Fwd: Clang Static Analyzer multipass checker

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

Fwd: Clang Static Analyzer multipass checker

Nathan Ridge via cfe-dev



11.06.2019, 04:12, "Artem Dergachev via cfe-dev" <[hidden email]>:
Multi-pass path-sensitive analysis is indeed not a thing. However, you can do arbitrary AST-based analysis before path-sensitive analysis or after it by subscribing to the respective callback, and you can also explore the whole path-sensitive analysis graph at the end of the analysis. But none of this is actually used actively; there's usually no need for this.

Also all path-sensitive checkers have a way to affect other checkers and communicate to each other via mutating the common program state. This is used much more actively and allows conducting multiple interconnected analysis in a single path.

There's most likely an easier solution to what you're trying to do; i recommend discussing it.

On 6/9/19 6:51 AM, Алексеев Кирилл via cfe-dev wrote:

Hello, I'm beginner in CSA programming. I have read clang SA a checker developer manual
and have some questions.
How can I pass command line options to CSA checker? Does -Xanalyzer option can help me?
May be I need to see AnalyzerOptions.cpp, but can't understand how to catch options from my checker.

Also I want to know  is it possible to realize multi-pass analyzer with parallel or sequential running of one or multiply checker with data transfer between passes.
I need to run first checker that taint some input, observes taint values and find some AST expressions (or with path sensible analysis).
After this checker ends up I need to start the second checker, that uses search results of 1'st in analysis from begining of ExplodedGraph.


_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev




Thanks for you reply.
But how I can walk through whole path-sensitive analysis graph at the end of the analysis?
Really, I need to collect some information based on first step of analysis and rewrite some AST statements in origin source code.

As I understood I must use checkEndAnalysis callback and then iterate over ExplodedGraph nodes, as here:
for ( ExplodedGraph :: node_iterator I = 
            G . nodes_begin () ,
            E = G . nodes_end (); 
            I != E ; ++ I ) { ... }

Next, I need to give some recommendations to user how he can improve code.
Is the way I'm going right?




_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Reply | Threaded
Open this post in threaded view
|

Re: Fwd: Clang Static Analyzer multipass checker

Nathan Ridge via cfe-dev
Yeah, that's roughly what i meant.

I don't know if you're going in the right direction because i've never seen this approach used successfully in any actual checkers, so i've no idea what you're trying to do. Because inventing new static analysis techniques is a thing that's *very* easy to get wrong, i suggest discussing the problem first, and only then discussing the specific solution.

On 6/27/19 10:44 AM, Алексеев Кирилл via cfe-dev wrote:



11.06.2019, 04:12, "Artem Dergachev via cfe-dev" <[hidden email]>:
Multi-pass path-sensitive analysis is indeed not a thing. However, you can do arbitrary AST-based analysis before path-sensitive analysis or after it by subscribing to the respective callback, and you can also explore the whole path-sensitive analysis graph at the end of the analysis. But none of this is actually used actively; there's usually no need for this.

Also all path-sensitive checkers have a way to affect other checkers and communicate to each other via mutating the common program state. This is used much more actively and allows conducting multiple interconnected analysis in a single path.

There's most likely an easier solution to what you're trying to do; i recommend discussing it.

On 6/9/19 6:51 AM, Алексеев Кирилл via cfe-dev wrote:

Hello, I'm beginner in CSA programming. I have read clang SA a checker developer manual
and have some questions.
How can I pass command line options to CSA checker? Does -Xanalyzer option can help me?
May be I need to see AnalyzerOptions.cpp, but can't understand how to catch options from my checker.

Also I want to know  is it possible to realize multi-pass analyzer with parallel or sequential running of one or multiply checker with data transfer between passes.
I need to run first checker that taint some input, observes taint values and find some AST expressions (or with path sensible analysis).
After this checker ends up I need to start the second checker, that uses search results of 1'st in analysis from begining of ExplodedGraph.


_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev




Thanks for you reply.
But how I can walk through whole path-sensitive analysis graph at the end of the analysis?
Really, I need to collect some information based on first step of analysis and rewrite some AST statements in origin source code.

As I understood I must use checkEndAnalysis callback and then iterate over ExplodedGraph nodes, as here:
for ( ExplodedGraph :: node_iterator I = 
            G . nodes_begin () ,
            E = G . nodes_end (); 
            I != E ; ++ I ) { ... }

Next, I need to give some recommendations to user how he can improve code.
Is the way I'm going right?




_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev


_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev