<div dir="ltr">Hi Jordan,<div><br></div><div>I created a new SVal with the SValBuilder and then replaced the old SVal with the new one. </div><div><br></div><div>Now I have another question about MemRegion. Can I get the offset of a SubRegion to its SuperRegion? For an example, here is a struct object:</div>
<div>struct LayerOne {</div><div> int a;</div><div> char b;</div><div> int c;</div><div>} obj;</div><div>It's obvious that the obj.a's SuperRegion is obj. And so are obj.c's and obj.b's. More importantly, I know that the offset of obj.a to its SuperRegion(obj) equals 0, the offset of obj.b to its SuperRegion(obj) equals 4 and the offset of obj.c to its SuperRegion(obj) equals 8. So I wonder in Clang Static Analyzer, is there any functions or methods which developer can use to calculate the offsets of SubRegions to their SuperRegions? In other words, we can assume regionObjDotB is a MemRegion Object which stands for obj.b, is there any functions or methods like "regionObjDotB.getOffset()"? If no, how can I get the offsets of SubRegions to their SuperRegions? </div>
<div><br></div><div>In addition, I found a strange situation. Here are the codes.</div><div><div> 1<span style="white-space:pre-wrap"> </span>struct LayerOne {</div><div> 2<span style="white-space:pre-wrap"> </span> int a;</div>
<div> 3<span style="white-space:pre-wrap"> </span> int b;</div><div> 4<span style="white-space:pre-wrap"> </span>};</div><div> 5<span style="white-space:pre-wrap"> </span></div><div> 6<span style="white-space:pre-wrap"> </span>void func() {</div>
<div> 7<span style="white-space:pre-wrap"> </span> struct LayerOne obj;</div><div> 8<span style="white-space:pre-wrap"> </span> obj.a = 1;</div><div> 9<span style="white-space:pre-wrap"> </span> obj.b = 2;</div>
<div> 10<span style="white-space:pre-wrap"> </span> void* p = &obj;</div><div> 11<span style="white-space:pre-wrap"> </span> p = p + 4;</div><div> 12<span style="white-space:pre-wrap"> </span> *((int*)p) = 200; // here p points to obj.b actually</div>
<div> 13<span style="white-space:pre-wrap"> </span> p = p + 4;</div><div> 14<span style="white-space:pre-wrap"> </span> *((int*)p) = 99999; // here the area pointed by p is outside of obj! </div><div>
15<span style="white-space:pre-wrap"> </span>}</div></div><div><br></div><div>After the analyzer analyzed the BinaryOperator(assignment operator) in line 12, I got the dump information:</div><div><div>BinaryOperator 0x4d1b0d0 'int' '='</div>
<div>|-UnaryOperator 0x4d1b090 'int' lvalue prefix '*'</div><div>| `-ParenExpr 0x4d1b070 'int *'</div><div>| `-CStyleCastExpr 0x4d1b048 'int *' <BitCast></div><div>| `-ImplicitCastExpr 0x4d1b030 'void *' <LValueToRValue></div>
<div>| `-DeclRefExpr 0x4d1afc0 'void *' lvalue Var 0x4d1adc0 'p' 'void *'</div><div>`-IntegerLiteral 0x4d1b0b0 'int' 200</div><div>LHS_sval: &element{obj,0 S32b,int}</div><div>LHS_region: element{obj,0 S32b,int}</div>
<div>sval: 200 S32b</div><div>size: 4 S32b</div><div>space: StackLocalsSpaceRegion</div><div>Base_Region: obj</div><div>Super_Region: obj</div></div><div><br></div><div>From the dump information above, I can know that obj.b has been assigned a value of 200. Does S32b mean signed-32bit? And since the obj.b's offset is 4, why LHS_region is element{obj,0 S32b,int} rather than element{obj,4 S32b,int}?</div>
<div><br></div><div><br></div><div>After the analyzer analyzed the BinaryOperator(assignment operator) in line 14, I got the dump information:BinaryOperator 0x4d1b2b0 'int' '='</div><div><div>BinaryOperator 0x4d1b2b0 'int' '='</div>
<div>|-UnaryOperator 0x4d1b270 'int' lvalue prefix '*'</div><div>| `-ParenExpr 0x4d1b250 'int *'</div><div>| `-CStyleCastExpr 0x4d1b228 'int *' <BitCast></div><div>| `-ImplicitCastExpr 0x4d1b210 'void *' <LValueToRValue></div>
<div>| `-DeclRefExpr 0x4d1b1d0 'void *' lvalue Var 0x4d1adc0 'p' 'void *'</div><div>`-IntegerLiteral 0x4d1b290 'int' 99999</div><div>lhs_sval: &element{obj,0 S32b,int}</div><div>
lhs_region: element{obj,0 S32b,int}</div>
<div>sval: 99999 S32b</div><div>size: 4 S32b</div><div>space: StackLocalsSpaceRegion</div><div>Base_Region: obj</div><div>Super_Region: obj</div></div><div><br></div><div>Here, my first question is similar, since the pointer p's offset is 8 at that moment, why LHS_region is element{obj,0 S32b,int} rather than element{obj,8 S32b,int}? What makes me more confused is that in line 14, the destination pointed by p is outside of obj, but the dump information still shows "Super_Region: obj". </div>
<div><span style="font-family:arial,sans-serif;font-size:14px">Am I doing something stupid here?</span><br></div><div><span style="font-family:arial,sans-serif;font-size:14px"><br></span></div><div><span style="font-family:arial,sans-serif;font-size:14px"><br>
