Path sensitive algorithm

Is there any documentation of the path sensitive algorithm?

Are you asking about the clang static analyzer?

We’ve recently gave a talk on the static analyzer. See “Building a checker in 24 hours” at The talk is targeted at someone writing a new check extension to the analyzer so it only has a very high level description of the internals.

There is some additional documentation on the analyzer’s website and in the clang/docs/analyzer directory (+ a patch for extensions to the Checker Developer Manual is currently in review:

However, there is currently no document fully describing the internals of the analyzer. The analyzer is inspired by many papers on path-sensitive dataflow analysis, see


Anna, I am asking about the clang static analyzer, and after viewing I still cannot understand why in a linear program like:

int f();
void g() {
int i;
i = f();
i = f();

I stop at “checkPreStmt(CallExpr, CheckerContext)” once for the first function call and twice for the second.

You are right - checkPreStmt should be called once fro each call.

I cannot repo by adding a breakpoint to MallocChecker’s checkPreStmt(const CallExpr *CE, CheckerContext &C) on your test case. Is it possible that you are splitting paths in your checker?