| //===----------------------------------------------------------------------===// |
| // Random notes for the static analysis module. |
| //===----------------------------------------------------------------------===// |
| |
| Currently the analyzer with basic store reports a false alarm for code such as: |
| |
| p[0] = "/bin/sh"; |
| p[1] = NULL; |
| |
| execv(p[0], argv); |
| |
| This is because BasicStore "collapses" all elements of an array into their base |
| region. BasicStore should return UnknownVal() from getLValueElement, but doing |
| so would break the current test in null-deref-ps.c. |
| |
| //===----------------------------------------------------------------------===// |
| |
| Investigate what classes of exprs are passed silently in GRExprEngine::Visit(). |
| |
| One is PredefinedExpr. |
| |
| //===----------------------------------------------------------------------===// |
| |
| Remove PersistentSValPairs and PersistentSVals? |
| |
| //===----------------------------------------------------------------------===// |
| |
| If the pointer is symbolic, we should expand it to a full region with symbolic |
| values. This can eliminate the following false warning. |
| |
| struct file { |
|   int lineno; |
| }; |
| |
| struct file *fileinfo; |
| |
| void f10() { |
|   int i; |
|   int *p = 0; |
| |
|   if (fileinfo->lineno) |
|     p = &i; |
| |
|   if (fileinfo->lineno) |
|     *p = 3; // false warning |
| } |
| |
| Now we return a symbolic region for fileinfo->lineno in RegionStore. Loading |
| from it returns an UnknownVal. Therefore the path condition is not recorded. |
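
The effect described above, as a toy model added here for illustration (it is not Clang code, and every name in it is hypothetical): it walks the two `if (fileinfo->lineno)` branches of f10() once with a load that yields an unknown value and once with a load that yields a symbol whose assumption is recorded on the path.

```cpp
// Toy model of path exploration over f10(); added example, not Clang code.
#include <cstdio>
#include <initializer_list>

// What loading fileinfo->lineno yields in this model (names are hypothetical).
enum class LoadKind { Unknown, Symbol };

struct State {
    bool pIsNull = true;     // int *p = 0;
    int linenoAssumed = -1;  // recorded path condition: -1 none, 0 zero, 1 nonzero
};

// Explore both outcomes of `if (fileinfo->lineno)` number ifIndex (0 or 1)
// and return how many paths end in a null-dereference report.
static int explore(State s, int ifIndex, LoadKind kind) {
    if (ifIndex == 2) return 0;  // reached the end of f10()
    int reports = 0;
    for (bool taken : {true, false}) {
        State next = s;
        if (kind == LoadKind::Symbol) {
            // A symbolic value lets the engine remember the assumption and
            // prune a branch that contradicts an earlier one.
            if (s.linenoAssumed != -1 && s.linenoAssumed != (taken ? 1 : 0)) continue;
            next.linenoAssumed = taken ? 1 : 0;
        }
        // With Unknown there is nothing to constrain, so both branches stay
        // feasible at every `if` and the two conditions are uncorrelated.
        if (taken && ifIndex == 0) next.pIsNull = false;  // p = &i;
        if (taken && ifIndex == 1 && next.pIsNull) {      // *p = 3; with p == 0
            ++reports;
            continue;
        }
        reports += explore(next, ifIndex + 1, kind);
    }
    return reports;
}

int nullDerefReports(LoadKind kind) { return explore(State{}, 0, kind); }

int main() {
    std::printf("UnknownVal load: %d report(s)\n", nullDerefReports(LoadKind::Unknown));
    std::printf("symbolic load:   %d report(s)\n", nullDerefReports(LoadKind::Symbol));
    return 0;
}
```

The single report in the unknown case comes from the infeasible path that skips the first `if` and takes the second.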
| |
| Where should we call this ExpandSymbolicPointer method? Perhaps in |
| GRExprEngine::VisitMemberExpr(). |
| |
| Problem: The base expr of MemberExpr can take various forms. How do we get the |
| pointer VarRegion (or other kind of region) to be changed? |