[cfe-dev] Confused by analysis
Ted Kremenek
kremenek at apple.com
Thu Feb 26 21:38:26 PST 2009
On Feb 26, 2009, at 2:19 AM, Ben Laurie wrote:
> On Wed, Feb 25, 2009 at 5:22 PM, Ted Kremenek <kremenek at apple.com>
> wrote:
>>
>> On Feb 25, 2009, at 9:20 AM, Sebastian Redl wrote:
>>
>>> I'm pretty sure the analyzer works under the assumption that null
>>> pointer dereferences are unrecoverable.
>>
>> That's correct. It's an excellent way to prune paths. We also try
>> avoiding the cascading of "hard errors"; e.g. dereferencing garbage
>> values, but halting the simulation of a path.
>
> I did wonder if this was the case, cool. I haven't yet found the code
> that drives the path analysis (admittedly I haven't looked!) - where
> is it?
The code in question is in GRExprEngine.[h, cpp]. That's a fairly
complicated beast.
Probably the best place to get a holistic view of the analyzer is
AnalysisConsumer.cpp (in the Driver). There you will see how the
analyzer API is actually invoked, how checks get registered, when a
function gets analyzed, etc. For example, if you search for
"GRExprEngine" you'll see where an instance of the path-sensitive
engine gets created, executed, and destroyed.
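A small C input that exercises the two behaviours described above (the null-dereference path being treated as unrecoverable, and a "hard error" such as reading through an uninitialized pointer halting the path) is added here as an illustration; it is not code from this thread or from Clang, and the function names and sample values are constructed for the example. Run it through the analyzer with `clang --analyze analyzer_paths.c` (or under scan-build) and compare the comments against the reports you get.

```c
/* analyzer_paths.c: added example input for the Clang static analyzer.
 * Not from the cfe-dev thread or from Clang itself; names and values are
 * constructed for the example.
 */
#include <stddef.h>
#include <stdio.h>

static int demo_value = 7;   /* constructed sample data */
static int demo_slot;

/* 1. Dereference before the check.
 * At '*p' the analyzer treats the p == NULL state as an unrecoverable
 * sink and drops it. On every surviving path p is non-null, so the
 * 'if (p == NULL)' branch is never explored: nothing is reported here,
 * the null path has simply been pruned.
 */
int deref_then_check(const int *p, int fallback)
{
    int value = *p;
    if (p == NULL)
        return fallback;
    return value;
}

/* 2. Check before the dereference.
 * 'if (p != NULL)' splits the state; the p == NULL state is still alive
 * and reaches 'return *p', so the analyzer reports a null dereference on
 * that path. The intended code is 'return value' (see the fixed version).
 */
int check_then_deref_buggy(const int *p, int fallback)
{
    int value = fallback;
    if (p != NULL)
        value = *p;
    return *p;   /* analyzer: null dereference on the p == NULL path */
}

int check_then_deref_fixed(const int *p, int fallback)
{
    int value = fallback;
    if (p != NULL)
        value = *p;
    return value;
}

/* 3. A "hard error": writing through an uninitialized pointer.
 * On the flag == 0 path q holds garbage. The analyzer reports that
 * dereference and stops simulating the path, so the code after it does
 * not produce a cascade of follow-on reports on the same path.
 */
int garbage_deref(int flag, int *storage)
{
    int *q;
    if (flag)
        q = storage;
    *q = 42;     /* analyzer: dereference of an undefined pointer when flag == 0 */
    return *q;
}

int main(void)
{
    /* Only the well-defined paths are executed at run time; the buggy
     * paths exist so the analyzer has something to find. */
    printf("%d %d %d %d\n",
           deref_then_check(&demo_value, -1),
           check_then_deref_buggy(&demo_value, -1),
           check_then_deref_fixed(NULL, -1),
           garbage_deref(1, &demo_slot));
    return 0;
}
```

The point of running this under the analyzer rather than the compiler is the contrast between functions 1 and 2: they contain the same null check, but only in function 2 does the null state survive to a dereference, because in function 1 the analyzer has already discarded it at the earlier `*p`.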