static analyzer invalidating entire structs


I noticed that conservativeEvallCall invalidates all items in a
cluster(struct) in the example below instead of invalidating
only the item passed as argument.

I think the following Code should report a NonNullParamChecker warning.
However t.mem is invalidated in the conservativeEvallCall of the scanf


#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct test{
    int* mem;
    int value;

int main(int argc, char** argv, char** envp)
    struct test t;
    t.mem = NULL;

Is this a known limitation?

I'm trying to debug this, but haven't fully understood the RegionStore
yet. Is there more documentation besides the RegionStore.rst?


Hi Max,
Consider the following (somewhat contrived) example:

#include <stddef.h>

struct foo {
int val1;
int val2;

void sneaky(int *val) {
// Suppose I know I am always going to be passed
// val2 of an instance of struct foo here
size_t val2_off;
char *val2_ptr, *base_ptr;
struct foo *foo_ptr;

val2_off = offsetof(struct foo, val2);
val2_ptr = (char *) val;
// Sneak level: 100
base_ptr = val2_ptr - val2_off;
// I have found the struct instance pointer!
foo_ptr = (struct foo *) base_ptr;

// And now I can mangle every field of the
// struct instance as I please.
foo_ptr->val1 = rand();

void bar() {
struct foo fooer = { .val1 = 100, .val2 = 200 };

// If CSA were to perform conservative eval of sneaky,
// it can have no idea what happened to the other fields
// of the struct instance.

As you can see, conservative evaluation has no choice but to invalidate all struct members.
Btw, the example I have given is less contrived than it seems. In C, with intrusive data structures, usually something very similar is done. The “linked-list”, which is an ubiquitous data-structure in the Linux kernel, uses something like this (as a macro) to reach the struct from the list node.
Warm regards,