[cfe-dev] Clang GenericTaintChecker limitations

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Thu Aug 11 09:04:19 PDT 2016


On 8/11/16 3:42 PM, Gábor Horváth wrote:
> Note that the analyzer does not reason about global variables right now.

@Gábor: Hmm, what do you mean? :o They're present in the Store and work 
like all other variables, they're just invalidated too often (on every 
unmodeled function call). If the variables are also const-qualified, 
then they shouldn't be invalidated, and should always resolve to their 
initial value (though I think there were some bugs there).

@Divya: if you think that your own API functions themselves do 
unnecessary invalidation (rather than user-defined functions or library 
functions), then you have an option to `evalCall` them - that's a 
special checker callback in which you can take care of all modeling, but

> And also note that there are no guarantees about the coverage. There 
> might be code that is not covered by the analysis at all.

@Gábor: Yeah, it might be that as well. The loop might have been too 
complex, and the analyzer didn't find the proper path through the loop 
(loops are currently inlined as well).

@Divya: you may want to increase the `-cc1 -analyzer-max-loop=4` option 
to a higher value. In the worst case, I'd have a look at the 
ExplodedGraph 
(http://clang-analyzer.llvm.org/checker_dev_manual.html#visualizing) to 
see what exactly is going on.

It might also easily be something else, so if you can post some sample 
code, we'd probably make a better guess.
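The kind of sample code the message asks for, as an added reproducer constructed here (not code from the thread or from Clang): taint enters through `scanf`, an unrelated loop with a constant trip count above the default max-loop sits between source and sink, and the tainted `malloc` size is only reached on a path that completes the loop. The checker name and the `-Xanalyzer` spelling of the cc1 options in the comment are assumptions.

```c
/* Constructed reproducer (not from the thread).  Assumed invocation:
 *   clang --analyze -Xanalyzer -analyzer-checker=alpha.security.taint \
 *         -Xanalyzer -analyzer-max-loop -Xanalyzer 16 taint_loop.c
 * With the default max-loop of 4 the path through fill_header() is dropped
 * before the sink, so no taint report appears; raising it past HDR_LEN
 * lets the analyzer reach malloc() with the tainted size. */
#include <stdio.h>
#include <stdlib.h>

#define HDR_LEN 8   /* constant trip count above the default max-loop of 4 */

/* Scratch buffer so the helper can be exercised without extra setup. */
unsigned char scratch[HDR_LEN];

/* Fills hdr[0..len) with tag and returns the number of bytes written.
 * The trip count is a compile-time constant, so the analyzer cannot exit
 * the loop early: it must visit the loop block len+1 times on one path,
 * and once that exceeds max-loop the path is dropped (no widening). */
int fill_header(unsigned char *hdr, int len, unsigned char tag) {
    int i;
    for (i = 0; i < len; i++)
        hdr[i] = tag;
    return i;
}

/* Taint source -> fixed-count loop -> sink.  Returns NULL when the read
 * fails; the caller owns the returned block. */
void *read_and_alloc(unsigned char *hdr) {
    int n;
    if (scanf("%d", &n) != 1)      /* scanf: GenericTaintChecker source */
        return NULL;               /* n is tainted from here on */
    fill_header(hdr, HDR_LEN, 0xAB);
    return malloc((size_t)n);      /* sink: untrusted data as buffer size */
}

int main(void) {
    void *p = read_and_alloc(scratch);
    printf("alloc %s\n", p ? "ok" : "failed");
    free(p);
    return 0;
}
```

Change HDR_LEN to 2 and the same flow is reported with the default max-loop, which separates "the checker is wrong" from "the analyzer never reached the sink".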
