This is an archive of the discontinued LLVM Phabricator instance.

Differential D79336

[analyzer] Generalize bitwise OR rules for ranges
ClosedPublic

Authored by vsavchenko on May 4 2020, 9:49 AM.

Details

Reviewers
NoQ
dcoughlin
Commits
rG47c4b8bd6869: [analyzer] Generalize bitwise OR rules for ranges
Summary

Previously the current solver started reasoning about bitwise OR
expressions only when one of the operands is a constant. However,
very similar logic could be applied to ranges. This commit addresses
this shortcoming. Additionally, it refines how we deal with negative
operands.

Diff Detail

Event Timeline

vsavchenko created this revision.May 4 2020, 9:49 AM
Herald added a project: Restricted Project. ยท View Herald TranscriptMay 4 2020, 9:49 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, martong and 9 others. ยท View Herald Transcript
vsavchenko added a comment.May 4 2020, 9:50 AM

Here is a little proof I've put together (using Z3): https://gist.github.com/SavchenkoValeriy/9ad6ca72e7420fd5612e618187bd4f76

Harbormaster failed remote builds in B55654: Diff 261852!May 4 2020, 10:11 AM
xazax.hun added inline comments.May 4 2020, 10:36 AM
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
77

Yeah, this is quite unfortunate. But you might end up calling this a lot for bitwise operations. I wonder if it is worth to solve this problem before commiting this patch. I do not insist though.

450

Is roughen part of a nomenclature? If not, what about something like cover?

480

Why do we need this conversion?
Do we want to model a cast in the code somewhere?
If so, I think this is more like a workaround and in the future we would need an explicit way to represent those cast operations. It might be worth to have a TODO.

vsavchenko marked 3 inline comments as done.May 4 2020, 2:19 PM
vsavchenko added inline comments.
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
77

I was even thinking about fixing it myself, this shouldn't be very hard, Also addition of lower_bound and upper_bound can really help implementing Includes for RangeSet.

450

Yeah ๐Ÿ˜† I spend quite some time thinking about a proper name for that one. It is used to be coarsen (yep, yuck!), but I don't really feel "cover" either. Mb something like "unify" will work? What do you think?

480

Those ranges that we inferred have nothing to do with upper operations. I mean, in theory, VisitBinaryOperator can take care of conversions, but I don't know how it can be done in the most generic way. In this particular situation, we really care that From and To don't change signs or something like that after conversion, but for other operators it might be not so important.

Answering the question of why we even need those, putting it simple - there is no other way, this is how APSInt works, couldn't do anything with values of different types (e.g. comparison).

I am totally on board with you on the inconvenience of the whole thing. Every implementer of the Visit* method should take care of conversions on their own. I would say that SValBuilder adding special symbolic values for this kind of casts, can be a solution.

ASDenysPetrov added inline comments.May 4 2020, 3:22 PM
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
77

Be aware as D77792 also implements such a method.

NoQ accepted this revision.May 5 2020, 6:03 AM

Math looks good to me :)

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
450

Well, this is basically a one-dimensional convex hull...

But i do think that something like fillGaps() would be easier to understand.

480

Yeah i think this is correct. This is exactly how our symbolic expressions aren't type-safe: expression of type T corresponds to result of operations during which operand symbols were promoted to T.

This revision is now accepted and ready to land.May 5 2020, 6:03 AM
vsavchenko added a child revision: D79434: [analyzer] Generalize bitwise AND rules for ranges.May 5 2020, 10:34 AM
vsavchenko added a parent revision: D79232: [analyzer] Refactor range inference for symbolic expressions.
vsavchenko updated this revision to Diff 262163.May 5 2020, 10:43 AM

Fix few things here and there

vsavchenko updated this revision to Diff 262171.May 5 2020, 10:50 AM

Fix clang-format issue

Harbormaster failed remote builds in B55823: Diff 262163!May 5 2020, 11:53 AM
Harbormaster completed remote builds in B55825: Diff 262171.May 5 2020, 12:26 PM
vsavchenko updated this revision to Diff 264602.May 18 2020, 6:23 AM

