Hi:
I’m trying to implement a custom tool that does Path-Sensitive analysis on a c source code, and lists all calls to a specific C function in the order they’ll be called, rooting from main.
For such calls found in a loop, we require the loop to be statically reducible and warns the user if this is not the case.

What I’ve tried so far is to use REGISTER_LIST_WITH_PROGRAMSTATE to create a list of CallExprs, and add the state in checkPreCall, as demonstrated below:

void checkPreCall(const CallEvent &msg, CheckerContext &C) const {
if (isa<SimpleFunctionCall>(msg)) {
// Check Callee is the C function needed
const SimpleFunctionCall &sfc = cast<SimpleFunctionCall>(msg);
C.addTransition(C.getState()->add<CallList>(sfc.getOriginExpr()));
}
}

Then, in checkEndAnalysis, iterate ExplodedGraph’s eops.

My question is:

• How do I limit the path being explored to start and end in main() ?
• How do I detect the function is being called in a irreducible loop?