[cfe-dev] Clang Static Analyzer not taking all paths
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Thu Mar 8 15:43:44 PST 2018
The analyzer's method never gives a guarantee to explore all paths, as
there may potentially be infinitely many paths or a finite but
hyper-exponentially exploding number of paths. However, this example
seems to start working after we've recently changed path exploration
order in svn r326157 "[analyzer] Switch the default exploration strategy
to priority queue based on coverage":
$ clang (...) --analyze -Xclang -analyzer-config -Xclang exploration_strategy=dfs main.c
$ clang (...) --analyze main.c
main.c:202:43: warning: The left operand of '==' is a garbage value
        if (h_state.new_challenge_handler == NULL)
            ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
On 08/03/2018 7:18 AM, via cfe-dev wrote:
> Hi,
>
> I ran the CSA on the CGC HackMan challenge:
> https://github.com/trailofbits/cb-multios/blob/master/challenges/HackMan/src/main.c
>
>
> Starting from line 190, there is an uninitialized read:
>
> ...
> while (1)
> {
>     error = 0;
>     if (win || cgc_strlen(h_state.word) == 0)
>         goto new_chal;
>     ...
> new_chal:
>     if (h_state.new_challenge_handler == NULL)
>         h_state.new_challenge_handler = cgc_new_challenge;
> ...
>
> CSA does not find this uninitialized read, however if a "if (!win);"
> is placed before the loop, it is found.
>
> Can anyone tell me why?
>
> Thanks,
> Nils
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
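A constructed reduction of the pattern discussed above, added here as an example (not the HackMan source and not code from either poster): the same loop with `goto new_chal` is run once on partially initialised state, which is what the "garbage value" warning is about, and once on a zero-initialised struct, which is the fix. The struct, field names and `default_challenge` handler are assumptions chosen to mirror the report.

```c
#include <stddef.h>
#include <string.h>

/* Constructed state mirroring the report: only the handler field matters. */
typedef struct {
    char word[32];
    void (*new_challenge_handler)(void);
} hstate_t;

static int default_calls;                       /* times the default handler ran */
static void default_challenge(void) { default_calls++; }

/* The loop from the report, on caller-provided state. Returns 1 when the
 * default handler had to be installed, 0 when a handler was already set. */
static int challenge_loop(hstate_t *h_state, int win) {
    int installed = 0;
    while (1) {
        if (win || strlen(h_state->word) == 0)
            goto new_chal;                      /* first iteration takes this edge */
        break;                                  /* a game round would run here */
    new_chal:
        if (h_state->new_challenge_handler == NULL) {   /* the flagged read */
            h_state->new_challenge_handler = default_challenge;
            installed = 1;
        }
        h_state->new_challenge_handler();
        break;
    }
    return installed;
}

/* Before: only `word` is written, so the NULL test at new_chal reads an
 * indeterminate pointer. Kept for contrast; calling it is undefined. */
int run_uninitialized(int win) {
    hstate_t h_state;
    h_state.word[0] = '\0';
    return challenge_loop(&h_state, win);
}

/* After: zero-initialise the whole struct, so the first iteration sees a
 * real NULL and deterministically installs the default handler. */
int run_initialized(int win) {
    hstate_t h_state = {0};
    return challenge_loop(&h_state, win);
}

/* A handler is already present: the loop must keep it and report 0. */
int run_with_handler(int win) {
    hstate_t h_state = { "hello", default_challenge };
    return challenge_loop(&h_state, win);
}

int default_call_count(void) { return default_calls; }
```

Only `run_initialized` and `run_with_handler` are meant to be executed; `run_uninitialized` exists to show the shape the analyzer has to reach via the `goto` edge.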