Shared library globals cause unrelated functions to appear in value-flow due to common memory regions in MSSA

[hadi81]

Hello,

I am analyzing value-flow using SVF’s MSSA/SVFG and I am observing some imprecision caused by shared memory regions created from library globals.

Scenario

Consider the following simplified case:
Glob1 -> Func1 Glob2 -> Func2

However, both Func1 and Func2 call a common library function that internally uses some shared global variables.

For example:

Glob1 → Func1 → LibraryFunc → LibGlobal Glob2 → Func2 → LibraryFunc → LibGlobal

Because the library uses global variables internally, the MSSA construction creates memory regions that include these library globals.

Observation

When I inspect the MSSA dump, I see that:

• Func1 and Func2 share some memory regions
• These regions correspond to globals used inside the library
• As a result, both Func1 and Func2 appear in the value-flow of Glob1 through MR nodes, even though only Func1 actually affects Glob1.

I actually don't want Func2 to appear under Glob1 and Func1 to appear under Glob2.
Any suggestions?

[yuleisui]

Could you try option: -mem-par=distinct or -mem-par=inter-disjoint?

SVF/svf/lib/Util/Options.cpp

Lines 415 to 424 in 2d1419a

	const OptionMap<u32_t> Options::MemPar(
	"mem-par",
	"Memory region partition strategies (e.g., for SVFG construction)",
	MemSSA::MemPartition::IntraDisjoint,
	{
	{MemSSA::MemPartition::Distinct, "distinct", "memory region per each object"},
	{MemSSA::MemPartition::IntraDisjoint, "intra-disjoint", "memory regions partitioned based on each function"},
	{MemSSA::MemPartition::InterDisjoint, "inter-disjoint", "memory regions partitioned across functions"},
	}
	);

[hadi81]

I have tried all these options. I still get same result.

[hadi81]

I think the problem is related to points- to analysis. This is what is used to build memory regions in the first place.
Is there any way I can use context sensitive analysis for building SVFG?
As per the documentation, what I understand is that context sensitive analysis is only meant to be used on top of existing anderson or flow sensitive analysis just to refine results. Even if that is the case, how can I use it to refine my SVFG (e.g. how can I refine the memory regions inside MSSA before even constructing SVF).

[yuleisui]

Building SVFG using a context-sensitive points-to analysis will be very heavy. SVF does not have a scalable context-sensitive pointer analysis yet. I would suggest refining the built SVFG by using your own context-sensitive reachability analysis, which will be lightweight to achieve your aim.

[hadi81]

Thank you @yuleisui for the response.
refining the built SVFG by using your own context-sensitive reachability analysis
By this, do you mean writing my own context sensitive points-to analysis or or just use existing ContextDDA on top of SVFG to refine the reach-ability?
Also I will be interested in listening to ideas from the developer himself on how can I refine the SVFG using context sensitive analysis? What I have been doing so far is I check the points-to info in the MSSA nodes (FPIN, APIN), if it doesn't appear in context sensitive points-to analysis, I skip those nodes.