This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
4/5
SimpleSValBuilder.cpp
-
test/Analysis/
-
Analysis/
1/1
svalbuilder-simplify-in-evalbinop.cpp

Differential D113753

[Analyzer][Core] Better simplification in SimpleSValBuilder::evalBinOpNN
ClosedPublic

Authored by martong on Nov 12 2021, 4:06 AM.

Download Raw Diff

Details

Reviewers

steakhal
ASDenysPetrov
NoQ
Szelethus

Commits

rG12887a202404: [Analyzer][Core] Better simplification in SimpleSValBuilder::evalBinOpNN

Summary

Make the SValBuilder capable to simplify existing
SVals based on a newly added constraints when evaluating a BinOp.

Before this patch, we called simplify only in some edge cases.
However, we can and should investigate the constraints in all cases.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.Nov 12 2021, 4:06 AM

Herald added subscribers: manas, gamesh411, dkrupp and 8 others. · View Herald TranscriptNov 12 2021, 4:06 AM

martong requested review of this revision.Nov 12 2021, 4:06 AM

Herald added a project: Restricted Project. · View Herald TranscriptNov 12 2021, 4:06 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

martong added a child revision: D103317: [Analyzer][Core] Make SValBuilder to better simplify svals with 3 symbols in the tree.Nov 12 2021, 4:06 AM

Harbormaster completed remote builds in B133920: Diff 386798.Nov 12 2021, 4:59 AM

steakhal added inline comments.Nov 12 2021, 6:06 AM

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
378	It seems like you simplify the `rhs` as well. Could we have a test for that?
clang/test/Analysis/svalbuilder-simplify-in-evalbinop.cpp
14	Please declare `x` in this statement.

I'm attaching the coverage of the new test file for the related change:

375             :   // Constraints may have changed since the creation of a bound SVal. Check if
376             :   // the values can be simplified based on those new constraints.
377          12 :   SVal simplifiedLhs = simplifySVal(state, lhs);
378          12 :   SVal simplifiedRhs = simplifySVal(state, rhs);
379          12 :   if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>())
380          12 :     lhs = *simplifiedLhsAsNonLoc;
381          12 :   if (auto simplifiedRhsAsNonLoc = simplifiedRhs.getAs<NonLoc>())
382          12 :     rhs = *simplifiedRhsAsNonLoc;
383             :

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
378	Ok, I've added a new test case and reworked the existing a bit.

Add new test case

Awesome!

This revision is now accepted and ready to land.Nov 23 2021, 7:17 AM

This revision was landed with ongoing or failed builds.Nov 23 2021, 7:45 AM

Closed by commit rG12887a202404: [Analyzer][Core] Better simplification in SimpleSValBuilder::evalBinOpNN (authored by martong). · Explain Why

This revision was automatically updated to reflect the committed changes.

martong added a commit: rG12887a202404: [Analyzer][Core] Better simplification in SimpleSValBuilder::evalBinOpNN.

I'm attaching the coverage of the new test file for the related change:

375             :   // Constraints may have changed since the creation of a bound SVal. Check if
376             :   // the values can be simplified based on those new constraints.
377          12 :   SVal simplifiedLhs = simplifySVal(state, lhs);
378          12 :   SVal simplifiedRhs = simplifySVal(state, rhs);
379          12 :   if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>())
380          12 :     lhs = *simplifiedLhsAsNonLoc;
381          12 :   if (auto simplifiedRhsAsNonLoc = simplifiedRhs.getAs<NonLoc>())
382          12 :     rhs = *simplifiedRhsAsNonLoc;
383             :

Harbormaster completed remote builds in B135622: Diff 389186.Nov 23 2021, 9:58 AM

This seem to cause some weird results.

Given this input:

