This is an archive of the discontinued LLVM Phabricator instance.

Differential D104844

[Analyzer][solver] Fix crashes during symbol simplification
ClosedPublic

Authored by martong on Jun 24 2021, 3:06 AM.

Details

Reviewers
vsavchenko
steakhal
Szelethus
NoQ
Commits
rG0646e3625499: [Analyzer][solver] Fix crashes during symbol simplification
Summary

Consider the code

void f(int a0, int b0, int c)
{
    int a1 = a0 - b0;
    int b1 = (unsigned)a1 + c;
    if (c == 0) {
        int d = 7L / b1;
    }
}

At the point of divisiion by b1 that is considered to be non-zero,
which results in a new constraint for $a0 - $b0 + $c. The type
of this sym is unsigned, however, the simplified sym is `$a0 -
$b0` and its type is signed. This is probably the result of the
inherent improper handling of casts. Anyway, Range assignment
for constraints use this type information. Therefore, we must
make sure that first we simplify the symbol and only then we
assign the range.

Diff Detail

Event Timeline

martong created this revision.Jun 24 2021, 3:06 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJun 24 2021, 3:06 AM
Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 10 others. · View Herald Transcript
martong requested review of this revision.Jun 24 2021, 3:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 24 2021, 3:06 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added a parent revision: D103314: [Analyzer][solver] Simplify existing constraints when a new constraint is added.Jun 24 2021, 3:07 AM
martong mentioned this in D103314: [Analyzer][solver] Simplify existing constraints when a new constraint is added.
martong added a reviewer: NoQ.Jun 24 2021, 3:10 AM
Harbormaster completed remote builds in B110783: Diff 354186.Jun 24 2021, 3:44 AM
vsavchenko added inline comments.Jun 24 2021, 4:04 AM
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
2282–2283

I don't like the idea of duplicating it into every assume method. This way we drastically increase our chances to forget it (like you did with assumeSymGE and assumeSymLE).
I think the better place for it is in RangedConstraintManager::assumeSymRel and neighboring methods, though still not perfect.
I don't really get why we get not simplified symbol to begin with.

martong added inline comments.Jun 24 2021, 7:59 AM
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
2282–2283

assumeSymRel is not enough, because e.g. assumeSymGE is called also e.g. from assumeSymUnsupported. Perhaps we could change the signature of assumeSymEQ/NE/GT/GE/LT/LE to take an auxiliary Simplifier wrapper object instead of SymbolRef?

ProgramStateRef assumeSymNE(ProgramStateRef State, Simplifier S,
                                    const llvm::APSInt &V,
                                    const llvm::APSInt &Adjustment);

And for the Simplifier something like:

struct Simplifier {
  SymbolRef SimplifiedSym = nullptr;
  Simplifier(SymbolRef Sym) : SimplifiedSym(simplify(Sym)) {}
  
};
martong added a comment.Jun 24 2021, 8:03 AM

I don't really get why we get not simplified symbol to begin with.

This is because of the Environment bindings. I.e. b1 is bound to $a0 - $b0 + $c when we evaluate int b1 = (unsigned)a1 + c;. This binding is not changed/updated, so when we evaluate the division then we query the DeclRefExpr for b1 from the Environment and that gives still $a0 - $b0 + $c. We either do the simplification in the ConstraintManager (as we do now with this and the parent patch) or perhaps we could try to simplify the Environment bindings as an alternative solution.

vsavchenko added a comment.Jun 24 2021, 8:21 AM
In D104844#2838674, @martong wrote:

I don't really get why we get not simplified symbol to begin with.

This is because of the Environment bindings. I.e. b1 is bound to $a0 - $b0 + $c when we evaluate int b1 = (unsigned)a1 + c;. This binding is not changed/updated, so when we evaluate the division then we query the DeclRefExpr for b1 from the Environment and that gives still $a0 - $b0 + $c. We either do the simplification in the ConstraintManager (as we do now with this and the parent patch) or perhaps we could try to simplify the Environment bindings as an alternative solution.

Yeah, I remember now, thanks!

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
2282–2283

assumeSymRel is not enough, because e.g. assumeSymGE is called also e.g. from assumeSymUnsupported.

Yep, that's why I suggested assumeSymRel and its neighbors. I actually think that three top-level public methods from RangedConstraintManager will do: assumeSym, assumeSymInclusiveRange, and assumeSymUnsupported.

We can't really change the signatures of those methods because we'll be introducing this functionality into solvers that didn't sign up for this (and don't need it).