Fix a bug with double expressions withing integer expressions

vsavchenko updated this revision to Diff 264615.May 18 2020, 7:06 AM

Rebase

Harbormaster completed remote builds in B57058: Diff 264602.May 18 2020, 8:34 AM
Harbormaster completed remote builds in B57068: Diff 264615.
Closed by commit rG47c4b8bd6869: [analyzer] Generalize bitwise OR rules for ranges (authored by vsavchenko). ยท Explain WhyMay 28 2020, 9:16 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
16 lines
8 lines
lib/
StaticAnalyzer/
Core/
124 lines
test/
Analysis/
51 lines

Diff 266910

clang/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h

Show First 20 Lines โ€ข Show All 151 Lines โ€ข โ–ผ Show 20 Lines const llvm::APSInt &Convert(const llvm::APSInt& To,
if (TargetType == APSIntType(From)) if (TargetType == APSIntType(From))
return From; return From;
return getValue(TargetType.convert(From)); return getValue(TargetType.convert(From));
} }
const llvm::APSInt &Convert(QualType T, const llvm::APSInt &From) { const llvm::APSInt &Convert(QualType T, const llvm::APSInt &From) {
APSIntType TargetType = getAPSIntType(T); APSIntType TargetType = getAPSIntType(T);
return Convert(TargetType, From);
}
const llvm::APSInt &Convert(APSIntType TargetType, const llvm::APSInt &From) {
if (TargetType == APSIntType(From)) if (TargetType == APSIntType(From))
return From; return From;
return getValue(TargetType.convert(From)); return getValue(TargetType.convert(From));
} }
const llvm::APSInt &getIntValue(uint64_t X, bool isUnsigned) { const llvm::APSInt &getIntValue(uint64_t X, bool isUnsigned) {
QualType T = isUnsigned ? Ctx.UnsignedIntTy : Ctx.IntTy; QualType T = isUnsigned ? Ctx.UnsignedIntTy : Ctx.IntTy;
return getValue(X, T); return getValue(X, T);
} }
const llvm::APSInt &getMaxValue(const llvm::APSInt &v) { const llvm::APSInt &getMaxValue(const llvm::APSInt &v) {
return getValue(APSIntType(v).getMaxValue()); return getValue(APSIntType(v).getMaxValue());
} }
const llvm::APSInt &getMinValue(const llvm::APSInt &v) { const llvm::APSInt &getMinValue(const llvm::APSInt &v) {
return getValue(APSIntType(v).getMinValue()); return getValue(APSIntType(v).getMinValue());
} }
const llvm::APSInt &getMaxValue(QualType T) { const llvm::APSInt &getMaxValue(QualType T) {
return getValue(getAPSIntType(T).getMaxValue()); return getMaxValue(getAPSIntType(T));
} }
const llvm::APSInt &getMinValue(QualType T) { const llvm::APSInt &getMinValue(QualType T) {
return getValue(getAPSIntType(T).getMinValue()); return getMinValue(getAPSIntType(T));
}
const llvm::APSInt &getMaxValue(APSIntType T) {
return getValue(T.getMaxValue());
}
const llvm::APSInt &getMinValue(APSIntType T) {
return getValue(T.getMinValue());
} }
const llvm::APSInt &Add1(const llvm::APSInt &V) { const llvm::APSInt &Add1(const llvm::APSInt &V) {
llvm::APSInt X = V; llvm::APSInt X = V;
++X; ++X;
return getValue(X); return getValue(X);
} }
โ–ฒ Show 20 Lines โ€ข Show All 78 Lines โ€ข Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h

