From ad3273be3cd7dd465d38d43aedbf069f7770bb92 Mon Sep 17 00:00:00 2001
From: Jordan Rose <jordan_rose@apple.com>
Date: Sat, 10 Aug 2013 01:24:35 +0000
Subject: [PATCH] [analyzer] Update Open Projects and Potential Checkers pages.

- va_list checker (PR16811 and PR16812)
- Model floating-point values
- Bound bitwise masking operations (PR16615)
- Bound C string length (PR16558 and others)

git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@188127 91177308-0d34-0410-b5e6-96231b3b80d8
---
 www/analyzer/open_projects.html      | 22 ++++++++++++++-
 www/analyzer/potential_checkers.html | 40 ++++++++++++++++++++++++++++
 2 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/www/analyzer/open_projects.html b/www/analyzer/open_projects.html
index c015b48665..a5f5538662 100644
--- a/www/analyzer/open_projects.html
+++ b/www/analyzer/open_projects.html
@@ -31,7 +31,17 @@ mailing list</a> to notify other members of the community.</p>
     not available during analysis. Modeling more of the widely used functions 
     (such as the members of <tt>std::string</tt>) will improve precision of the
     analysis. 
-    <i>(Difficulty: Easy)</i><p>
+    <i>(Difficulty: Easy, ongoing)</i><p>
+    </li>
+
+    <li>Handle floating-point values.
+    <p>Currently, the analyzer treats all floating-point values as unknown.
+    However, we already have most of the infrastructure we need to handle
+    floats: RangeConstraintManager. This would involve adding a new SVal kind
+    for constant floats, generalizing the constraint manager to handle floats
+    and integers equally, and auditing existing code to make sure it doesn't
+    make untoward assumptions.
+    <i> (Difficulty: Medium)</i></p>
     </li>
     
     <li>Implement generalized loop execution modeling.
@@ -159,6 +169,16 @@ mailing list</a> to notify other members of the community.</p>
     <i>(Difficulty: Easy)</i></p>
     </li>
 
+    <li>Implement a BitwiseMaskingChecker to handle <a href="http://llvm.org/bugs/show_bug.cgi?id=16615">PR16615</a>.
+    <p>Symbolic expressions of the form <code>$sym &amp; CONSTANT</code> can range from 0 to <code>CONSTANT-</code>1 if CONSTANT is <code>2^n-1</code>, e.g. 0xFF (0b11111111), 0x7F (0b01111111), 0x3 (0b0011), 0xFFFF, etc. Even without handling general bitwise operations on symbols, we can at least bound the value of the resulting expression. Bonus points for handling masks followed by shifts, e.g. <code>($sym &amp; 0b1100) >> 2</code>.
+    <i>(Difficulty: Easy)</i></p>
+    </li>
+
+    <li>Teach CStringChecker that strings are never longer than, say, <code>SIZE_MAX/4</code> characters.</li>
+    <p>Though most of CStringChecker's functionality is disabled (due to poor diagnostics for error edge cases), it's still used to model certain operations like <code>strlen</code>, which should give the same result each time it's called on a string. However, assuming that the string length is an arbitrary symbolic value can give strange results -- for example, <code>strlen(str)+1</code> could wrap around to 0. (This is the root cause of <a href="http://llvm.org/bugs/show_bug.cgi?id=16558">PR16558</a>.) In practice, strings are never that long, so picking some large upper bound and recording that in the state would make plenty of sense, and would fix these false positives.
+    <i>(Difficulty: Easy)</i></p>
+    </li>
+
     <li>Implement iterators invalidation checker.
     <p><i>(Difficulty: Easy)</i></p>
     </li>
diff --git a/www/analyzer/potential_checkers.html b/www/analyzer/potential_checkers.html
index c769541e70..6b96d1339c 100644
--- a/www/analyzer/potential_checkers.html
+++ b/www/analyzer/potential_checkers.html
@@ -183,6 +183,46 @@ void test(A *dst, A *src) {
 
 </table>
 
+<!-- =============================== va_list =============================== -->
+<h3>va_list</h3>
+<table class="checkers">
+<col class="namedescr"><col class="example"><col class="progress">
+<thead><tr><td>Name, Description</td><td>Example</td><td>Progress</td></tr></thead>
+
+<tr><td><span class="name">valist.Uninitialized</span><br><br>
+Calls to the <code>va_arg</code>, <code>va_copy</code>, or
+<code>va_end</code> macro must happen after calling <code>va_start</code> and
+before calling <code>va_end</code>.
+</td><td><pre>
+#include &lt;stdarg.h&gt;
+
+void test(int x, ...) {
+  va_list args;
+  int y = va_arg(args, int); // warn
+  va_start(args, x); 
+  va_end(args, x);
+  int z = va_arg(args, int); // warn
+}
+</pre></td><td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812">PR16811</a></td></tr>
+
+<tr><td><span class="name">valist.Unterminated</span><br><br>
+Every <code>va_start</code> must be matched by a <code>va_end</code>. A va_list
+can only be ended once.
+
+<i>This should be folded into the generalized "ownership checker" described on the <a href="open_projects.html">Open Projects</a> page.</i>
+</td><td><pre>
+#include &lt;stdarg.h&gt;
+
+void test(int x, ...) {
+  va_list args;
+  va_start(args, x);
+  int y = x + va_arg(args, int);
+  // missing va_end
+}
+</pre></td><td class="aligned"><a href="http://llvm.org/bugs/show_bug.cgi?id=16812">PR16812</a></td></tr>
+
+</table>
+
 <!-- ============================== exceptions ============================= -->
 <h3>exceptions</h3>
 <table class="checkers">
-- 
2.40.0