Tell the different objects from custom alloc functions with SUPA
Hi Yulei, as we discussed in https://github.com/SVF-tools/SVF/issues/109, I tried SUPA for context-sensitive analysis with the code below:
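
    #include <stdlib.h>

    /* Custom allocation wrapper: hands the heap object back through p. */
    void my_malloc(char **p, unsigned size) {
        *p = malloc(size);
    }

    void use1(char *s1) {
        char c1 = s1[0];
    }

    void use2(char *s2) {
        char c2 = s2[1];
    }

    void f(void) {
        char *p1, *p2, *p3, *p4, *p5, *p6;
        p1 = malloc(1);
        p2 = malloc(2);
        my_malloc(&p3, 3);   /* first call site of the wrapper */
        my_malloc(&p4, 4);   /* second call site of the wrapper */
        p5 = p3;
        p6 = p4;
        use1(p5);
        use2(p6);
    }
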
I used wpa to get the constraint graph as below.
Then I used

    dvf -cxt -query=all -maxcxt=3 -cxtbg=10000 -flowbg=10000 -print-query-pts alloc_test.bc

to get the points-to result.

    ......
    ##<> Source Loc:
    Ptr 81 PointsTo: { 18 }
    !!Target NodeID 18 [<call> Source Loc: ]
    ##<> Source Loc:
    Ptr 83 PointsTo: { 18 }
    !!Target NodeID 18 [<call> Source Loc: ]
    ##<> Source Loc:
    Ptr 85 PointsTo: { 18 }
    !!Target NodeID 18 [<call> Source Loc: ]
    ##<> Source Loc:
    Ptr 87 PointsTo: { 18 }
    !!Target NodeID 18 [<call> Source Loc: ]

From the result above, I saw that Ptr 81, 83, 85 and 87 all point to PagNode 18, which makes them aliases. But pointers p5 and p6 should not be aliases.
Is that supposed to be right? Or am I doing something wrong here?
-print-query-pts will print insensitive results. For context-sensitive analysis please use https://github.com/SVF-tools/SVF/blob/ab806b876e1e6ec1e7fb32eb5052881aa62775d8/include/MemoryModel/PointerAnalysis.h#L374 to obtain points-to targets together with their calling contexts.
For your case, you may wish to refer to the alias function to get the non-alias results: https://github.com/SVF-tools/SUPA/blob/312490217a694ce7fde84649e0bb3ab2bc2f8d13/lib/DDA/DDAPass.cpp#L279
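
The effect discussed in this thread, as an added toy model in Python (not SVF or SUPA code, and not written by either poster): heap objects are named by allocation site plus calling context, and printing only the allocation site collapses p5 and p6 onto one object. The names `PROGRAM`, `analyze`, `may_alias`, `strip_contexts`, the site labels and the bound `k` (loosely standing in for `-maxcxt`) are assumptions made for the illustration.

```python
# Toy model of the test program from the question (constructed for illustration).
# A heap object is (allocation site, context); the context is the last k call
# sites on the call stack. This is an assumption, not SUPA's implementation.

PROGRAM = {
    "my_malloc": [("store_malloc", "malloc@my_malloc")],   # *p = malloc(size)
    "f": [
        ("malloc", "p1", "malloc@f:1"),        # p1 = malloc(1)
        ("malloc", "p2", "malloc@f:2"),        # p2 = malloc(2)
        ("call", "my_malloc", "p3", "cs1"),    # my_malloc(&p3, 3)
        ("call", "my_malloc", "p4", "cs2"),    # my_malloc(&p4, 4)
        ("copy", "p5", "p3"),                  # p5 = p3
        ("copy", "p6", "p4"),                  # p6 = p4
    ],
}


def analyze(k):
    """Return {var: {(site, ctx), ...}} for f, keeping k call sites of context."""
    pts = {}

    def run(func, ctx, out_var=None):
        for stmt in PROGRAM[func]:
            op = stmt[0]
            if op == "malloc":
                pts.setdefault(stmt[1], set()).add((stmt[2], ctx))
            elif op == "store_malloc":         # write through the out-parameter
                pts.setdefault(out_var, set()).add((stmt[1], ctx))
            elif op == "copy":
                pts.setdefault(stmt[1], set()).update(pts.get(stmt[2], set()))
            elif op == "call":
                new_ctx = (ctx + (stmt[3],))[-k:] if k else ()
                run(stmt[1], new_ctx, out_var=stmt[2])

    run("f", ())
    return pts


def may_alias(pts, a, b):
    """Two pointers may alias when their object sets intersect."""
    return bool(pts[a] & pts[b])


def strip_contexts(pts):
    """Keep only allocation sites, as a context-insensitive printout would."""
    return {var: {site for site, _ in objs} for var, objs in pts.items()}
```

With `k = 3`, `may_alias(analyze(3), "p5", "p6")` is false, while the same query on `strip_contexts(analyze(3))` or on `analyze(0)` is true, matching the single target node seen in the question's output.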