<html><head><meta http-equiv="Content-Type" content="text/html charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">Hi Pengfei,<div class=""><br class=""></div><div class=""><div><blockquote type="cite" class=""><div class="">On Dec 11, 2015, at 2:18 AM, Pengfei Wang via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org" class="">cfe-dev@lists.llvm.org</a>> wrote:</div><div class=""><div dir="ltr" class=""><p class="">I am writing a taint tracking checker of clang static analyzer, and currently I need to do something when a branch is finished being analyzed. Aka I need to know when the symbolic execution reaches the end of an If code block or Else code block.</p></div></div></blockquote><div>The static analyzer doesn’t generate pre/post-statement callbacks for control flow statements, so I don’t think there is a way for a checker to be notified when an IfStmt is finished being analyzed.</div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><p class=""> I have tried the CompoundStmt, but it didn't work in the callback function CheckPostStmt<CompoundStmt>, and neither did the BlockExpr work.</p></div></div></blockquote><div>The analyzer *does* call post-statement callbacks for BlockExprs (see, for example, MallocChecker.cpp) — but this probably isn’t what you want because BlockExprs are for a C extension supporting closures (<<a href="http://clang.llvm.org/docs/BlockLanguageSpec.html" class="">http://clang.llvm.org/docs/BlockLanguageSpec.html</a>>).</div><blockquote type="cite" class=""><div class=""><div dir="ltr" class=""><p class=""><span class="">It seems that the control flow stmt can only be analyzed in a path-insensitive way, such as using the ASTDecl and ASTCodeBody callbacks. Can I handle the IfStmt or ForStmt in a path-sensitive way to achieve this goal? Thank you!</span></p></div></div></blockquote>The analyzer is path-sensitive and *does* take control flow statements into account during analysis as it explores potential paths through the program. Because the key unit of analysis is the *path* through the program it is typically unnecessary for a checker to be aware of when program execution finishes an IfStmt.</div><div><br class=""></div><div>For example, in:</div><div><br class=""></div><div> 1 b = 2;</div><div> 2 if (a > 1) {</div><div> 3 b = a;</div><div> 4 }<br class=""><div> 5 // <— Analyzer symbolically executes this program point twice.</div><div><br class=""></div><div>The analyzer will check two paths that reach line 5: one where the analyzer knows a > 1 and b == a and one where the it knows a <= 1and b == 2. The analyzer examines each of these paths independently so it is not usually necessary for a checker to be aware of of when the IfStmt ends. This is because any facts about symbolic values assumed on the path when the analyzer takes the ‘then’ branch of the if statement continue to hold even after the IfStmt is finished. Because of this per-path- rather the per-program-point view, knowing when an IfStmt is finished is not typically useful to checkers. Are you sure that your taint tracker really needs to get post-statement callbacks for control flow?</div><div><br class=""></div><div>Devin</div><div><br class=""></div></div></div></body></html>