<div dir="ltr"><div style="font-size:14px"> <font color="#38761d"> It depends what you expect exactly. What would be the ideal output for you on the example you provided before?</font></div><div style="font-size:14px"><font color="#38761d"> Also what is the use-case? (I.e. *why* do you want this information).</font></div><div style="font-size:14px"><font color="#38761d"><br></font></div><div style="font-size:14px"><font color="#000000">I want to collect the array index manipulation frequency in a loop from a function. I recently have read a paper named "Dowsing for Overflows: A guided Fuzzer to Find Buffer Boundary Violations". It says the array index manipulations are related to buffer violations so I want to implement it since I can't get source code from writer. What the paper has analysed is LLVM bitcode and this is the reason that I post this problem. Is there any solution?</font></div></div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-22 11:48 GMT+08:00 Mehdi Amini <span dir="ltr"><<a href="mailto:mehdi.amini@apple.com" target="_blank">mehdi.amini@apple.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><span class=""><blockquote type="cite"><div>On Jul 21, 2016, at 8:28 PM, Qingkun Meng <<a href="mailto:mengqingkun1988@gmail.com" target="_blank">mengqingkun1988@gmail.com</a>> wrote:</div><br><div><div dir="ltr"><div><div><span style="font-size:14px">>if you are interested about what gets actually *executed*, some of these computation will be folded in the addressing mode depending on the architecture</span><span style="font-size:14px"><br></span></div><div><span style="font-size:14px"><br></span></div><div><span style="font-size:14px">If I just want to collect array index manipulation lexically, is there any reliable solution?</span></div></div></div></div></blockquote><div><br></div></span><div>It depends what you expect exactly. What would be the ideal output for you on the example you provided before?</div><div>Also what is the use-case? (I.e. *why* do you want this information).</div><br></div><div><span class=""><br><blockquote type="cite"><div><div dir="ltr"><div><div><span style="font-size:14px"><br></span></div><div><span style="font-size:14px">By noting this</span></div><span style="font-size:14px">>Some people are doing these kind of analyses using debug info to map back to the source code</span><br><div class="gmail_extra">do you mean reversing to source code from LLVM IR? Is there any open source project? I am very appreciated you could refer it to me.</div></div></div></div></blockquote><div><br></div></span><div>I meant debug information as what clang generates with -g.</div><div>For instance, try with a simple example:</div><div><br></div><div>$ cat test.c<br>int foo(int a, int b) {<br> return a + b;<br>}<br><br></div><div>And look at the difference in the output when compiled with -g or not (i.e. `clang -emit-llvm -S test.c -O3 -o -` and `clang -emit-llvm -S test.c -O3 -o - -g`).</div><div>In the first you’ll get something like:</div><div><br></div><div>define i32 @foo(i32, i32) #0 {<br> %3 = add nsw i32 %1, %0<br> ret i32 %3<br>}</div><div><br></div><div>while in the second case it will look like (stripped to keep only the relevant informations):</div><div><br></div><div>define i32 @foo(i32, i32) #0 !dbg !7 {<br> tail call void @llvm.dbg.value(metadata i32 %0, i64 0, metadata !12, metadata !14), !dbg !15<br> tail call void @llvm.dbg.value(metadata i32 %1, i64 0, metadata !13, metadata !14), !dbg !16<br> %3 = add nsw i32 %1, %0, !dbg !17<br> ret i32 %3, !dbg !18<br>}<br>[…]</div><div>!1 = !DIFile(filename: "test.c", directory: “…")</div><div>[…]<br>!7 = distinct !DISubprogram(name: "foo", scope: !1, file: !1, line: 1, type: !8, isLocal: false, isDefinition: true, scopeLine: 1, flags: DIFlagPrototyped, isOptimized: true, unit: !0, variables: !11)</div><div>[….]<br>!12 = !DILocalVariable(name: "a", arg: 1, scope: !7, file: !1, line: 1, type: !10)<br>!13 = !DILocalVariable(name: "b", arg: 2, scope: !7, file: !1, line: 1, type: !10)<br>!14 = !DIExpression()<br>!15 = !DILocation(line: 1, column: 13, scope: !7)<br>!16 = !DILocation(line: 1, column: 20, scope: !7)<br>!17 = !DILocation(line: 2, column: 12, scope: !7)<br>!18 = !DILocation(line: 2, column: 3, scope: !7)<br><br></div><div><br></div><div>Now from there you can analyze the IR and see that there is an addition for two values (%0 and %1), and the calls to llvm.dbg.value points you to some information about these variables (name, type, source location).</div><div><br></div><div>— </div><span class="HOEnZb"><font color="#888888"><div>Mehdi</div></font></span><span class=""><div><br></div><br><div><br></div><div><br></div><div><br></div><br><blockquote type="cite"><div><div dir="ltr"><div class="gmail_extra"><br></div><div class="gmail_extra"><br><div class="gmail_quote">2016-07-22 6:38 GMT+08:00 Mehdi Amini <span dir="ltr"><<a href="mailto:mehdi.amini@apple.com" target="_blank">mehdi.amini@apple.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex"><span><br>
> On Jul 21, 2016, at 5:07 AM, Qingkun Meng via llvm-dev <<a href="mailto:llvm-dev@lists.llvm.org" target="_blank">llvm-dev@lists.llvm.org</a>> wrote:<br>
><br>
><br>
> Hi there,<br>
><br>
> I am a newbie of llvm and here is my question situation. Assume that there is a function F which contains a loop named L, a array b[100]. I want to collect the statistical information of array index operation op(i) (take add and mul simply) of i in the loop L. Pseudocode lists below.<br>
><br>
> void F(arg1, arg2){<br>
> int b[100];<br>
> for(int i=0; i<n; i++){<br>
> op1(i);<br>
> op2(i);<br>
> ......<br>
> b[op1(i)]=n1;<br>
> b[op2(i)]=n2; // n1 and n2 are just common constants<br>
> }<br>
> }<br>
><br>
> The code fragment is compiled to LLVM IR, I want to collect how many times are operations (like add and mul) put on i. However the operations are not easily obtained because there are many temp variables mix the variable trace. Does anyone have ideas to solve this or some open source project do this job?<br>
<br>
</span>In short: there is no reliable way in the absolute. The optimizer will make transformations that completely loses any relationship with the source-code. Also if you are interested about what gets actually *executed*, some of these computation will be folded in the addressing mode depending on the architecture.<br>
<br>
Some people are doing these kind of analyses using debug info to map back to the source code, it may be enough if you don’t need precise results or results that are accurate with respect to the final optimized binary instruction stream.<br>
<br>
—<br>
<span><font color="#888888">Mehdi<br>
<br>
</font></span></blockquote></div><br></div></div>
</div></blockquote></span></div><br></div></blockquote></div><br></div>