</span></div><div><span style="font-family:arial,sans-serif;font-size:14px">Arthur</span></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/12 Jordan Rose <span dir="ltr"><<a href="mailto:jordan_rose@apple.com" target="_blank">jordan_rose@apple.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div>SVals are values; you can't change them. It'd be like saying x is 2, and now you want to change 2 into 3, when you really want to assign 3 to x.</div><div><br></div><div>What are you actually trying to do here?</div>
<span class="HOEnZb"><font color="#888888"><div>Jordan</div></font></span><div><div class="h5"><div><br></div><br><div><div>On Jul 11, 2013, at 3:58 , Arthur Yoo <<a href="mailto:phjy007@gmail.com" target="_blank">phjy007@gmail.com</a>> wrote:</div>
<br><blockquote type="cite"><div dir="ltr"><br><table cellpadding="0" style="font-family:arial,sans-serif;font-size:14px"><tbody><tr><td style="width:680px"><table cellpadding="0" style="width:680px"><tbody><tr>
<td><div><span name="Jordan Rose" style="font-size:14px">Jordan£º</span></div><div><span name="Jordan Rose" style="font-size:14px"><br></span></div><div><span name="Jordan Rose" style="font-size:14px">It's so kind of you to answer my questions. If I get a SVal variable, how can I modify its value? For an example, I have a SVal. With dump(), it shows '2 S32b'. I want to change its value to 3. So how can I do that? Thank you.</span></div>
<div><span name="Jordan Rose" style="font-size:14px"><br></span></div><div><span name="Jordan Rose" style="font-size:14px">Arthur</span></div></td></tr></tbody></table></td></tr></tbody></table>
<div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/10 Jordan Rose <span dir="ltr"><<a href="mailto:jordan_rose@apple.com" target="_blank">jordan_rose@apple.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div style="word-wrap:break-word"><div>Hi, Arthur. The Store and Environment are not manipulated directly. Rather, you use the methods of ProgramState to access them.</div><div><br></div><div>...and that said, checkers should hardly ever need to modify the Store and Environment. Most of the time, you should be storing your state in the generic data map (the set<> and get<> methods of ProgramState). Modifying the Environment arbitrarily can break invariants about what does and doesn't have a value. The Store is a little safer—performing simple bindings and providing default values is usually safe for checkers. Just be careful about types.</div>
<div><br></div><div>The keys in the environment are a tuple of the statement and the location context. The location context is what allows us to handle recursive functions without the callee's bindings stomping on the caller's. We don't have a great way to print a location context, so we just use the pointer value. (Perhaps a stack depth would be helpful?)</div>
<div><br></div><div>Hope that helps,</div><div>Jordan.</div><div><br></div><div>P.S. I can't remember if we've suggested this to you already, but there are some reference materials at <a href="http://clang-analyzer.llvm.org/checker_dev_manual.html" target="_blank">http://clang-analyzer.llvm.org/checker_dev_manual.html</a>. In the first paragraph there's also a link to the talk Anna Zaks and I gave at last year's LLVM Developers' Meeting, which runs through how to build a simple checker and use the generic data map.</div>
<div><br></div><br><div><div><div><div>On Jul 8, 2013, at 5:43 , Arthur Yoo <<a href="mailto:phjy007@gmail.com" target="_blank">phjy007@gmail.com</a>> wrote:</div><br></div></div><blockquote type="cite"><div>
<div><div dir="ltr">Hi all,
<div><br></div><div><p>I want to get and manipulate the Store and Environment in
the current ProgramState in checkPreStmt() and checkPostStmt(). How can I do
that? </p><p>What's more, I’ve dumped the ProgramState in my checker in checkPostStmt(). But I don’t know
the meaning of addresses in the Expressions. What do those addresses mean? Thanks a
lot. <span style="white-space:pre-wrap">Any help will be greatly appreciated.</span></p><p><span style="white-space:pre-wrap"><br></span></p><pre style="white-space:pre-wrap">Best regards,
Arthur Yoo</pre><div><br></div>
</div></div></div></div>
_______________________________________________<br>cfe-dev mailing list<br><a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br><a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
</blockquote></div><br></div></blockquote></div><br>
</div></div>
</blockquote></div><br></div></div></div></blockquote></div><br><br>
</div></div>