There is no detailed article/documentation about the Cppcheck ValueFlow analysis.
Cppcheck ValueFlow analysis is a generic context sensitive analysis that is executed before any checker is executed. It tracks symbolic values in different ways: forwards, backwards, into function calls, abstract interpretation, etc.
It is generic since it tracks all values. It doesn't focus on any particular values such as 0 or NULL. There is no knowledge about what values the checkers are interested in.
Symbol values can be classified like this:
* impossible - symbol can't have this value
* unknown - don't know if symbol can have this value
* possible - symbol can have this value
The ValueFlow only tracks "possible" values. So for instance if we only know that the value is larger than 3 then there are no "possible" values - it is not known that it will be for instance 5.
From the checker point of view: Each node in the syntax tree has a list with "possible" values. If the node is a variable then the list of values is the possible values of the variable. If the node is an operation such as "+" then the values are the possible results of the operation. If the list is empty then it is unknown what values there can be.
Example:

```cpp
void f1(int a)
{
    int x = 2 * a; // "a" can be 7. the "*" result can be 14.
}

void f2()
{
    f1(7);
}
```
Cppcheck output when you use --debug is:

```
##Value flow
Line 3
  2:{2}
  *:{14}
  a:{7}
Line 8
  7:{7}
```
Last edit: Daniel Marjamäki 2015-03-30
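The description above, as an added example that is not Cppcheck's own code: a miniature value-flow pass over the expression `2 * a` in `f1`, where the possible values of `a` come from the call sites and an operator node gets the possible results of the operation. The names `Node`, `valueFlow` and `possibleValuesOfTwoTimesA` are hypothetical; beyond the single `f1(7)` call in the post it also shows what happens with several call sites and with no known caller (empty list, i.e. unknown).

```cpp
#include <map>
#include <memory>
#include <set>
#include <string>

// Added illustration, not Cppcheck's own code: a miniature of the ValueFlow
// idea described above. Every expression node carries a set of "possible"
// values; an empty set means "unknown". Parameter values come from call sites.
struct Node {
    std::string str;                 // token text, e.g. "2", "*", "a"
    std::set<long> values;           // possible values; empty = unknown
    std::shared_ptr<Node> lhs, rhs;  // operands, set only for binary operators
};
using NodePtr = std::shared_ptr<Node>;
using CallSiteValues = std::map<std::string, std::set<long>>;  // "a" -> {7, ...}

// A literal has exactly one possible value; a variable starts out unknown.
NodePtr number(long v) { return std::make_shared<Node>(Node{std::to_string(v), {v}, {}, {}}); }
NodePtr variable(const std::string& name) { return std::make_shared<Node>(Node{name, {}, {}, {}}); }
NodePtr binop(const std::string& op, NodePtr l, NodePtr r) { return std::make_shared<Node>(Node{op, {}, l, r}); }

// Bottom-up propagation: a variable takes the values its callers pass, and an
// operator's possible results are computed from every operand combination.
// An unknown operand (empty set) leaves the result unknown, as the text says.
void valueFlow(const NodePtr& n, const CallSiteValues& params) {
    if (!n) return;
    valueFlow(n->lhs, params);
    valueFlow(n->rhs, params);
    if (n->lhs && n->rhs) {
        n->values.clear();
        for (long a : n->lhs->values)
            for (long b : n->rhs->values)
                n->values.insert(n->str == "*" ? a * b : a + b);
    } else {
        auto it = params.find(n->str);
        if (it != params.end()) n->values = it->second;
    }
}

// Possible values of "2 * a" in f1, given the arguments callers pass for "a".
std::set<long> possibleValuesOfTwoTimesA(const std::set<long>& argsForA) {
    NodePtr expr = binop("*", number(2), variable("a"));
    valueFlow(expr, {{"a", argsForA}});
    return expr->values;
}
```

With the post's single call `f1(7)` the `*` node ends up with `{14}`, matching the `--debug` output; with no caller the list stays empty, which is exactly the "unknown" case a checker must treat as "no information".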
Hi,
Could anybody point me to an article or documentation on value flow analysis and how it helps in writing checkers?
Thx and regards,
Naren
If you have not read that then read: http://sourceforge.net/projects/cppcheck/files/Articles/cppcheck-design.pdf/download.