[cfe-dev] Iterator Checkers: Understanding Bindings

Ádám Balogh via cfe-dev cfe-dev at lists.llvm.org
Fri May 13 02:30:19 PDT 2016


Hello,

Contents of an iterator (a class or structure) do change. However, we are not interested in the internal changes; for us an iterator is a black box. We track some of their operations and record their state (which is checker dependent) in the execution state. This is almost exactly the same as what SimpleStreamChecker does with streams; the only difference is that streams are pointers and iterators are structures. I am sure that iterator checkers are not the only ones that require an API for tracking structures/classes as black boxes. There could be some other STL, Boost or project-specific library checkers as well.

evalCall() is not an option since it forces all iterator checking into one single checker, which is inconvenient. Furthermore, instead of unreliable hacks with regions we need a proper solution. I wonder what the core guys would say about such a new function as I proposed.

Regards,

Ádám


-----Original Message-----
From: cfe-dev [mailto:cfe-dev-bounces at lists.llvm.org] On Behalf Of Artem Dergachev via cfe-dev
Sent: Thursday, May 12, 2016 17:35
To: cfe-dev at lists.llvm.org
Subject: Re: [cfe-dev] Iterator Checkers: Understanding Bindings

 > If I understand it correctly, we need to implement a new function in
 > RegionStoreManager that retrieves the raw binding for an SVal.
 > This function must also be declared in StoreManager class as a pure
 > virtual function. This function must be able to retrieve default bindings
 > as well. Should it try to retrieve a direct binding first? And how to call
 > that function? getRawBinding()? Or maybe getBindingForOpaqVal()?

Hmm. As long as the contents of the structure remain unchanged, LazyCompoundVal retains its original region (it is simply copied around as a value). Have a look at this quick debug.ExprInspection-based test:


   struct S {
     int z;
   };

   S conjure_S();
   // debug.ExprInspection hook, declared so the test compiles
   void clang_analyzer_explain(S);

   void test_6() {
     S s1 = conjure_S();
     S s2 = s1;
     // lazily frozen compound value of temporary object constructed at statement 'conjure_S()'
     clang_analyzer_explain(s2);
     s2.z = 3;
     // lazily frozen compound value of local variable 's2'
     clang_analyzer_explain(s2);
   }


Maybe it'd be a good idea to try to identify iterators by that region. 
You'd probably need to be able to evalCall() their methods (and probably a 
few other functions) in order to avoid corrupting their contents through 
invalidation. On methods like operator++, which are bound to invalidate 
contents, you can still transfer your id to the new region.
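
Added example (not part of the original thread and not Clang code): a toy C++ model of the suggestion above, where checker state is keyed by the region a lazily copied struct value refers to and is moved to the new region when operator++ is modelled. The Model type, its method names and the region strings are assumptions made for illustration, not analyzer APIs.

```cpp
// Toy model constructed for illustration; none of these names are Clang APIs.
#include <cstdio>
#include <map>
#include <string>

using Region = std::string;

struct Model {
    std::map<Region, Region> valueRegion; // variable -> region its lazy value snapshots
    std::map<Region, int> iterPos;        // checker state: region -> tracked position

    // S v = conjure_S(): the value snapshots the temporary's region.
    void conjure(const Region &var, const Region &temp) { valueRegion[var] = temp; }
    // S dst = src: the value is copied unchanged, so it keeps the original region.
    void copy(const Region &dst, const Region &src) { valueRegion[dst] = valueRegion.at(src); }
    // Field write or invalidation: the value now snapshots the variable's own region.
    void mutate(const Region &var) { valueRegion[var] = var; }

    // Checker: start tracking the iterator currently held in var.
    void track(const Region &var, int pos) { iterPos[valueRegion.at(var)] = pos; }
    // Checker: find state through the value's region; nullptr means untracked.
    const int *lookup(const Region &var) const {
        auto it = iterPos.find(valueRegion.at(var));
        return it == iterPos.end() ? nullptr : &it->second;
    }
    // operator++ modelled by the checker: contents change, so the id moves
    // to the new region instead of being lost.
    void increment(const Region &var) {
        const int *old = lookup(var);
        bool tracked = old != nullptr;
        int next = tracked ? *old + 1 : 0;
        mutate(var);
        if (tracked) iterPos[var] = next;
    }
};

int main() {
    Model m;
    m.conjure("s1", "temp:conjure_S()");
    m.track("s1", 0);
    m.copy("s2", "s1");   // s2 still resolves to the temporary's region
    std::printf("s2 tracked after copy: %s\n", m.lookup("s2") ? "yes" : "no");
    m.mutate("s2");       // like s2.z = 3: the region changes and the id is lost
    std::printf("s2 tracked after write: %s\n", m.lookup("s2") ? "yes" : "no");
    m.copy("s3", "s1");
    m.increment("s3");    // modelled ++ carries the id across
    std::printf("s3 position after ++: %d\n", *m.lookup("s3"));
    return 0;
}
```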