[cfe-dev] How does Clang Staic Analyzer deal with DeclRefExpr?

Jordan Rose jordan_rose at apple.com
Mon Dec 2 13:33:18 PST 2013 

Hi, Arthur. I’d like to refer you to the Checker Developer Manual at http://clang-analyzer.llvm.org/checker_dev_manual.html#analyzer. In particular, the Environment is used to map expressions to values. The Store is used to map memory regions to the values they contain.

In this example ("b = a"), we need to evaluate 'a'-the-DeclRefExpr, whose value is the VarRegion for 'a'. After that, we evaluate the LValueToRValue cast, which loads the value currently stored in the VarRegion for 'a' (from the Store). Then we evaluate the assignment, which updates the Store to record that the VarRegion for 'b' now contains the value we just loaded. (I skipped the DeclRefExpr for 'b', but that also needs to be evaluated so that we know which memory region is being updated.)

Most of the analyzer, including almost all checkers, shouldn't need to directly access the Environment or the Store; they should instead just use the methods on ProgramState.

Hope that helps,
Jordan


On Dec 2, 2013, at 5:53 , Arthur Yoo <phjy007 at gmail.com> wrote:

> Hi all,
> 
> I am confused on the behavior of Analyzer dealing with DeclRefExpr. For an example:
> 1  int a, b;
> 2  a = 56;
> 3  b = a;
> 4  a = b - 8;
> 
> I wanted to print the Stmt information in the checkPostStmt(), and I got the results below:
> 
> IntegerLiteral 0x4dbc078 'int' 56
> 
> BinaryOperator 0x4dbc098 'int' '='
> |-DeclRefExpr 0x4dbc050 'int' lvalue Var 0x4d8bc80 'a' 'int'
> `-IntegerLiteral 0x4dbc078 'int' 56
> 
> ImplicitCastExpr 0x4dbc110 'int' <LValueToRValue>
> `-DeclRefExpr 0x4dbc0e8 'int' lvalue Var 0x4d8bc80 'a' 'int'
> 
> BinaryOperator 0x4dbc128 'int' '='
> |-DeclRefExpr 0x4dbc0c0 'int' lvalue Var 0x4d8bcf0 'b' 'int'
> `-ImplicitCastExpr 0x4dbc110 'int' <LValueToRValue>
>   `-DeclRefExpr 0x4dbc0e8 'int' lvalue Var 0x4d8bc80 'a' 'int'
> 
> ImplicitCastExpr 0x4dbc1c0 'int' <LValueToRValue>
> `-DeclRefExpr 0x4dbc178 'int' lvalue Var 0x4d8bcf0 'b' 'int'
> 
> IntegerLiteral 0x4dbc1a0 'int' 8
> 
> BinaryOperator 0x4dbc1d8 'int' '-'
> |-ImplicitCastExpr 0x4dbc1c0 'int' <LValueToRValue>
> | `-DeclRefExpr 0x4dbc178 'int' lvalue Var 0x4d8bcf0 'b' 'int'
> `-IntegerLiteral 0x4dbc1a0 'int' 8
> 
> BinaryOperator 0x4dbc200 'int' '='
> |-DeclRefExpr 0x4dbc150 'int' lvalue Var 0x4d8bc80 'a' 'int'
> `-BinaryOperator 0x4dbc1d8 'int' '-'
>   |-ImplicitCastExpr 0x4dbc1c0 'int' <LValueToRValue>
>   | `-DeclRefExpr 0x4dbc178 'int' lvalue Var 0x4d8bcf0 'b' 'int'
>   `-IntegerLiteral 0x4dbc1a0 'int' 8
> 
> As we know, the Environment provides us  a chance to get the corresponding value of some expression. So, when evaluating the value of BinOp 0x4dbc200 'int' '=', it can use the value of BinOp 0x4dbc1d8 'int' '-', which has been evaluated already. 
> 
> Now I want to know that how Analyzer evaluates 'b = a' in Line 3. In other words, how does Analyzer know the value of a when evaluating  ImplicitCastExpr 0x4dbc110 'int' <LValueToRValue>? Does Analyzer get the value of a from Environment?
> 
> Thanks a lot.
> 
> -- 
> Best regards,
> Arthur Yoo
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20131202/55ea4a09/attachment.html>

More information about the cfe-dev mailing list