[cfe-dev] [StaticAnalyzer] Threshold on number of checks

Gupta Nikhil via cfe-dev cfe-dev at lists.llvm.org
Tue Aug 1 07:25:11 PDT 2017


Thanks Stefan,

The bug is being caught now. Our present use case favors precision over speed, so this would solve our problem.

From: Stefan Ciobaca [mailto:stefan.ciobaca at gmail.com] 
Sent: Monday, July 31, 2017 3:59 PM
To: Gupta Nikhil <nikhgupt at codeaurora.org>
Cc: cfe-dev at lists.llvm.org
Subject: Re: [cfe-dev] [StaticAnalyzer] Threshold on number of checks

Hello,

you are probably seeing this behavior as a result of the maximum number of times a loop is unrolled during the symbolic execution of the program (by default, 4 times).


You can change the unroll limit with the following command line argument:

clang -cc1 -analyze -analyzer-max-loop 100 -analyzer-checker=core [...]

The command above will change the unroll limit to 100 (however, you will probably see performance issues). The loop widening project (http://lists.llvm.org/pipermail/cfe-dev/2017-March/053060.html) might help with your issue once finished.

Best,
Stefan

On Mon, Jul 31, 2017 at 11:26 PM, Gupta Nikhil via cfe-dev <cfe-dev at lists.llvm.org> wrote:

Hi,

I have a trivial case where the Static Analyzer is not catching a double free bug:

==============
#include <stdlib.h>

void f(void)
{
  char *s;

  for (int i = 0; i < 4; i++)
  {
     s = (char*)malloc(10);
     free(s);
  }

  free(s);   /* s was already released in the last iteration: double free */
}
================

However, if I change the code to:

==============
#include <stdlib.h>

void f(void)
{
  char *s;

  for (int i = 0; i < 3; i++)
  {
     s = (char*)malloc(10);
     free(s);
  }

  free(s);   /* same double free, loop runs only three times */
}
================

A double free warning is thrown.

On exploring this further, I noticed that the function MallocChecker::FreeMemAux is called no more than 4 times. I.e., I can place as many “free(s)” calls after the last one in the first code chunk and it will never be caught.

Its calling method MallocChecker::CheckPostStmt seems to be limited to being called a maximum of 8 times.

Is there a threshold set on the number of times a checker can be called? If so, can that be tweaked?

Thanks in advance!

Regards,

Nikhil
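As an added illustration (not code from the thread or from Clang's sources), a small Python model of the per-path loop bound Stefan describes. The assumed simplification is that the analyzer abandons a path once the loop's condition block would be entered more than max-loop times on that path; with that assumption the model reproduces the counts Nikhil observed (four frees checked and no post-loop state for four iterations, the exit and the double free for three) and shows what bound a given trip count needs.

```python
"""Toy model of Clang Static Analyzer's -analyzer-max-loop bound.

Constructed illustration only. Assumption: a path is dropped (sunk) as soon
as the loop's condition block would be visited more than max_loop times on
that path, so nothing after the loop is analyzed on such a path.
"""

DEFAULT_MAX_LOOP = 4  # Clang's default, as stated in the thread


def simulate_path(trip_count, max_loop=DEFAULT_MAX_LOOP):
    """Walk the single path through Nikhil's snippet:

        for (i = 0; i < trip_count; i++) { s = malloc(10); free(s); }
        free(s);

    Returns (frees_checked, exit_reached, double_free_reported), where
    frees_checked models how often MallocChecker would see a free(s).
    """
    frees_checked = 0
    header_visits = 0
    i = 0
    while True:
        header_visits += 1
        if header_visits > max_loop:
            # Bound exceeded: the path is abandoned before the loop exits,
            # so the final free(s) is never examined on this path.
            return frees_checked, False, False
        if not i < trip_count:
            break  # condition false: leave the loop normally
        frees_checked += 1  # free(s) inside the body
        i += 1
    # Post-loop free(s): s was released in the last iteration, so the
    # checker sees a double free if the loop ran at least once.
    frees_checked += 1
    return frees_checked, True, trip_count > 0


def required_max_loop(trip_count):
    """Smallest max-loop value for which the post-loop free is analyzed."""
    bound = 1
    while not simulate_path(trip_count, bound)[1]:
        bound += 1
    return bound
```

The exit of a loop that runs N times needs N + 1 condition-block visits, which is why a four-iteration loop is cut off under the default bound of 4 while a three-iteration loop is not.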

