[cfe-dev] [analyzer] limits in reasoning about memory regions

Thu Oct 8 11:23:29 PDT 2015

Thanks a lot for providing these insights!

So is it possible to obtain all single
'subregions' of heap allocated memory for code like this
(if the MallocChecker is activated)? :

int *x = malloc(sizeof(int)*4);

The reason why I would like to detect the 'subregions'
of a heap allocated memory block is to iterate over them,
in order to set a state for each element represented by the 'subregion'.

On 08.10.15 16:18, hao/NoQ via cfe-dev wrote:
> Hello,
>
>> the analyzer cannot fully reason about a region in the following cases, as those are not represented as TypedRegions
>
> Technically, there's a difference between reasoning about type and
> reasoning about size of the region. Different mechanisms are
> responsible for that.
>
> It is true that reasoning about types is implemented by the means of
> TypedValueRegion and its derived classes. Symbolic region, which
> represents a region behind a symbolic pointer, is untyped, because
> pointer can be casted arbitrarily - for example, you may allocate an
> array of four chars with operator new[], and then treat it as a 32-bit
> int (consider a custom allocator). Whenever access occurs inside a
> SymbolicRegion, however, you are not seeing access to the
> SymbolicRegion itself, but an ElementRegion of the necessary type
> inside this SymbolicRegion, which is the way the analyzer represents
> pointer casts.
>
> Reasoning about region size, in bytes, is implemented via region
> extent, obtained with SubRegion::getExtent(). This may be either a
> symbol or a concrete value, depending on whether the analyzer can
> reason about the extent of the region. To obtain a direct answer for
> your question, you can see how the getExtent() method is implemented
> for various region classes. For VarRegion, for example, the extent
> would be the size of the variable. For SymbolicRegion, it would be a
> symbol of type SymbolExtent, because SymbolicRegion is only based on a
> pointer at start of it, and no information about the end of the region
> is available.
>
> There's good news, however: there may be various things that affect
> range constraints for the extent symbols. One of such things is
> MallocChecker. If you enable this checker, it would affect the program
> state by applying constraints over the SymbolExtent for symbolic
> regions explicitly allocated on the heap to mark it as known to be
> equal to the actual amount of allocated memory. This allows you to
> reason about extents of regions allocated on heap when such
> information can actually be obtained during analysis.
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>