Diff 428681

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

Show First 20 Lines • Show All 1,437 Lines • ▼ Show 20 Lines private:

} }

/// Return a range set subtracting zero from \p Domain. /// Return a range set subtracting zero from \p Domain.

RangeSet assumeNonZero(RangeSet Domain, QualType T) { RangeSet assumeNonZero(RangeSet Domain, QualType T) {

APSIntType IntType = ValueFactory.getAPSIntType(T); APSIntType IntType = ValueFactory.getAPSIntType(T);

return RangeFactory.deletePoint(Domain, IntType.getZeroValue()); return RangeFactory.deletePoint(Domain, IntType.getZeroValue());

} }

// FIXME: Once SValBuilder supports unary minus, we should use SValBuilder to

// obtain the negated symbolic expression instead of constructing the

// symbol manually. This will allow us to support finding ranges of not

// only negated SymSymExpr-type expressions, but also of other, simpler

// expressions which we currently do not know how to negate.

Optional<RangeSet> getRangeForNegatedSub(SymbolRef Sym) { Optional<RangeSet> getRangeForNegatedSub(SymbolRef Sym) {

if (const SymSymExpr *SSE = dyn_cast<SymSymExpr>(Sym)) { // Do not negate if the type cannot be meaningfully negated.

if (SSE->getOpcode() == BO_Sub) { if (!Sym->getType()->isUnsignedIntegerOrEnumerationType() &&

QualType T = Sym->getType(); !Sym->getType()->isSignedIntegerOrEnumerationType())

// Do not negate unsigned ranges

if (!T->isUnsignedIntegerOrEnumerationType() &&

!T->isSignedIntegerOrEnumerationType())

return llvm::None; return llvm::None;

const RangeSet *NegatedRange = nullptr;

if (const UnarySymExpr *USE = dyn_cast<UnarySymExpr>(Sym)) {

steakhalUnsubmitted

Done

const RangeSet *NegatedRange = nullptr;

- if (const UnarySymExpr *USE = dyn_cast<UnarySymExpr>(Sym)) {

+ if (const auto *USE = dyn_cast<UnarySymExpr>(Sym)) {

if (USE->getOpcode() == UO_Minus) {

steakhal:

if (USE->getOpcode() == UO_Minus) {

// Just get the operand when we negate a symbol that is already negated.

// -(-a) == a, ~(~a) == a

steakhalUnsubmitted

Done

The comment says that it would work with both - and ~.
Why do you check against only -?

steakhal: The comment says that it would work with both `-` and `~`. Why do you check against only `-`?

martongAuthorUnsubmitted

Done

Unfortunately, the complement operation is not implemented on the RangeSet. So, yes, in this sense the comment is misleading, I've changed it.

martong: Unfortunately, the complement operation is not implemented on the RangeSet. So, yes, in this…

SymbolRef NegatedSym = USE->getOperand();

NegatedRange = getConstraint(State, NegatedSym);

steakhalUnsubmitted

Done

// -(-a) == a, ~(~a) == a

- SymbolRef NegatedSym = USE->getOperand();

- NegatedRange = getConstraint(State, NegatedSym);

+ NegatedRange = getConstraint(State, USE->getOperand());

}

} else if (const SymSymExpr *SSE = dyn_cast<SymSymExpr>(Sym)) {

steakhal:

}

} else if (const SymSymExpr *SSE = dyn_cast<SymSymExpr>(Sym)) {

if (SSE->getOpcode() == BO_Sub) {

QualType T = Sym->getType();

SymbolManager &SymMgr = State->getSymbolManager(); SymbolManager &SymMgr = State->getSymbolManager();

steakhalUnsubmitted

Done

This SymMgr is acquired multiple times. We could hoist it and use it everywhere.

steakhal: This `SymMgr` is acquired multiple times. We could hoist it and use it everywhere.

