[cfe-dev] Reporting a bug found at EndPath at its correct location

Jordan Rose jordan_rose at apple.com
Mon Sep 16 18:13:52 PDT 2013


I hate to say this, but you're not going to be able to do this as a usual path-sensitive check. The main analyzer checkers are good at finding "is X true on any path", but not so good at "is X true on all paths". There are plenty of cases where the analyzer might not explore all possible paths:

- The function is too big.
- There's a construct the analyzer can't model (try-catch)
- For efficiency, simplifying assumptions have been made that won't be true in real life.
- For efficiency, not all functions are analyzed as top-level, which means certain paths might not be taken due to known argument values.

And there are cases where the general rule isn't going to help:

- The region being stored to isn't a local variable.
- The address of the region escapes but not the region itself.

I think what you want is something more like the current DeadStoresChecker, which uses custom transfer functions to walk the CFG and detect if a store ever goes unread. It's flow-sensitive, not path sensitive, but is there anything in particular that you want it to do that it doesn't already?

Jordan


On Sep 16, 2013, at 7:31 , YuvalShahar <yuval.shahar.007 at gmail.com> wrote:

> I am trying to solve a problem LIKE "unused variables": A symbol is assigned
> a value and the value is never used.
> 
> For such a problem I need to track:
>  Assignments: mark LHS as "assigned a value".
>  Statements: for each symbol used in the expression, remove its "assigned a
> value" property.
>  EndPath: report each symbol that is marked "assigned a value".
> 
> The problem is that the report appears at the end of the path and not at the
> point of the assignment.
> 
> On attempting to solve this problem I tried:
>  Assignments: mark LHS as "assigned a value"; attach an ExplodedNode
> marking the assignment location.
>  Statements: for each symbol used in the expression, remove its "assigned a
> value" property.
>  EndPath: report each symbol that is marked "assigned a value", using the
> previously attached ExplodedNode.
> 
> I would like to hear your opinions about these reporting scheme:
> - Would this scheme work?
> - Is it expensive in memory?
> - Is there a preferred scheme?
> 
> Thanks.
> 
> 
> 
> 
> --
> View this message in context: http://clang-developers.42468.n3.nabble.com/Reporting-a-bug-found-at-EndPath-at-its-correct-location-tp4034472.html
> Sent from the Clang Developers mailing list archive at Nabble.com.
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20130916/f32880a0/attachment.html>


More information about the cfe-dev mailing list