This is an archive of the discontinued LLVM Phabricator instance.

Differential D110910

[analyzer][solver] Fix CmpOpTable handling bug
ClosedPublic

Authored by martong on Oct 1 2021, 1:34 AM.

Details

Reviewers
steakhal
manas
vsavchenko
NoQ
Szelethus
ASDenysPetrov
Commits
rG792be5df92e8: [analyzer][solver] Fix CmpOpTable handling bug
Summary

There is an error in the implementation of the logic of reaching the Unknonw tristate in CmpOpTable.

void cmp_op_table_unknownX2(int x, int y, int z) {
  if (x >= y) {
                    // x >= y    [1, 1]
    if (x + z < y)
      return;
                    // x + z < y [0, 0]
    if (z != 0)
      return;
                    // x < y     [0, 0]
    clang_analyzer_eval(x > y);  // expected-warning{{TRUE}} expected-warning{{FALSE}}
  }
}

We miss the FALSE warning because the false branch is infeasible.

We have to exploit simplification to discover the bug. If we had x < y
as the second condition then the analyzer would return the parent state
on the false path and the new constraint would not be part of the State.
But adding z to the condition makes both paths feasible.

The root cause of the bug is that we reach the Unknown tristate
twice, but in both occasions we reach the same Op that is >= in the
test case. So, we reached >= twice, but we never reached !=, thus
querying the Unknonw2x column with getCmpOpStateForUnknownX2 is
wrong.

The solution is to ensure that we reached both different Ops once.

Diff Detail

Event Timeline

martong created this revision.Oct 1 2021, 1:34 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptOct 1 2021, 1:34 AM
Herald added subscribers: gamesh411, dkrupp, donat.nagy and 8 others. · View Herald Transcript
martong requested review of this revision.Oct 1 2021, 1:34 AM
Harbormaster completed remote builds in B126684: Diff 376447.Oct 1 2021, 1:34 AM
Herald added a project: Restricted Project. · View Herald TranscriptOct 1 2021, 1:34 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added a comment.Oct 4 2021, 2:50 AM

@ASDenysPetrov Gentle ping

martong removed a reviewer: ASDenysPetrov.Oct 5 2021, 2:45 AM
Herald added a subscriber: ASDenysPetrov. · View Herald TranscriptOct 5 2021, 2:45 AM
martong added a reviewer: ASDenysPetrov.Oct 5 2021, 2:45 AM
ASDenysPetrov added a comment.Oct 5 2021, 9:13 AM

Thanks for mentioning me. I'll make a review of this tomorrow.

ASDenysPetrov accepted this revision.EditedOct 6 2021, 7:01 AM

I see the problem. It appears when you meet, say, > in a true branch and <= in a false branch which then turns into > again and trigger the flag, but shouldn't. Your solution is correct and looks clear.
Here I propose you one more to not use additional abstruction in a favor of performance. See inlines.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
1129–1134
1170–1173
1179–1182
This revision is now accepted and ready to land.Oct 6 2021, 7:01 AM
martong updated this revision to Diff 377564.Oct 6 2021, 9:00 AM
  • Update to use a single variable to track the state
  • Make CurrentOP const
martong added a comment.Oct 6 2021, 9:02 AM

Thanks for the review Denys!

I've updated accordingly to your suggestion, it is certainly more efficient. However, I've found your solution more difficult to follow, thus I've added some more explanatory comments.

This revision was landed with ongoing or failed builds.Oct 6 2021, 9:28 AM
Closed by commit rG792be5df92e8: [analyzer][solver] Fix CmpOpTable handling bug (authored by martong). · Explain Why
This revision was automatically updated to reflect the committed changes.
martong added a commit: rG792be5df92e8: [analyzer][solver] Fix CmpOpTable handling bug.
ASDenysPetrov added a comment.Oct 6 2021, 9:32 AM

LGTM

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
1129–1135

Perfect explanation. This is really worth to be here.

P.S. My nit. Disregard if you think it is unnecessary.

