feat: Add pcode-op bound and tweak computed valuation (#212)

* Add pcode-op bound and SimpleValue addresses

* Add Indirect variant to PcodeAddressLattice

Return Indirect for BranchInd/CallInd/Return transfer results and
store IndirectVarNode. Strengthen BasicLocationState from
valuation.indirect_writes, resolving to Const or Computed when possible.
Add formatting/Debug/LowerHex support and update ordering/join behavior.
Minor cleanup in BoundedBranchState PartialOrd and imports.

* Skip Top when strengthening and keep branch target

* fmt + clippy

Author: toolCHAINZ

jingle/src/analysis/cpa/lattice/pcode.rs

@@ -1,5 +1,6 @@
 use crate::analysis::cpa::lattice::JoinSemiLattice;
 use crate::analysis::cpa::state::{AbstractState, LocationState, MergeOutcome, Successor};
+use crate::analysis::valuation::SimpleValue;
 use crate::display::JingleDisplay;
 use crate::modeling::machine::cpu::concrete::ConcretePcodeAddress;
 use jingle_sleigh::{IndirectVarNode, PcodeOperation};
@@ -13,12 +14,14 @@ use std::iter::{empty, once};
 ///
 /// Variants:
 /// - `Const(addr)` — a concrete pcode address (like `FlatLattice::Value`)
-/// - `Computed(indirect)` — a location that may be computed from an indirect varnode
+/// - `Indirect(ivn)` — raw output of the transfer function for indirect branches
+/// - `Computed(sv)` — resolved by valuation strengthening
 /// - `Top` — unknown / multiple locations
 #[derive(Clone, PartialEq, Eq, Hash)]
 pub enum PcodeAddressLattice {
     Const(ConcretePcodeAddress),
-    Computed(IndirectVarNode),
+    Indirect(IndirectVarNode),
+    Computed(SimpleValue),
     Top,
 }
 
@@ -30,9 +33,8 @@ impl JingleDisplay for PcodeAddressLattice {
     ) -> std::fmt::Result {
         match self {
             PcodeAddressLattice::Const(addr) => write!(f, "{:x}", addr),
-            PcodeAddressLattice::Computed(indirect_var_node) => {
-                indirect_var_node.fmt_jingle(f, info)
-            }
+            PcodeAddressLattice::Indirect(ivn) => ivn.fmt_jingle(f, info),
+            PcodeAddressLattice::Computed(sv) => sv.fmt_jingle(f, info),
             PcodeAddressLattice::Top => write!(f, "Top"),
         }
     }
@@ -45,6 +47,10 @@ impl Debug for PcodeAddressLattice {
                 .debug_tuple("PcodeAddressLattice::Const")
                 .field(&format_args!("{:x}", a))
                 .finish(),
+            PcodeAddressLattice::Indirect(ivn) => f
+                .debug_tuple("PcodeAddressLattice::Indirect")
+                .field(&format_args!("{:?}", ivn))
+                .finish(),
             PcodeAddressLattice::Computed(c) => f
                 .debug_tuple("PcodeAddressLattice::Computed")
                 .field(&format_args!("{:?}", c))
@@ -60,9 +66,11 @@ impl LowerHex for PcodeAddressLattice {
             // Delegate to the inner `ConcretePcodeAddress` LowerHex implementation
             // so `{:#x}` / `{:x}` on `PcodeAddressLattice::Const` prints the expected hex form.
             PcodeAddressLattice::Const(a) => write!(f, "PcodeAddressLattice::Const({:x})", a),
-            // Computed values don't have a natural hex representation; fall back to debug.
-            PcodeAddressLattice::Computed(c) => {
-                write!(f, "PcodeAddressLattice::Computed({:?})", c)
+            PcodeAddressLattice::Indirect(ivn) => {
+                write!(f, "PcodeAddressLattice::Indirect({:x})", ivn)
+            }
+            PcodeAddressLattice::Computed(sv) => {
+                write!(f, "PcodeAddressLattice::Computed({:x})", sv)
             }
             PcodeAddressLattice::Top => write!(f, "PcodeAddressLattice::Top"),
         }
@@ -103,14 +111,21 @@ impl PartialOrd for PcodeAddressLattice {
                     None
                 }
             }
+            (Self::Indirect(x), Self::Indirect(y)) => {
+                if x == y {
+                    Some(Ordering::Equal)
+                } else {
+                    None
+                }
+            }
             (Self::Computed(x), Self::Computed(y)) => {
                 if x == y {
                     Some(Ordering::Equal)
                 } else {
                     None
                 }
             }
-            // Different kinds (Const vs Computed) are incomparable
+            // Different kinds are incomparable
             _ => None,
         }
     }
@@ -120,26 +135,24 @@ impl JoinSemiLattice for PcodeAddressLattice {
     fn join(&mut self, other: &Self) {
         // Match on references to avoid moving out of `self` while inspecting it.
         match (&*self, other) {
-            (Self::Top, _) => *self = Self::Top,
-            (_, Self::Top) => *self = Self::Top,
+            (Self::Top, _) | (_, Self::Top) => *self = Self::Top,
             (Self::Const(a), Self::Const(b)) => {
-                if a == b {
-                    // keep the same concrete value
-                } else {
+                if a != b {
                     *self = Self::Top;
                 }
             }
-            (Self::Computed(x), Self::Computed(y)) => {
-                if x == y {
-                    // keep the same computed descriptor
-                } else {
+            (Self::Indirect(x), Self::Indirect(y)) => {
+                if x != y {
                     *self = Self::Top;
                 }
             }
-            // Mixing Const and Computed -> unknown
-            _ => {
-                *self = Self::Top;
+            (Self::Computed(x), Self::Computed(y)) => {
+                if x != y {
+                    *self = Self::Top;
+                }
             }
+            // Mixing different kinds -> unknown
+            _ => *self = Self::Top,
         };
     }
 }
@@ -161,15 +174,16 @@ impl AbstractState for PcodeAddressLattice {
             PcodeOperation::BranchInd { input }
             | PcodeOperation::CallInd { input }
             | PcodeOperation::Return { input } => {
-                return once(PcodeAddressLattice::Computed(input.clone())).into();
+                return once(PcodeAddressLattice::Indirect(input.clone())).into();
             }
             _ => {}
         }
 
