<div dir="ltr">Hi!<div><br></div><div>The clang static analyzer does not give you any guarantees regarding the coverage/exhaustiveness. There is no way to ensure exhaustive analysis (such analysis is likely to be unbounded for most non-trivial programs, so this is not only about runtime, but also termination). For this reason all the checks have to be implemented with non-exhaustiveness in mind.</div><div><br></div><div>Could you share what you are trying to achieve? Maybe symbolic execution is not the right tool for that problem. </div><div><br></div><div>Cheers,</div><div>Gabor</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Jan 15, 2020 at 12:58 AM Fernandez, Matthew via cfe-dev <<a href="mailto:cfe-dev@lists.llvm.org">cfe-dev@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div class="gmail-m_-6218440364798232082WordSection1">
<p class="MsoNormal">Hello cfe-dev,<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">In prototyping a custom checker for the Clang Static Analyzer, I’ve found analysis terminates at some complexity limit. That is, when your target function exceeds some complexity bound, CSA stops path traversal and your checker does not
receive callbacks for any remaining unvisited nodes. The two specific scenarios where I’ve run into this are high-iteration-count loops and complex conditionals (multiple short circuiting && and || operators). The first I can work around by rephrasing the
target loops or something like -analyzer-max-loop, but I can’t find a way to affect the behavior of the second. To compound the situation, I cannot see how the checker can detect that path exploration was incomplete.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Is there a way to control the complexity limit enforced for conditionals? Or, failing that, to detect within the checker when path exploration was incomplete?<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">To give some more context, my checker is an experiment and not something I am intending to upstream. Runtime is not an issue; I am fine with the analyzer taking multiple hours for a single run. Though I understand why the existing CSA bound
choices have been made, as most users do not want their compiler to run for this long.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Please CC me in replies as I’m not subscribed.<u></u><u></u></p>
<p class="MsoNormal"><u></u> <u></u></p>
<p class="MsoNormal">Thanks,<u></u><u></u></p>
<p class="MsoNormal">Matthew<u></u><u></u></p>
</div>
</div>
_______________________________________________<br>
cfe-dev mailing list<br>
<a href="mailto:cfe-dev@lists.llvm.org" target="_blank">cfe-dev@lists.llvm.org</a><br>
<a href="https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev" rel="noreferrer" target="_blank">https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev</a><br>
</blockquote></div>