SVFG does not use indirect call edges to join formal and actual parameters #1279
Comments
|
Did you try ‘wpa -ander -svfg ‘? |
|
I think you might have to update the svfg by calling its ‘updatecallgraph’ method to connect indirect edges |
I'm running equivalent code: auto *LLVMModuleSet = SVF::LLVMModuleSet::getLLVMModuleSet();
auto *SVFModule = LLVMModuleSet->buildSVFModule(M);
SVF::SVFIRBuilder Builder(SVFModule);
auto *PAG = Builder.build();
auto *Andersen = SVF::AndersenWaveDiff::createAndersenWaveDiff(PAG);
SVF::SVFGBuilder SvfBuilder(true);
SVF::SVFG *SVFG = SvfBuilder.buildFullSVFG(Andersen);
SVFG->updateCallGraph(Andersen);
// [...]
SVFG->dump("svfg");
// clean up memory
// delete SVFG;
SVF::AndersenWaveDiff::releaseAndersenWaveDiff();
SVF::SVFIR::releaseSVFIR();
SVF::LLVMModuleSet::getLLVMModuleSet()->dumpModulesToFile(".svf.bc");
SVF::LLVMModuleSet::releaseLLVMModuleSet();
I tried that but the result is the same. |
|
Could you change ‘ LLVMFuzzerTestOneInput’ to be ‘main’? |
|
I tried with the following but the result is the same. #include <stddef.h>
#include <stdint.h>
int myFunc(int A) {
// target
return A + 42;
}
// int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int main(int argc, char **argv) {
// if (Size < 1)
// return 1;
// int Type = Data[0];
if (argc < 2)
return 1;
int Type = argv[1][0];
// myFunc(Type);
int (*Fn)(int) = myFunc;
Fn(Type);
return 0;
} |
|
I am not available to debug now. The easiest way is to debug into ‘ updateCallGraph’ to see what is happening there. |
|
@jumormt could you have a quick Look at this issue? |
|
The issue seems to be related to these lines Lines 990 to 991 in a83aec2 Because the argument is not a pointer it does not connect it with the callsite parameter: I'm wondering, why does it need function arguments to be pointers in this case (i.e. calling the function indirectly) and does not have this requirement if the function is called directly? |
|
Yes, this is the problem and indirectly called function should be done the same way as the original SVFG |
Does it mean that |
|
I just tried to commend out the if branch that checks if the argument is a pointer and it seems to be working. |
|
Hi @acidghost , can you try this patch #1282 to check if it fixes your issue? |
|
@acidghost could you try the patch before I merge? |
|
Seems to be working also for larger examples. Thank you very much! I'll do more complex testing and reopen if I find something awry. |
|
Good! |
(fix issue #1279) connect actual to formal vfgnode for full svfg
I'm trying to use SVFG to compute a def-use graph in order to compute a thin backward interprocedural slice from a
Value.The following case produces an SVFG as I would expect:
The SVFG for the above example clearly shows a path from, e.g.,
LoadSVFGNode ID 18(bottom left in figure) to the 0th argument ofLLVMFuzzerTestOneInput:If I instead call the function indirectly:
Then the SVFG for this version does not link the actual and formal parameter of the indirectly called function:
I verified that the indirect call gets resolved correctly by PTA. What am I missing?
Bitcode: https://godbolt.org/z/rjM9ban1r.
The code I'm using to build the SVFG is the same as the example pass.
The text was updated successfully, but these errors were encountered: