This is an archive of the discontinued LLVM Phabricator instance.

Differential D115349

[analyzer][NFC] Re-enable skipped SValTests by relaxing expectations
ClosedPublic

Authored by steakhal on Dec 8 2021, 7:43 AM.

Details

Reviewers
martong
NoQ
Szelethus
stevewan
Commits
rG881b6a009fb6: [analyzer][NFC] Re-enable skipped SValTests by relaxing expectations
Summary

Some tests were skipped in D114454 to resolve test failures on some
platforms, where the pointers have different bitwidth than expected.
This patch re-enables these tests, by relaxing the requirements on the
types of the SVal.

The issue:
There is no way to reconstruct the type of the SVal perfectly
accurately, since there could be multiple types having the required
bitwidth and signedness.
Consider platforms where int and long have the same bitwidth.
Additionally, we need to be careful about casting a pointer to an
integral representation, because we don't know what smallest integral
type can represent that.

To workaround these issues, I propose enforcing a type that has the
same signedness and bitwidth as the expected type, instead of perfect
equality.

In the GetLocAsIntType test, in case of pointer-to-integral casts
I'm using the widest standard integral type (long long) to make sure
that the pointer can be represented by the type without losing
precision. This won't affect the test in any meaningful way, since the
type of the lvalue remained the same.

In one case, I had to replace getUIntPtrType() with UnsignedLongTy
because on some platforms getUIntPtrType() is different then `long
int`.

In this patch, I also enforce that the tests must compile without
errors, to prevent narrowing conversions in the future.

Diff Detail

Event Timeline

steakhal created this revision.Dec 8 2021, 7:43 AM
Herald added subscribers: manas, ASDenysPetrov, dkrupp and 7 others. · View Herald TranscriptDec 8 2021, 7:43 AM
steakhal requested review of this revision.Dec 8 2021, 7:43 AM
Herald added a subscriber: aheejin. · View Herald TranscriptDec 8 2021, 7:43 AM
steakhal added a child revision: D114454: [analyzer]Skip unstable CSA tests failing on several platforms.Dec 8 2021, 7:47 AM
steakhal removed a child revision: D114454: [analyzer]Skip unstable CSA tests failing on several platforms.Dec 8 2021, 7:50 AM
steakhal added a parent revision: D114454: [analyzer]Skip unstable CSA tests failing on several platforms.
steakhal added a comment.Dec 15 2021, 3:23 PM

Ping

stevewan added inline comments.Jan 5 2022, 10:50 AM
clang/unittests/StaticAnalyzer/SValTest.cpp
177–179

Okay this reminded me that I wanted to ask this dumb question. Don't the assignments eventually do the implicit down-casting? Is it fine because we are not dealing with anything concrete and just doing static analysis over the code?

stevewan accepted this revision.Jan 5 2022, 10:55 AM

As emphasized in the description, we can't get the exact type of the SVal, and I agree that checking for the same signedness and bitwidth is our best bet. LGTM given that my question is addressed. Thanks.

This revision is now accepted and ready to land.Jan 5 2022, 10:55 AM
steakhal added a comment.Jan 6 2022, 12:59 AM

Thanks for the review @stevewan!
Let me know if I managed to answer your question.

clang/unittests/StaticAnalyzer/SValTest.cpp
177–179

I think the problem is that this is a c-style reinterpret cast. And that must operate on equal bitwidth (or casting to something even larger) types.
So, if I recall correctly, this code did not compile on all targetted platforms, thus I decided to use a slightly wider type to accommodate for that.

From the CSA's standpoint, it shouldn't matter. The value of x will be eventually narrowed to a long int.
If the pointer has the same bitwidth as long int, then the widening is compensated by the narrowing, binding a directly to x.
If the pointer has the same bitwidth as long long int, then there is no widening, only a narrowing, thus CSA will bind a to (long int)x.

Anyway, since x is a pointer, and AFAIK CSA models pointers as unsigned values, we should get an unsigned value at the end of the day.
But don't quote me on that :D

stevewan added a comment.EditedJan 6 2022, 8:17 AM

Thanks @steakhal for the clarification. Yes my question is answered.

