Write a source sink analyzer

Yusuke Uchida edited this page Dec 12, 2023 · 16 revisions

Writing a source-sink analyzer becomes fairly easy on top of our interprocedural sparse value-flow graph (SVFG). You may wish to refer to the detailed implementation in LeakChecker.cpp and ProgSlice.cpp as an example.

To compute boolean value-flow guards, we use the CUDD-2.5.0 package (Binary Decision Diagrams, BDDs) to encode path conditions.

1. First, we need to build the SVFG using Andersen's pointer analysis:

```cpp
// Header paths follow the SVF source layout this API belongs to; adjust them
// if your SVF checkout organises its headers differently.
#include "SVF-FE/PAGBuilder.h"
#include "WPA/Andersen.h"
#include "SABER/SaberSVFGBuilder.h"

PAGBuilder builder;
SaberSVFGBuilder memSSA;
PAG* pag = builder.build(module);
AndersenWaveDiff* ander = AndersenWaveDiff::createAndersenWaveDiff(pag);
// Pointer-only SVFG; use memSSA.buildFullSVFGWithoutOPT(ander) to build the
// SVFG with scalar variables as well.
SVFG* svfg = memSSA.buildPTROnlySVFG(ander);
```

2. Then, we choose a set of candidate source and sink SVFGNodes:

```cpp
// Simple code to iterate the outgoing value-flow edges of an SVFGNode, e.g. to
// walk from a candidate source (such as a malloc call site) towards sinks.
for (SVFGNode::const_iterator it = node->OutEdgeBegin(), eit = node->OutEdgeEnd(); it != eit; ++it) {
    const SVFGEdge* edge = *it;
    const SVFGNode* succ = edge->getDstNode();
    // visit succ (e.g. push it onto a worklist for the traversal)
}
```

3. Finally, we perform an all-path reachability analysis using the AllPathReachableSolve method (ProgSlice class) to compute value-flow guards via the following three methods, applied iteratively until a fixed point is reached:

  • ComputeInterCallVFGGuard
  • ComputeInterRetVFGGuard
  • ComputeIntraVFGGuard
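The following is an added example, not code from SVF, that shows what the three steps above compute on a small hand-built value-flow graph. It replaces the real SVFG with a tiny adjacency list whose edges carry branch conditions, replaces CUDD BDDs with a 64-bit truth table over at most six condition variables (exact for that size), and implements only the intraprocedural part of the guard computation (the analogue of ComputeIntraVFGGuard): the guard of a node is the OR over its incoming edges of the predecessor's guard AND the edge condition, iterated to a fixed point. On top of that it performs the leak classification Saber's LeakChecker describes, reporting a never-free case when no sink is reachable and a partial leak when the union of the sink guards is not a tautology. All names, the graph and its conditions are constructed for this example.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <vector>

// A value-flow guard is a boolean formula over branch conditions c0..c5.
// SVF encodes these with CUDD BDDs; this example (an assumption, not SVF's
// representation) uses a 64-bit truth table, exact for up to 6 variables.
using Guard = uint64_t;
constexpr Guard kTrue = ~Guard(0);
constexpr Guard kFalse = 0;

// Truth table of variable c_i: bit b is set iff bit i of assignment b is 1.
Guard condVar(int i) {
    Guard g = 0;
    for (unsigned b = 0; b < 64; ++b)
        if ((b >> i) & 1) g |= Guard(1) << b;
    return g;
}
Guard condNot(Guard g) { return ~g; }

// Stand-in for the SVFG: integer node ids, each edge labelled with the
// condition under which the value flows along it.
struct VFGEdge { int dst; Guard cond; };
struct VFG {
    std::map<int, std::vector<VFGEdge>> out;
    void addEdge(int s, int d, Guard c) { out[s].push_back({d, c}); }
};

// All-path reachability with guards, iterated until no guard changes:
//   reach[v] = OR over edges (u->v) of (reach[u] AND cond(u,v))
std::map<int, Guard> allPathReachable(const VFG& g, int src) {
    std::map<int, Guard> reach;
    reach[src] = kTrue;
    bool changed = true;
    while (changed) {
        changed = false;
        for (const auto& kv : g.out) {
            auto it = reach.find(kv.first);
            if (it == reach.end()) continue;   // predecessor not reached yet
            Guard gu = it->second;
            for (const VFGEdge& e : kv.second) {
                Guard before = reach[e.dst];   // defaults to kFalse
                Guard after = before | (gu & e.cond);
                if (after != before) { reach[e.dst] = after; changed = true; }
            }
        }
    }
    return reach;
}

struct LeakReport {
    bool neverFree;    // no sink reachable on any path
    bool partialLeak;  // some, but not all, paths reach a sink
    Guard leakCond;    // condition under which the allocation is not freed
};

// Leak classification in the style of LeakChecker: OR the guards of all
// sinks reachable from the source and compare against the tautology.
LeakReport checkLeak(const VFG& g, int src, const std::vector<int>& sinks) {
    std::map<int, Guard> reach = allPathReachable(g, src);
    Guard freed = kFalse;
    for (int s : sinks) {
        auto it = reach.find(s);
        if (it != reach.end()) freed |= it->second;
    }
    return { freed == kFalse, freed != kFalse && freed != kTrue, condNot(freed) };
}

// Constructed sample graph (not from SVF): node 0 is the malloc result; it is
// freed at node 2 on the `if (c0)` branch and at node 4 on the else branch,
// but only when c1 also holds; node 5 is a path where p is never freed.
VFG sampleGraph() {
    VFG g;
    Guard c0 = condVar(0), c1 = condVar(1);
    g.addEdge(0, 1, c0);           // then-branch
    g.addEdge(1, 2, kTrue);        // free(p)                 [sink]
    g.addEdge(0, 3, condNot(c0));  // else-branch
    g.addEdge(3, 4, c1);           // free(p) only if c1      [sink]
    g.addEdge(3, 5, condNot(c1));  // p escapes unfreed
    return g;
}

int main() {
    LeakReport r = checkLeak(sampleGraph(), 0, {2, 4});
    std::cout << "never-free: " << r.neverFree
              << ", partial leak: " << r.partialLeak
              << ", leak when (!c0 && !c1): "
              << (r.leakCond == (condNot(condVar(0)) & condNot(condVar(1)))) << "\n";
    return 0;
}
```

Reading the result: the union of the sink guards is c0 OR (NOT c0 AND c1) = c0 OR c1, which is not the tautology, so the checker reports a partial leak on the paths where both conditions are false. Swapping the truth tables for BDDs and the toy graph for the real SVFG (with the call and return edges handled by ComputeInterCallVFGGuard and ComputeInterRetVFGGuard) is what turns this sketch into the SVF analysis.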