Comments (7)
It works for me for both analyses (-fspta and -ander). You could try the below code:
extern void MAYALIAS(void*,void*);
int *a;
int main()
{
int b = 0;
a = &b;
MAYALIAS(a,&b);
return 0;
}
clang -S -c -emit-llvm ex.c -o ex.ll
wpa -fspta ex.ll
[FlowSensitive] Checking MAYALIAS
SUCCESS :MAYALIAS check <id:18, id:12> at ()
from svf.
Thanks for your reply! I'm able to reproduce this, and the resulting PAG is here:
WPA says:
[FlowSensitive] Checking _Z8MAYALIASPvS_
SUCCESS :_Z8MAYALIASPvS_ check <id:19, id:20> at ()
I can see that node 19 and node 20 is created as alias of a
and &b
, and SVF says they are aliases.
I'm wondering why SVF needs this to work. Also, can I analyze this program without modifying its source code?
from svf.
Here is another finding: using -ander
will make pts{5} = {13}, even node 5 is not a ValVar. Using -fspta
gives a empty pts for node 5.
FYI, I'm interested in which object a
points to, and I come up with 2 possible way:
- Check the PTS of node 5. But
FlowSensitive
generates an empty PTS. - Check the aliases of node 5. But
FlowSensitive
does not show any alias.
Even when I add MAYALIAS
query (and any other function calls will work), I will have to traverse the PAG to actually get the new nodes created for function calls (node 19 and 20 in the example above), and then I can finally check they are aliases. But there is still no easy way to know I should run alias(19, 20)
...
from svf.
Here is another finding: using
-ander
will make pts{5} = {13}, even node 5 is not a ValVar. Using-fspta
gives a empty pts for node 5.
If node 5 is a top-level pointer, it is fine to query its points-to using pts(5), but if it is an address taken object, you should query using a location id pts(5, loc).
FYI, I'm interested in which object
a
points to, and I come up with 2 possible way:
- Check the PTS of node 5. But
FlowSensitive
generates an empty PTS.- Check the aliases of node 5. But
FlowSensitive
does not show any alias.Even when I add
MAYALIAS
query (and any other function calls will work), I will have to traverse the PAG to actually get the new nodes created for function calls (node 19 and 20 in the example above), and then I can finally check they are aliases. But there is still no easy way to know I should runalias(19, 20)
...
from svf.
I would suggest a simple way of always querying top-level pointers but not address-taken objects. You could do that when an object is loaded to a pointer so you could query that pointer. In fact, only top-level pointers/registers are used for aliases and queries in real code.
from svf.
If node 5 is a top-level pointer, it is fine to query its points-to using pts(5)
Here node 5 is in the PAG above, and that does represent a top-level pointer, i.e., int *a
in code.
but if it is an address taken object, you should query using a location id pts(5, loc)
Sorry, I did not really get what "location id" is (I guess it's something like context?). As far as I know, performing wpa does not take context as argument when checking pts, since there is only one final result.
I would suggest a simple way of always querying top-level pointers but not address-taken objects.
That is exactly what I did. However, using -fspta
on top-level pointers gives an unexpected result:
# manual breakpoint set after PTA is done
$ gdb --args wpa -stat=false -ander global-ptr.bc
(gdb) p _pta->getPts(5).count()
$1 = 1
# top level pointer points to stack variable
(gdb) p *_pta->getPts(5).begin()
$2 = 13
$ gdb --args wpa -stat=false -fspta global-ptr.bc
# top level variable points to nothing
(gdb) p _pta->getPts(5).count()
$1 = 0
I'm expecting -ander
and -fspta
to give the same result on getPts(5)
, but they do not.
Sorry if I've mixed things up in previous posts. I hope now the question is a little clearer.
from svf.
Node 5 can't be queried using pts(5) as it is an object which can be defined multiple times at different program points/locations.
You could only use the below APIs to get their pts:
getDFInPtsSet
getDFOutPtsSet
from svf.
Related Issues (20)
- Failed when using `getLLVMValue()` on Value got from `IntraICFGNode->getInst()` HOT 1
- Type inference failure for linked list HOT 1
- SVF::FlowSensitive analyze failed HOT 3
- Same Node but with Different Source Loc in -vfspta Pointer Analysis HOT 3
- Querying WPAPass APIs using LLVM Value* and CallInst* HOT 4
- It seems PTA results of -sfrander have some pts-elements missing compared with -nander? HOT 2
- Doubts about using contextDDA to run small projects exceeding budget
- Failed to generate the correct MemorySSA when using TypeAnalysis HOT 4
- Incorrect alias result using -sfrander HOT 3
- Does SVF have a version that supports llvm15? HOT 1
- Alias analysis bug with compilation flags -O1 -Xclang -disable-O0-optnone HOT 7
- SVF Global not found HOT 11
- How to get point-to set? HOT 2
- Testing memory leaks in LLVM IR generated from Rust language but throwing an error. HOT 7
- Questions about overflow detection HOT 2
- An error occurred while testing abstract execution HOT 5
- How to get the llvm::Function corresponding to SVFFunction? HOT 2
- Successor of BranchStmt can be confused HOT 10
- Question about branchID? HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from svf.