I am looking for a tool that generates the call graph for an application and includes the kernel functions as well. More specifically, I'm interested to know how many times a function was called. Is there a way to do that with callgrind? Or any other suggestion?
Related
I am trying to tinker with some library code written in C++. A fairly complex application sits on top of the library. To tinker with the code, I often need to understand how a library function has been used throughout the codebase, and make sure that I am not breaking any downstream clients.
Suppose foo() is exported from my library's dll. In client code, bar() calls foo(), and baz() calls bar(). I need to make sure that bar and and baz both work after my changes. In my case, the call stack actually is quite deep, and not easy to manually trace because there is not one call stack, there are numerous ways my library function can land at the top of a call stack.
Using either Visual Studio, or g++, or clang, is there a way to generate a tree such that my library function is at the root, and the branches are all the various ways my function can land at the top of the call stack? I mean does such a feature already exist in one of the popular toolchains? If not, do you know any other way of generating such a tree?
I don't think any of the compilers have options to generate this information.
In the general case, there are many confounding factors that would make this very difficult:
If there's recursion in the code, then the tree you want is actually a graph/network with cycles.
Virtual methods, function pointers, and member function pointers probably make this the equivalent of the halting problem. If you have two concrete classes A and B that share a common base class that offers virtual method foo(), then you'd have to do exhaustive analysis to determine whether a particular call of foo() through a pointer or reference to the base class should be counted as a call to A::foo() or B::foo() or both. Ditto for the various flavors function pointers.
If you rely on system or other third-party libraries that can call back into your code, you'd better have source for them. For example, a Windows GUI program typically has window procedures that are called from system code, possibly in response to a call from your code into the system. Since you don't wouldn't have the windows sources, you'd have to assume that any and all of your callbacks could be called at any time, and thus your "tree" would have many roots.
The modern way to deal with this is not to analyze all the ways your library can be called, but to document all the ways it should be called. Build a test suite that calls the library in all the reasonable ways you want to support. Then you can tinker and then run your test suite to see if you've broken the library's contract. If, in integration testing, you find a client of the library that's broken by your changes, it indicates the test suite is incomplete or the client is calling the library in an unsupported way.
I use C++ to address the following task:
I'd like to get the list of all API functions, which are used by the particular process. It can be any Windows 7 process - 32 or 64 including system processes.
So far, the only solution I see - is to create a kernel driver to intercept all possible APIs, listen them for some time and check if particular process called them. It won't guarantee me full list of APIs of that process, but at least will give me some of them.
This method looks dangerous and not effective.
If there is any simpler way to deal with that task? If there is a way to get a full list of APIs of the process, not just the ones called during some time?
Thank you.
No, it's not possible, at least in any meaningful or general sense.
I can write a program that (for example) takes interactive input from the user in the form of a string, then uses GetProcAddress to find the address of a function by that name, and invokes that function.
Note that although using interactive input to read function names is fairly unusual, reading them from some external file is quite a bit more common.
Also note that a kernel driver isn't really the correct place to look either. If you want to do this, you want to intercept at the level of the DLLs used by the program.
One possibility is to create a "shadow" DLL for every DLL to which the program links statically. Then if it calls LoadLibrary/GetProcAddress, you can dynamically intercept those calls to determine what functions it's calling in them, and so on.
This still won't get an absolute result, since it could (as outlined above) get data at runtime to find functions in one execution that it doesn't use in another.
If you want an existing tool to do (approximately) that, consider depends.exe. It's been around for quite a while, and works quite well.
I have a very large C++ program where certain low level functions should only be called from certain contexts or while taking specific precautions. I am looking for a tool that shows me which of these low-level functions are called by much higher level functions. I would prefer this to be visible in the IDE with some drop down or labeling, possibly in annotated source output, but any easier method than manually searching the call-graph will help.
This is a problem of static analysis and I'm not helped by a profiler.
I am mostly working on mac, linux is OK, and if something is only available on windows then I can live with that.
Update
Just having the call-graph does not make it that much quicker to answer the question, "does foo() potentially cause a call to x() y() or z()". (or I'm missing something about the call-graph tools, perhaps I need to write a program that traverses it to get a solution?)
There exists Clang Static Analyzer which uses LLVM which should also be present on OS X. Actually i'm of the opinion that this is integrated in Xcode. Anyway, there exists a GUI.
Furthermore there are several LLVM passes, where you can generate call graphs, but i'm not sure if this is what you want.
The tool Scientific Toolworks "Understand" tool is supposed to be able to produce call graphs for C and C++.
Doxygen also supposedly produces call graphs.
