Tracking Values in the Clang Static Analyzer

Clang Experts,

I’m interested in using the CSA to track various aspects and properties of values in C++ programs. For example, if I decide that a value or object should be colored blue, then it should remain blue throughout its life in the translation unit. So far, I’ve been using the following map with some degree of success:

REGISTER_MAP_WITH_PROGRAMSTATE(ColorMap, const MemRegion *, Color)

So rather than coloring the values, I’m coloring their associated memory. Furthermore, when blue memory is copied to another location, the target location is also colored blue (using checkBind). In the following typical case, my strategy works fine:

void foo (int *j) {
*j += 3; // in this statement, color the memory pointed to by j “blue”
return;
}

void bar () {
int i = 42;
foo(&i);
i -= 3; // in this statement, i is still “blue”
}

But the following will NOT work:

int foo (int j) {
j += 3; // in this statement, color j’s memory “blue”
return j;
}

void bar () {
int i = 42;
int k = foo(i);
k -= 3; // in this statement, k is not “blue”, though I want it to be
}

The reason why this doesn’t work is that in the second example, j is returned by foo() by value, meaning it’s copied, and so the k inside bar() no longer refers to the same (blue) memory region. This would be fine if checkBind() were to catch such copies, but apparently it does not. The same problem arises when variables are passed by value to a function. For example, if I had colored i blue in bar() before calling foo(i), then i would no longer be blue inside foo();

My second approach was to also allow for the coloring of SVal’s:

REGISTER_MAP_WITH_PROGRAMSTATE(ColorSValMap, SVal *, Color)

But this led to other problems, because apparently SVal’s are not unique, and are recycled. So a lot of values were being incorrectly labeled as blue.

Any help would be very much appreciated. BTW I’m using Clang 3.5.

~Scott Constable