[analyzer] Whole Program Analysis - Full Call Graph

Hello cfe-dev,

I am interested in researching possible static analyzer schemes on whole program states. Initially I would like to build a whole program call graph. I plan to develop program wide checkers for calls to a proprietary SDK. To begin with these checkers would rely on simple call graph/AST based analysis rather than ‘full’ static analysis. These checkers would include items like simple flow analysis of SDK calls that should occur in a particular order (e.g. open()/read()/write()/close()). I would be very grateful if anyone can offer any guidance as to how to achieve this.

My initial thoughts are to use the current AST call graph feature within clang. I would create a checker that builds and serialises the call graph to a file for each source file. I plan to add this serialisation to the clang CallGraph class along the lines of the current AST serialisation. The available serialised call graph files would subsequently be read and merged, creating a full program graph (or partial program graph if the whole program has not been serialised).

I have a couple of questions regarding development style:

a) Would the clang CallGraph class be the best place for the serialisation, or would it be better to place it in the checker(s)?

b) For the read and merge process, should this be an external utility or use the regular clang executable?

Any feedback most welcome. Thank you for your time.

Phil Camp
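The merge step and the call-order checker sketched in the post, as an added example that is not part of the original message and not clang code. It assumes a hypothetical per-translation-unit dump format (one JSON document per TU listing each function, whether the TU defines it, and its callees in source order), a hypothetical SDK with sdk_open/sdk_read/sdk_write/sdk_close, and constructed sample dumps for two TUs; a definition overrides a declaration when graphs are merged, and the checker inlines callees through the merged graph before matching the open/read/write/close protocol.

```python
"""Merge per-TU call-graph dumps and check SDK call order over the result.

Added example (not clang code). Assumed dump format per TU:
  {"tu": "<file>", "functions": {"<name>": {"defined": bool,
                                            "calls": ["<callee>", ...]}}}
"calls" lists callees in source order; branches and loops are not modelled,
so this is a straight-line approximation of the call sequence.
"""
import json

# Constructed sample dumps for two TUs of a program using a hypothetical SDK.
TU_A = json.dumps({"tu": "a.c", "functions": {
    "main":     {"defined": True,  "calls": ["setup", "sdk_write", "teardown"]},
    "setup":    {"defined": False, "calls": []},   # declared only, defined in b.c
    "teardown": {"defined": False, "calls": []},
}})
TU_B = json.dumps({"tu": "b.c", "functions": {
    "setup":    {"defined": True, "calls": ["sdk_open", "sdk_read"]},
    "teardown": {"defined": True, "calls": ["sdk_close"]},
    "leaky":    {"defined": True, "calls": ["sdk_open", "sdk_read"]},   # never closes
    "early":    {"defined": True, "calls": ["sdk_read", "sdk_close"]},  # never opens
}})

SDK_CALLS = {"sdk_open", "sdk_read", "sdk_write", "sdk_close"}

# Protocol the checker enforces: sdk_open -> (sdk_read | sdk_write)* -> sdk_close
TRANSITIONS = {
    "closed": {"sdk_open": "open"},
    "open":   {"sdk_read": "open", "sdk_write": "open", "sdk_close": "closed"},
}


def merge(dumps):
    """Union the per-TU graphs into one whole-program graph.

    A definition wins over a declaration of the same symbol; two definitions
    of one symbol are recorded as a conflict rather than silently overwritten.
    """
    graph, conflicts = {}, []
    for text in dumps:
        dump = json.loads(text)
        for name, node in dump["functions"].items():
            cur = graph.get(name)
            if cur is None or (node["defined"] and not cur["defined"]):
                graph[name] = {"defined": node["defined"],
                               "calls": list(node["calls"]), "tu": dump["tu"]}
            elif node["defined"] and cur["defined"]:
                conflicts.append((name, cur["tu"], dump["tu"]))
    return graph, conflicts


def sdk_sequence(graph, root, stack=frozenset()):
    """Flatten the SDK calls reachable from root, in call order, by inlining
    non-SDK callees. Recursion is cut at the first repeated function."""
    if root in stack or root not in graph:
        return []
    stack = stack | {root}
    seq = []
    for callee in graph[root]["calls"]:
        if callee in SDK_CALLS:
            seq.append(callee)
        else:
            seq.extend(sdk_sequence(graph, callee, stack))
    return seq


def check_order(seq):
    """Run the flattened call sequence through the protocol state machine."""
    state, findings = "closed", []
    for i, call in enumerate(seq):
        nxt = TRANSITIONS[state].get(call)
        if nxt is None:
            findings.append(f"{call} at position {i} while handle is {state}")
        else:
            state = nxt
    if state != "closed":
        findings.append("handle left open at end of sequence")
    return findings


def run(dumps, roots):
    """Merge the dumps and report protocol findings for each root function."""
    graph, conflicts = merge(dumps)
    return {r: check_order(sdk_sequence(graph, r)) for r in roots}, conflicts


if __name__ == "__main__":
    results, conflicts = run([TU_A, TU_B], ["main", "leaky", "early"])
    for root, findings in results.items():
        print(root, findings or "ok")
    print("conflicts:", conflicts)
```

Keying the merge on plain function names only works for C with no static functions of the same name in different TUs; a real dump would key on mangled names or USRs and record whether a symbol has internal linkage, so that two `static` helpers called `setup` in different files are not merged into one node.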

Hi, have you made any progress?