[cfe-dev] checkBind: distinguish between MemRegionVal/ElementRegion

Aitor San Juan aitor.sj at opendeusto.es
Wed May 7 05:00:31 PDT 2014


Hello,

After a bit of research, I've concluded the following:

Bearing in mind this signature:

void checkBind(SVal VLoc, SVal Val, const Stmt *S, CheckerContext &C) const;

Questions #1 and #2 in my previous message can be solved as follows:

   Optional<Loc> L = VLoc.getAs<Loc>();
   if (L) {
      // VLoc is of type Loc
      if (Optional<loc::MemRegionVal> MR = L->getAs<loc::MemRegionVal>()) {
         // VLoc isa MemRegionVal
         const MemRegion *R = MR->getRegion()->StripCasts();
         // Are we dealing with an ElementRegion?
         if (const ElementRegion *ER = dyn_cast<ElementRegion>(R)) {
            // VLoc is an ElementRegion
         } else {
            // VLoc is NOT an ElementRegion
         }
      } else {
         // VLoc is NOT a MemRegionVal
      }
   }

I'm a bit confused about SVals and SymbolRefs. I've read this thread (
http://lists.cs.uiuc.edu/pipermail/cfe-dev/2012-December/026641.html) which
is quite clarifying. I wonder what the difference is between the following
3 statements:

SymbolRef sym = L->getAsLocSymbol();
SymbolRef sym = VLoc.getAsLocSymbol();
SymbolRef sym = VLoc.getAsSymbol();

My goal is to be able to detect something like the following. For that, I'd
like the checker to store (as the checker's ProgramState info) a variable
name (symbol?). In the example below, when statement #1 is processed, the
checker should store "p" as a means of tracking "p" for future references.
Thus, the checker would be able to signal a warning when statement #2 is
processed:

1) p = "/tmp/file"; // p is declared as char *p;
2) *(p+3) = 'S';    // I'm aware this is undefined behavior

How can I get the symbolic value of variable "p"? I think the best is as a
SymbolRef (because, depending on variable scope, I might come across
another "p", but I'm unsure).

Any hint or suggestion would be highly appreciated.
Many thanks.



2014-05-05 11:09 GMT+02:00 Aitor San Juan <aitor.sj at opendeusto.es>:

> Hello,
>
> In a checker, I want to distinguish between these kinds of statements:
>
> 1) p = "/tmp/file"; // p is declared as char *p;
> 2) *(p+3) = 'S';    // I'm aware this is undefined behavior
>
> If I'm not wrong, I've decided that the best place to be aware of that is
> in a check::Bind event:
>
> void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const;
>
> In the first case above, the location Loc is a MemRegionVal, and in the
> 2nd, it is an ElementRegion.
>
> 1) To test if Loc is a MemRegionVal I use the following, but there's
> something wrong I can't figure out (it doesn't compile), and I'm stuck (as
> far as I know, MemRegionVal is a subclass of SVal):
>
> if (clang::isa<loc::MemRegionVal>(Loc)) ...
>
> 2) ElementRegion doesn't belong to the SVal class hierarchy. How can I
> know if Loc is an ElementRegion?
>
> Thanks a lot.
>
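A self-contained C++ model of the two bind shapes discussed in this message, added here as an illustration; it is not code from the post or from Clang. `Region`, `Model`, `Bind` and their members are hypothetical stand-ins, and the model assumes the pointer value stored for `p` is the address of an element of the string literal's region, so the write in statement 2 can be recognised from the bind location's super-region rather than from the name "p".

```cpp
#include <map>
#include <memory>
#include <vector>

// Simplified stand-ins for the analyzer's region kinds; NOT Clang's classes.
struct Region {
    enum Kind { Var, StringLit, Element } kind;
    const Region *super; // enclosing region (Element only, else nullptr)
    long index;          // element index (Element only, else 0)
};

enum class Bind { PlainRegion, ElementOfWritable, ElementOfStringLiteral };

class Model {
    std::vector<std::unique_ptr<Region>> pool;      // owns every region
    std::map<const Region *, const Region *> store; // pointer variable -> value
    const Region *make(Region::Kind k, const Region *sup, long i) {
        pool.emplace_back(new Region{k, sup, i});
        return pool.back().get();
    }
public:
    const Region *var() { return make(Region::Var, nullptr, 0); }
    const Region *literal() { return make(Region::StringLit, nullptr, 0); }
    // Address of element i of base; array-to-pointer decay is i == 0.
    const Region *element(const Region *base, long i) {
        return make(Region::Element, base, i);
    }
    // The dyn_cast<ElementRegion> test from the post, plus a super-region check.
    static Bind classify(const Region *loc) {
        if (loc->kind != Region::Element) return Bind::PlainRegion;
        return loc->super->kind == Region::StringLit
                   ? Bind::ElementOfStringLiteral : Bind::ElementOfWritable;
    }
    // Statement shape 1: p = <pointer value>. The bind location is p itself.
    Bind assign(const Region *p, const Region *value) {
        store[p] = value;
        return classify(p);
    }
    // Statement shape 2: *(p + off) = c. The bind location is computed from
    // the value held in p's region, so the spelling "p" is never consulted.
    Bind storeThrough(const Region *p, long off) {
        const Region *v = store.at(p);
        bool elem = v->kind == Region::Element;
        return classify(element(elem ? v->super : v, (elem ? v->index : 0) + off));
    }
};
```

Because the store is keyed by region rather than by identifier, two variables that are both spelled `p` in different scopes are separate keys in this model.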