[cfe-dev] [analyzer] Conjuring symbols in checkBeginFunction()

Julian Ganz via cfe-dev cfe-dev at lists.llvm.org
Wed Jun 20 02:56:40 PDT 2018


Hi List,

For some time now I've been trying to use information attached to symbols created
in a checker's `checkBeginFunction()`. Specifically, I'm trying to conjure
symbols for fields of `this` for methods. Currently, my checker does this
by:

retrieving a symbolic value for the `this` region:
    auto self = state->getSVal(C.getSValBuilder().getCXXThis(record, C.getStackFrame()));
(with `state` being the `ProgramStateRef`, `C` being the `CheckerContext`
and `record` being the `RecordDecl` of the object)

retrieving a region from this symbolic value:
    auto instanceRegion = dyn_cast_or_null<SubRegion>(self.getAsRegion());

retrieving a region for the field:
    auto fieldRegion = state->getStateManager().getRegionManager().getFieldRegion(fieldDecl, instanceRegion);
(with `fieldDecl` being the declaration of the field within the `record`)

and, finally, getting a symbol representing this region's value:
    auto symbol = C.getSymbolManager().getRegionValueSymbol(fieldRegion);

This gives me a symbol, which I tried to use in other checker callbacks:
    reg_$1<TypeOfField SymRegion{reg_$0<ObjType * this>}->field>

Note: I don't use `ProgramState::getLValue(const FieldDecl*, SVal)`
because it did not work (either). I don't really remember why.

In callbacks executed afterwards, I indeed see that some symbol is bound to
the field. However, it appears not to be the one I created. E.g.
`state->dump()` prints:
    Expressions:
      (0xf5e7470,0x931a828) this->field :
&base{SymRegion{derived_$224{conj_$221{int},base{base{base{base{SymRegion{reg_$0<class ObjType * this>}->field,somethig}, somethig }, somethig else}, somethig else }-> somethig else }}, somethig else }

When given either a `MemberExpr` expression referring to that field or an
`ImplicitCastExpr` wrapping the former, I just get an `UnknownVal` from
`state->getSVal(expr)` (neither expression is at `0x931a828`).

Is there actually any way to make this work with the (current) clang static
analyzer? E.g. to create symbols which are not (yet) "backed" by an
expression encountered in the AST?

Btw: I'm not really surprised that this did not work for me, since the fresh
symbol is not bound to any expression and hence cannot be (trivially) found
in later callbacks. I could work around the issue by trying to catch
expressions referring to `this`, but this is quite suboptimal in my
use case, especially given the fact that a `check::PreStmt<CXXThisExpr>`
apparently never gets invoked. Also, considering that support for
contract-based programming made it into the draft for C++20 this week, I
suspect that there will be other developers trying to construct and use
symbols for expressions which may not be in the function body at all.

Regards,
Julian