<div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi Anna,<br><br></div>I'm building a checker that detects inconsistent pointer usages, for example when a pointer is dereferenced, then along the same path is null-checked (without its value changing in between, obviously). Code example:<br>
<br></div>Foo* f = getFoo();<br></div>f->bar();<br><br></div>if(f) // warn<br>{ ... }<br><br></div>I want to be able to do this with aliases as well, for example:<br><br></div>Foo* f = getFoo();<br></div>f->bar();<br>
<br>Foo* g = f;<br>if(g) // warn<br>{ ... }<br><br></div>What I need is to be able to get the SVals representing 'f' and 'g' when checkBind is called on the Foo* g = f; line. Currently, instead of 'f', Clang gives me the value that was bound to 'f'.<br>
<br></div>Thanks for your help!<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/7/23 Anna Zaks <span dir="ltr"><<a href="mailto:ganna@apple.com" target="_blank">ganna@apple.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div style="word-wrap:break-word"><br><div><div class="im"><div>On Jul 23, 2013, at 9:21 AM, Gábor Kozár <<a href="mailto:kozargabor@gmail.com" target="_blank">kozargabor@gmail.com</a>> wrote:</div>
<br><blockquote type="cite"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div dir="ltr"><div><div><div><div><div>During the analysis of a test code, the following two bindings happen (checkBind), with their respective source lines:<br>
<br></div>(Bind: location <= value)<br><br>Bind: &fp <= &SymRegion{conj_$4{struct Foo *}}<br></div>Code: Foo* fp = getFooPtr();<br><br>Bind: &ap <= &SymRegion{conj_$4{struct Foo *}}<br></div>Code: Foo* ap = fp;<br>
<br></div>In the second line, I need to detect that 'ap' is in fact the alias of 'fp'. Unfortunately, I cannot seem to find any way to get Clang SA to tell me that "&SymRegion{conj_$4{struct Foo *}}" is stored in "fp", which seems weird, because the source code is very clear.<br>
</div></div></div></blockquote><div dir="auto"><br></div></div><div dir="auto">As you observe the two binds you see that the same value is stored in both.</div><div dir="auto"><br></div><div dir="auto">The analyzer does not perform alias analyzes as in it does not build sets of aliases. As it models the execution in presence of aliases, we did not find a need for the alias sets. Can you give a bit more background on why you need this info? Maybe your goal can be achieved differently?</div>
<br><blockquote type="cite"><div style="letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px"><div class="im"><div dir="ltr"><div><br></div><div>Some of the information I extracted, but is not really useful to me:<br>
</div><div> - original SVal: &SymRegion{conj_$4{struct Foo *}}<br></div><div> - getAsRegion(): SymRegion{conj_$4{struct Foo *}}<br></div><div> - state->getSVal(): &SymRegion{reg_$6<element{SymRegion{conj_$4{struct Foo *}},0 S32b,struct Foo *}>} -- in fact, I have no idea what this is<br>
</div><div> - getAsSymbol(): conj_$4{struct Foo *}<br></div><div><br></div>As a workaround, I can keep track of this information myself, but there must be a built-in way to do this.<br>Any help would be appreciated. Many thanks!<br>
</div></div>_______________________________________________<br>cfe-dev mailing list<br><a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br><a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a></div>
</blockquote></div><br></div></blockquote></div><br></div>