Harbormaster completed remote builds in B127314: Diff 377564.Oct 6 2021, 10:02 AM

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
18 lines
test/
Analysis/
14 lines

Diff 377571

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

Show First 20 LinesShow All 1,106 Lines▼ Show 20 Linesprivate:
// It covers all possible combinations (see CmpOpTable description). // It covers all possible combinations (see CmpOpTable description).
// Note that `x` and `y` can also stand for subexpressions, // Note that `x` and `y` can also stand for subexpressions,
// not only for actual symbols. // not only for actual symbols.
Optional<RangeSet> getRangeForComparisonSymbol(SymbolRef Sym) { Optional<RangeSet> getRangeForComparisonSymbol(SymbolRef Sym) {
const auto *SSE = dyn_cast<SymSymExpr>(Sym); const auto *SSE = dyn_cast<SymSymExpr>(Sym);
if (!SSE) if (!SSE)
return llvm::None; return llvm::None;
BinaryOperatorKind CurrentOP = SSE->getOpcode(); const BinaryOperatorKind CurrentOP = SSE->getOpcode();
// We currently do not support <=> (C++20). // We currently do not support <=> (C++20).
if (!BinaryOperator::isComparisonOp(CurrentOP) || (CurrentOP == BO_Cmp)) if (!BinaryOperator::isComparisonOp(CurrentOP) || (CurrentOP == BO_Cmp))
return llvm::None; return llvm::None;
static const OperatorRelationsTable CmpOpTable{}; static const OperatorRelationsTable CmpOpTable{};
const SymExpr *LHS = SSE->getLHS(); const SymExpr *LHS = SSE->getLHS();
const SymExpr *RHS = SSE->getRHS(); const SymExpr *RHS = SSE->getRHS();
QualType T = SSE->getType(); QualType T = SSE->getType();
SymbolManager &SymMgr = State->getSymbolManager(); SymbolManager &SymMgr = State->getSymbolManager();
int UnknownStates = 0; // We use this variable to store the last queried operator (`QueriedOP`)
// for which the `getCmpOpState` returned with `Unknown`. If there are two
// different OPs that returned `Unknown` then we have to query the special
// `UnknownX2` column. We assume that `getCmpOpState(CurrentOP, CurrentOP)`
// never returns `Unknown`, so `CurrentOP` is a good initial value.
BinaryOperatorKind LastQueriedOpToUnknown = CurrentOP;
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions
SymbolManager &SymMgr = State->getSymbolManager();
- llvm::SmallSet<BinaryOperatorKind, 2> QueriedToUnknown;
+ // We assume that `getCmpOpState(CurrentOP, CurrentOP)` never be Unknown.
+ BinaryOperatorKind LastQueriedOpAsUnknown = CurrentOP;
// Loop goes through all of the columns exept the last one ('UnknownX2').
ASDenysPetrov:
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions
SymbolManager &SymMgr = State->getSymbolManager();
- // We use this variable to store the last queried operator (`QueriedOP`)
+ // We use this variable as a flag to store the last queried operator (`QueriedOP`)
// for which the `getCmpOpState` returned with `Unknown`. If there are two
// different OPs that returned `Unknown` then we have to query the special
// `UnknownX2` column. We assume that `getCmpOpState(CurrentOP, CurrentOP)`
// never returns `Unknown`, so `CurrentOP` is a good initial value.
BinaryOperatorKind LastQueriedOpToUnknown = CurrentOP;
// Loop goes through all of the columns exept the last one ('UnknownX2').

Perfect explanation. This is really worth to be here.

P.S. My nit. Disregard if you think it is unnecessary.

