diff --git a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp --- a/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp +++ b/clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp @@ -1102,7 +1102,6 @@ if (SymbolRef Sym = V.getAsSymbol()) return state->getConstraintManager().getSymVal(state, Sym); - // FIXME: Add support for SymExprs. return nullptr; } @@ -1134,6 +1133,24 @@ return cache(Sym, SVB.makeSymbolVal(Sym)); } + // Return the known const value for the Sym if available, or return Unknown + // otherwise. + SVal getConst(SymbolRef Sym) { + const llvm::APSInt *Const = + State->getConstraintManager().getSymVal(State, Sym); + if (Const) + return Loc::isLocType(Sym->getType()) ? (SVal)SVB.makeIntLocVal(*Const) + : (SVal)SVB.makeIntVal(*Const); + return SVal(); + } + + SVal getConstOrVisit(SymbolRef Sym) { + SVal Ret = getConst(Sym); + if (Ret.isUndef()) + Ret = Visit(Sym); + return Ret; + } + public: Simplifier(ProgramStateRef State) : State(State), SVB(State->getStateManager().getSValBuilder()) {} @@ -1147,15 +1164,14 @@ return SVB.makeSymbolVal(S); } - // TODO: Support SymbolCast. Support IntSymExpr when/if we actually - // start producing them. + // TODO: Support SymbolCast. SVal VisitSymIntExpr(const SymIntExpr *S) { auto I = Cached.find(S); if (I != Cached.end()) return I->second; - SVal LHS = Visit(S->getLHS()); + SVal LHS = getConstOrVisit(S->getLHS()); if (isUnchanged(S->getLHS(), LHS)) return skip(S); @@ -1187,9 +1203,10 @@ if (I != Cached.end()) return I->second; - SVal RHS = Visit(S->getRHS()); + SVal RHS = getConstOrVisit(S->getRHS()); if (isUnchanged(S->getRHS(), RHS)) return skip(S); + SVal LHS = SVB.makeIntVal(S->getLHS()); return cache( S, SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType())); @@ -1208,8 +1225,9 @@ Loc::isLocType(S->getRHS()->getType())) return skip(S); - SVal LHS = Visit(S->getLHS()); - SVal RHS = Visit(S->getRHS()); + SVal LHS = getConstOrVisit(S->getLHS()); + SVal RHS = getConstOrVisit(S->getRHS()); + if (isUnchanged(S->getLHS(), LHS) && isUnchanged(S->getRHS(), RHS)) return skip(S); diff --git a/clang/test/Analysis/svalbuilder-simplify-compound-svals.cpp b/clang/test/Analysis/svalbuilder-simplify-compound-svals.cpp new file mode 100644 --- /dev/null +++ b/clang/test/Analysis/svalbuilder-simplify-compound-svals.cpp @@ -0,0 +1,69 @@ +// RUN: %clang_analyze_cc1 %s \ +// RUN: -analyzer-checker=core \ +// RUN: -analyzer-checker=debug.ExprInspection \ +// RUN: -analyzer-config eagerly-assume=false \ +// RUN: -verify + +// Here we test whether the SValBuilder is capable to simplify existing +// compound SVals (where there are at leaset 3 symbols in the tree) based on +// newly added constraints. + +void clang_analyzer_eval(bool); +void clang_analyzer_warnIfReached(); + +int test_left_tree_constrained(int x, int y, int z) { + if (x + y + z != 0) + return 0; + if (x + y != 0) + return 0; + clang_analyzer_eval(x + y + z == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(x + y == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(z == 0); // expected-warning{{TRUE}} + x = y = z = 1; + return 0; +} + +int test_right_tree_constrained(int x, int y, int z) { + if (x + y * z != 0) + return 0; + if (y * z != 0) + return 0; + clang_analyzer_eval(x + y * z == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(y * z == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(x == 0); // expected-warning{{TRUE}} + return 0; +} + +int test_left_tree_constrained_minus(int x, int y, int z) { + if (x - y - z != 0) + return 0; + if (x - y != 0) + return 0; + clang_analyzer_eval(x - y - z == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(x - y == 0); // expected-warning{{TRUE}} + clang_analyzer_eval(z == 0); // expected-warning{{TRUE}} + x = y = z = 1; + return 0; +} + +void test_SymInt_constrained(int x, int y, int z) { + if (x * y * z != 4) + return; + if (z != 2) + return; + if (x * y == 3) { + clang_analyzer_warnIfReached(); // no-warning + return; + } + (void)(x * y * z); +} + +void test_SValBuilder_simplifies_IntSym(int x, int y, int z) { + // Most IntSym BinOps are transformed to SymInt in SimpleSValBuilder. + // Division is one exception. + x = 77 / (y + z); + if (y + z != 1) + return; + clang_analyzer_eval(x == 77); // expected-warning{{TRUE}} + (void)(x * y * z); +} diff --git a/clang/test/Analysis/taint-tester.c b/clang/test/Analysis/taint-tester.c --- a/clang/test/Analysis/taint-tester.c +++ b/clang/test/Analysis/taint-tester.c @@ -59,7 +59,7 @@ int tty = xy.y; // expected-warning + {{tainted}} } -void BitwiseOp(int in, char inn) { +void BitwiseOp(int in, char inn, int zz) { // Taint on bitwise operations, integer to integer cast. int m; int x = 0; @@ -67,11 +67,12 @@ int y = (in << (x << in)) * 5;// expected-warning + {{tainted}} // The next line tests integer to integer cast. int z = y & inn; // expected-warning + {{tainted}} - if (y == 5) // expected-warning + {{tainted}} + if (y == zz) { // expected-warning + {{tainted}} m = z | z;// expected-warning + {{tainted}} + } else m = inn; - int mm = m; // expected-warning + {{tainted}} + int mm = m; // expected-warning 1 {{tainted}} } // Test getenv.