I plan to reimplement ‘CastToStructChecker’ in a path-sensitive manner in my own codebase. The current AST-based ‘CastToStructChecker’ is very clean and can handle the vast majority of issues except the ‘void*’ or ‘char*’ related cases. NoQ and danielmarjamaki once mentioned these cases in https://reviews.llvm.org/D23508.
Improve alpha.core.CastToStruct warn about widening casts …
The alpha.core.CastToStruct warns when, for instance, casting an int pointer to a struct pointer, as accessing a field can lead to memory access errors.
Path-sensitive analysis can:
- find ‘non-struct’ → ‘void’, ‘void*’ → ‘struct*’ bugs.
- suppress ‘struct*’ → ‘char*’, ‘char*’ → ‘struct*’ warnings.
The intuitive idea in my mind is to use the ‘checkLocation()’ API, and strip off the cast to check the actual region type. Is it reasonable to reimplement ‘CastToStructChecker’ in a path-sensitive manner? What needs to be noticed in the implementation?
Thanks in advance!
Qihoo 360 Codesafe Team
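As an added illustration (not part of the original post), constructed C test inputs for the cases discussed above: the char*/void* round trips a path-sensitive checker should suppress because the underlying region really is the struct, and the int → void* → struct* widening cast the AST-based checker misses. The `cast_is_widening` helper is a hypothetical model of the extent comparison such a checker would make at the field access, not Clang Static Analyzer API.

```c
/* Constructed test inputs for a path-sensitive cast-to-struct checker.
 * Comments state what the checker should report or suppress on each path. */
#include <stddef.h>
#include <string.h>

struct Point { int x; int y; };

/* Case 1: struct* -> char* -> struct* round trip. The region is a real
 * struct Point, so the final char* -> struct* cast must NOT warn even
 * though it looks like a widening cast syntactically. */
int roundtrip_through_char(void) {
    struct Point p = {3, 4};
    char *bytes = (char *)&p;                    /* legitimate byte view */
    struct Point *back = (struct Point *)bytes;  /* region type is struct Point */
    return back->x + back->y;                    /* 7 */
}

/* Case 2: a byte buffer whose extent equals sizeof(struct Point), viewed as
 * a struct (typical wire-format parsing). Extent check passes: no warning. */
int parse_from_buffer(void) {
    _Alignas(struct Point) unsigned char buf[sizeof(struct Point)];
    struct Point src = {10, 20};
    memcpy(buf, &src, sizeof src);
    struct Point *view = (struct Point *)buf;    /* extent == sizeof(struct Point) */
    return view->x * view->y;                    /* 200 */
}

/* Case 3: the bug the AST checker misses. The region is a single int; the
 * cast to void* erases that, and the later struct* cast widens it. The
 * access to s->y reads past the int. Defined only as checker input and
 * deliberately never executed in this file. */
int widening_via_void(int *single) {
    void *erased = single;                       /* int* -> void*: type hidden */
    struct Point *s = (struct Point *)erased;    /* void* -> struct*: widening */
    return s->y;                                 /* checkLocation here should warn */
}

/* Hypothetical decision rule applied at the field access: compare the size
 * of the struct being accessed with the dynamic extent of the region the
 * pointer actually points to, regardless of intermediate casts. */
int cast_is_widening(size_t region_extent, size_t target_size) {
    return target_size > region_extent;
}
```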