bar(short k) {
  k++;
  for (short f = 0; f < k; f++)
    ;
  (long)k << 16;
}

we get

> clang  --analyze --target=x86_64 'bbi-63538.c'
bbi-63538.c:5:11: warning: The result of the left shift is undefined due to shifting '1' by '16', which is unrepresentable in the unsigned version of the return type 'long' [core.UndefinedBinaryOperatorResult]
  (long)k << 16;
  ~~~~~~~ ^
bbi-63538.c:5:11: warning: The result of the left shift is undefined due to shifting '2' by '16', which is unrepresentable in the unsigned version of the return type 'long' [core.UndefinedBinaryOperatorResult]
  (long)k << 16;
  ~~~~~~~ ^
bbi-63538.c:5:11: warning: The result of the left shift is undefined due to shifting '3' by '16', which is unrepresentable in the unsigned version of the return type 'long' [core.UndefinedBinaryOperatorResult]
  (long)k << 16;
  ~~~~~~~ ^
3 warnings generated.

In D113753#3156270, @bjope wrote:

This seem to cause some weird results.

Given this input:

bar(short k) {
  k++;
  for (short f = 0; f < k; f++)
    ;
  (long)k << 16;
}

we get

> clang  --analyze --target=x86_64 'bbi-63538.c'
bbi-63538.c:5:11: warning: The result of the left shift is undefined due to shifting '1' by '16', which is unrepresentable in the unsigned version of the return type 'long' [core.UndefinedBinaryOperatorResult]
  (long)k << 16;
  ~~~~~~~ ^
bbi-63538.c:5:11: warning: The result of the left shift is undefined due to shifting '2' by '16', which is unrepresentable in the unsigned version of the return type 'long' [core.UndefinedBinaryOperatorResult]
  (long)k << 16;
  ~~~~~~~ ^
bbi-63538.c:5:11: warning: The result of the left shift is undefined due to shifting '3' by '16', which is unrepresentable in the unsigned version of the return type 'long' [core.UndefinedBinaryOperatorResult]
  (long)k << 16;
  ~~~~~~~ ^
3 warnings generated.

Good catch @bjope !
Here is an example without the loop: https://godbolt.org/z/z3rqMz4bs
We'll have a closer look.

dstenb added a subscriber: dstenb.Nov 29 2021, 4:21 AM

Here is a smaller reproducer:

void bar(short k) {
  ++k;             // k1 = k0 + 1
  assert(k == 1);  // k1 == 1 --> k0 == 0
  (long)k << 16;   // k0 + 1 <<  16
}

And the explanation is the following. With this patch, when the analyzer evaluates the (long)k << 16 expression then it can properly deduce the value of k being 1. However, it was not possible in the baseline. Since we do not model neither promotion nor explicit casts we get the false positive report. This issue highlights the importance of the patch stack to implement the modeling of casts (starting with https://reviews.llvm.org/D99797).

martong mentioned this in D99797: [analyzer] Implemented RangeSet::Factory::unite function to handle intersections and adjacency.Dec 2 2021, 12:11 PM

steakhal added inline comments.Dec 2 2021, 2:24 PM

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
372	@martong, you simplified the operands, but you overwrite only the lhs and rhs. Shouldnt you overwite these as well? What is the purpose of these variables, do you know?

martong added inline comments.Dec 3 2021, 12:41 AM

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
372	@martong, you simplified the operands, but you overwrite only the lhs and rhs. Shouldnt you overwite these as well? What is the purpose of these variables, do you know? They are used exclusively to create `SymExpr`s with `makeSymExprValNN` when both lhs and rhs are symbols. If we were to simplify the `Input` variables then it might happen that we end up with a non symbol (i.e. a concrete int) and then `makeSymExprValNN` would fail miserably (would assert I guess).

steakhal added inline comments.Dec 3 2021, 1:42 AM

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
372	I see. Although, it still seems suboptimal.

martong mentioned this in D126560: [analyzer] Track assume call stack to detect fixpoint.May 27 2022, 11:55 AM

martong mentioned this in rGf66f4d3b07b2: [analyzer] Track assume call stack to detect fixpoint.Jun 6 2022, 11:36 PM

Revision Contents

Path

Size

clang/

lib/

StaticAnalyzer/

Core/

SimpleSValBuilder.cpp

19 lines

test/

Analysis/

svalbuilder-simplify-in-evalbinop.cpp

30 lines

Diff 389204

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 Lines • Show All 363 Lines • ▼ Show 20 Lines	static Optional<NonLoc> tryRearrange(ProgramStateRef State,
// We know that no overflows can occur anymore.		// We know that no overflows can occur anymore.
return doRearrangeUnchecked(State, Op, LSym, LInt, RSym, RInt);		return doRearrangeUnchecked(State, Op, LSym, LInt, RSym, RInt);
}		}

