On Thu, Apr 06, 2006 at 11:58:20PM +0200, Nic Volanschi wrote: > 3. (in the caller:) exiting the function after a va_start() then a call > to the mangler without an va_end(). > This one involves more than a from/to/avoid; it is of the form > from/then/to/avoid. In other words, the corresponding automaton has more > than three states, which is the limit of my current framework. The > reason why I chose this limitation in the first place is to ensure taht > checking is linear in time and space. I'm not sure this should be > re-considered.
The limitation is, I think, too strict. Other path-based tools (for example, Coverity's) handle cases like this, and limit the combinatorial explosion by cutting off after exploring a fixed number of paths .
