[cfe-dev] [analyzer] Simple Example produces an inconsistent result

Yury Gribov via cfe-dev cfe-dev at lists.llvm.org
Tue Nov 3 00:22:29 PST 2015


On 11/03/2015 11:18 AM, Aleksei Sidorin via cfe-dev wrote:
> Hello Scott,
>
> You have touched a very sensitive moment.
>
> TL;DR: The reason the warning does not appear is that a function is not
> analyzed out of context if it was inlined before. Functions are analyzed
> in topological order. In your case, inlining of 'foo' does not touch the
> (len < 10 == true) branch, so it will never be analyzed.
>
> But, more thoroughly, CSA has some issues with topological sorting.
> First, it is not clear if topological sorting is really required since
> it throws some possible execution paths away (as in Scott's example).
> Second, it does not work as expected because of some call graph issues
> (I made some attempts to resolve them and hope to contribute these
> patches).
>
> However, the assumption that a function is analyzed only in given contexts
> can reduce the amount of false positives.
>
> In our opinion, we should analyze all the functions and skip
> out-of-context analysis of functions that are:
> 1. not externally visible or
> 2. private class members.

+1, currently we lose lots of interesting paths, e.g. for shared libs.

-Y
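A constructed reconstruction of the pattern the quoted message describes, added here as an example; Scott's original code is not in this thread, only the name 'foo' and the (len < 10) branch are, so the caller `bar`, the buffer and the defect placed on that branch are assumptions.

```c
/* Constructed example (not Scott's original code): a static helper whose
 * (len < 10) branch is never exercised by its only caller. */
#include <stddef.h>
#include <stdlib.h>

static int foo(const int *buf, size_t len) {
    int *p = NULL;
    if (len < 10) {
        /* The defect lives on this branch: p is still NULL here, so this
         * dereference would be reported by a checker that explores it. */
        return *p;
    }
    return buf[0] + buf[len - 1];
}

int bar(void) {
    int data[16] = {0};
    data[15] = 7;
    /* The only call site passes len == 16. When the analyzer inlines foo()
     * into bar() it follows just the (len >= 10) path; because foo() has
     * already been inlined it is not analyzed again out of context, so the
     * (len < 10) branch, and the NULL dereference on it, is never visited.
     * foo() is also not externally visible, which is exactly case 1 of the
     * proposal above: skipping it out of context costs no real coverage
     * only if every caller is in this translation unit. */
    return foo(data, sizeof data / sizeof data[0]);
}
```

Running `clang --analyze` on the file shows whether a given analyzer version reports the dereference on the never-inlined branch.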
