[cfe-dev] On heap variables and Clang SA

Manuel Klimek klimek at google.com
Tue Mar 17 08:02:31 PDT 2015


On Tue, Mar 17, 2015 at 4:00 PM Bhargava Shastry <
bshastry at sec.t-labs.tu-berlin.de> wrote:

> On a tangent, does Google use Clang SA on large codebases esp. Chromium
> that has a massive C++ LoC count? If not, what are the top reasons for
> not doing so? Lack of C++ support seems to be the Google position on
> this [1] but am wondering if that is the only reason.
>

Yes, this is the only reason; we'd *love* to be able to use it. I already
shot considerable time and effort into trying to get this good enough, but
I think I'd need to spend another couple of weeks, which I currently just
don't have.


>
> [1]: https://code.google.com/p/chromium/wiki/ClangStaticAnalyzer
>
> Regards,
> Bhargava
>
> On 03/17/2015 03:00 PM, Manuel Klimek wrote:
> > On Tue, Mar 17, 2015 at 2:50 PM Bhargava Shastry
> > <bshastry at sec.t-labs.tu-berlin.de
> > <mailto:bshastry at sec.t-labs.tu-berlin.de>> wrote:
> >
> >     Hi,
> >
> >     On 03/17/2015 01:09 PM, Manuel Klimek wrote:
> >     > How can you prove a comparison against garbage value from that code?
> >     > Seems like somebody can set m_x to anything between the constructor and
> >     > the call to method.
> >     > If you want to catch this, you'll at least need:
> >     > void f() {
> >     >   foo f;
> >     >   f.method();
> >     > }
> >
> >     Apologies for having left out the crucial function that instantiates a
> >     foo object. Agree that this is the missing piece.
> >
> >     > ... and then the SA needs to "inline" both the call to the constructor
> >     > and the method call to see the problem.
> >
> >     My understanding is that, during symbolic execution, Clang SA "visits"
> >     function calls in the procedure under analysis. So, in the function
> >     void f() above, Clang SA would metaphorically step into foo's constructor
> >     and subsequently method() and prove garbage value in two steps i.e.,
> >
> >
> > Yes, that's what the SA calls "inlining". I agree that it's confusing :)
> >
> >
> >
> >     Step 1. Call to f.method() from void f()
> >     Step 2. Garbage value comparison in method()
> >
> >     Is inlining how Clang SA really does this? Afaik, Clang SA visits the
> >     call graph for a translation unit in topological order. In the example,
> >     this means, when void f() is being analyzed, both ctor declaration and
> >     method declarations would be visited, no?
> >
> >
> > Well, it depends. Whether the SA drills into a function depends on many
> > things.
> >
> >
> >
> >
> >     Regards,
> >     Bhargava
> >
> >     --
> >     Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
> >     Security in Telecommunications
> >     TU Berlin / Telekom Innovation Laboratories
> >     Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> >     phone: +49 30 8353 58235
> >
>
>
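The code shape the thread is arguing about, written out as an added example (it is not code posted by either participant): a class whose constructor leaves a member indeterminate, a method that compares that member, and the caller `void f()`-style function that Manuel says is the missing piece. Looking at `foo::method()` in isolation, the analyzer cannot prove anything, because a caller may well assign `m_x` before calling it (`use_foo_after_assignment` shows exactly that, and is well-defined). Only when the caller is analyzed and both the constructor and the method call are inlined does the path `foo() -> method()` expose the read of an uninitialized member. The names `foo`, `m_x` and `method` come from the thread; `foo_fixed`, `use_foo_fixed` and `use_foo_after_assignment` are names chosen here. Running `clang++ --analyze` on this file with the default `core` checkers is how I would expect the uninitialized read in `use_foo_unsafe` to be reported; the other two functions should stay quiet.

```cpp
#include <cstdio>

// Pattern from the thread: the constructor never writes m_x, so any read of
// it before an assignment is a read of an indeterminate ("garbage") value.
struct foo {
    int m_x;
    foo() {}                                  // m_x deliberately left uninitialized
    bool method() const { return m_x > 0; }   // comparison against garbage if m_x was never set
};

// Hardened form: value-initialize the member in the constructor so every
// path through method() compares a defined value.
struct foo_fixed {
    int m_x;
    foo_fixed() : m_x(0) {}
    bool method() const { return m_x > 0; }
};

// The "void f()" from the thread. This is the function the analyzer has to
// start from, inlining foo::foo() and then foo::method(), to see the bug.
// It is intentionally not called from main(): executing it is undefined behaviour.
bool use_foo_unsafe() {
    foo f;
    return f.method();
}

// Manuel's objection made concrete: a caller that assigns m_x between the
// constructor and the call. method() is fine here, so a report against
// method() alone, without the calling context, would be a false positive.
bool use_foo_after_assignment() {
    foo f;
    f.m_x = 7;
    return f.method();   // well-defined, returns true
}

// Same call sequence as use_foo_unsafe, but with the fixed class: the
// constructor now defines m_x, so there is no garbage-value path to report.
bool use_foo_fixed() {
    foo_fixed f;
    return f.method();   // well-defined, returns false
}

int main() {
    std::printf("after assignment: %d\n", use_foo_after_assignment() ? 1 : 0);
    std::printf("fixed ctor:       %d\n", use_foo_fixed() ? 1 : 0);
    return 0;
}
```

The point to take from the three callers is that "garbage value" is a property of a path through the program, not of `method()` by itself; that is why the analyzer needs the instantiating function and why, as the thread says, it has to inline both the constructor and the method call along that path.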