1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN"
2 "http://www.w3.org/TR/html4/strict.dtd">
5 <title>Open Projects</title>
6 <link type="text/css" rel="stylesheet" href="menu.css">
7 <link type="text/css" rel="stylesheet" href="content.css">
8 <script type="text/javascript" src="scripts/menu.js"></script>
13 <!--#include virtual="menu.html.incl"-->
16 <h1>Open Projects</h1>
18 <p>This page lists several projects that would boost analyzer's usability and
19 power. Most of the projects listed here are infrastructure-related so this list
20 is an addition to the <a href="potential_checkers.html">potential checkers
21 list</a>. If you are interested in tackling one of these, please send an email
22 to the <a href=http://lists.llvm.org/mailman/listinfo/cfe-dev>cfe-dev
23 mailing list</a> to notify other members of the community.</p>
26 <li>Core Analyzer Infrastructure
28 <li>Explicitly model standard library functions with <tt>BodyFarm</tt>.
29 <p><tt><a href="http://clang.llvm.org/doxygen/classclang_1_1BodyFarm.html">BodyFarm</a></tt>
30 allows the analyzer to explicitly model functions whose definitions are
31 not available during analysis. Modeling more of the widely used functions
32 (such as the members of <tt>std::string</tt>) will improve precision of the
34 <i>(Difficulty: Easy, ongoing)</i><p>
37 <li>Handle floating-point values.
38 <p>Currently, the analyzer treats all floating-point values as unknown.
39 However, we already have most of the infrastructure we need to handle
40 floats: RangeConstraintManager. This would involve adding a new SVal kind
41 for constant floats, generalizing the constraint manager to handle floats
42 and integers equally, and auditing existing code to make sure it doesn't
43 make untoward assumptions.
44 <i> (Difficulty: Medium)</i></p>
47 <li>Implement generalized loop execution modeling.
48 <p>Currently, the analyzer simply unrolls each loop <tt>N</tt> times. This
49 means that it will not execute any code after the loop if the loop is
50 guaranteed to execute more than <tt>N</tt> times. This results in lost
51 basic block coverage. We could continue exploring the path if we could
52 model a generic <tt>i</tt>-th iteration of a loop.
53 <i> (Difficulty: Hard)</i></p>
56 <li>Enhance CFG to model C++ temporaries properly.
57 <p>There is an existing implementation of this, but it's not complete and
58 is disabled in the analyzer.
59 <i>(Difficulty: Medium; current contact: Alex McCarthy)</i></p>
61 <li>Enhance CFG to model exception-handling properly.
62 <p>Currently exceptions are treated as "black holes", and exception-handling
63 control structures are poorly modeled (to be conservative). This could be
64 much improved for both C++ and Objective-C exceptions.
65 <i>(Difficulty: Medium)</i></p>
67 <li>Enhance CFG to model C++ <code>new</code> more precisely.
68 <p>The current representation of <code>new</code> does not provide an easy
69 way for the analyzer to model the call to a memory allocation function
70 (<code>operator new</code>), then initialize the result with a constructor
71 call. The problem is discussed at length in
72 <a href="http://llvm.org/bugs/show_bug.cgi?id=12014">PR12014</a>.
73 <i>(Difficulty: Easy; current contact: Karthik Bhat)</i></p>
75 <li>Enhance CFG to model C++ <code>delete</code> more precisely.
76 <p>Similarly, the representation of <code>delete</code> does not include
77 the call to the destructor, followed by the call to the deallocation
78 function (<code>operator delete</code>). One particular issue
79 (<tt>noreturn</tt> destructors) is discussed in
80 <a href="http://llvm.org/bugs/show_bug.cgi?id=15599">PR15599</a>
81 <i>(Difficulty: Easy; current contact: Karthik Bhat)</i></p>
83 <li>Implement a BitwiseConstraintManager to handle <a href="http://llvm.org/bugs/show_bug.cgi?id=3098">PR3098</a>.
84 <p>Constraints on the bits of an integer are not easily representable as
85 ranges. A bitwise constraint manager would model constraints such as "bit 32
86 is known to be 1". This would help code that made use of bitmasks</code>.
