[cfe-dev] Checking if a ParmVarDecl is null in a Checker

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Tue Apr 24 16:44:22 PDT 2018


Hmm, ok, the problem may also be there:

> (void)outError; // Added as a precaution in reference to 
> <http://lists.llvm.org/pipermail/cfe-dev/2017-April/053510.html>

Because in this case you're still doing your check *after* the 
precaution code which is the last use of the variable.

You might want to move (or rather duplicate) your check into 
checkDeadSymbols(). Because once the symbol is dead, there's no way the 
program would be able to constrain it or initialize the memory it points 
to. So you can warn immediately when the symbol is dead, based on the 
information that's already available, assuming that we're still within 
the function of interest.

I believe that the check in checkEndFunction is still necessary in case 
the function of interest is also inlined during analysis, because in 
this case the symbol may remain alive for a separate reason (still 
referenced by the caller).

Note - this is a guess, i didn't actually look at how it works. The 
easiest way for you to understand that is to dump the "exploded graph" 
and see everything for yourself, as explained in 
http://clang-analyzer.llvm.org/checker_dev_manual.html#visualizing

On 4/24/18 4:31 PM, Timothy J. Wood wrote:
>
>> On Apr 24, 2018, at 4:03 PM, Artem Dergachev <noqnoqneo at gmail.com> wrote:
>>
>> LV in your code would represent the address of variable "outError" on the stack. It will always be non-null, but that's not the value you're looking for. You need to load from the variable:
>>
>>    SVal RV = State->getSVal(LV, OutError->getType());
>>
>> ...or something like that.
> Ah, I was wondering if that was the case. But trying this:
>
> 	   class Loc LV = State->getLValue(OutError, LocCtxt);
> 	   SVal RV = State->getSVal(LV, OutError->getType());
> 	   llvm::errs() << "  checking null on " << RV << "\n";
> 	   ConditionTruthVal IsNull = State->isNull(RV);
> 	    llvm::errs() << "  IsNull.isUnderconstrained() = " << IsNull.isUnderconstrained() << "\n";
>
> On the branch where outError is NULL, I get:
>
>    checking null on &SymRegion{reg_$1<NSError ** outError>}
>    IsNull.isUnderconstrained() = 1
>
>> You might find my old workbook moderately useful: https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf
>>
>> Probably also http://lists.llvm.org/pipermail/cfe-dev/2017-June/054084.html because it's slightly more correct in some places.
> Thanks — looks like there is lots of good background info there!
>
> -tim
>



More information about the cfe-dev mailing list