[cfe-dev] Static Analyzer: pointer alias assignment

[Anna Zaks]

On Jul 23, 2013, at 10:33 AM, Gábor Kozár <kozargabor at gmail.com> wrote:

> Hi Anna,
> 
> I'm building a checker that detects inconsistent pointer usages, for example when a pointer is dereferenced, then along the same path is null-checked (without its value changing in between, obviously).

Can this be designed as an extension of the Dereference checker? 

Also, the Dereference checker does work fine in presence of aliases... Is there a reason why it's different in your setting?

int foo(int *p) {
  int *q = p;
  if (q)
    ;
  return *p;  
}

zaks$ clang --analyze ~/tmp/ex.c -Xclang -analyzer-output=text
/Users/zaks/tmp/ex.c:5:10: warning: Dereference of null pointer (loaded from variable 'p')
  return *p;  
         ^~
/Users/zaks/tmp/ex.c:3:7: note: Assuming 'q' is null
  if (q)
      ^
/Users/zaks/tmp/ex.c:3:3: note: Taking false branch
  if (q)
  ^
/Users/zaks/tmp/ex.c:5:10: note: Dereference of null pointer (loaded from variable 'p')
  return *p;  
         ^
1 warning generated.


> Code example:
> 
> Foo* f = getFoo();
> f->bar();
> 
> if(f) // warn
> { ... }
> 
> I want to be able to do this with aliases as well, for example:
> 
> Foo* f = getFoo();
> f->bar();
> 
> Foo* g = f;
> if(g) // warn
> { ... }
> 
> What I need is to be able to get the SVals representing 'f' and 'g' when checkBind is called on the Foo* g = f; line. Currently, instead of 'f', Clang gives me the value that was bound to 'f'.
> 
> Thanks for your help!
> 
> 
> 2013/7/23 Anna Zaks <ganna at apple.com>
> 
> On Jul 23, 2013, at 9:21 AM, Gábor Kozár <kozargabor at gmail.com> wrote:
> 
>> During the analysis of a test code, the following two bindings happen (checkBind), with their respective source lines:
>> 
>> (Bind: location <= value)
>> 
>> Bind: &fp <= &SymRegion{conj_$4{struct Foo *}}
>> Code: Foo* fp = getFooPtr();
>> 
>> Bind: &ap <= &SymRegion{conj_$4{struct Foo *}}
>> Code: Foo* ap = fp;
>> 
>> In the second line, I need to detect that 'ap' is in fact the alias of 'fp'. Unfortunately, I cannot seem to find any way to get Clang SA to tell me that "&SymRegion{conj_$4{struct Foo *}}" is stored in "fp", which seems weird, because the source code is very clear.
> 
> As you observe the two binds you see that the same value is stored in both.
> 
> The analyzer does not perform alias analyzes as in it does not build sets of aliases. As it models the execution in presence of aliases, we did not find a need for the alias sets. Can you give a bit more background on why you need this info? Maybe your goal can be achieved differently?
> 
>> 
>> Some of the information I extracted, but is not really useful to me:
>>  - original SVal: &SymRegion{conj_$4{struct Foo *}}
>>  - getAsRegion(): SymRegion{conj_$4{struct Foo *}}
>>  - state->getSVal(): &SymRegion{reg_$6<element{SymRegion{conj_$4{struct Foo *}},0 S32b,struct Foo *}>} -- in fact, I have no idea what this is
>>  - getAsSymbol(): conj_$4{struct Foo *}
>> 
>> As a workaround, I can keep track of this information myself, but there must be a built-in way to do this.
>> Any help would be appreciated. Many thanks!
>> _______________________________________________
>> cfe-dev mailing list
>> cfe-dev at cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20130723/1fb4a527/attachment.html>