cfe-dev Digest, Vol 84, Issue 105

Hello Arthur,

Tl;dr: there are some options that may be set using the '-analyzer-config' option. Example: -analyzer-config max-nodes=100000
1. max-nodes - the maximum number of nodes of the exploded graph that may be analyzed for a top-level function. That does not limit the number of nodes that may be enqueued to the worklist. 150000 by default.
2. mode - user analysis modes. Values: 'shallow' (sets the default max-nodes to 75000) and 'deep' (default). Seems like you already tried to set it somehow.
3. ipa-always-inline-size - sets the limit on the number of CFGBlocks in functions that the analyzer considers "small".
There are some other options. You may use the debug.ConfigDumper checker to view your default analysis options (or the options you set). You can take a look at test/Analysis/analyzer-config.c of the clang source tree (https://github.com/llvm-mirror/clang/blob/master/test/Analysis/analyzer-config.cpp) to see them and their default values. You can also take a look at the AnalyzerOptions class of clang (http://clang.llvm.org/doxygen/classclang_1_1AnalyzerOptions.html).

But could you clarify your question?

1. IPA mode is not IPA_NotSet by default. IPA_NotSet is only an internal flag indicating that the user didn't specify any option and some default value should be used. You can take a look at the AnalyzerOptions::getIPAMode() method. If IPA options were not specified, CSA uses the IPAK_DynamicDispatchBifurcate option by default, so your changes in IPA_Mode should not change anything (or make it even worse).

2. If you attach your file, we can understand more things about your case.

3. It is not so much a memory limit as a time limit. CSA doesn't use a summary approach currently; it inlines a function or loop iteration every time it is met. This can lead to slow analysis, so CSA limits loop inlining and function inlining as well as the number of ExplodedNodes analyzed, in order to finish the analysis in a reasonable time. The number of nodes analyzed per function is limited but the number of nodes enqueued is not, so there may be interesting cases. Take a look at the external/qemu/target-mips/translate.c file from the Android source tree: its analysis with CSA made a 96 Gb server start swapping. But most files you'll analyze will not consume over 300 Mb with default analyzer options.

4. The fact that function evaluation happens twice is strange. How did you check this? Maybe it was analyzed multiple times, as a separate function and as a callee of other functions? Again, attaching a test case may help.

5. Are there problems with analysis correctness that forced you to look for additional options? Can you explain what you want to get with these options?
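
Added example, not part of the message above and not code from the clang project: a small Python audit of the option dump that the debug.ConfigDumper checker prints, flagging runs where max-nodes or mode differ from the defaults quoted in the message. It assumes the dump uses the `[config]` / `key = value` / `[stats]` layout checked by the test file the message links to; the function names and the sample dump are constructed for illustration.

```python
"""Audit Clang Static Analyzer options dumped by the debug.ConfigDumper checker."""

# Defaults quoted in the message above (assumed to still apply to your clang).
EXPECTED = {"max-nodes": "150000", "mode": "deep"}

# Constructed sample of a ConfigDumper dump (not captured from a real run).
SAMPLE_DUMP = """\
[config]
ipa-always-inline-size = 3
max-nodes = 75000
mode = shallow
[stats]
num-entries = 3
"""

def parse_config_dump(text):
    """Return (options, declared_count) from a ConfigDumper-style dump."""
    options, stats, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if not sep or section not in ("config", "stats"):
            raise ValueError(f"unexpected line: {raw!r}")
        target = options if section == "config" else stats
        target[key.strip()] = value.strip()
    declared = int(stats["num-entries"]) if "num-entries" in stats else None
    return options, declared

def audit(text, expected=EXPECTED):
    """List deviations from the expected options, plus truncation of the dump."""
    options, declared = parse_config_dump(text)
    findings = []
    if declared is not None and declared != len(options):
        findings.append(f"dump lists {len(options)} options but declares {declared}")
    for key, want in expected.items():
        got = options.get(key)
        if got != want:
            findings.append(f"{key}: expected {want}, got {got}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_DUMP):
        print(finding)
```

A reduced max-nodes or 'shallow' mode means fewer paths are explored per top-level function, so a CI job that relies on the analyzer for bug finding can use a check like this to notice when coverage was silently lowered.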