Write a source sink analyzer - SVF-tools/SVF GitHub Wiki

Writing a source-sink analyzer becomes fairly easy on top of our interprocedure sparse value-flow graph. You may wish to refer to detailed code implementation in LeakChecker.cpp and ProgSlice.cpp as an example.

To compute boolean value-flow guards, we use CUDD-2.5.0 package (Binary Decision Diagrams (BDDs)) to encode path conditions.

  1. First, we need to build SVFG using Andersen's pointer analysis
PAGBuilder builder;
SaberSVFGBuilder memSSA;
PAG* pag = builder.build(module);
AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(pag);
SVFG* svfg =  memSSA.buildPTROnlySVFG(ander);    /// memSSA.buildFullSVFGWithoutOPT(ander) to build SVFG with scalar variables.
  1. Then, we choose a set of candidate source and sink SVFGNodes
// Simple code to iterate from a SVFGNode on SVFG
for(SVFGNode::const_iterator it = node->OutEdgeBegin(), eit = node->OutEdgeEnd(); it!=eit; ++it) {
}
  1. Finally, we perform an all-path reachable analysis using AllPathReachableSolve method (ProgSlice class) to compute value-flow guards via the following three methods iteratively until a fixed point is reached.
  • ComputeInterCallVFGGuard
  • ComputeInterRetVFGGuard
  • ComputeIntraVFGGuard