Dotting Pretty Graphs
February 7th, 2007 by tglek
It is difficult to follow error messages from control-flow analyzing tools. After struggling to visualize what I was debugging, I added a native JavaScript function to graph the CFG and display the current path through it.
Now debugging control flow errors is as easy as looking at a (sometimes giant) picture of this function. The red represents the current flow and gray indicates flows that the script deemed correct.
Recipe
In this example I am checking that control flows through a particular point in the code (from line 1128 into line 1200). Since dos only deals with variables, I added variables that it can match to the AST.
I added DFLOW_START to line 1127, DFLOW_STOP to line 1200 and produced my .i files with:
    make CC="gcc -DFLOW_START='{int __flow_start;}' -DFLOW_STOP='{int __flow_start=1;}'" jsarray.i
Then I ran dos with the tiny analysis script:
    ./dos -dos-javascript ensure_out.js -o-lang GNU_C ~/work/ff-build/js/src/jsarray.i
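The kind of check the recipe describes, as an added standalone example (it is not the ensure_out.js script from this post and does not use dos's API): it walks a small constructed CFG, finds a path that leaves the start marker without reaching the stop marker, and emits dot text with that path in red and passing flows in gray. The node names and the checkFlow/toDot helpers are assumptions made for illustration.

```javascript
// Constructed CFG (node -> successors); not output from dos or jsarray.c.
const cfg = {
  entry: ["start"],
  start: ["check"],       // block holding the __flow_start marker
  check: ["grow", "fail"],
  grow: ["stop"],
  fail: ["exit"],         // early return that skips the stop marker
  stop: ["exit"],         // block holding the stop marker
  exit: [],
};
const edge = (a, b) => a + "->" + b;

// Walk every acyclic path from `start`. Edges of paths that reach `stop`
// go into okEdges; the first path that runs out of successors without
// reaching `stop` is returned as `bad`. Back edges are skipped.
function checkFlow(graph, start, stop) {
  const okEdges = new Set();
  let bad = null;
  const walk = (node, path) => {
    if (node === stop) {
      path.slice(1).forEach((n, i) => okEdges.add(edge(path[i], n)));
      return;
    }
    const succs = graph[node] || [];
    if (succs.length === 0 && bad === null) bad = path.slice();
    for (const s of succs) {
      if (!path.includes(s)) walk(s, path.concat(s));
    }
  };
  walk(start, [start]);
  return { bad, okEdges };
}

// Emit Graphviz dot text: red for the failing path, gray for flows that passed.
function toDot(graph, result) {
  const bad = result.bad || [];
  const badEdges = new Set(bad.slice(1).map((n, i) => edge(bad[i], n)));
  const lines = ["digraph cfg {"];
  for (const [from, succs] of Object.entries(graph)) {
    for (const to of succs) {
      const e = edge(from, to);
      const color = badEdges.has(e) ? "red" : result.okEdges.has(e) ? "gray" : "black";
      lines.push(`  "${from}" -> "${to}" [color=${color}];`);
    }
  }
  return lines.concat("}").join("\n");
}

console.log(toDot(cfg, checkFlow(cfg, "start", "stop")));
```

Piping the printed text through Graphviz (for example `dot -Tpng`) renders the picture; an edge shared by the failing path and a passing path is drawn red.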
Future Work
This should allow function-local dead code detection. Once dos is mature enough for function-local CFG traversals it will be interesting (but challenging) to try to expand this to detect dead functions or classes in Mozilla.
Nice post!