Show First 20 Lines โ€ข Show All 101 Lines โ€ข โ–ผ Show 20 Linespublic:
/// getConcreteValue - If a symbol is contrained to equal a specific integer /// getConcreteValue - If a symbol is contrained to equal a specific integer
/// constant then this method returns that value. Otherwise, it returns /// constant then this method returns that value. Otherwise, it returns
/// NULL. /// NULL.
const llvm::APSInt *getConcreteValue() const { const llvm::APSInt *getConcreteValue() const {
return ranges.isSingleton() ? ranges.begin()->getConcreteValue() : nullptr; return ranges.isSingleton() ? ranges.begin()->getConcreteValue() : nullptr;
} }
/// Get a minimal value covered by the ranges in the set
const llvm::APSInt &getMinValue() const;
/// Get a maximal value covered by the ranges in the set
const llvm::APSInt &getMaxValue() const;
private: private:
void IntersectInRange(BasicValueFactory &BV, Factory &F, void IntersectInRange(BasicValueFactory &BV, Factory &F,
const llvm::APSInt &Lower, const llvm::APSInt &Upper, const llvm::APSInt &Lower, const llvm::APSInt &Upper,
PrimRangeSet &newRanges, PrimRangeSet::iterator &i, PrimRangeSet &newRanges, PrimRangeSet::iterator &i,
PrimRangeSet::iterator &e) const; PrimRangeSet::iterator &e) const;
const llvm::APSInt &getMinValue() const;
bool pin(llvm::APSInt &Lower, llvm::APSInt &Upper) const; bool pin(llvm::APSInt &Lower, llvm::APSInt &Upper) const;
public: public:
RangeSet Intersect(BasicValueFactory &BV, Factory &F, llvm::APSInt Lower, RangeSet Intersect(BasicValueFactory &BV, Factory &F, llvm::APSInt Lower,
llvm::APSInt Upper) const; llvm::APSInt Upper) const;
RangeSet Intersect(BasicValueFactory &BV, Factory &F, RangeSet Intersect(BasicValueFactory &BV, Factory &F,
const RangeSet &Other) const; const RangeSet &Other) const;
RangeSet Negate(BasicValueFactory &BV, Factory &F) const; RangeSet Negate(BasicValueFactory &BV, Factory &F) const;
void print(raw_ostream &os) const; void print(raw_ostream &os) const;
bool operator==(const RangeSet &other) const { bool operator==(const RangeSet &other) const {
return ranges == other.ranges; return ranges == other.ranges;
} }
}; };
class ConstraintRange {}; class ConstraintRange {};
using ConstraintRangeTy = llvm::ImmutableMap<SymbolRef, RangeSet>; using ConstraintRangeTy = llvm::ImmutableMap<SymbolRef, RangeSet>;
template <> template <>
struct ProgramStateTrait<ConstraintRange> struct ProgramStateTrait<ConstraintRange>
: public ProgramStatePartialTrait<ConstraintRangeTy> { : public ProgramStatePartialTrait<ConstraintRangeTy> {
static void *GDMIndex(); static void *GDMIndex();
}; };
โ–ฒ Show 20 Lines โ€ข Show All 81 Lines โ€ข Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

Show First 20 Lines โ€ข Show All 63 Lines โ€ข โ–ผ Show 20 Lines if (i->Includes(Lower)) {
} else } else
newRanges = F.add(newRanges, *i); newRanges = F.add(newRanges, *i);
} }
} }
} }
const llvm::APSInt &RangeSet::getMinValue() const { const llvm::APSInt &RangeSet::getMinValue() const {
assert(!isEmpty()); assert(!isEmpty());
return ranges.begin()->From(); return begin()->From();
}
const llvm::APSInt &RangeSet::getMaxValue() const {
assert(!isEmpty());
// NOTE: It's a shame that we can't implement 'getMaxValue' without scanning
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Yeah, this is quite unfortunate. But you might end up calling this a lot for bitwise operations. I wonder if it is worth to solve this problem before commiting this patch. I do not insist though.

xazax.hun: Yeah, this is quite unfortunate. But you might end up calling this a lot for bitwise operations.
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

I was even thinking about fixing it myself, this shouldn't be very hard, Also addition of lower_bound and upper_bound can really help implementing Includes for RangeSet.

vsavchenko: I was even thinking about fixing it myself, this shouldn't be very hard, Also addition ofโ€ฆ
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions

Be aware as D77792 also implements such a method.

