[cfe-dev] Traces of SVal in BugReporterVisitor

Anna Zaks ganna at apple.com
Thu Feb 21 17:48:58 PST 2013


You both mention tracking SVals. I just want to highlight that SVals are transient values, so symbols or regions should be tracked (added to state) instead. See Representing Values here:
http://clang-analyzer.llvm.org/checker_dev_manual.html

You can take a look at visitors implemented in BugReporterVisitors and add the ones that are useful for your checker on BugReport creation. For example, DereferenceChecker and DivZeroChecker call the bugreporter::trackNullOrUndefValue helper, which adds a few visitors to the bug report. It contains heuristics, which decide what expressions along the path would be important to show when the user needs an explanation on why an expression evaluates to zero or is undefined.

You can play with the existing checkers to see what to expect. For example:
// Null ptr dereference
int f(int i) {
  int *a = 0;
  int *c = a;
  return *c;
}

/Users/zaks/tmp/ex.c:26:5: note: Variable 'a' initialized to a null pointer value
  int *a = 0;
  ^
/Users/zaks/tmp/ex.c:28:5: note: Variable 'c' initialized to a null pointer value
  int *c = a;
  ^
/Users/zaks/tmp/ex.c:29:12: note: Dereference of null pointer (loaded from variable 'c')
  return *c;
         ^

The original example has a division operation "int b = a/i;". Here, the analyzer doesn't even know that 'b' is zero. (Due to constraint manager not modeling division.)
int f2(int i) {
  int a = 0;
  int b = a/i;
  int c = b;
  return 5/c;
}
// no warning reported

On Feb 21, 2013, at 1:51 AM, YuvalShahar <yuval.shahar.007 at gmail.com> wrote:

> Hi Gerard, Anna,
> 
> I have been trying to do the same thing, or should I say "failing to do the
> same thing..." :)
> 
> I tried adding a checker that will add sval-s to the state as they are
> created, and then let the BugReporterVisitor trace the state in which they
> were added. This requires a ProgramStateTrait that is known both to the
> checker and to the visitor, and though I try following the Taint example, I
> am currently stuck in this direction too.
> 

If the notes you are trying to add are checker-specific, you need to implement a visitor in the same file as the checker. The ProgramStateTrait will be visible. See Malloc checker and RetainCount checker - they both have custom visitors.

If the notes are generic (could apply to symbols from any checker), you should add/enhance visitors in BugReporterVisitor.cpp. Please let us know if you decide to take this direction and need more help.

> I also tried marking the sval (and the sval->getAsSymbol()) as important, as
> Anna suggested, but that didn't seem to do anything... I think it would have
> satisfied me, but I cannot make it work. 

My previous explanation was not right. Currently, interesting symbols are only used to find out if a function call along the analyzed path is interesting - or important to step into during diagnostics.

> Anna, Can you please help here?
> 
> Thanks, Yuval.