SymbolRef NegatedSym = SymbolRef NegatedSym =

SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), T); SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), T);

NegatedRange = getConstraint(State, NegatedSym);

if (const RangeSet *NegatedRange = getConstraint(State, NegatedSym)) {

return RangeFactory.negate(*NegatedRange);

}

} }

} else {

SymbolManager &SymMgr = State->getSymbolManager();

SymbolRef NegatedSym =

SymMgr.getUnarySymExpr(Sym, UO_Minus, Sym->getType());

NegatedRange = getConstraint(State, NegatedSym);

} }

if (NegatedRange)

return RangeFactory.negate(*NegatedRange);

return llvm::None; return llvm::None;

} }

// Returns ranges only for binary comparison operators (except <=>) // Returns ranges only for binary comparison operators (except <=>)

// when left and right operands are symbolic values. // when left and right operands are symbolic values.

// Finds any other comparisons with the same operands. // Finds any other comparisons with the same operands.

// Then do logical calculations and refuse impossible branches. // Then do logical calculations and refuse impossible branches.

// E.g. (x < y) and (x > y) at the same time are impossible. // E.g. (x < y) and (x > y) at the same time are impossible.

▲ Show 20 Lines • Show All 1,856 Lines • Show Last 20 Lines

clang/test/Analysis/constraint_manager_negate.c

This file was added.

// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection,core.builtin \

// RUN: -analyzer-config eagerly-assume=false \

// RUN: -verify %s

void clang_analyzer_eval(int);

void clang_analyzer_dump(int);

void exit(int);

#define UINT_MIN (0U)

#define UINT_MAX (~UINT_MIN)

#define UINT_MID (UINT_MAX / 2 + 1)

#define INT_MAX (UINT_MAX & (UINT_MAX >> 1))

#define INT_MIN (UINT_MAX & ~(UINT_MAX >> 1))

extern void __assert_fail (__const char *__assertion, __const char *__file,

unsigned int __line, __const char *__function)

__attribute__ ((__noreturn__));

#define assert(expr) \

((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))

steakhalUnsubmitted

Done

#define INT_MIN (UINT_MAX & ~(UINT_MAX >> 1))

- extern void __assert_fail (__const char *__assertion, __const char *__file,

- unsigned int __line, __const char *__function)

- __attribute__ ((__noreturn__));

- #define assert(expr) \

- ((expr) ? (void)(0) : __assert_fail (#expr, __FILE__, __LINE__, __func__))

+ extern void abort() __attribute__ ((__noreturn__));

+ #define assert(expr) ((expr) ? (void)(0) : abort())

void negate_positive_range(int a) {

We can probably spare the unimportant stuff.

steakhal: We can probably spare the unimportant stuff.

void negate_positive_range(int a) {

if (-a <= 0)

return;

// -a: [1, INT_MAX]

steakhalUnsubmitted

Done

Why don't you use assert(-a > 0) here? It should be equivalent. Same for the rest.

steakhal: Why don't you use `assert(-a > 0)` here? It should be equivalent. Same for the rest.

// a: [INT_MIN, -1]

clang_analyzer_eval(a < 0); // expected-warning{{TRUE}}

clang_analyzer_eval(a >= INT_MIN); // expected-warning{{TRUE}}

clang_analyzer_eval(a == INT_MIN); // expected-warning{{FALSE}}

}

steakhalUnsubmitted

Done

You can also query if the bound is sharp, by asking the same question but with a slightly different value and expect UNKNOWN.

clang_analyzer_eval(a < 0); // expected-warning{{TRUE}}
clang_analyzer_eval(a < -1); // expected-warning{{UNKNOWN}}

I also believe that a >= INT_MIN is TRUE for all a anyway, thus it can be omitted.
Checking against equality won't help much either, because we had no equality check before, thus it should result in FALSE unconditionally.

steakhal: You can also query if the bound is sharp, by asking the same question but with a slightly…

martongAuthorUnsubmitted

Done

Okay, I changed it to something very obvious:

clang_analyzer_eval(a < 0); // expected-warning{{TRUE}}
clang_analyzer_eval(a > INT_MIN); // expected-warning{{TRUE}}

martong: Okay, I changed it to something very obvious: ``` clang_analyzer_eval(a < 0); // expected…

void negate_positive_range2(int a) {

if (a <= 0)

return;

// a: [1, INT_MAX]

