|
| 1 | +.TH MEMORY-ANALYZER "1" "June 2022" "memory-analyzer-5.59.0" "User Commands" |
| 2 | +.SH NAME |
| 3 | +memory-analyzer \- Snapshot program state for symbolic analysis |
| 4 | +.SH SYNOPSIS |
| 5 | +.TP |
| 6 | +.B memory\-analyzer [\-?] [\-h] [\-\-help] |
| 7 | +show help |
| 8 | +.TP |
| 9 | +.B memory\-analyzer \-\-version |
| 10 | +show version |
| 11 | +.TP |
| 12 | +.B memory\-analyzer \-\-symbols \fIsymbol_list\fR [options] \fIbinary\fR |
| 13 | +analyze binary |
| 14 | +.SH DESCRIPTION |
| 15 | +\fBmemory\-analyzer\fR is a front-end that runs and queries \fBgdb\fR(1) in |
| 16 | +order to obtain a snapshot of the state of an input program at a particular |
| 17 | +program location. Such a snapshot could be useful on its own: to check the |
| 18 | +values of variables at a particular program location. Furthermore, since the |
| 19 | +snapshot is a state of a valid concrete execution, it can also be used for |
| 20 | +subsequent analyses. |
| 21 | +.PP |
| 22 | +In order to analyze a program with \fBmemory-analyzer\fR it needs to be compiled |
| 23 | +with \fBgoto-gcc\fR(1). This yields an \fBelf\fR(5) executable that also |
| 24 | +includes a \fIgoto-cc\fR section holding the goto model: |
| 25 | +.EX |
| 26 | +.IP |
| 27 | +goto\-gcc \-g input_program.c \-o input_program_exe |
| 28 | +.EE |
| 29 | +.PP |
| 30 | +\fBmemory\-analyzer\fR supports two ways of running \fBgdb\fR(1) on user code: |
| 31 | +either to run the code from a core-file or up to a break-point. If the user |
| 32 | +already has a core-file, they can specify it with the option |
| 33 | +\fB\-\-core\-file\fR \fIcf\fR. If the user knows the point of their program from |
| 34 | +where they want to run the analysis, they can specify it with the option |
| 35 | +\fB\-\-breakpoint\fR \fIbp\fR. Only one of core-file/break-point option can be |
| 36 | +used. |
| 37 | +.PP |
| 38 | +The tool also expects a comma-separated list of symbols to be analyzed via |
| 39 | +\fB\-\-symbols \fIs1\fR,\fIs2\fR,\fI...\fR. |
| 40 | +The tool invokes \fBgdb\fR(1) to obtain the snapshot which is why the \fB\-g\fR |
| 41 | +option is necessary when compiling for the program symbols to be visible. |
| 42 | +.PP |
| 43 | +Take for example the following program: |
| 44 | +.EX |
| 45 | +.IP |
| 46 | +// main.c |
| 47 | +void checkpoint() {} |
| 48 | +
|
| 49 | +int array[] = {1, 2, 3}; |
| 50 | +
|
| 51 | +int main() |
| 52 | +{ |
| 53 | + array[1] = 4; |
| 54 | + checkpoint(); |
| 55 | + return 0; |
| 56 | +} |
| 57 | +.EE |
| 58 | +.PP |
| 59 | +Say we are interested in the evaluation of \fIarray\fR at the call-site of |
| 60 | +\fIcheckpoint\fR. We compile the program with |
| 61 | +.EX |
| 62 | +.IP |
| 63 | +goto\-gcc \-g main.c \-o main_exe |
| 64 | +.EE |
| 65 | +.PP |
| 66 | +And then we call \fBmemory\-analyzer\fR with: |
| 67 | +.EE |
| 68 | +.IP |
| 69 | +memory-analyzer --breakpoint checkpoint --symbols array main_exe |
| 70 | +.PP |
| 71 | +to obtain as output the human readable list of values for each requested symbol: |
| 72 | +.EX |
| 73 | +.IP |
| 74 | +{ |
| 75 | + array = { 1, 4, 3 }; |
| 76 | +} |
| 77 | +.EE |
| 78 | +.PP |
| 79 | +The above result is useful for the user and their preliminary analysis but does |
| 80 | +not contain enough information for further automated analyses. To that end, |
| 81 | +memory analyzer has an option for the snapshot to be represented in the format |
| 82 | +of a symbol table (with \fB\-\-symtab\-snapshot\fR). Finally, to obtain an output in |
| 83 | +JSON format, e.g., for further analyses by \fBgoto\-harness\fR(1) the additional option |
| 84 | +\fB\-\-json\-ui\fR needs to be passed to \fBmemory\-analyzer\fR: |
| 85 | +.EX |
| 86 | +.IP |
| 87 | +memory-analyzer \-\-symtab-snapshot \-\-json-ui \-\-breakpoint checkpoint |
| 88 | + \-\-symbols array main_exe > snapshot.json |
| 89 | +.EE |
| 90 | +.SH OPTIONS |
| 91 | +.TP |
| 92 | +\fB\-\-core\-file\fR \fIfile_name\fR |
| 93 | +Analyze from core dump \fIfile_name\fR. |
| 94 | +.TP |
| 95 | +\fB\-\-breakpoint\fR \fIbreakpoint\fR |
| 96 | +Analyze from given breakpoint. |
| 97 | +.TP |
| 98 | +\fB\-\-symbols\fR \fIsymbol_list\fR |
| 99 | +List of symbols to analyze. |
| 100 | +.TP |
| 101 | +\fB\-\-symtab\-snapshot\fR |
| 102 | +Output snapshot as JSON symbol table that can be used with \fBsymtab2gb\fR(1). |
| 103 | +.TP |
| 104 | +\fB\-\-output\-file\fR \fIfile_name\fR |
| 105 | +Write snapshot to \fIfile_name\fR. |
| 106 | +.TP |
| 107 | +\fB\-\-json\-ui\fR |
| 108 | +Output snapshot in JSON format. |
| 109 | +.SH ENVIRONMENT |
| 110 | +All tools honor the TMPDIR environment variable when generating temporary |
| 111 | +files and directories. |
| 112 | +.SH BUGS |
| 113 | +If you encounter a problem please create an issue at |
| 114 | +.B https://github.com/diffblue/cbmc/issues |
| 115 | +.SH SEE ALSO |
| 116 | +.BR cbmc (1), |
| 117 | +.BR elf (5), |
| 118 | +.BR gdb (1), |
| 119 | +.BR goto-gcc (1), |
| 120 | +.BR goto-harness (1), |
| 121 | +.BR symtab2gb (1) |
| 122 | +.SH COPYRIGHT |
| 123 | +2019, Malte Mues, Diffblue |
0 commit comments