haoNoQ wrote: Hi! I wonder if path-sensitive analysis is useful here at all. If you simply warn every time you see arithmetic performed on a pointer to a class with at least one virtual method, wouldn't that be quite accurate most of the time?
At a glance, such operation only makes sense when all subclasses are actually of the same size. I'm aware of pretty much exactly one real-world class of this kind: static analyzer's own `SVal` lol. You can detect this case by looking at one or two derived classes in the AST, to see if they add any new member variables. This won't work if base classes aren't visible in the AST, but your checker will also not work in this case(?) I can also think of cases where path sensitivity is useful because it can catch cases like ``` Object *Objs; char *x = reinterpret_cast<int *>(Objs); x += 1; ``` but these aren't exactly the cases we're trying to catch; it's probably easier to think of them as a different problem that we can catch separately (invalid reinterpretation of a pointer). So, maybe your checker should be a plain old compiler warning? Compiler warnings are great because they're much easier to enable, so they benefit a much larger portion of users. An on-by-default compiler warning will be even more accessible, and this one can probably be enabled by default? We usually prefer implementing checks as compiler warnings when they don't need sophisticated analysis (eg. path-sensitivity) or any sort of domain-specific knowledge. https://github.com/llvm/llvm-project/pull/82977 _______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
