[cfe-dev] Question about checkRegionChanges in static analyzer

Li Kan via cfe-dev cfe-dev at lists.llvm.org
Mon Mar 12 16:49:12 PDT 2018


I am trying to make the checker work for pointer escape. Since I track the
status of objects using MemRegion, I am using checkRegionChanges. I've
observed something weird.

Suppose I have free functions whose definitions are not seen by current TU:
void f(const S*); void g(S*);

1. Suppose I have
S s;
f(&s);
Then in checkRegionChanges, `s`'s region will appear in `explicit_regions`
but not `regions`.

2. Suppose I have
S s;
g(&s);
Then in checkRegionChanges, `s`'s region will appear in both
`explicit_regions` and `regions`.

Based on the above observations, if I want to remove `s` from GDM in case 2
but not 1, then I need to iterate over all entries in GDM and remove the
ones that are sub-regions of any one in the `regions` variable, not the
`explicit_regions` variable. However, this doesn't work for the following
case:

3. If I have struct T { S s; D d; }; and D has some non-const member void
D::h(); for the following call:
T t;
t.d.h();
Then in checkRegionChanges, `t.d` is in `explicit_regions` and `t` is in
`regions`. So `t.s` will be removed from GDM if I check the `regions`
variable, which is incorrect.

My question is, is case 1 a bug or a feature that `s` appears in
`explicit_regions`? If it is by design, what is the blessed way to
distinguish the above cases? Thanks.

BTW: the code that causes the behavior is
https://clang.llvm.org/doxygen/RegionStore_8cpp_source.html#l01256
    if (const MemRegion *R = V.getAsRegion()) {
      if (TopLevelRegions)
        TopLevelRegions->push_back(R);
      W.AddToWorkList(R);
      continue;
    }
All regions are added to TopLevelRegions, without checking
RegionAndSymbolInvalidationTraits::TK_PreserveContents.
