search

SVF-tools / SVF

Static Value-Flow Analysis Framework for Source Code
http://svf-tools.github.io/SVF/
Other
1.35k stars 427 forks source link

pointer analysis #48

Open zyw-nine opened 6 years ago

zyw-nine commented 6 years ago

how can I get the results of pointer analysis? I want to analysis something from the results (eg. a struct to store the information), I didn't need the .dot file.

if I want to write a flow and field insensitive pointer analysis, can you tell me the detail, I don't know how to make and run the file that I write.

yuleisui commented 6 years ago

Hello,

1) Using an existing pointer analysis. The following gives you the most intuitive way to get the results of a flow-insensitive and field-sensitive pointer analysis (Andersen's analysis)

AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(svfModule);
ander->getPts(NodeID)

NodeID here represents a node (pointer variable) on PAG (refer to our wiki at https://github.com/SVF-tools/SVF/wiki/Technical-documentation#12-program-assignment-graph-pag). Every pointer operand of an instruction (e.g., store or load) maps to a PAG Node. "ander->getPts(NodeID)" return a set of objects corresponding to LLVM allocation sites (Alloca, Global or heap allocations).

You may also wish to refer this thread in creating and using pointer analysis for indirect calls https://github.com/SVF-tools/SVF/issues/37

2) Writing a pointer analysis You can create a new cpp file under the folder of "lib/WPA" and follow the following wiki to create a pointer analysis of your own.

https://github.com/SVF-tools/SVF/wiki/Write-a-flow--and-field---insensitive-pointer-analysis

zyw-nine commented 6 years ago

Thank you@yuleisui

zhaogang92 commented 6 years ago

I am wondering if AndersenWaveDiffWithType is more precise than AndersenWave and FlowSensitive. I used these to check if an operand in LLVM IR can point to a heap memory object (at least one heap object in its points-to set). With AndersenWaveDiffWithType I got much less such operands. This is unexpected to me. I don't know where I am wrong.

yuleisui commented 6 years ago

Yes, AndersenWaveDiffWithType is more precise given the type information is correctly reflected on LLVM IR.

zhaogang92 commented 6 years ago

Do you mean it may not be conservative?

yuleisui commented 6 years ago

Type information in C is OK so far. However, for C++, LLVM may not reflect the correct type information for classes since all types will be flattened base on bits after lowing IR.

Take a look at this: http://lists.llvm.org/pipermail/llvm-dev/2016-May/100139.html

Have you found any issue using AndersenWaveDiffWithType?

zhaogang92 commented 6 years ago

I used it to check if an operand may point to a heap object for bzip2 (if its points-to set contains at least one heap object). If I use FlowSensitive PTA, I get 3848 such operands. But if I use AndersenWaveDiffWithType PTA, I only get 269 such operands. Such a reduction is not very reasonable to me. So I am wondering it is really conservative?

yuleisui commented 6 years ago

You may wish to use the default AndersonWaveDiff solver. The diffWaveAnderseWithType is a new solver particularly for C++. It may not be converative as explained.

zhaogang92 commented 6 years ago

OK. Thanks for explanation!