[cfe-dev] [Analyzer] Does SymbolicRegion preserve the structure of its associated memory?

scott constable via cfe-dev cfe-dev at lists.llvm.org
Tue Aug 25 06:20:29 PDT 2015


Ted,

I'm doing a taint-like analysis which requires reasoning across
translation units, so I'm doing a phase 1 analysis where I output summary
information for each translation unit, and then a phase 2 analysis where I
use that summary information to produce bug reports. For instance, if I
have the following code:

// TU.h
struct MyStruct {
  int a;
  int b;
  int c;
};
void foo(MyStruct &s);

// TU1.cpp
#include "TU.h"
void bar() {
  MyStruct t {1, 2, 3};
  foo(t);
}

// TU2.cpp
#include "TU.h"
void foo(MyStruct &s) {
  ...
}

For whatever reason, during the analysis of TU1.cpp t.b's memory might
become "tainted". When bar() calls foo(), this taint information is written
to a summary text file. In phase 2, at the very beginning of the analysis
of TU2.cpp, I load the summary information from phase 1, and observe that a
call was made to foo such that s.b should be treated as tainted. So I would
like to mark s.b's memory as such.

I don't think that getFieldRegion() is what I'm looking for, because (I
believe) it does not update the program state with the construction of the
new FieldRegion.

Thanks for your help,

~Scott

On Tue, Aug 25, 2015 at 12:49 AM, Ted Kremenek via cfe-dev <
cfe-dev at lists.llvm.org> wrote:

> Hi Scott,
>
> Subregion relationships are one-to-many, and they are constructed lazily
> as memory can be arbitrarily re-interpreted when analyzing a path because of
> casts, etc.  If you want to model a binding to ‘MyStruct’, you can
> construct the FieldRegion yourself using MemRegionManager’s
> getFieldRegion(), but I don’t know if that’s the solution you are looking
> for here.
>
> Can you explain what you are trying to do in more detail?  I may be able
> to help you better with more specifics.
>
> Ted
>
> > On Aug 24, 2015, at 1:59 PM, scott constable via cfe-dev <
> cfe-dev at lists.llvm.org> wrote:
> >
> > Hi All,
> >
> > Suppose I'm analyzing the following code:
> >
> > struct MyStruct {
> >   int a;
> >   int b;
> >   int c;
> > };
> >
> > void foo(MyStruct &s) {
> >   ...
> > }
> >
> > Furthermore, suppose that I would like to annotate s.b's memory in the
> program state, without also annotating s.a and s.c. When I retrieve the
> region referenced by s, I observe that it is a SymbolicRegion, which is to
> be expected. I cannot, however, see any way to reason about any of its
> SubRegions individually, in this case s.a, s.b, and s.c.
> >
> > I understand that SymbolicRegions are supposed to represent memory
> regions whose values the analyzer cannot properly model. But it still
> should be able to recognize that from foo's point of view, s has a
> well-defined structure with three FieldRegions, though their values must be
> symbolic.
> >
> > Any help would be very much appreciated.
> >
> > ~Scott Constable
> > _______________________________________________
> > cfe-dev mailing list
> > cfe-dev at lists.llvm.org
> > http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>