NOTES.TXT
//===----------------------------------------------------------------------===//
// Random notes for the static analysis module.
//===----------------------------------------------------------------------===//

Currently the analyzer with BasicStore reports a false alarm for code such as:

char *p[2];
p[0] = "/bin/sh";
p[1] = NULL;

execv(p[0], argv);   // p[0] is reported as possibly NULL

This is because BasicStore "collapses" all elements of an array into their base
region, so the binding p[1] = NULL overwrites what was stored for p[0].
BasicStore should return UnknownVal() from getLValueElement, but that would
break the current test in null-deref-ps.c.
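To make the collapse concrete, here is a toy model of the two store strategies
(added here as an illustration; it is not analyzer code and its names, ToyStore
and StoreKind, are invented). It replays the three statements above and shows
what each store believes p[0] is at the execv() call, including the proposed
"return UnknownVal() for array elements" variant of BasicStore:

```cpp
#include <map>
#include <string>
#include <utility>

// Three toy store strategies (hypothetical names, not the analyzer's):
//  Basic            - every element of an array is folded onto its base region
//  BasicUnknownElem - Basic, but element lvalues are not tracked at all
//  Region           - each element gets its own binding
enum class StoreKind { Basic, BasicUnknownElem, Region };

struct ToyStore {
    StoreKind kind;
    // Key: (base variable, element index). Index -1 stands for the base region.
    std::map<std::pair<std::string, int>, std::string> bindings;

    std::pair<std::string, int> key(const std::string& base, int idx) const {
        return {base, kind == StoreKind::Region ? idx : -1};
    }

    // Store a value; in BasicUnknownElem mode element stores are dropped,
    // which is what "return UnknownVal() from getLValueElement" amounts to.
    void bind(const std::string& base, int idx, const std::string& v) {
        if (kind == StoreKind::BasicUnknownElem) return;
        bindings[key(base, idx)] = v;
    }

    // Returns the bound value, or "unknown" when nothing is bound.
    std::string load(const std::string& base, int idx) const {
        auto it = bindings.find(key(base, idx));
        return it == bindings.end() ? std::string("unknown") : it->second;
    }
};

// Replays: p[0] = "/bin/sh"; p[1] = NULL; and returns the value the store
// reports for p[0] at the execv() call.
std::string valueOfP0AtExecv(StoreKind kind) {
    ToyStore s{kind, {}};
    s.bind("p", 0, "/bin/sh");
    s.bind("p", 1, "NULL");
    return s.load("p", 0);
}

// A null-argument checker warns exactly when the loaded value is NULL.
bool checkerWarns(StoreKind kind) {
    return valueOfP0AtExecv(kind) == "NULL";
}
```

With Basic the second store lands on the same key as the first, so p[0] reads
back as NULL and the checker fires; with Region the two elements are distinct
and p[0] is "/bin/sh"; with BasicUnknownElem the checker stays quiet, but any
test that relies on reading an element back (as null-deref-ps.c does) now sees
"unknown".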

//===----------------------------------------------------------------------===//

Investigate what classes of exprs are passed silently in GRExprEngine::Visit().

One is PredefinedExpr.

//===----------------------------------------------------------------------===//

Remove PersistentSValPairs and PersistentSVals?

//===----------------------------------------------------------------------===//

If the pointer is symbolic, we should expand it to a full region with symbolic
values. This can eliminate the following false warning.

struct file {
  int lineno;
};

struct file *fileinfo;

void f10() {
  int i;
  int *p = 0;

  if (fileinfo->lineno)
    p = &i;

  if (fileinfo->lineno)
    *p = 3; // false warning: only reachable when p was set above
}

Now we return a symbolic region for fileinfo->lineno in RegionStore. Loading
from it returns an UnknownVal. Therefore the path condition from the first `if`
is not recorded, and the second `if` cannot be correlated with it: the path
where p is still 0 at `*p = 3` looks feasible.
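The following toy path explorer (added here to illustrate the point; it is not
analyzer code, and SVal, State, assume and nullDerefPathsInF10 are invented
names) walks the two branches of f10(). When the loaded condition is a symbol,
assuming it true and then false on one path is a contradiction and the path is
pruned; when it is Unknown, nothing is recorded and the null-dereferencing path
survives:

```cpp
#include <map>
#include <optional>
#include <string>
#include <vector>

// Toy SVal: either Unknown (nothing can be recorded about it) or a named symbol.
struct SVal {
    bool unknown;
    std::string sym;
};
SVal Unknown() { return {true, ""}; }
SVal Symbol(const std::string& s) { return {false, s}; }

// Path state: the truth values assumed for symbols so far, plus whether p is
// still the null pointer it was initialised to (int *p = 0;).
struct State {
    std::map<std::string, bool> assumptions;
    bool pIsNull = true;
};

// Assume `cond` evaluates to `b`. Returns nullopt when that contradicts an
// earlier assumption on this path, i.e. the path is infeasible.
std::optional<State> assume(State st, const SVal& cond, bool b) {
    if (cond.unknown)
        return st;  // UnknownVal: no constraint recorded, both branches survive
    auto it = st.assumptions.find(cond.sym);
    if (it != st.assumptions.end() && it->second != b)
        return std::nullopt;
    st.assumptions[cond.sym] = b;
    return st;
}

// Simulates f10(), with both `fileinfo->lineno` loads evaluating to `lineno`.
// Returns the number of feasible paths on which `*p = 3` dereferences null.
int nullDerefPathsInF10(const SVal& lineno) {
    State start;
    std::vector<State> afterFirstIf;

    // if (fileinfo->lineno) p = &i;
    if (auto t = assume(start, lineno, true)) {
        t->pIsNull = false;
        afterFirstIf.push_back(*t);
    }
    if (auto f = assume(start, lineno, false))
        afterFirstIf.push_back(*f);

    // if (fileinfo->lineno) *p = 3;  -- only the true branch dereferences p
    int reports = 0;
    for (const State& s : afterFirstIf)
        if (auto t = assume(s, lineno, true))
            if (t->pIsNull)
                ++reports;
    return reports;
}
```

With a symbolic value for the load the "lineno false, then lineno true" path is
pruned and nothing is reported; with UnknownVal the same path is kept and the
false warning appears. That is the gap an ExpandSymbolicPointer step would
close: give the load a symbol to constrain instead of UnknownVal.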

Where should we call this ExpandSymbolicPointer method? Perhaps in
GRExprEngine::VisitMemberExpr().

Problem: The base expr of a MemberExpr can take various forms. How do we get at
the pointer's VarRegion (or other kind of region) that needs to be changed?