// -a: [INT_MIN, -1]

clang_analyzer_eval(-a < 0); // expected-warning{{TRUE}}

clang_analyzer_eval(-a >= INT_MIN); // expected-warning{{TRUE}}

clang_analyzer_eval(-a == INT_MIN); // expected-warning{{FALSE}}

}

_Static_assert(INT_MIN == -INT_MIN, "");

void negate_int_min(int a) {

if (a != INT_MIN)

return;

clang_analyzer_eval(-a == INT_MIN); // expected-warning{{TRUE}}

}

steakhalUnsubmitted

Done

Let's also assert a == INT_MIN just for the symmetry.

steakhal: Let's also assert `a == INT_MIN` just for the symmetry.

martongAuthorUnsubmitted

Done

That would be superfluous in my opinion, since I have changed the if to an

assert(a == INT_MIN);

martong: That would be superfluous in my opinion, since I have changed the `if` to an ``` assert(a ==…

void negate_mixed(int a) {

if (INT_MIN < a && a <= 0)

return;

clang_analyzer_eval(-a <= 0); // expected-warning{{TRUE}}

}

void effective_range(int a) {

assert(a >= 0);

assert(-a >= 0);

clang_analyzer_eval(a == 0); // expected-warning{{TRUE}}

clang_analyzer_eval(-a == 0); // expected-warning{{TRUE}}

}

_Static_assert(-INT_MIN == INT_MIN, "");

void effective_range_2(int a) {

assert(a <= 0);

assert(-a <= 0);

clang_analyzer_eval(a == 0 || a == INT_MIN); // expected-warning{{TRUE}}

}

void negate_symexpr(int a, int b) {

assert(3 <= a * b && a * b <= 5);

clang_analyzer_eval(-(a * b) >= -5); // expected-warning{{TRUE}}

clang_analyzer_eval(-(a * b) <= -3); // expected-warning{{TRUE}}

}

steakhalUnsubmitted

Done

Sweet!!

steakhal: Sweet!!

void negate_unsigned_min(unsigned a) {

if (a == UINT_MIN) {

clang_analyzer_eval(-a == UINT_MIN); // expected-warning{{TRUE}}

steakhalUnsubmitted

Done

Well, this is the third form of expressing constraints.

Using asserts.
Use ifs but with early returns.
Use ifs but embed the code into the true branch.

Please, settle on one method.

steakhal: Well, this is the third form of expressing constraints. 1) Using asserts. 2) Use ifs but with…

martongAuthorUnsubmitted

Done

Ok, I changed to assert everywhere.

martong: Ok, I changed to `assert` everywhere.

clang_analyzer_eval(-a != UINT_MIN); // expected-warning{{FALSE}}

clang_analyzer_eval(-a > UINT_MIN); // expected-warning{{FALSE}}

clang_analyzer_eval(-a < UINT_MIN); // expected-warning{{FALSE}}

}

_Static_assert(7u - 3u != 3u - 7u, "");

void negate_unsigned_4(unsigned a) {

if (a == 4u) {

clang_analyzer_eval(-a == 4u); // expected-warning{{FALSE}}

clang_analyzer_eval(-a != 4u); // expected-warning{{TRUE}}

}

steakhalUnsubmitted

Done

Add an equality comparison which results in TRUE.

steakhal: Add an equality comparison which results in `TRUE`.

martongAuthorUnsubmitted

Done

Sure.

martong: Sure.

}

_Static_assert(UINT_MID == -UINT_MID, "");

void negate_unsigned_mid(unsigned a) {

if (a == UINT_MID) {

clang_analyzer_eval(-a == UINT_MID); // expected-warning{{TRUE}}

clang_analyzer_eval(-a != UINT_MID); // expected-warning{{FALSE}}

}

steakhalUnsubmitted

Done

Leave a comment here that this is the only value besides zero where the negated is equal to the original value in the unsigned int domain.

