<html><head><meta http-equiv="Content-Type" content="text/html charset=iso-8859-1"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Jan 17, 2013, at 5:33 AM, Karthik Bhat <<a href="mailto:blitz.opensource@gmail.com">blitz.opensource@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">Thanks Anna.. Can you suggest me some place were i can find document for static analyzer core module. I found many documents for checkers and how to write checkers, but couldn't find document explaining functioning of static analyzer core.<div>
<br></div></blockquote><div><br></div><div>Unfortunately, there is not much documentation about the analyzer core yet (code is our documentation). The only additional documentation I know of is in clang/docs/analyzer; specifically, we have the IPA.txt there, which describes how we approach cross function analyzes. You could also search the archives from this list (in particular, emails from Ted Kremenek). </div><div><br></div><div>The analyzer utilizes the idea of path-sensitive dataflow analysis, which can be tackled with different specific techniques, but they all boil down to trying to compute a set of reachable program states. Our LLVM Dev meeting talk Building a Checker in 24 Hours gives a very high level overview of how it works (<a href="http://llvm.org/devmtg/2012-11/">http://llvm.org/devmtg/2012-11/</a>). Here are some relevant academic papers, but there are many more papers in the area, and the analyzer is inspired by many of them:</div><div> A System and Language for Building System-Specific, Static Analyses (Hallem et al)<br> Precise interprocedural dataflow analysis via graph reachability (Reps et al)<br><br></div><div>As I had mentioned, cross translation unit analyzes is a huge project; for example, it would most likely take more than a year to complete. However, it can be split into subtasks. There are also many other directions for improving the analyzer core.</div><div><br></div><div>Please, feel free to ask questions.</div>Anna.</div><div><br><blockquote type="cite"><div>Any help appreciated. </div><div><br></div><div>Thanks<br><br><div class="gmail_quote">On Tue, Jan 15, 2013 at 12:43 AM, Anna Zaks <span dir="ltr"><<a href="mailto:ganna@apple.com" target="_blank">ganna@apple.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; "><div class="im"><br>
On Jan 14, 2013, at 1:52 AM, Karthik Bhat <<a href="mailto:blitz.opensource@gmail.com">blitz.opensource@gmail.com</a>> wrote:<br>
<br>
> Hi All,<br>
><br>
> I was going through clang project and found static analyzer to be a quite useful tool. I would like to work and contribute on the same. I went through the code and developed few basic checkers(Socket stream checker etc) to start with.<br></div></blockquote></div></div></blockquote><div><br></div><div>It would be great if you plan to contribute those checkers back!</div><div><br></div><blockquote type="cite"><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; border-left-width: 1px; border-left-color: rgb(204, 204, 204); border-left-style: solid; padding-left: 1ex; position: static; z-index: auto; "><div class="im">
><br>
> I had a doubt which i wanted to clarify from the community.<br>
><br>
> If i'm not wrong Clang static tool currently supports only one translation unit at a time and so inter procedural analysis across translation unit is not supported.<br>
<br>
</div>That is correct.<br>
<div class="im"><br>
> Is there any plan to support the same in clang static analyzer?<br>
<br>
</div>This is something we would definitely like to address as it is one of the main missing pieces. I am not sure when we are going to address it.<br>
<div class="im"><br>
> What kind of infrastructure would be required in static analyzer core to support this feature?<br>
<br>
</div>We have not designed this in detail yet. However, this is going to be a lot of work. We would probably go with summary based approach, where one constructs summaries for the analyzed functions; the summaries are then used when modeling the calls.<br>
<div class="im"><br>
> Will it require detailed understanding of clang front end(AST etc)?<br>
><br>
<br>
</div>This project would require understanding the analyzer very well.<br>
<br>
> Thanks<br>
> Karthik<br>
><br>
><br>
><br>
> _______________________________________________<br>
> cfe-dev mailing list<br>
> <a href="mailto:cfe-dev@cs.uiuc.edu">cfe-dev@cs.uiuc.edu</a><br>
> <a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
<br>
</blockquote></div><br></div>
</blockquote></div><br></body></html>