11

I want to generate a Program Dependence Graph (PDG) from C source code. I found papers that explain how to do it, but all used the commercial CodeSurfer tool.

Are there any free tools or open source projects that can do this job?

ftk
user1283336

2 Answers

18

Frama-C is an Open Source static analysis platform with a slicer for C programs based on the computation of a Program Dependence Graph.

Note that slicing actual programs written in a real programming language such as C involves many special cases and concepts that are skimmed over in scientific publications. Still, I am confident that you won't find anything simpler than Frama-C's PDG computation, first because it is the only Open Source one available (that I know of), and second because any other PDG computation that handled C programs would have to solve the same problems and introduce the same concepts.

Here is one example:

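```c
int a, b, d, *p;

int f (int x) {
  return a + x;   /* reads the global a as well as the argument */
}

int main (int c, char **v) {
  p = &b;         /* p now points to b */
  a = 1;
  *p = 2;         /* writes b through p */
  d = 3;
  c = f(b);
}
```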

The command `frama-c -pdg -pdg-dot graph -pdg-print t.c` generates dot files `graph.main.dot` and `graph.f.dot` containing the PDG of `main()` and `f()` respectively.

You can use the `dot` program to pretty-print one of them thus: `dot -Tpdf graph.main.dot > graph.pdf`

The result is below:

[Figure: PDG of main()]

Note the edge from the node `c = f(b);` to the node `*p = 2;`. A PDG computation claiming to be useful for C programs must handle aliasing.

On the other hand, a slicer using this PDG to slice on the criterion “inputs of statement `c = f(b);`” would be able to remove `d = 3;`, which cannot influence the function call, even through the pointer access `*p`. Frama-C's slicer uses the dependencies indicated by the PDG to keep only the statements that are useful for the user-specified slicing criterion. For instance, the command `frama-c -slice-wr c t.c -then-on 'Slicing export' -print` produces the reduced program below, where the assignment to `d` has been removed:

```c
/* Generated by Frama-C */
int a;
int b;
int *p;
int f_slice_1(int x)
{
  int __retres;
  __retres = a + x;
  return (__retres);
}

void main(int c)
{
  p = & b;
  a = 1;
  *p = 2;
  c = f_slice_1(b);
  return;
}
```
s.dallapalma
Pascal Cuoq
  • Thank you very much for your remarkable help. I am beginning to learn how to use Frama-C. In the reference of Frama-C, I cannot find the meaning of the lines in the graph.main.dot graph. What do the different line styles mean? Or is there any material about this? – user1283336 Mar 25 '12 at 02:40
  • @user1283336 There are 3 kinds of arrows: respectively data, control and address dependencies. The program `int a, b, *p; void main(int x, int y, int z) { p = &a; *p = x; if (y) b = z; }` contains all 3 kinds of dependencies. Using the same command lines as in the first example, you should have no difficulty recognizing which is which. There is no user-available description of the internals of the slicer, sorry, only an outside description of how to use it. – Pascal Cuoq Mar 25 '12 at 03:36
  • 1
    I think it must be `-pdg-dot` rather than `-dot-pdg` right? At least for me it worked only the former way – Paddre Jul 16 '16 at 16:54
  • 1
    The documentation on Frama-C is very limited. Can you cover the meaning of OutRet, In1, InCrtl nodes? I'm sure they are inter-statement calls, but what are their actual meanings? Does anyone have a link to what each aspect of the graph means (i.e. relationship (link) colors, dotted lines, node colors, etc.)? – Quentin Mayo Oct 11 '16 at 22:18
  • @PascalCuoq Instead of pretty-printing with `dot -Tpdf graph.main.dot > graph.pdf`, can we get the PDG as a graph object to use later? – Jab Jun 20 '17 at 17:29
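
As an added illustration (not part of the answer above and not Frama-C's implementation), the following Python example builds the data and address dependencies for a hand-written model of the answer's `main()` and computes the backward slice on `c = f(b);`. The statement encoding, `build_pdg` and `backward_slice` are assumptions made for this example; it handles straight-line code only, so control dependencies are not modeled and every store through `p` has a single known target.

```python
# Constructed model of main() from the answer: (text, target, reads).
# Target "*p" is a store through pointer p; a read of "&b" takes b's address.
MAIN = [
    ("p = &b;",   "p",  ["&b"]),
    ("a = 1;",    "a",  []),
    ("*p = 2;",   "*p", []),
    ("d = 3;",    "d",  []),
    ("c = f(b);", "c",  ["b", "a"]),  # f(x) returns a + x, so the call reads a
]

def build_pdg(stmts):
    """Return {node: {(dependency_node, kind)}} for straight-line code."""
    last_def = {}    # variable -> index of the statement that last wrote it
    points_to = {}   # pointer  -> set of variables it points to
    deps = {i: set() for i in range(len(stmts))}
    for i, (_, target, reads) in enumerate(stmts):
        for r in reads:
            if r.startswith("&"):
                continue                  # taking an address reads no value
            if r in last_def:
                deps[i].add((last_def[r], "data"))
        if target.startswith("*"):
            ptr = target[1:]
            if ptr in last_def:           # which cell is written depends on ptr
                deps[i].add((last_def[ptr], "address"))
            written = points_to.get(ptr, set())
        else:
            written = {target}
            addrs = {r[1:] for r in reads if r.startswith("&")}
            if addrs:
                points_to[target] = addrs
        for v in written:
            last_def[v] = i
    return deps

def backward_slice(stmts, criterion):
    """Statements that can influence stmts[criterion], in program order."""
    deps = build_pdg(stmts)
    keep, work = set(), [criterion]
    while work:
        n = work.pop()
        if n not in keep:
            keep.add(n)
            work.extend(d for d, _ in deps[n])
    return [stmts[i][0] for i in sorted(keep)]

if __name__ == "__main__":
    print(backward_slice(MAIN, 4))
```

The slice keeps `*p = 2;` because the store resolves to `b`, and drops `d = 3;`, matching the reduced program shown in the answer.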
4

If you like to visualize the dependencies of methods calling each other and are using gcc then gcc's option `-fdump-rtl-expand` might be of interest to you.

For each source file you compile using the option `-fdump-rtl-expand` gcc will output a `*.expand` file.

Those files fed to the tool egypt produce graph(s) showing the method's dependencies.

alk
  • A PDG is a graph whose nodes are statements. See for instance http://www.grammatech.com/research/papers/slicing/slicingWhitepaper.html – Pascal Cuoq Mar 21 '12 at 22:18