Help needed about clang checker


Help needed about clang checker

Yvan Roux via cfe-dev
Hi all, 
   Big thanks to all of you guys for building such an amazing tool.
   Here comes my question. I am a new guy in clang. For now, I want to write a checker to check all buffer accesses (reads/writes of int */char */char []/...). I use checkLocation to do this. But there are a lot of false positives.
   I am very grateful to see your reply!

Thanks & Regards,
Chaz

_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Re: Help needed about clang checker

Yvan Roux via cfe-dev
LLVM-3.4 is ancient, you should try to update if possible. Clang is generally easy to compile from scratch, and it's easier than loading plugins, though linking might be a bit memory-intensive.

I also encourage you to either write -cc1 -analyze, or --analyze -Xclang -analyzer-checker (analyze with double dash and without -Xclang), see more info on this at http://clang-analyzer.llvm.org/checker_dev_manual.html

I don't understand what you are trying to achieve by testing if the location is a null pointer via assume(L), because it doesn't seem to be in any way aligned with your goals.

That said, I don't understand what you mean by "buffer"; there's no formal definition of such a concept in the language. Did you mean "array"? Would access to a field of a field of a field ... of a field of a structure within an array of similar structures be described as a buffer access?

Generally, the type stored in the memory region is available whenever the region is a sub-class of TypedValueRegion. If you're accessing an array element, the location is likely to be the region of the element, not of the whole array, so you may need to have a look at the superregion. Not all regions are TypedValueRegions; the most important example of a non-typed region is SymbolicRegion, which appears when you don't know, within the realm of your analysis, where exactly the pointer points. In this case the pointee type of the pointer type of the symbol that denotes the unknown pointer value would not necessarily be the type of the value stored behind this pointer. In fact, the pointer might as well be of type void *, but that doesn't mean it points to a "value of type void".

In case you haven't seen it yet, I mostly explained this sort of stuff in a re-usable manner in my old workbook at https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf

Also, you shouldn't throw bug reports against a node generated by addTransition(); use generateErrorNode() or generateNonFatalErrorNode(), depending on whether you want to continue analysis after emitting a warning.


On 10/2/18 8:46 PM, changze cui via cfe-dev wrote:

