Question about interpreting results of analysis
Hello,
I am attempting to use cclyzer-souffle to find out the points-to sets of some field variables in a class. I have successfully installed cclyzer-souffle and I have also run it, but I have some problems understanding the output. Can someone help me? I believe that cclyzer-souffle may still be under active development, so if it is the case that it is not ready for my use case, then I understand.
So, I am attempting to find out what these fields point to:
class VALIDATORS_EXPORT FieldValueMap : public XMemory
{
private:
    ValueVectorOf<IC_Field*>* fFields;
    ValueVectorOf<DatatypeValidator*>* fValidators;
    RefArrayVectorOf<XMLCh>* fValues;
};
I have reduced the class to the relevant fields, but do let me know if there is more information that I can provide to make the example clearer.
I have compiled this class to a human readable llvm-ir file and I believe that the fields are represented here:
%"class.xercesc_2_7::FieldValueMap" = type { %"class.xercesc_2_7::ValueVectorOf"*, %"class.xercesc_2_7::ValueVectorOf.0"*, %"class.xercesc_2_7::RefArrayVectorOf"*, %"class.xercesc_2_7::MemoryManager"* }
Now, there is a method that just deletes these fields:
void FieldValueMap::cleanUp()
{
    delete fFields;
    delete fValidators;
    delete fValues;
}
I believe I can get the information about which abstract memory location these fields point to by looking at the llvm-ir in this method and then looking at the results/ directory and finding out the appropriate relation for these variables.
Here is the llvm-ir:
; Function Attrs: noinline nounwind optnone uwtable
define dso_local void @xercesc_2_7::FieldValueMap::cleanUp()(%"class.xercesc_2_7::FieldValueMap"* %0) #1 align 2 !dbg !1286 {
%2 = alloca %"class.xercesc_2_7::FieldValueMap"*, align 8
store %"class.xercesc_2_7::FieldValueMap"* %0, %"class.xercesc_2_7::FieldValueMap"** %2, align 8
call void @llvm.dbg.declare(metadata %"class.xercesc_2_7::FieldValueMap"** %2, metadata !1287, metadata !DIExpression()), !dbg !1288
%3 = load %"class.xercesc_2_7::FieldValueMap"*, %"class.xercesc_2_7::FieldValueMap"** %2, align 8
%4 = getelementptr inbounds %"class.xercesc_2_7::FieldValueMap", %"class.xercesc_2_7::FieldValueMap"* %3, i32 0, i32 0, !dbg !1289
%5 = load %"class.xercesc_2_7::ValueVectorOf"*, %"class.xercesc_2_7::ValueVectorOf"** %4, align 8, !dbg !1289
%6 = icmp eq %"class.xercesc_2_7::ValueVectorOf"* %5, null, !dbg !1290
br i1 %6, label %9, label %7, !dbg !1290
7: ; preds = %1
call void @xercesc_2_7::ValueVectorOf<xercesc_2_7::IC_Field*>::~ValueVectorOf()(%"class.xercesc_2_7::ValueVectorOf"* %5) #9, !dbg !1290
%8 = bitcast %"class.xercesc_2_7::ValueVectorOf"* %5 to i8*, !dbg !1290
call void @xercesc_2_7::XMemory::operator delete(void*)(i8* %8) #9, !dbg !1290
br label %9, !dbg !1290
// continues...
Now, I am not an expert in LLVM-IR, but from what I can understand, the argument to %5 is the pointer fFields and %8 is the field fFields cast to i8*.
I am running the context insensitive analysis and I see the following files which I believe may have the results I am interested in:
var_points_to.csv
gep_points_to.csv
But I cannot find the variables in these files. Can someone help me find out how to determine what fFields may point to?
Thanks and good work!
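As an added illustration (not part of the original issue and not cclyzer-souffle code), the Python below follows the quoted IR to label which registers hold the address of a FieldValueMap field and which hold the pointer loaded from that field. The IR string is constructed from the lines quoted above, and the placeholder name for the fourth struct element is an assumption.

```python
import re

# Constructed sample: the struct type and the cleanUp() instructions quoted in
# the question, with branches and calls left out.
IR = r'''
%"class.xercesc_2_7::FieldValueMap" = type { %"class.xercesc_2_7::ValueVectorOf"*, %"class.xercesc_2_7::ValueVectorOf.0"*, %"class.xercesc_2_7::RefArrayVectorOf"*, %"class.xercesc_2_7::MemoryManager"* }
%3 = load %"class.xercesc_2_7::FieldValueMap"*, %"class.xercesc_2_7::FieldValueMap"** %2, align 8
%4 = getelementptr inbounds %"class.xercesc_2_7::FieldValueMap", %"class.xercesc_2_7::FieldValueMap"* %3, i32 0, i32 0, !dbg !1289
%5 = load %"class.xercesc_2_7::ValueVectorOf"*, %"class.xercesc_2_7::ValueVectorOf"** %4, align 8, !dbg !1289
%8 = bitcast %"class.xercesc_2_7::ValueVectorOf"* %5 to i8*, !dbg !1290
'''

STRUCT = "class.xercesc_2_7::FieldValueMap"
# Declaration order from the reduced class. Assumption: the fourth element
# (MemoryManager*) is a member the reduction left out, so it gets a placeholder.
FIELDS = ["fFields", "fValidators", "fValues", "<not shown>"]

def trace_fields(ir, struct=STRUCT, fields=FIELDS):
    """Return {register: (kind, field)}. kind is 'address' (pointer to the
    field slot inside the object) or 'value' (the pointer stored in the field)."""
    s = re.escape(struct)
    typedef = re.search(r'%"' + s + r'" = type \{ (.+) \}', ir)
    n_elems = len(typedef.group(1).split(", "))
    gep = re.compile(r'(%\d+) = getelementptr inbounds %"' + s + r'", %"' + s
                     + r'"\* %\d+, i32 0, i32 (\d+)')
    load = re.compile(r'(%\d+) = load .+\* (%\d+), align')
    cast = re.compile(r'(%\d+) = bitcast .+\* (%\d+) to ')
    roles = {}
    for line in ir.splitlines():  # textual order: definitions precede uses here
        if m := gep.search(line):
            idx = int(m.group(2))  # second GEP index selects the struct element
            if idx >= n_elems:
                raise ValueError(f"field index {idx} outside struct type")
            roles[m.group(1)] = ("address", fields[idx])
        elif (m := load.search(line)) and roles.get(m.group(2), ("",))[0] == "address":
            roles[m.group(1)] = ("value", roles[m.group(2)][1])  # load through the slot
        elif (m := cast.search(line)) and m.group(2) in roles:
            roles[m.group(1)] = roles[m.group(2)]  # bitcast keeps the same pointer
    return roles

if __name__ == "__main__":
    for reg, (kind, field) in trace_fields(IR).items():
        print(f"{reg}: {kind} of {field}")
```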
Hello!
I believe your understanding is right and you are looking at the right place.
It would be great if you could share a minimal version of the source code or the llvm-ir code so I can investigate the issue further.