similar to: IR to binary address mapping

Hi However, frontend may also do various operations on the source code and one line number and column number could map to more than one binary address. Why LLVM IR cannot? Regrads Muhui 2018-06-12 23:18 GMT+08:00 mayuyu.io <admin at mayuyu.io>: > In theory that’s not exactly possible/accurate. Due to various operations > in the Backend like Instruction Legalization, one IR

Hi Paul Thanks for your comments. Suppose I can generate the control flow graph via LLVM Pass or the default option like '-dot-cfg' with opt. However, the control flow graph is based on llvm IR level. I would like to have a control flow graph based on binary level. Thus, I want to map the IR to binary address. As far as I know, we used to use the debug information to map the IR to source

Hi I need a concolic execution framework based on LLVM. As far as I know, KLEE might be the best choice. However, KLEE(the stable version) is based on LLVM 3.4. I compiled my code with the latest LLVM, whose version is 7.0. Anyone know whether the bitcode could be used by KLEE. Or do I have to compile with the old version of LLVM again. Furthermore, if you have any other concolic execution

I'm not familiar with the target instruction set, but if "MOV PC, R0" is not a return instruction, I'm guessing that the sequence starting at A39C is a dispatch through a jump table. The jump table would be considered part of the instruction stream and included in the scope of the line table. This is not a case where you would see end_sequence; my mistake. The line table does

There should be a line-table entry for the end of the function, which appears to be missing from the dump you provided. llvm-dwarfdump should report this address with 'end_sequence' in the Flags. Are you using a different dumper? I am not sure but my guess would be that inline data is not represented in the line table. The line table's primary purpose is to inform the debugger

Hi David Thank you very much for your suggestions. ScopeLine works well. It could represent the start of a function. Do you know whether I can get the start column of this function? Many Thanks Regards Muhui 2018-05-30 3:25 GMT+08:00 David Blaikie <dblaikie at gmail.com>: > > > On Tue, May 29, 2018 at 5:25 AM Muhui Jiang via llvm-dev < > llvm-dev at lists.llvm.org>

Hi I write a LLVM function pass. The pass will loop the basicblock in the function, check the instruction's type with dyn_cast<switchinst>, print the instruction and the basicblock's successors. I think it is not very complex. My bitcode file is about 30M. My CPU is i7-7700(3.6GHz). It has been running for 60 hours but it is still running. I am not sure whether this is a normal

Hi I am using LLVM to help me do some code analysis. I wrote a LLVM Function Pass to help me to generate some information. I use the code below to get the source line information for every instruction. for (BasicBlock &BB : F){ for(Instruction &I: BB){ DILocation* Loc = I.getDebugLoc().get(); unsigned Line = Loc->getLine() } } I think the function's first

Hi My goal is that given a binary and the corresponding input. I want to know what IR level basic blocks are covered. I need the detail information, which is the set of all the covered BBs rather than just a number. I want to know whether there are some tools that can support this requirements. If not, I think maybe instrumentation can helps. However, I do not know too much about this. Any

Hi paulr Thanks for your reply. Though DWARF info give me the code address ranges, there might be inline data. If so, how to handle this case? As for the dwarf line table. Sometimes, the source line might be zero. Do you know why? If all instructions should be describe in the line table, I think analyzing Dwarf line table is enough to get all the instructions addresses. Do you agree? I would

On Tue, May 29, 2018 at 5:25 AM Muhui Jiang via llvm-dev < llvm-dev at lists.llvm.org> wrote: > Hi > > I am using LLVM to help me do some code analysis. I wrote a LLVM Function > Pass to help me to generate some information. I use the code below to get > the source line information for every instruction. > > for (BasicBlock &BB : F){ > for(Instruction &I:

On 6/15/2018 11:58 AM, Muhui Jiang wrote: > Is it possible to dump both the frame setup/cleanup MIR and the MIR I > have at this moment? You can dump the MIR after each pass with -mllvm -print-after-all. Look for "Prologue/Epilogue Insertion". -Krzysztof -- Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, hosted by The Linux Foundation

Hi Krzysztof Thank you very much for your quick and clear reply. I know that MIR may not match hardware instructions directly. However, I think the semantics should be similar. For example, the first instruction is a store-multiple instruction in ARM. I think the first four MIR I shown should have the similar semantics with the first three hardware instructions. I still cannot see the

Hi Alex Thanks for your email. But it seems not work. I removed the -fsanitize=address flag. The global buffer overflow message doesn't show. However, no *.sancov file is created after I run perlbench. Thus, I could not get the BB coverage. Do you have any ideas? Many Thanks Regards Muhui Alexander Potapenko <glider at google.com> 于2018年9月5日周三 下午7:14写道： > Hi Muhui, > > If

On 5/29/2018 7:59 AM, Muhui Jiang via llvm-dev wrote: > So the reason why basic blocks can contain function calls is because of > code inlining? Not really. Basic blocks are units of code in a context of a specific function. When execution reaches a function call, it will go outside of the current function for some time, but then it will return back to the instruction following the

Hi I am using LLVM Pass combined with dwarf debug information to get all the function's start address. My steps are below: First, I write the function pass to get the start line of each function, which is finished. Then, based on the start line of every single function, I try to query the specific line from the dwarf's line binary table, which is generated with llvm-dwarfdump

Hi Actually, No particular reason. I just think this might be a solution, then I use think kind of method. Querying the symbol table would be a good choice, but I prefer to use LLVM and dwarf information. I am sorry that I am not familiar with debug_info. But thanks to your suggestions. I would like to try to solve it with debug_info. It seems work according to your comments By the way, I am

Hi I would like to use clang to cross compile the ARM binary. I hope the target binary contains both arm and thumb instruction sets. I use the flag -mhwdiv=arm,thumb. I compiled several binaries. However, I found that the thumb mode instructions are few. Even for very big program like gcc. The number of thumb mode instruction is less than 100. I get the ground truth from the mapping table.

Hi I was wondering whether there are any methods to know what part of the target binary is code. I have some ideas and hope to get your comments. I would like to use LLVM's source level debugging information to extract the source lines belonging to every functions. Then use the dwarf mapping table to transfer the source level information to binary address. Are there any better methods?

Hi Nowadays I am using LLVM to do ARM binary analysis. I was wondering is llvm available to provide some debugging information on the mode of ARM. For example, llvm-dwarfdump could dump some instructions information for debugging. Is it able to know the mode for each instruction? Or we may write some llvm pass to help us to know the instruction mode? Any suggestions are welcomed. Many Thanks