Hi Dave,

(I forgot to cc the list in the last email and it was too late to unsend. Sorry for sending you the same email again.)

> On 20 Mar 2023, at 23:50, David Malcolm
> wrote:
>
> I think if you try the patch to sm.cc above, then you'll see
> various existing DejaGnu tests below gcc.dg/analyzer will fail with
> state explosions.

After patching on the latest trunk, the DejaGnu tests report two cases with state explosion:

pr93032-mztools-{signed, unsigned}-char.c

I didn’t see any cases with ICE though. In addition, although I did see “warning: terminating analysis for this program point…” in the test log, nothing was reported when I ran the individual test (with or without gdb)… Did I miss anything?

Just by looking at these test files, it seems that it may have to do with how the analyzer does path selection, because there are many nested conditionals in these two files. As I mentioned in the proposal, it would be curious if this state explosion only happens for taint analysis, because I don’t think there is anything special about taint analysis that would cause state explosion (unless there is some buggy implementation?).

I will look at your latest patch. It seems that there are many useful tips that can help me further investigate the internals of the analyzer. Thanks a lot!

Best,
Shengyu