[cfe-dev] [StaticAnalyzer] How to allocate SymbolRef for values passed through function parameters

Tue May 23 01:43:23 PDT 2017

Hello Haowei,

After call to request(), both values of fd1 and fd2 should become 
symbolic. This is because its body is not available in the current 
translation unit so the analyzer invalidates the values of argument 
pointers. I can see this behaviour while reproducing your test - both 
fd1 and fd2 are assigned with SymbolConjured.
This behaviour you observe looks strange. Do you try to perform 
evalCall() on request() function? If so, you could forgot to invalidate 
the arguments. Could you post your checker here?

23.05.2017 03:21, Haowei Wu via cfe-dev пишет:
> Hi,
>
> I am new to clang and I am developing a checker to detect resource 
> leaks that is similar to the SimpleStreamChecker except that the 
> target function is passing its return value through parameters. The 
> example code would be like:
>
> int request(int * arg1, int * arg2);
> int release(int arg1);
> void foo() {
>    int fd1 = 0, fd2 = 0;
>    request(&fd1, &fd2);
>
>    // ..... some unrelated code
>
>    release(fd1);
>    release(fd2);
> }
>
>
> Here, the integer fd1 and fd2 are resource descriptors that should be 
> assigned with unique integer values after the "request(&fd1, &fd2)" 
> call. The resource will be leaked if someone forgot to call 
> "release(fd)" on a resource descriptor.
>
> The problem is , if I use the "Call.getArgSVal(0)" on the calls to 
>  the "release(fd1)" or "release(fd2)"  function, I only get a 
> "ConcreteInt" which is the value "0" that I assigned in the 
> initializer instead of a SVal with a SymbolRef. In this case, I cannot 
> determine if the value in "fd1" is the same value that is assigned 
> after the call to the "request(&fd1, &fd2)".
>
> The original SimpleStreamChecker does not have this issue because the 
> file descriptor (to be precise, it is FILE *) used in "FILE *F = 
> fopen("mylog.txt", "w");" is passed through the return value instead 
> of parameter. In this case, clang will allocate a SymbolRef for "F". 
> And it will be the same one if I call 
> "Call.getReturnValue().getAsSymbol()" on a "fclose(F)".
>
> My question is, is there anyway to allocate SymbolRef to the variables 
> pointed by arg1 and arg2 manually in the checkPreCall for the "int 
> request(int * arg1, int * arg2)"? So in checkPostCall for "int 
> release(int arg1);" I can use "Call.getReturnValue().getAsSymbol()" to 
> check if the SymbolRef of "arg1" is the same one that allocated in 
> "int request(int * arg1, int * arg2)"?
>
> Thanks for any help,
> Haowei
>
>
>
>
>
>
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

-- 
Best regards,
Aleksei Sidorin,
SRR, Samsung Electronics

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20170523/d860e59a/attachment.html>