Analyzing JumpTable index of LLVM IR code

Hello,

I am on the hook to analyze a piece of LLVM IR code with a single giant function produced by some other languages. So basically I will need to recover some CG and CFG information from that giant function following some knowledge on function entry points.

While in general that works for me, one problem is to analyze the JumpTable. So basically I am having a lot of basic blocks that end with or start from a JumpTable entry, something like:

.473:                                             ; preds = %.461, %JumpTable
  call void @check(i64* %gas.ptr, i64 12, i8* %jmpBuf)
  %210 = getelementptr i256, i256* %sp.473, i64 -2
  %211 = load i256, i256* %210, align 16
  %212 = getelementptr i256, i256* %sp.473, i64 -1
  %213 = load i256, i256* %212, align 16
  %214 = getelementptr i256, i256* %sp.473, i64 -2
  store i256 %213, i256* %214, align 16
  br label %JumpTable

.348:                                             ; preds = %.347, %JumpTable
  call void @check(i64* %gas.ptr, i64 9, i8* %jmpBuf)
  %133 = getelementptr i256, i256* %sp.348, i64 -1
  %134 = load i256, i256* %133, align 16
  br label %JumpTable

And here is what my JumpTable looks like:

JumpTable:                                        ; preds = %.473, %.348
  %target = phi i256 [ %134, %.348 ], [ %211, %.473 ]
  switch i256 %target, label %Exit [
    i256 66, label %.66
    i256 68, label %.68
    i256 79, label %.79
    i256 81, label %.81
    i256 92, label %.92
    i256 188, label %.188
    i256 202, label %.202
    i256 347, label %.347
    i256 348, label %.348
    i256 350, label %.350
    i256 432, label %.432
    i256 461, label %.461
    i256 473, label %.473
  ]

The problem is that right now, when I traverse the CFG, the succeeding blocks of the jump table include ALL the basic blocks reachable by the JumpTable. In other words, I might get very imprecise analysis results (yes, of course that’s “sound”).

So I am writing to ask whether it is feasible to do any “range” analysis to infer the value stored in the JumpTable index? For instance, when traversing to BB .348, it would be great to know that pointer %134 can only be 5 or 6. Something like this.

Am I clear on this? Thank you for your help, and wish you a Happy New Year!

Best,
Irene
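As an added illustration (not part of the original post, and not LLVM's own implementation), the following Python script shows the basic refinement the question asks for: instead of treating the switch as one node whose successors are every case, look at the phi one predecessor at a time and resolve the switch with whatever is known about that predecessor's incoming value. The IR fragment embedded in the script is constructed for the example; it keeps the phi/switch shape from the post, drops the instructions the analysis does not need, and adds one extra predecessor (%.100) that feeds the literal 348 into the phi so that at least one edge can be resolved exactly. The `known` dictionary stands in for the result of an outer range or constant analysis (for example, "%134 can only be 5 or 6"); the script does not derive those facts itself.

```python
import re

# Constructed LLVM IR fragment (assumption: shape follows the post, content
# reduced). %.100 is an extra predecessor that pushes a constant into the phi.
IR_SAMPLE = """
.100:
  br label %JumpTable

.348:                                             ; preds = %.347, %JumpTable
  %134 = load i256, i256* %133, align 16
  br label %JumpTable

.473:                                             ; preds = %.461, %JumpTable
  %211 = load i256, i256* %210, align 16
  br label %JumpTable

JumpTable:                                        ; preds = %.473, %.348, %.100
  %target = phi i256 [ %134, %.348 ], [ %211, %.473 ], [ 348, %.100 ]
  switch i256 %target, label %Exit [
    i256 66, label %.66
    i256 348, label %.348
    i256 473, label %.473
  ]
"""

PHI_RE = re.compile(r"^\s*(%[\w.]+)\s*=\s*phi\s+\S+\s+(.*)$")
PHI_ARM_RE = re.compile(r"\[\s*([^,\]]+?)\s*,\s*(%[\w.]+)\s*\]")
SWITCH_RE = re.compile(r"^\s*switch\s+\S+\s+(%[\w.]+)\s*,\s*label\s+(%[\w.]+)\s*\[")
CASE_RE = re.compile(r"^\s*\S+\s+(-?\d+)\s*,\s*label\s+(%[\w.]+)")


def parse_jump_table(ir, block="JumpTable"):
    """Return (phi_name, incoming, default, cases) for the phi/switch pair in `block`.
    incoming maps predecessor label -> int constant or SSA name; cases maps int -> label."""
    lines = ir.splitlines()
    starts = [i for i, l in enumerate(lines) if l.split(";")[0].strip() == block + ":"]
    if not starts:
        raise ValueError(f"block {block} not found")
    phi_name, incoming, default, cases = None, {}, None, {}
    in_switch = False
    for line in lines[starts[0] + 1:]:
        s = line.split(";")[0].strip()  # drop trailing IR comments
        if in_switch:
            if s == "]":
                break
            m = CASE_RE.match(s)
            if m:
                cases[int(m.group(1))] = m.group(2)
            continue
        m = PHI_RE.match(s)
        if m:
            phi_name = m.group(1)
            for val, pred in PHI_ARM_RE.findall(m.group(2)):
                incoming[pred] = int(val) if re.fullmatch(r"-?\d+", val) else val
            continue
        m = SWITCH_RE.match(s)
        if m:
            if m.group(1) != phi_name:
                raise ValueError("switch does not dispatch on the phi result")
            default = m.group(2)
            in_switch = True
    return phi_name, incoming, default, cases


def successors_per_pred(incoming, default, cases, known=None):
    """For each predecessor of the jump-table block, the set of blocks the switch
    can actually reach when control arrived from that predecessor.
    `known` maps an SSA name to the set of integer values an outer analysis proved
    for it; names without an entry are unconstrained (every case plus the default)."""
    known = known or {}
    all_targets = set(cases.values()) | {default}
    result = {}
    for pred, val in incoming.items():
        values = {val} if isinstance(val, int) else known.get(val)
        # Constant or proven value set: each value selects exactly one case (or default).
        result[pred] = set(all_targets) if values is None else {cases.get(v, default) for v in values}
    return result


def threaded_edges(ir, known=None, block="JumpTable"):
    """Predecessor-specific CFG edges through the jump table, i.e. the edges a
    jump-threading style refinement would use instead of pred -> JumpTable -> *."""
    _, incoming, default, cases = parse_jump_table(ir, block)
    per_pred = successors_per_pred(incoming, default, cases, known)
    return sorted((p, s) for p, succs in per_pred.items() for s in sorted(succs))


if __name__ == "__main__":
    print("unconstrained:", threaded_edges(IR_SAMPLE))
    # Pretend an outer range analysis proved %134 is 5 or 6 (constructed fact).
    print("with %134 in {5, 6}:", threaded_edges(IR_SAMPLE, known={"%134": {5, 6}}))
```

With no extra facts, only the %.100 edge collapses (to %.348); %.348 and %.473 still fan out to every case plus %Exit. Supplying a value set for %134 shows the payoff the question is after: if %134 is known to be 5 or 6, neither value is a case label, so the only successor reachable from %.348 through the table is %Exit. In real LLVM the same idea appears in SCCP and JumpThreading, but those passes need the incoming value to be provably constant; for values loaded from a stack slot as in the post, the loads first have to be forwarded from the matching stores before any of this applies.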