This is an archive of the discontinued LLVM Phabricator instance.

Differential D16178

[analyzer] A quick fix on top of D12901/r257464
ClosedPublic

Authored by NoQ on Jan 14 2016, 2:42 AM.

Details

Reviewers
dcoughlin
pgousseau
zaks.anna
xazax.hun
Commits
rG91c45e8f46ae: [analyzer] Fix an off-by-one in evalIntegralCast()
rC258039: [analyzer] Fix an off-by-one in evalIntegralCast()
rL258039: [analyzer] Fix an off-by-one in evalIntegralCast()
Summary

Sorry for being a bit slow, i should have had a look at the review earlier; i noticed some stuff after the recent patch by Pierre Gousseau was committed.

  1. There's an off-by-one in the comparison evalBinOp in evalIntegralCast, the patch attached to this revision fixes it, and tests it via bool-assignment checker.
  1. There's also a FIXME test for the same checker, which is a regression after this patch (used to throw a warning, now it doesn't); seems not as bad as the crash, so it can probably be addressed later.
  1. I noticed that it's still possible to trigger the crash with the following test, not sure what to do with it:
void f1(long foo)
{
  unsigned index = -1;
  if (index < foo - 1) index = foo;
  if (index + 1 == 0) {}
}

So my best idea is to push this quick fix for off-by-one and then think where to go further. Probably we need to teach RangeConstraintManager to work with SymbolCast's correctly (eg. understand how their range is related to a parent symbol's range). Eventually, once it gets better, we'd probably want to change the following in evalIntegralCast:

   std::tie(IsNotTruncated, IsTruncated) = state->assume(CompVal);
-  if (!IsNotTruncated && IsTruncated) {
+  if (IsTruncated) {

but right now it breaks tests (not only bool-assignment, but also other checkers that start failing can probably be shown to loose warnings after this patch, but i didn't have a look at this yet, so not sure, just hand-waving).

Anyway, generally, overally, i think r257464 is a step in the very right direction if we want to work with casts better, and i was actually very happy to see it went that way :)

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ updated this revision to Diff 44842.Jan 14 2016, 2:42 AM
NoQ retitled this revision from to [analyzer] A quick fix on top of D12901/r257464.
NoQ updated this object.
NoQ added reviewers: pgousseau, zaks.anna, dcoughlin, xazax.hun.
NoQ added a subscriber: cfe-commits.
pgousseau accepted this revision.Jan 14 2016, 4:53 AM
pgousseau edited edge metadata.

LGTM!
Thanks Artom for finding the bug and new test case, sorry for missing those in my patch!
Removing "!IsNotTruncated" is definitely worth trying.
Please commit if code owners are happy with it too.

Pierre.

This revision is now accepted and ready to land.Jan 14 2016, 4:53 AM
zaks.anna accepted this revision.Jan 15 2016, 4:42 PM
zaks.anna edited edge metadata.
Closed by commit rL258039: [analyzer] Fix an off-by-one in evalIntegralCast() (authored by dergachev). · Explain WhyJan 18 2016, 2:22 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
cfe/
trunk/
lib/
StaticAnalyzer/
Core/
2 lines
test/
Analysis/
9 lines

Diff 45159

cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp

Show First 20 LinesShow All 445 Lines▼ Show 20 Lines NonLoc ToTypeMaxVal =
: ToTypeMax.getSExtValue(), : ToTypeMax.getSExtValue(),
castTy) castTy)
.castAs<NonLoc>(); .castAs<NonLoc>();
// Check the range of the symbol being casted against the maximum value of the // Check the range of the symbol being casted against the maximum value of the
// target type. // target type.
NonLoc FromVal = val.castAs<NonLoc>(); NonLoc FromVal = val.castAs<NonLoc>();
QualType CmpTy = getConditionType(); QualType CmpTy = getConditionType();
NonLoc CompVal = NonLoc CompVal =
evalBinOpNN(state, BO_LT, FromVal, ToTypeMaxVal, CmpTy).castAs<NonLoc>(); evalBinOpNN(state, BO_LE, FromVal, ToTypeMaxVal, CmpTy).castAs<NonLoc>();
ProgramStateRef IsNotTruncated, IsTruncated; ProgramStateRef IsNotTruncated, IsTruncated;
std::tie(IsNotTruncated, IsTruncated) = state->assume(CompVal); std::tie(IsNotTruncated, IsTruncated) = state->assume(CompVal);
if (!IsNotTruncated && IsTruncated) { if (!IsNotTruncated && IsTruncated) {
// Symbol is truncated so we evaluate it as a cast. // Symbol is truncated so we evaluate it as a cast.
NonLoc CastVal = makeNonLoc(se, originalTy, castTy); NonLoc CastVal = makeNonLoc(se, originalTy, castTy);
return CastVal; return CastVal;
} }
return evalCast(val, castTy, originalTy); return evalCast(val, castTy, originalTy);
▲ Show 20 LinesShow All 133 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/bool-assignment.c

Show All 36 Lines
typedef signed char BOOL; typedef signed char BOOL;
void test_BOOL_initialization(int y) { void test_BOOL_initialization(int y) {
BOOL constant = 2; // expected-warning {{Assignment of a non-Boolean value}} BOOL constant = 2; // expected-warning {{Assignment of a non-Boolean value}}
if (y < 0) { if (y < 0) {
BOOL x = y; // expected-warning {{Assignment of a non-Boolean value}} BOOL x = y; // expected-warning {{Assignment of a non-Boolean value}}
return; return;
} }
if (y > 200 && y < 250) {
// FIXME: Currently we are loosing this warning due to a SymbolCast in RHS.
BOOL x = y; // no-warning
return;
}
if (y >= 127 && y < 150) {
BOOL x = y; // expected-warning{{Assignment of a non-Boolean value}}
return;
}
if (y > 1) { if (y > 1) {
BOOL x = y; // expected-warning {{Assignment of a non-Boolean value}} BOOL x = y; // expected-warning {{Assignment of a non-Boolean value}}
return; return;
} }
BOOL x = y; // no-warning BOOL x = y; // no-warning
} }
void test_BOOL_assignment(int y) { void test_BOOL_assignment(int y) {
▲ Show 20 LinesShow All 42 LinesShow Last 20 Lines