Thanks Anna for the prompt replies. Will go through those documents.<div><br></div><div>Sure will contribute the checkers after refining it a bit. It is a simple SocketStream checker (checks socket open/close issues etc) inspired by SimpleStream checker from Building a Checker in 24 Hours video</div>
<div><br></div><div>I had one more query currently we terminate analysis of a path as soon as we detect a critical bug. (for e.g.) in the code -</div><div><br></div><div>int one =1;</div><div>int zero = 0;</div><div><br>
</div><div>int k = one/zero;</div><div><br></div><div>// Some other bugs</div><div><br></div><div>In the above code we are generating a sink node as soon as we see a divbyzero and do not analyse other bugs along the path. </div>
<div>Since static analysis of large code usually takes a lot of time is it not a good idea to report as much bugs as possible on a particular path?</div><div><br></div><div>For e.g in the above code instead of creating a sink node for divide by zero can we assign value for k as unknown and continue simulation?</div>
<div><br></div><div>I tried the same by modifying evalBinOp function and creating a transition node instead of sink node -</div><div><br></div><div><div> if ((op == BO_Div || op == BO_Rem ||op == BO_DivAssign ||op == BO_RemAssign) && rhs.isZeroConstant()) // in case of div by zero assign result as unknown and continue execution</div>
<div><span class="Apple-tab-span" style="white-space:pre"> </span> return UnknownVal();</div></div><div><br></div><div>so that if we have a divide operation with rhs as 0 assign the result as unknown and continue simulation to detect other bugs on the path.</div>
<div><br></div><div>Thanks</div><div><br></div><div><br><div class="gmail_quote">On Fri, Jan 18, 2013 at 12:29 AM, Anna Zaks <span dir="ltr"><<a href="mailto:ganna@apple.com" target="_blank">ganna@apple.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div class="im"><div>On Jan 17, 2013, at 5:33 AM, Karthik Bhat <<a href="mailto:blitz.opensource@gmail.com" target="_blank">blitz.opensource@gmail.com</a>> wrote:</div>
<br><blockquote type="cite">Thanks Anna.. Can you suggest me some place were i can find document for static analyzer core module. I found many documents for checkers and how to write checkers, but couldn't find document explaining functioning of static analyzer core.<div>
<br></div></blockquote><div><br></div></div><div>Unfortunately, there is not much documentation about the analyzer core yet (code is our documentation). The only additional documentation I know of is in clang/docs/analyzer; specifically, we have the IPA.txt there, which describes how we approach cross function analyzes. You could also search the archives from this list (in particular, emails from Ted Kremenek). </div>
<div><br></div><div>The analyzer utilizes the idea of path-sensitive dataflow analysis, which can be tackled with different specific techniques, but they all boil down to trying to compute a set of reachable program states. Our LLVM Dev meeting talk Building a Checker in 24 Hours gives a very high level overview of how it works (<a href="http://llvm.org/devmtg/2012-11/" target="_blank">http://llvm.org/devmtg/2012-11/</a>). Here are some relevant academic papers, but there are many more papers in the area, and the analyzer is inspired by many of them:</div>
<div> A System and Language for Building System-Specific, Static Analyses (Hallem et al)<br> Precise interprocedural dataflow analysis via graph reachability (Reps et al)<br><br></div><div>As I had mentioned, cross translation unit analyzes is a huge project; for example, it would most likely take more than a year to complete. However, it can be split into subtasks. There are also many other directions for improving the analyzer core.</div>
<div><br></div><div>Please, feel free to ask questions.</div>Anna.</div><div><div class="im"><br><blockquote type="cite"><div>Any help appreciated. </div><div><br></div><div>Thanks<br><br><div class="gmail_quote">On Tue, Jan 15, 2013 at 12:43 AM, Anna Zaks <span dir="ltr"><<a href="mailto:ganna@apple.com" target="_blank">ganna@apple.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div><br>
On Jan 14, 2013, at 1:52 AM, Karthik Bhat <<a href="mailto:blitz.opensource@gmail.com" target="_blank">blitz.opensource@gmail.com</a>> wrote:<br>
<br>
> Hi All,<br>
><br>
> I was going through clang project and found static analyzer to be a quite useful tool. I would like to work and contribute on the same. I went through the code and developed few basic checkers(Socket stream checker etc) to start with.<br>
</div></blockquote></div></div></blockquote><div><br></div></div><div>It would be great if you plan to contribute those checkers back!</div><div class="im"><div><br></div><blockquote type="cite"><div><div class="gmail_quote">
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><div>
><br>
> I had a doubt which i wanted to clarify from the community.<br>
><br>
> If i'm not wrong Clang static tool currently supports only one translation unit at a time and so inter procedural analysis across translation unit is not supported.<br>
<br>
</div>That is correct.<br>
<div><br>
> Is there any plan to support the same in clang static analyzer?<br>
<br>
</div>This is something we would definitely like to address as it is one of the main missing pieces. I am not sure when we are going to address it.<br>
<div><br>
> What kind of infrastructure would be required in static analyzer core to support this feature?<br>
<br>
</div>We have not designed this in detail yet. However, this is going to be a lot of work. We would probably go with summary based approach, where one constructs summaries for the analyzed functions; the summaries are then used when modeling the calls.<br>
<div><br>
> Will it require detailed understanding of clang front end(AST etc)?<br>
><br>
<br>
</div>This project would require understanding the analyzer very well.<br>
<br>
> Thanks<br>
> Karthik<br>
><br>
><br>
><br>
> _______________________________________________<br>
> cfe-dev mailing list<br>
> <a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br>
> <a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
<br>
</blockquote></div><br></div>
</blockquote></div></div><br></div></blockquote></div><br></div>