Big thanks to all of you guys for building such an amazing tool.
Here comes my question. I am a new guy in clang. For now, I want to write a checker to check all buffer access (read/write about int */char */char /…). I use checkLocation to do this. But there are a lot of false positives.
I put the details here: https://stackoverflow.com/questions/52619110/how-to-detect-all-buffer-access-by-using-clang-static-checker
I am very grateful to see your reply!
Thanks & Regards,
LLVM-3.4 is ancient, you should try to update if possible. Clang is generally easy to compile from scratch, and it’s easier than loading plugins, though linking might be a bit memory-intensive.
I also encourage you to either write -cc1 -analyze, or --analyze -Xclang -analyzer-checker (analyze with double dash and without -Xclang), see more info on this at
I don’t understand what you are trying to achieve by testing if location is a null pointer via assume(L), because it doesn’t seem to be in any way aligned with your goals.
That said, I don’t understand what you mean by “buffer”; there’s no formal definition of such a concept in the language. Did you mean “array”? Would access to a field of a field of a field … of a field of a structure within an array of similar structures be described as a buffer access?
Generally, the type stored in the memory region is available whenever the region is a sub-class of TypedValueRegion. If you’re accessing an array element, the location is likely to be the region of the element, not of the whole array, so you may need to have a look at the superregion. Not all regions are TypedValueRegions; the most important example of a non-typed region is SymbolicRegion, which appears when you don’t know, within the realm of your analysis, where exactly the pointer points. In this case the pointee-type of the pointer-type of the symbol that denotes the unknown pointer value would not necessarily be the type of the value stored behind this pointer. In fact, the pointer might as well be of type void *, but it doesn’t mean that it points to a “value of type void”. In case you haven’t seen it yet, I mostly explained this sort of stuff in a re-usable manner in my old workbook at
Also you shouldn’t throw bug reports against a node generated by addTransition(); use generateErrorNode() or generateNonFatalErrorNode(), depending on whether you want to continue analysis after emitting a warning.