All paths from source to destination function.


Sailesh Sai Teja

Jul 27, 2023, 12:01:04 AM
to S2E Developer Forum
Hello, I am performing static analysis on a codebase, and for that I am trying to find all the possible paths from function 'A' to function 'B', along with the conditions that are responsible while traversing that path. My input is a large LLVM IR file which contains all the function definitions. So if we consider the toy example below:

    /* Forward declarations so the example compiles as C. */
    int functionB(int x, int y);
    int functionC(int x, int y);
    int multiply(int a, int b);
    int divide(int x, int y);

    int functionA(int a) {
        if (a > 0) {
            return functionB(20, 50);
        } else {
            return functionC(100, 500);
        }
    }

    int functionB(int x, int y) {
        if (x > y) {
            return multiply(x, y);
        } else {
            return divide(y, x);
        }
    }

    int functionC(int x, int y) {
        if (y > 0) {
            return divide(x, y);
        } else {
            return multiply(y, x);
        }
    }

    int multiply(int a, int b) {
        return a * b;
    }

    int divide(int x, int y) {
        return x / y;
    }

So let's say I want to trace the execution path from function "functionA" to function "divide"; the following is the output I am expecting:

1. "functionA && (a > 0) && (x < y) && divide"
2. "functionA && (a <= 0) && (y > 0) && divide"

or it can be combined as "functionA && ((x < y) || (y > 0)) && divide" (if we ignore the variable a, but it needn't be the case).

I just want to know whether S2E is capable of performing such analysis (not exact, as I know I need to modify a few things to arrive at the final solution, but you get the gist). If yes, can you please provide some references and resources that I can look into? I also know S2E is based on KLEE, so is it possible to make it work using KLEE? Thank you.

Sailesh Sai Teja

Jul 27, 2023, 12:05:36 AM
to S2E Developer Forum

Hello, 

or it can be combined as "functionA && ((x < y) || (y > 0)) && divide" (if we ignore the variable a but it needn't be the case).

I just want to know whether S2E is capable of performing such analysis (not exact, as I know I need to modify a few things to arrive at the final solution, but you get the gist). If yes, can you please provide some references and resources that I can look into? I also know S2E is based on KLEE, so is it possible to make it work using KLEE?

Thank you.

Vitaly Chipounov

Jul 29, 2023, 10:47:05 AM
to s2e...@googlegroups.com
Hi,

You should use vanilla KLEE if you have LLVM IR available for your program. It will be much simpler to do static/dynamic analysis on that.
S2E translates x86 to LLVM, but the result is not suitable for static analysis (no type information, no visibility of the whole CFG, too much bloat, etc.). Moreover, S2E is a dynamic analysis platform.
S2E is best when there is no source code or when the program requires too much environment modeling in order to run, beyond what KLEE can support.

Vitaly 


Sailesh Sai Teja

Jul 29, 2023, 12:16:26 PM
to S2E Developer Forum
Hey,

Thanks for writing back. So is the above-mentioned analysis possible through KLEE? I ask because, of all the examples, articles and videos I have seen that involve KLEE, most of them track a particular variable and then perform symbolic analysis on it, which is not the use case I am looking for. I want to track all the possible paths from one function to another function, which sometimes doesn't involve passing of arguments.
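The path enumeration asked about in the first post, as an added example that is not from any participant in this thread and is not S2E or KLEE functionality. It assumes the guarded call graph has already been recovered; here `CALL_GRAPH` is hand-built from the toy program (constructed input), and `guarded_paths` and `render` are hypothetical helper names.

```python
# Guarded call graph hand-built from the toy example in the first post
# (constructed input, not extracted from LLVM IR). Each edge is
# (callee, branch condition under which that call site is reached).
CALL_GRAPH = {
    "functionA": [("functionB", "a > 0"), ("functionC", "!(a > 0)")],
    "functionB": [("multiply", "x > y"), ("divide", "!(x > y)")],
    "functionC": [("divide", "y > 0"), ("multiply", "!(y > 0)")],
    "multiply": [],
    "divide": [],
}


def guarded_paths(graph, source, target):
    """Return every acyclic call path from source to target.

    Each path is a list of (callee, guard) steps, where guard is the
    branch condition on the call edge that was taken.
    """
    results = []

    def dfs(node, trail, on_stack):
        if node == target:
            results.append(list(trail))
            return
        for callee, guard in graph.get(node, []):
            if callee in on_stack:  # skip recursion so enumeration terminates
                continue
            trail.append((callee, guard))
            dfs(callee, trail, on_stack | {callee})
            trail.pop()

    dfs(source, [], {source})
    return results


def render(source, path):
    """Format one path in the 'A && (cond) && ... && B' style of the post."""
    guards = [f"({guard})" for _, guard in path]
    tail = [path[-1][0]] if path else []
    return " && ".join([source] + guards + tail)


if __name__ == "__main__":
    for p in guarded_paths(CALL_GRAPH, "functionA", "divide"):
        print(render("functionA", p))
```

The guards are purely syntactic and the names in them are local to each function; deciding whether a listed path is feasible for the actual call arguments requires solving the accumulated constraints, which is the part a symbolic executor provides.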