[analyzer] What do I need to pay attention to when I convert 'CastToStructChecker' from AST-based check to path-sensitive check?

Hi all,
I plan to reimplement ‘CastToStructChecker’ in a path-sensitive manner in my own codebase. The current AST-based ‘CastToStructChecker’ is very clean and can handle the vast majority of issues except the ‘void*’- or ‘char*’-related cases. NoQ and danielmarjamaki once mentioned these cases in https://reviews.llvm.org/D23508.

Improve alpha.core.CastToStruct warn about widening casts …
The alpha.core.CastToStruct warns when, for instance, casting an int pointer to a struct pointer, as accessing a field can lead to memory access errors.

Path-sensitive analysis can:

  1. find ‘non-struct’ → ‘void’, ‘void*’ → ‘struct*’ bugs.
  2. suppress ‘struct*’ → ‘char*’, ‘char*’ → ‘struct*’ warnings.

The intuitive idea in my mind is to use the ‘checkLocation()’ API, and strip off the cast to check the actual region type. Is it reasonable to reimplement ‘CastToStructChecker’ in a path-sensitive manner? What needs to be noticed in the implementation?

Thanks in advance!

Henry Wong
Qihoo 360 Codesafe Team
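The three cast patterns the post enumerates, written out as concrete analyzer inputs (an added example, not code from the post or from Clang; the function names and `struct point` are constructed). The comments state which verdict a checker that inspects the region type behind the pointer in `checkLocation()` should reach, and why the AST-based checker gets it wrong.

```c
/* Added example: test-style inputs for the cast cases discussed above.
 * Only the region behind the pointer, not the cast expression, tells the
 * two warn/no-warn groups apart. */
#include <stdlib.h>

struct point { int x; int y; };

/* Case 1 (should warn): 'int' -> 'void*' -> 'struct point*'.
 * The AST-based checker sees only the 'void*' -> 'struct point*' cast and
 * skips it. A path-sensitive checker sees, when 'pt->y' is loaded, that the
 * region behind 'pt' is the 4-byte 'int n', so the load runs past the end
 * of the object. Kept as analyzer input only; calling it reads out of bounds. */
int widening_through_void_bug(void) {
    int n = 1;
    void *p = &n;
    struct point *pt = (struct point *)p;
    return pt->y;   /* checkLocation(): region type is 'int', not 'struct point' */
}

/* Case 2 (should not warn): 'struct point*' -> 'char*' -> 'struct point*'.
 * The AST-based checker warns on the 'char*' -> 'struct point*' cast, but the
 * region behind 'buf' is still the original 'struct point', so every field
 * access stays inside the object. */
int round_trip_through_char_ok(int x, int y) {
    struct point pt = { x, y };
    char *buf = (char *)&pt;              /* byte-wise view, e.g. for I/O */
    struct point *back = (struct point *)buf;
    return back->x + back->y;
}

/* Case 3 (should not warn): 'void*' from malloc() to 'struct point*'.
 * The region is a heap block whose extent is sizeof(struct point), so the
 * struct fields fit; an AST-based checker cannot know the extent at all. */
int malloc_to_struct_ok(int x, int y) {
    void *mem = malloc(sizeof(struct point));
    if (mem == NULL)
        return -1;
    struct point *pt = (struct point *)mem;
    pt->x = x;
    pt->y = y;
    int sum = pt->x + pt->y;
    free(mem);
    return sum;
}
```

Running the file through `clang --analyze` with the current AST-based checker flags cases 2 and 3 and misses case 1, which is exactly the gap a region-type check closes.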