[cfe-dev] Clang Static Analyzer execution path for loop

Anna Zaks ganna at apple.com
Wed Apr 10 10:24:51 PDT 2013


Arthur, 

You are seeing the behavior I've described in the previous reply. When the analyzer knows that the loop will be executed more than 4 times (or whatever the loop unrolling bound is), it is NOT going to continue exploring the path after unrolling the loop 4 times. In order to continue exploring, it needs to simulate/approximate the remaining iterations. Simulating the remaining iterations is a feature that the analyzer does not currently have.

When we don't know that the loop has to execute at least 4 times, the rest of the function will be explored. In particular, we would explore a path on which exactly one iteration of the loop is executed, followed by lines 8-15.

Anna.

On Apr 10, 2013, at 6:48 AM, Arthur Yoo <phjy007 at gmail.com> wrote:

> Hi Anna, 
> 
> Thank you and Jordan for your replies answering my questions. Now I can understand the execution path sequence of ex3. However, it seems that I have run into another problem with the loop execution path.
> 
> Here is my test code ex4:
> 
>   1 void func(int arg) {
>   2     int v;
>   3     v = 0;
>   4     int i;
>   5     for(int i = 0; i < arg; i++) {
>   6         v = v + 1;
>   7     }
>   8 
>   9     if(arg < 0) {
>  10         v = 5566;
>  11     }
>  12 
>  13     int c;
>  14     c = v;
>  15 }
> 
> The corresponding CFG of ex4 is http://ww3.sinaimg.cn/large/a74ecc4cjw1e3kuhrthqij.jpg
> 
> With the analyzer, I get its execution path sequence: B7-B6-B3-B1-B2-B1-B5-B4-B6-B3-B1-B5-B4-B6-B3-B1-B5-B4-B6-B3-B1-B5-B4. It shows that the analyzer traces all possible paths in its CFG since arg (in line 5) is a symbolic value. The analyzer has no idea whether arg is greater than zero.
> 
> Then I replaced the arg in line 5 with a concrete number (say 64, actually any number which is greater than three).
> 
> for(int i = 0; i < arg; i++) --> for(int i = 0; i < 64; i++)
> 
> Then the analyzer gave me the following execution path sequence: B7-B6-B5-B4-B6-B5-B4-B6-B5-B4-B6-B5-B4.
> 
> It is right that the loop has been executed four times, but it seems that the analyzer didn't cover all possible paths. In other words, it means that the analyzer didn't analyze the range from line 9 to line 14 in ex4's source code. I can't find the corresponding CFG blocks which represent the part of source code from line 9 to line 14 of ex4 in this execution path sequence.
> 
> In addition, I did another four tests. In these four tests, I replaced the loop condition with 0, 1, 2 and 3, one at a time. The corresponding execution path sequences are below.
> 
> for(int i = 0; i < 3; i++):   B7-B6-B5-B4-B6-B5-B4-B6-B5-B4-B6-B3-B1-B2-B1
> for(int i = 0; i < 2; i++):   B7-B6-B5-B4-B6-B5-B4-B6-B3-B1-B2-B1
> for(int i = 0; i < 1; i++):   B7-B6-B5-B4-B6-B3-B1-B2-B1
> for(int i = 0; i < 0; i++):   B7-B6-B3-B1-B2-B1
> 
> With these four execution path sequences above, I can conclude that for these four cases, the analyzer analyzed the whole ex4 source code and traced all possible paths in ex4.
> 
> So I don't know why the analyzer didn't analyze the range from line 9 to line 14 in ex4's source code when the loop count is greater than or equal to 4?
> 
> 
> 
> Best regards,
> Arthur Yoo
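
The behaviour discussed in this thread can be reproduced with a small model; the following is an added example, not code from the thread or from the Clang analyzer. It assumes a depth-first walk that takes the false branch first and drops a path when the loop-condition block would be visited more than 4 times on it; the block-to-statement mapping is inferred from the quoted traces, and `explore` and `code_after_loop_analyzed` are hypothetical names.

```python
import math

MAX_BLOCK_VISITS = 4  # the unrolling bound quoted in the thread


def explore(bound=None):
    """Return the block trace for ex4.

    bound=None models `i < arg` (symbolic); an int models `i < <constant>`.
    Assumed mapping: B7 init, B6 loop condition, B5 body, B4 i++,
    B3 `if (arg < 0)`, B2 `v = 5566`, B1 `c = v`.
    """
    trace = ["B7"]

    def after_loop(lo, hi):
        # [lo, hi] is the range of values arg may still take on this path.
        trace.append("B3")
        if hi >= 0:                      # false branch feasible (arg >= 0)
            trace.append("B1")
        if lo < 0:                       # true branch feasible (arg < 0)
            trace.extend(["B2", "B1"])

    def loop_head(i, lo, hi, visits):
        if visits == MAX_BLOCK_VISITS:   # B6 already seen 4 times: path dropped
            return
        trace.append("B6")
        if bound is None:                # the branch constrains the symbol arg
            can_exit, can_enter = lo <= i, hi > i
            exit_rng, enter_rng = (lo, min(hi, i)), (max(lo, i + 1), hi)
        else:                            # concrete bound: only one branch is live
            can_exit, can_enter = i >= bound, i < bound
            exit_rng = enter_rng = (lo, hi)
        if can_exit:                     # false branch of `i < bound` first
            after_loop(*exit_rng)
        if can_enter:
            trace.extend(["B5", "B4"])
            loop_head(i + 1, *enter_rng, visits + 1)

    loop_head(0, -math.inf, math.inf, 0)
    return "-".join(trace)


def code_after_loop_analyzed(bound=None):
    """True if lines 9-14 (block B3 onward) appear on any explored path."""
    return "B3" in explore(bound).split("-")


if __name__ == "__main__":
    for b in (None, 0, 1, 2, 3, 4, 64):
        print(b, code_after_loop_analyzed(b), explore(b))
```

Under this model a defect placed after a loop with a constant trip count of 4 or more sits on code the walk never reaches, which is the coverage gap to keep in mind when reading a clean analyzer report.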
