You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
323 lines
12 KiB
323 lines
12 KiB
SLEdge static analyzer
|
|
|
|
sledge SUBCOMMAND
|
|
|
|
The [-trace <spec>] argument of each subcommand enables debug tracing according to <spec>, which is a sequence of module and function names separated by + or -. For example, M-M.f enables all tracing in the M module except the M.f function. The <spec> value * enables all debug tracing.
|
|
|
|
=== subcommands ===
|
|
|
|
buck integration with Buck
|
|
. analyze analyze buck target
|
|
. bitcode report bitcode files in buck target
|
|
. link link buck target to LLVM bitcode
|
|
llvm integration with LLVM
|
|
. analyze analyze LLVM bitcode
|
|
. translate translate LLVM bitcode to LLAIR
|
|
. disassemble translate LLVM bitcode to LLAIR and print in textual form
|
|
analyze analyze LLAIR code
|
|
disassemble print LLAIR code in textual form
|
|
smt process SMT-LIB benchmarks
|
|
version print version information
|
|
help explain a given subcommand (perhaps recursively)
|
|
|
|
|
|
====== sledge buck ======
|
|
|
|
integration with Buck
|
|
|
|
sledge buck SUBCOMMAND
|
|
|
|
Code can be provided by a buck build target, such as //fully/qualified/build:target. The mechanism used to integrate with buck uses the arguments passed to the linker, so the target must specify a binary that will be linked, not for instance a library archive. Sledge passes the --config sledge.build=True flag to buck, which can be used to configure buck targets for sledge.
|
|
|
|
=== subcommands ===
|
|
|
|
analyze analyze buck target
|
|
bitcode report bitcode files in buck target
|
|
link link buck target to LLVM bitcode
|
|
help explain a given subcommand (perhaps recursively)
|
|
|
|
|
|
====== sledge buck analyze ======
|
|
|
|
analyze buck target
|
|
|
|
sledge buck analyze <target>
|
|
|
|
Analyze code in a buck target. This is a convenience wrapper for the sequence `sledge buck bitcode`; `sledge llvm translate`; `sledge analyze`.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-bound <int>] stop execution exploration at depth <int>
|
|
[-colors] enable printing in colors
|
|
[-domain <string>] select abstract domain; must be one of "sh" (default,
|
|
symbolic heap domain), "globals" (used-globals domain),
|
|
or "unit" (unit domain)
|
|
[-dump-query <int>] dump solver query <int> and halt
|
|
[-function-summaries] use function summaries (in development)
|
|
[-fuzzer] add a harness for libFuzzer targets
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-modules <file>] write list of bitcode files to <file>, or to standard
|
|
output if <file> is `-`
|
|
[-no-internalize] do not internalize all functions except the entry
|
|
points specified in the config file
|
|
[-no-models] do not add models for C/C++ runtime and standard
|
|
libraries
|
|
[-no-simplify-states] do not simplify states during symbolic execution
|
|
[-output <file>] write generated binary LLAIR to <file>
|
|
[-preanalyze-globals] pre-analyze global variables used by each function
|
|
[-report <file>] write report sexp to <file>, or to standard error if
|
|
"-"
|
|
[-stats] output performance statistics to stderr
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge buck bitcode ======
|
|
|
|
report bitcode files in buck target
|
|
|
|
sledge buck bitcode <target>
|
|
|
|
Build a buck target and report the included bitcode files.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-colors] enable printing in colors
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-modules <file>] write list of bitcode files to <file>, or to standard
|
|
output if <file> is `-`
|
|
[-report <file>] write report sexp to <file>, or to standard error if "-"
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge buck link ======
|
|
|
|
link buck target to LLVM bitcode
|
|
|
|
sledge buck link <target>
|
|
|
|
Link code in a buck target to a single LLVM bitcode module. This also internalizes all symbols except `main` and removes dead code.
|
|
|
|
=== flags ===
|
|
|
|
-bitcode-output <file> write linked bitcode to <file>
|
|
[-append-report] append to report file
|
|
[-colors] enable printing in colors
|
|
[-fuzzer] add a harness for libFuzzer targets
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-modules <file>] write list of bitcode files to <file>, or to standard
|
|
output if <file> is `-`
|
|
[-report <file>] write report sexp to <file>, or to standard error if
|
|
"-"
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge llvm ======
|
|
|
|
integration with LLVM
|
|
|
|
sledge llvm SUBCOMMAND
|
|
|
|
Code can be provided by one or more LLVM bitcode files.
|
|
|
|
=== subcommands ===
|
|
|
|
analyze analyze LLVM bitcode
|
|
translate translate LLVM bitcode to LLAIR
|
|
disassemble translate LLVM bitcode to LLAIR and print in textual form
|
|
help explain a given subcommand (perhaps recursively)
|
|
|
|
|
|
====== sledge llvm analyze ======
|
|
|
|
analyze LLVM bitcode
|
|
|
|
sledge llvm analyze <input> [<input> ...]
