path traversal on ExplodedGraph of clang static analyzer

Hi all,

I implemented a simple checker on the static analysis framework.
However, I don't quite understand how the underlying analyzer behaves, especially
why it traverses the ExplodedGraph in a strange way.

In checkEndAnalysis, my program just visits (DFS) and prints source code locations.
Here is an example:

     1 int main(int argc, char** argv){
     2     if(argc>10){
     3         int x = 1;
     4         int y = 2;
     5         int z = 3;
     6     }
     7
     8     int a = 1;
     9     int b = 2;
    10     return 0;
    11 }

The output is a sequence of line numbers. I have two paths here:
[2-8-9-5-8-9] and [2-8-9]
The latter one makes sense, but why does it produce the first one? Line 9 to line 5?

Is there any document for the internal behavior of Clang Static Analyzer?

Thanks,
Kihong
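The DFS described above, as a stand-alone Python model added here (this is neither Clang's ExplodedGraph API nor the poster's checker): node ids, edges and line labels are constructed by hand to mirror the program in the post, with one statement-less node standing in for the entrance into the then-block. The point it shows is that collecting complete root-to-sink paths and recording the order in which a DFS first visits nodes yield different sequences, so a checker that prints locations as it visits nodes is not printing paths.

```python
# Added illustration: toy ExplodedGraph-like DAG with root-to-sink path
# enumeration. Node ids, edges and line labels below are CONSTRUCTED to mirror
# the program in the post; this is not the Clang Static Analyzer API.
from typing import Dict, List, Optional

# Each node carries the source line of its statement, or None for a program
# point that has no statement (here: entrance into the then-block).
NODES: Dict[str, Optional[int]] = {
    "n0": 2,     # if (argc > 10)
    "nT": None,  # then-block entrance, no statement
    "n3": 3,     # int x = 1;
    "n4": 4,     # int y = 2;
    "n5": 5,     # int z = 3;
    "n8": 8,     # int a = 1;
    "n9": 9,     # int b = 2;
    "n10": 10,   # return 0;
}

# Successor edges: the branch at n0 forks into the then-block (nT) and
# directly to the join point n8. In this model the post-branch nodes are
# shared by both paths.
EDGES: Dict[str, List[str]] = {
    "n0": ["nT", "n8"],
    "nT": ["n3"],
    "n3": ["n4"],
    "n4": ["n5"],
    "n5": ["n8"],
    "n8": ["n9"],
    "n9": ["n10"],
    "n10": [],
}


def enumerate_paths(root: str,
                    edges: Dict[str, List[str]] = EDGES,
                    nodes: Dict[str, Optional[int]] = NODES) -> List[List[int]]:
    """Return every root-to-sink path as a list of source lines.

    The path prefix travels down the recursion, so sibling branches never see
    each other's nodes. A single global 'visited' set would be wrong for this
    purpose: a node reachable on two paths (n8, n9, n10) must appear on both.
    """
    paths: List[List[int]] = []

    def walk(node: str, prefix: List[int]) -> None:
        line = nodes[node]
        here = prefix + ([line] if line is not None else [])
        succs = edges[node]
        if not succs:            # sink: one complete path
            paths.append(here)
            return
        for s in succs:
            walk(s, here)

    walk(root, [])
    return paths


def visit_order(root: str,
                edges: Dict[str, List[str]] = EDGES,
                nodes: Dict[str, Optional[int]] = NODES) -> List[int]:
    """Lines in the order a DFS with a global visited set first reaches them.

    This is a traversal trace, not a path: shared nodes are emitted once, so
    the second path through n8..n10 never shows up as its own sequence.
    """
    order: List[int] = []
    seen = set()

    def walk(node: str) -> None:
        if node in seen:
            return
        seen.add(node)
        line = nodes[node]
        if line is not None:
            order.append(line)
        for s in edges[node]:
            walk(s)

    walk(root)
    return order


if __name__ == "__main__":
    for p in enumerate_paths("n0"):
        print("path:", "-".join(map(str, p)))
    print("visit order:", "-".join(map(str, visit_order("n0"))))
```

Run as-is it prints the two paths 2-3-4-5-8-9-10 and 2-8-9-10, followed by the single visit-order trace 2-3-4-5-8-9-10. Whether the real analyzer merges or duplicates the post-branch nodes depends on the program states it carries, which is exactly why the reply below recommends dumping the actual graph rather than inferring its shape from a checker's print statements.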

If you want to see the final analysis graph, you can dump it into graphviz via -analyzer-checker debug.ViewExplodedGraph (or -analyzer-viz-egraph-graphviz, which is the same thing). A debug build is required for that. See also http://clang-analyzer.llvm.org/checker_dev_manual.html#visualizing

I'm not sure if your dumps are correct; they look strange indeed, and they don't quite correspond to what I see in the actual exploded graph.

You should rarely rely on the analysis order in your checkers though; you should keep information in the program state instead, and keep your checker object stateless, as in http://clang-analyzer.llvm.org/checker_dev_manual.html#events_callbacks

There's also my old workbook at https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf that captures the current (mildly outdated but overall still relevant) state of things.