From 9da34f900b1651dfa83ec7e552a287879542691e Mon Sep 17 00:00:00 2001 From: Anna Zaks Date: Tue, 8 Jan 2013 00:25:14 +0000 Subject: [PATCH] [analyzer] Extend the Representing Values section of the dev manual. git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@171823 91177308-0d34-0410-b5e6-96231b3b80d8 --- www/analyzer/checker_dev_manual.html | 38 ++++++++++++++++++++-------- 1 file changed, 27 insertions(+), 11 deletions(-) diff --git a/www/analyzer/checker_dev_manual.html b/www/analyzer/checker_dev_manual.html index 043b53612a..5368eb0e96 100644 --- a/www/analyzer/checker_dev_manual.html +++ b/www/analyzer/checker_dev_manual.html @@ -116,28 +116,44 @@ for general developer guidelines and information.

Representing Values

During symbolic execution, SVal - objects are used to represent the semantic evaluation of expressions. They can - represent things like concrete integers, symbolic values, or memory locations - (which are memory regions). They are a discriminated union of "values", - symbolic and otherwise. + objects are used to represent the semantic evaluation of expressions. + They can represent things like concrete + integers, symbolic values, or memory locations (which are memory regions). + They are a discriminated union of "values", symbolic and otherwise. + If a value isn't symbolic, usually that means there is no symbolic + information to track. For example, if the value was an integer, such as + 42, it would be a ConcreteInt, + and the checker doesn't usually need to track any state with the concrete + number. In some cases, SVal is not a symbol, but it really should be + a symbolic value. This happens when the analyzer cannot reason about something + (yet). An example is floating point numbers. In such cases, the + SVal will evaluate to UnknownVal. + This represents a case that is outside the realm of the analyzer's reasoning + capabilities. SVals are value objects and their values can be viewed + using the .dump() method. Often they wrap persistent objects such as + symbols or regions.

SymExpr (symbol) - is meant to represent abstract, but named, symbolic value. - Symbolic values can have constraints associated with them. Symbols represent + is meant to represent abstract, but named, symbolic value. Symbols represent an actual (immutable) value. We might not know what its specific value is, but - we can associate constraints with that value as we analyze a path. + we can associate constraints with that value as we analyze a path. For + example, we might record that the value of a symbol is greater than + 0, etc. +

+

- MemRegion is similar to a symbol. It is used to provide a lexicon of how to describe abstract memory. Regions can layer on top of other regions, providing a layered approach to representing memory. For example, a struct object on the stack might be represented by a VarRegion, but a FieldRegion which is a subregion of the VarRegion could be used to represent the memory associated with a specific field of that object. - So how do we represent symbolic memory regions? That's what SymbolicRegion - is for. It is a MemRegion that has an associated symbol. Since the + So how do we represent symbolic memory regions? That's what + SymbolicRegion + is for. It is a MemRegion that has an associated symbol. Since the symbol is unique and has a unique name; that symbol names the region. -

+ +

Let's see how the analyzer processes the expressions in the following example: 

-- 
2.40.0