Flow sensitivity does not work for indirect function call resolution

[TrivikramAT]

In this small toy program, I am trying to track the sources for a variable in an indirectly-called function.

typedef struct test_struct {
   int a;
   int b;
   int c;
}test_struct;

void f1(void *arg)
{
   test_struct *pS = (test_struct *)arg;
   if(pS->a)
      printf("Test a");
}
void f2(void *arg)
{
   test_struct *pS = (test_struct *)arg;
   if(pS->b)
      printf("Test b");
}

void redirection(void (*func)(void *), void *arg)
{
   (*func)(arg);
}

int main(int argc, char **argv)
{
   test_struct S;

   S.a = -1; S.b = -2; S.c = -3;
   redirection(f1, &S);

   // overwrite
   S.a = 10; S.b = 20;S.c = 30;
   redirection(f2, &S);

   return 0;
}

Ideally, in function f1, the only source for "pS->a" must be the statement S.a = -1;. Similarly, the source for "pS->b" must be S.b = 20;
But when I use FlowSensitive pointer analysis and generate the SVFG, I can see that flow sensitivity is not maintained for the function pointer. Therefore, the sources for the above two variables are calculated wrongly.
Sources for the statement if(pS->a) --> S.a = -1; and S.a = 10;
Sources for the statement if(pS->b) --> S.b = -2; and S.b = 20;

Could you let me know if there are any APIs in SVF that can support this functionality correctly? I'm currently using the following APIs for pointer analysis:

    SVFIRBuilder builder(svfModule);
    SVFIR* pag = builder.build();
    FlowSensitive* fspta = FlowSensitive::createFSWPA(pag);

[LegalZhang]

Hi, I will take a look.

[yuleisui]

@TrivikramAT could you shorten your example to make it as small as possible to reproduce the issue?

[TrivikramAT]

Hello,
Here is the shortened version. The function address needs to be passed as an argument in order to reproduce the issue, so I could not shorten it further.

void f1(int *arg)
{/* dummy func */}

void f2(int *arg)
{
   if(*arg)
      printf("Test a2");
}

void redirection(void (*func)(int *), int *arg)
{
   (*func)(arg);
}

int main(int argc, char **argv)
{
   int a;
   a = -1;
   redirection(f1, &a);

   // overwrite
   a = 2;
   redirection(f2, &a);
   
   return 0;
}

The issue is that in the SVFG, there is a value flow path from:
store i32 -1, i32* %6, align 4 (line 18) --> %5 = icmp ne i32 %4, 0 (line 6)
and also
store i32 2, i32* %6, align 4 (line 22) --> %5 = icmp ne i32 %4, 0 (line 6)

[yuleisui]

We have just tested your case. This is no problem with the current flow-sensitive but context-insensitive SVFG, but you may need a context-sensitive analysis/traversal to distinguish the two call paths main (first callsite)->redirection-> f1 and `main (first callsite)->redirection-> f1'. If your analysis could distinguish these two, it should be precise enough for your case.

[TrivikramAT]

I just want to clarify....
Do you mean I need to use a context-sensitive pointer analysis and plug that into SVF?
Or
Do you mean I need to do a context-sensitive traversal of the SVFG that is generated?

[yuleisui]

context-sensitive traversal on the SVFG