This revision was landed with ongoing or failed builds.Jan 19 2022, 6:16 AM
Closed by commit rG881b6a009fb6: [analyzer][NFC] Re-enable skipped SValTests by relaxing expectations (authored by steakhal). · Explain Why
This revision was automatically updated to reflect the committed changes.
steakhal added a commit: rG881b6a009fb6: [analyzer][NFC] Re-enable skipped SValTests by relaxing expectations.
Herald added a project: Restricted Project. · View Herald TranscriptJan 19 2022, 6:16 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
unittests/
StaticAnalyzer/
48 lines

Diff 401207

clang/unittests/StaticAnalyzer/SValTest.cpp

Show First 20 LinesShow All 86 Lines▼ Show 20 Lines
private: private:
/// Entry point for tests. /// Entry point for tests.
virtual void test(ExprEngine &Engine, const ASTContext &Context) const = 0; virtual void test(ExprEngine &Engine, const ASTContext &Context) const = 0;
mutable bool Tested = false; mutable bool Tested = false;
mutable SVals CollectedSVals; mutable SVals CollectedSVals;
}; };
// Fixture class for parameterized SValTest static void expectSameSignAndBitWidth(QualType ExpectedTy, QualType ActualTy,
class SValTest : public testing::TestWithParam<TestClangConfig> { const ASTContext &Context) {
protected: EXPECT_EQ(ExpectedTy->isUnsignedIntegerType(),
// FIXME: The tests "GetConstType" and "GetLocAsIntType" infer the type of ActualTy->isUnsignedIntegerType());
// integrals based on their bitwidth. This is not a reliable method on EXPECT_EQ(Context.getTypeSize(ExpectedTy), Context.getTypeSize(ActualTy));
// platforms where different integrals have the same width.
bool skipTest(StringRef TestName) {
std::string target = GetParam().Target;
return (target == "powerpc-ibm-aix" || target == "i686-apple-darwin9" ||
target == "wasm32-unknown-unknown" ||
target == "wasm64-unknown-unknown") &&
(TestName == "GetConstType" || TestName == "GetLocAsIntType");
} }
};
// Fixture class for parameterized SValTest
class SValTest : public testing::TestWithParam<TestClangConfig> {};
// SVAL_TEST is a combined way of providing a short code snippet and // SVAL_TEST is a combined way of providing a short code snippet and
// to test some programmatic predicates on symbolic values produced by the // to test some programmatic predicates on symbolic values produced by the
// engine for the actual code. // engine for the actual code.
// //
// Each test has a NAME. One can think of it as a name for normal gtests. // Each test has a NAME. One can think of it as a name for normal gtests.
// //
// Each test should provide a CODE snippet. Code snippets might contain any // Each test should provide a CODE snippet. Code snippets might contain any
Show All 30 Lines void add##NAME##SValCollector(AnalysisASTConsumer &AnalysisConsumer, \
AnOpts.CheckersAndPackages = {{"test.##NAME##SValCollector", true}}; \ AnOpts.CheckersAndPackages = {{"test.##NAME##SValCollector", true}}; \
AnalysisConsumer.AddCheckerRegistrationFn([](CheckerRegistry &Registry) { \ AnalysisConsumer.AddCheckerRegistrationFn([](CheckerRegistry &Registry) { \
Registry.addChecker<NAME##SValCollector>("test.##NAME##SValCollector", \ Registry.addChecker<NAME##SValCollector>("test.##NAME##SValCollector", \
"Description", ""); \ "Description", ""); \
}); \ }); \
} \ } \
\ \
TEST_P(SValTest, NAME) { \ TEST_P(SValTest, NAME) { \
if (skipTest(#NAME)) { \ EXPECT_TRUE(runCheckerOnCodeWithArgs<add##NAME##SValCollector>( \
std::string target = GetParam().Target; \ CODE, GetParam().getCommandLineArgs())); \
GTEST_SKIP() << "certain integrals have the same bitwidth on " \
<< target; \
return; \
} \
runCheckerOnCodeWithArgs<add##NAME##SValCollector>( \
CODE, GetParam().getCommandLineArgs()); \
} \ } \
void NAME##SValCollector::test(ExprEngine &Engine, \ void NAME##SValCollector::test(ExprEngine &Engine, \
const ASTContext &Context) const const ASTContext &Context) const
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Actual tests // Actual tests
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
SVAL_TEST(GetConstType, R"( SVAL_TEST(GetConstType, R"(
void foo() { void foo() {
int x = 42; int x = 42;
int *y = nullptr; int *y = nullptr;
})") { })") {
SVal X = getByName("x"); SVal X = getByName("x");
ASSERT_FALSE(X.getType(Context).isNull()); ASSERT_FALSE(X.getType(Context).isNull());
EXPECT_EQ(Context.IntTy, X.getType(Context)); EXPECT_EQ(Context.IntTy, X.getType(Context));
SVal Y = getByName("y"); SVal Y = getByName("y");
ASSERT_FALSE(Y.getType(Context).isNull()); ASSERT_FALSE(Y.getType(Context).isNull());
EXPECT_EQ(Context.getUIntPtrType(), Y.getType(Context)); expectSameSignAndBitWidth(Context.getUIntPtrType(), Y.getType(Context),
Context);
} }
SVAL_TEST(GetLocAsIntType, R"( SVAL_TEST(GetLocAsIntType, R"(
void foo(int *x) { void foo(int *x) {
long int a = (long int)x; long int a = (long long int)x;
unsigned b = (long unsigned)&a; unsigned b = (long long unsigned)&a;
int c = (long int)nullptr; int c = (long long int)nullptr;
stevewanUnsubmitted
Not Done
ReplyInline Actions

