[cfe-commits] [PATCH] Set region size in GRRegionVals transfer function

Ted Kremenek kremenek at apple.com
Thu Nov 6 19:46:54 PST 2008

On Nov 6, 2008, at 7:06 PM, Zhongxing Xu wrote:

> The nice thing about this approach is that it piggybacks on NonLoc.   
> This means it can represent extents whose size is an integer  
> constant, a symbol, an expression (e.g., $1 + 2), unknown extents,  
> etc.
> I like this approach. It is similar to my original thought: an  
> Extent is just a NonLoc. BTW, what is ElementSizeBits for? Does it  
> describe the size of element of array or the number of elements in  
> an array?

It is the size, in bits, of one element.  This would be used by  
getElementsSize() (which maybe should be named getSizeInElements();  
same for getSizeInBytes(), getSizeInBits()).

> The extent for a variable is obvious while the extent for a malloced  
> region is not. We should make it clear whether we want all the  
> extent data be maintained by the GDM. If so, whether we do the lazy  
> mapping or eager mapping.

I think we can take a hybrid approach; ultimately it is up to an  
implementation of StoreManager, since it knows what extents it wants  
to manage/reason about.  Whether or not we even use the GDM is up to a  
particular implementation of StoreManager.

A VarRegion has an obvious extent that a StoreManager can return  
without have to store anything explicitly in a map.  A malloced region  
would need to have the StoreManager be informed of the extent, either  
through setExtent, or when the region is created.

> Calling setExtent() after we create a new region everytime is the  
> eager approach. Setting the extent after the first time we query for  
> it is the lazy approach.
> But there is a problem with the lazy approach. Note that for a  
> getExtent() we not only return the extent but also need to return a  
> new GRState, because we might add a new GDM mapping for the extent.

My thought was that the lazy approach would only apply when the extent  
is obvious.  That is, there is enough information, embedded in the  
region itself, to not have to explicitly record it in a side map.  We  
only need a side map for regions whose extents are not so obvious.

By lazy, we're just talking about whether or not the extent is in a  
side map, but that really is an implementation detail of how a  
StoreManager object retrieves the extent for a region.  Consider a few  

(a) We want the extent for a VarRegion.  No side information needed.   
Just use (within StoreManager::getExtent) the ASTContext object to  
determine the size of the variable for the VarRegion.  The same goes  
for most of the Typed Regions.

(b) We create a new region to represent some piece of dynamically  
allocated memory.  We can:

(1) use setExtent(), after we create the region, to explicitly  
register the extent of the region in GRState.  This seems fine, as  
this would just get bundled up for the transfer function logic for  
malloc(), alloca(), etc.

(2) The literal act of creating the region also returns a new GRState  
object with the extent in the GRState (if it is needed).

I personally like (b1), since (b2) requires a client to reason about  
both using  new GRState object and the extent.  Using GRStateRef  
simplifies things, but I can see this being the source of subtle bugs.

The nice thing about (b1) is that it transfers some of the  
responsibility of reasoning about extents to clients who know about  
functions that create blocks of memory with extents.  There are a ton  
of different allocator functions, etc., that can conceptually create  
regions with extents.  No StoreManager should know about these  
functions.  So, for cases where an analysis/checker has specific  
knowledge about the extent of a region, it can inform StoreManager  
about it using setExtent().

I actually don't think a hybrid approach is not all that difficult to  
implement.  A switch statement on the kind of a region should be  
enough to determine when we can determine the extent of a region  
simply from the MemRegion object itself or we need to look in a side  

More information about the cfe-commits mailing list