<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>You've got the idea correct. Here's how I would explain it:</div><div><br></div><div>An SVal represents any sort of value, something that can be "the value of an expression" or "the value currently stored in a variable". A MemRegion represents, well, a region of memory. So a loc::MemRegionVal is a value that represents (the address of) a region in memory, and when you use getAsRegion(), you're saying "I want to see if this value refers to a region of memory, and if so, which region."</div><div><br></div><div>(I've tried to avoid saying "the value <i>of</i> a region", since then it's unclear whether you mean its address or its contents.)</div><div><br></div><div>A lot more of this is described (verbosely) in the "<a href="http://clang-analyzer.llvm.org/checker_dev_manual.html#values">Representing Values</a>" section of the Checker Developer Manual on the analyzer site, and in the first half of the "Building a Checker in 24 Hours" talk linked <a href="http://clang-analyzer.llvm.org/checker_dev_manual.html">at the top of the same page</a>.</div><div><br></div><div>Hope that helps clear things up!</div><div>Jordan</div><div><br></div><br><div><div>On Feb 19, 2014, at 8:43 , Per Viberg <<a href="mailto:Per.Viberg@evidente.se">Per.Viberg@evidente.se</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div ocsi="0" fpstyle="1" style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-stroke-width: 0px; word-wrap: break-word;"><div style="direction: ltr; font-family: Tahoma; font-size: 10pt;">Hi Jordan,<br><br>thanks for 
the quick reply! It helped a lot.<br><br><br>while on the topic,<br><br>this:<br><br><font face="Courier New">const MemRegion *MR = ArgVal.getAsRegion();</font><br><br>is basically casting the<span class="Apple-converted-space"> </span><font face="Courier New">SVal ArgVal</font><span class="Apple-converted-space"> </span>as a MemRegion (which I assume is something like a pointer in C), so you can access the symbol that it points to (using<span class="Apple-converted-space"> </span><font face="Courier New">getSVal</font>)?<br><br>Am I roughly correct?<br><div><br><br>cheers!<br>/Per<br><div style="font-size: 13px; font-family: Tahoma;"><div style="margin-top: 0px; margin-bottom: 0px;"><span lang="EN-US" style="font-size: 8pt; font-family: Arial, sans-serif; color: gray;">.......................................................................................................................</span><span lang="EN-US" style="font-size: 8pt; font-family: Arial, sans-serif;"><br>Per Viberg<span class="Apple-converted-space"> </span></span><span lang="EN-US" style="font-size: 8pt; font-family: Arial, sans-serif; color: gray;">Senior Engineer</span><span lang="EN-US" style="font-size: 8.5pt; font-family: Arial, sans-serif; color: gray;"><br>Evidente ES East</span><span lang="EN-US" style="font-size: 8pt; font-family: Arial, sans-serif; color: gray;"><span class="Apple-converted-space"> </span>AB Warfvinges väg 34 SE-112 51 Stockholm Sweden</span><span lang="EN-US" style="font-size: 10pt; font-family: Tahoma, sans-serif;"></span></div><div style="margin-top: 0px; margin-bottom: 0px;"><span lang="EN-GB" style="font-size: 8pt; font-family: Arial, sans-serif; color: gray;">Phone: +46 (0)8 402 79 00<br>Mobile: +46 (0)70 912 42 52<br>E-mail: <span class="Apple-converted-space"> </span><a href="mailto:Per.Viberg@evidente.se" target="_blank"><font color="#0000ff">Per.Viberg@evidente.se</font></a><span class="Apple-converted-space"> </span></span><span lang="EN-GB" 
style="font-size: 8pt; font-family: Arial, sans-serif;"><br><br><a href="http://www.evidente.se/" target="_blank"><font color="#0000ff">www.evidente.se</font></a></span></div><div style="margin-top: 0px; margin-bottom: 0px;"><span lang="EN-GB" style="font-size: 6pt; font-family: Arial, sans-serif;">This e-mail, which might contain confidential information, is addressed to the above stated person/company. If you are not the correct addressee, employee or in any other way the person concerned, please notify the sender immediately. At the same time, please delete this e-mail and destroy any prints. Thank You.</span></div></div></div><div style="font-family: 'Times New Roman'; font-size: 16px;"><hr tabindex="-1"><div id="divRpF847143" style="direction: ltr;"><font face="Tahoma" size="2"><b>From:</b><span class="Apple-converted-space"> </span>Jordan Rose [<a href="mailto:jordan_rose@apple.com">jordan_rose@apple.com</a>]<br><b>Sent:</b><span class="Apple-converted-space"> </span>18 February 2014 18:04<br><b>To:</b><span class="Apple-converted-space"> </span>Per Viberg<br><b>Cc:</b><span class="Apple-converted-space"> </span>"Clang Dev [<a href="mailto:cfe-dev@cs.uiuc.edu">cfe-dev@cs.uiuc.edu</a>]"; Anders Rönnholm; Daniel Marjamäki<br><b>Subject:</b><span class="Apple-converted-space"> </span>Re: [cfe-dev] How to access SVal of SubExpr with LocationContext<br></font><br></div><div></div><div><div>Hi, Per. Yeah, what you're trying to do isn't directly supported. The structure that maps from statements (Stmt*) to values (SVal) is called the Environment, and it very deliberately only holds values necessary to compute the next expression. 
