Alias-awareness of unix.Malloc checker

Hi everyone,

I have recently been looking into the unix.Malloc checker, and wonder if it's
capable of treating pointers that alias each other correctly. If not,
is it possible to incorporate LLVM's inter-procedural alias analysis
into the checker to make it smarter? I'm aware that the alias analysis
runs on LLVM IR, and the static checkers are based on symbolic
execution of the AST, so it might not be a feasible approach. I would like
to hear your opinions.

William Yang

Hi, Weikun. MallocChecker isn't specifically alias-aware, but as part of the analyzer it can pick up one variable getting assigned to another. There's not currently much beyond that—even comparing two pointers for equality doesn't start treating them as aliases downstream. (This is a harder problem than it sounds.)

In general, though, trying to pull in LLVM-style alias analysis wouldn't be the best thing for the analyzer. By design, the analyzer's analysis is not sound—a perfectly sound analysis would produce a lot of false negatives or a lot of false positives or both. For example, "p1" and "p2" may alias in an actual program, but you'd never want to treat them as if they aliased!

#include <stdlib.h>

void *p1 = malloc(sizeof(int));
free(p1);                        /* p1 is now dangling */
void *p2 = malloc(sizeof(long)); /* may be handed the very address p1 had */

We have some aliasing heuristics in the analyzer: stack memory will never alias heap memory, heap-allocated memory will never alias other heap-allocated memory, etc. But we probably don't want to do more than that, at least not right now. I don't think it would actually improve the quality of results very much.

Jordan

P.S. This would also be a non-trivial project because Clang and LLVM use different representations for both types and values.
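The two aliasing situations Jordan contrasts, written out as a small C program. This is an added example for this thread, not code from either message or from the Clang project; the function names and the return-value conventions are my own. The first function reproduces the malloc/free/malloc sequence from the reply and reports whether the allocator actually reused the address (either answer is a valid run, which is exactly why a checker must not treat p1 and p2 as aliases). The second shows the one kind of alias the reply says the analyzer does follow, an alias created by plain assignment, and keeps the would-be use-after-free as a comment so the program stays correct.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Jordan's example: two allocations whose lifetimes never overlap.
 * At run time the allocator may return for p2 the same address p1 had, so
 * p1 and p2 "may alias" in the LLVM sense; but if the analyzer treated them
 * as aliases, every use of p2 would look like a use-after-free of p1.
 * Returns 1 if the address was reused, 0 if not, -1 on allocation failure.
 * Both 0 and 1 are results of a perfectly valid program. */
int sequential_allocs_reuse_address(void) {
    void *p1 = malloc(sizeof(int));
    if (!p1) return -1;
    uintptr_t a1 = (uintptr_t)p1;   /* keep only the integer value, not a dangling pointer */
    free(p1);

    void *p2 = malloc(sizeof(long));
    if (!p2) return -1;
    uintptr_t a2 = (uintptr_t)p2;
    memset(p2, 0, sizeof(long));    /* legal: p2 is live no matter what p1 was */
    free(p2);

    return a1 == a2;
}

/* The alias the analyzer does see: created by the assignment b = a.
 * After free(b) the region is released through b, so a is dangling too;
 * because the assignment was tracked, a read of a[0] after the free is the
 * kind of use-after-free MallocChecker can report. This function reads
 * through a only while the buffer is live and returns the stored value. */
int free_through_assigned_alias(void) {
    int *a = malloc(4 * sizeof(int));
    if (!a) return -1;
    int *b = a;          /* analyzer records that a and b name the same region */
    b[0] = 42;
    int v = a[0];        /* still live: reads 42 through the original name */
    free(b);             /* releases the region; a is now dangling as well */
    /* a[0] here would be a use-after-free, reachable via the tracked alias. */
    return v;
}

/* Two distinct live heap regions: per the heuristics in the reply, heap
 * memory never aliases other heap memory, so the analyzer keeps them apart
 * even though the program compares the pointers. Returns 1 if distinct. */
int distinct_live_heap_regions(void) {
    int *x = malloc(sizeof(int));
    int *y = malloc(sizeof(int));
    if (!x || !y) { free(x); free(y); return -1; }
    int distinct = (x != y);   /* comparing them does not make them aliases downstream */
    free(x);
    free(y);
    return distinct;
}
```

Running the first function several times on one platform will usually, but not always, give 1 for small allocations; the point is that the analyzer cannot know, and should not guess, which outcome a given run will produce.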