Also we can least put this if statement inside of simplify, so we can use it like this: Sym = simplify(St, Sym);.

martong updated this revision to Diff 354274.Jun 24 2021, 9:01 AM
  • Use simplify from RangedConstraintManager
martong marked 2 inline comments as done.Jun 24 2021, 9:01 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
2282–2283

Okay, I've updated like so.

vsavchenko added a comment.Jun 24 2021, 9:04 AM

Awesome, thanks for swiftly addressing it!

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
1956

Oof, and there is no way to avoid all these namespaces?

vsavchenko accepted this revision.Jun 24 2021, 9:05 AM
This revision is now accepted and ready to land.Jun 24 2021, 9:05 AM
Harbormaster completed remote builds in B110847: Diff 354274.Jun 24 2021, 9:42 AM
martong marked 2 inline comments as done.Jun 25 2021, 2:48 AM

Valeriy, thanks for the assiduous and quick review!

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
1956

Unfortunately, the candidate function would be the member simplify in that case. Though, we can get rid of the ::clang prefix.

Closed by commit rG0646e3625499: [Analyzer][solver] Fix crashes during symbol simplification (authored by martong). · Explain WhyJun 25 2021, 2:50 AM
This revision was automatically updated to reflect the committed changes.
martong marked an inline comment as done.
martong added a commit: rG0646e3625499: [Analyzer][solver] Fix crashes during symbol simplification.
vsavchenko added inline comments.Jun 25 2021, 2:56 AM
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
1956

OK, at least ento::!

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
5 lines
lib/
StaticAnalyzer/
Core/
12 lines
21 lines
test/
Analysis/
26 lines
29 lines

Diff 354455

clang/include/clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h

Show First 20 LinesShow All 378 Lines▼ Show 20 Linesprotected:
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
// Internal implementation. // Internal implementation.
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
private: private:
static void computeAdjustment(SymbolRef &Sym, llvm::APSInt &Adjustment); static void computeAdjustment(SymbolRef &Sym, llvm::APSInt &Adjustment);
}; };
/// Try to simplify a given symbolic expression's associated value based on the
/// constraints in State. This is needed because the Environment bindings are
/// not getting updated when a new constraint is added to the State.
SymbolRef simplify(ProgramStateRef State, SymbolRef Sym);
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
REGISTER_FACTORY_WITH_PROGRAMSTATE(ConstraintMap) REGISTER_FACTORY_WITH_PROGRAMSTATE(ConstraintMap)
#endif #endif

