On Fri, 2026-03-06 at 23:32 +0530, Saksham Gupta via Gcc wrote: > Hi everyone, > > My name is Saksham Gupta, and I am a 3rd-year Computing Science & > Engineering student. I am writing to express my strong interest in > contributing to GCC for GSoC 2026, specifically under the project > "Extending the static analysis pass" to add checking for the CPython > API, > mentored by David Malcolm.
Hi Saksham Thanks for your interest in this project. By conincidence, I spent a large chunk of yesterday working on the CPython analyzer plugin (see bug 112520), where fixing a crash turned into a big cleanup of the plugin. So if you've looked at the existing CPython plugin code, it changed a *lot* yesterday (But hopefully it should be easier to read now!). > > I have a strong background in C++ and Python, alongside a deep > interest in > vulnerability analysis and cybersecurity. I have previously developed > risk > analysis models to detect systemic vulnerabilities, and extending > -fanalyzer to catch reference-counting bugs and memory leaks in C/C++ > Python extensions feels like a natural and exciting progression of > that > work. (nods) How familiar are you with the CPython extension API? With this project, you need to know about both GCC's insides *and* the insides of CPython. See the various links on the project wiki page: https://gcc.gnu.org/wiki/StaticAnalyzer/CPython (sorry, there wasn't a link to that on the SummerOfCode page; I've added it now) > > To prepare for this proposal, I have completed the prerequisites > outlined > in the "Before you apply" guide: > > - I have successfully checked out the GCC source. > - I built GCC locally from source natively on an Apple Silicon Mac > (using Iain Sandoe's gcc-darwin-arm64 branch, as I noted mainline > lacks > full native support). > - I have successfully run the testsuite. > - I've experimented with dumping the GIMPLE trees (-fdump-tree- > all) to > understand the intermediate representation flow. > - I have read through the "Analyzer Internals" and "Debugging the > Analyzer" documentation. Have you tried writing a CPython extension module in C by hand? (see the links on the above wiki page). > > Before I begin drafting my formal proposal, I would love to start > contributing code. Could anyone point me toward a "good first issue" > or a > relatively isolated bug in the gcc/analyzer/ directory that I could > attempt > to patch to familiarize myself with the workflow? A problem is that the easy bugs are fixed, and only hard bugs remain :( Have you tried making changes, and stepping through them in the debugger? See the "hello world" challenge here: https://gcc-newbies-guide.readthedocs.io/en/latest/getting-started.html (and indeed, see the other pages of that site) Have you tried stepping through the analyzer on a trivial buggy C file to get a feel for how it works. After that a possible starter project you could try is "teaching" the analyzer about a well-known function; see the kf.cc ("known functions") file in the source tree (e.g. something in the C standard library that isn't covered yet). > > Thank you for your time and for maintaining such an incredible > project. Thanks again for your interest; hope this is helpful; let me know if you have further questions. Dave