steakhal: Leave a comment here that this is the only value besides zero where the negated is equal to the…

void negate_unsigned_mid2(unsigned a) {

if (a < UINT_MID && a > UINT_MIN) {

clang_analyzer_eval(-a > UINT_MID); // expected-warning{{TRUE}}

clang_analyzer_eval(-a < UINT_MID); // expected-warning{{FALSE}}

}

steakhalUnsubmitted

Done

}

void negate_unsigned_mid2(unsigned a) {

if (a < UINT_MID && a > UINT_MIN) {

+ // a: [UINT_MIN+1, UINT_MID-1]

clang_analyzer_eval(-a > UINT_MID); // expected-warning{{TRUE}}

clang_analyzer_eval(-a < UINT_MID); // expected-warning{{FALSE}}

}

_Static_assert(1u - 2u == UINT_MAX, "");

I believe the eval query can be sharper than this.

steakhal: I believe the eval query can be sharper than this.

martongAuthorUnsubmitted

Done

Ok.

martong: Ok.

_Static_assert(1u - 2u == UINT_MAX, "");

_Static_assert(2u - 1u == 1, "");

void negate_unsigned_max(unsigned a) {

if (a == UINT_MAX) {

clang_analyzer_eval(-a == 1); // expected-warning{{TRUE}}

clang_analyzer_eval(-a != 1); // expected-warning{{FALSE}}

}

void negate_unsigned_one(unsigned a) {

if (a == 1) {

clang_analyzer_eval(-a == UINT_MAX); // expected-warning{{TRUE}}

clang_analyzer_eval(-a < UINT_MAX); // expected-warning{{FALSE}}

}

clang/test/Analysis/constraint_manager_negate_difference.c

	// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection,core.builtin -analyzer-config aggressive-binary-operation-simplification=true -verify %s			// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection,core.builtin \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -verify %s

	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);

	void exit(int);			void exit(int);

	#define UINT_MIN (0U)			#define UINT_MIN (0U)
	#define UINT_MAX (~UINT_MIN)			#define UINT_MAX (~UINT_MIN)
	#define UINT_MID (UINT_MAX / 2 + 1)			#define UINT_MID (UINT_MAX / 2 + 1)
	▲ Show 20 Lines • Show All 72 Lines • ▼ Show 20 Lines
	void negate_positive_range(int m, int n) {			void negate_positive_range(int m, int n) {
	if (m - n <= 0)			if (m - n <= 0)
	return;			return;
	clang_analyzer_eval(n - m < 0); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m < 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m > INT_MIN); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m > INT_MIN); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m == INT_MIN); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m == INT_MIN); // expected-warning{{FALSE}}
	}			}

				_Static_assert(INT_MIN == -INT_MIN, "");
	void negate_int_min(int m, int n) {			void negate_int_min(int m, int n) {
	if (m - n != INT_MIN)			if (m - n != INT_MIN)
	return;			return;
	clang_analyzer_eval(n - m == INT_MIN); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m == INT_MIN); // expected-warning{{TRUE}}
	}			}

	void negate_mixed(int m, int n) {			void negate_mixed(int m, int n) {
	if (m -n > INT_MIN && m - n <= 0)			if (m -n > INT_MIN && m - n <= 0)
	return;			return;
	clang_analyzer_eval(n - m <= 0); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m <= 0); // expected-warning{{TRUE}}
	}			}

	void effective_range(int m, int n) {			void effective_range(int m, int n) {
	assert(m - n >= 0);			assert(m - n >= 0);
	assert(n - m >= 0);			assert(n - m >= 0);
	clang_analyzer_eval(m - n == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(m - n == 0); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m == 0); // expected-warning{{TRUE}}
	}			}

				_Static_assert(INT_MIN == -INT_MIN, "");
	void effective_range_2(int m, int n) {			void effective_range_2(int m, int n) {
	assert(m - n <= 0);			assert(m - n <= 0);
	assert(n - m <= 0);			assert(n - m <= 0);
	clang_analyzer_eval(m - n == 0); // expected-warning{{TRUE}} expected-warning{{FALSE}}			clang_analyzer_eval(m - n == 0 \|\| m - n == INT_MIN); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m == 0); // expected-warning{{TRUE}} expected-warning{{FALSE}}
	}			}

