SVF-tools / SVF

Static Value-Flow Analysis Framework for Source Code
http://svf-tools.github.io/SVF/

Question about applying SVF to real world large programs #1505

Open shoong98 opened 2 months ago

shoong98 commented 2 months ago

Hello, I'm a student studying program analysis. I really appreciate that these tools and learning materials are helping me a lot.

I'd like to ask a question about applying SVF to large programs, such as Chromium and Firefox.

I am currently building the chromium code as a single bitcode and applying SVF's wpa tool (with AndersenWaveDiff), but the analysis does not end for a very long time.

Is there a way to analyze such a large program by applying pointer analysis?

I searched for related materials and found that @yuleisui wrote a paper like the one below and tested it with Chromium.

https://yuleisui.github.io/publications/issta17.pdf

Is there any way to apply this to current SVF?

Thank you in advance for reading and answering my question.

zz-fz-john commented 2 months ago

Applying the AndersenWaveDiff analysis to a large program takes a long time and uses a lot of memory. I recently used SVF to analyze arducopter on a server equipped with 192 GB of memory and 24 cores. It took about 1 hour to get the final result. So I think it is normal that the analysis does not finish for a very long time.

shoong98 commented 2 months ago

Thanks for your reply, @zz-fz-john. I expected that it would take a long time if I used Andersen's pointer analysis as is, and indeed my server machine has 512 GB of memory, but the analysis failed. So I'm looking for a way to apply pointer analysis to Chromium while maintaining scalability and ensuring a certain level of precision (to resolve indirect calls). So is there no way to achieve this for large applications like Chromium in SVF? Or, if there is a way to perform partial analysis on only the pointers involved when an indirect call occurs, I would appreciate it.

yuleisui commented 2 months ago

You could try to reduce the number of Andersen's iterations by limiting the indirect call edges during solving. This will lead to less sound results.

wpa -ander -ind-call-limit=0 *.bc
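An added illustration of the trade-off behind the flag in the answer above (this is an editor's toy model, not SVF's own code): a small inclusion-based, Andersen-style points-to solver in Python whose indirect-call resolution stops adding call edges once a configurable count is reached. The program it analyses, the constraint encoding and the `ind_call_limit` parameter are constructed for this example; the real option's exact semantics are only what the reply above states. With no limit, the return value `r` of the indirect call points to both `x` and `y`; with a limit of 1, one callee and its return flow are dropped; with a limit of 0, the call site has no callees at all, so a value-flow trace starting from a callee's return value would never reach `r`.

```python
"""Toy Andersen-style points-to solver with an indirect-call edge limit.

Added example, not SVF code. It models a solver that stops resolving indirect
call edges once a limit is hit, the effect the -ind-call-limit option is
described as having. Constraint names, program and encoding are this
example's own.
"""
from collections import defaultdict


class ToyAndersen:
    """Inclusion-based solver: pts(x) grows monotonically until a fixpoint.

    addr(p, o)            o in pts(p)
    copy(dst, src)        pts(dst) >= pts(src)
    load(dst, ptr)        for o in pts(ptr): pts(dst) >= pts(o)
    store(ptr, src)       for o in pts(ptr): pts(o) >= pts(src)
    func(f, params, ret)  f is an address-taken function object
    icall(fp, args, ret)  for f in pts(fp): bind args->params, f.ret->ret
    """

    def __init__(self, ind_call_limit=None):
        self.ind_call_limit = ind_call_limit   # None = unlimited (sound)
        self.pts = defaultdict(set)
        self.copies = defaultdict(set)         # src -> {dst}
        self.loads, self.stores = [], []
        self.funcs, self.icalls = {}, []
        self.call_edges = set()                # resolved (site, callee)
        self.unresolved = set()                # (site, callee) dropped by the limit

    def addr(self, p, o): self.pts[p].add(o)
    def copy(self, dst, src): self.copies[src].add(dst)
    def load(self, dst, ptr): self.loads.append((dst, ptr))
    def store(self, ptr, src): self.stores.append((ptr, src))
    def func(self, f, params, ret): self.funcs[f] = (params, ret)
    def icall(self, fp, args, ret): self.icalls.append((fp, args, ret))

    def _resolve_indirect_calls(self):
        """Turn newly seen callees into copy edges, unless the limit is reached."""
        changed = False
        for site, (fp, args, ret) in enumerate(self.icalls):
            for f in sorted(self.pts[fp]):          # sorted: deterministic order
                if f not in self.funcs or (site, f) in self.call_edges:
                    continue
                if (self.ind_call_limit is not None
                        and len(self.call_edges) >= self.ind_call_limit):
                    self.unresolved.add((site, f))  # edge dropped: unsound here
                    continue
                self.call_edges.add((site, f))
                params, fret = self.funcs[f]
                for param, arg in zip(params, args):
                    self.copy(param, arg)           # actual -> formal
                self.copy(ret, fret)                # callee return -> call result
                changed = True
        return changed

    def solve(self):
        """Naive iteration to a fixpoint (no wave/diff optimisation)."""
        while True:
            changed = self._resolve_indirect_calls()
            for src, dsts in list(self.copies.items()):
                for dst in dsts:
                    before = len(self.pts[dst])
                    self.pts[dst] |= self.pts[src]
                    changed |= len(self.pts[dst]) != before
            for dst, ptr in self.loads:            # *ptr -> dst
                for o in list(self.pts[ptr]):
                    if dst not in self.copies[o]:
                        self.copies[o].add(dst)
                        changed = True
            for ptr, src in self.stores:           # src -> *ptr
                for o in list(self.pts[ptr]):
                    if o not in self.copies[src]:
                        self.copies[src].add(o)
                        changed = True
            if not changed:
                return self


def build_program(ind_call_limit=None):
    """Constructed program (not from the issue), roughly:

        int *g, **pp = &g;  int x, y;
        int *id(int *a)    { return a; }
        int *other(int *b) { return *pp; }
        fp = cond ? &id : &other;   *pp = &y;
        int *r = fp(&x);            // what does r point to?
    """
    pa = ToyAndersen(ind_call_limit)
    pa.func("id", ["id.a"], "id.ret")
    pa.copy("id.ret", "id.a")
    pa.func("other", ["other.b"], "other.ret")
    pa.load("other.ret", "pp")
    pa.addr("fp", "id")
    pa.addr("fp", "other")
    pa.addr("pp", "g")
    pa.addr("ty", "y")
    pa.store("pp", "ty")
    pa.addr("tx", "x")
    pa.icall("fp", ["tx"], "r")
    return pa.solve()


def return_value_targets(ind_call_limit=None):
    """pts(r) after solving, plus the call edges the limit threw away."""
    pa = build_program(ind_call_limit)
    return sorted(pa.pts["r"]), sorted(pa.unresolved)


if __name__ == "__main__":
    for limit in (None, 1, 0):
        print(f"ind-call-limit={limit}: pts(r), dropped edges =",
              return_value_targets(limit))
```

The point of the model is the `unresolved` set: every pair it holds is a callee the solver knows the function pointer may target but refuses to connect, so any points-to fact or value flow that crosses that call edge is silently missing from the result.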

shoong98 commented 2 months ago

Thanks for the answer.

I have some more questions about this large program analysis.

  1. I also need to use the value-flow graph (SVFG) to trace some flow from a specific point (e.g., the return value of a function). Then, can I use the option -ind-call-limit=0 in this case? If that is not possible, can I make it do pointer analysis for only the parts I want, rather than the entire program?

  2. What do you think about using type-based pointer analysis in my case rather than Andersen's pointer analysis?