Skip to content

Write a source sink analyzer

Jump to bottom Edit New page
unsw-corg edited this page Jul 21, 2015 · 16 revisions

Writing a source-sink analyzer becomes fairly easy on top of our interprocedure sparse value-flow graph. Yyou may wish to refer to detailed code implementation in LeakCheck.cpp and ProgSlice.cpp as an example.

To compute boolean value-flow guards, we use CUDD-2.5.0 package (Binary Decision Diagrams (BDDs)) to encode path conditions.

  1. First, we need to build SVFG using Andersen's pointer analysis
PointerAnalysis* ander = AndersenWaveDiff::createAndersenWaveDiff(module);
svfg = new SVFGOPT(ptaCallGraph);
svfgbuilder.build(svfg,ander);
  1. Then, we choose a set of candidate source and sink SVFGNodes
Simple code to iterate from a SVFGNode on SVFG
for(SVFGNode::const_iterator it = node->OutEdgeBegin(), eit = node->OutEdgeEnd(); it!=eit; ++it) {
}
  1. Finally, we perform an all-path reachable analysis using AllPathReachableSolve method (ProgSlice class) to compute value-flow guards via the following three methods iteratively until a fixed point is reached.
  • ComputeInterCallVFGGuard
  • ComputeInterRetVFGGuard
  • ComputeIntraVFGGuard
Add a custom footer
Add a custom sidebar
Clone this wiki locally