utils/SCCGeneric.h"
+
+#include "llvm/ADT/STLFunctionalExtras.h"
+
+namespace psr {
+
+class LLVMProjectIRDB;
+
+/// \brief A Resolver that uses a variant of the Variable Type Analysis to
+/// resolver indirect calls.
+///
+/// Uses debug-information to achieve better results with C++ virtual calls.
+/// Uses alias-information as fallback mechanism for when types don't help or
+/// are not found, e.g., to resolve function-pointer calls.
+///
+/// Requires a base-call-graph or at least a base-resolver to resolve indirect
+/// calls while constructing the type-assignment graph.
+class VTAResolver : public Resolver {
+public:
+  struct DefaultReachableFunctions {
+    void operator()(const LLVMProjectIRDB &IRDB,
+                    llvm::function_ref<void(const llvm::Function *)> WithFun);
+  };
+
+  /// Constructs a VTAResolver with a given pre-computed call-graph and
+  /// alias-information
+  ///
+  /// Builds the type-assignment graph and propagates allocated types through
+  /// it's SCCs.
+  explicit VTAResolver(const LLVMProjectIRDB *IRDB,
+                       const LLVMVFTableProvider *VTP, LLVMAliasIteratorRef AS,
+                       MaybeUniquePtr<const LLVMBasedCallGraph> BaseCG);
+
+  /// Constructs a VTAResolver with a given base-resolver (no base-call-graph)
+  /// and alias-information
+  /// Uses the optional parameter ReachableFunctions to consider only a subset
+  /// of all functions for building the type-assignment graph
+  ///
+  /// Builds the type-assignment graph and propagates allocated types through
+  /// it's SCCs.
+  explicit VTAResolver(
+      const LLVMProjectIRDB *IRDB, const LLVMVFTableProvider *VTP,
+      LLVMAliasIteratorRef AS, MaybeUniquePtr<Resolver> BaseRes,
+      llvm::function_ref<void(const LLVMProjectIRDB &,
+                              llvm::function_ref<void(const llvm::Function *)>)>
+          ReachableFunctions = DefaultReachableFunctions{});
+
+  [[nodiscard]] std::string str() const override;
+
+  [[nodiscard]] bool
+  mutatesHelperAnalysisInformation() const noexcept override {
+    return false;
+  }
+
+private:
+  void resolveVirtualCall(FunctionSetTy &PossibleTargets,
+                          const llvm::CallBase *CallSite) override;
+
+  void resolveFunctionPointer(FunctionSetTy &PossibleTargets,
+                              const llvm::CallBase *CallSite) override;
+
+  MaybeUniquePtr<Resolver> BaseResolver{};
+  vta::TypeAssignment TA{};
+  SCCHolder<vta::TAGNodeId> SCCs{};
+  Compressor<vta::TAGNode, vta::TAGNodeId> Nodes;
+};
+} // namespace psr
+
+#endif // PHASAR_PHASARLLVM_CONTROLFLOW_RESOLVER_VTARESOLVER_H