[cfe-dev] [analyzer] Bug post-processing questions

Réka Nikolett Kovács via cfe-dev cfe-dev at lists.llvm.org
Mon Mar 5 10:44:00 PST 2018


Hi,

I'd love to ask for some help to understand how bug post-processing could
fit into the analyzer's pipeline.

My current rough understanding is that an ExplodedGraph is built for each
top-level function (including other functions reachable from it). During
analysis, reports (grouped into equivalence classes) are collected in the
ExprEngine's BugReporter's EQClassesVector, and flushed after the
construction is finished. Flushing includes selecting a 'representative'
report from each class to generate a PathDiagnostic from, which is
influenced by visitors and such. After some post-processing (pruning,
filtering), diagnostics to display are collected into
PathDiagnosticConsumer's Diags set, and actually printed in some form in
the end. As I see it now, this whole process is repeated for the next
untouched top-level function in the CallGraph.

I was thinking about whether the whole ExplodedGraph needs to be re-built
if we want to post-process bugs that occurred in its realm. After looking at the
EGs of some code snippets analyzed using the default solver and then Z3, it
seems to me that constraints, but also environment and store contents are
changing, so one guess would be a yes. But again, completely re-building
EGs might not be far in slow-down from analyzing with Z3 from the
beginning, depending on what portion of the code is buggy. So one could
work with the information already present in the graph (this might need
telling the analyzer core not to throw away stuff it does not understand
when the false positive refutation option is turned on, if such a thing
happens?), and re-evaluate those, perhaps around the time we call
FindReportInEquivalenceClass().

But I might be on a completely wrong track, so I'd love to hear your
thoughts about it :)

Thanks,
Réka