<div dir="ltr"><div class="gmail_quote">On Tue, Mar 17, 2015 at 4:00 PM Bhargava Shastry <<a href="mailto:bshastry@sec.t-labs.tu-berlin.de">bshastry@sec.t-labs.tu-berlin.de</a>> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">On a tangent, does Google use Clang SA on large codebases esp. Chromium<br>
that has a massive C++ LoC count? If not, what are the top reasons for<br>
not doing so? Lack of C++ support seems to be the Google position on<br>
this [1], but I am wondering if that is the only reason.<br></blockquote><div><br></div><div>Yes, this is the only reason; we'd *love* to be able to use it. I already shot considerable time and effort into trying to get this good enough, but I think I'd need to spend another couple of weeks, which I currently just don't have.</div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
[1]: <a href="https://code.google.com/p/chromium/wiki/ClangStaticAnalyzer" target="_blank">https://code.google.com/p/chromium/wiki/ClangStaticAnalyzer</a><br>
<br>
Regards,<br>
Bhargava<br>
<br>
On 03/17/2015 03:00 PM, Manuel Klimek wrote:<br>
> On Tue, Mar 17, 2015 at 2:50 PM Bhargava Shastry<br>
> <<a href="mailto:bshastry@sec.t-labs.tu-berlin.de" target="_blank">bshastry@sec.t-labs.tu-berlin.de</a><br>
> <mailto:<a href="mailto:bshastry@sec.t-labs.tu-berlin.de" target="_blank">bshastry@sec.t-labs.tu-berlin.de</a>>> wrote:<br>
><br>
> Hi,<br>
><br>
> On 03/17/2015 01:09 PM, Manuel Klimek wrote:<br>
> > How can you prove a comparison against garbage value from that code?<br>
> > Seems like somebody can set m_x to anything between the<br>
> constructor and<br>
> > the call to method.<br>
> > If you want to catch this, you'll at least need:<br>
> > void f() {<br>
> > foo f;<br>
> > f.method();<br>
> > }<br>
><br>
> Apologies for having left out the crucial function that instantiates a<br>
> foo object. Agree that this is the missing piece.<br>
><br>
> > ... and then the SA needs to "inline" both the call to the constructor<br>
> > and the method call to see the problem.<br>
><br>
> My understanding is that, during symbolic execution, Clang SA "visits"<br>
> function calls in the procedure under analysis. So, in the function void<br>
> f() above, Clang SA would metaphorically step into foo's constructor and<br>
> subsequently method() and prove garbage value in two steps i.e.,<br>
><br>
><br>
> Yes, that's what the SA calls "inlining". I agree that it's confusing :)<br>
><br>
><br>
><br>
> Step 1. Call to f.method() from void f()<br>
> Step 2. Garbage value comparison in method()<br>
><br>
> Is inlining how Clang SA really does this? Afaik, Clang SA visits the<br>
> call graph for a translation unit in topological order. In the example,<br>
> this means, when void f() is being analyzed, both ctor declaration and<br>
> method declarations would be visited, no?<br>
><br>
><br>
> Well, it depends. Whether the SA drills into a function depends on many<br>
> things.<br>
><br>
><br>
><br>
><br>
> Regards,<br>
> Bhargava<br>
><br>
> --<br>
> Bhargava Shastry <<a href="mailto:bshastry@sec.t-labs.tu-berlin.de" target="_blank">bshastry@sec.t-labs.tu-berlin.de</a><br>
> <mailto:<a href="mailto:bshastry@sec.t-labs.tu-berlin.de" target="_blank">bshastry@sec.t-labs.tu-berlin.de</a>>><br>
> Security in Telecommunications<br>
> TU Berlin / Telekom Innovation Laboratories<br>
> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany<br>
> phone: +49 30 8353 58235<br>
><br>
<br>
--<br>
Bhargava Shastry <<a href="mailto:bshastry@sec.t-labs.tu-berlin.de" target="_blank">bshastry@sec.t-labs.tu-berlin.de</a>><br>
Security in Telecommunications<br>
TU Berlin / Telekom Innovation Laboratories<br>
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany<br>
phone: +49 30 8353 58235<br>
</blockquote></div></div>
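As an added example (not code from the thread), here is a complete, compilable reconstruction of the pattern the two are discussing, placed beside a hardened version: a class foo whose constructor leaves the member m_x uninitialized, a method() that branches on it, and the caller f() that gives the analyzer a full constructor-to-method path. The names foo, m_x, method and f come from the thread; the int type of m_x and the exact body of method() are assumptions.

```cpp
#include <cassert>

// Assumed reconstruction of the class from the thread. The analyzer cannot
// flag method() on its own: some caller might assign m_x between the
// constructor and the call. It reports the garbage-value branch only when
// it "inlines" both the constructor and method() while analyzing f().
struct foo {
    int m_x;
    foo() {}                                  // BUG: m_x left uninitialized
    bool method() const { return m_x > 0; }   // branch on a garbage value
};

// The missing driver from the thread: constructs foo, then calls method().
// Running `clang++ --analyze` on this file reports the branch in method()
// along this path.
bool f() {
    foo obj;
    return obj.method();                      // undefined behaviour here
}

// Hardened form: the constructor initializes m_x, so every branch in
// method() is on a defined value and the analyzer has nothing to report.
struct foo_fixed {
    int m_x;
    foo_fixed() : m_x(0) {}
    bool method() const { return m_x > 0; }
};

bool f_fixed() {
    foo_fixed obj;
    return obj.method();                      // always false: m_x == 0
}

int main() {
    // Only the hardened path is executed; f() is kept for the analyzer run.
    assert(f_fixed() == false);
    return 0;
}
```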