[cfe-dev] [analyzer] Documentation for ExprEngine?

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Thu Apr 12 19:08:55 PDT 2018

CoreEngine and ExprEngine are pretty much a single entity; CoreEngine 
manages the worklist, while ExprEngine is a huge switch (aka visitor) 
over different kinds of program points it finds in the worklist that 
knows what to do on each of them.

Initially the program point that corresponds to "before the first 
statement" location of the top-level function we want to analyze, paired 
with the initial program state, is added to the worklist. CoreEngine 
takes this worklist item and realizes that he needs ExprEngine's help to 
model the actual statement. ExprEngine takes the item, adjusts the state 
of the program according to the effects of the statement, and puts zero 
or more "after that statement" items to the worklist, paired with their 
respective updated program state. Then CoreEngine takes the new item, 
realizes that we're done with the respective statement, and looks up the 
CFG to see what the next statement (or a statementless CFGElement, such 
as a C++ automatic destructor call) is going to be. This goes on until 
the worklist is empty or we run out of budget and decide that the code 
is too complicated to analyze it further. The worklist itself is, since 
recently, a "priority stack" that puts unexplored statements in front of 
previously visited statements and works as a FIFO otherwise.

The above may be incorrect in detail, but that's the rough idea. I never 
really needed any deeper knowledge about that in years of working on the 
analyzer, so I'm kinda curious what sort of stuff you're trying to do.

In short, order of statements is controlled by the CFG, and you should 
be able to debug your problems by starting at 

On 4/12/18 5:37 PM, Brad S via cfe-dev wrote:
> Hello,
> I have been looking through the static analyzer source code in an 
> effort to better understand how it works and was wondering if there 
> are any good resources on understanding the ExprEngine.
> Specifically I am having some trouble understanding how statements 
> inside of functions/loops/etc. are added to the worklist.
> Thanks,
> Brad
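
The worklist loop described in the message above, as an added toy model in C++; it is not Clang code and not part of the original message. `Node`, `Item`, `evalStmt`, `analyze`, the single-variable state and the two-queue ordering are hypothetical simplifications of the real analyzer.

```cpp
// Added toy model of the CoreEngine/ExprEngine split; not Clang code, all names hypothetical.
#include <cstdio>
#include <deque>
#include <set>
#include <vector>

enum Kind { Set0, Set1, Input, Div };              // x = 0; x = 1; x = input(); y = 1 / x
struct Node { Kind kind; std::vector<int> succ; }; // toy CFG: one statement per node
enum X { Zero, NonZero };                          // toy program state: what is known about x
struct Item { int node; bool after; X x; };        // program point paired with a state
struct Result { int steps = 0; std::vector<int> bugs; bool finished = true; };

// "ExprEngine" role: model one statement, return zero or more post-statement states.
std::vector<X> evalStmt(const Node &n, int id, X in, Result &r) {
  switch (n.kind) {
  case Set0: return {Zero};
  case Set1: return {NonZero};
  case Input: return {Zero, NonZero};              // unknown value: the state splits in two
  case Div:
    if (in == Zero) { r.bugs.push_back(id); return {}; } // sink: no successor items
    return {in};
  }
  return {};
}

// "CoreEngine" role: owns the worklist and asks the CFG what comes next.
Result analyze(const std::vector<Node> &cfg, int budget) {
  Result r;
  std::deque<Item> fresh, seen;                    // simplified stand-in for the priority order
  std::set<int> visited;
  fresh.push_back({0, false, NonZero});            // "before the first statement" + initial state
  while (!fresh.empty() || !seen.empty()) {
    if (r.steps == budget) { r.finished = false; break; }  // out of budget: give up
    std::deque<Item> &q = fresh.empty() ? seen : fresh;
    Item it = q.front(); q.pop_front();
    if (!it.after) {                               // pre-statement point: delegate to evalStmt
      ++r.steps; visited.insert(it.node);
      for (X out : evalStmt(cfg[it.node], it.node, it.x, r)) fresh.push_back({it.node, true, out});
    } else {                                       // post-statement point: consult the CFG
      for (int s : cfg[it.node].succ)
        (visited.count(s) ? seen : fresh).push_back({s, false, it.x});
    }
  }
  return r;
}

int main() {
  Result r = analyze({{Input, {1}}, {Div, {2}}, {Set1, {}}}, 100);
  std::printf("steps=%d bugs=%zu finished=%d\n", r.steps, r.bugs.size(), (int)r.finished);
}
```

On the three-statement CFG in `main`, the `Input` statement yields two post-statement items, the `Zero` path ends at the division with no successors, and the `NonZero` path runs to the end of the CFG.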
