Connection between SVFG and Call Graph?

[2ck]

Hello,

I am working with code based on this example. When we have found a value Value* val = pNode->getValue();, is it possible to get the call path from the PTACallGraph that results in the retrieval of that value?

[yuleisui]

Hello,

See below:

(1) get the LLVM function of this PAGNode. pNode->getFunction() (assume this value is an instruction here). (2) retrieve the SVFFuntion via getSVFFunction in SVFmodule.h (3) get its PTACallGraphNode via getCallGraphNode in PTACallGraph.h (4) traverse against the incoming edge to this callgraph node on the callgraph to obtain the call path.

[2ck]

Thank you for your quick reply. However, iterating over the callgraph does not seem to allow for distinction when the same function is called by multiple different parents, unless I am missing something?

[yuleisui]

Yes, there can be multiple call edges between two nodes PTACallgraph. You will need to iterate the incoming edges and collect their callsite information (CallBlockNode in SVF) to form a call path.

[2ck]

My description of my goal may have been unclear. I have prepared an example repository to show what I mean. Running the code on the analysis test file results in this callgraph.

The problem occurs when we find a value in a PAGNode and get the PTACallGraphNode corresponding to the PAGNode's function. By iterating over its incoming edges we get multiple paths with no connection to the value we originally found. Example output:

Value: @.str = private unnamed_addr constant [2 x i8] c"a\00", align 1
path 0: 
        |--  call void @foo(i8* %3)
        ---  call void @other(i8* %4)
        ---main|
path 1: 
        |--  call void @foo(i8* %2)
        ---main|
path 2: 
        |--  call void @foo(i8* %3)
        ---main|

Is there a way to get the one callpath corresponding to the found value instead of all possible callpaths of the function?