[cfe-dev] Clang Static Analyzer execution path for loop

Arthur Yoo phjy007 at gmail.com
Wed Apr 10 06:48:56 PDT 2013


Hi Anna,

Thank you and Jordan for your replies answering my questions. Now I can
understand the execution path sequence of ex3. However, it seems that I have
run into another problem with the loop execution path.

Here is my test code ex4:

   1 void func(int arg) {
   2     int v;
   3     v = 0;
   4     int i;
   5     for(int i = 0; i < arg; i++) {
   6         v = v + 1;
   7     }
   8
   9     if(arg < 0) {
  10         v = 5566;
  11     }
  12
  13     int c;
  14     c = v;
  15 }

The corresponding CFG of ex4 is
http://ww3.sinaimg.cn/large/a74ecc4cjw1e3kuhrthqij.jpg

With the analyzer, I get its execution path sequence:
B7-B6-B3-B1-B2-B1-B5-B4-B6-B3-B1-B5-B4-B6-B3-B1-B5-B4-B6-B3-B1-B5-B4. It
shows that the analyzer traces all possible paths in its CFG since arg (in
line 5) is a symbolic value. The analyzer has no idea whether arg is
greater than zero.

Then I replaced the arg in line 5 with a concrete number (say 64, actually
any number which is greater than three).

for(int i = 0; i < arg; i++) --> for(int i = 0; i < 64; i++)

Then the analyzer gave me the following execution path sequence:
B7-B6-B5-B4-B6-B5-B4-B6-B5-B4-B6-B5-B4.

It is right that the loop has been executed four times, but it seems
that the analyzer didn't cover all possible paths. In other words, it means
that the analyzer didn't analyze the range from line 9 to line 14 in ex4's
source code. I can't find the corresponding CFG blocks which represent the
part of the source code from line 9 to line 14 of ex4 in this execution path
sequence.

In addition, I did another four tests. In these four tests, I replaced the
loop condition with 0, 1, 2 and 3 respectively. The corresponding
execution path sequences are below.

for(int i = 0; i < 3; i++): B7-B6-B5-B4-B6-B5-B4-B6-B5-B4-B6-B3-B1-B2-B1

for(int i = 0; i < 2; i++): B7-B6-B5-B4-B6-B5-B4-B6-B3-B1-B2-B1

for(int i = 0; i < 1; i++): B7-B6-B5-B4-B6-B3-B1-B2-B1

for(int i = 0; i < 0; i++): B7-B6-B3-B1-B2-B1

From these four execution path sequences above, I can conclude
that for these four cases, the analyzer analyzed the whole ex4 source code
and traced all possible paths in ex4.

So I don't know why the analyzer didn't analyze the range from line 9 to
line 14 in ex4's source code when the number of loop iterations is greater
than or equal to 4.


Best regards,
Arthur Yoo