<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div>Hey Jordan,</div><div><br></div><div>I realise SymbolExtent is the wrong symbol class to use, it was just a quick hack to see how much more work was involved in getting the analyser to assume false on function decls. Not very much it turned out. I guess a new SymExpr subclass is needed. </div><div><br></div><div>The bit I am not clear on is where the analyser calls a function, where I would need to add code to handle this new symbol type. Apologies if this is a stupid question, I had a dig through ExprEngine, but did not find what I was looking for. Is it VisitCast?</div><div><br></div><div>Ta.</div><div><br>On 3 Jan 2013, at 20:22, Jordan Rose <<a href="mailto:jordan_rose@apple.com">jordan_rose@apple.com</a>> wrote:<br><br></div><blockquote type="cite"><div><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div>SymbolExtent isn't really meant for this; it's supposed to represent the metadata of how large an allocation is in memory. Doing this is basically like changing "return func" to "return sizeof(*func)", except that functions don't really have valid sizes anyway. You really can't put an extent symbol (type size_t) into a loc::MemRegionVal (some kind of pointer-ish thing).</div><div><br></div><div>In practice, this lets you do the null test, but won't actually let the analyzer call the function, which is no good.</div><div><br></div><div>I don't have any other immediate insights to offer. We just don't have values that can represent <i>either</i> null <i>or</i> a specific function at this time. You might be able to fake it for now by adding a pre-visit check for CastExprs of type CK_FunctionToPointerDecay, and eagerly splitting the path whenever someone references a weak function.</div><div><br></div><div>Jordan</div><div><br></div><br><div><div>On Jan 3, 2013, at 10:03 , Richard <<a href="mailto:tarka.t.otter@googlemail.com">tarka.t.otter@googlemail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>I had a quick attempt at this, by creating a SymbolExtent of a weak function decl code region and creating a SymbolicRegion with that. This actually fixes the checker I was writing, which is nice. I am not sure if I understand fully the implications of doing this however. Where does the SymbolicRegion need to be constrained back to a FunctionTextRegion?</div><div><br></div><div><div>Index: Core/SValBuilder.cpp</div><div>===================================================================</div><div>--- Core/SValBuilder.cpp<span class="Apple-tab-span" style="white-space:pre"> </span>(revision 171384)</div><div>+++ Core/SValBuilder.cpp<span class="Apple-tab-span" style="white-space:pre"> </span>(working copy)</div><div>@@ -190,7 +190,13 @@</div><div> }</div><div> </div><div> DefinedSVal SValBuilder::getFunctionPointer(const FunctionDecl *func) {</div><div>- return loc::MemRegionVal(MemMgr.getFunctionTextRegion(func));</div><div>+ const FunctionTextRegion *Region = MemMgr.getFunctionTextRegion(func);</div><div>+ if (func->isWeak()) {</div><div>+ const SymbolExtent *Sym = SymMgr.getExtentSymbol(Region);</div><div>+ return loc::MemRegionVal(MemMgr.getSymbolicRegion(Sym));</div><div>+ }</div><div>+ </div><div>+ return loc::MemRegionVal(Region);</div><div> }</div><div> </div><div> DefinedSVal SValBuilder::getBlockPointer(const BlockDecl *block,</div></div><br><div><div>On 20 Dec 2012, at 19:31, Ted Kremenek <<a href="mailto:kremenek@apple.com">kremenek@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><meta http-equiv="Content-Type" content="text/html charset=windows-1252"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><div>On Dec 20, 2012, at 10:14 AM, Jordan Rose <<a href="mailto:jordan_rose@apple.com">jordan_rose@apple.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><span style="font-family: Helvetica; font-size: medium; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: 2; text-align: -webkit-auto; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; display: inline !important; float: none; ">The problem is that functions are represented by FunctionTextRegions. As you noticed, our design is that only SymbolicRegions can represent NULL—all other regions are known to have an address. However, this is not true for weak symbols (functions or otherwise). In order to get this right, we probably need to enhance the analyzer to treat weak extern symbols like references, and then automatically dereference them upon use.</span></blockquote></div><br><div>I don't think the "references" analogy is quite right. Functions are already modeled in the AST using function pointers, and they are dereferenced during a function call. We could possibly model weak-linked functions using SymbolicRegions, that are then later constrained to alias a specific FunctionTextRegion. Aliasing is something we need to handle better anyway, and I think this would nicely fit into that model.</div></div></blockquote></div><br></div></blockquote></div><br></div></blockquote></body></html>