From 05dfafd2415a3ab82b0f3d1f90443cc14995ea5f Mon Sep 17 00:00:00 2001 From: David Malcolm Date: Thu, 26 Sep 2019 16:55:30 -0400 Subject: [PATCH 55/60] FIXME: notes.txt --- notes.txt | 75 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 notes.txt diff --git a/notes.txt b/notes.txt new file mode 100644 index 0000000..2be7cce --- /dev/null +++ b/notes.txt 
@@ -0,0 +1,75 @@ +Notes +===== + +We need a path: we need to explain to the user what the problem is, and to +persuade them that there really is a problem. Hence having a path isn't +just an incidental detail of the analyzer; it's required. + +Paths ought to be: +* interprocedurally-valid +* feasible +...but it's not clear to what extent we can enforce this. + +We collate warnings and only emit them for simplest path +e.g. for a bug in a utility function, with lots of routes to calling it, +we only emit the simplest path (which could be intraprocedural, if +it can be reproduced without a caller). + + +Useful debugging tips +===================== + +Add: + __analyzer_break (); +to the source being analyzed to trigger a breakpoint in the analyzer when +that source is reached. By putting a series of these in the source, it's +much easier to effectively step through the program state as it's analyzed. + +__analyzer_dump (); + +will dump the copious information about the analyzer's state each time it +reaches the call in its traversal of the source. + +The builtin __analyzer_dump_exploded_nodes will dump information after +analysis on all of the exploded nodes at that program point: + + __analyzer_dump_exploded_nodes (0); + +will dump just the number of nodes, and their IDs. + + __analyzer_dump_exploded_nodes (1); + +will also dump all of the states within those nodes. + +region_model::get_value_by_name can be used when inserting custom +debugging code (e.g. adding it region_model::validate to detect the point +at which a named variable acquires an unexpected state). + +Re pending_diagnostic's describe_* vfuncs: + I would have given all these the name "describe" and let overloading + distinguish them, but I was getting numerous warnings from + -Woverloaded-virtual. 
+ + +User-facing Docs (putting them here to avoid the tedious texinfo rebuild times): +================================================================================ + +-fanalyzer +Enables a more detailed, but much more time-consuming analysis pass. + +-fanalyzer-verbosity=0 + Only show interprocedural calls and the most critical state-change + events. + +-fanalyzer-verbosity=1 + Show interprocedural calls and entrypoints, and the most critical + state-change events. + +-fanalyzer-verbosity=2 (the default) + Show interprocedural calls and entrypoints, branches taken, and the + most critical state-change events. + +-fanalyzer-verbosity=3 + Show all events, including statements, and state-change events that + are unrelated to the diagnostic in question. This is more intended + for debugging the analyzer itself. -- 1.8.5.3
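Review bot: The "User-facing Docs" section at the end of notes.txt is the only place this patch documents -fanalyzer and -fanalyzer-verbosity=0 through 3, and its own heading says it lives here "to avoid the tedious texinfo rebuild times". Before this is merged that text should move into the texinfo documentation, leaving notes.txt with the developer notes only. In the same section, the description under -fanalyzer ("Enables a more detailed, but much more time-consuming analysis pass.") is not indented like the descriptions under the -fanalyzer-verbosity entries. In "Useful debugging tips", "e.g. adding it region_model::validate" appears to be missing a "to" before the function name, and the "__analyzer_dump ();" line is unindented while the other example calls are indented. In the opening section, "only emit them for simplest path" should read "the simplest path". The subject line "FIXME: notes.txt" also needs a real summary before this leaves the series.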