Clang Static Analyzer not taking all paths

Hi,

I ran the CSA on the CGC HackMan challenge:
https://github.com/trailofbits/cb-multios/blob/master/challenges/HackMan/src/main.c

Starting from line 190, there is an uninitialized read:

...
   while (1)
   {
     error = 0;
     if (win || cgc_strlen(h_state.word) == 0)
       goto new_chal;
...
new_chal:
         if (h_state.new_challenge_handler == NULL)
           h_state.new_challenge_handler = cgc_new_challenge;
...

CSA does not find this uninitialized read; however, if an "if (!win);" is placed before the loop, it is found.

Can anyone tell me why?

Thanks,
Nils

The analyzer's method never gives a guarantee to explore all paths, as there may potentially be infinitely many paths or a finite but hyper-exponentially exploding number of paths. However, this example seems to start working after we've recently changed the path exploration order in svn r326157 "[analyzer] Switch the default exploration strategy to priority queue based on coverage":

$ clang (...) --analyze -Xclang -analyzer-config -Xclang exploration_strategy=dfs main.c
$ clang (...) --analyze main.c
main.c:202:43: warning: The left operand of '==' is a garbage value
if (h_state.new_challenge_handler == NULL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
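To make the comparison reproducible outside the full challenge, here is a reduced, constructed reproducer of the same shape (a local state struct whose function-pointer field is NULL-checked inside a loop reached via goto before anything assigned it). This is added example code, not the HackMan challenge's source and not part of the analyzer project; the struct, field and function names are assumptions. The `_buggy` variant deliberately leaves the state uninitialized so the analyzer has the defect to report and must not be executed; the `_fixed` variant shows the defender's fix (zero-initializing the struct) and is the one the checks below call.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the challenge's game state (names assumed). */
struct hm_state {
    char word[32];
    void (*new_challenge_handler)(struct hm_state *);
};

/* Stand-in for cgc_new_challenge: installs a constructed sample word. */
static void new_challenge(struct hm_state *s)
{
    strcpy(s->word, "sample");
}

/* Buggy shape, as in the report: h_state is never initialised, so on the
 * first iteration both strlen(h_state.word) and the `== NULL` comparison read
 * garbage. Do not run this; it exists so the analyzer can be pointed at it:
 *   clang --analyze -Xclang -analyzer-config -Xclang exploration_strategy=dfs repro.c
 *   clang --analyze repro.c
 * and the reports of the two exploration strategies compared. */
int hackman_loop_buggy(int win, int rounds)
{
    struct hm_state h_state;            /* uninitialised: the defect */
    int handled = 0;
    while (rounds-- > 0) {
        if (win || strlen(h_state.word) == 0)
            goto new_chal;
        /* guess handling elided in the report; falls through to new_chal */
new_chal:
        if (h_state.new_challenge_handler == NULL)   /* garbage-value read */
            h_state.new_challenge_handler = new_challenge;
        h_state.new_challenge_handler(&h_state);
        handled++;
    }
    return handled;
}

/* Fixed shape: zero-initialising the struct makes the handler NULL and the
 * word empty on entry, so every read in the loop is defined. Returns the
 * number of rounds in which a challenge handler ran. */
int hackman_loop_fixed(int win, int rounds)
{
    struct hm_state h_state = {0};      /* handler == NULL, word == "" */
    int handled = 0;
    while (rounds-- > 0) {
        if (win || strlen(h_state.word) == 0)
            goto new_chal;
        /* guess handling elided in the report; falls through to new_chal */
new_chal:
        if (h_state.new_challenge_handler == NULL)   /* now a defined check */
            h_state.new_challenge_handler = new_challenge;
        h_state.new_challenge_handler(&h_state);
        handled++;
    }
    return handled;
}
```

With both functions in one translation unit, the analyzer should report the garbage-value comparison only in the `_buggy` variant; whether it does so under `exploration_strategy=dfs` as well as under the newer default is exactly what the thread above is about, so running the two invocations in the comment side by side is the quickest way to see the difference on your own clang revision.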