how to statically obtain filename and line numbers that lead to a variable setting in C?

Question

I have a large software system written in C. I have all the sources. I am trying to find a tool that can help me determine (preferably via static analysis) the functions and line numbers that can set a variable that is of interest to me. Example:

void func_a(int q) {
   int z;
   ...
   z = q*2;
   ....
   func_b(z);   //  I NEED TO FIND OUT ALL LINES in ALL FILES that can set "z"
}

int main(int argc, char *argv[]) {
     int x;
     ...
     x = 38;
     ...
     func_a(x);
}

I would like to be told:

main()   x = 38;
func_a(x);
void func_a(int q);
func_a() z = q*2;

Above 4 lines determine value of z that I am about to send to func_b().

I have examined clang, gtags (with --idutils), and some others. I can not determine if this is something that is supported. Naturally main() and func_a() can be in different .c files and have lots of other lines unrelated to my variable of interest (its a large software system.)

Any hints appreciated.

Answer 1

I have a large software system written in C. I have all the sources. I am trying to find a tool that can help me determine (preferably via static analysis) the functions and line numbers that can set a variable that is of interest to me.

This problem is unsolvable. See Rice's theorem

The intuition is that if you have some automatic variable x, you could pass its address &x elsewhere, and arbitrarily. You'll have complex pointer aliasing.

However, you could consider using Frama-C (with manually added annotations in ACSL) or Clang static analyzers, and debuggers. Notice that GDB provide watchpoints.

If your C compiler is a recent GCC, you might code your own GCC plugin to help you (and analyze the GIMPLE representation of your program). Expect a few weeks or months of work. With old versions of GCC, the unmaintained GCC MELT (which I wrote) might be useful.