Okay this reminded me that I wanted to ask this dumb question. Don't the assignments eventually do the implicit down-casting? Is it fine because we are not dealing with anything concrete and just doing static analysis over the code?

stevewan: Okay this reminded me that I wanted to ask this dumb question. Don't the assignments eventually…
steakhalAuthorUnsubmitted
Done
ReplyInline Actions

I think the problem is that this is a c-style reinterpret cast. And that must operate on equal bitwidth (or casting to something even larger) types.
So, if I recall correctly, this code did not compile on all targetted platforms, thus I decided to use a slightly wider type to accommodate for that.

From the CSA's standpoint, it shouldn't matter. The value of x will be eventually narrowed to a long int.
If the pointer has the same bitwidth as long int, then the widening is compensated by the narrowing, binding a directly to x.
If the pointer has the same bitwidth as long long int, then there is no widening, only a narrowing, thus CSA will bind a to (long int)x.

Anyway, since x is a pointer, and AFAIK CSA models pointers as unsigned values, we should get an unsigned value at the end of the day.
But don't quote me on that :D

steakhal: I think the problem is that this is a c-style reinterpret cast. And that must operate on equal…
})") { })") {
SVal A = getByName("a"); SVal A = getByName("a");
ASSERT_FALSE(A.getType(Context).isNull()); ASSERT_FALSE(A.getType(Context).isNull());
// TODO: Turn it into signed long // TODO: Turn it into signed long
EXPECT_EQ(Context.getUIntPtrType(), A.getType(Context)); expectSameSignAndBitWidth(Context.UnsignedLongTy, A.getType(Context),
Context);
SVal B = getByName("b"); SVal B = getByName("b");
ASSERT_FALSE(B.getType(Context).isNull()); ASSERT_FALSE(B.getType(Context).isNull());
EXPECT_EQ(Context.UnsignedIntTy, B.getType(Context)); expectSameSignAndBitWidth(Context.UnsignedIntTy, B.getType(Context), Context);
SVal C = getByName("c"); SVal C = getByName("c");
ASSERT_FALSE(C.getType(Context).isNull()); ASSERT_FALSE(C.getType(Context).isNull());
EXPECT_EQ(Context.IntTy, C.getType(Context)); expectSameSignAndBitWidth(Context.IntTy, C.getType(Context), Context);
} }
SVAL_TEST(GetSymExprType, R"( SVAL_TEST(GetSymExprType, R"(
void foo(int a, int b) { void foo(int a, int b) {
int x = a; int x = a;
int y = a + b; int y = a + b;
long z = a; long z = a;
})") { })") {
▲ Show 20 LinesShow All 206 LinesShow Last 20 Lines