Comments (8)
yuleisui
commented on May 28, 2024
The type of an object is statically determined at its allocation site. The following might be something you want for an object:
SVF/include/MemoryModel/MemModel.h
Line 296 in f6d9758
from svf.
zyw-nine
commented on May 28, 2024
thank you !
from svf.
KihongHeo
commented on May 28, 2024
Hello,
May I ask a further question? By "statically determined", do you mean by LLVM or SVF?
%2 = call noalias i8* @malloc(i64 4)
This code does not tell us any type information of %2. How can SVF determine the type of %2? Do you get the type from bitcast and getelementptr?
from svf.
yuleisui
commented on May 28, 2024
The initial type is i8* and the actual type of the malloc object has been determined by later casting operations. The current SVF implementation will find the immediate dominated cast (if there is one) to determine the type. Note that SVF's Andersen's analysis is type-independent, which is purely constraint-based without caring about the malloc type. Interested users can also develop more precise type bags or filters to determine the type.
from svf.
KihongHeo
commented on May 28, 2024
Thanks.
If the analysis is type-independent, do you mean the analysis is also field-insensitive?
from svf.
yuleisui
commented on May 28, 2024
Type-independent is not a proper term. I would say independent for the heap allocations as they are allocated without types. SVF is field-sensitive as it derives field objects given the pointer types at the use sites such as getelementptr instructions. However, as I mentioned, if we treat multiple casts precisely, it is similar to heap clonings, one allocation can be assigned multiple types, so with type bags or cloning multiple objects, it will yield more precise results than treating one allocation as one object.
from svf.
yuleisui
commented on May 28, 2024
This is a very good question:) In LLVM IR, field accesses are through getelementptr, the base pointer has to be cast before accessing the field object. Hence, the initial malloc type (i8*) does not matter for the later Andersen's analysis. The o's type is always determined at a particular getelementptr instruction for field-sensitivity like the example below:
%2 = call noalias i8* @malloc(i64 4) // o
%3 = bit cast i8* to struct_A* %2
%4 = getelementptr %3, 2 // o's type becomes struct_A at the getelementptr use site
For type-based heap cloning on top of Andersen's analysis, one allocation is cloned to multiple objects under different castings to distinguish them for field accesses, reducing spurious aliases with improved precision. Please refer to our ECOOP paper: https://yuleisui.github.io/publications/ecoop20.pdf
from svf.
KihongHeo
commented on May 28, 2024
Thanks a lot.
from svf.
Related Issues (20)
- Does calling andersen analyze modify the .bc file? HOT 1
- memory leak report problem HOT 2
- strong update problem HOT 4
- May I ask if there are any relevant documents for MTA usage? HOT 3
- Is there a block-level ICFG in SVF? HOT 3
- point-to result does not change after assignment HOT 7
- Problem on callgraph generation accelaration HOT 8
- Is there an implementation in ICSE'18 HOT 1
- crash with opaque pointers HOT 5
- point to set is empty HOT 5
- Handling inttoptr in SVFIR HOT 5
- How to get type information for PAG node HOT 4
- some questions about complex nested struct HOT 3
- SVF::LLVMModuleSet::getLLVMModuleSet()->getMainLLVMModule() returns extapi.bc HOT 3
- Function data flow
- How does SVF handle external functions without entities during memory analysis? HOT 4
- load module failed HOT 1
- Abstract Execution Fails to Trace Correct Allocation Size HOT 2
- ExtAPI module cannot handle those functions with name mangling. HOT 5
- Assertion when using SVF on Ceph HOT 7
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from svf.