<div dir="ltr"><div dir="ltr"><div class="gmail_default" style="font-size:small">Hello Artem,<br><br></div><div class="gmail_default" style="font-size:small">I went through the checkers you suggested. I found this project interesting and got a very basic idea about it.</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I tried to find a few cases where unique_ptr::operator->() returns null, apart from a default-constructed unique_ptr.</div><div class="gmail_default" style="font-size:small"><b>Case 1: </b>Use of std::move on std::unique_ptr<br></div><div class="gmail_default" style="font-size:small">It seems it's already covered in the MoveChecker.</div><div class="gmail_default" style="font-size:small"><b>Case 2:</b> Use after calling release() on std::unique_ptr<br></div><div class="gmail_default" style="font-size:small">When I ran the analyzer for this scenario, it did not produce any warnings.</div><div class="gmail_default" style="font-size:small"><b>Case 3: </b>Use of up.reset() or up.reset(nullptr)<br></div><div class="gmail_default" style="font-size:small">Similar to the release() case, it seems this case is also not covered.</div><div class="gmail_default" style="font-size:small"><b>Case 4:</b> Get the raw pointer via std::unique_ptr.get(), then delete it<br></div><div class="gmail_default" style="font-size:small">I am not sure about this case. It seems the user is explicitly trying to break the code.</div><div class="gmail_default" style="font-size:small"><b>Case 5:</b> Use after <span style="color:rgb(0,0,0);font-size:12px">swap(</span>std::unique_ptr<span style="color:rgb(0,0,0);font-size:12px">, null)</span><br></div><div class="gmail_default" style="font-size:small"><span style="color:rgb(0,0,0);font-size:12px">In case we swap a </span>std::unique_ptr with another std::unique_ptr pointing to null.
</div><div class="gmail_default" style="font-size:small"><br></div><div class="gmail_default" style="font-size:small">I am guessing the list is not complete and that this will be a first task: to figure out all possible cases.<span style="color:rgb(0,0,0);font-size:12px"><br></span></div><div class="gmail_default" style="font-size:small">And we have to come up with something similar for the other smart pointers.<br><br></div><div class="gmail_default" style="font-size:small">Regarding the implementation part, similar to the move checker, we have to keep a map from memory region to state (whether it is null or not). </div><div class="gmail_default" style="font-size:small">States should be updated based on the changes in the MemRegion. I was wondering whether this is the right way? (I know I still have to figure out a lot of details regarding the concrete implementation.)<br></div><div class="gmail_default" style="font-size:small">In the case of a default-constructed std::unique_ptr object, why can't we get the symbolic value as null and do the same check as we are doing for raw pointers?</div><div class="gmail_default" style="font-size:small">Is it because of some limitations on tracking the symbolic values of std::unique_ptr objects?</div><div class="gmail_default" style="font-size:small"><br></div><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">----<br><span class="gmail_default" style="font-size:small">Thanks & </span>Regards,<br><font face="'courier new', monospace">Nithin</font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, Mar 10, 2020 at 1:13 AM Nithin Vadukkumchery Rajendrakumar <<a href="mailto:vrnithinkumar@gmail.com">vrnithinkumar@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div style="font-size:small">Hi Artem,<br><br></div><div style="font-size:small">Thank you very much for this detailed information 
and help.<br>I will check out the existing checkers you mentioned and try to get a better understanding of the problem.<br></div><div><div dir="ltr"><br>----<br>Regards,<br><font face="'courier new', monospace">Nithin.VR</font><br></div></div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Mar 9, 2020 at 2:30 AM Artem Dergachev <<a href="mailto:noqnoqneo@gmail.com" target="_blank">noqnoqneo@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hey!<br>
<br>
Welcome. Let's see.<br>
<br>
Nullability checker isn't the one that you're looking for. It's a <br>
different beast that governs the hunt for null dereferences via so-called <br>
"nullability annotations". Like, a language extension is provided <br>
through which the programmer can tell the analyzer which variables / <br>
functions may or may not hold / produce null pointers, and the analyzer <br>
checks whether it makes sense how these nullable and non-null values <br>
propagate from one function to another. So it's the same problem but a <br>
different technique. It is targeted mostly at finding crashes in <br>
Objective-C apps that pass a lot of pointers around across many <br>
user-defined functions.<br>
<br>
The proposed GSoC project is of a different nature: we want to teach the <br>
static analyzer about a very specific C++ API, but we want to teach it <br>
much more thoroughly. It's not enough to know that <br>
std::unique_ptr::operator->() may occasionally return a null pointer; <br>
we'd much rather know when exactly it returns a null pointer (e.g., <br>
if the smart pointer is freshly default-constructed).<br>
<br>
If you want to study existing checkers, check out:<br>
- MoveChecker - the use-after-move checker which already finds *some* <br>
null smart pointer dereferences, given that they're guaranteed to be <br>
null after move.<br>
- SmartPtrChecker currently does almost nothing, but that's probably <br>
where you'll put your code :)<br>
- IteratorChecker is a large ongoing pioneer project to find iterator <br>
and container related bugs such as dereferencing vector.end(). It's the <br>
closest thing to what you'll be implementing, but its handling of C++ <br>
objects is outdated and overly complicated because some new facilities <br>
for C++ support (mostly the ones explained in the second half of <br>
<a href="https://www.youtube.com/watch?v=4n3l-ZcDJNY" rel="noreferrer" target="_blank">https://www.youtube.com/watch?v=4n3l-ZcDJNY</a>) weren't in place yet when <br>
it all started.<br>
<br>
Once you understand the project a bit better and like it, the next step <br>
is to discuss here (in this mailing list) what the best way to <br>
implement the checker is. The ultimate outcome of this discussion will be a <br>
so-called "GSoC proposal". It's a few pages of text that you write, post <br>
here for more discussion, and eventually upload to the GSoC website. <br>
According to the GSoC timeline, the proposal should be submitted by the <br>
end of March. The proposal summarizes how *you* understand the project <br>
and how *you* plan to tackle it during the summer.<br>
<br>
Good luck on your GSoC path!<br>
Artem.<br>
<br>
<br>
On 3/7/20 3:40 PM, Nithin Vadukkumchery Rajendrakumar via cfe-dev wrote:<br>
><br>
> Greetings,<br>
><br>
><br>
> I am interested in participating in GSoC 2020. I am particularly <br>
> interested in the project idea "Find null smart pointer dereferences <br>
> with the Static Analyzer". I am doing my masters in computer science <br>
> and interested in program analysis and verification. I thought <br>
> GSoC2020 will be a wonderful opportunity to learn more about Clang <br>
> Static Analyzer and contribute.<br>
><br>
><br>
> I have started reading about smart pointers in C++ to get a good grasp <br>
> of the concepts. Also, I have some experience implementing simple Clang <br>
> Static Analyzer checks (similar to SimpleStreamChecker) from the <br>
> tutorials. I read through a few available tutorials and have some basic <br>
> idea about Control Flow Graph, Exploded Graph and Symbolic Values. I <br>
> have read the paper "A memory model for static analysis of C programs" <br>
> to get some theoretical background. I also started looking into <br>
> NullabilityChecker.cpp <br>
> <<a href="https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp" rel="noreferrer" target="_blank">https://github.com/llvm/llvm-project/blob/master/clang/lib/StaticAnalyzer/Checkers/NullabilityChecker.cpp</a>> to <br>
> understand the codebase.<br>
><br>
> I would like to know whether this is the right place to look.<br>
><br>
> Could anyone please help me with what I should do next?<br>
><br>
> ----<br>
> Thanks & Regards,<br>
> Nithin<br>
><br>
> _______________________________________________<br>
> cfe-dev mailing list<br>
> <a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
> <a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
<br>
</blockquote></div>
</blockquote></div></div>
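<p>The cases enumerated at the top of this thread (default construction, move, release(), reset(), swap with an empty pointer), written out as a small self-checking C++ program. This is an added example, not code from the thread or from the Clang Static Analyzer project; the <code>Payload</code> type and the helper function names are constructed for illustration. Each function performs one operation and reports whether <code>get()</code> / <code>operator-&gt;()</code> would now yield null, i.e. whether a subsequent dereference is the bug a checker should flag. Case 4 (delete after get()) is described in a comment only, since executing it would be undefined behaviour.</p>

```cpp
#include <memory>
#include <utility>

// Constructed example type; any object would do.
struct Payload { int value = 42; };

// Case from Artem's mail: a freshly default-constructed unique_ptr is null.
bool null_after_default_construct() {
    std::unique_ptr<Payload> up;
    return up.get() == nullptr;
}

// Case 1: the moved-from unique_ptr is guaranteed to be null (MoveChecker).
bool null_after_move() {
    auto src = std::make_unique<Payload>();
    std::unique_ptr<Payload> dst = std::move(src);
    return src.get() == nullptr && dst->value == 42;
}

// Case 2: release() hands ownership to the caller and leaves the unique_ptr null.
bool null_after_release() {
    auto up = std::make_unique<Payload>();
    Payload* raw = up.release();
    bool null_now = (up.get() == nullptr);
    delete raw;  // the caller now owns 'raw' and must free it exactly once
    return null_now;
}

// Case 3: reset() and reset(nullptr) both destroy the object and leave null.
bool null_after_reset() {
    auto up = std::make_unique<Payload>();
    up.reset();
    bool null_after_plain_reset = (up.get() == nullptr);
    up = std::make_unique<Payload>();
    up.reset(nullptr);
    return null_after_plain_reset && up.get() == nullptr;
}

// Case 4 (not executed): 'delete up.get();' while 'up' still owns the object
// leads to a double free when 'up' is destroyed, which is undefined behaviour.

// Case 5: swapping with an empty unique_ptr moves the null into 'up'.
bool null_after_swap_with_empty() {
    auto up = std::make_unique<Payload>();
    std::unique_ptr<Payload> empty;
    up.swap(empty);  // equivalently std::swap(up, empty)
    return up.get() == nullptr && empty->value == 42;
}

// Defensive access: check the pointer before going through operator->().
int value_or(const std::unique_ptr<Payload>& up, int fallback) {
    return up ? up->value : fallback;
}

// Exercises value_or() on both an empty and a populated unique_ptr.
bool checked_access_is_safe() {
    std::unique_ptr<Payload> empty;
    auto full = std::make_unique<Payload>();
    return value_or(empty, -1) == -1 && value_or(full, -1) == 42;
}
```

<p>Every function above returns <code>true</code>: in each of the listed states the unique_ptr's <code>get()</code> is null and a bare <code>-&gt;</code> would dereference it. A checker that tracks the pointer's nullness per memory region, as proposed in the thread, would transition the region to "null" at exactly these five operations and report on the next <code>operator-&gt;()</code> call that is not guarded like <code>value_or()</code>.</p>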