plast-lab / cclyzer-souffle

CClyzer port to souffle lang
MIT License

Question about interpreting results of analysis #9

Open efferifick opened 3 years ago

efferifick commented 3 years ago

Hello,

I am attempting to use cclyzer-souffle to find out the points-to sets of some field variables in a class. I have successfully installed cclyzer-souffle and I have also run it, but I have some problems understanding the output. Can someone help me? I believe that cclyzer-souffle may still be under active development, so if it is the case that it is not ready for my use case, then I understand.

So, I am attempting to find out what these fields point to:

class VALIDATORS_EXPORT FieldValueMap : public XMemory
{
private:
    ValueVectorOf<IC_Field*>*          fFields;
    ValueVectorOf<DatatypeValidator*>* fValidators;
    RefArrayVectorOf<XMLCh>*           fValues;
};

I have reduced the class to the relevant fields, but do let me know if there is more information that I can provide to make the example clearer.

I have compiled this class to a human readable llvm-ir file and I believe that the fields are represented here:

%"class.xercesc_2_7::FieldValueMap" = type { %"class.xercesc_2_7::ValueVectorOf"*, %"class.xercesc_2_7::ValueVectorOf.0"*, %"class.xercesc_2_7::RefArrayVectorOf"*, %"class.xercesc_2_7::MemoryManager"* }

Now, there is a method that just deletes these fields:

void FieldValueMap::cleanUp()
{
    delete fFields;
    delete fValidators;
    delete fValues;
}

I believe I can get the information about which abstract memory location these fields point to by looking at the llvm-ir in this method and then looking at the results/ directory and finding out the appropriate relation for these variables.

Here is the llvm-ir:

; Function Attrs: noinline nounwind optnone uwtable
define dso_local void @xercesc_2_7::FieldValueMap::cleanUp()(%"class.xercesc_2_7::FieldValueMap"* %0) #1 align 2 !dbg !1286 {
  %2 = alloca %"class.xercesc_2_7::FieldValueMap"*, align 8
  store %"class.xercesc_2_7::FieldValueMap"* %0, %"class.xercesc_2_7::FieldValueMap"** %2, align 8
  call void @llvm.dbg.declare(metadata %"class.xercesc_2_7::FieldValueMap"** %2, metadata !1287, metadata !DIExpression()), !dbg !1288
  %3 = load %"class.xercesc_2_7::FieldValueMap"*, %"class.xercesc_2_7::FieldValueMap"** %2, align 8
  %4 = getelementptr inbounds %"class.xercesc_2_7::FieldValueMap", %"class.xercesc_2_7::FieldValueMap"* %3, i32 0, i32 0, !dbg !1289
  %5 = load %"class.xercesc_2_7::ValueVectorOf"*, %"class.xercesc_2_7::ValueVectorOf"** %4, align 8, !dbg !1289
  %6 = icmp eq %"class.xercesc_2_7::ValueVectorOf"* %5, null, !dbg !1290
  br i1 %6, label %9, label %7, !dbg !1290

7:                                                ; preds = %1
  call void @xercesc_2_7::ValueVectorOf<xercesc_2_7::IC_Field*>::~ValueVectorOf()(%"class.xercesc_2_7::ValueVectorOf"* %5) #9, !dbg !1290
  %8 = bitcast %"class.xercesc_2_7::ValueVectorOf"* %5 to i8*, !dbg !1290
  call void @xercesc_2_7::XMemory::operator delete(void*)(i8* %8) #9, !dbg !1290
  br label %9, !dbg !1290

// continues... 

Now, I am not an expert in LLVM-IR, but from what I can understand, the argument to %5 is the pointer fFields and %8 is the field fFields cast to i8*.

I am running the context insensitive analysis and I see the following files which I believe may have the results I am interested in:

var_points_to.csv
gep_points_to.csv

But I cannot find the variables in these files. Can someone help me find out how to determine what fFields may point to?

Thanks and good work!
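One way to look a register up in the result files, as an added example that is not part of the post or of cclyzer-souffle. It assumes Souffle writes each output relation as a header-less, tab-separated file and that cclyzer names a register after its enclosing function as "<function>:<register>"; the column order of var_points_to is not assumed (every column is searched), and the sample rows and allocation names are constructed.

```python
"""Look up what an IR register may point to in cclyzer-souffle result files.

Added example, not part of the cclyzer-souffle project. Assumptions: Souffle
emits each output relation as a header-less, tab-separated file, and cclyzer
names a register after its enclosing function as "<function>:<register>".
The column order of var_points_to is not assumed; every column is searched.
"""
import csv
import io
from pathlib import Path

# Constructed stand-in for results/var_points_to.csv (allocation names are made up).
SAMPLE_VAR_POINTS_TO = "\n".join([
    "*heap_alloc@ctor:%new1\t@xercesc_2_7::FieldValueMap::cleanUp():%5",
    "*heap_alloc@ctor:%new1\t@xercesc_2_7::FieldValueMap::cleanUp():%8",
    "*stack_alloc@cleanUp:%2\t@xercesc_2_7::FieldValueMap::cleanUp():%2",
])


def var_name(function, register):
    """Build the assumed cclyzer-style variable name, e.g. '@f():%5'."""
    return f"{function}:{register}"


def load_relation(text):
    """Parse one Souffle output relation (TSV, no header) into a list of rows."""
    return [row for row in csv.reader(io.StringIO(text), delimiter="\t") if row]


def points_to(rows, variable):
    """Collect every non-variable column of the rows that mention the variable,
    i.e. the candidate abstract allocations it may point to (sorted, no duplicates)."""
    targets = set()
    for row in rows:
        if variable in row:
            targets.update(col for col in row if col != variable)
    return sorted(targets)


def grep_results(results_dir, needle):
    """Scan every .csv relation under results_dir for rows containing needle.
    Useful when unsure how a register is named; returns {filename: matching rows}."""
    hits = {}
    for path in sorted(Path(results_dir).glob("*.csv")):
        rows = [r for r in load_relation(path.read_text()) if any(needle in c for c in r)]
        if rows:
            hits[path.name] = rows
    return hits


if __name__ == "__main__":
    rows = load_relation(SAMPLE_VAR_POINTS_TO)
    field = var_name("@xercesc_2_7::FieldValueMap::cleanUp()", "%5")  # the loaded fFields
    print(field, "->", points_to(rows, field))
```

Running `grep_results("results", "cleanUp")` against a real results/ directory shows which relations mention the function at all, which is the quickest way to confirm the naming scheme before searching for a specific register.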

ktrianta commented 3 years ago

Hello!

I believe your understanding is right and you are looking at the right place.

It would be great if you could share a minimal version of the source code or the llvm-ir code so I can investigate the issue further.