Zhongxing Xu | a40a357 | 2008-10-25 14:56:36 +0000
//===----------------------------------------------------------------------===//
// Random notes for the static analysis module.
//===----------------------------------------------------------------------===//

Currently the analyzer with basic store reports a false alarm for code such as:

  p[0] = "/bin/sh";
  p[1] = NULL;

  execv(p[0], argv);

This is because BasicStore "collapses" all elements of an array into their base
region. BasicStore should return UnknownVal() from getLValueElement, but that
would break the current test in null-deref-ps.c.
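
The collapse described above, as a toy abstract store (an added example, not
Clang's BasicStore code). All names here (store_bind, store_load,
execv_first_arg, the three modes) are hypothetical, and it assumes the alarm is
a NULL value reaching execv's first argument, which the note does not state.

```c
/* Toy abstract store: an added illustration, not Clang's BasicStore code. */
#include <stdio.h>
#include <string.h>

enum val  { UNKNOWN, NULL_PTR, NON_NULL };            /* abstract pointer values */
enum mode { COLLAPSE, UNKNOWN_ELEMENT, PER_ELEMENT }; /* element lvalue policy   */

struct store {
    enum mode mode;
    struct { const char *base; int idx; enum val v; } b[8];
    int n;
};

/* Map array element base[idx] to a binding key; -1 means "unknown lvalue". */
static int element_key(const struct store *s, int idx) {
    if (s->mode == COLLAPSE) return 0;          /* every element aliases the base */
    if (s->mode == UNKNOWN_ELEMENT) return -1;  /* the change proposed in the note */
    return idx;                                 /* one binding per element        */
}

static void store_bind(struct store *s, const char *base, int idx, enum val v) {
    int key = element_key(s, idx);
    if (key < 0) return;                        /* write to unknown lvalue: dropped */
    for (int i = 0; i < s->n; i++)
        if (!strcmp(s->b[i].base, base) && s->b[i].idx == key) { s->b[i].v = v; return; }
    if (s->n < 8) { s->b[s->n].base = base; s->b[s->n].idx = key; s->b[s->n].v = v; s->n++; }
}

static enum val store_load(const struct store *s, const char *base, int idx) {
    int key = element_key(s, idx);
    for (int i = 0; key >= 0 && i < s->n; i++)
        if (!strcmp(s->b[i].base, base) && s->b[i].idx == key) return s->b[i].v;
    return UNKNOWN;
}

/* Abstractly run the snippet; return the value reaching execv's first argument.
   Assumption: the false alarm is this value being NULL. */
enum val execv_first_arg(enum mode m) {
    struct store s = { .mode = m };
    store_bind(&s, "p", 0, NON_NULL);   /* p[0] = "/bin/sh"; */
    store_bind(&s, "p", 1, NULL_PTR);   /* p[1] = NULL;      */
    return store_load(&s, "p", 0);      /* execv(p[0], argv) */
}

int main(void) {
    static const char *name[] = { "unknown", "NULL", "non-null" };
    printf("collapsed:       p[0] = %s\n", name[execv_first_arg(COLLAPSE)]);
    printf("unknown element: p[0] = %s\n", name[execv_first_arg(UNKNOWN_ELEMENT)]);
    printf("per element:     p[0] = %s\n", name[execv_first_arg(PER_ELEMENT)]);
    return 0;
}
```

In the collapsed mode the store to p[1] overwrites the binding made for p[0];
returning an unknown element lvalue removes the alarm by discarding both stores.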

//===----------------------------------------------------------------------===//

Investigate what classes of exprs are passed silently in GRExprEngine::Visit().

One is PredefinedExpr.

//===----------------------------------------------------------------------===//

Remove PersistentSValPairs and PersistentSVals?

//===----------------------------------------------------------------------===//

If the pointer is symbolic, we should expand it to a full region with symbolic
values. This can eliminate the following false warning.

  struct file {
    int lineno;
  };

  struct file *fileinfo;

  void f10() {
    int i;
    int *p = 0;

    if (fileinfo->lineno)
      p = &i;

    if (fileinfo->lineno)
      *p = 3; // false warning
  }

Currently RegionStore returns a symbolic region for fileinfo->lineno, and
loading from it returns an UnknownVal. Therefore the path condition is not
recorded, and the analyzer cannot tell that both if statements test the same
value.

Where should we call this ExpandSymbolicPointer method? Perhaps in
GRExprEngine::VisitMemberExpr().

Problem: The base expr of MemberExpr can take various forms. How do we get the
pointer VarRegion (or other kind of region) to be changed?