This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
Z3ConstraintManager.cpp

Differential D49305

[analyzer] Fix the Z3 backend always generating unsigned APSInt
ClosedPublic

Authored by mikhail.ramalho on Jul 13 2018, 10:07 AM.

Download Raw Diff

Details

Reviewers

george.karpenkov
NoQ
ddcc

Commits

rG07f6e8e3a519: [analyzer] Fix the Z3 backend always generating unsigned APSInt
rL337169: [analyzer] Fix the Z3 backend always generating unsigned APSInt
rC337169: [analyzer] Fix the Z3 backend always generating unsigned APSInt

Summary

In toAPSInt, the Z3 backend was not checking the variable Int's type and was always generating unsigned APSInts.

This was found by accident when I removed:

    llvm::APSInt ConvertedLHS, ConvertedRHS;
    QualType LTy, RTy;
    std::tie(ConvertedLHS, LTy) = fixAPSInt(*LHS);
    std::tie(ConvertedRHS, RTy) = fixAPSInt(*RHS);
-    doIntTypePromotion<llvm::APSInt, Z3ConstraintManager::castAPSInt>(
-        ConvertedLHS, LTy, ConvertedRHS, RTy);
    return BVF.evalAPSInt(BSE->getOpcode(), ConvertedLHS, ConvertedRHS);

And the BasicValueFactory started to complain about different signedness.

Diff Detail

Repository: rC Clang

Event Timeline

mikhail.ramalho created this revision.Jul 13 2018, 10:07 AM

Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptJul 13 2018, 10:07 AM

I recall that this problem extends beyond the Z3ConstraintManager. Have you looked at D28955, specifically the changes to BasicValueFactory.h?

In D49305#1161850, @ddcc wrote:

I recall that this problem extends beyond the Z3ConstraintManager. Have you looked at D28955, specifically the changes to BasicValueFactory.h?

I did but the changes in this patch fix all the "wrong signedness" crashes in our regressions (when we remove the doIntTypeConversion call).

It doesn't solve all the issues though, as the CSA seems to ignore a number of type casts, but that's not the goal of this patch.

ddcc accepted this revision.Jul 13 2018, 10:23 AM

This revision is now accepted and ready to land.Jul 13 2018, 10:23 AM

Closed by commit rC337169: [analyzer] Fix the Z3 backend always generating unsigned APSInt (authored by mramalho). · Explain WhyJul 16 2018, 6:37 AM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: cfe-commits. · View Herald TranscriptJul 16 2018, 6:37 AM

Revision Contents

Path

Size

lib/

StaticAnalyzer/

Core/

Z3ConstraintManager.cpp

8 lines

Diff 155665

lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp

Show First 20 Lines • Show All 675 Lines • ▼ Show 20 Lines	case Z3_BV_SORT: {

uint64_t Value[2];		uint64_t Value[2];
// Force cast because Z3 defines __uint64 to be a unsigned long long		// Force cast because Z3 defines __uint64 to be a unsigned long long
// type, which isn't compatible with a unsigned long type, even if they		// type, which isn't compatible with a unsigned long type, even if they
// are the same size.		// are the same size.
Z3_get_numeral_uint64(Z3Context::ZC, AST,		Z3_get_numeral_uint64(Z3Context::ZC, AST,
reinterpret_cast<__uint64 *>(&Value[0]));		reinterpret_cast<__uint64 *>(&Value[0]));
if (Sort.getBitvectorSortSize() <= 64) {		if (Sort.getBitvectorSortSize() <= 64) {
Int = llvm::APSInt(llvm::APInt(Int.getBitWidth(), Value[0]), true);		Int = llvm::APSInt(llvm::APInt(Int.getBitWidth(), Value[0]),
		Int.isUnsigned());
} else if (Sort.getBitvectorSortSize() == 128) {		} else if (Sort.getBitvectorSortSize() == 128) {
Z3Expr ASTHigh = Z3Expr(Z3_mk_extract(Z3Context::ZC, 127, 64, AST));		Z3Expr ASTHigh = Z3Expr(Z3_mk_extract(Z3Context::ZC, 127, 64, AST));
Z3_get_numeral_uint64(Z3Context::ZC, AST,		Z3_get_numeral_uint64(Z3Context::ZC, AST,
reinterpret_cast<__uint64 *>(&Value[1]));		reinterpret_cast<__uint64 *>(&Value[1]));
Int = llvm::APSInt(llvm::APInt(Int.getBitWidth(), Value), true);		Int = llvm::APSInt(llvm::APInt(Int.getBitWidth(), Value),
		Int.isUnsigned());
} else {		} else {
assert(false && "Bitwidth not supported!");		assert(false && "Bitwidth not supported!");
return false;		return false;
}		}
return true;		return true;
}		}
case Z3_BOOL_SORT:		case Z3_BOOL_SORT:
if (useSemantics && Int.getBitWidth() < 1) {		if (useSemantics && Int.getBitWidth() < 1) {
assert(false && "Boolean type doesn't match!");		assert(false && "Boolean type doesn't match!");
return false;		return false;
}		}
Int = llvm::APSInt(		Int = llvm::APSInt(
llvm::APInt(Int.getBitWidth(),		llvm::APInt(Int.getBitWidth(),
Z3_get_bool_value(Z3Context::ZC, AST) == Z3_L_TRUE ? 1		Z3_get_bool_value(Z3Context::ZC, AST) == Z3_L_TRUE ? 1
: 0),		: 0),
true);		Int.isUnsigned());
return true;		return true;
}		}
}		}

void Profile(llvm::FoldingSetNodeID &ID) const {		void Profile(llvm::FoldingSetNodeID &ID) const {
ID.AddInteger(Z3_get_ast_hash(Z3Context::ZC, AST));		ID.AddInteger(Z3_get_ast_hash(Z3Context::ZC, AST));
}		}

▲ Show 20 Lines • Show All 991 Lines • Show Last 20 Lines