[cfe-dev] static analysis: covers all possible control flows?

Anna Zaks ganna at apple.com
Tue Jan 6 23:02:23 PST 2015


> On Jan 6, 2015, at 7:24 AM, Christian Convey <christian.convey at gmail.com> wrote:
> 
> I'm thinking about writing a checker whose correctness depends on
> analyzing all valid control flows through a given procedure's basic
> blocks.
> 

> Does anyone know whether clang's static analyzer is guaranteed to
> analyze a superset, subset, or the exact set of valid control flows?
> 
I am not 100% sure what you mean by valid control flows.

However, I think the answer is “neither”. The analyzer tries to approximate the set of valid paths through the program. However, it may drop feasible paths (see the example with loops below). It also may cover an invalid path. For example, it may think that entering true branches of the two consecutive if statements is possible, when it is not:

if (cubed(y) == x) // The analyzer may not know that cubed(y) === y*y*y.
  a++;
if (y*y*y != x)
  a--;

> Also, if there's an infinite loop within some procedure, how does the
> static analyzer handle / present that?

The loops are “unrolled” a certain number of times. So given that the analyzer cannot precisely model the loop condition, you would get coverage for several paths:
- the loop is not entered
- only one iteration of the loop is executed
- only two iterations of the loop are executed
- only three iterations of the loop are executed

> 
> Thanks,
> Christian
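The two cases from the reply above as one compilable C file, added here as an illustration and not part of the original message. The names `correlated`, `both_true_count`, `drain`, `sample` and `POISON_AT` are hypothetical, and `cubed` is assumed to be visible to the analyzer only as a declaration.

```c
#include <stddef.h>

/* Assumption: when analysed, cubed() sits in another translation unit and
 * only its declaration is visible. Defined here so the file links and runs. */
int cubed(int y) { return y * y * y; }

/* Infeasible path: the two conditions are mutually exclusive at run time, so
 * p is never NULL at the dereference. An explorer that cannot relate cubed(y)
 * to y*y*y may still take both true branches and flag the dereference. */
int correlated(int x, int y, const int *a) {
    const int *p = a;
    if (cubed(y) == x)
        p = NULL;
    if (y * y * y != x)
        return *p;
    return 0;
}

/* Ground truth: number of (x, y) pairs in [lo, hi] where both conditions hold. */
int both_true_count(int lo, int hi) {
    int hits = 0;
    for (int y = lo; y <= hi; y++)
        for (int x = lo; x <= hi; x++)
            if (cubed(y) == x && y * y * y != x)
                hits++;
    return hits;
}

#define POISON_AT 6 /* constructed: deeper than the iterations listed above */
const int sample[POISON_AT] = {1, 2, 3, 4, 5, 6}; /* constructed input */

/* Dropped feasible path: any n > POISON_AT dereferences NULL, but only on the
 * 7th iteration, which exploration bounded to a few iterations never reaches. */
int drain(const int *buf, int n) {
    const int *p = buf;
    int total = 0;
    for (int i = 0; i < n; i++) {
        if (i == POISON_AT)
            p = NULL;
        total += p[i];
    }
    return total;
}

int main(void) {
    /* Only safe inputs are executed; the n > POISON_AT case is for analysis. */
    return !(both_true_count(-20, 20) == 0 && drain(sample, POISON_AT) == 21);
}
```

A checker that needs a superset of real flows would be wrong about `drain`, and one that needs a subset would be wrong about `correlated`.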