<div dir="ltr"><div><div><div><div><div><div>Hello,<br><br>Having reread the docs, I have several questions.<br><br></div>1) During the presentation you say that the order in which checker callbacks happen is not guaranteed by the analyzer as it explores the CFG. As far as I know, for example, PreCall will always be called before a PostCall event, and PreStmt always before a PostStmt. I don't really understand what you were referring to.<br>
<br>2) Should a checker be interested only in the parameter being passed during a function call, I guess it wouldn't make any difference whether checking the parameter in a PreCall event or in a PostCall event, would it? However, in this case, is it better to only register for the PreCall callback/event because of performance reasons?<br>
<br></div>3) When tracking the use of values (variables) between callbacks, if needed, checkers must use the ProgramState as a means of preserving custom information. This is clear. It's best to refer to those values by the underlying symbol (symbolic representation) created by the analyzer. In my case, I want to track the use of pointers to char (variables of type char *). In this case, the 1st argumento to checkBind callback will be a MemRegionVal. Reading the documentation, the counterpart of a symbol (SymbolRef in terms of the API) with regard to MemRegions is a SymbolicRegion.<br>
<br></div>Let's consider the following:<br></div><div></div><span style="font-family:courier new,monospace">char *s = "string literal";<br>char pwd[] = "password";<br>char *p;<br></span></div><span style="font-family:courier new,monospace"><b>p = s; (1)</b><br>
</span><span style="font-family:courier new,monospace"><b>p = pwd; (2)</b></span><br></div><br>To be able to track the use of "p" --as in (1) and (2) above-- I was thinking of obtaining a symbol that represents that variable (memory region) and save that symbol in the ProgramState in case there's a future reference to it in the program being analyzed, similar to the idea in the sample SimpleStreamChecker. Why in this case "p" is not a symbolic region? Reading the API, I thought the best way would be: getSymbolicBase() to be able to call getSymbol() on the result, but the former returns NULL. So, did I misunderstood and MemRegion is just the counterpart of a SymbolRef? If so, what would be the best way of saving a MemRegion's symbolic representation in the ProgramState?<br>
<br>I'm confused. Any hint or suggestion would be highly appreciated<br>Many thanks.<br><div><div><div><div>
<div class="gmail_extra"><br><div class="gmail_quote">2014-05-08 19:57 GMT+02:00 Aitor San Juan <span dir="ltr"><<a href="mailto:aitor.sj@opendeusto.es" target="_blank">aitor.sj@opendeusto.es</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><div>Watching that presentation you mention was one of the 1st things I did some time ago. I think I'll watch it again to refresh.<br><br></div><div>I'll reread again the docs with your comments in mind.<br>
</div><div><br></div>Thanks for the clarifications, Jordan.</div><div class="gmail_extra"><br><br><div class="gmail_quote">2014-05-08 6:02 GMT+02:00 Jordan Rose <span dir="ltr"><<a href="mailto:jordan_rose@apple.com" target="_blank">jordan_rose@apple.com</a>></span>:<div>
<div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div>Hello, Aitor. I'm afraid you're still getting SVals, symbols, and MemRegions somewhat mixed up. They are not interchangeable. Have you watched our presentation on writing a checker yet? (Linked here: <a href="http://clang-analyzer.llvm.org/checker_dev_manual.html" target="_blank">http://clang-analyzer.llvm.org/checker_dev_manual.html</a>) I'm sorry it's not really incorporated into the rest of the Checker Development Manual, but the video is probably still the clearest introduction to analyzer core concepts that we have.</div>
<div><br></div><div><br></div><div><div><blockquote type="cite"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">1) To test if Loc is a MemRegionVal I use the following, but there's something wrong I can't figure out (it doesn't compile), and I'm stuck (as far as I know, MemRegionVal is a subclass of SVal):<br>
<br><span style="font-family:'courier new',monospace">if (clang::isa<loc::MemRegionVal></span><span style="font-family:'courier new',monospace">(Loc)) ...</span><span style="font-family:arial,helvetica,sans-serif"><br>
</span><span style="font-family:'courier new',monospace"></span></div></blockquote></div></div></blockquote><div><br></div></div><div><div>This is a bit mundane—you can only use isa<> on pointers and references, but SVals are passed around by value. As you discovered, you can use getAs.</div>
</div><div><div><br></div><div><blockquote type="cite"><div dir="ltr"><div><div><span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif">SymbolRef sym = L->getAsLocSymbol();<br>
</span></span></div><span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif"></span></span><span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif">SymbolRef sym = VLoc.getAsLocSymbol();<br>
</span></span></div><span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif"></span></span><span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif">SymbolRef sym = VLoc.getAsSymbol()</span></span>;<br>
<div></div></div></blockquote></div><div><br></div></div><div>The second one will handle everything the first one handles, as well as locations cast to integer values (like "(intptr_t)&x"). The last one will also give you back symbols for non-location values. But not all memory regions are based on symbols (a local variable does not need a symbol), and of course not all symbolic values are memory regions (the result of random() is an integer).</div>
<div><div><br></div><br><blockquote type="cite"><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr"><span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif">2) ElementRegion doesn't belong to the SVal class hierarchy</span></span>. <span style="font-family:'courier new',monospace"><span style="font-family:arial,helvetica,sans-serif">How can I know if Loc is an ElementRegin?</span></span></div>
</blockquote></div></div></blockquote><br></div></div><div>That's not really a good question. What you really want to know is if a given location is within a constant string region. That's a much simpler question.</div>
<div><br></div><div>// Does this value represent the address of a region?</div><div>const MemRegion *MR = V.getAsRegion();</div><div>if (!MR)</div><div> return;</div><div><br></div><div>bool isString = isa<StringRegion>(MR->getBaseRegion());</div>
<div><br></div><div>This isn't going to cover <i>all</i> use cases, but it does cover this one much more nicely than trying to pattern-match on ElementRegion.</div><div><br></div><div>(Finally, of course, -fconst-strings is a much safer way to handle this kind of issue, but that doesn't help if you have an existing codebase.)</div>
<span><font color="#888888"><div><br></div><div>Jordan</div><div><br></div></font></span></div></blockquote></div></div></div><br></div>
</blockquote></div><br></div></div></div></div></div></div>