[cfe-dev] [analyzer] constructing svals

Jordan Rose jordan_rose at apple.com
Fri Feb 28 09:54:33 PST 2014 

Hi, Michael. The analyzer tracks the values of expressions in a map from Expr* (actually Stmt*) to SVal called the Environment, which is part of the ProgramState. In order to keep the Environment small, expressions that have already been evaluated are cleared out of the current state at certain points in the program. That means you can't rely on being able to get the value of anything other than your immediate subexpressions.

The next logical step is to try to move backwards through the ExplodedGraph until you find a node that still references the expression you want to look at. However, that's not guaranteed to be present, either: ExplodedNodes are trimmed out of the graph unless they are "interesting" in some way (for example, they have been generated by a checker and may be referenced in a bug report later). So you can't rely on any node still referencing the value of a particular expression several steps down the line—only immediate subexpressions.

Is there anything in particular you're trying to do here, or was it just experimentation that didn't pan out?

Jordan


On Feb 27, 2014, at 16:17 , Michael Katelman <katelman at gmail.com> wrote:

> I'm having some trouble understanding exactly under what circumstances I can construct a "known" sval for various expressions.
> 
> Here's a concrete example that I ran into and was surprised about:
> 
> int f(float x){
>   return (int)x;
> }
> 
> int main(int argc, char** argv){
>    int x = -1;
>    f(x);
>    return 0;
> }
> 
> I then created a checker that registered for the PreCall check. When checkPreCall was invoked, Call.getArgSVal(0) is unknown, which makes sense to me because the system doesn't reason about floating-point, however, I was surprised that this also results in an unknown value (regardless of it's overall sensibility):
> 
> C.getState()->getSVal(dyn_cast<ImplicitCastExpr>(Call.getArgExpr(0)->getSubExpr()))
> 
> Indeed, if I change the definition of f so that it becomes:
> 
> int f(int x){
>   return x;
> }
> 
> Then Call.getArgSVal(0) is known and insofar as I can tell should be equivalent to the above in the earlier context. I'd be interested to understand why that's not the case and in general what expressions can be converted to usable svals during the check calls.
> 
> Thanks!
> 
> -Mike
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20140228/44074f73/attachment.html>

More information about the cfe-dev mailing list