[cfe-dev] clang static analyzer: call graph for indirect calls?

Anna Zaks ganna at apple.com
Tue Jan 6 22:48:29 PST 2015


> On Jan 6, 2015, at 6:32 AM, Christian Convey <christian.convey at gmail.com> wrote:
> 
> Hello,
> 
> Is it the case that the clang static analyzer will perform
> interprocedural analyses over exactly the set of paths shown in the
> call graph?
> 

No. The call graph is mainly used to guide the order of analysis. (We try to pick the order that entails the least work for the analyzer.)

> My overall goal is to figure out whether or not clang static analyzer
> will apply checkers to execution paths which flow over indirect calls.

This depends on whether the analyzer can track the value of the function pointer involved in the call. For example:

void f(int x) {
    int y = 5/x;
    y++;
}
void indirect_caller() {
    void (*func)() = f;
    func(0);
}

$clang --analyze ~/tmp/ex.c
/Users/anna/tmp/ex.c:2:11: warning: Division by zero
        int y = 5/x;

However, no warning is produced when func is a global variable because the analyzer does not track that assignment:

void f(int x) {
    int y = 5/x;
    y++;
}
void (*func)() = f;
void indirect_caller() {
    func(0);
}

$clang --analyze ~/tmp/ex.c

> I came up with this test case:
> 
> >>>>>>>
> void f() {
> }
> 
> void direct_caller() {
>    f();
> }
> 
> 
> void indirect_caller() {
>    void (*func)() = f;
>    func();
> }
> <<<<<<
> 
> And I got the following results:
> >>>>>>
> /tmp $ clang -cc1 -I /usr/lib/llvm-3.4/lib/clang/3.4/include -I
> /usr/include -I /usr/include/x86_64-linux-gnu  -analyze
> -analyzer-checker=debug.DumpCallGraph test.c
> --- Call graph Dump ---
>  Function: < root > calls: f direct_caller indirect_caller
>  Function: indirect_caller calls:
>  Function: direct_caller calls: f
>  Function: f calls:
> <<<<<<<
> 
> I'm trying to figure out if from this result, I can correctly infer
> that the clang static analyzer would not perform interprocedural
> analysis on the call string ("indirect_caller", "f").
> 
> Thanks,
> Christian
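
Added example (not part of the original message, and not clang's own code): a small Python parser for the debug.DumpCallGraph output quoted above, showing that the dump records only direct call edges. As the reply says, a missing edge does not mean the analyzer skips the call. KNOWN_CALLS is a hypothetical hand-written review list, and the helper names are assumptions.

```python
import re

# Dump text as quoted in the message above (clang 3.4, debug.DumpCallGraph),
# with the mail quote prefixes removed.
DUMP = """\
--- Call graph Dump ---
 Function: < root > calls: f direct_caller indirect_caller
 Function: indirect_caller calls:
 Function: direct_caller calls: f
 Function: f calls:
"""

# "Function: <name> calls: <callee> <callee> ..." where <name> may be "< root >".
LINE = re.compile(r"^\s*Function:\s*(.+?)\s+calls:\s*(.*)$")


def parse_call_graph(text):
    """Return {caller: [callees]} parsed from a call graph dump."""
    graph = {}
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if m:  # the banner line and blank lines do not match
            graph[m.group(1)] = m.group(2).split()
    return graph


def edges_not_in_graph(graph, expected):
    """Return the (caller, callee) pairs from `expected` that the dump lacks."""
    return [(a, b) for a, b in expected if b not in graph.get(a, [])]


# Hypothetical review list: calls a reader of test.c knows are made.
KNOWN_CALLS = [("direct_caller", "f"), ("indirect_caller", "f")]

if __name__ == "__main__":
    g = parse_call_graph(DUMP)
    for caller, callee in edges_not_in_graph(g, KNOWN_CALLS):
        # Absent from the dump: whether checkers still see this call depends
        # on the analyzer tracking the function pointer's value.
        print(f"{caller} -> {callee}: not in call graph (indirect call?)")
```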
