<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Hey,</div><br><div><div>On 15 Jan 2013, at 19:30, Jordan Rose &lt;<a href="mailto:jordan_rose@apple.com">jordan_rose@apple.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Jan 15, 2013, at 7:21, Richard &lt;<a href="mailto:tarka.t.otter@googlemail.com">tarka.t.otter@googlemail.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Hi Jordan,</div><br><div><div>On 15 Jan 2013, at 03:44, Jordan Rose &lt;<a href="mailto:jordan_rose@apple.com">jordan_rose@apple.com</a>&gt; wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>That's not quite going to work -- what if I explicitly spell out my comparison?</div><div><br></div><blockquote type="cite"><div>if (MyWeakFunction == NULL) {</div><div>}</div></blockquote><div><br></div>In this case, SimpleConstraintManager won't go through your new assumeLocSymbol.<div><br></div><div>...although actually, it won't make it there at all, because SimpleSValBuilder::evalBinOpLL folds null comparisons against non-symbolic regions. That's actually easy enough to fix, though, and if you do that this might actually work.</div></div></blockquote><div><br></div><div>I am not sure I follow you here. Why will this not work? 
On line 646 of SimpleSValBuilder we have:</div><div><br></div><div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "><span style="color: #bb2ca2">if</span> (SymbolRef lSym = lhs.getAsLocSymbol())</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "> <span style="color: #bb2ca2">return</span> MakeSymIntVal(lSym, op, rInt->getValue(), resultTy);</div></div><div><br></div><div>The metadata symbol will be returned here by getAsLocSymbol() and everything proceeds as expected. Testing this on the following trivial code shows a divide by zero warning for both branches of the IfStmt:</div><div><br></div><div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "><span style="color: #bb2ca2">int</span> myFunc() <span style="color: #bb2ca2">__attribute__</span>((weak_import));</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "><span style="color: #bb2ca2">int</span> main(<span style="color: #bb2ca2">int</span> argc, <span style="color: #bb2ca2">char</span> *argv[])</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; ">{</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "> <span style="color: #bb2ca2">if</span> (myFunc == <span style="color: #bb2ca2">NULL</span>) {</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "> <span style="color: #272ad8">1</span> / <span style="color: #272ad8">0</span>;</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "> } <span style="color: #bb2ca2">else</span> {</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "> <span style="color: #272ad8">1</span> / <span style="color: #272ad8">0</span>;</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; "> }</div><div style="margin: 0px; font-size: 14px; font-family: Monaco; color: rgb(187, 44, 162); "><span style=""> </span>return<span style=""> </span><span style="color: #272ad8">0</span><span style="">;</span></div><div style="margin: 0px; 
}</div>">
font-size: 14px; font-family: Monaco; ">}</div></div></div></div></blockquote><div><br></div><div>Oops! I missed your changes to SVals.cpp. (This is what I get for reviewing patches by sight only.)</div><div><br></div><div>I am a little concerned about getAsLocSymbol <i>always</i> returning the metadata symbol, but maybe it's okay. I need to go trace through the ramifications of that. My idea was to only produce the metadata symbol when we are sure we are doing a comparison (or a cast to bool, I suppose), since right now there's no way to go from the symbol <i>back</i> to the region (wrapping the symbol in a SymbolicRegion would be incorrect).</div><div><br></div></div></div></blockquote><div><br></div><div>Is it not possible to get the region back from the symbol using getRegion()?</div><div><br></div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div>Oh, and metadata symbols also die unless some checker specifically requests to keep them alive. I'm wondering now if the current behavior of SymbolExtent (immutable, lasts as long as the base region, only as path-specific as their region) is, in fact, closer to the desired behavior here than metadata symbols (invalidatable, path-sensitive, only lasts as long as someone is interested). If this is the case, maybe SymbolExtent should be made more generic.</div><div><br></div><div>(Sorry for giving you a runaround here. 
I'm not sure what the right thing to do is...I just want to avoid "new symbols" being the solution to every problem, and at the same time make sure that the existing symbols have well-defined semantics.)</div><div><br></div></div></blockquote><div><br></div><div>OK, I was under the impression that a SymbolMetadata would stay alive as long as the MemRegion was, but I see that is incorrect in the docs. I would confess to not exactly being an expert on the Symbol class hierarchy, but it seems to me that SymbolExtent is not the right thing to use here. It has the properties we want, but as you mentioned before, it represents the size of a region. This seems an odd symbol to be using to represent a possible NULL pointer to a function. What about using a SymbolRegionValue here?</div></div></blockquote><div><br></div><div>Heh. A bit of history: I added both SymbolExtent and SymbolMetadata. Originally I had hoped they'd be able to use the same kind of symbol, but it turned out that extents being non-invalidatable and metadata being somewhat volatile made it hard to unify the two. If we changed the symbol hierarchy now, we'd rename SymbolExtent -- it'd be something like SymbolRegionMetadata and SymbolRegionContentsMetadata, except those names are ugly.</div><div><br></div><div>The other symbols have single, well-defined purposes, and I'd rather not overload them:</div><div>- SymbolRegionValue represents the contents of a MemRegion, i.e. the value of a parameter or global variable.</div><div>- SymbolDerived represents the contents of a subregion of a SymbolicRegion, e.g. the third field in a struct passed by value.</div><div><div>- SymbolConjured represents the value of an expression that the analyzer can't evaluate (usually a call expression).</div><div><br></div><div>I/we sometimes cheat and reuse SymbolConjured because it's so flexible, but mostly it's good to stick to these uses. 
And...</div><div><br></div><div>- SymbolExtent is (currently) a single-purpose symbol used to represent the size (in bytes) of a region whose size is not statically known (i.e. by the compiler).</div><div>- SymbolMetadata is a general-purpose symbol used to represent invalidatable metadata associated with a particular region.</div><div><br></div><div>(I realize all of this should be added to / clarified in our docs.)</div><div><br></div></div><br></div></div></blockquote><div><br></div><div>SymbolExtent it is, then. What do you think of the attached patch? I have changed the QualType of the symbol, when it is wrapping a weak FunctionTextRegion, to a function pointer type; is this sufficient?</div><br><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><div><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><blockquote type="cite"><div style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">- The initialization of FunctionTextRegion's WeakSym can happen in the constructor initializers rather than the body.</div></blockquote><div><br></div><div>Ja, I wanted to do this, but it seemed like a bit of a chicken-and-egg thing. To create the symbol requires knowing the FunctionTextRegion in its constructor, so how does the FunctionTextRegion have the symbol in its constructor without passing it the SymbolManager so it can create the symbol itself? That also seemed a bit odd. Or am I being stupid?</div></div></blockquote><div><br></div><div>Ha, I just meant the initialization to NULL. 
I didn't think through whether it was possible to push the creation of the weak symbol into the constructor.</div><div><br></div>Jordan</div><br></div></blockquote></div><br><div>Then I was being stupid; no easy fix for that, unfortunately :|</div><div><br></div><div>Richard</div><div><br></div></body></html>