<div dir="ltr">I also just noticed that implicit destructors (i.e. compiler-generated or defaulted) are ignored by the Static Analyzer. Is this intentional? This makes it impossible to figure out when an object without an explicit destructor is destroyed. Or am I missing something?<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/16 Gábor Kozár <span dir="ltr"><<a href="mailto:kozargabor@gmail.com" target="_blank">kozargabor@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div>In the meanwhile, I figured out how to get the FieldRegion that is the argument of the CXXDeleteExpr:<br><br>ProgramStateRef state = context.getState();<br>ASTContext& astContext = context.getASTContext();<br>
MemRegionManager& memRegionManager = context.getStoreManager().getRegionManager();<br><br>if(const MemberExpr* memberExpr = llvm::dyn_cast<MemberExpr>(delExpr->getArgument()->IgnoreImpCasts()))<br>{<br> const FieldDecl* fieldDecl = llvm::dyn_cast<FieldDecl>(memberExpr->getMemberDecl());<div class="im">
<br>
const CXXThisRegion* thisRegion = context.getStoreManager().getRegionManager().getCXXThisRegion(<br></div> astContext.getPointerType(astContext.getRecordType(fieldDecl->getParent())),<br> context.getLocationContext());<br>
<br> MemRegionRef thisObjectRegion = context.getState()->getSVal(thisRegion).getAsRegion();<br><br> const FieldRegion* fieldRegion = memRegionManager.getFieldRegion(fieldDecl, thisObjectRegion); // this is what I needed<br>
}<br><br></div><div>(Hope this helps someone, someday.)<br></div><div><br></div>This MemRegionManager class is really useful, but this code still has been a headache to put together. (e.g. I got numerous assertion failures until I realized getCXXThisRegion wants a QualType that is a pointer type.) What I was trying to do is working now, but I'm still interested in how to do it more easily...<br>
</div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/16 Gábor Kozár <span dir="ltr"><<a href="mailto:kozargabor@gmail.com" target="_blank">kozargabor@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr"><div><div><div><div>Hi Jordan,<br><br></div><div>Thanks for the answer!<br></div><div><div><br>> <i>Objects that live on the stack don't have symbols; the properties of a
stack object's region is entirely known and doesn't need to be symbolic.
It's a VarRegion, not a SymbolicRegion.</i><br><br></div></div>I'm kind of confused about the difference between SVal and SymExpr. I understand that a MemRegion models a region of the memory, i.e. this contains a value that can be obtained using context.getState()->getSVal(memRegion). My impression is that SVal is just a bridge between SymExpr and MemRegion, where SymExpr actually represents the symbolic values assigned during analysis. Is this about right?<div>
<br>
<br>> <i>Additionally, symbol death is not quite the same as local
variable death. If the value of a local variable is symbolic, and that
value gets copied somewhere else, the symbol won't die when the local
variable does.</i><br><br></div></div>This is the kind of code I'm talking about:<br><br></div>void foo()<br>{<br></div> Foo f;<br><div>}<br><br></div><div>As far as I can tell, 'f' here is actually a MemRegion, which seems counter-intuitive to me. I want to be notified when the 'f' object dies. checkDeadSymbols doesn't seem to work, I dump everything every time it's called and I don't get anything resembling what I'm looking for. I also tried checkRegionChanges, but that doesn't seem to tell me either.<br>
<br></div><div>What I'm left doing is looking when a dtor is called. checkPostCall is actually a good idea on that, although I've also figured out how to get the 'this' region from only a CheckerContext:<div>
<br>
<br>const CXXThisRegion* thisRegion = context.getStoreManager().getRegionManager().getCXXThisRegion(<br> dtor->getThisType(context.getASTContext()),<br> context.getLocationContext());<br><br></div>
</div>
<div>SVal thisVal = context.getState()->getSVal(thisRegion);<br></div><div>const MemRegion* objectRegion = thisVal.getAsRegion(); // this is 'f'<br><br></div><div>What I'm trying to do here is to check what resources the object destructor deallocates. checkDeadSymbols does tell me when a member pointer is freed using delete, but this unfortunately happens after both checkEndFunction and checkPostCall for the destructor, so it is not useful for me. Or it would be, if I had been able to get the MemRegion that contains the SymExpr that died - this would get me the FieldRegion, in which the pointer was stored, and that would be enough.<br>
Unfortunately, I get UnknownSpaceRegion if I try to do this: context.getStoreManager().getRegionManager().getSymbolicRegion(deadSymbol)->getSuperRegion(). This kind of makes sense, since the symbol is dead, so the information about where it has been is probably already lost.<br>
<br>I also tried to do checkPreStmt for CXXDeleteExpr, but here I have no clue as to how to get the SVal/SymExpr/MemRegion that is being deleted.<br><br></div><div class="gmail_extra">So I'm kind of running out of ideas here. Could you give me some pointers?<br>
<br>Thanks!<br><br></div><div class="gmail_extra">Gabor<br></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2013/7/15 Jordan Rose <span dir="ltr"><<a href="mailto:jordan_rose@apple.com" target="_blank">jordan_rose@apple.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><div>Hi, Gabor. Objects that live on the stack don't have symbols; the properties of a stack object's region is entirely known and doesn't need to be symbolic. It's a VarRegion, not a SymbolicRegion.</div>
<div><br></div><div>The good news is that regions are also uniqued, and so if you're just looking to identify an object, using the region as the key is often reasonable as well, possibly with a call to stripCasts().</div>
<div><br></div><div>Additionally, symbol death is not <i>quite</i> the same as local variable death. If the value of a local variable is symbolic, and that value gets copied somewhere else, the symbol won't die when the local variable does. (Symbol information is basically garbage collected—each cleanup starts by crawling through all the live regions and values to see what's still accessible.) Local variables have very well-defined scope rules, so all of their control is in the CFG.</div>
<div><br></div><div>Rather than using the 'this' region and checkEndFunction, why not use checkPostCall and CXXDestructorCall's getCXXThisVal? (What are you actually trying to do?)</div><div><br></div><div>Jordan</div>
<div><br></div><br><div><div><div><div>On Jul 13, 2013, at 10:30 , Gábor Kozár <<a href="mailto:kozargabor@gmail.com" target="_blank">kozargabor@gmail.com</a>> wrote:</div><br></div></div><blockquote type="cite">
<div><div><div dir="ltr"><div>Hi,<br><br><br></div><div>I'm using the Clang Static Analyzer from Clang 3.3. I want to check objects' state when they die. I tried using checkDeadSymbols, but according to the SymbolReaper, the objects of interest never die. This is my test code:<br>
<br></div><div>struct Foo<br>{<br></div><div> int* x;<br></div><div> Foo() { x = new int(10); }<br></div><div>};<br><br></div><div>int main(int argc, const char** argv)<br>{<br></div><div> Foo f;<br></div><div>
return 0;<br></div><div>}<br><br></div><div>The int* does die, but f does not. (I cannot check this directly: I just made the SymbolReaper print all symbols and regions that died, using the dead_begin(), etc. and region_begin() etc. methods). Why is this, and how can I work around it?<br>
<br></div><div>Even when there is a user-made destructor, which I can get using checkEndFunction, I'm unable to get back the symbol that represents 'f'. I spent like an hour digging through clang::ento's reference, and this was my best tip:<br>
<br>const CXXThisRegion* thisRegion = context.getStoreManager().getRegionManager().getCXXThisRegion(<br> dtor->getThisType(context.getASTContext()),<br> context.getLocationContext());<br><br></div>
<div>Unfortunately, this gives something that doesn't seem to have anything to do with 'f'. How can I get the symbol representing 'f', using only the CheckerContext and the const CXXDestructorDecl* I can obtain from the LocationContext?<br>
<br></div><div>I'm really stuck, and any help would be greatly appreciated. Thank you!<br><br>Gabor<br></div></div></div></div>
_______________________________________________<br>cfe-dev mailing list<br><a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br><a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a><br>
</blockquote></div><br></div></blockquote></div><br></div></div></div></div>
</blockquote></div><br></div>
</div></div></blockquote></div><br></div>
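<div>Added example, not code from the thread or from Clang: a simplified model of the point made in Jordan Rose's reply that symbols are reclaimed by reachability from live regions, while a stack object such as 'f' is a region and never appears among the dead symbols. The names Region, Store, reap, fooStore, heap0 and val0 are hypothetical, and the scenario is constructed after the thread's Foo test code.</div>

```cpp
// Simplified model of the reachability sweep described in the thread.
// NOT Clang's SymbolReaper: Region, Store and reap() are hypothetical names.
#include <cstdio>
#include <map>
#include <set>
#include <string>

struct Region {
    std::string parent;   // super-region (e.g. "f" for field "f.x"), "" if none
    std::string symBase;  // symbol whose pointee this region is, "" if none
};
struct Store {
    std::map<std::string, Region> regions;        // region name -> shape
    std::map<std::string, std::string> bindings;  // region name -> symbol stored there
    std::set<std::string> symbols;                // every symbol created so far
};

// Symbols that no in-scope variable can reach, i.e. what a dead-symbols callback sees.
std::set<std::string> reap(const Store &s, const std::set<std::string> &liveVars) {
    std::set<std::string> liveRegions(liveVars), liveSyms, dead;
    for (bool changed = true; changed;) {  // crawl to a fixed point
        changed = false;
        for (const auto &r : s.regions)
            if ((liveRegions.count(r.second.parent) || liveSyms.count(r.second.symBase)) &&
                liveRegions.insert(r.first).second) changed = true;
        for (const auto &b : s.bindings)
            if (liveRegions.count(b.first) && liveSyms.insert(b.second).second) changed = true;
    }
    for (const auto &sym : s.symbols)
        if (!liveSyms.count(sym)) dead.insert(sym);
    return dead;
}

// Constructed scenario after the thread's test code: Foo f; f.x = new int(...).
Store fooStore(bool copyToGlobal) {
    Store s;
    s.regions = {{"f", {"", ""}}, {"f.x", {"f", ""}}, {"g", {"", ""}}, {"*heap0", {"", "heap0"}}};
    s.symbols = {"heap0", "val0"};
    s.bindings = {{"f.x", "heap0"}, {"*heap0", "val0"}};
    if (copyToGlobal) s.bindings["g"] = "heap0";  // pointer value escapes to a global
    return s;
}

int main() {
    std::printf("in scope: %zu dead\n", reap(fooStore(false), {"f", "g"}).size());
    std::printf("f gone:   %zu dead\n", reap(fooStore(false), {"g"}).size());
    std::printf("escaped:  %zu dead\n", reap(fooStore(true), {"g"}).size());
}
```

<div>In the model, 'f' leaving scope shows up only indirectly, as the death of the symbols that were reachable solely through its fields; once the pointer value has been copied to the global, nothing dies at all.</div>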