|
|
|
|
Analyze code in one or more LLVM bitcode files. This is a convenience wrapper for the sequence `sledge llvm translate`; `sledge analyze`.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-bound <int>] stop execution exploration at depth <int>
|
|
[-colors] enable printing in colors
|
|
[-domain <string>] select abstract domain; must be one of "sh" (default,
|
|
symbolic heap domain), "globals" (used-globals domain),
|
|
or "unit" (unit domain)
|
|
[-dump-query <int>] dump solver query <int> and halt
|
|
[-function-summaries] use function summaries (in development)
|
|
[-fuzzer] add a harness for libFuzzer targets
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-no-internalize] do not internalize all functions except the entry
|
|
points specified in the config file
|
|
[-no-models] do not add models for C/C++ runtime and standard
|
|
libraries
|
|
[-no-simplify-states] do not simplify states during symbolic execution
|
|
[-output <file>] write generated binary LLAIR to <file>
|
|
[-preanalyze-globals] pre-analyze global variables used by each function
|
|
[-report <file>] write report sexp to <file>, or to standard error if
|
|
"-"
|
|
[-stats] output performance statistics to stderr
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge llvm translate ======
|
|
|
|
translate LLVM bitcode to LLAIR
|
|
|
|
sledge llvm translate <input> [<input> ...]
|
|
|
|
Translate one or more LLVM bitcode files to LLAIR. Each <input> filename may be either: an LLVM bitcode file, in binary (.bc) or textual (.ll) form; or of the form @<argsfile>, where <argsfile> names a file containing one <input> per line.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-colors] enable printing in colors
|
|
[-fuzzer] add a harness for libFuzzer targets
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-no-internalize] do not internalize all functions except the entry points
|
|
specified in the config file
|
|
[-no-models] do not add models for C/C++ runtime and standard libraries
|
|
[-output <file>] write generated binary LLAIR to <file>
|
|
[-report <file>] write report sexp to <file>, or to standard error if "-"
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge llvm disassemble ======
|
|
|
|
translate LLVM bitcode to LLAIR and print in textual form
|
|
|
|
sledge llvm disassemble <input> [<input> ...]
|
|
|
|
The <input> file must be LLVM bitcode.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-colors] enable printing in colors
|
|
[-fuzzer] add a harness for libFuzzer targets
|
|
[-llair-output <file>] write generated textual LLAIR to <file>, or to
|
|
standard output if omitted
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-no-internalize] do not internalize all functions except the entry
|
|
points specified in the config file
|
|
[-no-models] do not add models for C/C++ runtime and standard
|
|
libraries
|
|
[-output <file>] write generated binary LLAIR to <file>
|
|
[-report <file>] write report sexp to <file>, or to standard error if
|
|
"-"
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge analyze ======
|
|
|
|
analyze LLAIR code
|
|
|
|
sledge analyze <input>
|
|
|
|
The <input> file must be binary LLAIR, such as produced by `sledge translate`.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-bound <int>] stop execution exploration at depth <int>
|
|
[-colors] enable printing in colors
|
|
[-domain <string>] select abstract domain; must be one of "sh" (default,
|
|
symbolic heap domain), "globals" (used-globals domain),
|
|
or "unit" (unit domain)
|
|
[-dump-query <int>] dump solver query <int> and halt
|
|
[-function-summaries] use function summaries (in development)
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-no-simplify-states] do not simplify states during symbolic execution
|
|
[-preanalyze-globals] pre-analyze global variables used by each function
|
|
[-report <file>] write report sexp to <file>, or to standard error if
|
|
"-"
|
|
[-stats] output performance statistics to stderr
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge disassemble ======
|
|
|
|
print LLAIR code in textual form
|
|
|
|
sledge disassemble <input>
|
|
|
|
The <input> file must be LLAIR code, as produced by `sledge llvm translate`.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-colors] enable printing in colors
|
|
[-llair-output <file>] write generated textual LLAIR to <file>, or to
|
|
standard output if omitted
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-report <file>] write report sexp to <file>, or to standard error if
|
|
"-"
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge smt ======
|
|
|
|
process SMT-LIB benchmarks
|
|
|
|
sledge smt <input>
|
|
|
|
The <input> file is interpreted as an SMT-LIB 2 benchmark.
|
|
|
|
=== flags ===
|
|
|
|
[-append-report] append to report file
|
|
[-colors] enable printing in colors
|
|
[-margin <cols>] wrap debug tracing at <cols> columns
|
|
[-report <file>] write report sexp to <file>, or to standard error if "-"
|
|
[-trace <spec>] enable debug tracing
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge version ======
|
|
|
|
print version information
|
|
|
|
sledge version
|
|
|
|
=== flags ===
|
|
|
|
[-build-info] print build info for this build
|
|
[-version] print the version of this build
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|
|
|
|
====== sledge help ======
|
|
|
|
explain a given subcommand (perhaps recursively)
|
|
|
|
sledge help [SUBCOMMAND]
|
|
|
|
=== flags ===
|
|
|
|
[-expand-dots] expand subcommands in recursive help
|
|
[-flags] show flags as well in recursive help
|
|
[-recursive] show subcommands of subcommands, etc.
|
|
[-help] print this help text and exit
|
|
(alias: -?)
|
|
|