[cfe-dev] On heap variables and Clang SA
Manuel Klimek
klimek at google.com
Tue Mar 17 08:02:31 PDT 2015
On Tue, Mar 17, 2015 at 4:00 PM Bhargava Shastry <
bshastry at sec.t-labs.tu-berlin.de> wrote:
> On a tangent, does Google use Clang SA on large codebases esp. Chromium
> that has a massive C++ LoC count? If not, what are the top reasons for
> not doing so? Lack of C++ support seems to be the Google position on
> this [1] but am wondering if that is the only reason.
>
Yes, this is the only reason; we'd *love* to be able to use it. I already
shot considerable time and effort into trying to get this good enough, but
I think I'd need to spend another couple of weeks, which I currently just
don't have.
>
> [1]: https://code.google.com/p/chromium/wiki/ClangStaticAnalyzer
>
> Regards,
> Bhargava
>
> On 03/17/2015 03:00 PM, Manuel Klimek wrote:
> > On Tue, Mar 17, 2015 at 2:50 PM Bhargava Shastry
> > <bshastry at sec.t-labs.tu-berlin.de
> > <mailto:bshastry at sec.t-labs.tu-berlin.de>> wrote:
> >
> > Hi,
> >
> > On 03/17/2015 01:09 PM, Manuel Klimek wrote:
> > > How can you prove a comparison against garbage value from that code?
> > > Seems like somebody can set m_x to anything between the constructor and
> > > the call to method.
> > > If you want to catch this, you'll at least need:
> > > void f() {
> > >   foo f;
> > >   f.method();
> > > }
> >
> > Apologies for having left out the crucial function that instantiates a
> > foo object. Agree that this is the missing piece.
> >
> > > ... and then the SA needs to "inline" both the call to the constructor
> > > and the method call to see the problem.
> >
> > My understanding is that, during symbolic execution, Clang SA "visits"
> > function calls in the procedure under analysis. So, in the function void
> > f() above, Clang SA would metaphorically step into foo's constructor and
> > subsequently method() and prove garbage value in two steps i.e.,
> >
> >
> > Yes, that's what the SA calls "inlining". I agree that it's confusing :)
> >
> >
> >
> > Step 1. Call to f.method() from void f()
> > Step 2. Garbage value comparison in method()
> >
> > Is inlining how Clang SA really does this? AFAIK, Clang SA visits the
> > call graph for a translation unit in topological order. In the example,
> > this means, when void f() is being analyzed, both ctor declaration and
> > method declarations would be visited, no?
> >
> >
> > Well, it depends. Whether the SA drills into a function depends on many
> > things.
> >
> >
> >
> >
> > Regards,
> > Bhargava
> >
> > --
> > Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de
> > <mailto:bshastry at sec.t-labs.tu-berlin.de>>
> > Security in Telecommunications
> > TU Berlin / Telekom Innovation Laboratories
> > Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> > phone: +49 30 8353 58235
> >
>
> --
> Bhargava Shastry <bshastry at sec.t-labs.tu-berlin.de>
> Security in Telecommunications
> TU Berlin / Telekom Innovation Laboratories
> Ernst-Reuter-Platz 7, Sekr TEL 17 / D - 10587 Berlin, Germany
> phone: +49 30 8353 58235
>
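The complete translation unit the discussion converges on, as an added example that is not part of the thread: the class bodies and the hardened variant are constructed assumptions (the thread only names foo, m_x and method()). With a driver like f() present, Clang SA can inline both the constructor and the method call and is expected to report the garbage comparison; the initialising constructor in foo_fixed removes the uninitialised read.

```cpp
// Added example, not code from the cfe-dev thread. Class definitions are
// constructed assumptions: the thread only mentions foo, m_x and method().

struct foo {
    int m_x;           // never initialised by the constructor
    foo() {}           // constructed: leaves m_x holding garbage
    int method() const {
        // Clang SA (core checkers) is expected to flag this comparison as
        // using a garbage value once the constructor and this call are
        // both inlined from a caller such as f() below.
        if (m_x > 0)
            return 1;
        return 0;
    }
};

// The driver the analyzer needs: a function in this TU that both constructs
// a foo and calls method(). Without it neither frame is inlined, so the
// uninitialised read is never reached during symbolic execution.
void f() {
    foo x;
    x.method();
}

// Hardened variant: the member is initialised in the constructor, so there
// is no garbage read for the analyzer to report.
struct foo_fixed {
    int m_x;
    explicit foo_fixed(int v = 0) : m_x(v) {}
    int method() const { return m_x > 0 ? 1 : 0; }
};

// Same shape as f(), but returns the result so it can be checked.
int g(int v) {
    foo_fixed x(v);
    return x.method();
}
```

Run the file through `clang --analyze` to see the report on foo::method() and its absence for foo_fixed::method().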