<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class=""><br class=""><div><blockquote type="cite" class=""><div class="">On Jan 6, 2015, at 6:32 AM, Christian Convey <<a href="mailto:christian.convey@gmail.com" class="">christian.convey@gmail.com</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">Hello,<br class=""><br class="">Is it the case that the clang static analyzer will perform<br class="">interprocedural analyses over exactly the set of paths shown in the<br class="">call graph?<br class=""><br class=""></div></blockquote><div><br class=""></div>No. The call graph is mainly used to guide the order of analysis. (We try to pick the order that entails least work for the analyzer.)</div><div><br class=""><blockquote type="cite" class=""><div class="">My overall goal is to figure out whether or not clang static analyzer<br class="">will apply checkers to execution paths which flow over indirect calls.<br class=""></div></blockquote><div><br class=""></div><div>This depends on whether the analyzer can track the value of the function pointer involved in the call. 
For example:</div><div><div>void f(int x) {</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>int y = 5/x;</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>y++;</div><div>}</div><div>void indirect_caller() {</div><div> void (*func)() = f;</div><div> func(0);</div><div>}</div><div><br class=""></div></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">$clang --analyze ~/tmp/ex.c</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><b class="">/Users/anna/tmp/ex.c:2:11: </b><span style="font-variant-ligatures: no-common-ligatures; color: #d53bd3" class=""><b class="">warning: </b></span><b class="">Division by zero</b></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""> int y = 5/x;</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">However, no warning is produced when func is a global variable because the analyzer does not track that assignment:</div><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class=""><br class=""></div><div style="margin: 0px;" class=""><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">void f(int x) {</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>int y = 5/x;</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class=""><span class="Apple-tab-span" style="white-space:pre"> </span>y++;</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">}</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">void (*func)() = 
f;</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">void indirect_caller() {</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class=""> func(0);</span></font></div><div style="margin: 0px;" class=""><font face="Menlo" class=""><span style="font-size: 11px;" class="">}</span></font></div><div style="margin: 0px;" class=""><div style="margin: 0px; font-size: 11px; font-family: Menlo;" class="">$clang --analyze ~/tmp/ex.c</div><div class=""><br class=""></div></div></div><blockquote type="cite" class=""><div class="">I came up with this test case:<br class=""><br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>void f() {<br class="">}<br class=""><br class="">void direct_caller() {<br class=""> f();<br class="">}<br class=""><br class=""><br class="">void indirect_caller() {<br class=""> void (*func)() = f;<br class=""> func();<br class="">}<br class=""><<<<<<<br class=""><br class="">And I got the following results:<br class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><blockquote type="cite" class=""><br class=""></blockquote></blockquote></blockquote></blockquote></blockquote></blockquote>/tmp $ clang -cc1 -I /usr/lib/llvm-3.4/lib/clang/3.4/include -I<br class="">/usr/include -I /usr/include/x86_64-linux-gnu -analyze<br class="">-analyzer-checker=debug.DumpCallGraph test.c<br class=""> --- Call graph Dump ---<br class=""> Function: < root > calls: f direct_caller indirect_caller<br class=""> Function: indirect_caller 
calls:<br class=""> Function: direct_caller calls: f<br class=""> Function: f calls:<br class=""><<<<<<<<br class=""><br class="">I'm trying to figure out if from this result, I can correctly infer<br class="">that the clang static analyzer would not perform interprocedural<br class="">analysis on the call string ("indirect_caller", "f").<br class=""><br class="">Thanks,<br class="">Christian<br class="">_______________________________________________<br class="">cfe-dev mailing list<br class=""><a href="mailto:cfe-dev@cs.uiuc.edu" class="">cfe-dev@cs.uiuc.edu</a><br class="">http://lists.cs.uiuc.edu/mailman/listinfo/cfe-dev<br class=""></div></blockquote></div><br class=""></body></html>
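<div>The behaviour described in the reply above, as a single added probe file (not code from the original thread): the direct call, the local function pointer and the global function pointer sit side by side so that one run of the analyzer shows which indirect calls it resolves. Names such as probe.c, divide_five_by and divider_fn are assumptions; the expected "Division by zero" warnings for the direct and local-pointer cases, and none for the global case, follow from the explanation given in the reply.</div>

```c
/* Added example, not from the original thread.  One probe file with the cases
 * discussed above side by side.  Analyze it with:
 *     clang --analyze probe.c
 * Expected (assumption based on the reply): a "Division by zero" warning from
 * the core.DivideZero checker for direct_caller and local_pointer_caller, and
 * no warning for global_pointer_caller. */
#include <stdio.h>

/* The callee under test: 5/x is what the analyzer reports once it can prove
 * x == 0 on the path it is exploring.  Returning the quotient keeps the value
 * live without the original's throwaway y++. */
static int divide_five_by(int x) {
    return 5 / x;
}

/* Function-pointer type that matches the callee's prototype, so the indirect
 * calls below are well-typed (the original used an unprototyped void (*)()). */
typedef int (*divider_fn)(int);

/* Case 1: direct call.  The analyzer inlines the callee and sees 5/0. */
int direct_caller(void) {
    return divide_five_by(0);
}

/* Case 2: local function pointer.  The assignment happens on the analyzed
 * path, so the analyzer knows the pointer's value, resolves the indirect call
 * and reports the division by zero. */
int local_pointer_caller(void) {
    divider_fn func = divide_five_by;
    return func(0);
}

/* Case 3: global function pointer initialised at file scope.  The analyzer
 * does not track the global's value, so the call target is unknown to it and
 * nothing is reported, exactly as in the reply above.  A source-level call
 * graph (debug.DumpCallGraph) likewise lists no callee for this function. */
divider_fn global_func = divide_five_by;

int global_pointer_caller(void) {
    return global_func(0);
}

/* Entry point so the file also runs normally; the zero-argument callers are
 * deliberately not invoked, since at runtime they would really divide by 0. */
int main(void) {
    printf("5/5 = %d\n", divide_five_by(5));
    return 0;
}
```

<div>Running the analyzer rather than the binary is the point: the functions that would fault at runtime are never called from main, so the same file compiles and runs cleanly while `clang --analyze probe.c` reports on the paths the checker can actually follow.</div>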