[cfe-dev] Static Analyzer "Uninitialized argument value checks for Unions"

Aditya Kumar hiraditya at codeaurora.org
Mon Jan 13 17:28:51 PST 2014

Hi Jordan,

Thanks for the reply.

I was trying to figure out if uninitialized union members can be tracked by
saving the ProgramState into some map<SymbolRef, SymState>, as is done in
SimpleStreamChecker.cpp.

typedef union {
  int a;
  int b;
} ab;

int foo(ab o);

int bar() {
  ab obj;
  obj.a = 100;      /* only member 'a' is written before the call */
  return foo(obj);
}

So I can save `obj.a' as a SymbolRef in a map<SymbolRef, SymState>.

The problem I'm facing is that I don't know how to get the SymbolRefs of all
the members (obj.a and obj.b in this case) when I encounter the function
call `foo', so that I can do the arithmetic and figure out that `obj' is
completely initialized in this case.

Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum,
hosted by The Linux Foundation


From: Jordan Rose [mailto:jordan_rose at apple.com] 
Sent: Wednesday, January 08, 2014 8:44 PM
To: Aditya Kumar
Cc: cfe-dev Developers
Subject: Re: [cfe-dev] Static Analyzer "Uninitialized argument value checks
for Unions"


Hi, Aditya. The static analyzer currently has some trouble with unions
because it (a) treats certain symbolic values as typed, and (b)
distinguishes certain symbolic memory regions by field name. Historically,
unions have caused much difficulty, so there are a number of places (largely
in RegionStore.cpp) that say "if this is a union, treat it as unknown opaque


Our current model for RegionStore, which uses offsets from the complete
object region whenever possible, actually has a good chance of handling
unions well, but nobody's taken the time to turn support back on and verify
that nothing breaks, either in our test suite or in real-world projects.


So unfortunately I can't recommend any course of action here. I haven't
thought about the problem in a while, so I don't have all the necessary
concerns paged in, but basically IIRC it's a nontrivial problem to get even
initialized vs. uninitialized working for unions in RegionStore. It's not
just CallAndMessageChecker's fault.


Sorry for the bad news,




On Jan 8, 2014, at 11:56 , Aditya Kumar <hiraditya at codeaurora.org> wrote:

In the CallAndMessageChecker.cpp, is it possible to implement checks for
uninitialized unions?

E.g., for the following example, I do not get any static analysis report
even if the union 'uoff' is passed uninitialized to the function 'bar'.

#include <stdint.h>

typedef union {
  uint32_t Reg;
  struct {
    uint16_t Cx;
    uint16_t sf;
  };
} tf;

typedef struct {
  uint16_t i;
  uint16_t j;
} st;

int bar(tf, tf, st);

int foo(tf t0, int32_t offset) {
  tf uoff;          /* never written before the call below */
  st s;
  s.i = 10;
  s.j = 100;
  return bar(t0, uoff, s);
}
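
Added example (not part of the thread and not Clang code): a toy C++ model contrasting the two bookkeeping schemes discussed above, per-field-name tracking versus byte offsets from the complete object, applied to the `ab` and `tf` unions. The type and function names and the layouts (4-byte int, no padding) are assumptions made for the illustration.

```cpp
// Toy model for illustration only: not Clang's RegionStore or checker API.
#include <cstddef>
#include <map>
#include <set>
#include <string>
#include <vector>
struct Field { std::string name; std::size_t offset, size; };
struct ObjectLayout {
  std::size_t size;           // sizeof the complete object
  std::vector<Field> fields;  // union members overlap, e.g. all at offset 0
};
// Constructed layouts for the thread's types (assumes 4-byte int, no padding).
ObjectLayout layoutAb() { return {4, {{"a", 0, 4}, {"b", 0, 4}}}; }
ObjectLayout layoutTf() { return {4, {{"Reg", 0, 4}, {"Cx", 0, 2}, {"sf", 2, 2}}}; }

// Field-name model: a store to obj.a says nothing about the overlapping obj.b.
struct ByName {
  std::set<std::string> written;
  void store(const Field &f) { written.insert(f.name); }
  bool fullyInit(const ObjectLayout &l) const {
    for (const Field &f : l.fields) if (!written.count(f.name)) return false;
    return true;
  }
};

// Offset model: a store marks bytes [offset, offset+size) of the whole object.
struct ByOffset {
  std::map<std::size_t, std::size_t> ranges;  // start -> end (exclusive)
  void store(const Field &f) {
    std::size_t &end = ranges[f.offset];
    if (f.offset + f.size > end) end = f.offset + f.size;
  }
  bool fullyInit(const ObjectLayout &l) const {
    std::size_t covered = 0;  // map iterates in increasing start order
    for (const auto &r : ranges) {
      if (r.first > covered) return false;  // gap of unwritten bytes
      if (r.second > covered) covered = r.second;
    }
    return covered >= l.size;
  }
};

// Replay stores to the named members, then ask if the object is initialized.
template <class Model>
bool initAfter(const ObjectLayout &l, const std::vector<std::string> &stores) {
  Model m;
  for (const std::string &n : stores)
    for (const Field &f : l.fields) if (f.name == n) m.store(f);
  return m.fullyInit(l);
}
```

With only `obj.a` stored, the name-keyed model reports `ab` as not fully initialized while the offset-keyed model sees all four bytes covered; for `tf`, storing `Cx` alone leaves bytes 2..3 unwritten.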