Find targets of indirect call sites

Hi,

I would like to find the targets of indirect call sites. The call site
and the targets may be located in different functions or in different
modules.

Any hint or suggestion would be much appreciated.

Thanks.

So, you are trying to find out what the initialization of a function pointer is?

Surely that’s not always possible: there may be runtime conditional code that sets the function pointer, based on external inputs (user-input, reading from file, command-line arguments, etc). And it becomes almost impossible for callbacks that are supplied to a library from the library user’s code.

This has been discussed many times before, so looking over the archive of this mailing list would perhaps provide some further information.

Hi,

> Hi,
>
> I would like to find the targets of indirect call sites. The call site
> and the targets may be located in different functions or in different
> modules.

LLVM does not provide such a feature.

> Any hint or suggestion would be much appreciated.

You could use the poolalloc project [1]. It includes DSA, which allows you to
find a list of potential targets of an indirect call. It is worth noting,
however, that such a process is an over-approximation, and can
sometimes be incomplete (e.g. indirect call to another module, loss of
precision).

Also, John Criswell mentioned multiple issues [2] regarding the loss of
precision of DSA, because of assumptions it made on the LLVM IR when it
was originally written.

Anyway, I managed to make the current version of poolalloc work with
LLVM 3.7 with some minor patches (but I think DSA can be built on its
own without modifications).

[1] https://github.com/llvm-mirror/poolalloc
[2] http://lists.llvm.org/pipermail/llvm-dev/2015-May/085359.html