<html><head><meta http-equiv="Content-Type" content="text/html; charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class="">Do you mean Klee or the Clang Static Analyzer?<div class=""><br class=""></div><div class="">For Klee, there is a separate mailing list. For CSA, you could just have two invocations: with and without -DSTATS=1.</div><div class="">You could also try to write a tool to generate all possible invocations if you want to consider all possible combinations of defined/undefined macros.<br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On Jan 3, 2019, at 2:27 AM, changze cui via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" class="">cfe-dev@lists.llvm.org</a>> wrote:</div><br class="Apple-interchange-newline"><div class=""><div dir="ltr" class="">Hi all,<div class=""> Recently, I have been using the Clang static checker to find buffer-overflow-related bugs. There is one case where the buggy code will be executed only if STATS is defined (#ifdef STATS). I hope my checker can find all the bugs in a program even in cases where the code will not be executed for now. Do you have any idea how I can achieve this?</div><div class=""> The following is a part of the buggy code. Since "STATS" is not defined, variables a and ns will be NULL. Thus, some code will not be checked by Clang and the checker will miss one bug.</div><div class=""> I put the full code in the attached file. Let me know if you have any solution.
Thanks in advance!!</div><div class=""><br class=""></div><div class="">Regards,</div><div class="">Chaz</div><div class=""> </div><div style="background-color:rgb(30,30,30);font-family:"Droid Sans Mono",monospace,monospace,"Droid Sans Fallback";font-size:14px;line-height:19px;white-space:pre" class=""><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(86,156,214)" class="">static</span> <span style="color:rgb(86,156,214)" class="">void </span><span style="color:rgb(220,220,170)" class="">nslookupComplain</span>(sysloginfo, queryname, complaint, dname, a_rr, nsdp)</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(86,156,214)" class="">const</span> <span style="color:rgb(86,156,214)" class="">char</span> *sysloginfo, *queryname, *complaint, *dname;</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(86,156,214)" class="">const</span> <span style="color:rgb(86,156,214)" class="">struct</span> databuf *a_rr, *nsdp;</div><div style="color:rgb(212,212,212)" class="">{</div><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(197,134,192)" class="">#ifdef</span><span style="color:rgb(86,156,214)" class=""> </span><span style="color:rgb(220,220,170)" class="">STATS</span></div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(86,156,214)" class="">char</span> nsbuf[<span style="color:rgb(181,206,168)" class="">20</span>];</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(86,156,214)" class="">char</span> abuf[<span style="color:rgb(181,206,168)" class="">20</span>];</div><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(197,134,192)" class="">#endif</span></div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(86,156,214)" class="">char</span> *a, *ns; </div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(197,134,192)" class="">if</span> (sysloginfo && queryname)</div><div 
style="color:rgb(212,212,212)" class=""> {</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(86,156,214)" class="">char</span> buf[<span style="color:rgb(181,206,168)" class="">999</span>];</div><font color="#d4d4d4" class=""><br class=""></font><div style="color:rgb(212,212,212)" class=""> a = ns = (<span style="color:rgb(86,156,214)" class="">char</span> *)<span style="color:rgb(86,156,214)" class="">NULL</span>;</div><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(197,134,192)" class="">#ifdef</span><span style="color:rgb(86,156,214)" class=""> </span><span style="color:rgb(220,220,170)" class="">STATS </span></div><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(220,220,170)" class=""> </span><span style="color:rgb(106,153,85)" class="">/* this part will not be executed because STATS is not defined */</span></div><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(106,153,85)" class=""> </span><span style="color:rgb(106,153,85)" class="">/* so a and ns will be equal to NULL */</span></div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(197,134,192)" class="">if</span> (nsdp) {</div><div style="" class=""><font color="#d4d4d4" class=""> </font><span style="color:rgb(106,153,85)" class="">/* assign value to a and ns */</span></div><div style="color:rgb(212,212,212)" class=""> }</div><div style="color:rgb(212,212,212)" class=""><span style="color:rgb(197,134,192)" class="">#endif</span></div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(197,134,192)" class="">if</span> ( a != <span style="color:rgb(86,156,214)" class="">NULL</span> || ns != <span style="color:rgb(86,156,214)" class="">NULL</span>)</div><div style="color:rgb(212,212,212)" class=""> {</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(106,153,85)" class="">/* the code here will not be checked by Clang because a and ns are equal to NULL */</span></div><div 
style="color:rgb(212,212,212)" class=""> <span style="color:rgb(106,153,85)" class="">/*This line is a buggy point, but it cannot be found by Clang </span><span style="color:rgb(106,153,85)" class="">static checker</span><span style="color:rgb(106,153,85)" class=""> now*/</span></div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(220,220,170)" class="">sprintf</span>(buf, <span style="color:rgb(206,145,120)" class="">"%s: query(%s) %s (%s:%s) learnt (A=%s:NS=%s)"</span>,</div><div style="color:rgb(212,212,212)" class=""> sysloginfo, queryname,</div><div style="color:rgb(212,212,212)" class=""> complaint, dname,</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(220,220,170)" class="">inet_ntoa</span>(<span style="color:rgb(220,220,170)" class="">data_inaddr</span>(a_rr-><span style="color:rgb(156,220,254)" class="">d_data</span>)),</div><div style="color:rgb(212,212,212)" class=""> a ? a : <span style="color:rgb(206,145,120)" class="">"<Not Available>"</span>,</div><div style="color:rgb(212,212,212)" class=""> ns ? 
ns : <span style="color:rgb(206,145,120)" class="">"<Not Available>"</span> );</div><div style="color:rgb(212,212,212)" class=""> }</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(197,134,192)" class="">else</span>{</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(106,153,85)" class="">/*This is another buggy point, can be found by Clang static checker*/</span></div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(220,220,170)" class="">sprintf</span>(buf, <span style="color:rgb(206,145,120)" class="">"%s: query(%s) %s (%s:%s)"</span>,</div><div style="color:rgb(212,212,212)" class=""> sysloginfo, queryname,</div><div style="color:rgb(212,212,212)" class=""> complaint, dname,</div><div style="color:rgb(212,212,212)" class=""> <span style="color:rgb(220,220,170)" class="">inet_ntoa</span>(<span style="color:rgb(220,220,170)" class="">data_inaddr</span>(a_rr-><span style="color:rgb(156,220,254)" class="">d_data</span>)));</div><div style="color:rgb(212,212,212)" class=""> }</div><div style="color:rgb(212,212,212)" class=""> }</div><div style="color:rgb(212,212,212)" class="">}</div></div></div>
<span id="cid:f_jqggpw190"><ns-lookup-klee.c></span></div></blockquote></div><br class=""></div></body></html>
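The tool suggested in the reply, as an added example that is not part of the original thread: it collects the macros tested by conditional-compilation directives and builds one `clang --analyze` command per defined/undefined combination. The sample source, the NO_SYSLOG macro and the function names are assumptions made for illustration; header guards are skipped.

```python
import itertools
import re
import shlex

# Constructed sample input: conditionals modeled on the posted function, plus a
# header guard and a second, hypothetical macro (NO_SYSLOG).
SAMPLE = """\
#ifndef NS_LOOKUP_H
#define NS_LOOKUP_H
#ifdef STATS
char nsbuf[20];
#endif
#if defined(STATS) && !defined(NO_SYSLOG)
char abuf[20];
#endif
#endif
"""

DIRECTIVE = re.compile(r"^[ \t]*#[ \t]*(ifdef|ifndef|if|elif)\b(.*)$", re.M)
DEFINED = re.compile(r"\bdefined\s*\(?\s*([A-Za-z_]\w*)")
# "#ifndef X" directly followed by "#define X" is a header guard, not a feature switch.
GUARD = re.compile(
    r"^[ \t]*#[ \t]*ifndef[ \t]+(\w+)[ \t]*\n[ \t]*#[ \t]*define[ \t]+\1\b", re.M)

def conditional_macros(source):
    """Macro names tested by #ifdef/#ifndef/#if defined(), minus header guards."""
    names = set()
    for kind, rest in DIRECTIVE.findall(source):
        if kind in ("ifdef", "ifndef"):
            names.update(re.findall(r"^\s*([A-Za-z_]\w*)", rest))
        else:
            names.update(DEFINED.findall(rest))
    return sorted(names - set(GUARD.findall(source)))

def analyzer_invocations(path, macros, limit=256):
    """One `clang --analyze` argv per defined/undefined combination (2**n runs)."""
    if 2 ** len(macros) > limit:
        raise ValueError(f"{len(macros)} macros give more than {limit} runs")
    runs = []
    for bits in itertools.product((False, True), repeat=len(macros)):
        flags = [f"-D{m}=1" if on else f"-U{m}" for m, on in zip(macros, bits)]
        runs.append(["clang", "--analyze", *flags, path])
    return runs

if __name__ == "__main__":
    for argv in analyzer_invocations("ns-lookup-klee.c", conditional_macros(SAMPLE)):
        print(shlex.join(argv))
```

The number of runs doubles with every macro, so the `limit` guard forces a deliberate choice of which switches to enumerate on larger code bases.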