[cfe-dev] Requirements for production-ready StreamChecker

Anna Zaks ganna at apple.com
Fri Aug 9 13:30:01 PDT 2013


On Aug 9, 2013, at 1:12 PM, Aditya Kumar <hiraditya at codeaurora.org> wrote:

> I started improving the simpleStreamChecker and the video talk on building a
> simple stream checker was very helpful.

Great. We also have http://clang-analyzer.llvm.org/checker_dev_manual.html

> 
> I have a couple of questions.
> 
> 1. The function `SimpleStreamChecker::initIdentifierInfo' gets called every
> time functions `checkPostCall' and `checkPreCall' are invoked. Is it
> necessary?
> What I understand is that initIdentifierInfo maps a token with the function
> name (e.g. fopen, fclose) into the ASTContext.
> So as long as there is one call to initIdentifierInfo during the analysis it
> should be okay, right?
> 

The function is not doing any work if it has already been called before. We need to ensure it is called at least once. 

> 2. Should we use BugType::setSuppressOnSink() for all the non-severe bugs?

Not in all cases. The idea is that in some cases a report will most likely be invalid if there is a sink after it on the same path. In that case, we do not want to show the report. This method allows us to convey that to the bug reporter.

>> -----Original Message-----
>> From: Anna Zaks [mailto:ganna at apple.com]
>> Sent: Wednesday, August 07, 2013 3:53 PM
>> To: Aditya Kumar
>> Subject: Re: Requirements for production-ready StreamChecker
>> 
>> 
>> On Aug 7, 2013, at 1:52 PM, Aditya Kumar <hiraditya at codeaurora.org>
>> wrote:
>> 
>>> 
>>>> The main limitation is that it only handles a very limited set of APIs. Also, we
>>>> did not test it much on production code, so you might find more issues that
>>>> need to be addressed before it is turned on.
>>> 
>>> By APIs do you mean the APIs we have in StreamCheckers, e.g., Fopen,
>>> Tmpfile, Fclose, etc.?
>>> 
>> yes
>>> Thanks for the reply.
>>> -Aditya
>>> 
>>>> -----Original Message-----
>>>> From: Anna Zaks [mailto:ganna at apple.com]
>>>> Sent: Wednesday, August 07, 2013 3:00 PM
>>>> To: Aditya Kumar
>>>> Subject: Re: Requirements for production-ready StreamChecker
>>>> 
>>>> Aditya,
>>>> 
>>>> The main limitation is that it only handles a very limited set of APIs. Also, we
>>>> did not test it much on production code, so you might find more issues that
>>>> need to be addressed before it is turned on.
>>>> 
>>>> Also, if you want to work on this checker, I suggest writing a new checker,
>>>> starting with this one. The idea is to rip out the experimental StreamChecker
>>>> and replace it with a checker based on Simple Stream checker.
>>>> 
>>>> There were other people interested in working on this. You can search
>>>> the cfe-dev and cfe-commits lists for more info. Here are some of them:
>>>> http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20130415/078438.html
>>>> http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20130610/081436.html
>>>> 
>>>> Cheers,
>>>> Anna.
>>>> 
>>>> On Aug 7, 2013, at 11:58 AM, Aditya Kumar <hiraditya at codeaurora.org>
>>>> wrote:
>>>> 
>>>>> Hi Anna,
>>>>> I listened to the video lecture to learn how to implement checkers,
>>>>> and it was very helpful.
>>>>> You mention in the list of open projects that 'production-ready
>>>>> StreamChecker' is required.
>>>>> I would like to know what kind of enhancements you would like to
>>>>> have in the current implementation of SimpleStreamChecker.
>>>>> I would really appreciate it if you can give some pointers so that I
>>>>> can work on it.
>>>>> 
>>>>> Thanks,
>>>>> -Aditya
>>>>> 
>>> 
>>> 
> 
> 
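The lazy-initialisation pattern discussed in question 1, as an added, self-contained model; it is not code from this thread or from the clang sources. `IdentifierTable`, `StreamCheckerModel`, `opensStream`, `closesStream` and `checkerLookups` are hypothetical stand-ins for the analyzer's identifier table and the checker's `checkPostCall`/`checkPreCall` callbacks, and the call events are constructed.

```cpp
#include <map>
#include <memory>
#include <string>

// Stand-in for clang's IdentifierInfo: one interned object per distinct name.
struct IdentifierInfo { std::string Name; };

// Simplified stand-in for the identifier table; get() interns and counts queries.
struct IdentifierTable {
  std::map<std::string, std::unique_ptr<IdentifierInfo>> Table;
  int Lookups = 0;
  const IdentifierInfo *get(const std::string &Name) {
    ++Lookups;
    std::unique_ptr<IdentifierInfo> &Slot = Table[Name];
    if (!Slot) Slot.reset(new IdentifierInfo{Name});
    return Slot.get();
  }
};

struct StreamCheckerModel {
  // mutable because the callbacks are const member functions.
  mutable const IdentifierInfo *IIfopen = nullptr, *IIfclose = nullptr;
  void initIdentifierInfo(IdentifierTable &Idents) const {
    if (IIfopen) return;  // already cached: the call costs one pointer test
    IIfopen = Idents.get("fopen");
    IIfclose = Idents.get("fclose");
  }
  // Models checkPostCall: does this call open a stream?
  bool opensStream(IdentifierTable &Idents, const IdentifierInfo *Callee) const {
    initIdentifierInfo(Idents);
    return Callee == IIfopen;  // pointer identity, no string comparison
  }
  // Models checkPreCall: does this call close a stream?
  bool closesStream(IdentifierTable &Idents, const IdentifierInfo *Callee) const {
    initIdentifierInfo(Idents);
    return Callee == IIfclose;
  }
};

// Feeds constructed call events (fopen, fclose, printf in rotation) to the
// model and returns how many table lookups the checker itself caused.
int checkerLookups(int Events, int *Matches = nullptr) {
  IdentifierTable Idents;
  const IdentifierInfo *Callees[] = {Idents.get("fopen"), Idents.get("fclose"),
                                     Idents.get("printf")};
  int Baseline = Idents.Lookups, Hits = 0;
  StreamCheckerModel Checker;
  for (int I = 0; I < Events; ++I)
    Hits += Checker.opensStream(Idents, Callees[I % 3]) +
            Checker.closesStream(Idents, Callees[I % 3]);
  if (Matches) *Matches = Hits;
  return Idents.Lookups - Baseline;
}
```

However many callbacks fire, the model performs the two lookups once; every later `initIdentifierInfo` call returns at the null check.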



