[cfe-dev] Help needed about clang checker
Artem Dergachev via cfe-dev
cfe-dev at lists.llvm.org
Wed Oct 3 11:56:40 PDT 2018
LLVM-3.4 is ancient, you should try to update if possible. Clang is
generally easy to compile from scratch, and it's easier than loading
plugins, though linking might be a bit memory-intensive.

I also encourage you to either write -cc1 -analyze, or --analyze -Xclang
-analyzer-checker (analyze with double dash and without -Xclang), see
more info on this at http://clang-analyzer.llvm.org/checker_dev_manual.html

I don't understand what you are trying to achieve by testing if location
is a null pointer via assume(L), because it doesn't seem to be anyhow
aligned with your goals.

That said, I don't understand what you mean by "buffer"; there's no
formal definition of such a concept in the language. Did you mean "array"?
Would access to a field of a field of a field ... of a field of a
structure within an array of similar structures be described as a buffer
access?

Generally, the type stored in the memory region is available whenever
the region is a sub-class of TypedValueRegion. If you're accessing an
array element, the location is likely to be the region of the element,
not of the whole array, so you may need to have a look at the
superregion. Not all regions are TypedValueRegions; the most important
example of a non-typed region is SymbolicRegion which appears when you
don't know, within the realm of your analysis, where exactly the
pointer points to. In this case the pointee-type of the pointer-type of
the symbol that denotes the unknown pointer value would not necessarily
be the type of the value stored behind this pointer. In fact, the
pointer might as well be of type void *, but it doesn't mean that it
points to a "value of type void".

In case you haven't seen it yet, I mostly explained this sort of stuff
in a re-usable manner in my old workbook at
https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf

Also you shouldn't throw bug reports against a node generated by
addTransition(); use generateErrorNode() or generateNonFatalErrorNode(),
depending on whether you want to continue analysis after emitting a
warning.

On 10/2/18 8:46 PM, changze cui via cfe-dev wrote:
> Hi all,
> Big thanks to all of you guys for building such an amazing tool.
> Here comes my question. I am a new guy in clang. For now, I want to
> write a checker to check all buffer access (read/write about int
> */char */char []/......). I use checkLocation to do this. But there
> are a lot of false positives.
> I put the details here:
> https://stackoverflow.com/questions/52619110/how-to-detect-all-buffer-access-by-using-clang-static-checker
> I am very grateful to see your reply!
>
> Thanks & Regards,
> Chaz
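
A stand-alone C++ model of the region walk described in the reply above, added here as an illustration; it is not code from the thread or from Clang. The `Region` struct, the `Kind` and `Access` enums and `classify` are hypothetical stand-ins for the analyzer's region classes, the sample regions are constructed, and walking through nested field regions generalizes the single super-region lookup the reply mentions.

```cpp
#include <initializer_list>
#include <iostream>
#include <string>

// Simplified stand-in for the analyzer's region tree; NOT Clang's own classes.
enum class Kind { Var, Field, Element, Symbolic };
struct Region {
  Kind kind;
  const Region *super;    // enclosing region, nullptr at the top
  std::string valueType;  // stored type; empty for Symbolic (untyped)
  bool typed() const { return kind != Kind::Symbolic; }
};
enum class Access { NotArray, TypedArray, UnknownPointee };

// Walk from the accessed location towards its base region. An element whose
// super-region is typed yields the array type; reaching a symbolic region
// means the analysis does not know what is stored behind the pointer.
Access classify(const Region *loc, std::string &arrayType) {
  for (const Region *r = loc; r; r = r->super) {
    if (r->kind == Kind::Symbolic) return Access::UnknownPointee;
    if (r->kind == Kind::Element && r->super && r->super->typed()) {
      arrayType = r->super->valueType;
      return Access::TypedArray;
    }
  }
  return Access::NotArray;
}

// Constructed sample regions (types written as strings for brevity).
const Region arr{Kind::Var, nullptr, "struct S [4]"};
const Region elem{Kind::Element, &arr, "struct S"};
const Region inner{Kind::Field, &elem, "struct In"};
const Region len{Kind::Field, &inner, "int"};     // arr[2].inner.len
const Region sym{Kind::Symbolic, nullptr, ""};    // unknown pointer p (void *)
const Region pElem{Kind::Element, &sym, "char"};  // ((char *)p)[i]
const Region x{Kind::Var, nullptr, "int"};        // plain local variable

int main() {
  std::string t;
  for (const Region *r : {&len, &pElem, &x}) {
    t.clear();
    Access a = classify(r, t);
    std::cout << (a == Access::TypedArray ? "array of type " + t
                  : a == Access::UnknownPointee ? std::string("unknown pointee")
                                                : std::string("not an array access"))
              << "\n";
  }
}
```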