[cfe-dev] How to handle control flow stmt in path sensitive way?

Pengfei Wang via cfe-dev cfe-dev at lists.llvm.org
Fri Dec 11 02:18:39 PST 2015


Hello,

I am writing a taint tracking checker of clang static analyzer,  and
currently I need to do something when a branch is finished being analyzed.
Aka I need to know when the symbolic execution reaches the end of an If
code block or Else code block. Like the following example:

1  if(a >1){

2     b = a + 1;

3     c = a + 2;

4 }

5 else{

6    b = a + 3;

7    c = a + 4;

8 }

How can I notice that the symbolic execution reaches line 4 and line 8? Can
the callbacks in the static analyzer checker do this?

 I have tried the CompoundStmt, but it didn't work in the callback function
CheckPostStmt<CompoundStmt>, and neither did the BlockExpr work.

It seems that the control flow stmt can only be analyzed in a
path-insensitive way, such as using the ASTDecl and ASTCodeBody callbacks.
Can I handle the IfStmt or ForStmt in a path-sensitive way  to achieve this
goal? Thank you!


Best

Pengfei
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20151211/a4d6252f/attachment.html>


More information about the cfe-dev mailing list