ASDenysPetrov: Be aware as D77792 also implements such a method.
// the whole tree to get to the last element.
// llvm::ImmutableSet should support decrement for 'end' iterators
// or reverse order iteration.
auto It = begin();
for (auto End = end(); std::next(It) != End; ++It) {
}
return It->To();
} }
bool RangeSet::pin(llvm::APSInt &Lower, llvm::APSInt &Upper) const { bool RangeSet::pin(llvm::APSInt &Lower, llvm::APSInt &Upper) const {
if (isEmpty()) { if (isEmpty()) {
// This range is already infeasible. // This range is already infeasible.
return false; return false;
} }
โ–ฒ Show 20 Lines โ€ข Show All 340 Lines โ€ข โ–ผ Show 20 Lines case BO_Or:
return VisitOrOperator(LHS, RHS, T); return VisitOrOperator(LHS, RHS, T);
case BO_And: case BO_And:
return VisitAndOperator(LHS, RHS, T); return VisitAndOperator(LHS, RHS, T);
default: default:
return infer(T); return infer(T);
} }
} }
//===----------------------------------------------------------------------===//
// Ranges and operators
//===----------------------------------------------------------------------===//
/// Return a rough approximation of the given range set.
///
/// For the range set:
/// { [x_0, y_0], [x_1, y_1], ... , [x_N, y_N] }
/// it will return the range [x_0, y_N].
static Range fillGaps(RangeSet Origin) {
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Is roughen part of a nomenclature? If not, what about something like cover?

xazax.hun: Is `roughen` part of a nomenclature? If not, what about something like `cover`?
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

Yeah ๐Ÿ˜† I spend quite some time thinking about a proper name for that one. It is used to be coarsen (yep, yuck!), but I don't really feel "cover" either. Mb something like "unify" will work? What do you think?

vsavchenko: Yeah ๐Ÿ˜† I spend quite some time thinking about a proper name for that one. It is used to beโ€ฆ
NoQUnsubmitted
Not Done
ReplyInline Actions

Well, this is basically a one-dimensional convex hull...

But i do think that something like fillGaps() would be easier to understand.

NoQ: Well, this is basically a one-dimensional //convex hull//... But i do think that somethingโ€ฆ
assert(!Origin.isEmpty());
return {Origin.getMinValue(), Origin.getMaxValue()};
}
/// Try to convert given range into the given type.
///
/// It will return llvm::None only when the trivial conversion is possible.
llvm::Optional<Range> convert(const Range &Origin, APSIntType To) {
if (To.testInRange(Origin.From(), false) != APSIntType::RTR_Within ||
To.testInRange(Origin.To(), false) != APSIntType::RTR_Within) {
return llvm::None;
}
return Range(ValueFactory.Convert(To, Origin.From()),
ValueFactory.Convert(To, Origin.To()));
}
RangeSet VisitOrOperator(RangeSet LHS, RangeSet RHS, QualType T) { RangeSet VisitOrOperator(RangeSet LHS, RangeSet RHS, QualType T) {
// TODO: generalize for the ranged RHS. // We should propagate information about unfeasbility of one of the
if (const llvm::APSInt *RHSConstant = RHS.getConcreteValue()) { // operands to the resulting range.
// For unsigned types, the output is greater-or-equal than RHS. if (LHS.isEmpty() || RHS.isEmpty()) {
if (T->isUnsignedIntegerType()) { return RangeFactory.getEmptySet();
return LHS.Intersect(ValueFactory, RangeFactory, *RHSConstant,
ValueFactory.getMaxValue(T));
} }
// Bitwise-or with a non-zero constant is always non-zero. APSIntType ResultType = ValueFactory.getAPSIntType(T);
const llvm::APSInt &Zero = ValueFactory.getAPSIntType(T).getZeroValue(); RangeSet DefaultRange = infer(T);
if (*RHSConstant != Zero) {
return assumeNonZero(LHS, T); Range CoarseLHS = fillGaps(LHS);
Range CoarseRHS = fillGaps(RHS);
// We need to convert ranges to the resulting type, so we can compare values
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Why do we need this conversion?
Do we want to model a cast in the code somewhere?
If so, I think this is more like a workaround and in the future we would need an explicit way to represent those cast operations. It might be worth to have a TODO.

xazax.hun: Why do we need this conversion? Do we want to model a cast in the code somewhere? If so, Iโ€ฆ
vsavchenkoAuthorUnsubmitted
Done
ReplyInline Actions

Those ranges that we inferred have nothing to do with upper operations. I mean, in theory, VisitBinaryOperator can take care of conversions, but I don't know how it can be done in the most generic way. In this particular situation, we really care that From and To don't change signs or something like that after conversion, but for other operators it might be not so important.

