<div dir="ltr">Hi Ella and George,<div> Thanks for your timely help. Now I have a better understanding of this problem. I will also read this paper carefully.</div><div><br></div><div>Regards,</div><div>Chaz</div></div><br><div class="gmail_quote"><div dir="ltr">Ella Oikawa <<a href="mailto:alansnape3058@gmail.com">alansnape3058@gmail.com</a>> wrote on Fri, Jan 4, 2019 at 11:28 AM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">In case you cannot reach the full paper.<div><br></div><div>Regards,</div><div>Ella</div></div><br><div class="gmail_quote"><div dir="ltr">Ella Oikawa <<a href="mailto:alansnape3058@gmail.com" target="_blank">alansnape3058@gmail.com</a>> wrote on Fri, Jan 4, 2019 at 11:18 AM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr">scan-build will only follow your build command to preprocess your code and check for bugs in the preprocessed code. </div><div dir="ltr">If you want to scan the code with STATS defined, you need to tell the compile process to define STATS while compiling.</div><div dir="ltr"><br><div>The STATS variable can either be defined to a specific value or not defined; only one version is available in one scan, but you can scan again with different values.</div><div><br></div><div>Our team has researched this problem before. If there are a lot of macro switches, you can use the combinatorial testing technique to help you.</div><div>Here is our previous research on using the combinatorial testing technique to cover multiple macro switch values: <a href="https://doi.org/10.1109/COMPSAC.2017.91" target="_blank">https://doi.org/10.1109/COMPSAC.2017.91</a></div><div>(I am not one of the authors, as I was not a member of our team at that time. 
But you can still contact me or the last two authors (my boss) if you are interested in the method.)😝</div><div><br></div><div>The tool used in our research, Canalyze, is a private fork of CSA with our optimizations. A similar method can also be used with scan-build, as it is the strategy, not the tool, that matters.</div><div>I am not familiar with KLEE, but as far as I know about KLEE, a similar method can also be applied to it.</div><div><br></div><div>I hope our research will be useful to you.</div><div><br></div><div>Regards,</div><div>Ella</div></div></div></div></div><br><div class="gmail_quote"><div dir="ltr">changze cui via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a>> wrote on Thu, Jan 3, 2019 at 6:27 PM:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Hi all,<div> Recently, I have been using the Clang static checker to find buffer-overflow-related bugs. There is one case in which the buggy code will be executed only if STATS is defined (#ifdef STATS). I hope my checker can find all the bugs in a program, even in cases where the code will not be executed for now. Do you have any idea how I can achieve this?</div><div> The following is a part of the buggy code. Since "STATS" is not defined, the variables a and ns will be NULL. Thus, some code will not be checked by Clang and the checker will miss one bug.</div><div> I have put the full code in the attached file. Let me know if you have any solution. 
Thanks in advance!!</div><div><br></div><div>Regards,</div><div>Chaz</div><div> </div><div style="background-color:rgb(30,30,30);font-family:"Droid Sans Mono",monospace,monospace,"Droid Sans Fallback";font-size:14px;line-height:19px;white-space:pre-wrap"><div style="color:rgb(212,212,212)"><span style="color:rgb(86,156,214)">static</span> <span style="color:rgb(86,156,214)">void </span><span style="color:rgb(220,220,170)">nslookupComplain</span>(sysloginfo, queryname, complaint, dname, a_rr, nsdp)</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(86,156,214)">const</span> <span style="color:rgb(86,156,214)">char</span> *sysloginfo, *queryname, *complaint, *dname;</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(86,156,214)">const</span> <span style="color:rgb(86,156,214)">struct</span> databuf *a_rr, *nsdp;</div><div style="color:rgb(212,212,212)">{</div><div style="color:rgb(212,212,212)"><span style="color:rgb(197,134,192)">#ifdef</span><span style="color:rgb(86,156,214)"> </span><span style="color:rgb(220,220,170)">STATS</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(86,156,214)">char</span> nsbuf[<span style="color:rgb(181,206,168)">20</span>];</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(86,156,214)">char</span> abuf[<span style="color:rgb(181,206,168)">20</span>];</div><div style="color:rgb(212,212,212)"><span style="color:rgb(197,134,192)">#endif</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(86,156,214)">char</span> *a, *ns; </div><div style="color:rgb(212,212,212)"> <span style="color:rgb(197,134,192)">if</span> (sysloginfo && queryname)</div><div style="color:rgb(212,212,212)"> {</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(86,156,214)">char</span> buf[<span style="color:rgb(181,206,168)">999</span>];</div><font color="#d4d4d4"><br></font><div style="color:rgb(212,212,212)"> a = ns = (<span style="color:rgb(86,156,214)">char</span> 
*)<span style="color:rgb(86,156,214)">NULL</span>;</div><div style="color:rgb(212,212,212)"><span style="color:rgb(197,134,192)">#ifdef</span><span style="color:rgb(86,156,214)"> </span><span style="color:rgb(220,220,170)">STATS </span></div><div style="color:rgb(212,212,212)"><span style="color:rgb(220,220,170)"> </span><span style="color:rgb(106,153,85)">/* this part will not be executed because STATS is not defined */</span></div><div style="color:rgb(212,212,212)"><span style="color:rgb(106,153,85)"> </span><span style="color:rgb(106,153,85)">/* so a and ns will be equal to NULL */</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(197,134,192)">if</span> (nsdp) {</div><div><font color="#d4d4d4"> </font><span style="color:rgb(106,153,85)">/* assign value to a and ns */</span></div><div style="color:rgb(212,212,212)"> }</div><div style="color:rgb(212,212,212)"><span style="color:rgb(197,134,192)">#endif</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(197,134,192)">if</span> ( a != <span style="color:rgb(86,156,214)">NULL</span> || ns != <span style="color:rgb(86,156,214)">NULL</span>)</div><div style="color:rgb(212,212,212)"> {</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(106,153,85)">/* the code here will not be checked by Clang because a and ns are equal to NULL */</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(106,153,85)">/*This line is a buggy point, but it cannot be found by Clang </span><span style="color:rgb(106,153,85)">static checker</span><span style="color:rgb(106,153,85)"> now*/</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(220,220,170)">sprintf</span>(buf, <span style="color:rgb(206,145,120)">"%s: query(%s) %s (%s:%s) learnt (A=%s:NS=%s)"</span>,</div><div style="color:rgb(212,212,212)"> sysloginfo, queryname,</div><div style="color:rgb(212,212,212)"> complaint, dname,</div><div style="color:rgb(212,212,212)"> <span 
style="color:rgb(220,220,170)">inet_ntoa</span>(<span style="color:rgb(220,220,170)">data_inaddr</span>(a_rr-><span style="color:rgb(156,220,254)">d_data</span>)),</div><div style="color:rgb(212,212,212)"> a ? a : <span style="color:rgb(206,145,120)">"<Not Available>"</span>,</div><div style="color:rgb(212,212,212)"> ns ? ns : <span style="color:rgb(206,145,120)">"<Not Available>"</span> );</div><div style="color:rgb(212,212,212)"> }</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(197,134,192)">else</span>{</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(106,153,85)">/*This is another buggy point, can be found by Clang static checker*/</span></div><div style="color:rgb(212,212,212)"> <span style="color:rgb(220,220,170)">sprintf</span>(buf, <span style="color:rgb(206,145,120)">"%s: query(%s) %s (%s:%s)"</span>,</div><div style="color:rgb(212,212,212)"> sysloginfo, queryname,</div><div style="color:rgb(212,212,212)"> complaint, dname,</div><div style="color:rgb(212,212,212)"> <span style="color:rgb(220,220,170)">inet_ntoa</span>(<span style="color:rgb(220,220,170)">data_inaddr</span>(a_rr-><span style="color:rgb(156,220,254)">d_data</span>)));</div><div style="color:rgb(212,212,212)"> }</div><div style="color:rgb(212,212,212)"> }</div><div style="color:rgb(212,212,212)">}</div></div></div>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote></div>
</blockquote></div>
</blockquote></div>
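<p>Ella's advice above has two parts: the analyzer only sees what the preprocessor leaves, so STATS has to be defined on the compile line before the guarded branch exists at all, and when a code base has many such switches a combinatorial (pairwise) plan keeps the number of re-scans manageable. The following is an added example written for this page; it is not code from the thread, from scan-build, or from the Canalyze work cited. It assumes clang on PATH for the optional run, that <code>-Xanalyzer -analyzer-output=text</code> prints reports to stderr, the hypothetical switch names DEBUG and USE_INET6 alongside STATS, and a constructed C sample in the spirit of the posted snippet.</p>

```python
"""Run the Clang Static Analyzer once per macro configuration.
Added example for this thread (not code from the thread, scan-build or Canalyze).
Assumptions: clang on PATH for the optional run, `-Xanalyzer -analyzer-output=text`
prints reports to stderr, DEBUG / USE_INET6 are hypothetical names next to STATS."""
import itertools, shutil, subprocess, tempfile
from pathlib import Path

# Constructed switch table (only STATS comes from the thread).
# Values: None = leave undefined, "" = -DNAME, "v" = -DNAME=v
SWITCHES = {"STATS": [None, ""], "DEBUG": [None, "1", "2"], "USE_INET6": [None, ""]}

# Constructed C sample in the spirit of the posted snippet: with STATS undefined, a and
# ns stay NULL, the branch is dead after preprocessing and its null deref is not reported.
SAMPLE_C = r"""#include <stddef.h>
int describe(const char *query, const char *stats_a, const char *stats_ns) {
    const char *a = NULL, *ns = NULL;
#ifdef STATS
    if (stats_a) a = stats_a;
    if (stats_ns) ns = stats_ns;
#endif
    if (a != NULL || ns != NULL)
        return query[0] + a[0];   /* a is still NULL when only ns was set */
    return 0;
}
"""

def pair_key(a, va, b, vb):
    return (a, va, b, vb) if a < b else (b, vb, a, va)   # ordered by switch name

def all_pairs(switches):
    # every value pair of two distinct switches that a pairwise plan must hit
    return {pair_key(a, va, b, vb)
            for a, b in itertools.combinations(sorted(switches), 2)
            for va in switches[a] for vb in switches[b]}

def pairs_of(config):
    return {pair_key(a, config[a], b, config[b])
            for a, b in itertools.combinations(sorted(config), 2)}

def pairwise_configs(switches):
    """Greedy pairwise covering array built one switch at a time: each row assigns
    every switch; together the rows hit every (switch,value) x (switch,value) pair."""
    uncovered = all_pairs(switches)
    configs = []
    while uncovered:
        config = {}
        for n in sorted(switches):
            def score(v):   # new pairs with already-fixed switches, then a tie-break
                fixed = sum(pair_key(m, config[m], n, v) in uncovered for m in config)
                total = sum((n, v) in ((p[0], p[1]), (p[2], p[3])) for p in uncovered)
                return fixed, total
            config[n] = max(switches[n], key=score)
        gained = pairs_of(config) & uncovered
        if not gained:  # greedy stalled: force one uncovered pair into this row
            a, va, b, vb = next(iter(uncovered))
            config[a], config[b] = va, vb
            gained = pairs_of(config) & uncovered
        configs.append(config)
        uncovered -= gained
    return configs

def covers_all_pairs(configs, switches):
    return all_pairs(switches) <= set().union(*(pairs_of(c) for c in configs))

def clang_analyze_argv(source, config):
    """The analyzer only sees what the preprocessor leaves, so a macro the build
    does not define must be passed here with -D (Ella's point in the thread)."""
    argv = ["clang", "--analyze", "-Xanalyzer", "-analyzer-output=text"]
    for name in sorted(config):
        value = config[name]
        if value is not None:
            argv.append(f"-D{name}" if value == "" else f"-D{name}={value}")
    return argv + [source]

def run_all(source, configs):
    """Map each row's -D flags to the analyzer's warning lines; None without clang."""
    if shutil.which("clang") is None:
        return None
    results = {}
    for config in configs:
        argv = clang_analyze_argv(source, config)
        proc = subprocess.run(argv, capture_output=True, text=True)
        flags = " ".join(a for a in argv if a.startswith("-D")) or "(nothing defined)"
        results[flags] = [ln for ln in proc.stderr.splitlines() if "warning:" in ln]
    return results

def main():
    configs = pairwise_configs(SWITCHES)
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "sample.c").write_text(SAMPLE_C)
        results = run_all(str(Path(tmp, "sample.c")), configs)
    for config in configs:           # the commands, whether or not clang is present
        print(" ".join(clang_analyze_argv("sample.c", config)))
    for flags, warnings in (results or {}).items():
        print(flags, "->", warnings or "no warnings")

if __name__ == "__main__":
    main()
```

<p>Without <code>-DSTATS</code> the <code>if (a != NULL || ns != NULL)</code> test is constant-false after preprocessing and the dereference is unreachable, so nothing is reported; with <code>-DSTATS</code> the path where only <code>stats_ns</code> is non-NULL reaches <code>a[0]</code> and the default <code>core.NullDereference</code> checker reports it. scan-build behaves the same way because it only wraps the build, so run it once per row, e.g. <code>scan-build make CFLAGS=-DSTATS</code>. The greedy generator here is a plain in-parameter-order style construction, not the method of the cited paper; for the constructed switch table it produces fewer rows than the twelve exhaustive combinations while still covering every pair of switch values.</p>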