[cfe-dev] How to handle control flow stmt in path sensitive way?

Devin Coughlin via cfe-dev cfe-dev at lists.llvm.org
Sun Dec 13 10:17:04 PST 2015


Hi Pengfei,

> On Dec 11, 2015, at 2:18 AM, Pengfei Wang via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> I am writing a taint tracking checker of clang static analyzer, and currently I need to do something when a branch is finished being analyzed. Aka I need to know when the symbolic execution reaches the end of an If code block or Else code block.
> 
The static analyzer doesn’t generate pre/post-statement callbacks for control flow statements, so I don’t think there is a way for a checker to be notified when an IfStmt is finished being analyzed.
> I have tried the CompoundStmt, but it didn't work in the callback function CheckPostStmt<CompoundStmt>, and neither did the BlockExpr work.
> 
The analyzer *does* call post-statement callbacks for BlockExprs (see, for example, MallocChecker.cpp) — but this probably isn’t what you want because BlockExprs are for a C extension supporting closures (<http://clang.llvm.org/docs/BlockLanguageSpec.html>).
> It seems that the control flow stmt can only be analyzed in a path-insensitive way, such as using the ASTDecl and ASTCodeBody callbacks. Can I handle the IfStmt or ForStmt in a path-sensitive way to achieve this goal? Thank you!
> 
The analyzer is path-sensitive and *does* take control flow statements into account during analysis as it explores potential paths through the program. Because the key unit of analysis is the *path* through the program it is typically unnecessary for a checker to be aware of when program execution finishes an IfStmt.

For example, in:

  1  b = 2;
  2  if (a > 1) {
  3    b = a;
  4  }
  5 // <— Analyzer symbolically executes this program point twice.

The analyzer will check two paths that reach line 5: one where the analyzer knows a > 1 and b == a and one where it knows a <= 1 and b == 2. The analyzer examines each of these paths independently so it is not usually necessary for a checker to be aware of when the IfStmt ends. This is because any facts about symbolic values assumed on the path when the analyzer takes the ‘then’ branch of the if statement continue to hold even after the IfStmt is finished. Because of this per-path rather than per-program-point view, knowing when an IfStmt is finished is not typically useful to checkers. Are you sure that your taint tracker really needs to get post-statement callbacks for control flow?

Devin
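As an added illustration of the per-path view described in the reply (example code, not from the thread or from Clang itself), here is a toy path-sensitive walk over the four-line snippet above in Python: the state forks at the `if`, and each successor path still carries its branch assumption and its own taint set when it reaches line 5, which is what a taint checker would consult rather than waiting for an end-of-IfStmt callback. The `PathState` record, the list encoding of the program and the assumption that `a` starts out tainted are constructed for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PathState:
    """What one analyzer path knows: symbolic bindings, assumed facts, taint."""
    bindings: dict       # variable -> symbolic value (kept as a string)
    constraints: tuple   # facts assumed on this path, in order taken
    tainted: frozenset   # variables currently holding tainted data

def assign(st, var, value):
    """Bind var to value; taint follows the data (value may name a variable)."""
    taint = set(st.tainted)
    if value in st.tainted:
        taint.add(var)
    else:
        taint.discard(var)
    new_bindings = {**st.bindings, var: st.bindings.get(value, value)}
    return PathState(new_bindings, st.constraints, frozenset(taint))

def assume(st, fact):
    """Fork point: record a branch condition. It is never dropped afterwards."""
    return PathState(st.bindings, st.constraints + (fact,), st.tainted)

def run(stmts, start):
    """Execute stmts along every path; return one PathState per path."""
    paths = [start]
    for stmt in stmts:
        succ = []
        for p in paths:
            if stmt[0] == "assign":
                succ.append(assign(p, stmt[1], stmt[2]))
            elif stmt[0] == "if":
                _, cond, neg_cond, body = stmt
                succ.extend(run(body, assume(p, cond)))   # 'then' path
                succ.append(assume(p, neg_cond))          # 'else' path
        paths = succ
    return paths

# Constructed encoding of lines 1-4 of the snippet in the reply.
PROGRAM = [
    ("assign", "b", "2"),
    ("if", "a > 1", "a <= 1", [("assign", "b", "a")]),
]

def states_at_line_5(a_is_tainted=True):
    """Every path state that reaches the program point after the IfStmt."""
    taint = frozenset({"a"}) if a_is_tainted else frozenset()
    return run(PROGRAM, PathState({"a": "a"}, (), taint))

if __name__ == "__main__":
    for st in states_at_line_5():
        print(st.constraints, st.bindings, sorted(st.tainted))
```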