         match self {
             PcodeAddressLattice::Const(a) => a.transfer(op).into_iter().map(Self::Const).into(),
-            PcodeAddressLattice::Computed(_) => empty().into(),
-            PcodeAddressLattice::Top => empty().into(),
+            PcodeAddressLattice::Indirect(_)
+            | PcodeAddressLattice::Computed(_)
+            | PcodeAddressLattice::Top => empty().into(),
         }
     }
 }
@@ -181,9 +195,9 @@ impl LocationState for PcodeAddressLattice {
     ) -> Option<crate::analysis::pcode_store::PcodeOpRef<'a>> {
         match self {
             PcodeAddressLattice::Const(a) => t.get_pcode_op_at(a),
-            // If the location is computed or top, we cannot directly get a concrete op
-            PcodeAddressLattice::Computed(_) => None,
-            PcodeAddressLattice::Top => None,
+            PcodeAddressLattice::Indirect(_)
+            | PcodeAddressLattice::Computed(_)
+            | PcodeAddressLattice::Top => None,
         }
     }
 
@@ -198,9 +212,8 @@ impl Display for PcodeAddressLattice {
             PcodeAddressLattice::Const(concrete_pcode_address) => {
                 write!(f, "{:x}", concrete_pcode_address)
             }
-            PcodeAddressLattice::Computed(indirect_var_node) => {
-                write!(f, "{:x}", indirect_var_node)
-            }
+            PcodeAddressLattice::Indirect(ivn) => write!(f, "{}", ivn),
+            PcodeAddressLattice::Computed(sv) => write!(f, "{}", sv),
             PcodeAddressLattice::Top => write!(f, "Top"),
         }
     }

jingle/src/analysis/location/basic/state.rs

@@ -2,6 +2,7 @@ use std::{
     borrow::Borrow,
     cmp::Ordering,
     fmt::{Display, LowerHex},
+    hash::Hash,
     iter::{empty, once},
 };
 
@@ -16,7 +17,7 @@ use crate::{
             state::{AbstractState, LocationState, MergeOutcome, Successor},
         },
         location::basic::BasicLocationAnalysis,
-        valuation::SimpleValuationState,
+        valuation::{SimpleValuationState, SimpleValue},
     },
     modeling::machine::{MachineState, cpu::concrete::ConcretePcodeAddress},
     register_strengthen,
@@ -178,13 +179,20 @@ impl LocationState for BasicLocationState {
 
 impl BasicLocationState {
     pub fn strengthen_from_valuation(&mut self, v: &SimpleValuationState) {
-        if let PcodeAddressLattice::Computed(indirect_var_node) = &self.inner {
-            let ptr_value = v.get_value(indirect_var_node.pointer_location());
-            if let Some(value) = ptr_value {
-                if let Some(v) = value.as_const_value() {
-                    self.inner = PcodeAddressLattice::Const(ConcretePcodeAddress::from(v as u64))
+        if let PcodeAddressLattice::Indirect(ivn) = &self.inner {
+            if let Some(value) = v.get_value(ivn.pointer_location()) {
+                if matches!(value, SimpleValue::Top) {
+                    // Top carries no useful info; Indirect(ivn) is more informative.
+                    return;
+                }
+                if let Some(addr) = value.as_const_value() {
+                    self.inner =
+                        PcodeAddressLattice::Const(ConcretePcodeAddress::from(addr as u64));
+                } else {
+                    self.inner = PcodeAddressLattice::Computed(value.clone());
                 }
             }
+            // No info → leave as Indirect (two paths with no valuation are genuinely equal)
         }
     }
 }
@@ -195,15 +203,17 @@ impl CfgState for BasicLocationState {
     fn new_const(&self, i: &jingle_sleigh::SleighArchInfo) -> Self::Model {
         match &self.inner {
             PcodeAddressLattice::Const(addr) => MachineState::fresh_for_address(i, *addr),
-            // For computed or unknown locations, fall back to a generic fresh machine state.
-            PcodeAddressLattice::Computed(_) | PcodeAddressLattice::Top => MachineState::fresh(i),
+            PcodeAddressLattice::Indirect(_)
+            | PcodeAddressLattice::Computed(_)
+            | PcodeAddressLattice::Top => MachineState::fresh(i),
         }
     }
 
     fn model_id(&self) -> String {
         match &self.inner {
             PcodeAddressLattice::Const(a) => a.model_id(),
             PcodeAddressLattice::Top => "State_Top_".to_string(),
+            PcodeAddressLattice::Indirect(_) => "State_Indirect_".to_string(),
             PcodeAddressLattice::Computed(_) => "State_Computed_".to_string(),
         }
     }

jingle/src/analysis/location/bound/mod.rs

@@ -14,10 +14,12 @@ use crate::modeling::machine::cpu::concrete::ConcretePcodeAddress;
 ///
 /// Use the provided constructors to choose the desired configuration.
 pub struct BoundedBranchAnalysis {
-    /// Optional maximum number of instructions to observe.
+    /// Maximum number of ISA instructions.
     max_instructions: Option<usize>,
-    /// Optional maximum number of branches to observe.
+    /// Maximum number of explicit ISA branches.
     max_branches: Option<usize>,
+    /// Maximum number of pcode steps
+    max_ops: Option<usize>,
 }
 
 impl BoundedBranchAnalysis {
@@ -26,6 +28,7 @@ impl BoundedBranchAnalysis {
         Self {
             max_instructions: None,
             max_branches: Some(max_branches),
+            max_ops: None,
         }
     }
 
@@ -34,15 +37,21 @@ impl BoundedBranchAnalysis {
         Self {
             max_instructions: Some(max_instructions),
             max_branches: None,
+            max_ops: None,
         }
     }
 
     /// Create an analysis with explicit optional bounds for instructions and branches.
     /// Use `None` for any bound you do not want to apply.
-    pub fn with_bounds(max_instructions: Option<usize>, max_branches: Option<usize>) -> Self {
+    pub fn with_bounds(
+        max_instructions: Option<usize>,
+        max_branches: Option<usize>,
+        max_ops: Option<usize>,
+    ) -> Self {
         Self {
             max_instructions,
             max_branches,
+            max_ops,
         }
     }
 
@@ -55,6 +64,10 @@ impl BoundedBranchAnalysis {
     pub fn max_instructions(&self) -> Option<usize> {
         self.max_instructions
     }
+
+    pub fn max_ops(&self) -> Option<usize> {
+        self.max_ops
+    }
 }
 
 impl ConfigurableProgramAnalysis for BoundedBranchAnalysis {
@@ -64,6 +77,6 @@ impl ConfigurableProgramAnalysis for BoundedBranchAnalysis {
 
 impl IntoState<BoundedBranchAnalysis> for ConcretePcodeAddress {
     fn into_state(self, c: &BoundedBranchAnalysis) -> BoundedBranchState {
-        BoundedBranchState::with_both_bounds(c.max_instructions, c.max_branches)
+        BoundedBranchState::with_all_bounds(c.max_instructions, c.max_branches, c.max_ops)
     }
 }