Answering the question of why we even need those, putting it simple - there is no other way, this is how APSInt works, couldn't do anything with values of different types (e.g. comparison).

I am totally on board with you on the inconvenience of the whole thing. Every implementer of the Visit* method should take care of conversions on their own. I would say that SValBuilder adding special symbolic values for this kind of casts, can be a solution.

vsavchenko: Those ranges that we inferred have nothing to do with upper operations. I mean, in theoryโ€ฆ
NoQUnsubmitted
Not Done
ReplyInline Actions

Yeah i think this is correct. This is exactly how our symbolic expressions aren't type-safe: expression of type T corresponds to result of operations during which operand symbols were promoted to T.

NoQ: Yeah i think this is correct. This is exactly how our symbolic expressions aren't type-safeโ€ฆ
// and combine them in a meaningful (in terms of the given operation) way.
auto ConvertedCoarseLHS = convert(CoarseLHS, ResultType);
auto ConvertedCoarseRHS = convert(CoarseRHS, ResultType);
// It is hard to reason about ranges when conversion changes
// borders of the ranges.
if (!ConvertedCoarseLHS || !ConvertedCoarseRHS) {
return DefaultRange;
} }
llvm::APSInt Zero = ResultType.getZeroValue();
bool IsLHSPositiveOrZero = ConvertedCoarseLHS->From() >= Zero;
bool IsRHSPositiveOrZero = ConvertedCoarseRHS->From() >= Zero;
bool IsLHSNegative = ConvertedCoarseLHS->To() < Zero;
bool IsRHSNegative = ConvertedCoarseRHS->To() < Zero;
// Check if both ranges have the same sign.
if ((IsLHSPositiveOrZero && IsRHSPositiveOrZero) ||
(IsLHSNegative && IsRHSNegative)) {
// The result is definitely greater or equal than any of the operands.
const llvm::APSInt &Min =
std::max(ConvertedCoarseLHS->From(), ConvertedCoarseRHS->From());
// We estimate maximal value for positives as the maximal value for the
// given type. For negatives, we estimate it with -1 (e.g. 0x11111111).
//
// TODO: We basically, limit the resulting range from below (in absolute
// numbers), but don't do anything with the upper bound.
// For positive operands, it can be done as follows: for the upper
// bound of LHS and RHS we calculate the most significant bit set.
// Let's call it the N-th bit. Then we can estimate the maximal
// number to be 2^(N+1)-1, i.e. the number with all the bits up to
// the N-th bit set.
const llvm::APSInt &Max = IsLHSNegative
? ValueFactory.getValue(--Zero)
: ValueFactory.getMaxValue(ResultType);
return {RangeFactory, ValueFactory.getValue(Min), Max};
}
// Otherwise, let's check if at least one of the operands is negative.
if (IsLHSNegative || IsRHSNegative) {
// This means that the result is definitely negative as well.
return {RangeFactory, ValueFactory.getMinValue(ResultType),
ValueFactory.getValue(--Zero)};
}
// It is pretty hard to reason about operands with different signs
// (and especially with possibly different signs). We simply check if it
// can be zero. In order to conclude that the result could not be zero,
// at least one of the operands should be definitely not zero itself.
if (!ConvertedCoarseLHS->Includes(Zero) ||
!ConvertedCoarseRHS->Includes(Zero)) {
return assumeNonZero(DefaultRange, T);
} }
return infer(T);
// Nothing much else to do here.
return DefaultRange;
} }
RangeSet VisitAndOperator(RangeSet LHS, RangeSet RHS, QualType T) { RangeSet VisitAndOperator(RangeSet LHS, RangeSet RHS, QualType T) {
// TODO: generalize for the ranged RHS. // TODO: generalize for the ranged RHS.
if (const llvm::APSInt *RHSConstant = RHS.getConcreteValue()) { if (const llvm::APSInt *RHSConstant = RHS.getConcreteValue()) {
const llvm::APSInt &Zero = ValueFactory.getAPSIntType(T).getZeroValue(); const llvm::APSInt &Zero = ValueFactory.getAPSIntType(T).getZeroValue();
// For unsigned types, or positive RHS, // For unsigned types, or positive RHS,
โ–ฒ Show 20 Lines โ€ข Show All 514 Lines โ€ข Show Last 20 Lines

