<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-text-flowed" style="font-family: -moz-fixed;
font-size: 12px;" lang="x-western">Hello Arthur,
<br>
<br>
There are some options that may be set using '-analyzer-config'
option. Example: -analyzer-config max-nodes=100000
<br>
1. max-nodes - maximal number of nodes of exploded graph that may
be analyzed for a top-level function. That does not limit number
of nodes that may be enqueued to worklist. 150000 by default.
<br>
2. mode - user analysis modes. Values: 'shallow' (set default
max-nodes to 75000) and 'deep' (default). Seems like you already
tried to set it somehow.
<br>
3. ipa-always-inline-size - set limit number of CFGBlocks in
functions that analyzer thinks as "small".
<br>
There are some other options. You may use debug.ConfigDumper
checker to view your default analysis options (or options you
set). You can take a look on test/Analysis/analyzer-config.c of
clang source tree (<a class="moz-txt-link-freetext"
href="https://github.com/llvm-mirror/clang/blob/master/test/Analysis/analyzer-config.cpp">https://github.com/llvm-mirror/clang/blob/master/test/Analysis/analyzer-config.cpp</a>)
to see them and their default values. You can also take a look on
AnalyzerOptions class of clang (<a class="moz-txt-link-freetext"
href="http://clang.llvm.org/doxygen/classclang_1_1AnalyzerOptions.html">http://clang.llvm.org/doxygen/classclang_1_1AnalyzerOptions.html</a>).
<br>
<br>
But could you clarify your question?
<br>
<br>
1. IPA mode is not IPA_NotSet by default. IPA_NotSet is only an
internal flag pointing user didn't specify any option and some
default value should be used. You can take a look into
AnalyzerOptions::getIPAMode() method. If IPA options were not
specified, CSA uses IPAK_DynamicDispatchBifurcate option by
default so your changes in IPA_Mode should not change anything (or
make even worse).
<br>
<br>
2. If you attach your file, we can understand more things about
your case.
<br>
<br>
3. There is no so much for memory limit but for time limit. CSA
doesn't use summary approach currently, it inlines a function or
loop iteration every time it is met. It can lead to slow analysis
so CSA limits loop inlining and function inlining as well as
number of ExplodedNodes analyzed to finish analysis in a
reasonable time. Number of nodes analyzed per function is limited
but number of nodes enqueued is not so there may be interesting
cases. Take a look on external/qemu/target-mips/translate.c file
from Android source tree: its analysis with CSA made 96 Gb server
swapping. But most files you'll analyze will not consume over 300
Mb with default analyzer options.
<br>
<br>
4. The fact that function evaluation is happens twice is strange.
How did you check this? Maybe it was analyzed multiple time as a
separate function and as a callee of other functions? Again,
attaching a test case may help.
<br>
<br>
5. Are there problems with analysis correctness that forced you to
find additional options? Can you explain what do you want to get
with these options?
<br>
<br>
<blockquote type="cite" style="color: #000000;">Hi all,
<br>
<br>
I find that Clang Static Analyzer can support Inter-Procedural
Analysis
<br>
(IPA) in one single TranslationUnit. But I was confused by its
IPA's result
<br>
for my testcase (C program) with the default arguments and
configuration of
<br>
Static Analyzer. For example, one function was called again in
the middle
<br>
of its evaluation. And the function itself is not a recursive
function.
<br>
My testcase contains three functions in one single file. And
there are some
<br>
loops in two of functions. There is no any recursive function in
my
<br>
testcase.
<br>
<br>
I guess the default analysis-related arguments/configuration
will guarantee
<br>
that the Static Analyzer will archieve precise analysis results,
in the
<br>
meanwhile it will also guarantee an appropriate memory space
utilization.
<br>
<br>
However, for my testcase, I feel that the default configuration
spent too
<br>
much attention on the memory aspect, so that it scarificed the
integrity of
<br>
the analysis. In this way, the result of the IPA evaluation
confused me. My
<br>
test machine has 32GB RAM. So for the primary tests current, I
paid more
<br>
attention on the correctness of my checker than the low memory
utilization.
<br>
So I began to search the arguments of Static Analyzer, which
may/will limit
<br>
the scale of the evaluation. I tuned the values of
analyzer_max_loop and
<br>
analyzer_inline_max_stack_depth with bigger number values. And I
also set
<br>
UserMode from UMK_NotSet to UMK_Deep, and set IPAMode from
IPAK_NotSet to
<br>
IPAK_Inlining. However, it seems that it doesn't work and the
results still
<br>
cunfused me.
<br>
<br>
Now I'm wondering that whether there is any other argument that
will
<br>
limit/modify the function's evaluation according to scale or the
number of
<br>
the ExplodedNodes of the function.
<br>
<br>
What's more, are there any other arguments I can tune, which can
<br>
loose/relax the limitations of the Static Analyzer, so that it
can archieve
<br>
more precise analysis results, in spite of the fact that it may
<br>
protentially lead to more memory occupation? If there are, where
and what
<br>
are they?
<br>
<br>
Thanks a lot.
<br>
<br>
</blockquote>
<div class="moz-txt-sig"><span class="moz-txt-tag">-- <br>
</span>Best regards,
<br>
Aleksei Sidorin
<br>
Software Engineer,
<br>
IMSWL-IMCG, SRR, Samsung Electronics
<br>
<br>
</div>
</div>
</body>
</html>