[llvm-dev] Analyzing JumpTable index of LLVM IR code

div code via llvm-dev llvm-dev at lists.llvm.org
Sun Dec 30 06:49:08 PST 2018 

Hello,

I am on the hook to analyze a piece of LLVM IR code with a single giant
function produced by some other languages. So basically I will need to
recover some CG and CFG information from that giant function following some
knowledge on function entry points.

While in general that works for me, one problem is to analyze the
JumpTable. So basically I am having a lot of basic blocks that end with or
start from a JumpTable entry, something like:

.473:                                             ; preds = %.461, %JumpTable
  call void @check(i64* %gas.ptr, i64 12, i8* %jmpBuf)
  %210 = getelementptr i256, i256* %sp.473, i64 -2
  %211 = load i256, i256* %210, align 16
  %212 = getelementptr i256, i256* %sp.473, i64 -1
  %213 = load i256, i256* %212, align 16
  %214 = getelementptr i256, i256* %sp.473, i64 -2
  store i256 %213, i256* %214, align 16
  br label %JumpTable



.348:                                             ; preds = %.347, %JumpTable
  call void @check(i64* %gas.ptr, i64 9, i8* %jmpBuf)
  %133 = getelementptr i256, i256* %sp.348, i64 -1
  %134 = load i256, i256* %133, align 16
  br label %JumpTable


And here is how my JumpTable looks like:

JumpTable:                                        ; preds = %.473, %.348
  %target = phi i256 [ %134, %.348 ], [ %211, %.473 ]
  switch i256 %target, label %Exit [
    i256 66, label %.66
    i256 68, label %.68
    i256 79, label %.79
    i256 81, label %.81
    i256 92, label %.92
    i256 188, label %.188
    i256 202, label %.202
    i256 347, label %.347
    i256 348, label %.348
    i256 350, label %.350
    i256 432, label %.432
    i256 461, label %.461
    i256 473, label %.473
  ]


The problem is that right now when I traverse on the CFG, the succeeding
blocks of the jump table would include ALL the basic blocks reachable by
the JumpTable. In other words, I might get a very imprecise analysis
results (yes, of course that's "sound").

So I am writing to ask whether it is feasible to do any "range" analysis to
infer the value stored in the JumpTable index? For instance when traversing
to BB .348, it would be great to know that pointer %134 can only be 5, or
6. Something like this.

Am I clear on this? Thank you for your help, and wish you a Happy New Year!

Best,
Irene
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20181230/61ad2268/attachment.html>

More information about the llvm-dev mailing list