[LLVMdev] summer of code idea — checking bounds overflow bugs

John Regehr regehr at cs.utah.edu
Wed Mar 31 09:35:57 PDT 2010


John,

Thanks for the detailed response.

> Regarding the use of alternative algorithms, there are new, simple static 
> array bounds checking passes within SAFECode that utilize analysis group 
> chaining.  When one analysis cannot determine that a GEP remains within 
> bounds, it can ask a more powerful pass to return a result.  This could 
> potentially be used to reduce the use of the Omega method to just those GEPs 
> that cannot be proven safe using simpler methods.

I think this is the right engineering choice, with a command line option 
to simply disable the heavyweight decision procedure for people who want 
faster compile times.

> I'm curious why you think some undefined behavior detectors need to be built 
> in Clang.  It seems to me that any static analysis could be built using 
> either LLVM or Clang; there are just tradeoffs to each approach.  What 
> advantages does Clang provide?

Some checks must live in Clang because too much information has been lost 
by the time LLVM sees the code.  There are many examples but here is the 
canonical one.  A program has undefined behavior if "between two sequence 
points, an object is modified more than once, or is modified and the prior 
value is read other than to determine the value to be stored."

To implement this check in LLVM, we would have to answer the question: 
Where, in the LLVM code, are the sequence points?

John
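As an added illustration (not part of this thread, and not SAFECode or Clang code), the following C snippet shows the sequence-point rule quoted above in concrete form: one function keeps each modification of `i` in its own full expression, so every sequence point is explicit in the source, while the other packs two modifications of `i` between sequence points, which Clang's AST-level `-Wunsequenced` warning can report because the source-level expression structure is still visible there. The function names are my own.

```c
/* Added example, not from the mailing-list thread.
 * Compile with: clang -Wall -Wunsequenced sequence_points.c
 * The warning is produced at the AST level; by the time the code is
 * lowered to LLVM IR the notion of "between two sequence points" is gone. */
#include <stdio.h>

/* Well-defined: the two modifications of `i` sit in separate full
 * expressions, so a sequence point (the `;`) separates them. */
int sequenced_modify(int i) {
    i = i + 1;
    i = i * 2;
    return i;
}

/* Undefined: `i` is modified twice (by `++` and by the assignment)
 * between two sequence points. Kept only to show what the Clang-level
 * check flags; never rely on its result. */
int unsequenced_modify(int i) {
    i = i++ + 1;   /* clang: warning: multiple unsequenced modifications to 'i' */
    return i;
}

int main(void) {
    /* Only the well-defined form is exercised. */
    printf("sequenced_modify(3) = %d\n", sequenced_modify(3));
    return 0;
}
```

The hardened form is simply the split into separate statements; the point of the pair is that the property being checked (which reads and writes fall between which sequence points) is a property of the C expression tree, which is why the check belongs in the front end rather than in an LLVM pass.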
