[cfe-dev] Static Analyzer: pointer alias assignment

Gábor Kozár kozargabor at gmail.com
Tue Jul 23 10:33:29 PDT 2013


Hi Anna,

I'm building a checker that detects inconsistent pointer usages, for
example when a pointer is dereferenced, then along the same path is
null-checked (without its value changing in between, obviously). Code
example:

Foo* f = getFoo();
f->bar();

if(f) // warn
{ ... }

I want to be able to do this with aliases as well, for example:

Foo* f = getFoo();
f->bar();

Foo* g = f;
if(g) // warn
{ ... }

What I need is to be able to get the SVals representing 'f' and 'g' when
checkBind is called on the Foo* g = f; line. Currently, instead of 'f',
Clang gives me the value that was bound to 'f'.

Thanks for your help!


2013/7/23 Anna Zaks <ganna at apple.com>

>
> On Jul 23, 2013, at 9:21 AM, Gábor Kozár <kozargabor at gmail.com> wrote:
>
> During the analysis of a test code, the following two bindings happen
> (checkBind), with their respective source lines:
>
> (Bind: location <= value)
>
> Bind: &fp <= &SymRegion{conj_$4{struct Foo *}}
> Code: Foo* fp = getFooPtr();
>
> Bind: &ap <= &SymRegion{conj_$4{struct Foo *}}
> Code: Foo* ap = fp;
>
> In the second line, I need to detect that 'ap' is in fact the alias of
> 'fp'. Unfortunately, I cannot seem to find any way to get Clang SA to tell
> me that "&SymRegion{conj_$4{struct Foo *}}" is stored in "fp", which seems
> weird, because the source code is very clear.
>
>
> As you observe the two binds you see that the same value is stored in both.
>
> The analyzer does not perform alias analysis as in it does not build sets
> of aliases. As it models the execution in the presence of aliases, we did not
> find a need for the alias sets. Can you give a bit more background on why
> you need this info? Maybe your goal can be achieved differently?
>
>
> Some of the information I extracted, which is not really useful to me:
>  - original SVal: &SymRegion{conj_$4{struct Foo *}}
>  - getAsRegion(): SymRegion{conj_$4{struct Foo *}}
>  - state->getSVal(): &SymRegion{reg_$6<element{SymRegion{conj_$4{struct
> Foo *}},0 S32b,struct Foo *}>} -- in fact, I have no idea what this is
>  - getAsSymbol(): conj_$4{struct Foo *}
>
> As a workaround, I can keep track of this information myself, but there
> must be a built-in way to do this.
> Any help would be appreciated. Many thanks!
>
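
The observation in the quoted reply, that both binds carry the same value (conj_$4), suggests keying the "already dereferenced" fact on the symbol rather than on the variable. The following is an added illustration, not code from this thread or from Clang: PathState and its methods are hypothetical names in a toy model of one analysis path, not the analyzer's API.

```cpp
#include <map>
#include <set>
#include <string>
#include <vector>

// Toy model (constructed for illustration): variables are bound to symbolic
// values, the way both binds in the thread carry the same conj_$4.
using Symbol = int;

struct PathState {
    std::map<std::string, Symbol> store;  // variable -> symbol it holds
    std::set<Symbol> dereferenced;        // symbols dereferenced on this path
    std::vector<std::string> warnings;
    Symbol nextSymbol = 1;

    // Foo* v = getFoo();  -> fresh (conjured) symbol of unknown nullness
    void bindFresh(const std::string &v) { store[v] = nextSymbol++; }

    // Foo* dst = src;  -> dst receives the same symbol; no alias set is built
    void bindCopy(const std::string &dst, const std::string &src) {
        store[dst] = store.at(src);
    }

    // v->bar();  -> record the symbol, not the variable name
    void deref(const std::string &v) { dereferenced.insert(store.at(v)); }

    // if (v)  -> warn when the same symbol was dereferenced earlier
    bool nullCheck(const std::string &v) {
        if (dereferenced.count(store.at(v)) == 0) return false;
        warnings.push_back("'" + v + "' null-checked after dereference");
        return true;
    }
};

// Second snippet from the message: f is dereferenced, its alias g is checked.
bool aliasCaseWarns() {
    PathState s;
    s.bindFresh("f"); s.deref("f"); s.bindCopy("g", "f");
    return s.nullCheck("g");
}

// Value changed in between: f is rebound before the check, so no warning.
bool rebindCaseWarns() {
    PathState s;
    s.bindFresh("f"); s.deref("f"); s.bindFresh("f");
    return s.nullCheck("f");
}
```
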