clang/test/Analysis/constant-folding.c

Show First 20 Lines โ€ข Show All 71 Lines โ€ข โ–ผ Show 20 Linesvoid testMixedTypeComparisons (char a, unsigned long b) {
if (a != 0) return; if (a != 0) return;
if (b != 0x100) return; if (b != 0x100) return;
clang_analyzer_eval(a <= b); // expected-warning{{TRUE}} clang_analyzer_eval(a <= b); // expected-warning{{TRUE}}
clang_analyzer_eval(b >= a); // expected-warning{{TRUE}} clang_analyzer_eval(b >= a); // expected-warning{{TRUE}}
clang_analyzer_eval(a != b); // expected-warning{{TRUE}} clang_analyzer_eval(a != b); // expected-warning{{TRUE}}
} }
void testBitwiseRules(unsigned int a, int b) { void testBitwiseRules(unsigned int a, int b, int c) {
clang_analyzer_eval((a | 1) >= 1); // expected-warning{{TRUE}} clang_analyzer_eval((a | 1) >= 1); // expected-warning{{TRUE}}
clang_analyzer_eval((a | -1) >= -1); // expected-warning{{TRUE}} clang_analyzer_eval((a | -1) >= -1); // expected-warning{{TRUE}}
clang_analyzer_eval((a | 2) >= 2); // expected-warning{{TRUE}} clang_analyzer_eval((a | 2) >= 2); // expected-warning{{TRUE}}
clang_analyzer_eval((a | 5) >= 5); // expected-warning{{TRUE}} clang_analyzer_eval((a | 5) >= 5); // expected-warning{{TRUE}}
clang_analyzer_eval((a | 10) >= 10); // expected-warning{{TRUE}} clang_analyzer_eval((a | 10) >= 10); // expected-warning{{TRUE}}
// Argument order should not influence this // Argument order should not influence this
clang_analyzer_eval((1 | a) >= 1); // expected-warning{{TRUE}} clang_analyzer_eval((1 | a) >= 1); // expected-warning{{TRUE}}
clang_analyzer_eval((a & 1) <= 1); // expected-warning{{TRUE}} clang_analyzer_eval((a & 1) <= 1); // expected-warning{{TRUE}}
clang_analyzer_eval((a & 2) <= 2); // expected-warning{{TRUE}} clang_analyzer_eval((a & 2) <= 2); // expected-warning{{TRUE}}
clang_analyzer_eval((a & 5) <= 5); // expected-warning{{TRUE}} clang_analyzer_eval((a & 5) <= 5); // expected-warning{{TRUE}}
clang_analyzer_eval((a & 10) <= 10); // expected-warning{{TRUE}} clang_analyzer_eval((a & 10) <= 10); // expected-warning{{TRUE}}
clang_analyzer_eval((a & -10) <= 10); // expected-warning{{UNKNOWN}} clang_analyzer_eval((a & -10) <= 10); // expected-warning{{UNKNOWN}}
// Again, check for different argument order. // Again, check for different argument order.
clang_analyzer_eval((1 & a) <= 1); // expected-warning{{TRUE}} clang_analyzer_eval((1 & a) <= 1); // expected-warning{{TRUE}}
unsigned int c = a; unsigned int d = a;
c |= 1; d |= 1;
clang_analyzer_eval((c | 0) == 0); // expected-warning{{FALSE}} clang_analyzer_eval((d | 0) == 0); // expected-warning{{FALSE}}
// Rules don't apply to signed typed, as the values might be negative. // Rules don't apply to signed typed, as the values might be negative.
clang_analyzer_eval((b | 1) > 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval((b | 1) > 0); // expected-warning{{UNKNOWN}}
// Even for signed values, bitwise OR with a non-zero is always non-zero. // Even for signed values, bitwise OR with a non-zero is always non-zero.
