questions about pag and svfg

[yang-guangliang]

Hello,

I am quite new to svf, and just started learning svf from understanding this exmaple and its analysis results (https://github.com/svf-tools/SVF/wiki/Analyze-a-Simple-C-Program). Currently I have two concrete questions tormenting me:

1. In pag, svf perfectly constructs the whole graph to reflect the relationship between symbols and their corresonding object content. But I am confused about how to link pag with the points-to results and constraint graph:
   • In constraint graph (https://github.com/svf-tools/SVF/wiki/Analyze-a-Simple-C-Program), the content of the key nodes 22 and 24 seems quite confusing, because I found there was a circle between them. Thus, do Node 22 and Node 24 hold the same points-to set?

To answer this, I also searched related tutorial, and found this talk: https://llvm.org/devmtg/2016-03/Presentations/SVF_EUROLLVM2016.pdf The following picture seems to verify my thoughts. So is svf using the weak-update strategy?

• Since Node 22 and Node 24 are quite important, why not the points-to results relfect their content (i.e., points-to set)? The following results do not talk about node 22 and 24. So how to obtain their content?

2. In svfg, the def/use of stmts and objects is constructed, which is really easy to read. But I would like to know how to connect svfg and points-to results. For example, given a node, how to know its points-to set? Are their nodes linked based on their node IDs?

Best wishes, Guangliang

[yuleisui]

You are using Andersen's flow-insensitive analysis, so the analysis always performs weak updates (see slides here and here about the SVFIR)

To understand the contents of a PAGNode (or SVFVar), you can use its toString method to obtain and print the corresponding LLVM value.

You can also use the getPts(p) method from the pointer analysis to obtain the points-to set, which includes the set of object IDs for the variable p

[yang-guangliang]

Oh, I see. Thank you so much! I really appreciate it. I closed this issue.