<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello Haowei,<br>
<br>
After call to request(), both values of fd1 and fd2 should become
symbolic. This is because its body is not available in the current
translation unit so the analyzer invalidates the values of
argument pointers. I can see this behaviour while reproducing your
test - both fd1 and fd2 are assigned with SymbolConjured.<br>
This behaviour you observe looks strange. Do you try to perform
evalCall() on request() function? If so, you could forgot to
invalidate the arguments. Could you post your checker here?<br>
<br>
<br>
23.05.2017 03:21, Haowei Wu via cfe-dev пишет:<br>
</div>
<blockquote type="cite"
cite="mid:CAJ+zqLgKxkG84jtK8jMh8U_V4XAe7EagUHBNgVcf7p9f+4wmdQ@mail.gmail.com">
<div dir="ltr">Hi,
<div><br>
</div>
<div>I am new to clang and I am developing a checker to detect
resource leaks that is similar to the <span style="color:rgb(0,0,0);white-space:pre-wrap">SimpleStreamChecker</span> except
that the target function is passing its return value through
parameters. The example code would be like:<br>
</div>
<div><br>
</div>
<div>
<div>int request(int * arg1, int * arg2);</div>
<div>int release(int arg1);</div>
</div>
<div>void foo() {</div>
<div> int fd1 = 0, fd2 = 0;</div>
<div> </div>
<div> request(&fd1, &fd2);</div>
<div><br>
</div>
<div> // ..... some unrelated code</div>
<div><br>
</div>
<div> release(fd1);</div>
<div> release(fd2);</div>
<div>}</div>
<div><br>
</div>
<div><br>
</div>
<div>Here, the integer fd1 and fd2 are resource descriptors that
should be assigned with unique integer values after the
"request(&fd1, &fd2)" call. The resource will be
leaked if someone forgot to call "release(fd)" on a resource
descriptor.</div>
<div><br>
</div>
<div>The problem is , if I use the "Call.getArgSVal(0)" on the
calls to the "release(fd1)" or "release(fd2)" function, I
only get a "ConcreteInt" which is the value "0" that I
assigned in the initializer instead of a SVal with a
SymbolRef. In this case, I cannot determine if the value in
"fd1" is the same value that is assigned after the call to the
"request(&fd1, &fd2)".</div>
<div><br>
</div>
<div>
<div>The original <span style="color:rgb(0,0,0);white-space:pre-wrap">SimpleStreamChecker does not have this issue because the </span>file
descriptor (to be precise, it is FILE *) used in "FILE *F =
fopen("mylog.txt", "w");" is passed through the return value
instead of parameter. In this case, clang will allocate a
SymbolRef for "F". And it will be the same one if I call
"Call.getReturnValue().getAsSymbol()" on a "fclose(F)".</div>
</div>
<div><br>
</div>
<div>My question is, is there anyway to allocate SymbolRef to
the variables pointed by arg1 and arg2 manually in the
checkPreCall for the "int request(int * arg1, int * arg2)"? So
in checkPostCall for "int release(int arg1);" I can use
"Call.getReturnValue().getAsSymbol()" to check if the
SymbolRef of "arg1" is the same one that allocated in "int
request(int * arg1, int * arg2)"?</div>
<div><br>
</div>
<div>Thanks for any help,</div>
<div>Haowei</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div><br>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
cfe-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cfe-dev@lists.llvm.org">cfe-dev@lists.llvm.org</a>
<a class="moz-txt-link-freetext" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a>
</pre>
</blockquote>
<p><br>
</p>
<pre class="moz-signature" cols="72">--
Best regards,
Aleksei Sidorin,
SRR, Samsung Electronics
</pre>
</body>
</html>