Search code examples

Generating Define-Use Paths for C Code coverage analysis

How is it possible to generate uncovered Define-Use Paths for C Code (using e.g. gcc). As I saw this subject is only academic. (unlike line coverage)



  • You need a tool that can determine for every definition, all the possible uses (e.g., computes Def-Use pairs) in the code, associate with each Def-Use pair the variable defined and the program location (file, line, column) of Def and Use points.

    Then for each def-use pair, you need to add instrumentation ("probes") to the program that records the use of that def-use pair, when it gets used (usually near the use), as some kind of boolean variable specific to that def-use pair. Because there are lot of these it is useful to organize the individual booleans as a boolean array. (Obvious optimization to minimize the number inserted probes: a basic block, when executed, will satisfy many def-use pairs; a boolean representing execution of the basic block [block coverage] can stand in as set of def-use pairs. I'm sure there are other similar optimizations.).

    After running the program, one has to dump these boolean variables, compute the actual def-use information (e.g., including using the block coverage data), and then display it.

    A standard scheme for modifying the program to do this with source-to-source program transformations. My paper Branch Coverage for Arbitrary Languages Made Easy shows how to do this with our DMS Software Reengineering Toolkit and its style of rewrite rules. The paper focuses on branch (block) coverage, but the instrumentation aspect is fine. A typical transformation rule used looks like this:

    rule mark_if_then_else(condition:expression; tstmt:statement; estmt:statement)=
       “if (\condition) \tstmt else \estmt;”
    rewrites to
       “if (\condition)
           { visited[\new_place\(\tstmt\)]=1;
           { visited[\new_place\(\estmt\)]=1;

    This rule modifies and if-then-else construct to collect "visited" booleans for each conditionally executed block (then and else clauses) generating a new index for each new block. The \xxxx means "an arbitrary code structure of syntax type ssss if the transformation rule signature (first line) declares ssss:xxxx. You can see more information on the precise syntax and meaning of the DMS rewrite rules here.

    It turns out getting def-use information is hard; you need what amounts to a compiler front end thus OP's mention of GCC. GCC won't do source-to-source transformations but you can get essentially the same effect with source-to-binary transformations as gcov does, by modifying the GCC sources with procedural code to add the probes. In general, though, GCC doesn't want to help you do this kind of custom instrumentation.

    I don't know, but I'm pretty sure Clang computes def-use information. It is possible to do source to source transformations with Clang but I have no experience with that.

    I do know that our DMS does compute def-use information for C and C++. That and its ability to do source-to-source transformations would make building a def-use coverage tool technically straightforward. (Not asked, but DMS also computes control flows, so one could also do path coverage straightforwardly.)

    Then there is the problem of building a display tool. You need something that can show the def use pairs and their status, probably associated with/superimposed on the the code so it is easy to understand each def and use. So you need to record line and column-precise information about the location of each def and use. I don't think you can get that from GCC; it doesn't have that information in the binary, but maybe it has it in the its constructed AST. You can get column information from DMS and Clang (I think).