ASDenysPetrov: Perfect explanation. This is really worth to be here. P.S. My nit. Disregard if you think it…
// Loop goes through all of the columns exept the last one ('UnknownX2'). // Loop goes through all of the columns exept the last one ('UnknownX2').
// We treat `UnknownX2` column separately at the end of the loop body. // We treat `UnknownX2` column separately at the end of the loop body.
for (size_t i = 0; i < CmpOpTable.getCmpOpCount(); ++i) { for (size_t i = 0; i < CmpOpTable.getCmpOpCount(); ++i) {
// Let's find an expression e.g. (x < y). // Let's find an expression e.g. (x < y).
BinaryOperatorKind QueriedOP = OperatorRelationsTable::getOpFromIndex(i); BinaryOperatorKind QueriedOP = OperatorRelationsTable::getOpFromIndex(i);
const SymSymExpr *SymSym = SymMgr.getSymSymExpr(LHS, QueriedOP, RHS, T); const SymSymExpr *SymSym = SymMgr.getSymSymExpr(LHS, QueriedOP, RHS, T);
const RangeSet *QueriedRangeSet = getConstraint(State, SymSym); const RangeSet *QueriedRangeSet = getConstraint(State, SymSym);
Show All 18 Lines for (size_t i = 0; i < CmpOpTable.getCmpOpCount(); ++i) {
// because the table is made assuming we are in the true branch. // because the table is made assuming we are in the true branch.
// E.g. when (x <= y) is false, then (x > y) is true. // E.g. when (x <= y) is false, then (x > y) is true.
if (isInFalseBranch) if (isInFalseBranch)
QueriedOP = BinaryOperator::negateComparisonOp(QueriedOP); QueriedOP = BinaryOperator::negateComparisonOp(QueriedOP);
OperatorRelationsTable::TriStateKind BranchState = OperatorRelationsTable::TriStateKind BranchState =
CmpOpTable.getCmpOpState(CurrentOP, QueriedOP); CmpOpTable.getCmpOpState(CurrentOP, QueriedOP);
if (BranchState == OperatorRelationsTable::Unknown) { if (BranchState == OperatorRelationsTable::Unknown) {
if (++UnknownStates == 2) if (LastQueriedOpToUnknown != CurrentOP &&
// If we met both Unknown states. LastQueriedOpToUnknown != QueriedOP) {
// If we got the Unknown state for both different operators.
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions
if (BranchState == OperatorRelationsTable::Unknown) {
- QueriedToUnknown.insert(QueriedOP);
- if (QueriedToUnknown.size() == 2)
+ if (LastQueriedOpAsUnknown != CurrentOP &&
+ LastQueriedOpAsUnknown != QueriedOP)
// If we met both Unknown states.
ASDenysPetrov:
// if (x <= y) // assume true // if (x <= y) // assume true
// if (x != y) // assume true // if (x != y) // assume true
// if (x < y) // would be also true // if (x < y) // would be also true
// Get a state from `UnknownX2` column. // Get a state from `UnknownX2` column.
BranchState = CmpOpTable.getCmpOpStateForUnknownX2(CurrentOP); BranchState = CmpOpTable.getCmpOpStateForUnknownX2(CurrentOP);
else } else {
LastQueriedOpToUnknown = QueriedOP;
continue; continue;
} }
ASDenysPetrovUnsubmitted
Not Done
ReplyInline Actions
BranchState = CmpOpTable.getCmpOpStateForUnknownX2(CurrentOP);
- else
+ else {
+ LastQueriedOpAsUnknown = QueriedOP;
continue;
- }
+ }
+ }
return (BranchState == OperatorRelationsTable::True) ? getTrueRange(T)
ASDenysPetrov:
}
return (BranchState == OperatorRelationsTable::True) ? getTrueRange(T) return (BranchState == OperatorRelationsTable::True) ? getTrueRange(T)
: getFalseRange(T); : getFalseRange(T);
} }
return llvm::None; return llvm::None;
} }
▲ Show 20 LinesShow All 1,631 LinesShow Last 20 Lines

clang/test/Analysis/constraint_manager_conditions.cpp

Show First 20 LinesShow All 205 Lines▼ Show 20 Linesvoid comparison_le_ge(int x, int y) {
if (x <= y) if (x <= y)
if (x >= y) { if (x >= y) {
clang_analyzer_eval(x == y); // expected-warning{{TRUE}} clang_analyzer_eval(x == y); // expected-warning{{TRUE}}
clang_analyzer_eval(y == x); // expected-warning{{TRUE}} clang_analyzer_eval(y == x); // expected-warning{{TRUE}}
clang_analyzer_eval(x != y); // expected-warning{{FALSE}} clang_analyzer_eval(x != y); // expected-warning{{FALSE}}
clang_analyzer_eval(y != x); // expected-warning{{FALSE}} clang_analyzer_eval(y != x); // expected-warning{{FALSE}}
} }
} }
// Test the logic of reaching the `Unknonw` tristate in CmpOpTable.
void cmp_op_table_unknownX2(int x, int y, int z) {
if (x >= y) {
// x >= y [1, 1]
if (x + z < y)
return;
// x + z < y [0, 0]
if (z != 0)
return;
// x < y [0, 0]
clang_analyzer_eval(x > y); // expected-warning{{TRUE}} expected-warning{{FALSE}}
}
}