[cfe-dev] Writing simple checkers for the static analyzer

Jordan Rose jordan_rose at apple.com
Sun May 25 00:13:23 PDT 2014


Hi, Rafael. From your description, this sounds like a bug in the analyzer—two program states with differing user data should not be folded. Can you attach your checker so I can take a look and see if there are any obvious mistakes (on your part or ours)?

Thanks,
Jordan

On May 24, 2014, at 22:01 , Rafael Auler <rafaelauler at gmail.com> wrote:

> Hello,
> 
> I am trying to write a very simple checker for the clang static analyzer for the sake of writing a first exercise on this topic. Its goal is to simply alert whether a specific function has been called twice in a given path. Let's assume the name of this specific function that I am tracking is "doNotCallTwice()".
> 
> In order to record state information, I use the REGISTER_TRAIT_WITH_PROGRAMSTATE macro to register an unsigned together with the program state. This integer indicates whether the function "doNotCallTwice()" has been called in a path and, if it is equal to 1 in a node where I detect yet another call, I prepare to report a "double call" bug. I use "checkPostCall" for changing the state.
> 
> However, something strange happens. My extra integer registered in the program state is not sufficient to differentiate two ProgramStates with the same ProgramPoint: the engine folds the two nodes anyway, ignoring my new state information. On the other hand, the information *is* propagated. If I use other ways to avoid the nodes being folded, the checker works fine.
> 
> An example where it does not work:
> 
> void doNotCallTwice(void);
> 
> void myfunc (int x, int y) {
>   if (x)
>     doNotCallTwice();
>   if (y)
>     doNotCallTwice();
>   doNotCallTwice();
> }
> 
> Since program states get folded in the ExplodedGraph, I never detect any path where two calls to doNotCallTwice() happen. However, changing the code in the following way avoids the folding and makes my checker work:
> 
> void doNotCallTwice(void);
> 
> void myfunc (int x, int y) {
>   if (x)
>     doNotCallTwice();
>   if (y)
>     doNotCallTwice();
>   y = x;  // Now x and y are not dead anymore and this won't be folded
>   doNotCallTwice();
> }
> 
> I based my checker on SimpleStreamChecker.cpp. Am I doing something conceptually wrong?
> 
> Best regards,
> Rafael
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev
