zaks.anna added inline comments.

================
Comment at: lib/StaticAnalyzer/Checkers/ConversionChecker.cpp:84
@@ +83,3 @@
+// Can E value be greater or equal than Val?
+static bool canBeGreaterEqual(CheckerContext &C, const Expr *E,
+ unsigned long long Val) {
----------------
danielmarjamaki wrote:
> zaks.anna wrote:
> > This function returns true if the value "is" greater or equal, not "can be"
> > greater or equal. The latter would be "return StGE".
> >
> > Also, it's slightly better to return the StGE state and use it to report
> > the bug. This way, our assumption is explicitly recorded in the error state.
> NoQ made the same comment. I disagree.
>
>     int A = 0;
>     if (X) {
>       A = 1000;
>     }
>     U8 = A; // <- Imho; A _can_ be 1000
>
> Imho it's better to say that A _can_ be 1000 unless A is 1000 for all
> possible execution paths through the code.
>
> Do you still think "is" is better than "can be"?

The Clang Static Analyzer performs path-sensitive analysis of the program. (It does not merge the paths at the "U8 = A" statement!!!) You will only be changing the state along a single execution path of this program. Along that path, A will always be 1000.

When analyzing your example, the analyzer is going to separately analyze 2 paths:
1st path: A=0; X != 0; A =1000; U8 = A; // Here U8 is definitely 1000.
2nd path: A=0; X == 0; U8 = A; // Here U8 is definitely 0.

This video contains an intuitive explanation of the symbolic execution technique we use:
http://llvm.org/devmtg/2012-11/videos/Zaks-Rose-Checker24Hours.mp4

http://reviews.llvm.org/D13126

_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
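
Review bot: the comment above canBeGreaterEqual in ConversionChecker.cpp ("Can E value be greater or equal than Val?") does not say what a true result means, so a reader cannot tell whether E must reach Val on the current path or merely may; state that in the comment and reword it to "greater than or equal to Val". Since Val is declared unsigned long long, the comment should also say how a negative E is treated in the comparison.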
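
The "is" versus "can be" distinction from the message above, as an added example that is not part of the original message and does not use Clang's API. State, assumeGE, isGE, canBeGE and the helper functions are hypothetical names in a toy interval model; the merged state is constructed for contrast.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Toy model, not Clang's API: on one path a symbol is constrained to [Lo, Hi].
struct State { bool Feasible; long long Lo, Hi; };
struct Split { State StGE, StLT; };

// Split a path state on "sym >= Val", as a dual assume does: StGE is the
// state where the condition holds, StLT the state where it does not.
Split assumeGE(State S, long long Val) {
  Split R = {{false, 0, 0}, {false, 0, 0}};
  if (S.Feasible && S.Hi >= Val) R.StGE = {true, std::max(S.Lo, Val), S.Hi};
  if (S.Feasible && S.Lo < Val)  R.StLT = {true, S.Lo, std::min(S.Hi, Val - 1)};
  return R;
}

// "is": every value allowed on this path is >= Val (only StGE is feasible).
bool isGE(State S, long long Val) {
  Split R = assumeGE(S, Val);
  return R.StGE.Feasible && !R.StLT.Feasible;
}

// "can be": some value allowed on this path is >= Val (StGE is feasible).
bool canBeGE(State S, long long Val) { return assumeGE(S, Val).StGE.Feasible; }

// Path-sensitive view of the snippet: one unmerged state for A per path
// reaching "U8 = A" (X != 0 gives 1000, X == 0 gives 0).
std::vector<State> pathsAtAssignment() {
  return {{true, 1000, 1000}, {true, 0, 0}};
}

// Constructed contrast: what a path-merging analysis would hold for A.
State mergedAtAssignment() { return {true, 0, 1000}; }

// Number of paths on which A does not fit in 8 bits (256 is the first such value).
int pathsFlagged(bool (*Pred)(State, long long)) {
  int N = 0;
  for (State S : pathsAtAssignment()) N += Pred(S, 256) ? 1 : 0;
  return N;
}

int main() {
  std::printf("per path: is=%d can=%d\n", pathsFlagged(isGE), pathsFlagged(canBeGE));
  State M = mergedAtAssignment();
  std::printf("merged:   is=%d can=%d\n", isGE(M, 256), canBeGE(M, 256));
}
```

On the two unmerged paths both predicates flag only the X != 0 path; they differ once a state still admits values on both sides of the bound, as the merged state does.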