SVF-tools / SVF

Static Value-Flow Analysis Framework for Source Code
http://svf-tools.github.io/SVF/

Question about using this tool #81

Open evans14641 opened 6 years ago

evans14641 commented 6 years ago

Hi

This is interesting work and I want to use it for some interesting analysis. However, I have no idea where to start. My goal is to find the value flow dependency between two variables:

example:

```c
void bar(int a);  /* forward declaration so foo() can call bar() */

void foo() { int a = 1; bar(a); }

void bar(int a) { int b = a + 1; }
```

If I want to find the data dependency between a and b, what should I do? Which file should I refer to for more information?

Thanks

yuleisui commented 6 years ago

Have you taken a look at our wiki? https://github.com/SVF-tools/SVF/wiki/Analyze-a-Simple-C-Program

SVF can generate program dependence graphs for pointer-related variables (rather than scalars).
https://github.com/SVF-tools/SVF/wiki/Analyze-a-Simple-C-Program#10-value-flow-graph
https://github.com/SVF-tools/SVF/wiki/Technical-documentation#32-sparse-value-flow-graph-svfg

For your case, if you want scalar variables def-use (value-flows), LLVM's internal def-use can provide you with the answer. http://llvm.org/docs/ProgrammersManual.html#iterating-over-def-use-use-def-chains

evans14641 commented 6 years ago

Thanks for the reply.

I think I did not describe it clearly. I tried the def-use of LLVM; it just gave me useless information.

What I want to do is to find variables that depend on one specific variable. I think this can be done with static taint analysis.

For example:

```llvm
%s.addr = alloca float, align 4
%kernel.addr = alloca float**, align 8
%windowsize.addr = alloca i32*, align 8
%i = alloca i32, align 4
%center = alloca i32, align 4
%x = alloca float, align 4
%fx = alloca float, align 4
%sum = alloca float, align 4
store float %s, float* %s.addr, align 4
store float** %kernel, float*** %kernel.addr, align 8
store i32* %windowsize, i32** %windowsize.addr, align 8
store float 0.000000e+00, float* %sum, align 4
%0 = load float, float* %s.addr, align 4
%conv = fpext float %0 to double
%mul = fmul double 2.500000e+00, %conv
%call = call double @ceil(double %mul) #10
%mul1 = fmul double 2.000000e+00, %call
%add = fadd double 1.000000e+00, %mul1
%conv2 = fptosi double %add to i32
%1 = load i32*, i32** %windowsize.addr, align 8
store i32 %conv2, i32* %1, align 4
%2 = load i32*, i32** %windowsize.addr, align 8
%3 = load i32, i32* %2, align 4
%div = sdiv i32 %3, 2
store i32 %div, i32* %center, align 4
%4 = load i32*, i32** %windowsize.addr, align 8
%5 = load i32, i32* %4, align 4
%conv3 = sext i32 %5 to i64
%call4 = call noalias i8* @calloc(i64 %conv3, i64 4) #9
%6 = bitcast i8* %call4 to float*
%7 = load float**, float*** %kernel.addr, align 8
store float* %6, float** %7, align 8
%cmp = icmp eq float* %6, null
```

I want to know whether kernel's value depends on s; the answer is yes for this example. I was wondering whether SVF can help me to do it.

Thanks
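
The dependence asked about in the last comment, worked as an added example (not code from the thread, and not SVF or LLVM API code): in this unoptimized IR the only direct use of `%s` is the `store` into `%s.addr`, so the dependence has to be followed through `store`/`load` pairs. The sketch does that flow-insensitively over a constructed subset of the quoted IR; `depends_on` and the `mem:` cell names are hypothetical, and it assumes two pointers loaded from the same slot refer to the same cell.

```python
import re

# Constructed input: a subset of the IR quoted in the thread, pointer types restored.
IR = """\
%s.addr = alloca float, align 4
%kernel.addr = alloca float**, align 8
%windowsize.addr = alloca i32*, align 8
store float %s, float* %s.addr, align 4
store float** %kernel, float*** %kernel.addr, align 8
store i32* %windowsize, i32** %windowsize.addr, align 8
%0 = load float, float* %s.addr, align 4
%conv = fpext float %0 to double
%mul = fmul double 2.500000e+00, %conv
%call = call double @ceil(double %mul) #10
%mul1 = fmul double 2.000000e+00, %call
%add = fadd double 1.000000e+00, %mul1
%conv2 = fptosi double %add to i32
%1 = load i32*, i32** %windowsize.addr, align 8
store i32 %conv2, i32* %1, align 4
%4 = load i32*, i32** %windowsize.addr, align 8
%5 = load i32, i32* %4, align 4
%conv3 = sext i32 %5 to i64
%call4 = call noalias i8* @calloc(i64 %conv3, i64 4) #9
%6 = bitcast i8* %call4 to float*
%7 = load float**, float*** %kernel.addr, align 8
store float* %6, float** %7, align 8
"""

def depends_on(ir, source):
    """SSA values and memory cells ("mem:<cell>") that may depend on `source`."""
    cell, dep, grew = {}, {source}, True  # cell: pointer value -> abstract cell
    while grew:  # repeat until nothing new is found, so loops are covered too
        before = (len(dep), len(cell))
        for line in map(str.strip, ir.splitlines()):
            names = re.findall(r"%[\w.]+", line)
            if line.startswith("store"):  # value operand first, address last
                if len(names) == 2 and names[0] in dep:
                    dep.add("mem:" + cell.get(names[1], names[1]))
            elif " = alloca " in line:
                cell[names[0]] = names[0]  # every alloca is its own cell
            elif " = load " in line:
                src = cell.get(names[1], names[1])
                cell[names[0]] = "*" + src  # cell a loaded pointer refers to
                if "mem:" + src in dep:
                    dep.add(names[0])
            elif " = " in line and dep.intersection(names[1:]):
                dep.add(names[0])  # any other result depends on its operands
        grew = (len(dep), len(cell)) != before
    return dep
```

For `depends_on(IR, "%s")` the result contains `mem:*%kernel.addr`, the cell that `kernel` points to, while `%7`, the pointer `kernel` itself, is absent.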