[cfe-dev] usage of clang in an university project
Nuno Lopes
nunoplopes at sapo.pt
Sun Nov 18 09:39:34 PST 2007
Hi again,
Sorry for my late response, but I've been busy with other stuff.
I'm writing firstly to make sure I want to do sane things and that they are
doable with current clang's CFG infrastructure.
For example, one of the errors I would like to detect is the following (from
a patch that fixed a crash in PHP):
- if (ZEND_NUM_ARGS() != 5 || zend_get_parameters_ex(4, &domain, &msgid1,
&msgid2, &count, &category) == FAILURE) {
+ if (ZEND_NUM_ARGS() != 5 || zend_get_parameters_ex(5, &domain, &msgid1,
&msgid2, &count, &category) == FAILURE) {
WRONG_PARAM_COUNT;
}
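Review bot: on the `-` line the count passed to zend_get_parameters_ex is 4 while five out-pointers (&domain, &msgid1, &msgid2, &count, &category) follow it and the guard requires ZEND_NUM_ARGS() == 5, so the fifth pointer, &category, was never populated before the code went on to use it; the `+` line's 5 makes the count match the pointer list. A comment tying the count to the number of pointers, or a helper that derives one from the other, would keep the two from drifting apart again.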
(ZEND_NUM_ARGS() is just an int variable).
My question is how can I track those values? I think that tracking them in a
more general way (e.g. var > 5; var2 < var1+3) needs a full SAT solver. But
simplifying things, is this doable with the PersistentMap, for example?
Also I would like to find memory overflow bugs, like:
char dest[10];
if (size <= 11)
memcpy(dest, input, size);
At the CallExpr, how do I know that 'size' is not sanitized correctly (i.e.
size <= sizeof(dest))?
Also, which example in the Analysis dir should I base my code on?
Thanks in advance,
Nuno
----- Original Message -----
>> Nuno,
>>
>> Currently clang has support for building CFGs from ASTs, and there is a
>> fairly generic dataflow solver in place for doing flow-sensitive dataflow
>> analyses (both forward and backward). Currently there are
>> implementations of both live variable analysis and uninitialized values
>> analysis built on this solver. I won't attest that the framework (or the
>> analyses built on it) is bug-free, nor that it is in the final form it
>> eventually will be in, but it certainly implements most of the
>> boilerplate for iterating over statements, merging dataflow values, etc.
>> We of course would welcome feedback if you decided to use this part of
>> clang, as the goal is to make that part of clang very powerful but also
>> easy to use.
>>
>> I'm more than happy to provide support if you are interested in using
>> this part of clang. I'm afraid that documentation is limited for this
>> part of clang, although I do plan on trying to remedy this problem (at
>> least partially) in the short term.
>>
>> Ted
>
> Thank you. I'll certainly try to use the CFG framework.
> I'll carefully read the Analysis directory files first and I'll get back to
> you if (well, when) I have some question.
>
> Thanks,
> Nuno
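The bounds-check question in the mail above, as an added example that is not part of the original thread or of clang: a small interval-domain analysis over a hand-written statement list (the `decl`/`if`/`memcpy` tuples are a constructed stand-in for the CFG, not clang's AST) that narrows `size` on the true edge of the guard and compares its upper bound with the destination size at the memcpy.

```python
INF = float("inf")  # unknown bound

def refine(env, var, op, const):
    """Narrow var's interval on the true edge of the guard `var op const`."""
    lo, hi = env.get(var, (-INF, INF))
    if op == "<=":
        hi = min(hi, const)
    elif op == "<":
        hi = min(hi, const - 1)
    elif op == ">=":
        lo = max(lo, const)
    elif op == ">":
        lo = max(lo, const + 1)
    return {**env, var: (lo, hi)}

def check_memcpy(buffers, env, dest, length_var):
    """Report when the length interval can exceed the destination buffer."""
    _, hi = env.get(length_var, (-INF, INF))
    cap = buffers[dest]
    if hi > cap:
        return f"memcpy into {dest}[{cap}]: {length_var} may be up to {hi}"
    return None

def analyse(program, env=None, buffers=None, findings=None):
    env = {} if env is None else env
    buffers = {} if buffers is None else buffers
    findings = [] if findings is None else findings
    for stmt in program:
        if stmt[0] == "decl":                 # ("decl", name, size_in_bytes)
            buffers[stmt[1]] = stmt[2]
        elif stmt[0] == "if":                 # ("if", var, op, const, body)
            _, var, op, const, body = stmt
            analyse(body, refine(env, var, op, const), buffers, findings)
        elif stmt[0] == "memcpy":             # ("memcpy", dest, length_var)
            finding = check_memcpy(buffers, env, stmt[1], stmt[2])
            if finding:
                findings.append(finding)
    return findings

# Constructed programs mirroring the snippet in the mail.
BUGGY = [("decl", "dest", 10),
         ("if", "size", "<=", 11, [("memcpy", "dest", "size")])]  # off by one
FIXED = [("decl", "dest", 10),
         ("if", "size", "<=", 10, [("memcpy", "dest", "size")])]  # size <= sizeof(dest)
UNGUARDED = [("decl", "dest", 10), ("memcpy", "dest", "size")]   # no check at all

if __name__ == "__main__":
    for name, prog in (("BUGGY", BUGGY), ("FIXED", FIXED), ("UNGUARDED", UNGUARDED)):
        print(name, analyse(prog) or "clean")
```

Comparing one variable against a constant is enough for this case without a SAT solver; a relational guard such as var2 < var1+3 would need a relational domain (octagons, for instance) rather than plain intervals.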