Path sensitive algorithm

Is there any documentation of the path sensitive algorithm?

Are you asking about the clang static analyzer?

We’ve recently gave a talk on the static analyzer. See “Building a checker in 24 hours” at http://llvm.org/devmtg/2012-11/ The talk is targeted at someone writing a new check extension to the analyzer so it only has a very high level description of the internals.

There is some additional documentation on the analyzer’s website and in the clang/docs/analyzer directory (+ a patch for extensions to the Checker Developer Manual is currently in review: http://clang-developers.42468.n3.nabble.com/Patch-Update-to-Checker-Development-Manual-td4031120.html)

However, there is currently no document fully describing the internals of the analyzer. The analyzer is inspired by many papers on path-sensitive dataflow analysis, see http://lists.cs.uiuc.edu/pipermail/cfe-dev/2009-January/003996.html

Cheers,
Anna.

Anna, I am asking about the clang static analyzer, and after viewing I still cannot understand why in a linear program like:

int f();
void g() {
int i;
i = f();
i = f();
}

I stop at “checkPreStmt(CallExpr, CheckerContext)” once for the first function call and twice for the second.

You are right - checkPreStmt should be called once fro each call.

I cannot repo by adding a breakpoint to MallocChecker’s checkPreStmt(const CallExpr *CE, CheckerContext &C) on your test case. Is it possible that you are splitting paths in your checker?

Cheers,
Anna.