[cfe-dev] On heap variables and Clang SA

Bhargava Shastry bshastry at sec.t-labs.tu-berlin.de
Tue Mar 17 06:50:08 PDT 2015


Hi,

On 03/17/2015 01:09 PM, Manuel Klimek wrote:
> How can you prove a comparison against garbage value from that code?
> Seems like somebody can set m_x to anything between the constructor and
> the call to method.
> If you want to catch this, you'll at least need:
> void f() {
>   foo f;
>   f.method();
> }

Apologies for having left out the crucial function that instantiates a
foo object. Agree that this is the missing piece.

> ... and then the SA needs to "inline" both the call to the constructor
> and the method call to see the problem.

My understanding is that, during symbolic execution, Clang SA "visits"
function calls in the procedure under analysis. So, in the function void
f() above, Clang SA would metaphorically step into foo's constructor and
subsequently method() and prove garbage value in two steps i.e.,

Step 1. Call to f.method() from void f()
Step 2. Garbage value comparison in method()

Is inlining how Clang SA really does this? AFAIK, Clang SA visits the
call graph for a translation unit in topological order. In the example,
this means, when void f() is being analyzed, both ctor declaration and
method declarations would be visited, no?


Regards,
Bhargava

-- 
Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58235

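A constructed reproducer for the case discussed above, added here and not taken from the thread (the original `foo` class is not on this page, so its shape is assumed): the "before" class leaves `m_x` uninitialised, so the comparison in `method()` is only provably a garbage value once the analyzer has inlined both the constructor and the method while executing `f()`; the "after" class shows the fix.

```cpp
#include <cassert>

// Assumed "before" shape of foo: the constructor never initialises m_x.
// Analysed on its own, method() sees `this->m_x` as an unknown but
// defined symbolic value and nothing is reported. Analysed from
// f_uninit(), Clang SA (e.g. `clang++ --analyze foo.cpp`) inlines
// foo_uninit::foo_uninit() and foo_uninit::method() and reports the
// `==` operand in method() as a garbage value.
struct foo_uninit {
    int m_x;
    foo_uninit() {}                             // m_x left indeterminate
    bool method() const { return m_x == 0; }    // compares garbage
};

void f_uninit() {
    foo_uninit f;
    (void)f.method();   // reads an indeterminate member: undefined behaviour
}

// Hardened shape: the member is initialised in the constructor's
// initialiser list, so the same comparison is well defined and the
// analyzer has nothing to report.
struct foo_init {
    int m_x;
    foo_init() : m_x(0) {}
    bool method() const { return m_x == 0; }
};

bool f_init() {
    foo_init f;
    return f.method();  // always true, no garbage read
}
```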