[cfe-dev] Help needed about clang checker

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Wed Oct 3 11:56:40 PDT 2018


LLVM-3.4 is ancient; you should try to update if possible. Clang is 
generally easy to compile from scratch, and it's easier than loading 
plugins, though linking might be a bit memory-intensive.

I also encourage you to either write -cc1 -analyze, or --analyze -Xclang 
-analyzer-checker (analyze with double dash and without -Xclang), see 
more info on this at http://clang-analyzer.llvm.org/checker_dev_manual.html

I don't understand what you are trying to achieve by testing if the location 
is a null pointer via assume(L), because it doesn't seem to be in any way 
aligned with your goals.

That said, I don't understand what you mean by "buffer"; there's no 
formal definition of such a concept in the language. Did you mean "array"? 
Would access to a field of a field of a field ... of a field of a 
structure within an array of similar structures be described as a buffer 
access?

Generally, the type stored in the memory region is available whenever 
the region is a sub-class of TypedValueRegion. If you're accessing an 
array element, the location is likely to be the region of the element, 
not of the whole array, so you may need to have a look at the 
superregion. Not all regions are TypedValueRegions; the most important 
example of a non-typed region is SymbolicRegion, which appears when you 
don't know, within the realm of your analysis, where exactly the 
pointer points. In this case the pointee type of the pointer type of 
the symbol that denotes the unknown pointer value would not necessarily 
be the type of the value stored behind this pointer. In fact, the 
pointer might as well be of type void *, but it doesn't mean that it 
points to a "value of type void".

In case you haven't seen it yet, I mostly explained this sort of stuff 
in a re-usable manner in my old workbook at 
https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf

Also, you shouldn't throw bug reports against a node generated by 
addTransition(); use generateErrorNode() or generateNonFatalErrorNode(), 
depending on whether you want to continue analysis after emitting a 
warning.


On 10/2/18 8:46 PM, changze cui via cfe-dev wrote:
> Hi all,
>    Big thanks to all of you guys for building such an amazing tool.
>    Here comes my question. I am new to clang. For now, I want to 
> write a checker to check all buffer access (read/write about  int 
> */char */char []/......). I use checkLocation to do this. But there 
> are a lot of false positives.
>    I put the details here: 
> https://stackoverflow.com/questions/52619110/how-to-detect-all-buffer-access-by-using-clang-static-checker
>    I am very grateful to see your reply!
>
> Thanks & Regards,
> Chaz
