SVF
Incorrect alias for flow sensitive
#include <stdlib.h>
#include <pthread.h>
#define TESTNUM 4
typedef struct global_struct { int x, y, r1, r2; } global_struct_t;
global_struct_t *g_str;
void thread0() { g_str[1].x = 1; g_str[1].y = 1; }
void thread1() { g_str[1].r1 = g_str[1].y; g_str[1].r2 = g_str[1].x; }
/* thread bodies are reached through an array of function pointers */
int (*fun_array[2])() = { (void *)thread0, (void *)thread1 };
int main()
{
    g_str = (global_struct_t *)malloc(sizeof(global_struct_t) * TESTNUM);
    pthread_t t1, t2;
    pthread_create(&t1, NULL, (void *)fun_array[0], NULL);
    pthread_create(&t2, NULL, (void *)fun_array[1], NULL);
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}
Here is the testcase. Run it with: wpa -fspta ./testcase.bc
g_str[1].x in thread0 and thread1 cannot be recognized as aliases. But when I change g_str from a struct array to a struct, then everything is ok.
Can you try to simplify this program as much as possible and upload the BC file too?
Just following up on this: g_str[1].x in thread0 and thread1 is indeed accessing the same memory. I don't think there is any problem with SVF. Could you add the MAYALIAS() stub function to let us know your concerns, similar to https://github.com/SVF-tools/Test-Suite/blob/master/src/basic_c_tests/CI-global.c
It looks like MAYALIAS can only be used for two values in ONE function; however, the test values in my case are in two functions. I have no idea how to add MAYALIAS ...
You can assign one to a global and then test the alias of global and the other one in one function.
I changed the case as follows,
#include "aliascheck.h"
#include <stdio.h>
#include <pthread.h>
#include <unistd.h>
#include <stdlib.h>
#define TESTNUM 4
typedef struct global_struct {
    int x, y, r1, r2;
} global_struct_t;
global_struct_t *g_str;
int *g_x;   /* published from thread0 so the alias can be checked in thread1 */
void thread0()
{
    g_str[1].x = 1;
    g_str[1].y = 1;
    g_x = &g_str[1].x;
}
void thread1()
{
    g_str[1].r1 = g_str[1].y;
    g_str[1].r2 = g_str[1].x;
    int *tmp_x = &g_str[1].x;
    MAYALIAS(g_x, tmp_x);
}
int (*fun_array[2])() = { (void *)thread0, (void *)thread1 };
int main()
{
    g_str = (global_struct_t *)malloc(sizeof(global_struct_t) * TESTNUM);
    pthread_t t1, t2;
    pthread_create(&t1, NULL, (void *)fun_array[0], NULL);
    pthread_create(&t2, NULL, (void *)fun_array[1], NULL);  /* second thread uses t2, not t1 */
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);
    return 0;
}
Still failed.
Maybe something is wrong with function pointers. When I change pthread_create(&t1, NULL, (void *)fun_array[0], NULL); to pthread_create(&t1, NULL, thread0, NULL);, then it succeeds.
Sorry that I cannot upload the bc from the website; my colleague may send it to you next week.
I just had a try on my side. If you use Andersen's analysis (flow-insensitive), wpa -ander *.bc, it works fine for both cases you pointed out. Hence, there is no problem with SVF's analysis of function pointers or struct arrays.
However, you were using flow-sensitive analysis (not the one under the MTA folder), which currently does not support thread-sensitive flow-sensitive analysis. In addition, your case also does not guarantee aliases under the flow-sensitive thread interleaving scenario, because g_x can be a null pointer (thus not aliased with tmp_x) when thread1() executes before thread0().
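The interleaving point above, as an added example that is not part of the issue or of SVF: the two thread bodies from the testcase are run sequentially in both orders as a deterministic stand-in for a thread schedule, and the check that MAYALIAS(g_x, tmp_x) expresses is evaluated at the point in thread1 where the stub sits. The function names run_order and gx_aliases_target, and the variant that assigns g_x in main before the threads start, are this example's own assumptions.

```c
#include <stdlib.h>
#include <stddef.h>
#include <stdbool.h>

#define TESTNUM 4
typedef struct global_struct { int x, y, r1, r2; } global_struct_t;

static global_struct_t *g_str;
static int *g_x;

/* Same bodies as in the issue's testcase, without the MAYALIAS stub. */
static void thread0_body(void) { g_str[1].x = 1; g_str[1].y = 1; g_x = &g_str[1].x; }
static void thread1_body(void) { g_str[1].r1 = g_str[1].y; g_str[1].r2 = g_str[1].x; }

/* What MAYALIAS(g_x, tmp_x) asks at this program point: does g_x point at the
 * same object as &g_str[1].x?  A NULL g_x is exactly the path a flow-sensitive
 * analysis sees when thread1() runs before thread0(): no alias on that path. */
static bool gx_aliases_target(void) {
    return g_x != NULL && g_x == &g_str[1].x;
}

/* Run both bodies in the given order (one possible interleaving) and return the
 * alias check taken inside thread1.  init_gx_in_main is this example's
 * suggested fix: publish g_x before any thread starts, so the alias holds on
 * every interleaving rather than only on the thread0-first path. */
static bool run_order(bool thread0_first, bool init_gx_in_main) {
    g_str = calloc(TESTNUM, sizeof *g_str);      /* zeroed stand-in for the issue's malloc */
    g_x = init_gx_in_main ? &g_str[1].x : NULL;
    bool alias_seen;
    if (thread0_first) {
        thread0_body(); thread1_body(); alias_seen = gx_aliases_target();
    } else {
        thread1_body(); alias_seen = gx_aliases_target(); thread0_body();
    }
    free(g_str);
    g_str = NULL; g_x = NULL;                     /* do not leave dangling pointers behind */
    return alias_seen;
}

int main(void) {
    run_order(true, false);   /* original testcase, thread0 first: alias holds */
    run_order(false, false);  /* original testcase, thread1 first: g_x is NULL, no alias */
    run_order(false, true);   /* g_x assigned in main: alias holds in either order */
    return 0;
}
```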
Many thanks! Do you have any plan to support thread-sensitive flow-sensitive analysis?
Another problem is that analyzing spdk_tgt.bc (sent by my colleague) with flow-sensitive analysis hangs for over 4 hours and then core dumps. Maybe it is another issue...
I don't see any problems with SVF so far. Where is the spdk_tgt.bc? Do you have enough memory (say 128 or 256GB)? If not, the system will kill your process after a long run.