SVF icon indicating copy to clipboard operation
SVF copied to clipboard

Published 20 hours ago verified publisher icon SVF-tools

Mapping Analysis Results to Source Code

Open lorenz9314 opened this issue 1 year ago • 3 comments

Hello and thanks for this great framework! I would like to map the results of a flow sensitive analysis back to it's original source code and have been wondering, how to best approach this task. Ideally I'd like to annotate each pointer variable in the code with it's respective points-to sets or, alternatively, it's aliases. Can I use the PAG for this or do I have to use the SVFG? And how would I best retrieve this kind of information from either of these graphs, considering the fact that I am interested in the pts/alias sets of the original C/C++ source code. Any help is greatly appreciated. Thank you very much!

lorenz9314 avatar Oct 05 '23 13:10 lorenz9314

You may wish to take a look at here for LLVM IR to source code mapping: https://github.com/SVF-tools/SVF/blob/2b683e0157922d5f7c6a32eb5db73938d8d11895/svf-llvm/lib/LLVMUtil.cpp#L667

Here is an example to use SVF including PAG, SVFG and more: https://github.com/SVF-tools/SVF-example

yuleisui avatar Oct 05 '23 13:10 yuleisui

Thank you very much for your swift reply! I have studied the example code and a lot of the other resources. A few questions remain however (sorry if the answers to these are obvious). Am I right in my understanding of the SVFG that it models all def-use relations between all name or address taken pointer variables of a given program? If so, could I then, from the SVFG:

  1. Gather the set of all addr nodes A.
  2. For each addr node aj in A: Create a corresponding set Sj of instructions reachable (directly or indirectly) by aj.
  3. For each aj in A and corresponding set Sj, map instructions i in I, the set of all instructions, to the set of addr nodes A', subset of A, that can reach i.

Would "i maps to A'" then correspond to the statement that the instruction at i uses or defines any of the values allocated at any of the a' in A'? Or did I get this wrong?

Thank you very much!

lorenz9314 avatar Oct 10 '23 10:10 lorenz9314

I think your question is related to set operations not necessarily SVF usages. You can get all the addresses or objects A’ if you have address to instruction set mapping, that is not hard to get when travelling from each address object on SVFG.

yuleisui avatar Oct 10 '23 12:10 yuleisui