87 <i>(Difficulty: Medium)</i></p>
90 <li>Track type info through casts more precisely.
91 <p>The DynamicTypePropagation checker is in charge of inferring a region's
92 dynamic type based on what operations the code is performing. Casts are a
93 rich source of type information that the analyzer currently ignores. They
94 are tricky to get right, but might have very useful consequences.
95 <i>(Difficulty: Medium)</i></p>
97 <li>Design and implement alpha-renaming.
98 <p>Implement unifying two symbolic values along a path after they are
99 determined to be equal via comparison. This would allow us to reduce the
100 number of false positives and would be a building step to more advanced
101 analyses, such as summary-based interprocedural and cross-translation-unit
103 <i>(Difficulty: Hard)</i></p>
110 <li>Refactor path diagnostic generation in <a href="http://clang.llvm.org/doxygen/BugReporter_8cpp_source.html">BugReporter.cpp</a>.
111 <p>It would be great to have more code reuse between "Minimal" and
112 "Extensive" PathDiagnostic generation algorithms. One idea is to create an
113 IR for representing path diagnostics, which would be later be used to
114 generate minimal or extensive report output. <i>(Difficulty: Medium)</i></p>
119 <li>Other Infrastructure
121 <li>Rewrite <tt>scan-build</tt> (in Python).
122 <p><i>(Difficulty: Easy)</i></p>
125 <li>Do a better job interposing on a compilation.
126 <p>Currently, <tt>scan-build</tt> just sets the <tt>CC</tt> and <tt>CXX</tt>
127 environment variables to its wrapper scripts, which then call into an
128 underlying platform compiler. This is problematic for any project that
129 doesn't exclusively use <tt>CC</tt> and <tt>CXX</tt> to control its
131 <p><i>(Difficulty: Medium-Hard)</i></p>
134 <li>Create an <tt>analyzer_annotate</tt> attribute for the analyzer
136 <p>We would like to put all analyzer attributes behind a fence so that we
137 could add/remove them without worrying that compiler (not analyzer) users
138 depend on them. Design and implement such a generic analyzer attribute in
139 the compiler. <i>(Difficulty: Medium)</i></p>
146 <li>Implement a production-ready StreamChecker.
147 <p>A SimpleStreamChecker has been presented in the Building a Checker in 24
149 (<a href="http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf">slides</a>
150 <a href="https://youtu.be/kdxlsP5QVPw">video</a>).
151 We need to implement a production version of the checker with richer set of
152 APIs and evaluate it by running on real codebases.
153 <i>(Difficulty: Easy)</i></p>
156 <li>Extend Malloc checker with reasoning about custom allocator,
157 deallocator, and ownership-transfer functions.
158 <p>This would require extending the MallocPessimistic checker to reason
159 about annotated functions. It is strongly desired that one would rely on
160 the <tt>analyzer_annotate</tt> attribute, as described above.
161 <i>(Difficulty: Easy)</i></p>
164 <li>Implement a BitwiseMaskingChecker to handle <a href="http://llvm.org/bugs/show_bug.cgi?id=16615">PR16615</a>.
165 <p>Symbolic expressions of the form <code>$sym & CONSTANT</code> can range from 0 to <code>CONSTANT-</code>1 if CONSTANT is <code>2^n-1</code>, e.g. 0xFF (0b11111111), 0x7F (0b01111111), 0x3 (0b0011), 0xFFFF, etc. Even without handling general bitwise operations on symbols, we can at least bound the value of the resulting expression. Bonus points for handling masks followed by shifts, e.g. <code>($sym & 0b1100) >> 2</code>.
166 <i>(Difficulty: Easy)</i></p>
169 <li>Implement iterators invalidation checker.
170 <p><i>(Difficulty: Easy)</i></p>
173 <li>Write checkers which catch Copy and Paste errors.
174 <p>Take a look at the
175 <a href="http://pages.cs.wisc.edu/~shanlu/paper/TSE-CPMiner.pdf">CP-Miner</a>
176 paper for inspiration.
177 <i>(Difficulty: Medium-Hard; current contacts: Daniel Marjamäki and Daniel Fahlgren)</i></p>
projects / FreeBSD / FreeBSD.git / blob