Aslp generating control flow branches by katrinafyi · Pull Request #188 · agle/bincaml

katrinafyi · 2026-06-22T08:46:05Z

ensures a pc increment on all straight-line control-flow paths by construction.

adds a new lib/transforms/aslp/aslp_lexpr.ml file for abstracting the builtin and local variables used by the aslp lifter.

this pr also renames some things, like now using aslp_diamond in place of aslp_state.

let%expect_test "lift: b.eq #1024" =
  let module I = (val Bincaml_ibi.from_generator (Aslp_state.empty_aslp_ids ()))
  in
  let x =
    lift_opcode
      (module I)
      ~address:(Bitvec.zero ~size:64)
      (Bitvec.of_string "0x54002000:bv32")
  in
  print_endline @@ Aslp_state.show_aslp_diamond x;
  [%expect
    {|
    { Aslp_state.blocks = "block_0"
      -> { Aslp_state.assume = None; stmts = []; succs = ["block_1"; "block_2"];
           has_pc_assign = false },
      "block_1"
      -> { Aslp_state.assume = (Some eq($PSTATE_Z, 0x1:bv1));
           stmts = [var BranchTaken:bool := true; $PC:bv64 := 0x400:bv64];
           succs = ["block_3"]; has_pc_assign = true },
      "block_2"
      -> { Aslp_state.assume = (Some boolnot(eq($PSTATE_Z, 0x1:bv1)));
           stmts =
           [($PC:bv64 := bvadd($PC, 0x4:bv32), var BranchTaken:bool := false)];
           succs = ["block_3"]; has_pc_assign = true },
      "block_3"
      -> { Aslp_state.assume = None; stmts = []; succs = []; has_pc_assign = true
           };
      entry = "block_0"; exit = "block_3" }
    |}]

dont need helper functions anymore

agle · 2026-06-23T05:33:22Z

+      |> Aslp_state.add_block ~pred:st.active ~name:f ~assume:ncond
+      |> Aslp_state.add_block ~pred:t ~name:m
+      |> Aslp_state.add_goto ~source:f ~target:m
+      |> Aslp_state.modify_block ~name:m ~f:(fun b ->


Put the Aslp_state local open outside of the sequence of maps :)

agle · 2026-06-23T05:42:37Z

-let gen_block_id = gen_block_id
-let gen_local_id = gen_local_id
+  let block_id = ID.name % ID.fresh ~name:"block" block_ids
+  and local_id = ID.name % ID.fresh ~name:"var" local_ids in


I always prefer ID.fresh ~name:"var" local_ids %> ID.name

agle · 2026-06-23T05:44:30Z

+      |> Aslp_state.add_block ~pred:st.active ~name:f ~assume:ncond
+      |> Aslp_state.add_block ~pred:t ~name:m
+      |> Aslp_state.add_goto ~source:f ~target:m
+      |> Aslp_state.modify_block ~name:m ~f:(fun b ->


agle · 2026-06-23T05:49:01Z

+    This is used to maintain the invariant that at every control flow point, the
+    [PC] variable is either assigned on all paths or assigned on no paths (from
+    the beginning of the instruction). *)
+let ensure_pc_consistency state ~left ~right ~join =


Mention guarantee from lifter that it won't assign PC twice.

katrinafyi added 15 commits June 22, 2026 14:26

sort out lexprs

06e1e8a

fix potential id clash because we were post-processing the unique IDs

b351ec6

dont need helper functions anymore

fill out bv op gens

e3f5545

has_pc_assign

ba30114

ensure pc consistcne

f7d5ece

add_goto

efcdda4

a gen branch might split a block down the middle :(

b493102

noncrashing

8b67661

propagate has_pc_assign

bc9430d

shared entry+exit

37d6e65

globalvar

1b5253e

fix scopes

4dfd54b

add aslp_lexpr lol

b96f50a

rename aslp_block to aslp_diamond

6ddb526

rename to diamond

e343d08

katrinafyi requested a review from agle as a code owner June 22, 2026 08:46

katrinafyi added 10 commits June 22, 2026 18:49

remove ~exit to avoid double increment

85e154b

use stringset and slightly smarter pc propagation

693dc1e

touch

f5a7ec6

touch

700ada1

x

45bc560

match on BranchTaken = true to detect has_pc_assign

15d8f33

avoid ref

c219370

simplify the branch types

dbe34b4

match on any assigns to branchtaken

af7fd51

" " PC

9b0393a

agle removed their request for review June 23, 2026 05:32

agle reviewed Jun 23, 2026

View reviewed changes

katrinafyi requested a review from agle June 23, 2026 05:38

agle approved these changes Jun 23, 2026

View reviewed changes

katrinafyi added 3 commits June 23, 2026 16:02

has_pc_assign assertion

84cd590

fix silly bug and add double PC assumption

12103ae

%>

e4fbb19

katrinafyi enabled auto-merge (squash) June 23, 2026 06:33

katrinafyi merged commit f2a9e3f into main Jun 23, 2026
9 checks passed

katrinafyi deleted the aslp-branches-2 branch June 23, 2026 06:43

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Aslp generating control flow branches#188

Aslp generating control flow branches#188
katrinafyi merged 28 commits into
mainfrom
aslp-branches-2

katrinafyi commented Jun 22, 2026 •

edited

Loading

Uh oh!

agle Jun 23, 2026

Uh oh!

agle Jun 23, 2026

Uh oh!

agle Jun 23, 2026

Uh oh!

agle Jun 23, 2026

Uh oh!

agle Jun 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

katrinafyi commented Jun 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

agle Jun 23, 2026

Choose a reason for hiding this comment

Uh oh!

agle Jun 23, 2026

Choose a reason for hiding this comment

Uh oh!

agle Jun 23, 2026

Choose a reason for hiding this comment

Uh oh!

agle Jun 23, 2026

Choose a reason for hiding this comment

Uh oh!

agle Jun 23, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

katrinafyi commented Jun 22, 2026 •

edited

Loading