Clang Static Analyzer not taking all paths


I ran the CSA on the CGC HackMan challenge:

Starting from line 190, there is an uninitialized read:

  while (1)
    error = 0;
    if (win || cgc_strlen(h_state.word) == 0)
      goto new_chal;
    if (h_state.new_challenge_handler == NULL)
      h_state.new_challenge_handler = cgc_new_challenge;

CSA does not find this uninitialized read; however, if an "if (!win);" is placed before the loop, it is found.

Can anyone tell me why?


The analyzer's method never gives a guarantee to explore all paths, as there may potentially be infinitely many paths or a finite but hyper-exponentially exploding number of paths. However, this example seems to start working after we've recently changed path exploration order in svn r326157 "[analyzer] Switch the default exploration strategy to priority queue based on coverage":

$ clang (...) --analyze -Xclang -analyzer-config -Xclang exploration_strategy=dfs main.c
$ clang (...) --analyze main.c
main.c:202:43: warning: The left operand of '==' is a garbage value
if (h_state.new_challenge_handler == NULL)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
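A minimal, self-contained reproducer for the pattern in the question, added here as an example and not taken from the question or the CGC HackMan source: the same loop shape with the state struct left uninitialized, beside a version that zeroes it first. The names (hm_state, hm_loop, hm_run_uninit, hm_run_fixed, default_handler) are invented; running clang --analyze on this file with and without -analyzer-config exploration_strategy=dfs, as in the answer, shows whether the analyzer reaches the garbage read.

```c
#include <stddef.h>
#include <string.h>

typedef void (*handler_fn)(void);

/* Invented stand-in for the challenge's h_state: a word buffer and a
 * handler pointer that is only ever assigned inside the loop. */
struct hm_state {
    char word[16];
    handler_fn new_challenge_handler;
};

static void default_handler(void) {}

/* Same control flow as the snippet in the question, bounded so it
 * terminates. On the `win` path nothing has written the handler field
 * before it is compared against NULL. */
static int hm_loop(struct hm_state *h_state, int win) {
    int error = -1, rounds = 0;
    while (rounds < 2) {
        error = 0;
        if (win || strlen(h_state->word) == 0)
            goto new_chal;
        rounds++;
        continue;
new_chal:
        /* the read the analyzer reported at main.c:202 in the answer */
        if (h_state->new_challenge_handler == NULL)
            h_state->new_challenge_handler = default_handler;
        rounds++;
    }
    return error == 0 && h_state->new_challenge_handler == default_handler;
}

/* Unfixed: the stack struct is never initialized, so the loop reads
 * garbage (undefined behaviour; kept only for the analyzer to inspect). */
int hm_run_uninit(int win) {
    struct hm_state h_state;
    return hm_loop(&h_state, win);
}

/* Fixed: zero the state up front, so the NULL check sees a defined value
 * and strlen() runs on a terminated buffer. */
int hm_run_fixed(int win) {
    struct hm_state h_state;
    memset(&h_state, 0, sizeof h_state);
    return hm_loop(&h_state, win);
}
```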