[cfe-dev] Inter procedural analysis across translation unit in clang static analyzer

Anna Zaks ganna at apple.com
Tue Jan 22 18:40:05 PST 2013


On Jan 17, 2013, at 11:31 AM, Karthik Bhat <blitz.opensource at gmail.com> wrote:

> Thanks Anna for the prompt replies. Will go through those documents.
> 
> Sure will contribute the checkers after refining it a bit. It is a simple SocketStream checker (checks socket open/close issues etc)  inspired by SimpleStream checker from Building a Checker in 24 Hours video
> 
> I had one more query currently we terminate analysis of a path as soon as we detect  a critical bug. (for e.g.) in the code -
> 
> int one =1;
> int zero = 0;
> 
> int k = one/zero;
> 
> // Some other bugs
> 
> In the above code we are generating a sink node as soon as we see a divbyzero and do not analyse other bugs along the path. 
> Since static analysis of large code usually takes a lot of time is it not a good idea to report as much bugs as possible on a particular path?
> 
Good point.

> For e.g in the above code instead of creating a sink node for divide by zero can we assign value for k as unknown and continue simulation?
> 
> I tried the same by modifying evalBinOp function and creating a transition node instead of sink node  -
> 
>   if ((op == BO_Div || op == BO_Rem ||op == BO_DivAssign ||op == BO_RemAssign) && rhs.isZeroConstant())  // in case of div by zero assign result as unknown and continue execution
> 	 return UnknownVal();
> 
> so that if we have a divide operation with rhs as 0 assign the result as unknown and continue simulation to detect other bugs on the path.
> 

There are several reasons why this approach might not work well in general.

For example, if you encounter a null pointer dereference(or div by zero), report it, and continue the execution, chances are that the same pointer would get used again and again. So you would end up reporting multiple instances of the same issue. Even if you came up with ways to unique those reports, analyzing after a "severe error" could lead to other issues being reported. How would one model the state after the error? Recovering from errors without loosing state/causing side effects might not always be as easy as in this case. (And even here we introduce some inconsistency into the analyzer.)

Another argument is that what is optimal for performance depends on the workflow in which one is using the analyzer. For example, it might be preferable to have a faster turnaround when issues are found rather than running the tool until as much as possible is covered. For example, if you are analyzing a small project regularly and expect a very fast turn around.

Anna.
> Thanks
> 
> 
> On Fri, Jan 18, 2013 at 12:29 AM, Anna Zaks <ganna at apple.com> wrote:
> 
> On Jan 17, 2013, at 5:33 AM, Karthik Bhat <blitz.opensource at gmail.com> wrote:
> 
>> Thanks Anna.. Can you suggest me some place were i can find document for static analyzer core module. I found many documents for checkers and how to write checkers, but couldn't find document explaining functioning of static analyzer core.
>> 
> 
> Unfortunately, there is not much documentation about the analyzer core yet (code is our documentation). The only additional documentation I know of is in clang/docs/analyzer; specifically, we have the IPA.txt there, which describes how we approach cross function analyzes. You could also search the archives from this list (in particular, emails from Ted Kremenek). 
> 
> The analyzer utilizes the idea of path-sensitive dataflow analysis, which can be tackled with different specific techniques, but they all boil down to trying to compute a set of reachable program states. Our LLVM Dev meeting talk Building a Checker in 24 Hours gives a very high level overview of how it works (http://llvm.org/devmtg/2012-11/). Here are some relevant academic papers, but there are many more papers in the area, and the analyzer is inspired by many of them:
>   A System and Language for Building System-Specific, Static Analyses (Hallem et al)
>   Precise interprocedural dataflow analysis via graph reachability (Reps et al)
> 
> As I had mentioned, cross translation unit analyzes is a huge project; for example, it would most likely take more than a year to complete. However, it can be split into subtasks. There are also many other directions for improving the analyzer core.
> 
> Please, feel free to ask questions.
> Anna.
> 
>> Any help appreciated. 
>> 
>> Thanks
>> 
>> On Tue, Jan 15, 2013 at 12:43 AM, Anna Zaks <ganna at apple.com> wrote:
>> 
>> On Jan 14, 2013, at 1:52 AM, Karthik Bhat <blitz.opensource at gmail.com> wrote:
>> 
>> > Hi All,
>> >
>> > I was going through clang project and found static analyzer to be a quite useful tool. I would like to work and contribute on the same. I went through the code and developed few basic checkers(Socket stream checker etc) to start with.
> 
> It would be great if you plan to contribute those checkers back!
> 
>> >
>> > I had a doubt which i wanted to clarify from the community.
>> >
>> > If i'm not wrong Clang static tool currently supports only one translation unit at a time and so inter procedural analysis across translation unit is not supported.
>> 
>> That is correct.
>> 
>> > Is there any plan to support the same in clang static analyzer?
>> 
>> This is something we would definitely like to address as it is one of the main missing pieces. I am not sure when we are going to address it.
>> 
>> > What kind of infrastructure would be required in static analyzer core to support this feature?
>> 
>> We have not designed this in detail yet. However, this is going to be a lot of work. We would probably go with summary based approach, where one constructs summaries for the analyzed functions; the summaries are then used when modeling the calls.
>> 
>> > Will it require detailed understanding of clang front end(AST etc)?
>> >
>> 
>> This project would require understanding the analyzer very well.
>> 
>> > Thanks
>> > Karthik
>> >
>> >
>> >
>> > _______________________________________________
>> > cfe-dev mailing list
>> > cfe-dev at cs.uiuc.edu
>> > http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
>> 
>> 
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20130122/dcb54fc1/attachment.html>


More information about the cfe-dev mailing list