clang_analyzer_eval((b | 1) == 0); // expected-warning{{FALSE}} clang_analyzer_eval((b | 1) == 0); // expected-warning{{FALSE}}
clang_analyzer_eval((b | -2) == 0); // expected-warning{{FALSE}} clang_analyzer_eval((b | -2) == 0); // expected-warning{{FALSE}}
clang_analyzer_eval((b | 10) == 0); // expected-warning{{FALSE}} clang_analyzer_eval((b | 10) == 0); // expected-warning{{FALSE}}
clang_analyzer_eval((b | 0) == 0); // expected-warning{{UNKNOWN}} clang_analyzer_eval((b | 0) == 0); // expected-warning{{UNKNOWN}}
#ifdef ANALYZER_CM_Z3
clang_analyzer_eval((b | -2) >= 0); // expected-warning{{FALSE}} clang_analyzer_eval((b | -2) >= 0); // expected-warning{{FALSE}}
#else
clang_analyzer_eval((b | -2) >= 0); // expected-warning{{UNKNOWN}} // Check that we can operate with negative ranges
#endif if (b < 0) {
clang_analyzer_eval((b | -1) == -1); // expected-warning{{TRUE}}
clang_analyzer_eval((b | -10) >= -10); // expected-warning{{TRUE}}
int e = (b | -5);
clang_analyzer_eval(e >= -5 && e <= -1); // expected-warning{{TRUE}}
if (b < -20) {
clang_analyzer_eval((b | e) >= -5); // expected-warning{{TRUE}}
}
// Check that we can reason about the result even if know nothing
// about one of the operands.
clang_analyzer_eval((b | c) != 0); // expected-warning{{TRUE}}
}
if (a <= 30 && b >= 10 && c >= 20) {
// Check that we can reason about non-constant operands.
clang_analyzer_eval((b | c) >= 20); // expected-warning{{TRUE}}
// Check that we can reason about the resulting range even if
// the types are not the same, but we still can convert operand
// ranges.
clang_analyzer_eval((a | b) >= 10); // expected-warning{{TRUE}}
}
// Check that dynamically computed constants also work. // Check that dynamically computed constants also work.
unsigned int constant = 1 << 3; unsigned int constant = 1 << 3;
unsigned int d = a | constant; unsigned int f = a | constant;
clang_analyzer_eval(d >= constant); // expected-warning{{TRUE}} clang_analyzer_eval(f >= constant); // expected-warning{{TRUE}}
// Check that nested expressions also work. // Check that nested expressions also work.
clang_analyzer_eval(((a | 10) | 5) >= 10); // expected-warning{{TRUE}} clang_analyzer_eval(((a | 10) | 5) >= 10); // expected-warning{{TRUE}}
if (a < 10) {
clang_analyzer_eval((a | 20) >= 20); // expected-warning{{TRUE}}
}
// TODO: We misuse intersection of ranges for bitwise AND and OR operators. // TODO: We misuse intersection of ranges for bitwise AND and OR operators.
// Resulting ranges for the following cases are infeasible. // Resulting ranges for the following cases are infeasible.
// This is what causes paradoxical results below. // This is what causes paradoxical results below.
if (a > 10) { if (a > 10) {
clang_analyzer_eval((a & 1) <= 1); // expected-warning{{FALSE}} clang_analyzer_eval((a & 1) <= 1); // expected-warning{{FALSE}}
clang_analyzer_eval((a & 1) > 1); // expected-warning{{FALSE}} clang_analyzer_eval((a & 1) > 1); // expected-warning{{FALSE}}
} }
if (a < 10) {
clang_analyzer_eval((a | 20) >= 20); // expected-warning{{FALSE}}
clang_analyzer_eval((a | 20) < 20); // expected-warning{{FALSE}}
}
} }