SVal SimpleSValBuilder::evalBinOpNN(ProgramStateRef state,		SVal SimpleSValBuilder::evalBinOpNN(ProgramStateRef state,
BinaryOperator::Opcode op,		BinaryOperator::Opcode op,
NonLoc lhs, NonLoc rhs,		NonLoc lhs, NonLoc rhs,
QualType resultTy) {		QualType resultTy) {
NonLoc InputLHS = lhs;		NonLoc InputLHS = lhs;
		steakhalUnsubmitted Not Done Reply Inline Actions @martong, you simplified the operands, but you overwrite only the lhs and rhs. Shouldnt you overwite these as well? What is the purpose of these variables, do you know? steakhal: @martong, you simplified the operands, but you overwrite only the lhs and rhs. Shouldnt you…
		martongAuthorUnsubmitted Done Reply Inline Actions @martong, you simplified the operands, but you overwrite only the lhs and rhs. Shouldnt you overwite these as well? What is the purpose of these variables, do you know? They are used exclusively to create `SymExpr`s with `makeSymExprValNN` when both lhs and rhs are symbols. If we were to simplify the `Input` variables then it might happen that we end up with a non symbol (i.e. a concrete int) and then `makeSymExprValNN` would fail miserably (would assert I guess). martong: > @martong, you simplified the operands, but you overwrite only the lhs and rhs. Shouldnt you…
		steakhalUnsubmitted Done Reply Inline Actions I see. Although, it still seems suboptimal. steakhal: I see. Although, it still seems suboptimal.
NonLoc InputRHS = rhs;		NonLoc InputRHS = rhs;

		// Constraints may have changed since the creation of a bound SVal. Check if
		// the values can be simplified based on those new constraints.
		SVal simplifiedLhs = simplifySVal(state, lhs);
		SVal simplifiedRhs = simplifySVal(state, rhs);
		steakhalUnsubmitted Done Reply Inline Actions It seems like you simplify the `rhs` as well. Could we have a test for that? steakhal: It seems like you simplify the `rhs` as well. Could we have a test for that?
		martongAuthorUnsubmitted Done Reply Inline Actions Ok, I've added a new test case and reworked the existing a bit. martong: Ok, I've added a new test case and reworked the existing a bit.
		if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>())
		lhs = *simplifiedLhsAsNonLoc;
		if (auto simplifiedRhsAsNonLoc = simplifiedRhs.getAs<NonLoc>())
		rhs = *simplifiedRhsAsNonLoc;

// Handle trivial case where left-side and right-side are the same.		// Handle trivial case where left-side and right-side are the same.
if (lhs == rhs)		if (lhs == rhs)
switch (op) {		switch (op) {
default:		default:
break;		break;
case BO_EQ:		case BO_EQ:
case BO_LE:		case BO_LE:
case BO_GE:		case BO_GE:
▲ Show 20 Lines • Show All 231 Lines • ▼ Show 20 Lines	case nonloc::SymbolValKind: {
}		}
}		}

// Otherwise, make a SymIntExpr out of the expression.		// Otherwise, make a SymIntExpr out of the expression.
return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy);		return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy);
}		}
}		}

// Does the symbolic expression simplify to a constant?
// If so, "fold" the constant by setting 'lhs' to a ConcreteInt
// and try again.
SVal simplifiedLhs = simplifySVal(state, lhs);
if (simplifiedLhs != lhs)
if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>()) {
lhs = *simplifiedLhsAsNonLoc;
continue;
}

// Is the RHS a constant?		// Is the RHS a constant?
if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs))		if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs))
return MakeSymIntVal(Sym, op, *RHSValue, resultTy);		return MakeSymIntVal(Sym, op, *RHSValue, resultTy);

if (Optional<NonLoc> V = tryRearrange(state, op, lhs, rhs, resultTy))		if (Optional<NonLoc> V = tryRearrange(state, op, lhs, rhs, resultTy))
return *V;		return *V;

// Give up -- this is not a symbolic expression we can handle.		// Give up -- this is not a symbolic expression we can handle.
▲ Show 20 Lines • Show All 605 Lines • Show Last 20 Lines

clang/test/Analysis/svalbuilder-simplify-in-evalbinop.cpp

This file was added.

				// RUN: %clang_analyze_cc1 %s \
				// RUN: -analyzer-checker=core \
				// RUN: -analyzer-checker=debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -verify

				// Here we test whether the SValBuilder is capable to simplify existing
				// SVals based on a newly added constraints when evaluating a BinOp.

				void clang_analyzer_eval(bool);

				void test_evalBinOp_simplifies_lhs(int y) {
				int x = y / 77;
				if (y != 77)
				steakhalUnsubmitted Done Reply Inline Actions Please declare `x` in this statement. steakhal: Please declare `x` in this statement.
				return;

				// Below `x` is the LHS being simplified.
				clang_analyzer_eval(x == 1); // expected-warning{{TRUE}}
				(void)(x * y);
				}

				void test_evalBinOp_simplifies_rhs(int y) {
				int x = y / 77;
				if (y != 77)
				return;

				// Below `x` is the RHS being simplified.
				clang_analyzer_eval(1 == x); // expected-warning{{TRUE}}
				(void)(x * y);
				}