[cfe-dev] Inter procedural analysis across translation unit in clang static analyzer

Anna Zaks ganna at apple.com
Thu Jan 17 10:59:15 PST 2013


On Jan 17, 2013, at 5:33 AM, Karthik Bhat <blitz.opensource at gmail.com> wrote:

> Thanks Anna. Can you suggest some place where I can find documentation for the static analyzer core module? I found many documents for checkers and how to write checkers, but couldn't find a document explaining the functioning of the static analyzer core.
> 

Unfortunately, there is not much documentation about the analyzer core yet (code is our documentation). The only additional documentation I know of is in clang/docs/analyzer; specifically, we have the IPA.txt there, which describes how we approach cross-function analysis. You could also search the archives from this list (in particular, emails from Ted Kremenek).

The analyzer utilizes the idea of path-sensitive dataflow analysis, which can be tackled with different specific techniques, but they all boil down to trying to compute a set of reachable program states. Our LLVM Dev meeting talk "Building a Checker in 24 Hours" gives a very high-level overview of how it works (http://llvm.org/devmtg/2012-11/). Here are some relevant academic papers, but there are many more papers in the area, and the analyzer is inspired by many of them:
  A System and Language for Building System-Specific, Static Analyses (Hallem et al)
  Precise interprocedural dataflow analysis via graph reachability (Reps et al)

As I had mentioned, cross translation unit analysis is a huge project; for example, it would most likely take more than a year to complete. However, it can be split into subtasks. There are also many other directions for improving the analyzer core.

Please feel free to ask questions.
Anna.

> Any help appreciated. 
> 
> Thanks
> 
> On Tue, Jan 15, 2013 at 12:43 AM, Anna Zaks <ganna at apple.com> wrote:
> 
> On Jan 14, 2013, at 1:52 AM, Karthik Bhat <blitz.opensource at gmail.com> wrote:
> 
> > Hi All,
> >
> > I was going through the clang project and found the static analyzer to be quite a useful tool. I would like to work on and contribute to it. I went through the code and developed a few basic checkers (Socket stream checker etc.) to start with.
> 
> It would be great if you plan to contribute those checkers back!
> 
> >
> > I had a doubt which I wanted to clarify with the community.
> >
> > If I'm not wrong, the Clang static analyzer currently supports only one translation unit at a time, and so inter-procedural analysis across translation units is not supported.
> 
> That is correct.
> 
> > Is there any plan to support the same in clang static analyzer?
> 
> This is something we would definitely like to address as it is one of the main missing pieces. I am not sure when we are going to address it.
> 
> > What kind of infrastructure would be required in static analyzer core to support this feature?
> 
> We have not designed this in detail yet. However, this is going to be a lot of work. We would probably go with a summary-based approach, where one constructs summaries for the analyzed functions; the summaries are then used when modeling the calls.
> 
> > Will it require a detailed understanding of the clang front end (AST etc.)?
> >
> 
> This project would require understanding the analyzer very well.
> 
> > Thanks
> > Karthik