Comments (2)
I've realized that the option --devirt-functions
was not using LLVM DSA to resolve indirect calls. It did that in the past but it was changed some time ago. Instead, it was using types to resolve calls. I also realized there were some bugs.
I've committed some changes and changed the option --devirt-functions
. Please read the message of the commit 4c1edd2
Coming back to your example. I modified it a bit so that x
is not dead, otherwise LLVM might be too smart:
extern void __CRAB_assert(int);
int a (void);
int b (void);
int main(int argc, char** argv) {
int (*p) (void);
if (argc == 1)
p = a;
else
p = b;
int x = p();
__CRAB_assert(x>=5);
return 0;
}
int a() {return 10;}
int b() {return 5;}
You can analyze this program using the command
crabllvm.py -O0 --devirt-functions=types --crab-inter --crab-check=assert ../test.c
You can add the option -oll=test.ll
to see the LLVM bitcode that it's actually analyzed. If you open test.ll
you will see how indirect calls are translated to a bunch of direct calls.
The crab-llvm output should be something like this:
@V_5:int declare main(argc:int)
_1:
/**
INVARIANTS: ({}, {})
**/
_3 = call seahorn.bounce();
_4 = (-_3 <= -5);
assert (_4);
@V_5 = 0;
return @V_5;
/**
INVARIANTS: ({_4 -> true}, {@V_5 -> [0, 0], _3 -> [5, 10]})
**/
@V_7:int declare a()
_ret:
/**
INVARIANTS: ({}, {})
**/
@V_7 = 10;
return @V_7;
/**
INVARIANTS: ({}, {@V_7 -> [10, 10]})
**/
@V_8:int declare b()
_ret:
/**
INVARIANTS: ({}, {})
**/
@V_8 = 5;
return @V_8;
/**
INVARIANTS: ({}, {@V_8 -> [5, 5]})
**/
UnifiedRetVal:int declare seahorn.bounce()
entry:
/**
INVARIANTS: ({}, {})
**/
havoc(sc1);
/**
INVARIANTS: ({}, {})
**/
goto __@bb_1,__@bb_2;
__@bb_1:
goto b;
b:
/**
INVARIANTS: ({}, {})
**/
_1 = call b();
UnifiedRetVal = _1;
/**
INVARIANTS: ({}, {UnifiedRetVal -> [5, 5], _1 -> [5, 5]})
**/
goto UnifiedReturnBlock;
UnifiedReturnBlock:
/**
INVARIANTS: ({}, {UnifiedRetVal -> [5, 10]})
**/
return UnifiedRetVal;
/**
INVARIANTS: ({}, {UnifiedRetVal -> [5, 10]})
**/
__@bb_2:
goto a;
a:
/**
INVARIANTS: ({}, {})
**/
_0 = call a();
UnifiedRetVal = _0;
/**
INVARIANTS: ({}, {UnifiedRetVal -> [10, 10], _0 -> [10, 10]})
**/
goto UnifiedReturnBlock;
************** ANALYSIS RESULTS ****************
1 Number of total safe checks
0 Number of total error checks
0 Number of total warning checks
************** ANALYSIS RESULTS END*************
The output consists of the CFGs for each function analyzed by Crab and the invariants inferred by Crab that hold at the entry and at the exit of each block. There is a function here called seahorn.bounce
that it was not in the original program. That function is how the option --devirt-functions=types
translates an indirect call to multiple direct calls.
In this case, using the option --devirt-functions=dsa
wouldn't make a difference. Let us try now to analyze this slightly different program:
extern void __CRAB_assert(int);
int a (void);
int b (void);
int c (void);
int d (void);
int main(int argc, char** argv) {
int (*p) (void);
int (*q) (void);
if (argc == 1) {
p = a;
q = c;
} else {
p = b;
q = d;
}
int x = p();
int y = q();
__CRAB_assert(x>= 5);
__CRAB_assert(y>= 15);
return 0;
}
int a() {return 10;}
int b() {return 5;}
int c() {return 15;}
int d() {return 20;}
With the command crabllvm.py -O0 --devirt-functions=types --crab-inter --crab-check=assert test.c
the output would be:
....
************** ANALYSIS RESULTS ****************
1 Number of total safe checks
0 Number of total error checks
1 Number of total warning checks
************** ANALYSIS RESULTS END*************
But, if you try the command:
crabllvm.py -O0 --devirt-functions=dsa --crab-inter --crab-check=assert test.c
The output is
....
************** ANALYSIS RESULTS ****************
2 Number of total safe checks
0 Number of total error checks
0 Number of total warning checks
************** ANALYSIS RESULTS END*************
Again, use the option -oll=test.ll
to see the generated LLVM bitcode and convince yourself how indirect calls are handled by types
and dsa
.
from clam.
Hi @caballa !
Thank you very much for your support.
I guess this tool is exactly what I am looking for :)
from clam.
Related Issues (20)
- Clam Error on LLVM IR translation to CrabIR
- Regression test error HOT 8
- Question about clam API compile error HOT 4
- Inconsistent number of warnings in clam
- Missing Warning HOT 1
- CMake Error: Clam/py/setup.py.in file missing HOT 2
- questions about LLVM versions HOT 2
- Inconsistent number of warnings in clam
- Error Encountered in Clam with Context-Sensitive Heap Analysis: Mismatch in Input Count HOT 1
- Clam missing a warning HOT 1
- Clam unexpectly reporting assertion failures HOT 1
- Compilation fails using llvm 14.0.6 HOT 1
- Crab giving an inconsistent number of warnings HOT 1
- Problem in the translation from LLVM to CrabIR HOT 1
- Clam missing a warning HOT 1
- Clam missing a warning about an unsafe assertion HOT 1
- Are there any artifacts or repositories that use clam to test SV-COMP benchmark? HOT 2
- No support for pk and oct domain analysis of master branch HOT 2
- Null-dereference in CFGBuilder HOT 1
- Accessing Datalayout when it changed on ClamQueryCache HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from clam.