[cfe-dev] [analyzer] limits in reasoning about memory regions

hao/NoQ via cfe-dev cfe-dev at lists.llvm.org
Fri Oct 9 02:33:05 PDT 2015


Hello, I'm not quite sure what you mean by setting a state for each
element, but iterating over all possible sub-regions of a region is
probably not what you really want.

The program may allocate many more bytes than you want to iterate over
during analysis (consider AddressSanitizer, which allocates 16+TB of
memory; you don't really want to set states for all possible elements
of such an array, the analyzer wouldn't be able to handle it; less
corner-case examples are possible, of course).

Additionally, element regions with different element types are
different regions, even if they represent the same memory segment,
which allows for infinitely many different subregions of the same
region. If my understanding of your approach is correct, you should
probably reconsider it and conduct your analysis over base regions
instead.

If you're trying to set bindings to all elements of a large array (e.g.
zero-initialize the output of calloc(), similarly to how MallocChecker
does it), you're probably looking for the 'default binding' thing (see
ProgramState::bindDefault()).
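As an added illustration (not Clang's RegionStore and not code from this thread), a hypothetical toy store showing why a single default binding covers every element of an arbitrarily large base region, while direct bindings stay per-element; the region names and values are constructed for the example:

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <string>
#include <utility>

// Hypothetical toy store: a base region is named by a string and an
// element inside it by its byte offset. Values are ints for simplicity.
typedef std::string BaseRegion;
typedef std::uint64_t Offset;
typedef std::map<std::pair<BaseRegion, Offset>, int> DirectMap;

struct ToyStore {
    // Direct bindings: one entry per element that was written individually.
    DirectMap direct;
    // Default bindings: one entry per base region, applying to every
    // element without a direct binding, whatever the region's size.
    std::map<BaseRegion, int> defaults;

    void bind(const BaseRegion& r, Offset off, int v) {
        direct[std::make_pair(r, off)] = v;
    }

    // A new default wipes earlier element writes of that region, the way a
    // fresh calloc()/memset() result carries no leftover per-element state.
    void bindDefault(const BaseRegion& r, int v) {
        defaults[r] = v;
        for (DirectMap::iterator it = direct.begin(); it != direct.end();) {
            if (it->first.first == r) direct.erase(it++); else ++it;
        }
    }

    // Returns false when nothing is known about the element.
    bool getBinding(const BaseRegion& r, Offset off, int& out) const {
        DirectMap::const_iterator d = direct.find(std::make_pair(r, off));
        if (d != direct.end()) { out = d->second; return true; }
        std::map<BaseRegion, int>::const_iterator f = defaults.find(r);
        if (f != defaults.end()) { out = f->second; return true; }
        return false;
    }

    std::size_t bindingCount() const { return direct.size() + defaults.size(); }
};

// Model "p = calloc(huge, 1); p[7] = 42;" with two bindings in total.
ToyStore modelCallocThenWrite() {
    ToyStore s;
    s.bindDefault("heap_p", 0);  // constructed region name
    s.bind("heap_p", 7, 42);
    return s;
}
```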


