static analysis of linux kernel on source code or LLVM IR?

In https://www.usenix.org/system/files/sec21-tan.pdf the authors do static analysis on the LLVM IR of the Linux kernel (a pass for call graph construction, a pass for data flow analysis and alias analysis, and ...). In some other papers I also see that they do static analysis on LLVM IR and not on the source code. My question is: why do they do their static analysis on LLVM IR? Why don't they analyze the source code of the Linux kernel instead? (For example, they could construct the call graph by analyzing the source code, but they construct it by analyzing the LLVM IR.)

210 views. Asked by saha.

There is 1 answer.
Analyzing the LLVM IR simplifies analysis of the semantics of the program, while analyzing the source code is needed to see what the program does in terms of the programming language. What I mean is that the C expression `*x` is definitely "performing an indirection", but it may or may not load or store to memory; for instance the larger expression `&*x` does not, even though it contains `*x`. This sort of thing doesn't happen with LLVM IR. Every memory access is either a `load` or `store` instruction, or a memory access occurs inside a called function through a `call` instruction. However, if `x` is `NULL` then `*x` is still undefined behaviour even if the larger expression is `&*x`, and you won't be able to see that bug by looking only at the LLVM IR.

LLVM also has a bunch of analysis built in; for instance LLVM already has the ability to build a call graph. Sometimes the call graph isn't immediately obvious from the source code and you need to run some optimizations to see what the callee is (or to remove dead code, eliminating function calls with it), and LLVM performs optimizations quite well too.
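The two points in the answer (memory accesses are explicit `load`/`store`/`call` instructions, and direct call edges can be read straight off the IR while indirect calls stay unresolved until further analysis) can be seen with a small walk over textual IR. The script below is an added example written for this page; it is not code from the answerer, from the paper, or from LLVM. The IR module it scans is hand-written and simplified (opaque-pointer syntax, no metadata or attributes), so it is a constructed sample rather than real compiler output; in practice you would feed it a module produced with `clang -S -emit-llvm`, and LLVM's own call-graph analysis (for example `opt -passes='print<callgraph>'`) would do this job properly.

```python
"""Summarise a textual LLVM IR module: count explicit memory accesses
(load/store), collect direct call edges, and flag indirect calls."""
import re
from dataclasses import dataclass, field

# Constructed sample module (hand-written, simplified), not real compiler output.
# `deref` is what `return *x;` lowers to; `addr_of_deref` is what `return &*x;`
# lowers to, and it contains no load at all, which is the answer's point.
SAMPLE_IR = """\
define i32 @deref(ptr %x) {
entry:
  %v = load i32, ptr %x, align 4
  ret i32 %v
}
define ptr @addr_of_deref(ptr %x) {
entry:
  ret ptr %x
}
define void @helper(ptr %p) {
entry:
  store i32 1, ptr %p, align 4
  ret void
}
define void @caller(ptr %p) {
entry:
  call void @helper(ptr %p)
  %r = tail call i32 @deref(ptr %p)
  ret void
}
define void @dispatch(ptr %fp, ptr %p) {
entry:
  call void %fp(ptr %p)   ; indirect call: callee unknown from this line alone
  ret void
}
"""

DEFINE_RE = re.compile(r"^define\b[^@]*@([\w.$-]+)\(")
BINDING_RE = re.compile(r"^%[\w.]+\s*=\s*")           # "%v = " result binding
CALL_RE = re.compile(
    r"^(?:%[\w.]+\s*=\s*)?(?:(?:tail|musttail|notail)\s+)?(?:call|invoke)\b(.*)$"
)
DIRECT_CALLEE_RE = re.compile(r"@([\w.$-]+)\s*\(")    # callee is a global symbol
INDIRECT_CALLEE_RE = re.compile(r"%[\w.]+\s*\(")      # callee is an SSA value


@dataclass
class FunctionSummary:
    loads: int = 0
    stores: int = 0
    direct_callees: list = field(default_factory=list)
    indirect_calls: int = 0


def summarize(ir_text):
    """Return {function name: FunctionSummary} for every `define` in the module."""
    summaries, current = {}, None
    for raw in ir_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop trailing IR comments
        if not line:
            continue
        m = DEFINE_RE.match(line)
        if m:
            current = m.group(1)
            summaries[current] = FunctionSummary()
            continue
        if line == "}":
            current = None
            continue
        if current is None:
            continue  # globals, declarations, metadata: not a function body
        s = summaries[current]
        opcode = BINDING_RE.sub("", line).split()[0]
        if opcode == "load":
            s.loads += 1
        elif opcode == "store":
            s.stores += 1
        else:
            call = CALL_RE.match(line)
            if call:
                direct = DIRECT_CALLEE_RE.search(call.group(1))
                if direct:
                    s.direct_callees.append(direct.group(1))
                elif INDIRECT_CALLEE_RE.search(call.group(1)):
                    s.indirect_calls += 1
    return summaries


def call_graph(summaries):
    """Direct edges per function, plus the functions whose edges are incomplete
    because they contain an indirect call that only further analysis can resolve."""
    edges = {name: sorted(set(s.direct_callees)) for name, s in summaries.items()}
    unresolved = {name for name, s in summaries.items() if s.indirect_calls}
    return edges, unresolved


def may_touch_memory(summaries, name):
    """True if the function has a load or store, or any call that might."""
    s = summaries[name]
    return bool(s.loads or s.stores or s.direct_callees or s.indirect_calls)


if __name__ == "__main__":
    summaries = summarize(SAMPLE_IR)
    edges, unresolved = call_graph(summaries)
    for name, s in summaries.items():
        print(f"{name}: loads={s.loads} stores={s.stores} callees={edges[name]} "
              f"indirect={s.indirect_calls} memory={may_touch_memory(summaries, name)}")
    print("functions with unresolved call edges:", sorted(unresolved))
```

Running it shows `addr_of_deref` with no load, store or call, while `deref` has exactly one load; it also shows why the call graph is "not immediately obvious": `dispatch` has no direct edge at all, only an indirect call, which is what optimization or points-to analysis later tries to resolve.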