[cfe-dev] checkBind: distinguish between MemRegionVal/ElementRegion

Jordan Rose jordan_rose at apple.com
Wed May 7 21:02:18 PDT 2014


Hello, Aitor. I'm afraid you're still getting SVals, symbols, and MemRegions somewhat mixed up. They are not interchangeable. Have you watched our presentation on writing a checker yet? (Linked here: http://clang-analyzer.llvm.org/checker_dev_manual.html) I'm sorry it's not really incorporated into the rest of the Checker Development Manual, but the video is probably still the clearest introduction to analyzer core concepts that we have.


> 1) To test if Loc is a MemRegionVal I use the following, but there's something wrong I can't figure out (it doesn't compile), and I'm stuck (as far as I know, MemRegionVal is a subclass of SVal):
> 
> if (clang::isa<loc::MemRegionVal>(Loc)) ...

This is a bit mundane—you can only use isa<> on pointers and references, but SVals are passed around by value. As you discovered, you can use getAs.

> SymbolRef sym = L->getAsLocSymbol();
> SymbolRef sym = VLoc.getAsLocSymbol();
> SymbolRef sym = VLoc.getAsSymbol();


The second one will handle everything the first one handles, as well as locations cast to integer values (like "(intptr_t)&x"). The last one will also give you back symbols for non-location values. But not all memory regions are based on symbols (a local variable does not need a symbol), and of course not all symbolic values are memory regions (the result of random() is an integer).


> 2) ElementRegion doesn't belong to the SVal class hierarchy. How can I know if Loc is an ElementRegion?

That's not really a good question. What you really want to know is if a given location is within a constant string region. That's a much simpler question.

// Does this value represent the address of a region?
const MemRegion *MR = V.getAsRegion();
if (!MR)
  return;

bool isString = isa<StringRegion>(MR->getBaseRegion());

This isn't going to cover all use cases, but it does cover this one much more nicely than trying to pattern-match on ElementRegion.

(Finally, of course, -fconst-strings is a much safer way to handle this kind of issue, but that doesn't help if you have an existing codebase.)

Jordan
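
An added illustration, not code from the original message or from Clang: a stand-alone C++ model of the region tree showing why the base-region check above classifies locations correctly where matching on ElementRegion does not. The `Region` struct, `Kind` enum, `naiveElementMatch` helper and the sample regions are constructed for this example; a real checker would use the analyzer's own MemRegion classes.

```cpp
#include <cstdio>

// Simplified stand-in for the analyzer's region tree (not Clang's classes).
enum class Kind { Var, String, Element, Field };

struct Region {
  Kind kind;
  const Region *super; // enclosing region for Element/Field, else nullptr

  // Same idea as MemRegion::getBaseRegion(): strip element/field layers
  // until reaching the region that owns the storage.
  const Region *getBaseRegion() const {
    const Region *r = this;
    while ((r->kind == Kind::Element || r->kind == Kind::Field) && r->super)
      r = r->super;
    return r;
  }
};

// The check from the message: is this location inside a string literal?
bool isInStringLiteral(const Region *mr) {
  if (!mr)
    return false; // the value is not the address of a region
  return mr->getBaseRegion()->kind == Kind::String;
}

// Matching on the outermost region kind only, for comparison.
bool naiveElementMatch(const Region *mr) {
  return mr && mr->kind == Kind::Element;
}

// Constructed sample regions.
const Region kLiteral{Kind::String, nullptr};         // "abc"
const Region kLitElem{Kind::Element, &kLiteral};      // "abc"[1]
const Region kLitNested{Kind::Element, &kLitElem};    // element layered on element
const Region kLocal{Kind::Var, nullptr};              // struct S s;
const Region kLocalField{Kind::Field, &kLocal};       // s.name
const Region kLocalElem{Kind::Element, &kLocalField}; // s.name[2]

int main() {
  const Region *samples[] = {&kLiteral, &kLitElem, &kLitNested, &kLocalElem};
  for (const Region *r : samples)
    std::printf("base-region check: %d  element match: %d\n",
                isInStringLiteral(r), naiveElementMatch(r));
  return 0;
}
```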
