path traversal on ExplodedGraph of clang static analyzer

Hi all,

I implemented a simple checker on the static analysis framework.
However, I don’t quite understand how the underlying analyzer behaves, especially
since it traverses the ExplodedGraph in a strange way.

In checkEndAnalysis, my program just visits (DFS) and prints source code locations.
Here is an example:

     1 int main(int argc, char** argv){
     2 if(argc>10){
     3 int x = 1;
     4 int y = 2;
     5 int z = 3;
     6 }
     8 int a = 1;
     9 int b = 2;
    10 return 0;
    11 }

The output is sequences of line numbers. I have two paths here.
[2-8-9-5-8-9] and [2-8-9]
The latter one makes sense, but why does it produce the first one? Line 9 to 5?

Is there any document for the internal behavior of Clang Static Analyzer?


If you want to see the final analysis graph, you can dump it into graphviz via -analyzer-checker debug.ViewExplodedGraph (or -analyzer-viz-egraph-graphviz, which is the same thing). A debug build is required for that. See also

I'm not sure if your dumps are correct; they look strange indeed, and they don't quite correspond to what I see in the actual exploded graph.

You should rarely rely on the analysis order in your checkers though; you should keep information in the program state instead, and keep your checker object stateless, as in

There's also my old workbook at that captures the current (mildly outdated but overall actual) state of things.