//===----------------------------------------------------------------------===//
// Random notes for the static analysis module.
//===----------------------------------------------------------------------===//
Currently the analyzer with the basic store reports a false alarm for code such
as:

  p[0] = "/bin/sh";
  p[1] = NULL;
  execv(p[0], argv);

This is because BasicStore "collapses" all elements of an array into their base
region. BasicStore should return UnknownVal() from getLValueElement, but doing
so would break the current test in null-deref-ps.c.
//===----------------------------------------------------------------------===//
Investigate what classes of exprs are passed silently in GRExprEngine::Visit().
One is PredefinedExpr.
//===----------------------------------------------------------------------===//
Remove PersistentSValPairs and PersistentSVals?
//===----------------------------------------------------------------------===//
If the pointer is symbolic, we should expand it to a full region with symbolic
values. This can eliminate the following false warning.

  struct file {
    int lineno;
  };
  struct file *fileinfo;

  void f10() {
    int i;
    int *p = 0;
    if (fileinfo->lineno)
      p = &i;
    if (fileinfo->lineno)
      *p = 3; // false warning
  }

Currently we return a symbolic region for fileinfo->lineno in RegionStore.
Loading from it returns an UnknownVal, so the path condition is not recorded.

Where should we call this ExpandSymbolicPointer method? Perhaps in
GRExprEngine::VisitMemberExpr().

Problem: The base expr of MemberExpr can take various forms. How do we get the
pointer varregion (or other kind of region) to be changed?
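
The f10() false warning above can be reproduced with a toy path explorer. This is an added example, not code from the analyzer: State, Edge, branch() and null_deref_paths() are hypothetical names, and the model assumes fileinfo->lineno is not modified between the two branches.

```cpp
#include <cstdio>
#include <initializer_list>
#include <vector>

// Toy model of exploring f10() path by path; not clang code.
struct State {
    bool p_is_null;       // does p still hold 0 on this path?
    int lineno_nonzero;   // recorded path condition: -1 none, 0 false, 1 true
};
struct Edge { State state; bool taken; };

// Split a path at `if (fileinfo->lineno)`. With symbolic == false the loaded
// value is unknown: both branches are feasible and no condition is recorded.
static std::vector<Edge> branch(const State &s, bool symbolic) {
    std::vector<Edge> out;
    for (bool taken : {true, false}) {
        if (symbolic && s.lineno_nonzero != -1 && (s.lineno_nonzero == 1) != taken)
            continue;  // contradicts the recorded condition: infeasible path
        Edge e = {s, taken};
        if (symbolic) e.state.lineno_nonzero = taken ? 1 : 0;
        out.push_back(e);
    }
    return out;
}

// Number of explored paths that reach `*p = 3` with p == 0.
int null_deref_paths(bool symbolic) {
    int warnings = 0;
    State entry = {true, -1};  // int *p = 0; nothing known about lineno
    for (Edge first : branch(entry, symbolic)) {
        if (first.taken) first.state.p_is_null = false;  // p = &i;
        for (Edge second : branch(first.state, symbolic))
            if (second.taken && second.state.p_is_null) ++warnings;
    }
    return warnings;
}

int main() {
    std::printf("load yields unknown value: %d warning(s)\n", null_deref_paths(false));
    std::printf("load yields symbolic value: %d warning(s)\n", null_deref_paths(true));
    return 0;
}
```

With an unknown load the explorer keeps the path that skips the first branch and takes the second, which is the false warning; with a symbolic value that path is pruned as infeasible.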