Re: [DynInst_API:] Static Taint Analysis using Dyninst


Date: Mon, 13 Mar 2017 16:43:59 -0500
From: Xiaozhu Meng <xmeng@xxxxxxxxxxx>
Subject: Re: [DynInst_API:] Static Taint Analysis using Dyninst

      cout << (out.type() == Absloc::Unknown) << endl;


In the above line, out is of type AbsRegion, a class which represents one or multiple abstract locations. When we know an AbsRegion represents a definite abstract location, its type is set to be unknown (I know this is a little bit strange...). What you want is to get the type of the abstract location of the AbsRegion. So, if you change it to

cout << (out.absloc().type() == Absloc::Heap) << endl;

You should see the expected results.


      Result_t symRet;
      SymEval::expand(slice, symRet);

      AST::Ptr pcExp = symRet[assignment];

      cout << "number of children of root AST node in sliced graph: " << pcExp->numChildren() << endl;

      //just visits AST nodes and prints the formatted version of a node
      ConstVisitor cv;
      pcExp->accept(&cv);
    }
}

As I mentioned in my previous email, you do not want to expand this slice graph into symbolic expressions to examine the contents of a slice graph. In your case, the interesting instruction moves a constant into a stack location. When you convert it to a symbolic expression, its left side is the stack location and its right side is an AST, whose root node is a constant value and has no children. That's why you keep seeing that the number of children is zero.

Your code does not try to traverse the slice graph. Let me provide you a small example of how to traverse the slice graph:


NodeIterator nbegin, nend;
slice->allNodes(nbegin, nend);
for (; nbegin != nend; ++nbegin) {
  SliceNode::Ptr node = boost::static_pointer_cast<SliceNode>(*nbegin);
  // Do your own analysis on a node in the slice graph
}


You can look at Section 4.6 to see how to get the entry nodes or exit nodes of a graph and Section 4.7 to see how to get the edges of a node.

Thanks,

--Xiaozhu
