
Return value analysis

Open ex0dus-0x opened this issue 2 years ago • 1 comments

Like in Understand, it could be valuable to annotate calls/decls with function metadata (name, params, return value) in the code explorer. A separate issue has been created for the UI here: https://github.com/trailofbits/qt-multiplier/issues/178.

However, we should maximize the usefulness of this feature, especially in finding type-confusion/null dereference issues. This could be more powerful if we additionally grab each ReturnStmt in the call to find the set of possible types and/or values that a function could return. For a tail call, we should additionally recurse into that callee to further determine that set. Each item in that set should then be an xref to the exact ReturnStmt in the appropriate callee.

A trivial example:

alloc = some_allocator(user_controlled_size);
doSomethingWithAllocation(alloc);

With https://github.com/trailofbits/qt-multiplier/issues/178, we'll be able to see something like this when highlighting and hovering over some_allocator:

name: some_allocator
parameters: size_t len
return: void* val, NULL

Clicking on NULL would then go to that specific line in some_allocator to further introspect how we can reach that specific condition.

ex0dus-0x avatar Apr 25 '23 15:04 ex0dus-0x
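The walk the issue describes, as an added example that is not Multiplier's or PASTA's code: a toy AST (constructed stand-in data, not Multiplier's API) in which each function records its ReturnStmts, a ReturnStmt that returns a call is treated as a tail call and recursed into, and every item in the resulting set carries an xref to the exact ReturnStmt that produced it. It also covers two cases the issue text leaves implicit: a recursive tail call (cut off by a visited set) and a tail call into a callee whose body is not indexed (kept as an opaque value, with the xref pointing at the caller's ReturnStmt). The functions, line numbers and `malloc_wrapper`/`retry_alloc` names are all assumptions.

```python
from dataclasses import dataclass


# Toy AST for the ReturnStmt walk. Constructed stand-in data, not
# Multiplier's or PASTA's AST types.
@dataclass(frozen=True)
class Call:
    callee: str


@dataclass(frozen=True)
class ReturnStmt:
    expr: object   # a literal value as str, or a Call (i.e. a tail call)
    line: int      # source line of the ReturnStmt: the xref target


@dataclass
class Function:
    name: str
    ret_type: str
    params: list
    returns: list  # every ReturnStmt in the body


@dataclass(frozen=True)
class ReturnXref:
    value: str      # possible returned value
    function: str   # function containing the ReturnStmt
    line: int       # line of that ReturnStmt


# Constructed program, roughly the issue's some_allocator example with
# a helper behind it. Line numbers are made up.
PROGRAM = {
    "some_allocator": Function("some_allocator", "void*", ["size_t len"], [
        ReturnStmt("NULL", 12),                 # if (!len) return NULL;
        ReturnStmt(Call("malloc_wrapper"), 13), # return malloc_wrapper(len);
    ]),
    "malloc_wrapper": Function("malloc_wrapper", "void*", ["size_t n"], [
        ReturnStmt("NULL", 22),                 # if (!val) return NULL;
        ReturnStmt("val", 23),                  # return val;
    ]),
    "retry_alloc": Function("retry_alloc", "void*", ["size_t n"], [
        ReturnStmt(Call("retry_alloc"), 31),    # recursive tail call
        ReturnStmt(Call("malloc"), 32),         # callee body not indexed
    ]),
}


def possible_returns(name, program, _seen=None):
    """Set of ReturnXref for every value `name` can return, following tail calls."""
    seen = set() if _seen is None else _seen
    if name in seen:          # cycle through a recursive tail call: nothing new
        return set()
    seen.add(name)
    func = program[name]
    found = set()
    for stmt in func.returns:
        if isinstance(stmt.expr, Call):
            callee = stmt.expr.callee
            if callee in program:
                # Tail call into an indexed function: recurse into its ReturnStmts.
                found |= possible_returns(callee, program, seen)
            else:
                # Unknown callee: keep the call opaque, xref the caller's ReturnStmt.
                found.add(ReturnXref(f"{callee}(...)", func.name, stmt.line))
        else:
            found.add(ReturnXref(stmt.expr, func.name, stmt.line))
    return found


def annotate(name, program):
    """Hover-style metadata: name, parameters, possible returns, plus xrefs."""
    func = program[name]
    xrefs = sorted(possible_returns(name, program), key=lambda x: (x.function, x.line))
    values = list(dict.fromkeys(x.value for x in xrefs))  # dedupe, keep order
    return {
        "name": func.name,
        "parameters": ", ".join(func.params),
        "return": f"{func.ret_type} " + ", ".join(values),
        "xrefs": xrefs,
    }


if __name__ == "__main__":
    for key, val in annotate("some_allocator", PROGRAM).items():
        print(f"{key}: {val}")
```

Clicking `NULL` in a real UI would follow one of the `xrefs` entries; here two distinct ReturnStmts (`some_allocator:12` and `malloc_wrapper:22`) both yield `NULL`, so the annotation should keep both rather than collapse them into one target.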

Absent re-implementing a Clang-like type printer, the types stuff is going to rely on #356, and @kumarak is working on #275 as a lead-in to that work. The idea is that we have a custom fork of Clang's type printer in PASTA, and so we'll save off printed tokens for types in the indexer. But the current way we store types is, for historical reasons, very redundant, hence the initial work on type deduplication.

pgoodman avatar Apr 25 '23 16:04 pgoodman