<div dir="ltr"><p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Hello, I’ve been studying the RegionStore implementation of
the static analyzer in an attempt to debug some false positives I’ve come
across. I found the paper “Memory Model for the Static Analysis of C Programs” and
Artem’s workbook (“Clang Static Analyzer – A Checker Developer’s Guide”), and
read through many past articles. These are excellent references to get started; now I'd like to enhance my comprehension by jumping in and fixing a few issues
that may need to be fixed. I apologize in advance if I’m missing some obvious
bridges to comprehension, but I’m still early in the process of learning this.
I’d like to contribute to improving the static analyzer and learn best through debugging
and implementing. Which brings me to the discussion questions and asks for a
few tips on next steps. Thanks in advance for tips and suggestions for how to contribute.
</p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Question 1: </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Constructing a case to understand how data and pointers
to data are mapped, I came across some unexpected behavior. In the example
below, I’d expect the UNKNOWN values to evaluate to true. Is this a reasonable
expectation for the clang static analyzer? </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Digging into this problem a bit more with the debugger, it
seems at least a small portion of RegionStore is not fully implemented. I
debugged this down to the code snippet shown in the data for Q1. ‘a’ comes back
as 0x11223344 into V (line 1723), V->getAsSymbol() comes back as NULL (line
1724), V is known, so UnknownVal() is returned – matching the test case results.
There’s also a comment in the code at that point – “// Other cases: give
up.  We are indexing into a larger object
that has some value, but we don't know how to handle that yet.”. </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Seems it’s possible to construct concrete values for these
cases, if I’m not missing anything – but I’m not sure how to do this. I see the
return type, and the offset into the base type, so it seems as “easy” as bit
twiddling to return the expected byte or short values. Is there a review that
demonstrates how to accomplish this, perhaps some tips? </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Question 2: </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Looking through CStringChecker.cpp, I see that memset is
implemented only for the case of an initialization value of 0, and the sizeof
arg and buffer extents are equal (see example in data below, line 1076, also a
FIXME in the comments). This seems reasonable for most use cases, but is also
interesting since an implementation that allows for arbitrary initialization
values could open up possibilities for other improvements (see Question 3).
ProgramState.cpp has a method named bindDefaultInitialValue that seems to be
perfect for this application, but asserts in RegionStore’s BindDefaultInitial
-> “Double initialization!” (approx line 452). Would repurposing this method
(bindDefaultInitial) be a reasonable approach to solve this problem, or is
there another way that would be a better approach?</p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Question 3: </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Looking through CStringChecker.cpp, I see that memcpy does
not perfectly model the memory copy from source to destination memory. Memcpy looks
to be implemented as a blank invalidation of the source and destination buffers.
I had first looked at this problem, and was quite puzzled since I had assumed
memory copies should be modeled (at least for common cases). The suggested
approach in the comment to address this issue is using LCVs. Is there an
example of such an approach, or perhaps an outline to start with? </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif"> </p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Case data for Question 1:</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">void
clang_analyzer_eval(int);</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">void
clang_analyzer_dump(int);</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">void
clang_analyzer_printState();</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">int foo(void) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  unsigned int a = 0x11223344;</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  unsigned char *p = (unsigned char*)&a; </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  unsigned short *pu = (unsigned short
*)&a;</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_printState();</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_eval(p[0] == 0x44); //
expected-warning{{TRUE}} -- OK</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_eval(p[1] == 0x33); //
expected-warning{{TRUE}} -- UNKNOWN</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_eval(p[2] == 0x22); //
expected-warning{{TRUE}} -- UNKNOWN</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_eval(p[3] == 0x11); //
expected-warning{{TRUE}} -- UNKNOWN</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_eval(pu[0] == 0x3344); //
expected-warning{{TRUE}} -- OK</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_eval(pu[1] == 0x1122); //
expected-warning{{TRUE}} -- UNKNOWN</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_dump(&p[0]); // &Element{a,0
S64b,unsigned char} [as 32 bit integer]</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_dump(&p[1]); // &Element{a,1
S64b,unsigned char} [as 32 bit integer]</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_dump(&pu[0]); // &Element{a,0
S64b,unsigned short} [as 32 bit integer]</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  clang_analyzer_dump(&pu[1]); // &Element{a,0
S64b,unsigned short} [as 32 bit integer]</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">}</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">The program
state from the decls in the sample are shown here.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">"program_state":
{</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "store": { "pointer":
"0x76787f8", "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    { "cluster": "a",
"pointer": "0x7677fc0", "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">      { "kind": "Direct",
"offset": 0, "value": "287454020 U32b" }</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    ]},</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    { "cluster": "p",
"pointer": "0x7678728", "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">      { "kind": "Direct",
"offset": 0, "value": "&Element{a,0 S64b,unsigned
char}" }</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    ]},</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    { "cluster": "pu",
"pointer": "0x767d9a8", "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">      { "kind": "Direct",
"offset": 0, "value": "&Element{a,0 S64b,unsigned
short}" }</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    ]}</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  ]},</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "environment": {
"pointer": "0x7607d50", "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    { "lctx_id": 1,
"location_context": "#0 Call", "calling":
"foo", "location": null, "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">      { "stmt_id": 805,
"pretty": "clang_analyzer_printState", "value":
"&code{clang_analyzer_printState}" }</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    ]}</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  ]},</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "constraints": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "dynamic_types": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "constructing_objects": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "checker_messages": null</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">}"program_state":
{</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "store": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "environment": {
"pointer": "0x7607d50", "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    { "lctx_id": 1,
"location_context": "#0 Call", "calling":
"foo", "location": null, "items": [</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">      { "stmt_id": 1201,
"pretty": "clang_analyzer_printState", "value":
"&code{clang_analyzer_printState}" }</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">    ]}</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  ]},</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "constraints": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "dynamic_types": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "constructing_objects": null,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">  "checker_messages": null</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">Code snippet
from RegionStore.cpp, Function getBindingForElement, line #s approximate.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1716   if (const TypedValueRegion *baseR =</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1717        
dyn_cast_or_null&lt;TypedValueRegion&gt;(O.getRegion())) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1718     QualType baseT = baseR->getValueType();</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1719     if (baseT->isScalarType()) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1720       QualType elemT = R->getElementType();</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1721       if (elemT->isScalarType()) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1722         if (Ctx.getTypeSizeInChars(baseT)
>= Ctx.getTypeSizeInChars(elemT)) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1723           if (const Optional&lt;SVal&gt;
&V = B.getDirectBinding(superR)) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">(gdb) p
V->dump()</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">287454020
U32b$2 = void</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">(gdb) p
R->dump()</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">Element{a,1
S64b,unsigned char}$3 = void</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1724             if (SymbolRef parentSym =
V->getAsSymbol())</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1725               return
svalBuilder.getDerivedRegionValueSymbolVal(parentSym, R);</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1726               </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1727             if (V->isUnknownOrUndef())</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1728               return *V;</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1729             // Other cases: give up.  We are indexing into a larger object</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1730             // that has some value, but we don't
know how to handle that yet.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1731             return UnknownVal();</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1732           } </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1733         } </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1734       }</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Question 2 – CStringChecker.cpp, method memsetAux</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1071     if (StateWholeReg &&
!StateNotWholeReg && StateNullChar &&</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1072         !StateNonNullChar) {</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1073       // If the 'memset()' acts on the whole
region of destination buffer and</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1074       // the value of the second argument of
'memset()' is zero, bind the second</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1075       // argument's value to the destination
buffer with 'default binding'.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1076       //
FIXME: Since there is no perfect way to bind the non-zero character, we</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1077       // can only deal with zero value here.
In the future, we need to deal with</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1078       // the binding of non-zero value in the
case of whole region.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1079       State =
State->bindDefaultZero(svalBuilder.makeLoc(BR),</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1080                                     
C.getLocationContext());</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 8pt;line-height:107%;font-size:11pt;font-family:Calibri,sans-serif">Question 3 – CStringChecker.cpp, method evalCopyCommon</p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New""> </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1201     // Invalidate the destination (regular
invalidation without pointer-escaping</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1202     // the address of the top-level region).</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1203     // FIXME: Even if we can't perfectly model
the copy, we should see if we</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1204     // can use LazyCompoundVals to copy the
source values into the destination.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1205     // This would probably remove any existing
bindings past the end of the</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1206     // copied region, but that's still an
improvement over blank invalidation.</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1207     state =</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1208         InvalidateBuffer(C, state,
Dest.Expression, C.getSVal(Dest.Expression),</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1209                          /*IsSourceBuffer*/
false, Size.Expression);</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1210 </span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1211     // Invalidate the source
(const-invalidation without const-pointer-escaping</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1212     // the address of the top-level region).</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1213     state = InvalidateBuffer(C, state,
Source.Expression,</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1214                             
C.getSVal(Source.Expression),</span></p>

<p class="MsoNormal" style="margin:0in 0in 0.0001pt;line-height:normal;font-size:11pt;font-family:Calibri,sans-serif"><span style="font-size:8pt;font-family:"Courier New"">1215                             
/*IsSourceBuffer*/ true, nullptr);</span></p></div>
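
<p>The "bit twiddling" from Question 1, as an added stand-alone example that is not part of the original message and not code from RegionStore.cpp: it models a load of a narrower scalar element from a concrete integer binding and stays unknown when the element does not fit inside the base object. All names are hypothetical; values are treated as zero-extended bit patterns, and the test case's expectations (p[0] == 0x44) correspond to a little-endian target. It goes one step beyond the test case by also showing the value a wider load would see in a byte-filled buffer, the situation Question 2 asks about.</p>

```cpp
// Added example: a stand-alone model, NOT code from RegionStore.cpp.
// All names here (ConcreteInt, readElement, ...) are hypothetical.
#include <cstdint>
#include <cstdio>

// A concrete integer binding: zero-extended bit pattern plus width in bytes.
struct ConcreteInt {
  uint64_t Value;
  unsigned Size; // 1..8
};

// Constructed sample mirroring the test case: unsigned int a = 0x11223344;
static const ConcreteInt SampleA = {0x11223344u, 4};

static uint64_t maskFor(unsigned SizeBytes) {
  return SizeBytes >= 8 ? ~0ULL : ((1ULL << (SizeBytes * 8)) - 1);
}

// Models a load of Element{Base, Index, <scalar of ElemSize bytes>}.
// Returns false where the result has to stay unknown: unsupported widths or
// an element that does not lie completely inside the base object.
bool readElement(const ConcreteInt &Base, unsigned ElemSize, uint64_t Index,
                 bool LittleEndian, ConcreteInt &Out) {
  if (Base.Size == 0 || Base.Size > 8 || ElemSize == 0 ||
      ElemSize > Base.Size)
    return false;
  // Compare indices rather than byte offsets so Index * ElemSize cannot wrap.
  if (Index > (Base.Size - ElemSize) / ElemSize)
    return false;
  unsigned ByteOff = static_cast<unsigned>(Index) * ElemSize;
  // Little-endian: byte 0 is the least significant. Big-endian: the reverse.
  unsigned Shift = LittleEndian ? ByteOff * 8
                                : (Base.Size - ElemSize - ByteOff) * 8;
  Out.Value = (Base.Value >> Shift) & maskFor(ElemSize);
  Out.Size = ElemSize;
  return true;
}

// Three-valued result in the spirit of clang_analyzer_eval().
enum Verdict { VerdictFalse, VerdictTrue, VerdictUnknown };

Verdict evalElementEq(const ConcreteInt &Base, unsigned ElemSize,
                      uint64_t Index, bool LittleEndian, uint64_t Expected) {
  ConcreteInt Elem;
  if (!readElement(Base, ElemSize, Index, LittleEndian, Elem))
    return VerdictUnknown;
  return Elem.Value == Expected ? VerdictTrue : VerdictFalse;
}

// Value a load of ElemSize bytes would see in a buffer whose every byte is
// Fill, e.g. after memset(buf, Fill, n). Endianness does not matter because
// all bytes are equal. Widths above 8 bytes are clamped to 8.
uint64_t splatByte(uint8_t Fill, unsigned ElemSize) {
  return (Fill * 0x0101010101010101ULL) & maskFor(ElemSize);
}

static const char *name(Verdict V) {
  return V == VerdictTrue ? "TRUE" : V == VerdictFalse ? "FALSE" : "UNKNOWN";
}

int main() {
  // The six clang_analyzer_eval() lines from the test case, little-endian.
  const uint64_t Bytes[4] = {0x44, 0x33, 0x22, 0x11};
  for (unsigned I = 0; I < 4; ++I)
    std::printf("p[%u] == 0x%02llx: %s\n", I,
                static_cast<unsigned long long>(Bytes[I]),
                name(evalElementEq(SampleA, 1, I, true, Bytes[I])));
  std::printf("pu[0] == 0x3344: %s\n",
              name(evalElementEq(SampleA, 2, 0, true, 0x3344)));
  std::printf("pu[1] == 0x1122: %s\n",
              name(evalElementEq(SampleA, 2, 1, true, 0x1122)));
  // One past the end of 'a': must not produce a concrete value.
  std::printf("p[4]: %s\n", name(evalElementEq(SampleA, 1, 4, true, 0)));
  // A 4-byte load from a buffer filled with 0xAB.
  std::printf("splat(0xAB, 4) = 0x%llx\n",
              static_cast<unsigned long long>(splatByte(0xAB, 4)));
  return 0;
}
```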