|
| 1 | +[CPROVER Manual TOC](../../) |
| 2 | + |
| 3 | +## Memory Analyzer |
| 4 | + |
| 5 | +The memory analyzer is a front-end for running and querying GDB in order to |
| 6 | +obtain a state of the input program. The GDB is not needed to be executed |
| 7 | +directly but is rather used as a back-end for the memory analysis. A common |
| 8 | +application would be to obtain a snapshot of a program under analysis at a |
| 9 | +particular state of execution. Such a snapshot could be useful on its own: to |
| 10 | +query about values of particular variables. Furthermore, since that snapshot is |
| 11 | +a state of a valid concrete execution, it can also be used for subsequent |
| 12 | +analyses. |
| 13 | + |
| 14 | +## Usage |
| 15 | + |
| 16 | +We assume that the user wants to inspect a binary executable compiled with |
| 17 | +debugging symbols and a symbol table information understandable by CBMC, e.g. |
| 18 | +(having `goto-gcc` on the `PATH`): |
| 19 | + |
| 20 | +```sh |
| 21 | +$ goto-gcc -g input_program.c -o input_program_exe |
| 22 | +``` |
| 23 | + |
| 24 | +Calling `goto-gcc` instead of simply compiling with `gcc` produces an ELF binary |
| 25 | +with a goto section that contains the goto model (goto program + symbol table) |
| 26 | +[goto-cc-variants](../goto-cc/variants/). |
| 27 | + |
| 28 | +The memory analyzer supports two workflows to initiate the GDB with user code: |
| 29 | +either to run the code from a core-file or up to a break-point. If the user |
| 30 | +already has a core-file, they can specify it with the option `--core-file cf`. |
| 31 | +If the user knows the point of their program from where they want to run the |
| 32 | +analysis, they can specify it with the option `--breakpoint bp`. Only one of |
| 33 | +core-file/break-point option can be used. |
| 34 | + |
| 35 | +The tool also expects a comma-separated list of symbols to be analysed |
| 36 | +`--symbols s1, s2, ..`. Given its dependence on GDB, `memory-analyzer` is a |
| 37 | +Unix-only tool. The tool calls `gdb` to obtain the snapshot which is why the |
| 38 | +`-g` option is necessary for the program symbols to be visible. |
| 39 | + |
| 40 | +Take for example the following program: |
| 41 | + |
| 42 | +```C |
| 43 | +// main.c |
| 44 | +void checkpoint() {} |
| 45 | + |
| 46 | +int array[] = {1, 2, 3}; |
| 47 | + |
| 48 | +int main() |
| 49 | +{ |
| 50 | + array[1] = 4; |
| 51 | + |
| 52 | + checkpoint(); |
| 53 | + |
| 54 | + return 0; |
| 55 | +} |
| 56 | +``` |
| 57 | +
|
| 58 | +Say we are interested in the evaluation of `array` at the call-site of |
| 59 | +`checkpoint`. We compile the program with |
| 60 | +
|
| 61 | +```sh |
| 62 | +$ goto-gcc -g main.c -o main_exe |
| 63 | +``` |
| 64 | + |
| 65 | +And then we call `memory-analyzer` with: |
| 66 | + |
| 67 | +```sh |
| 68 | +$ memory-analyzer --breakpoint checkpoint --symbols array main_exe |
| 69 | +``` |
| 70 | + |
| 71 | +to obtain as output the human readable list of values for each requested symbol: |
| 72 | + |
| 73 | +``` |
| 74 | +{ |
| 75 | + array = { 1, 4, 3 }; |
| 76 | +} |
| 77 | +``` |
| 78 | + |
| 79 | +The above option is useful for the user and their preliminary analysis but does |
| 80 | +not contain enough information for further computer-based analyses. To that end, |
| 81 | +memory analyzer has an option to request the result to be a snapshot of the |
| 82 | +whole symbol table `--symtab-snapshot`. Finally, to obtain an output in JSON |
| 83 | +format, e.g. for further analyses by `goto-harness` pass the additional option |
| 84 | +`--json-ui`. |
| 85 | + |
| 86 | +```sh |
| 87 | +$ memory-analyzer --symtab-snapshot --json-ui \ |
| 88 | +--breakpoint checkpoint --symbols array main_exe > snapshot.json |
| 89 | +``` |
0 commit comments