[cfe-dev] On heap variables and Clang SA
Bhargava Shastry
bshastry at sec.t-labs.tu-berlin.de
Tue Mar 17 08:00:38 PDT 2015
On a tangent, does Google use Clang SA on large codebases esp. Chromium
that has a massive C++ LoC count? If not, what are the top reasons for
not doing so? Lack of C++ support seems to be the Google position on
this [1] but I am wondering if that is the only reason.
[1]: https://code.google.com/p/chromium/wiki/ClangStaticAnalyzer
Regards,
Bhargava
On 03/17/2015 03:00 PM, Manuel Klimek wrote:
> On Tue, Mar 17, 2015 at 2:50 PM Bhargava Shastry
> <bshastry at sec.t-labs.tu-berlin.de
> <mailto:bshastry at sec.t-labs.tu-berlin.de>> wrote:
>
> Hi,
>
> On 03/17/2015 01:09 PM, Manuel Klimek wrote:
> > How can you prove a comparison against garbage value from that code?
> > Seems like somebody can set m_x to anything between the
> constructor and
> > the call to method.
> > If you want to catch this, you'll at least need:
> > void f() {
> > foo f;
> > f.method();
> > }
>
> Apologies for having left out the crucial function that instantiates a
> foo object. Agree that this is the missing piece.
>
> > ... and then the SA needs to "inline" both the call to the constructor
> > and the method call to see the problem.
>
> My understanding is that, during symbolic execution, Clang SA "visits"
> function calls in the procedure under analysis. So, in the function void
> f() above, Clang SA would metaphorically step into foo's constructor and
> subsequently method() and prove garbage value in two steps, i.e.,
>
> Yes, that's what the SA calls "inlining". I agree that it's confusing :)
>
> Step 1. Call to f.method() from void f()
> Step 2. Garbage value comparison in method()
>
> Is inlining how Clang SA really does this? Afaik, Clang SA visits the
> call graph for a translation unit in topological order. In the example,
> this means, when void f() is being analyzed, both ctor declaration and
> method declarations would be visited, no?
>
> Well, it depends. Whether the SA drills into a function depends on many
> things.
>
> Regards,
> Bhargava
>
> --
> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de
> <mailto:bshastry at sec.t-labs.tu-berlin.de>>
> Security in Telecommunications
> TU Berlin / Telekom Innovation Laboratories
> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> phone: +49 30 8353 58235
>
--
Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
Security in Telecommunications
TU Berlin / Telekom Innovation Laboratories
Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
phone: +49 30 8353 58235
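The case the quoted exchange works through, written out as a complete translation unit so the two inlining steps can be seen in one place. This is an added example, not code from the thread; `foo_fixed` and `g()` are assumed names added here to show the hardened form beside the original pattern.

```cpp
#include <cassert>

// Constructed example: the pattern under discussion. The constructor leaves
// m_x indeterminate and method() compares it. Neither function is wrong in
// isolation; the analyzer sees the garbage-value comparison only when it
// starts at f(), inlines the constructor call, then inlines the call to
// method(), carrying the fact "m_x is undefined" across both calls.
struct foo {
    int m_x;
    foo() {}                                  // m_x not initialized
    bool method() const { return m_x > 0; }   // reads an indeterminate value
};

void f() {
    foo f;        // step 1: constructor inlined, m_x recorded as undefined
    f.method();   // step 2: method inlined, comparison on undefined value found
}

// Hardened form: every path that constructs the object defines m_x, so the
// same inlining finds no undefined operand in method().
struct foo_fixed {
    int m_x = 0;                              // in-class initializer
    foo_fixed() = default;
    explicit foo_fixed(int x) : m_x(x) {}
    bool method() const { return m_x > 0; }
};

// Deterministic check of the fixed type: default object compares false,
// explicitly constructed object compares according to x.
bool g(int x) {
    foo_fixed a;          // m_x == 0
    foo_fixed b(x);       // m_x == x
    return !a.method() && b.method();
}

int main() {
    // Analyze with: clang++ --analyze example.cpp
    // f() is a root of the call graph, so it is analyzed as an entry point;
    // the report lands on method()'s comparison with a path through f() and
    // foo::foo(). f() is not executed here since it reads uninitialized data.
    return g(1) ? 0 : 1;
}
```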