I don't have any experience with either of these, but some harsh opinions. You need to keep in mind that I'm a vendor of another tool, so take this opinion with a big grain of salt.
I have experience building reasonably accurate call graphs for massive C systems (25 million lines) with 250,000 functions.
One issue I encounter in building a realistic call graph are indirect function calls, and for C++, overloaded method function calls. In big systems, there are a lot of both of these. To determine what gets called when FOO gets invoked, your tool has to have to deep semantic understanding of how the compiler/language resolves an overloaded call, and for indirect function calls, a reasonably precise determination of what a function pointer might actually point-to in a big system. If you don't get these reasonably right, your call graph will contain a lot of false positives (e.g., bogus claims of A calls B), and on scale false positives are a disaster.
For C++, you must have what amounts to the full compiler front end. Neither Understand or Doxygen have this, so I don't see how they can actually understand C++'s overloading/Koenig lookup rules. Neither Understand or Doxygen make any attempt that I know of to reason about indirect function calls.
Our DMS Software Reengineering Toolkit does build calls graphs for C reasonably well, even with indirect function pointers, using a C-language precise front end.
We have C++ language precise front end, and it does the overload resolution correctly (to the extent the C++ committee agrees on it, and we understand what they said, and what the individual compilers do [they don't always agree]), and we have something like Doxygen that shows this information. We don't presently have function pointer analysis for C++ but we are working on it (we have full control flow graphs within methods and that's a big step).
I understand CLANG has some option for computing call graphs, and I'd expect that to be accurate on overloads since Clang is essentially a C++ compiler implemented with a bunch of components. I don't know what, if anything Clang does to analyze function pointers.
I want to parse current c++ files in a project and list out all the methods/functions in it and then generate the function call and caller trees.
F.g. you can refer how doxygen generates the call tree.
I have checked gccxml but it doesn't list the functions called from another function.
Please suggest me some lightweight tools (open source) which I can use it.
thanks!
The static call tree isn't necessarily the runtime call tree. Callbacks and virtual functions muddy the water. So static analysis can only give you part of the answer.
The only way I've ever been able to get a reliable call tree was to run gprof on the compiled executable. The output can be massaged into a very accurate call tree.
gccxml, currently, essentially ignores function bodies (including calls to other functions). A good overview of C++ parsing options currently available is here -- not necessarily a bearer of good news, but recommended reading.
You mention Doxygen. Why not use that?
I probably misunderstood , but visual studio have something similar.
Right Click a function and select Call Browser.
It's impossible to provide a full call tree analysis for an application that's dependent on asynchronous event reception. This is way we have test. Even in the simplest cases where the application is fully deterministic this could be a relatively daunting task and I would argue provide marginal value. Then how would you analyze the results? To what effect?
I was wondering if its possible / anyone knows any tools out there to compare the execution of two related programs (for example, assignments on a class) to see how similar they are. For example, not to compare the names of functions, but how they use syscalls. One silly case of this would be testing if a C string is printed as (see example below) in more than one case one separate program.
printf("%s",str)
Or as
for (i=0;i<len;i++) printf("%c",str[i]);
I havenĀ“t put much thought into this, but i would imagine that strace / ltrace (maybe even oprofile) would be a good starting point. Particularly, this is for UNIX C / C++ programs.
Thanks.
If you have access to the source code of the two programs, you may build a graph of the functions (each function is a node, and there is an edge from A to B if A calls B()), and compute some graph similarity metrics. This will catch a source code copy made by renaming and reorganizing.
An initial idea would be to use ltrace and strace to log the calls and then use diff on the logs. This would obviously only cover the library an system calls. If you need a more fine granular logging, the oprofile might help.
If you have access to the source code you could instrument your code by compiling it with profiling information and then parse the gcov output after the runs. A pure static source code analysis may be sufficient if your code is not taking different routes depending on external data/state.
I think you can do this kind of thing using valgrind.
A finer-grained version (and depending on what is the access to the program source and what you exactly want in terms of comparison) would be to use kprobes.
Kernel Dynamic Probes (Kprobes) provides a lightweight interface for kernel modules to implant probes and register corresponding probe handlers. A probe is an automated breakpoint that is implanted dynamically in executing (kernel-space) modules without the need to modify their underlying source. Probes are intended to be used as an ad hoc service aid where minimal disruption to the system is required. They are particularly advocated in production environments where the use of interactive debuggers is undesirable. Kprobes also has substantial applicability in test and development environments. During test, faults may be injected or simulated by the probing module. In development, debugging code (for example a printk) may be easily inserted without having to recompile to module under test.