SMAT-Lab / Scalpel

Scalpel: The Python Static Analysis Framework
Apache License 2.0
298 stars 46 forks source link

Relationship between CFG and call graph #127

Open ShayYaari opened 5 months ago

ShayYaari commented 5 months ago

Hello,

First I want to thank you so much for your hard and amazing work in this project! As I'm new to static analysis and a beginner in using this project, I have 2 questions:

  1. I'm trying to use both the CFG and the call graph analyses together and I'm wondering if there is an easy way to go from one to another. For example, given a ast.Call statement in one of the CFG blocks statements, to find its node in the call graph. In the other way, given a node in the call graph, find its block and ast.Call in the CFG.

  2. I'm trying to work on an application to analyze and evaluate arguments in a specific function call in my program. Given a function in the call graph,I want to try and analyze the paths to its call and heuristically evaluate the arguments it is called with. It seems as I can find some data in the SSA, CFG and call graph that help to create some sort of an algorithm to find the paths and evaluate. However I'm not sure if there is better known approach to do so or some already implemented algorithms / research on this. Do you have some suggestions for me where can I find more information, or your recommendation?

Thanks!

Jarvx commented 5 months ago

Hi Shay Yaari,

Thank you for the help.

  1. This is an initial plan, to develop a bundled call graph for the CFG module. however, the development is rather behind this plan.
  2. This is not difficult to implement. One example should be Exploring Hyperparameter Usage and Tuning in Machine Learning Research, the author used the SSA module to collect values for ML API calls.

Please email me if you still have any questions or feel free to make PRs.

best regards

ShayYaari commented 5 months ago

Thanks @Jarvx for you quick response!

Regarding 2, are the examples you are referring to (as the one you mentioned) are always based on ML? Or are there examples of algorithms that take these graphs and SSA and on top of it in a deterministic / iterative way analyzes calls arguments?

Jarvx commented 5 months ago

I am not sure because I did not look into their code implementation, nor am I on the paper author list. but according to the paper, they used the SSA module as part of their artifact.

The paper seems to only handle ML APIs.