Clang Static Analyzer multipass checker

samins_KAlex · June 27, 2019, 5:44pm

11.06.2019, 04:12, “Artem Dergachev via cfe-dev” <cfe-dev@lists.llvm.org>:

Multi-pass path-sensitive analysis is indeed not a thing. However, you can do arbitrary AST-based analysis before path-sensitive analysis or after it by subscribing to the respective callback, and you can also explore the whole path-sensitive analysis graph at the end of the analysis. But none of this is actually used actively; there’s usually no need for this.

Also all path-sensitive checkers have a way to affect other checkers and communicate to each other via mutating the common program state. This is used much more actively and allows conducting multiple interconnected analysis in a single path.

There’s most likely an easier solution to what you’re trying to do; i recommend discussing it.
Hello, I’m beginner in CSA programming. I have read clang SA a checker developer manual
and have some questions.
How can I pass command line options to CSA checker? Does -Xanalyzer option can help me?
May be I need to see AnalyzerOptions.cpp, but can’t understand how to catch options from my checker.

Also I want to know is it possible to realize multi-pass analyzer with parallel or sequential running of one or multiply checker with data transfer between passes.
I need to run first checker that taint some input, observes taint values and find some AST expressions (or with path sensible analysis).
After this checker ends up I need to start the second checker, that uses search results of 1’st in analysis from begining of ExplodedGraph.
_______________________________________________
cfe-dev mailing list
[cfe-dev@lists.llvm.org](mailto:cfe-dev@lists.llvm.org)
[https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev](https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev)
cfe-dev mailing list
cfe-dev@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

Thanks for you reply.
But how I can walk through whole path-sensitive analysis graph at the end of the analysis?
Really, I need to collect some information based on first step of analysis and rewrite some AST statements in origin source code.

As I understood I must use checkEndAnalysis callback and then iterate over ExplodedGraph nodes, as here:
for ( ExplodedGraph :: node_iterator I =
G . nodes_begin () ,
E = G . nodes_end ();
I != E ; ++ I ) { … }

Next, I need to give some recommendations to user how he can improve code.
Is the way I’m going right?

NoQ · June 27, 2019, 9:39pm

Yeah, that’s roughly what i meant.

I don’t know if you’re going in the right direction because i’ve never seen this approach used successfully in any actual checkers, so i’ve no idea what you’re trying to do. Because inventing new static analysis techniques is a thing that’s very easy to get wrong, i suggest discussing the problem first, and only then discussing the specific solution.