<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
LLVM-3.4 is ancient, you should try to update if possible. Clang is
generally easy to compile from scratch, and it's easier than loading
plugins, though linking might be a bit memory-intensive.<br>
<br>
I also encourage you to either write -cc1 -analyze, or --analyze
-Xclang -analyzer-checker (analyze with double dash and without
-Xclang), see more info on this at
<a class="moz-txt-link-freetext" href="http://clang-analyzer.llvm.org/checker_dev_manual.html">http://clang-analyzer.llvm.org/checker_dev_manual.html</a><br>
<br>
I don't understand what are you trying to achieve by testing if
location is a null pointer via assume(L), because it doesn't seem to
be anyhow aligned with your goals.<br>
<br>
That said, i don't understand what you mean by "buffer"; there's no
formal definition of such concept in the language. Did you mean
"array"? Would access to a field of a field of a field ... of a
field of a structure within an array of similar structures be
described as a buffer access?<br>
<br>
Generally, the type stored in the memory region is available
whenever the region is a sub-class of TypedValueRegion. If you're
accessing an array element, the location is likely to be the region
of the element, not of the whole array, so you may need to have a
look at the superregion. Not all regions are TypedValueRegions; the
most important example of a non-typed region is SymbolicRegion which
appears when you don't know, within the realm of your analysis,
where exactly does the pointer point to. In this case the
pointee-type of the pointer-type of the symbol that denotes the
unknown pointer value would not necessarily be the type of the value
stored behind this pointer. In fact, the pointer might as well be of
type void *, but it doesn't mean that it points to a "value of type
void".<br>
<br>
In case you haven't seen it yet, i mostly explained this sort of
stuff in a re-usable manner in my old workbook at
<a class="moz-txt-link-freetext" href="https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf">https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf</a><br>
<br>
Also you shouldn't throw bug reports against a node generated by
addTransition(); use generateErrorNode() or
generateNonFatalErrorNode(), depending on whether you want to
continue analysis after an emitting a warning.<br>
<br>
<br>
<div class="moz-cite-prefix">On 10/2/18 8:46 PM, changze cui via
cfe-dev wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAMuLasLzHTeTJX+0jUdihCQtoBnh226Y=LVXJ4PUh0uV9XxanQ@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div dir="ltr">Hi all,
<div> Big thank to all of u guys for building such an
amazing tool.</div>
<div> Here comes my question. I am a new guy in clang. For
now, I want to write a checker to check all buffer access
(read/write about int */char */char []/......). I use
checkLocation to do this. But there are a lot of false
positive.</div>
<div> I put the details here: <a
href="https://stackoverflow.com/questions/52619110/how-to-detect-all-buffer-access-by-using-clang-static-checker"
moz-do-not-send="true">https://stackoverflow.com/questions/52619110/how-to-detect-all-buffer-access-by-using-clang-static-checker</a></div>
<div> I am very grateful to see ur reply!</div>
<div><br>
</div>
<div>Thanks & Regrads,</div>
<div>Chaz</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<pre class="moz-quote-pre" wrap="">_______________________________________________
cfe-dev mailing list
<a class="moz-txt-link-abbreviated" href="mailto:cfe-dev@lists.llvm.org">cfe-dev@lists.llvm.org</a>
<a class="moz-txt-link-freetext" href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a>
</pre>
</blockquote>
<br>
</body>
</html>