path traversal on ExplodedGraph of clang static analyzer

path traversal on ExplodedGraph of clang static analyzer

Hans Wennborg via cfe-dev
Hi all,

I implemented a simple checker on the static analysis framework.
However, I don’t quite understand how the underlying analyzer behaves, especially
it traverses in a strange way on ExplodedGraph.

In checkEndAnalysis, my program just visits (DFS) and prints source code locations.
Here is an example:

     1  int main(int argc, char** argv){
     2    if(argc>10){
     3      int x = 1;
     4      int y = 2;
     5      int z = 3;
     6    }
     7
     8    int a = 1;
     9    int b = 2;
    10    return 0;
    11  }

The output is sequences of line numbers. I have two paths here.
[2-8-9-5-8-9] and [2-8-9]
The latter one makes sense but why does it produce the first one? line 9 to 5?

Is there any document for the internal behavior of Clang Static Analyzer?

Thanks,
Kihong
_______________________________________________
cfe-dev mailing list
[hidden email]
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
Re: path traversal on ExplodedGraph of clang static analyzer

Hans Wennborg via cfe-dev
If you want to see the final analysis graph, you can dump it into
graphviz via -analyzer-checker debug.ViewExplodedGraph (or
-analyzer-viz-egraph-graphviz, which is the same thing). A debug build
is required for that. See also
http://clang-analyzer.llvm.org/checker_dev_manual.html#visualizing

I'm not sure if your dumps are correct, they look strange indeed, and
they don't quite correspond to what I see in the actual exploded graph.

You should rarely rely on the analysis order in your checkers though;
you should keep information in the program state instead, and keep your
checker object stateless, as in
http://clang-analyzer.llvm.org/checker_dev_manual.html#events_callbacks

There's also my old workbook at
https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf 
that captures the current (mildly outdated but overall actual) state of
things.


On 22/02/2018 9:52 PM, Kihong Heo via cfe-dev wrote:

> Hi all,
>
> I implemented a simple checker on the static analysis framework.
> However, I don’t quite understand how the underlying analyzer behaves, especially
> it traverses in a strange way on ExplodedGraph.
>
> In checkEndAnalysis, my program just visits (DFS) and prints source code locations.
> Here is an example:
>
>       1  int main(int argc, char** argv){
>       2    if(argc>10){
>       3      int x = 1;
>       4      int y = 2;
>       5      int z = 3;
>       6    }
>       7
>       8    int a = 1;
>       9    int b = 2;
>      10    return 0;
>      11  }
>
> The output is sequences of line numbers. I have two paths here.
> [2-8-9-5-8-9] and [2-8-9]
> The latter one makes sense but why does it produce the first one? line 9 to 5?
>
> Is there any document for the internal behavior of Clang Static Analyzer?
>
> Thanks,
> Kihong
> _______________________________________________
> cfe-dev mailing list
> [hidden email]
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

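The advice in the reply above (keep information in the program state, keep the checker object stateless, do not rely on analysis order) can be seen in a small stand-alone model. This is an added example, not code from the thread or from Clang: the graph is constructed from the sample program, and `Succ`, `isDecl`, `Item` and `explore` are hypothetical names that use no analyzer API.

```cpp
#include <cstdio>
#include <deque>
#include <map>
#include <set>
#include <vector>

// Constructed control flow of the sample program (keys and values are source
// lines). This is a model, not a dump of the analyzer's ExplodedGraph.
static const std::map<int, std::vector<int>> Succ = {
    {2, {3, 8}}, {3, {4}}, {4, {5}}, {5, {8}}, {8, {9}}, {9, {10}}, {10, {}}};
static bool isDecl(int Line) { return Line != 2 && Line != 10; }

struct Item { int Line; int DeclsOnPath; };  // node = program point + state

// Explore every path; LIFO gives depth-first order, FIFO breadth-first.
// Returns the declaration counts observed at "return 0;" (line 10).
// Stateful: one mutable counter shared by all paths, like a checker field.
// Otherwise: the count travels with the node, like data in the program state.
std::multiset<int> explore(bool Lifo, bool Stateful) {
  std::multiset<int> AtReturn;
  int Member = 0;
  std::deque<Item> Work;
  Work.push_back({2, 0});
  while (!Work.empty()) {
    Item Cur = Lifo ? Work.back() : Work.front();
    if (Lifo) Work.pop_back(); else Work.pop_front();
    int Count = Cur.DeclsOnPath;
    if (isDecl(Cur.Line)) { ++Count; ++Member; }
    if (Cur.Line == 10) AtReturn.insert(Stateful ? Member : Count);
    for (int Next : Succ.at(Cur.Line)) Work.push_back({Next, Count});
  }
  return AtReturn;
}

int main() {
  for (bool Stateful : {false, true})
    for (bool Lifo : {true, false}) {
      std::printf("%s, %s:", Stateful ? "checker field" : "path state",
                  Lifo ? "DFS" : "BFS");
      for (int N : explore(Lifo, Stateful)) std::printf(" %d", N);
      std::printf("\n");
    }
}
```

With the count carried per path, both exploration orders report 2 and 5 declarations at the return; with the shared counter, the reported values change with the order and match neither path.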