- SVF now uses a single script for its build. Just type
./build.shin your terminal, that's it! - SVF now supports LLVM-10.0.0!
- We thank bsauce for writing a user manual of SVF (link1 and link2) in Chinese
- SVF now supports LLVM-9.0.0 (Thank Byoungyoung Lee for his help!).
- SVF now supports a set of field-sensitive pointer analyses.
- Use SVF as an external lib for your own project (Contributed by Hongxu Chen).
- SVF now supports LLVM-7.0.0.
- SVF now supports Docker. Try SVF in Docker!
- SVF now supports LLVM-6.0.0 (Contributed by Jack Anthony).
- SVF now supports LLVM-4.0.0 (Contributed by Jared Carlson. Thank Jared and Will for their in-depth discussions about updating SVF!)
- SVF now supports analysis for C++ programs.
We are looking for self-motivated PhD students and we welcome industry collaboration/sponsorship to improve SVF (Please contact [email protected] if you are interested)
SVF is a static tool that enables scalable and precise interprocedural dependence analysis for C and C++ programs. SVF allows value-flow construction and pointer analysis to be performed iteratively, thereby providing increasingly improved precision for both.
SVF accepts the points-to information generated by any pointer analysis (e.g., Andersen’s analysis) and constructs an interprocedural memory SSA form so that the def-use chains of both top-level and address-taken variables are captured. SVF is implemented on top of an industry-strength compiler LLVM (version 6.0.0). SVF contains a third party software package CUDD-2.5.0 (Binary Decision Diagrams (BDDs)), which is used to encode path conditions.
| About SVF | Setup Guide | User Guide | Developer Guide |
|---|---|---|---|
 |
 |
 |
 |
| Introducing SVF -- what it does and how we design it | A step by step setup guide to build SVF | Command-line options to run SVF, get analysis outputs, and test SVF with an example or PTABen | Detailed technical documentation and how to write your own analyses in SVF or use SVF as a lib for your tool |
We release SVF source code in the hope of benefiting others. You are kindly asked to acknowledge usage of the tool by citing some of our publications listed http://svf-tools.github.io/SVF, especially the following two:
@inproceedings{sui2016svf,
title={SVF: interprocedural static value-flow analysis in LLVM},
author={Sui, Yulei and Xue, Jingling},
booktitle={Proceedings of the 25th international conference on compiler construction},
pages={265--266},
year={2016},
organization={ACM}
}
@article{sui2014detecting,
title={Detecting memory leaks statically with full-sparse value-flow analysis},
author={Sui, Yulei and Ye, Ding and Xue, Jingling},
journal={IEEE Transactions on Software Engineering},
volume={40},
number={2},
pages={107--122},
year={2014},
publisher={IEEE}
}
Our static reachability tool is implemented at tools/Reach. To build, execute the SVF build process above. Once built, you can locate the executable at BUILD_DIR/bin/svf-reach.
To use the tool, we require a .bc file for both the executable we want to calculate reachability from, and all of its dependendant libraries. Our dep-trace tool aids in building a .bc for all of an application's dependencies. Note that for the tool calculates reachability per linkage module, which mostly corresponds to a shared library.
Currently, on fir07, we have pre-built .bc files for a few packages. /data3/pkg-debloating/wllvm-build/wget-src-out/wllvm-bc/ contains .bc files for wget and its dependencies. The following is an example to use the tool to calculate dependencies reachable from wget main function:
BUILD_DIR/bin/svf-reach -t type $HOME/dep-trace/srcs/wllvm-build/wget-src-out/wllvm-bc/*.b
The above uses class-hierarchy analysis (-t type) option. To use the more precise but slower andersen wave difference analysis, pass the anders option instead:
BUILD_DIR/bin/svf-reach -t anders $HOME/dep-trace/srcs/wllvm-build/wget-src-out/wllvm-bc/*.bc
Lastly, because libraries opened with dlopen and invoked with dlsym are tricky to trace with static analysis, we have a separate way to trace their usage. We create a module file that includes a list of bc files (shared libraries) where each library will be used as a starting point (including the main function). Each line in the file should name a .bc module with a path as the same path used as input to the tool. For example, lets say we create m1.txt:
$HOME/dep-trace/srcs/wllvm-build/wget-src-out/wllvm-bc/libacl.so.1.bc
$HOME/dep-trace/srcs/wllvm-build/wget-src-out/wllvm-bc/libidn2.so.0.bc
And run as:
BUILD_DIR/bin/svf-reach -t type -m m1.txt $HOME/dep-trace/srcs/wllvm-build/wget-src-out/wllvm-bc/*.bc