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

Show First 20 LinesShow All 1,378 Lines▼ Show 20 LinesRangeSet SymbolicRangeInferrer::VisitBinaryOperator<BO_Rem>(Range LHS,
// for any sign of either LHS, or RHS. // for any sign of either LHS, or RHS.
return {RangeFactory, ValueFactory.getValue(Min), ValueFactory.getValue(Max)}; return {RangeFactory, ValueFactory.getValue(Min), ValueFactory.getValue(Max)};
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Constraint manager implementation details // Constraint manager implementation details
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static SymbolRef simplify(ProgramStateRef State, SymbolRef Sym) {
SValBuilder &SVB = State->getStateManager().getSValBuilder();
SVal SimplifiedVal = SVB.simplifySVal(State, SVB.makeSymbolVal(Sym));
return SimplifiedVal.getAsSymbol();
}
class RangeConstraintManager : public RangedConstraintManager { class RangeConstraintManager : public RangedConstraintManager {
public: public:
RangeConstraintManager(ExprEngine *EE, SValBuilder &SVB) RangeConstraintManager(ExprEngine *EE, SValBuilder &SVB)
: RangedConstraintManager(EE, SVB), F(getBasicVals()) {} : RangedConstraintManager(EE, SVB), F(getBasicVals()) {}
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
// Implementation for interface from ConstraintManager. // Implementation for interface from ConstraintManager.
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
▲ Show 20 LinesShow All 97 Lines▼ Show 20 Linesprivate:
template <bool EQ> template <bool EQ>
ProgramStateRef track(RangeSet NewConstraint, ProgramStateRef State, ProgramStateRef track(RangeSet NewConstraint, ProgramStateRef State,
SymbolRef Sym, const llvm::APSInt &Int, SymbolRef Sym, const llvm::APSInt &Int,
const llvm::APSInt &Adjustment) { const llvm::APSInt &Adjustment) {
if (NewConstraint.isEmpty()) if (NewConstraint.isEmpty())
// This is an infeasible assumption. // This is an infeasible assumption.
return nullptr; return nullptr;
if (SymbolRef SimplifiedSym = simplify(State, Sym))
Sym = SimplifiedSym;
if (ProgramStateRef NewState = setConstraint(State, Sym, NewConstraint)) { if (ProgramStateRef NewState = setConstraint(State, Sym, NewConstraint)) {
if (auto Equality = EqualityInfo::extract(Sym, Int, Adjustment)) { if (auto Equality = EqualityInfo::extract(Sym, Int, Adjustment)) {
// If the original assumption is not Sym + Adjustment !=/</> Int, // If the original assumption is not Sym + Adjustment !=/</> Int,
// we should invert IsEquality flag. // we should invert IsEquality flag.
Equality->IsEquality = Equality->IsEquality != EQ; Equality->IsEquality = Equality->IsEquality != EQ;
return track(NewState, *Equality); return track(NewState, *Equality);
} }
▲ Show 20 LinesShow All 440 Lines▼ Show 20 Lines
// simplified then we check if we can merge the simplified symbol's equivalence // simplified then we check if we can merge the simplified symbol's equivalence
// class to this class. This way, we simplify not just the symbols but the // class to this class. This way, we simplify not just the symbols but the
// classes as well: we strive to keep the number of the classes to be the // classes as well: we strive to keep the number of the classes to be the
// absolute minimum. // absolute minimum.
LLVM_NODISCARD ProgramStateRef EquivalenceClass::simplify( LLVM_NODISCARD ProgramStateRef EquivalenceClass::simplify(
SValBuilder &SVB, RangeSet::Factory &F, ProgramStateRef State) { SValBuilder &SVB, RangeSet::Factory &F, ProgramStateRef State) {
SymbolSet ClassMembers = getClassMembers(State); SymbolSet ClassMembers = getClassMembers(State);
for (const SymbolRef &MemberSym : ClassMembers) { for (const SymbolRef &MemberSym : ClassMembers) {
SymbolRef SimplifiedMemberSym = ::simplify(State, MemberSym); SymbolRef SimplifiedMemberSym = ento::simplify(State, MemberSym);
vsavchenkoUnsubmitted
Done
ReplyInline Actions

Oof, and there is no way to avoid all these namespaces?

vsavchenko: Oof, and there is no way to avoid all these namespaces?
martongAuthorUnsubmitted
Done
ReplyInline Actions

Unfortunately, the candidate function would be the member simplify in that case. Though, we can get rid of the ::clang prefix.

martong: Unfortunately, the candidate function would be the member `simplify` in that case. Though, we…
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

OK, at least ento::!

vsavchenko: OK, at least `ento::`!
if (SimplifiedMemberSym && MemberSym != SimplifiedMemberSym) { if (SimplifiedMemberSym && MemberSym != SimplifiedMemberSym) {
EquivalenceClass ClassOfSimplifiedSym = EquivalenceClass ClassOfSimplifiedSym =
EquivalenceClass::find(State, SimplifiedMemberSym); EquivalenceClass::find(State, SimplifiedMemberSym);
// The simplified symbol should be the member of the original Class, // The simplified symbol should be the member of the original Class,
// however, it might be in another existing class at the moment. We // however, it might be in another existing class at the moment. We
// have to merge these classes. // have to merge these classes.
State = merge(SVB.getBasicValueFactory(), F, State, ClassOfSimplifiedSym); State = merge(SVB.getBasicValueFactory(), F, State, ClassOfSimplifiedSym);
if (!State) if (!State)
▲ Show 20 LinesShow All 309 Lines▼ Show 20 LinesRangeConstraintManager::assumeSymNE(ProgramStateRef St, SymbolRef Sym,
const llvm::APSInt &Int, const llvm::APSInt &Int,
const llvm::APSInt &Adjustment) { const llvm::APSInt &Adjustment) {
// Before we do any real work, see if the value can even show up. // Before we do any real work, see if the value can even show up.
APSIntType AdjustmentType(Adjustment); APSIntType AdjustmentType(Adjustment);
if (AdjustmentType.testInRange(Int, true) != APSIntType::RTR_Within) if (AdjustmentType.testInRange(Int, true) != APSIntType::RTR_Within)
return St; return St;
llvm::APSInt Point = AdjustmentType.convert(Int) - Adjustment; llvm::APSInt Point = AdjustmentType.convert(Int) - Adjustment;
RangeSet New = getRange(St, Sym); RangeSet New = getRange(St, Sym);
New = F.deletePoint(New, Point); New = F.deletePoint(New, Point);
vsavchenkoUnsubmitted
Done
ReplyInline Actions

