On Sun, 2020-03-01 at 23:48 +0800, y...@bupt.edu.cn wrote:
> Hello, David! 
>  
> It's so excited to receive a reply from you directedly. My name is
> Beenle, an undergraduate student in Beijing, China. 

Hello Beenle.

> I've read the analyzer internal documentation, but I'm not sure I
> understood well. The following are my thoughts about the analyzer and
> I’m not sure they are right or feasible. Would it be possible for you
> to give me some advice? 

I'll try.

> For the detecting part, the core is the state machine. But it's
> working on the gimple-SSA representation, it’s more complex.
> According to the graphs and the state machine, we detect the problem.
> I wonder that since I know little about gimple and ssa, should I read
> the 12 gimple internal and 13 analysis and optimization of gimple
> tuples internal firstly so that I can understand the approach of the
> analyzer well and maybe produce some new ideas?

Yes: it's worth reading through the GCC internals manual - in
particular the sections about gimple-SSA.

You should definitely also read "7 Testsuites": I tend to follow Test-
Driven Development with the analyzer: I create some simple test files
that demonstrate bugs that the analyzer ought to detect, and turn them
into DejaGnu tests.

>   And the reason why we build the supergraph is that the gimple-SSA
> representation gives us the callgraph and CFGs of the program.
> And there is a problem derived from the graph--since we have to
> represent the graph to the user (is there any other reason?), we have
> to simplify the graph. So how to prune and merge is an important
> part.

There are several "graphs":

- the supergraph combines the CFGs and the callgraph
- the exploded_graph combines the supergraph with state (and call
strings)
- the graph within a region_model at a node within the exploded_graph,
expressing pointers to regions.

Pruning within region_model instances, and merging them is indeed very
important, to avoid the analysis "exploding".

I've been working on a rewrite of how region_models are pruned, which I
hope to land in "master" in the next week.

> The last is how to represent the problem to the users. How to find a
> simplest and feasible way is important too.

Yes.  diagnostic-manager.cc generates events, and then tries to purge
them (a kind of peephole optimization, but optimizing for readability
to the end-user, rather than optimizing code).

> For the GSoC, I would like to extend the analyzer for C++ and
> optimize the pruning and merging algorithm. I’m also interested in
> optimizing the region model, but not sure if time permitted. This is
> just my first thought, and I’m eager for your suggestion, such as on
> the time limitation and the urgent need for the project.

All of these ideas sound very worthwhile.

Perhaps it's worth focusing on C++ support.  For example:
- extending the malloc/free checking to cover new/delete and 
new[]/delete[] (and mismatches between them)
- exception-handling
- properly handling constructors and destructors
- virtual functions
- ...etc

The above could easily take the whole summer, and would be self-
contained.

> It's still a bit difficult for me to read the codes after reading the
> internal documentation. Is there any way that I can understand
> easier? 

FWIW I wrote some notes on GCC for newcomers here:
  https://dmalcolm.fedorapeople.org/gcc/newbies-guide/index.html

I would recommend building the code from source, and trying to step
through the analyzer.

Use "--disable-bootstrap" when building from source: it's much quicker.
Build it, and change to the "gcc" subdirectory (containing the built
"cc1" and "xgcc" binaries).
I wrote some instructions on debugging here:
  https://dmalcolm.fedorapeople.org/gcc/newbies-guide/debugging.html

The entrypoint to the analyzer is ana::run_checkers, so try putting a
breakpoint there and stepping through it.

Also, -fdump-analyzer and -fdump-analyzer-stderr may prove useful for
seeing what's going on.


> And when I try to test the analyzer, I got a 404 when I try to open  
> https://gcc.gnu.org/git/gcc even without the firewall. How can I
> solve this problem?

I don't know where you got that URL; I get a 404 for it as well.

I hope you're able to access the links I gave above.  Some of it is on
github, if that's accessible from China.


Try the instructions here for obtaining a git clone of the latest
sources:
  https://gcc.gnu.org/git.html


> Thank you very much for your patience! I’m looking forward to your
> reply.
> 
> Best wishes!
> 
> Beenle Yi

I hope the above was helpful
David


> >  
> > From: David Malcolm
> > Date: 2020-02-28 10:01
> > To: y...@bupt.edu.cn; gcc
> > Subject: Re: GSoC: some questions about the static analyzer pass
> > On Fri, 2020-02-28 at 09:31 +0800, y...@bupt.edu.cn wrote:
> > > Hello everybody! I've learned about the projects in Google summer
> > of
> > > code, and I'm so interested in the static analyzer pass. I wonder
> > > that where I can read the code of the static analyzer pass and
> > how to
> > > contact with the mental David Malcolm. Can anyone help me please?
> > > Thank you so much.
> >  
> > Hi!
> >  
> > The code is in the gcc/analyzer subdirectory of the GCC source
> > tree:
> >   https://gcc.gnu.org/git/?p=gcc.git;a=tree;f=gcc/analyzer
> >  
> > Internal documentation is here:
> >   https://gcc.gnu.org/onlinedocs/gccint/Static-Analyzer.html
> >  
> > Some other notes can be seen at:
> >   https://gcc.gnu.org/wiki/DavidMalcolm/StaticAnalyzer
> >  
> >  
> > Hope this is helpful
> > David
> >  
> >  
> >  

Reply via email to