forked from OSchip/llvm-project
//===----------------------------------------------------------------------===//
// Random notes for the static analysis module.
//===----------------------------------------------------------------------===//

Currently the analyzer with BasicStore reports a false alarm for code such as:

p[0] = "/bin/sh";
p[1] = NULL;

execv(p[0], argv);

This is because BasicStore "collapses" all elements of an array into their base
region. BasicStore should return UnknownVal() from getLValueElement, but doing
so would break the current test in null-deref-ps.c.

//===----------------------------------------------------------------------===//

Investigate what classes of exprs are passed silently in GRExprEngine::Visit().

One is PredefinedExpr.

//===----------------------------------------------------------------------===//

Remove PersistentSValPairs and PersistentSVals?

//===----------------------------------------------------------------------===//

If the pointer is symbolic, we should expand it to a full region with symbolic
values. This can eliminate the following false warning.

struct file {
  int lineno;
};

struct file *fileinfo;

void f10() {
  int i;
  int *p = 0;

  if (fileinfo->lineno)
    p = &i;

  if (fileinfo->lineno)
    *p = 3; // false warning
}

Now we return a symbolic region for fileinfo->lineno in RegionStore. Loading
from it returns an UnknownVal. Therefore the path condition is not recorded.

Where should we call this ExpandSymbolicPointer method? Perhaps in
GRExprEngine::VisitMemberExpr().

Problem: The base expr of MemberExpr can take various forms. How do we get the
pointer's VarRegion (or other kind of region) to be changed?
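
Added example (not part of the original notes and not analyzer code): a toy
path explorer for f10() showing why a load that yields UnknownVal produces the
false warning, while a load that yields a constrainable symbol does not. The
names LoadKind, PathState, assume and explore are hypothetical.

```cpp
// Toy model of the two branches in f10(); illustration only, not analyzer code.
#include <cstdio>
#include <initializer_list>

// What a load of fileinfo->lineno yields in this model.
enum class LoadKind { Unknown, Symbolic };

struct PathState {
    bool constrained = false;    // has a path condition been recorded?
    bool linenoNonZero = false;  // the recorded condition, if constrained
    bool pIsNull = true;         // int *p = 0;
};

struct Result { int feasiblePaths; int nullDerefReports; };

// Take one direction of `if (fileinfo->lineno)`. Returns false when that
// direction contradicts a constraint already recorded on this path.
static bool assume(PathState &s, LoadKind kind, bool taken) {
    if (kind == LoadKind::Unknown)
        return true;             // no symbol to constrain: always feasible
    if (s.constrained && s.linenoNonZero != taken)
        return false;            // contradicts the first branch: pruned
    s.constrained = true;        // record the path condition
    s.linenoNonZero = taken;
    return true;
}

// Enumerate the four branch combinations of f10() and count the feasible
// paths, and those that reach `*p = 3` with p still null.
Result explore(LoadKind kind) {
    Result r{0, 0};
    for (bool first : {true, false})
        for (bool second : {true, false}) {
            PathState s;
            if (!assume(s, kind, first)) continue;
            if (first) s.pIsNull = false;                   // p = &i;
            if (!assume(s, kind, second)) continue;
            ++r.feasiblePaths;
            if (second && s.pIsNull) ++r.nullDerefReports;  // *p = 3;
        }
    return r;
}

int main() {
    Result u = explore(LoadKind::Unknown), s = explore(LoadKind::Symbolic);
    std::printf("UnknownVal: %d paths, %d reports\n", u.feasiblePaths, u.nullDerefReports);
    std::printf("Symbolic:   %d paths, %d reports\n", s.feasiblePaths, s.nullDerefReports);
    return 0;
}
```

With UnknownVal the infeasible path (first branch false, second branch true) is
kept and reaches the dereference with p null; with a symbolic value it is pruned.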