[cfe-dev] C++ analysis priorities

Jean-Daniel Dupas devlists at shadowlab.org
Fri Jan 13 15:47:31 PST 2012

Le 13 janv. 2012 à 23:28, Anna Zaks a écrit :

> Having annotations is something we are definitely interested in. 
> I think, one reason why we still do not have them is that designing expressive enough annotations is not a trivial task. Writing an effective checker for the most popular functions first would provide feedback on what they should be.
> Do you have examples on the specific scenarios on what you'd like to annotate (or are you mostly talking about the malloc/free like pairs)?

AFAIk, if this is for malloc/free pairs, you can use the ownership attributes (ownership_holds, ownership_returns, ownership_takes).

void __attribute((ownership_returns(malloc))) *malloc(size_t);
void __attribute((ownership_takes(malloc, 1))) free(void *);

If you have your own allocator that is not malloc based, you can use an other identifier.

void __attribute((ownership_returns(my_pool))) *my_malloc(size_t);
void __attribute((ownership_takes(my_pool, 1))) my_free(void *);

> Thanks,
> Anna.
> On Jan 13, 2012, at 10:55 AM, Ahmed Charles wrote:
>> Slightly off topic, but something I've been wondering for a while.
>> Without actually investing this, but instead just reading the list, it
>> seems that most of the checkers that are written are specific to known
>> functions. For example, the malloc checker works for known allocation
>> functions rather than arbitrary ones. Is there a reason why there isn't
>> an effort to make this more extensible so that any function that is
>> annotated to be an allocation function can benefit from the malloc
>> checker (other than the obvious issue of resources and prioritization)?
>> And similar for other checkers. I'm mostly interested in why this
>> possibility is never explicitly talked about.
>> From: Ted Kremenek
>> Sent: 1/11/2012 9:08 PM
>> To: Tom Care
>> Cc: cfe-dev at cs.uiuc.edu
>> Subject: Re: [cfe-dev] C++ analysis priorities
>> On Jan 11, 2012, at 5:47 PM, Tom Care wrote:
>>> Hi all,
>>> I'm looking at possibly contributing to C++ analysis support over the next few months as part of a master's project. I have a rough idea of things that need to be implemented, but I am not sure how to prioritise them. I am hoping that the community can assist me here - what is currently stopping your programs from being analyzed?
>>> My general goal is to implement features that will assist in analyzing the LLVM/Clang codebase, however looking at the current code it seems that existing support for some language features will have to be improved as well (eg ctor/dtors.)
>>> Thanks,
>>> Tom
>> Hi Tom,
>> I see that C++ support can grow in largely two directions:
>> (1) Core infrastructure, with interprocedural support for inlining C++
>> constructors/destructors to support RAII.  This entails a bunch of
>> intermediate infrastructure work to get there.
>> (2) Checkers.  Having C++-specific checkers will make the analyzer
>> more useful for C++ developers.  This could be as simple as catching
>> mismatches between new[] and delete/new and delete[], and many others,
>> including providing checkers for correct usage of widely used C++ APIs
>> (e.g., Boost).
>> I think both are worth making progress on, and to do (2) some progress
>> will likely need to be made on (1).
>> As far as infrastructure work, here are some areas that need work:
>> (a) Better representation of C++ constructor and destructor calls in
>> the CFG.  There is a bunch already there, but as it has been observed
>> on the list lately there are serious deficiencies and outright bugs.
>> Ideally we should be able to represent the complete initialization
>> logic of a constructor in the CFG, from calling the constructor of a
>> parent class to correctly sequencing the initializers.
>> Along this trajectory, there are various optimizations we can do to
>> the CFG representation itself to make it easier to represent
>> destructor calls.  What we do know is a bit complicated, IMO.
>> (b) ExprEngine "inlining" support for C++ constructors/destructors.
>> Interprocedural analysis is one area we would like to grow the
>> analyzer, and one technique to do that is to simply "inline" function
>> calls for function bodies that are available.  Some of this has been
>> prototyped in the analyzer already, and there is currently work on
>> making it more solid, at least for inlining simple functions.  Being
>> able to do this *well* for simple C++ objects that are used for RAII,
>> for example, will be really critical for making some checkers really
>> shine for C++.
>> (c) Support for additional C++ expressions.  In ExprEngine::Visit(),
>> you can see a whole bunch of C++ AST expression kinds that are simply
>> not handled, and halt static analysis altogether:
>>   case Stmt::CXXBindTemporaryExprClass:
>>   case Stmt::CXXCatchStmtClass:
>>   case Stmt::CXXDependentScopeMemberExprClass:
>>   case Stmt::CXXPseudoDestructorExprClass:
>>   case Stmt::CXXThrowExprClass:
>>   case Stmt::CXXTryStmtClass:
>>   case Stmt::CXXTypeidExprClass:
>>   case Stmt::CXXUuidofExprClass:
>>   case Stmt::CXXUnresolvedConstructExprClass:
>>   case Stmt::CXXScalarValueInitExprClass:
>>   case Stmt::DependentScopeDeclRefExprClass:
>>   case Stmt::UnaryTypeTraitExprClass:
>>   case Stmt::BinaryTypeTraitExprClass:
>>   case Stmt::ArrayTypeTraitExprClass:
>>   case Stmt::ExpressionTraitExprClass:
>>   case Stmt::UnresolvedLookupExprClass:
>>   case Stmt::UnresolvedMemberExprClass:
>>   case Stmt::CXXNoexceptExprClass:
>>   case Stmt::PackExpansionExprClass:
>>   case Stmt::SubstNonTypeTemplateParmPackExprClass:
>>   case Stmt::SEHTryStmtClass:
>>   case Stmt::SEHExceptStmtClass:
>>   case Stmt::SEHFinallyStmtClass:
>> Further, there are some AST expressions we handle, but don't do a good job:
>>  // We don't handle default arguments either yet, but we can fake it
>>   // for now by just skipping them.
>>   case Stmt::SubstNonTypeTemplateParmExprClass:
>>   case Stmt::CXXDefaultArgExprClass:
>> and support for C++ lambdas as they become real in Clang.
>> Infrastructure is only part of the story; ultimately people want to
>> find bugs.  Some possible checkers include:
>> (1) mismatched new/delete[] new[]/delete, or malloc() and delete, etc.
>> (2) productizing the invalid iterator checker
>> (3) making sure a destructor blows away everything a constructor
>> creates/initializes.  This is a hard one, but could be REALLY useful
>> if done well.  This could easily take up a good portion of your thesis
>> work, and would be interesting work to write about.
>> (4) Various checks for "Effective C++" rules.
>> (5) securely using std::string, i.e.
>> http://www.cert.org/archive/pdf/sd-bestpractices-strings060914.pdf
>> (6) CERT's C++ secure coding standard,
>> https://www.securecoding.cert.org/confluence/pages/viewpage.action?pageId=637,
>> lots of potential checks here, not all of them specific to c++, but
>> general goodness.
>> Cheers,
>> Ted
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-- Jean-Daniel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20120114/a6a5c0e6/attachment.html>

More information about the cfe-dev mailing list