For example, in the expression "(x + y) + z", the value for the subexpression "x + y" is live when trying to evaluate the whole thing, as is "z", but "x" and "y" have already been consumed and so have been taken out of the map to save memory.</div><div><br></div><div>What you should actually do here is load the value<span class="Apple-converted-space"> </span><i>stored</i> in 'par'. That will look something like this:</div><div><br></div><div><font face="Courier New">SVal ArgVal = Call.getArgSVal(0); // "par"</font></div><div><font face="Courier New">const MemRegion *MR = ArgVal.getAsRegion();</font></div><div><font face="Courier New">if (!MR)</font></div><div><font face="Courier New"> return;</font></div><div><font face="Courier New">SVal DerefVal = State->getSVal(MR); // "*par"</font></div><div><br></div><div>And now you can check if DerefVal is uninitialized. (Another advantage of this code is that it's also correct for a reference argument.)</div><div><br></div><div>By the way, this is a good idea for a check. 
Thanks for working on it!</div><div>Jordan</div><div><br></div><br><div><div>On Feb 17, 2014, at 9:58 , Per Viberg <<a href="mailto:Per.Viberg@evidente.se" target="_blank">Per.Viberg@evidente.se</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div style="font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px;"><div style="direction: ltr; font-family: Tahoma; font-size: 10pt;">Hi,<span class="Apple-converted-space"> </span><br><br>I was wondering if there is a way to get<span class="Apple-converted-space"> </span><font face="Courier New">SVal<span class="Apple-converted-space"> </span></font><font face="Courier New"><font face="Tahoma">of a</font><span class="Apple-converted-space"> </span>SubExpr</font><span class="Apple-converted-space"> </span>with<span class="Apple-converted-space"> </span><br>the<span class="Apple-converted-space"> </span><font face="Courier New">LocationContext<span class="Apple-converted-space"> </span><font face="Tahoma">at a function call.</font><span class="Apple-converted-space"> </span><font face="Tahoma"><br></font></font><br>Here is what I mean:<br><br>A function fun is declared and called like this:<br><br><font face="Courier New">Type arg; //1.<br>fun(Type* par){...} //2.<br>fun(&arg); //3.<br></font><font face="Courier New"><br><br></font>If I wanted to detect if<span class="Apple-converted-space"> </span><font face="Courier New">arg</font><span class="Apple-converted-space"> </span>was uninitialized when the function fun is called (line 3.), I would use:<span class="Apple-converted-space"> </span><br><br><font face="Courier New">const CallEvent Call;</font><br><font face="Courier New">CheckerContext C;</font><br><font face="Courier New">Expr* argExp = 
Call.getArgExpr(0);</font><br><font face="Courier New">ProgramStateRef state = C.getState();<span class="Apple-converted-space"> </span><br>const LocationContext *LCtx = C.getLocationContext();<br>SVal LV = state->getSVal(argExp, LCtx);</font><br><font face="Courier New">bool FirstArgIsUndef = LV.isUndef();</font><br><br><font face="Courier New">FirstArgIsUndef</font><span class="Apple-converted-space"> </span>will be false, because the address of <span class="Apple-converted-space"> </span><font face="Courier New">arg</font><span class="Apple-converted-space"> </span>does exist.<br><br>But now I want to detect if that which arg/par is pointing at is uninitialized, how would I do that?<br><br><br>I started experimenting with this in<span class="Apple-converted-space"> </span><font face="Courier New"><font face="Tahoma">CallAndMessageChecker::checkPreCall</font></font>:<br><br><font face="Courier New">const Expr* argExp = Call.getArgExpr(i);</font><br><font face="Courier New">const Expr* argExpPure = argExp->IgnoreImpCasts();<br><br>if(const UnaryOperator* unOp = dyn_cast&lt;UnaryOperator&gt;(argExpPure))<br>{<br> UnaryOperator::Opcode opc = unOp->getOpcode();<br> if(opc == UO_AddrOf)// '&' operator<br> {<br> Expr* referencedInputArg = unOp->getSubExpr(); // in a dump() I see that this is really the argument arg (not par)<br> SVal refVal = state->getSVal(referencedInputArg, LCtx);<br> bool unknownRefVal = refVal.isUnknown();<br> bool validRefVal = refVal.isValid();<br> bool undefRefVal = refVal.isUndef();<br> }<br>}<br><br><font face="Tahoma">it turns out that it will set<span class="Apple-converted-space"> </span></font></font><font face="Courier New"><font face="Tahoma"><font face="Courier New">refVal</font><span class="Apple-converted-space"> </span>to isUnknown() instead of isUndef(). 
