This is an archive of the discontinued LLVM Phabricator instance.

Differential D107636

[analyzer][solver] Compute adjustment for unsupported symbols as well
Needs RevisionPublic

Authored by vsavchenko on Aug 6 2021, 4:13 AM.

Details

Reviewers
NoQ
xazax.hun
martong
steakhal
Szelethus
ASDenysPetrov
manas
RedDocMD
Summary

When the solver sees conditions like a +/- INT cmp INT, it disassembles
such expressions and uses the first integer constant as a so-called "Adjustment".
So it's easier later on to reason about the range of the symbol (a
in this case).

However, conditions of form a +/- INT are not treated the same way,
and we might end up with contradictory constraints.

This patch resolves this issue and extracts "Adjustment" for the
latter case as well.

Diff Detail

Event Timeline

vsavchenko created this revision.Aug 6 2021, 4:13 AM
Herald added subscribers: dkrupp, donat.nagy, mikhail.ramalho and 4 others. · View Herald TranscriptAug 6 2021, 4:13 AM
vsavchenko requested review of this revision.Aug 6 2021, 4:13 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 6 2021, 4:13 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B118349: Diff 364750.Aug 6 2021, 4:55 AM
steakhal accepted this revision.Aug 6 2021, 8:15 AM

Seems reasonable to me. Let's wait for someone else as well.
This is a really elegant patch, I should tell!

This revision is now accepted and ready to land.Aug 6 2021, 8:15 AM
vsavchenko added a comment.Aug 6 2021, 8:18 AM
In D107636#2931302, @steakhal wrote:

Seems reasonable to me. Let's wait for someone else as well.

Sure, NP.

This is a really elegant patch, I should tell!

Thanks! I guess my take on this, that this path to the solver just got forgotten and that's what produced this inconsistency.

ASDenysPetrov added a comment.Apr 11 2022, 9:52 AM

I checked the tests file on the latest sources. It passes even without your changes. Maybe this patch is already outdated.

clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
82–86

Do we need the same changes here as below?

Herald added a project: Restricted Project. · View Herald TranscriptApr 11 2022, 9:52 AM
martong requested changes to this revision.Apr 13 2022, 5:57 AM

I am not sure if this patch makes sense at all because the adjustment handling logic is restricted to handle SymInt expressions only.

clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
82–86

I believe, the adjustment is deliberately Zero here. This is because we are dealing with a SymSym expr, and the adjustment logic is capable of handling only a SymInt expr.

This revision now requires changes to proceed.Apr 13 2022, 5:57 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
9 lines
test/
Analysis/
25 lines

Diff 364750

clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp

Show First 20 LinesShow All 73 Lines▼ Show 20 Lines if (BinaryOperator::isEqualityOp(Op)) {
SymbolRef CanonicalEquality = SymbolRef CanonicalEquality =
SymMgr.getSymSymExpr(SSE->getLHS(), BO_EQ, SSE->getRHS(), ExprType); SymMgr.getSymSymExpr(SSE->getLHS(), BO_EQ, SSE->getRHS(), ExprType);
bool WasEqual = SSE->getOpcode() == BO_EQ; bool WasEqual = SSE->getOpcode() == BO_EQ;
bool IsExpectedEqual = WasEqual == Assumption; bool IsExpectedEqual = WasEqual == Assumption;
const llvm::APSInt &Zero = getBasicVals().getValue(0, ExprType); const llvm::APSInt &Zero = getBasicVals().getValue(0, ExprType);
if (IsExpectedEqual) { if (IsExpectedEqual) {
return assumeSymNE(State, CanonicalEquality, Zero, Zero); return assumeSymNE(State, CanonicalEquality, Zero, Zero);
} }
return assumeSymEQ(State, CanonicalEquality, Zero, Zero); return assumeSymEQ(State, CanonicalEquality, Zero, Zero);
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions

Do we need the same changes here as below?

ASDenysPetrov: Do we need the same changes here as below?
martongUnsubmitted
Not Done
ReplyInline Actions

I believe, the adjustment is deliberately Zero here. This is because we are dealing with a SymSym expr, and the adjustment logic is capable of handling only a SymInt expr.

martong: I believe, the adjustment is deliberately Zero here. This is because we are dealing with a…
} }
} }
// If we get here, there's nothing else we can do but treat the symbol as // If we get here, there's nothing else we can do but treat the symbol as
// opaque. // opaque.
return assumeSymUnsupported(State, Sym, Assumption); return assumeSymUnsupported(State, Sym, Assumption);
} }
Show All 37 LinesRangedConstraintManager::assumeSymUnsupported(ProgramStateRef State,
QualType T = Sym->getType(); QualType T = Sym->getType();
// Non-integer types are not supported. // Non-integer types are not supported.
if (!T->isIntegralOrEnumerationType()) if (!T->isIntegralOrEnumerationType())
return State; return State;
// Reverse the operation and add directly to state. // Reverse the operation and add directly to state.
const llvm::APSInt &Zero = BVF.getValue(0, T); const llvm::APSInt &Zero = BVF.getValue(0, T);
llvm::APSInt Adjustment = Zero;
computeAdjustment(Sym, Adjustment);
if (Assumption) if (Assumption)
return assumeSymNE(State, Sym, Zero, Zero); return assumeSymNE(State, Sym, Zero, Adjustment);
else
return assumeSymEQ(State, Sym, Zero, Zero); return assumeSymEQ(State, Sym, Zero, Adjustment);
} }
ProgramStateRef RangedConstraintManager::assumeSymRel(ProgramStateRef State, ProgramStateRef RangedConstraintManager::assumeSymRel(ProgramStateRef State,
SymbolRef Sym, SymbolRef Sym,
BinaryOperator::Opcode Op, BinaryOperator::Opcode Op,
const llvm::APSInt &Int) { const llvm::APSInt &Int) {
assert(BinaryOperator::isComparisonOp(Op) && assert(BinaryOperator::isComparisonOp(Op) &&
"Non-comparison ops should be rewritten as comparisons to zero."); "Non-comparison ops should be rewritten as comparisons to zero.");
▲ Show 20 LinesShow All 87 LinesShow Last 20 Lines

clang/test/Analysis/infeasible_paths.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify %s
// expected-no-diagnostics
void clang_analyzer_warnIfReached();
void unsupportedSymAssumption_1(int a) {
int b = a + 1;
if (b + 1)
return;
// At this point, b == -1, a == -2
// and this condition is always true.
if (b < 1)
return;
clang_analyzer_warnIfReached(); // no-warning
}
void unsupportedSymAssumption_2(int a) {
int b = a - 1;
if (!b)
return;
if (b)
return;
clang_analyzer_warnIfReached(); // no-warning
}