I don't like the idea of duplicating it into every assume method. This way we drastically increase our chances to forget it (like you did with assumeSymGE and assumeSymLE).
I think the better place for it is in RangedConstraintManager::assumeSymRel and neighboring methods, though still not perfect.
I don't really get why we get not simplified symbol to begin with.

vsavchenko: I don't like the idea of duplicating it into every `assume` method. This way we drastically…
martongAuthorUnsubmitted
Done
ReplyInline Actions

assumeSymRel is not enough, because e.g. assumeSymGE is called also e.g. from assumeSymUnsupported. Perhaps we could change the signature of assumeSymEQ/NE/GT/GE/LT/LE to take an auxiliary Simplifier wrapper object instead of SymbolRef?

ProgramStateRef assumeSymNE(ProgramStateRef State, Simplifier S,
                                    const llvm::APSInt &V,
                                    const llvm::APSInt &Adjustment);

And for the Simplifier something like:

struct Simplifier {
  SymbolRef SimplifiedSym = nullptr;
  Simplifier(SymbolRef Sym) : SimplifiedSym(simplify(Sym)) {}
  
};
martong: `assumeSymRel` is not enough, because e.g. `assumeSymGE` is called also e.g. from…
vsavchenkoUnsubmitted
Done
ReplyInline Actions

assumeSymRel is not enough, because e.g. assumeSymGE is called also e.g. from assumeSymUnsupported.

Yep, that's why I suggested assumeSymRel and its neighbors. I actually think that three top-level public methods from RangedConstraintManager will do: assumeSym, assumeSymInclusiveRange, and assumeSymUnsupported.

We can't really change the signatures of those methods because we'll be introducing this functionality into solvers that didn't sign up for this (and don't need it).

Also we can least put this if statement inside of simplify, so we can use it like this: Sym = simplify(St, Sym);.

vsavchenko: > assumeSymRel is not enough, because e.g. assumeSymGE is called also e.g. from…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Okay, I've updated like so.

martong: Okay, I've updated like so.
return trackNE(New, St, Sym, Int, Adjustment); return trackNE(New, St, Sym, Int, Adjustment);
} }
ProgramStateRef ProgramStateRef
RangeConstraintManager::assumeSymEQ(ProgramStateRef St, SymbolRef Sym, RangeConstraintManager::assumeSymEQ(ProgramStateRef St, SymbolRef Sym,
const llvm::APSInt &Int, const llvm::APSInt &Int,
const llvm::APSInt &Adjustment) { const llvm::APSInt &Adjustment) {
▲ Show 20 LinesShow All 227 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp

Show All 17 Lines
namespace ento { namespace ento {
RangedConstraintManager::~RangedConstraintManager() {} RangedConstraintManager::~RangedConstraintManager() {}
ProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State, ProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State,
SymbolRef Sym, SymbolRef Sym,
bool Assumption) { bool Assumption) {
Sym = simplify(State, Sym);
// Handle SymbolData. // Handle SymbolData.
if (isa<SymbolData>(Sym)) { if (isa<SymbolData>(Sym))
return assumeSymUnsupported(State, Sym, Assumption); return assumeSymUnsupported(State, Sym, Assumption);
// Handle symbolic expression. // Handle symbolic expression.
} else if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(Sym)) { if (const SymIntExpr *SIE = dyn_cast<SymIntExpr>(Sym)) {
// We can only simplify expressions whose RHS is an integer. // We can only simplify expressions whose RHS is an integer.
BinaryOperator::Opcode op = SIE->getOpcode(); BinaryOperator::Opcode op = SIE->getOpcode();
if (BinaryOperator::isComparisonOp(op) && op != BO_Cmp) { if (BinaryOperator::isComparisonOp(op) && op != BO_Cmp) {
if (!Assumption) if (!Assumption)
op = BinaryOperator::negateComparisonOp(op); op = BinaryOperator::negateComparisonOp(op);
return assumeSymRel(State, SIE->getLHS(), op, SIE->getRHS()); return assumeSymRel(State, SIE->getLHS(), op, SIE->getRHS());
▲ Show 20 LinesShow All 48 Lines▼ Show 20 LinesProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State,
// If we get here, there's nothing else we can do but treat the symbol as // If we get here, there's nothing else we can do but treat the symbol as
// opaque. // opaque.
return assumeSymUnsupported(State, Sym, Assumption); return assumeSymUnsupported(State, Sym, Assumption);
} }
ProgramStateRef RangedConstraintManager::assumeSymInclusiveRange( ProgramStateRef RangedConstraintManager::assumeSymInclusiveRange(
ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From, ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From,
const llvm::APSInt &To, bool InRange) { const llvm::APSInt &To, bool InRange) {
Sym = simplify(State, Sym);
// Get the type used for calculating wraparound. // Get the type used for calculating wraparound.
BasicValueFactory &BVF = getBasicVals(); BasicValueFactory &BVF = getBasicVals();
APSIntType WraparoundType = BVF.getAPSIntType(Sym->getType()); APSIntType WraparoundType = BVF.getAPSIntType(Sym->getType());
llvm::APSInt Adjustment = WraparoundType.getZeroValue(); llvm::APSInt Adjustment = WraparoundType.getZeroValue();
SymbolRef AdjustedSym = Sym; SymbolRef AdjustedSym = Sym;
computeAdjustment(AdjustedSym, Adjustment); computeAdjustment(AdjustedSym, Adjustment);
Show All 12 Lines return assumeSymWithinInclusiveRange(State, AdjustedSym, ConvertedFrom,
ConvertedTo, Adjustment); ConvertedTo, Adjustment);
return assumeSymOutsideInclusiveRange(State, AdjustedSym, ConvertedFrom, return assumeSymOutsideInclusiveRange(State, AdjustedSym, ConvertedFrom,
ConvertedTo, Adjustment); ConvertedTo, Adjustment);
} }
ProgramStateRef ProgramStateRef
RangedConstraintManager::assumeSymUnsupported(ProgramStateRef State, RangedConstraintManager::assumeSymUnsupported(ProgramStateRef State,
SymbolRef Sym, bool Assumption) { SymbolRef Sym, bool Assumption) {
Sym = simplify(State, Sym);
BasicValueFactory &BVF = getBasicVals(); BasicValueFactory &BVF = getBasicVals();
QualType T = Sym->getType(); QualType T = Sym->getType();
// Non-integer types are not supported. // Non-integer types are not supported.
if (!T->isIntegralOrEnumerationType()) if (!T->isIntegralOrEnumerationType())
return State; return State;
// Reverse the operation and add directly to state. // Reverse the operation and add directly to state.
▲ Show 20 LinesShow All 82 Lines▼ Show 20 Lines if (Op == BO_Add || Op == BO_Sub) {
// This should happen /after/ promotion, in case the value being // This should happen /after/ promotion, in case the value being
// subtracted is, say, CHAR_MIN, and the promoted type is 'int'. // subtracted is, say, CHAR_MIN, and the promoted type is 'int'.
if (Op == BO_Sub) if (Op == BO_Sub)
Adjustment = -Adjustment; Adjustment = -Adjustment;
} }
} }
} }
SymbolRef simplify(ProgramStateRef State, SymbolRef Sym) {
SValBuilder &SVB = State->getStateManager().getSValBuilder();
SVal SimplifiedVal = SVB.simplifySVal(State, SVB.makeSymbolVal(Sym));
if (SymbolRef SimplifiedSym = SimplifiedVal.getAsSymbol())
return SimplifiedSym;
return Sym;
}
} // end of namespace ento } // end of namespace ento
} // end of namespace clang } // end of namespace clang

clang/test/Analysis/solver-sym-simplification-no-crash.c

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -verify
// Here, we test that symbol simplification in the solver does not produce any
// crashes.
// expected-no-diagnostics
static int a, b;
static long c;
static void f(int i, int j)
{
(void)(j <= 0 && i ? i : j);
}
static void g(void)
{
int d = a - b | (c < 0);
for (;;)
{
f(d ^ c, c);
}
}

clang/test/Analysis/solver-sym-simplification-with-proper-range-type.c

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -verify
// Here we test that the range based solver equivalency tracking mechanism
// assigns a properly typed range to the simplified symbol.
void clang_analyzer_printState();
void clang_analyzer_eval(int);
void f(int a0, int b0, int c)
{
int a1 = a0 - b0;
int b1 = (unsigned)a1 + c;
if (c == 0) {
int d = 7L / b1; // ...
// At this point b1 is considered non-zero, which results in a new
// constraint for $a0 - $b0 + $c. The type of this sym is unsigned,
// however, the simplified sym is $a0 - $b0 and its type is signed.
// This is probably the result of the inherent improper handling of
// casts. Anyway, Range assignment for constraints use this type
// information. Therefore, we must make sure that first we simplify the
// symbol and only then we assign the range.
clang_analyzer_eval(a0 - b0 != 0); // expected-warning{{TRUE}}
}
}