The context LCtx seems to forget that the SubExpr <span class="Apple-converted-space"> </span></font></font>(that is here<span class="Apple-converted-space"> </span><br><font face="Courier New"><font face="Tahoma"><font face="Courier New">arg)<span class="Apple-converted-space"> </span><font face="Tahoma">is uninitialized. I put this code in the<span class="Apple-converted-space"> </span></font></font>CallAndMessageChecker::checkPreCall, perhaps this is the wrong place? or do I need to use the LCtx in another way so that it remembers the SVal of SubExpr too?<br><br></font></font><font face="Courier New"><font face="Tahoma" size="2"></font><br></font>/Per<br><div><br></div>
<div style="font-family: 'Times New Roman'; font-size: 16px;"><hr tabindex="-1"><div id="divRpF224886" style="direction: ltr;"><font face="Tahoma" size="2"><b>From:</b><span class="Apple-converted-space"> </span>Per Viberg<br><b>Sent:</b><span class="Apple-converted-space"> </span>14 February 2014 13:41<br><b>To:</b><span class="Apple-converted-space"> </span>Clang Dev [<a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a>]<br><b>Subject:</b><span class="Apple-converted-space"> </span>improving detection of uninitialized arguments (the CallAndMessageChecker)<br></font><br></div><div></div><div><div style="direction: ltr; font-family: Tahoma; font-size: 10pt;"><br><div>Hi,<br><br>I'm looking into extending the check that warns for uninitialized arguments. Below I've described what should be detected. 
Any opinions on if it's a useful check or potential problems/drawbacks with it?<br><br>Check: should this be detected as a warning for uninitialized argument?: <b><font face="Courier New">"warning: Function call argument is an uninitialized value"</font></b><br><br><b><font face="Courier New">void doStuff(const int *p);<br>void f(void);<br><br>void f(void) {<br> int x;<br> doStuff(&x); // ← warning?<br>}</font></b><br><br>My rationale behind the warning:<br>1. it's not possible to write to *p, because it's of type const<br>2. content of *p is an uninitialized stack value, and shouldn't be used.<br>3. the value of p is of no interest, since it's an address of a stack variable.<br><br>if any of the above criteria are not fulfilled, then no warning. Thus the function prototype must state pointer to const for the argument, the variable that the function is called with must be the address of a local/stack variable.<br><br>currently, only this is detected:<br><br><b><font face="Courier New">void doStuff2(int p);<br>void g(void);<br><br>void g(void) {<br> int y;<br> doStuff2(y); //<span class="Apple-converted-space"> </span></font></b><b><font face="Courier New">warning: Function call argument is an uninitialized value<br>}</font></b><br><br><br>/Per<br><br><br><br></div>
<div style="font-family: 'Times New Roman'; font-size: 16px;"><hr tabindex="-1"><br></div></div></div></div></div>_______________________________________________<br>cfe-dev mailing list<br><a href="mailto:cfe-dev@cs.uiuc.edu" target="_blank">cfe-dev@cs.uiuc.edu</a><br><a href="http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev</a></div></blockquote></div></div></div></div></div></blockquote></div><br></body></html>