[cfe-dev] Clang Static Analyzer execution path for loop
Anna Zaks
ganna at apple.com
Wed Apr 10 10:24:51 PDT 2013
Arthur,
You are seeing the behavior I've described in the previous reply. When the analyzer knows that the loop will be executed more than 4 times (or whatever the loop unrolling bound is), it is NOT going to continue exploring the path after unrolling the loop 4 times. In order to continue exploring, it needs to simulate/approximate the remaining iterations. Simulating the remaining iterations is a feature that the analyzer does not currently have.
When we don't know that the loop has to execute at least 4 times, the rest of the function will be explored. In particular, we would explore a path on which exactly one iteration of the loop is executed followed by the lines 8-15.
Anna.
On Apr 10, 2013, at 6:48 AM, Arthur Yoo <phjy007 at gmail.com> wrote:
> Hi Anna,
>
> Thank you and Jordan for your reply to answer my questions. Now I can understand the execution path sequence of ex3. However, it seems that I met another problem with loop execution path.
>
> Here is my test code ex4:
>
>  1 void func(int arg) {
>  2     int v;
>  3     v = 0;
>  4     int i;
>  5     for(int i = 0; i < arg; i++) {
>  6         v = v + 1;
>  7     }
>  8
>  9     if(arg < 0) {
> 10         v = 5566;
> 11     }
> 12
> 13     int c;
> 14     c = v;
> 15 }
>
> The corresponding CFG of ex4 is http://ww3.sinaimg.cn/large/a74ecc4cjw1e3kuhrthqij.jpg
>
> With the analyzer, I get its execution path sequence: B7-B6-B3-B1-B2-B1-B5-B4-B6-B3-B1-B5-B4-B6-B3-B1-B5-B4-B6-B3-B1-B5-B4. It shows that the analyzer traces all possible paths in its CFG since arg (in line 5) is a symbolic value. The analyzer has no idea about whether arg is greater than zero.
>
> Then I replaced the arg in line 5 with a concrete number (say 64, actually any number which is greater than three).
>
> for(int i = 0; i < arg; i++) --> for(int i = 0; i < 64; i++)
>
> Then the analyzer gave me the following execution path sequence: B7-B6-B5-B4-B6-B5-B4-B6-B5-B4-B6-B5-B4.
>
> It is right that the loop has been executed four times, but it seems that the analyzer didn't cover all possible paths. In other words, it means that the analyzer didn't analyze the range from line 9 to line 14 in ex4's source code. I can't find the corresponding CFG blocks which represent the part of source code from line 9 to line 14 of ex4 in this execution path sequence.
>
> In addition, I did another four tests. In these four tests, I replaced the loop condition with 0, 1, 2 and 3 in turn. The corresponding execution path sequences are below.
>
> for(int i = 0; i < 3; i++): B7-B6-B5-B4-B6-B5-B4-B6-B5-B4-B6-B3-B1-B2-B1
>
> for(int i = 0; i < 2; i++): B7-B6-B5-B4-B6-B5-B4-B6-B3-B1-B2-B1
>
> for(int i = 0; i < 1; i++): B7-B6-B5-B4-B6-B3-B1-B2-B1
>
> for(int i = 0; i < 0; i++): B7-B6-B3-B1-B2-B1
>
> With these four execution path sequences above, I can get the conclusion that for these four cases, the analyzer analyzed the whole ex4 source code and traced all possible paths in ex4.
>
> So I don't know why the analyzer didn't analyze the range from line 9 to line 14 in ex4's source code when the loop count is greater than or equal to 4?
>
>
>
> Best regards,
> Arthur Yoo
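
Added example, not part of either message and not Clang code: a toy Python model of the exploration described above, showing how a per-path visit cap of 4 on the loop-condition block yields the quoted traces and why lines 9-14 are never reached when the bound is a constant of 4 or more. The roles assigned to blocks B1-B7 are assumptions inferred from the traces, since the CFG image is not reproduced here; the depth-first, false-edge-first order is likewise an assumption chosen to match them.

```python
# Toy model of the exploration described in this thread; NOT Clang source.
# Assumed block roles, inferred from the quoted traces: B7 entry, B6 loop
# condition, B5 loop body, B4 i++, B3 `if (arg < 0)`, B2 `v = 5566`, B1 `c = v`.
MAX_VISITS = 4  # per-path visit cap on a block (the unrolling bound above)
INF = float("inf")

def explore(bound=None):
    """Block trace for ex4. bound=None models `i < arg` with arg symbolic."""
    trace = []
    # State: (block, i, lo, hi, b6_visits); [lo, hi] is the range known for arg.
    stack = [("B7", 0, -INF, INF, 0)]
    while stack:
        block, i, lo, hi, seen = stack.pop()
        if block == "B6":
            if seen == MAX_VISITS:
                continue  # cap reached: path dropped, its continuation is never seen
            seen += 1
        trace.append(block)
        if block == "B7":
            succ = [("B6", i, lo, hi)]
        elif block == "B6" and bound is None:
            # true edge learns arg > i, false edge learns arg <= i
            succ = [("B5", i, max(lo, i + 1), hi), ("B3", i, lo, min(hi, i))]
        elif block == "B6":
            succ = [("B5" if i < bound else "B3", i, lo, hi)]
        elif block == "B5":
            succ = [("B4", i, lo, hi)]
        elif block == "B4":
            succ = [("B6", i + 1, lo, hi)]
        elif block == "B3":
            succ = [("B2", i, lo, min(hi, -1)), ("B1", i, max(lo, 0), hi)]
        elif block == "B2":
            succ = [("B1", i, lo, hi)]
        else:
            succ = []  # B1 falls through to the exit block
        # Push the true edge first so the false edge is explored first (DFS),
        # and skip edges whose constraint on arg is unsatisfiable.
        for nxt, ni, nlo, nhi in succ:
            if nlo <= nhi:
                stack.append((nxt, ni, nlo, nhi, seen))
    return "-".join(trace)

if __name__ == "__main__":
    for b in (None, 0, 1, 2, 3, 64):
        print("i < arg" if b is None else f"i < {b}", explore(b))
```

A defect placed on lines 9-14 would sit on a path this model drops for any constant bound of 4 or more, which is the coverage gap the reply describes.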