[cfe-dev] On heap variables and Clang SA

Manuel Klimek klimek at google.com
Tue Mar 17 07:00:05 PDT 2015


On Tue, Mar 17, 2015 at 2:50 PM Bhargava Shastry <
bshastry at sec.t-labs.tu-berlin.de> wrote:

> Hi,
>
> On 03/17/2015 01:09 PM, Manuel Klimek wrote:
> > How can you prove a comparison against garbage value from that code?
> > Seems like somebody can set m_x to anything between the constructor and
> > the call to method.
> > If you want to catch this, you'll at least need:
> > void f() {
> >   foo f;
> >   f.method();
> > }
>
> Apologies for having left out the crucial function that instantiates a
> foo object. Agree that this is the missing piece.
>
> > ... and then the SA needs to "inline" both the call to the constructor
> > and the method call to see the problem.
>
> My understanding is that, during symbolic execution, Clang SA "visits"
> function calls in the procedure under analysis. So, in the function void
> f() above, Clang SA would metaphorically step into foo's constructor and
> subsequently method() and prove garbage value in two steps, i.e.,
>

Yes, that's what the SA calls "inlining". I agree that it's confusing :)


>
> Step 1. Call to f.method() from void f()
> Step 2. Garbage value comparison in method()
>
> Is inlining how Clang SA really does this? AFAIK, Clang SA visits the
> call graph for a translation unit in topological order. In the example,
> this means, when void f() is being analyzed, both ctor declaration and
> method declarations would be visited, no?
>

Well, it depends. Whether the SA drills into a function depends on many
things.


>
>
> Regards,
> Bhargava
>
> --
> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
> Security in Telecommunications
> TU Berlin / Telekom Innovation Laboratories
> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> phone: +49 30 8353 58235
>
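The thread above argues that the analyzer can only report the garbage-value comparison once the constructor, the method and the call site are all visible on one path. The following is an added example, not code from either participant: it writes out the minimal reproducer in that shape (class `foo_uninit`, whose constructor leaves `m_x` unset, and the call site `f_uninit()` that the thread calls `void f()`), and beside it the hardened form `foo_fixed`, where every constructor initialises the member. The names `foo_uninit`, `foo_fixed`, `f_uninit`, `f_fixed` and `f_fixed_with` are chosen here for illustration.

```cpp
// Added example (not from the thread): the complete reproducer the discussion
// says the analyzer needs, with constructor, method and call site in one
// translation unit so the analyzer has something to "inline".
#include <iostream>

// Pattern under discussion: the constructor leaves m_x uninitialised and
// method() compares it. Neither function is wrong in isolation; only a path
// that steps through the constructor *and* method() from a single call site
// shows the comparison against an indeterminate value.
class foo_uninit {
    int m_x;
public:
    foo_uninit() {}                          // m_x deliberately left unset
    bool method() const { return m_x > 0; }  // reads an indeterminate value
};

// The call site with both steps the thread lists: construct, then call
// method(). It is compiled but never executed here, because reading m_x is
// undefined behaviour; it exists so the analyzer has a path to follow.
bool f_uninit() {
    foo_uninit f;
    return f.method();
}

// Hardened form: every constructor initialises m_x, so the same path compares
// a defined value and there is nothing for the analyzer to report.
class foo_fixed {
    int m_x;
public:
    foo_fixed() : m_x(0) {}
    explicit foo_fixed(int x) : m_x(x) {}
    bool method() const { return m_x > 0; }
};

// Same shape of call site as f_uninit(), but the result is now deterministic.
bool f_fixed() {
    foo_fixed f;
    return f.method();   // always false, since m_x == 0
}

bool f_fixed_with(int x) {
    foo_fixed f(x);
    return f.method();   // true exactly when x > 0
}

int main() {
    std::cout << std::boolalpha
              << "f_fixed(): " << f_fixed() << '\n'
              << "f_fixed_with(5): " << f_fixed_with(5) << '\n';
    return 0;
}
```

Saved as a single file, the reproducer can be handed to the analyzer with `clang++ --analyze -Xclang -analyzer-checker=core repro.cpp`; the `core` checkers are the ones that flag a binary operator applied to a garbage value, and the report for `f_uninit()` walks the path through the constructor and into `method()`, which is exactly the two-step "inlining" the thread describes. The `foo_fixed` path produces no report because the value compared is defined on every path.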