[analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev

Hi, community!


A quick question.


Is CSA Core able to analyze the code after some indefinite loop?

E.g.

void f(int x)
{
  int i = 0;
  while(i < x)
    i++;
  // Interested in some code here!!
}


I found that the exploded graph grows going through the loop 4 times and then stops analyzing the code further.

P.S. I know about -analyzer-max-loop(4).


Denys Petrov
Senior С++ Developer | Kharkiv, Ukraine


_______________________________________________
cfe-dev mailing list
[hidden email]
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Re: [analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev
Here's how you can find this out with the help of ExprInspection:


$ cat test.c

int f(int x, int flag)
{
  int i = 0;
  while(i < x)
    i++;

  clang_analyzer_warnIfReached();
}


$ clang --analyze -Xclang -analyzer-checker=debug.ExprInspection test.c

test.c:7:3: warning: REACHABLE [debug.ExprInspection]
  clang_analyzer_warnIfReached();
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1 warning generated.


Here's a slightly more interesting experiment:


$ cat test.c

int f(int x, int flag)
{
  int i = 0;
  while(i < x)
    i++;

  if (flag) {
    clang_analyzer_warnIfReached();
    clang_analyzer_numTimesReached();
    return i;
  } else {
    clang_analyzer_warnIfReached();
    clang_analyzer_numTimesReached();
    return 0;
  }
}


$ clang --analyze -Xclang -analyzer-checker=debug.ExprInspection test.c

test.c:8:5: warning: REACHABLE [debug.ExprInspection]
    clang_analyzer_warnIfReached();
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.c:9:5: warning: 4 [debug.ExprInspection]
    clang_analyzer_numTimesReached();
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.c:12:5: warning: REACHABLE [debug.ExprInspection]
    clang_analyzer_warnIfReached();
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
test.c:13:5: warning: 1 [debug.ExprInspection]
    clang_analyzer_numTimesReached();
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4 warnings generated.


Will you be able to figure out why one branch is reached 4 times while the other branch is reached only once? You can find all your answers in the exploded graph dump.


On 7/28/20 5:59 AM, Denis Petrov via cfe-dev wrote:

Re: [analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev

Thanks, Artem!


>You can find all your answers on the exploded graph dump.

Ok, I see. In this particular example the analyzer splits the exploded graph on every iteration, and the code below is reached in the case of the false branch. But what I am really interested in is reaching the code in the true branch.

The problem is that the core generates a sink node after it reaches the limit of loop iterations.

My better example:

void f1()
{
  int i = 0;
  while(i < 100)
    i++;
  // Interested in some code here!!
}

One more example:

void f2()
{
  int i = 0;
  while(true)
    i++;
  // Interested in some code here!!
}

As I understand, there is no way to do this, right?



Denys Petrov
Senior С++ Developer | Kharkiv, Ukraine


From: Artem Dergachev <[hidden email]>
Sent: July 28, 2020, 22:34
To: Denis Petrov; cfe-dev
Subject: Re: [cfe-dev] [analyzer] How to analyzer the code after an indefinite loop?
 

Re: [analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev

In addition to my previous letter. I'm very concerned that we may have no chance to analyze a big chunk of code in this case:

void clang_analyzer_warnIfReached();
int f()
{
  int i = 0;
  for(int i = 0; i < 100; i++){
    if(i > 10){
      clang_analyzer_warnIfReached();
      // a lot of code will never be analyzed
    }
  }
}

Why don't we analyze loop bodies as functions, just substitute a var `i` with symbols (or constraint ranges) after reaching the limits, instead of generating sinks?

Or are there already discussed plans for improvement somewhere?



Denys Petrov
Senior С++ Developer | Kharkiv, Ukraine


Re: [analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev
Hi!

There are two tools in the analyzer to help with these problems, but both are off by default as they would need some additional improvements and testing.

One is loop unrolling which (when turned on) will detect specific loop patterns and unroll them completely (instead of stopping after 4 iterations).
The other is loop widening which involves restarting the analysis after the loop. While this increases the coverage of the analysis it can also trigger additional false positives as a large portion of the state needs to be invalidated to restart the analysis. Making this invalidation less severe is one way to improve the situation.

Cheers,
Gabor

On Thu, 30 Jul 2020 at 14:32, Denis Petrov via cfe-dev <[hidden email]> wrote:

Re: [analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev
Gabor, thank you.

Well, as I see there's no way to do this without changes/improvements in the core for now.



Denys Petrov
Senior С++ Developer | Kharkiv, Ukraine


From: Gábor Horváth <[hidden email]>
Sent: July 30, 2020, 15:48
To: Denis Petrov
Cc: Artem Dergachev; cfe-dev
Subject: Re: [cfe-dev] [analyzer] How to analyzer the code after an indefinite loop?
 
Re: [analyzer] How to analyzer the code after an indefinite loop?

Keane, Erich via cfe-dev
Well, technically you can do this by changing some config values, but we have not turned these on by default yet. Mainly because we have yet to see strong evidence that the additional false positives are worth the gain in coverage.

On Fri, Jul 31, 2020, 6:26 PM Denis Petrov <[hidden email]> wrote:
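
The loop-handling settings discussed in this thread can be compared side by side with a small harness; this is an added example, not code from the thread or from the LLVM project. It assumes `clang` is on PATH and uses the analyzer options `unroll-loops`, `widen-loops` and `-analyzer-max-loop`; the function names, the probe file and the limit of 128 are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare analyzer reachability under different loop-handling modes.

# Print the clang arguments for one mode: default | unroll | widen | maxloop:N
analyzer_args() {
  base="--analyze -Xclang -analyzer-checker=debug.ExprInspection"
  case "$1" in
    default)   echo "$base" ;;
    unroll)    echo "$base -Xclang -analyzer-config -Xclang unroll-loops=true" ;;
    widen)     echo "$base -Xclang -analyzer-config -Xclang widen-loops=true" ;;
    maxloop:*) echo "$base -Xclang -analyzer-max-loop -Xclang ${1#maxloop:}" ;;
    *)         echo "unknown mode: $1" >&2; return 2 ;;
  esac
}

# Write a probe file built from the two loop shapes posted in the thread.
write_probe() {
  cat > "$1" <<'EOF'
void clang_analyzer_warnIfReached(void);

void after_loop(void)
{
  int i = 0;
  while (i < 100)
    i++;
  clang_analyzer_warnIfReached(); /* code after the loop */
}

void inside_loop(void)
{
  for (int i = 0; i < 100; i++) {
    if (i > 10)
      clang_analyzer_warnIfReached(); /* code behind a late iteration */
  }
}
EOF
}

# Count REACHABLE reports in analyzer output read from stdin (prints 0 if none).
count_reachable() {
  grep -c 'warning: REACHABLE' || true
}

# Analyze the probe once per mode and print how many markers were reached.
run_matrix() {
  command -v clang >/dev/null 2>&1 || { echo "clang not found, nothing run" >&2; return 0; }
  dir=$(mktemp -d) || return 1
  write_probe "$dir/probe.c"
  for mode in default unroll widen maxloop:128; do
    # $(analyzer_args ...) is left unquoted on purpose so it splits into arguments.
    n=$( (cd "$dir" && clang $(analyzer_args "$mode") probe.c 2>&1) | count_reachable )
    printf '%-12s REACHABLE reports: %s\n' "$mode" "$n"
  done
  rm -rf "$dir"
}

run_matrix
```

A marker that is reported in one mode but not in another shows which code the default loop limit leaves unanalyzed in that function.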