[cfe-dev] [analyzer] How to analyzer the code after an indefinite loop?

Gábor Horváth via cfe-dev cfe-dev at lists.llvm.org
Thu Jul 30 05:48:37 PDT 2020


Hi!

There are two tools in the analyzer to help with these problems, but both are off
by default as they would need some additional improvements and testing.

One is loop unrolling which (when turned on) will detect specific loop
patterns and unroll them completely (instead of stopping after 4
iterations).
The other is loop widening which involves restarting the analysis after the
loop. While this increases the coverage of the analysis it can also trigger
additional false positives as a large portion of the state needs to be
invalidated to restart the analysis. Making this invalidation less severe
is one way to improve the situation.

Cheers,
Gabor

On Thu, 30 Jul 2020 at 14:32, Denis Petrov via cfe-dev <cfe-dev at lists.llvm.org> wrote:

> In addition to my previous letter. I'm very concerned that we may have no
> chance to analyze a big chunk of code in this case:
>
> void clang_analyzer_warnIfReached();
> int f()
> {
>   int i = 0;
>   for(int i = 0; i < 100; i++){
>     if(i > 10){
>       clang_analyzer_warnIfReached();
>       // a lot of code will never be analyzed
>     }
>   }
>   return 0;
> }
>
> Why don't we analyze loop bodies as functions, just substituting the var `i`
> with symbols (or constraint ranges) after reaching the limits, instead of
> generating sinks?
>
> Or are there already discussed plans for improvement somewhere?
>
>
> ------------------------------
> *Denys Petrov*
> Senior C++ Developer | Kharkiv, Ukraine
>
> ------------------------------
> *From:* Artem Dergachev <noqnoqneo at gmail.com>
> *Sent:* 28 July 2020 22:34
> *To:* Denis Petrov; cfe-dev
> *Subject:* Re: [cfe-dev] [analyzer] How to analyzer the code after an
> indefinite loop?
>
> Here's how you can find this out with the help of ExprInspection:
>
>
> $ cat test.c
>
> int f(int x, int flag)
> {
>   int i = 0;
>   while(i < x)
>     i++;
>
>   clang_analyzer_warnIfReached();
> }
>
>
> $ clang --analyze -Xclang -analyzer-checker=debug.ExprInspection test.c
>
> test.c:7:3: warning: REACHABLE [debug.ExprInspection]
>   clang_analyzer_warnIfReached();
>   ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 1 warning generated.
>
>
> Here's a slightly more interesting experiment:
>
>
> $ cat test.c
>
> int f(int x, int flag)
> {
>   int i = 0;
>   while(i < x)
>     i++;
>
>   if (flag) {
>     clang_analyzer_warnIfReached();
>     clang_analyzer_numTimesReached();
>     return i;
>   } else {
>     clang_analyzer_warnIfReached();
>     clang_analyzer_numTimesReached();
>     return 0;
>   }
> }
>
>
> $ clang --analyze -Xclang -analyzer-checker=debug.ExprInspection test.c
>
> test.c:8:5: warning: REACHABLE [debug.ExprInspection]
>     clang_analyzer_warnIfReached();
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> test.c:9:5: warning: 4 [debug.ExprInspection]
>     clang_analyzer_numTimesReached();
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> test.c:12:5: warning: REACHABLE [debug.ExprInspection]
>     clang_analyzer_warnIfReached();
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> test.c:13:5: warning: 1 [debug.ExprInspection]
>     clang_analyzer_numTimesReached();
>     ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 4 warnings generated.
>
>
> Will you be able to figure out why one branch is reached 4 times while the
> other branch is reached only once? You can find all your answers in the
> exploded graph dump.
>
>
> On 7/28/20 5:59 AM, Denis Petrov via cfe-dev wrote:
>
> Hi, community!
>
>
> A quick question.
>
>
> Is CSA Core able to analyze the code after some indefinite loop?
>
> E.g.
> void f(int x)
> {
>   int i = 0;
>   while(i < x)
>     i++;
>   // Interested in some code here!!
> }
>
>
> I found that the exploded graph grows while going through the loop 4 times and
> then stops analyzing the code further.
>
> P.S. I know about -analyzer-max-loop(4).
> ------------------------------
> *Denys Petrov*
> Senior C++ Developer | Kharkiv, Ukraine
>
>
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>
>
>
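The following is an added toy model of the behaviours discussed in this thread, not code from clang or from any of the posters. It imitates three things: the default cut-off after `-analyzer-max-loop` visits of a loop (the gap Denys's `for` loop example shows), the opt-in unrolling and widening Gábor describes, and the 4-versus-1 node count in Artem's second `ExprInspection` experiment. The explanation built into the model for that last point is that the engine creates one exploded node per distinct (program point, state) pair and purges bindings of variables that are dead at that point, so the four exit states stay distinct where `i` is still returned and collapse into one where neither `i` nor `x` is used again. The state layout, the `"unknown"` marker for an invalidated value, and the constraint strings are simplifications assumed for the model, not the analyzer's real data structures.

```python
"""Toy model of how the clang static analyzer explores loops (added example,
not clang's code).  Simplified assumptions: a state is a flat mapping from
variable name to a concrete int, the marker "unknown" (invalidated by
widening) or a constraint string for a symbolic input such as "x == 2"."""
from typing import Dict, List, Set, Tuple

# A state frozen into a sorted tuple so it can be placed in a set (the model's
# stand-in for the exploded graph's node cache).
State = Tuple[Tuple[str, object], ...]


def freeze(bindings: Dict[str, object]) -> State:
    return tuple(sorted(bindings.items()))


def explore_symbolic_while(max_loop: int = 4, widen: bool = False) -> Tuple[List[State], int]:
    """Model `int i = 0; while (i < x) i++;` with x a symbolic parameter.

    Leaving the loop after k iterations is feasible only under a matching
    assumption about x, so each exit carries its own constraint.  When the
    loop test would be visited for the (max_loop + 1)-th time the default
    engine drops the path (a sink); with widening it instead emits one more
    exit state whose loop variable has been invalidated.
    Returns (exit states, number of sunk paths).
    """
    exits: List[State] = []
    for k in range(max_loop):
        constraint = "x <= 0" if k == 0 else f"x == {k}"
        exits.append(freeze({"i": k, "x": constraint}))
    if widen:
        # Widened exit: i is no longer a known value, only the fact that the
        # loop ran at least max_loop times survives.  A real widening would
        # invalidate far more of the state, which is the false-positive cost
        # mentioned in the thread.
        exits.append(freeze({"i": "unknown", "x": f"x >= {max_loop}"}))
        return exits, 0
    return exits, 1


def analyze_fixed_trip_loop(trip_count: int, target: int,
                            max_loop: int = 4, unroll: bool = False) -> Tuple[int, bool]:
    """Model `for (int i = 0; i < trip_count; i++) if (i > target) { ... }`.

    Returns (number of iterations whose body was analyzed, whether the block
    guarded by `i > target` was ever reached).  Without unrolling the engine
    stops after max_loop iterations, so a block guarded by a larger i is never
    analyzed; unrolling a fixed-trip-count loop analyzes every iteration.
    """
    analyzed = trip_count if unroll else min(trip_count, max_loop)
    reached = any(i > target for i in range(analyzed))
    return analyzed, reached


def purge_dead(state: State, live: Set[str]) -> State:
    """Drop bindings and constraints on variables that are not live here."""
    return freeze({var: val for var, val in state if var in live})


def count_branch_nodes(exit_states: List[State]) -> Tuple[int, int]:
    """Model `if (flag) { ...; return i; } else { ...; return 0; }` after the loop.

    One node per distinct state at each program point.  In the then-branch i
    is live (it is returned) so every exit state stays distinct; in the
    else-branch neither i nor x is used again, their bindings are purged and
    all paths collapse into a single state.
    """
    then_nodes = {purge_dead(s, {"i"}) for s in exit_states}
    else_nodes = {purge_dead(s, set()) for s in exit_states}
    return len(then_nodes), len(else_nodes)


if __name__ == "__main__":
    exits, sunk = explore_symbolic_while()
    print("default: exit states", len(exits), "sunk paths", sunk)
    print("then/else nodes:", count_branch_nodes(exits))
    print("widened: exit states", len(explore_symbolic_while(widen=True)[0]))
    print("for(i<100) if(i>10), default:", analyze_fixed_trip_loop(100, 10))
    print("for(i<100) if(i>10), unrolled:", analyze_fixed_trip_loop(100, 10, unroll=True))
```

With the default bound of 4 the model yields four exit states and one sunk path, and `count_branch_nodes` reports `(4, 1)`, the same counts Artem's `clang_analyzer_numTimesReached()` output shows; the `for` loop model reports that the `i > 10` block is never analyzed unless the loop is unrolled. The real analyzer's exploded graph dump (`-analyzer-dump-egraph`) is the authoritative place to confirm this on actual code.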