From: Ankur Saini <arsenic.secondary@gmail.com>
To: David Malcolm <dmalcolm@redhat.com>
Cc: gcc@gcc.gnu.org
Subject: Re: GSoC 2021 - Static analyzer project
Date: Tue, 30 Mar 2021 16:36:31 +0530 [thread overview]
Message-ID: <AF4ABFAA-E32E-4026-BF15-9F94F05B7E3F@gmail.com> (raw)
In-Reply-To: <9d1d387c90e8a67adcafaa88bdb4a067256699a2.camel@redhat.com>
hello sir
in my quest of finding a bug ( which ended up being a feature ) along with it’s source in the analyzer, I tested the code on these 2 code snippets and here’s how I went towards it
(1)
int main()
{
int *ptr = (int *)malloc(sizeof(int));
return 0;
}
link to running example (https://godbolt.org/z/1jGW1qYez <https://godbolt.org/z/1jGW1qYez>)
(2)
int definaltly_main()
{
int *ptr = (int *)malloc(sizeof(int));
return 0;
}
link to running example (https://godbolt.org/z/bzjMYex4M <https://godbolt.org/z/bzjMYex4M>)
where on second snipper analyzer is warning us about the leak as it should be, but in the first one it isn’t.
and as the gimple representation of both looks exactly the same apart from function name, which made me think that either intentionally or unintentionally, analyzer handles case of main() differently than any other function.
so while looking at it’s exploded graphs I found out that the only 2 differences in them
1. There is one less exploded node(after node E-8) created in first one ( I earlier thought state merging or state pruning is taking place here but it isn’t because the results are not affected even after disabling those using `-fno-analyzer-state-purge` and `-fno-analyzer-state-merge` options )
2. no diagnosis for malloc leak happening at the end of first one even though there exist a pointer in unchecked state at the end ( according to the malloc state machine )
In quest to find the cause I started navigating through the source code of the analyser starting off with the run_checkers() function in engine.cc which looks like the entry point of the analyser ( found via the commit history of the analyzer ). But finally it ended at `impl_region_model_context::on_state_leak()` function where I found out that analyzer is intentionally skipping the leak report when it is in main.
This gave rise to some questions
1. why does the analyzer make exceptions with the main() function ?
2. even if it is not complaining about the leak then this still doesn’t explain the reason for one less exploded node in this case of main() function.
thanks
- Ankur
next prev parent reply other threads:[~2021-03-30 11:06 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-05 11:34 Ankur Saini
2021-03-06 0:35 ` David Malcolm
2021-03-08 11:13 ` Ankur Saini
2021-03-30 11:06 ` Ankur Saini [this message]
2021-03-30 13:57 ` David Malcolm
2021-04-06 12:26 ` Ankur Saini
2021-04-06 14:04 ` David Malcolm
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=AF4ABFAA-E32E-4026-BF15-9F94F05B7E3F@gmail.com \
--to=arsenic.secondary@gmail.com \
--cc=dmalcolm@redhat.com \
--cc=gcc@gcc.gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).