	void negate_unsigned_min(unsigned m, unsigned n) {			void negate_unsigned_min(unsigned m, unsigned n) {
	if (m - n == UINT_MIN) {			if (m - n == UINT_MIN) {
	clang_analyzer_eval(n - m == UINT_MIN); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m == UINT_MIN); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m != UINT_MIN); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m != UINT_MIN); // expected-warning{{FALSE}}
	clang_analyzer_eval(n - m > UINT_MIN); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m > UINT_MIN); // expected-warning{{FALSE}}
	clang_analyzer_eval(n - m < UINT_MIN); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m < UINT_MIN); // expected-warning{{FALSE}}
	}			}
	}			}

				_Static_assert(7u - 3u != 3u - 7u, "");
				void negate_unsigned_4(unsigned m, unsigned n) {
				if (m - n == 4u) {
				clang_analyzer_eval(n - m == 4u); // expected-warning{{FALSE}}
				clang_analyzer_eval(n - m != 4u); // expected-warning{{TRUE}}
				}
				}

				_Static_assert(UINT_MID == -UINT_MID, "");
	void negate_unsigned_mid(unsigned m, unsigned n) {			void negate_unsigned_mid(unsigned m, unsigned n) {
	if (m - n == UINT_MID) {			if (m - n == UINT_MID) {
	clang_analyzer_eval(n - m == UINT_MID); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m == UINT_MID); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m != UINT_MID); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m != UINT_MID); // expected-warning{{FALSE}}
	}			}
	}			}

	void negate_unsigned_mid2(unsigned m, unsigned n) {			void negate_unsigned_mid2(unsigned m, unsigned n) {
	if (m - n < UINT_MID && m - n > UINT_MIN) {			if (m - n < UINT_MID && m - n > UINT_MIN) {
	clang_analyzer_eval(n - m > UINT_MID); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m > UINT_MID); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m < UINT_MID); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m < UINT_MID); // expected-warning{{FALSE}}
	}			}
	}			}

				_Static_assert(1u - 2u == UINT_MAX, "");
				_Static_assert(2u - 1u == 1, "");
	void negate_unsigned_max(unsigned m, unsigned n) {			void negate_unsigned_max(unsigned m, unsigned n) {
	if (m - n == UINT_MAX) {			if (m - n == UINT_MAX) {
	clang_analyzer_eval(n - m == 1); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m == 1); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m != 1); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m != 1); // expected-warning{{FALSE}}
	}			}
	}			}

	void negate_unsigned_one(unsigned m, unsigned n) {			void negate_unsigned_one(unsigned m, unsigned n) {
	if (m - n == 1) {			if (m - n == 1) {
	clang_analyzer_eval(n - m == UINT_MAX); // expected-warning{{TRUE}}			clang_analyzer_eval(n - m == UINT_MAX); // expected-warning{{TRUE}}
	clang_analyzer_eval(n - m < UINT_MAX); // expected-warning{{FALSE}}			clang_analyzer_eval(n - m < UINT_MAX); // expected-warning{{FALSE}}
	}			}
	}			}

	// The next code is a repro for the bug PR41588			// The next code is a repro for the bug PR41588
	void negated_unsigned_range(unsigned x, unsigned y) {			void negated_unsigned_range(unsigned x, unsigned y) {
	clang_analyzer_eval(x - y != 0); // expected-warning{{FALSE}} expected-warning{{TRUE}}			clang_analyzer_eval(x - y != 0); // expected-warning{{UNKNOWN}}
	clang_analyzer_eval(y - x != 0); // expected-warning{{FALSE}} expected-warning{{TRUE}}			clang_analyzer_eval(y - x != 0); // expected-warning{{UNKNOWN}}
	// expected no assertion on the next line			// expected no assertion on the next line
	clang_analyzer_eval(x - y != 0); // expected-warning{{FALSE}} expected-warning{{TRUE}}			clang_analyzer_eval(x - y != 0); // expected-warning{{UNKNOWN}}
	}			}

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer][solver] Handle UnarySymExpr in RangeConstraintSolver
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 428681

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

clang/test/Analysis/constraint_manager_negate.c

clang/test/Analysis/constraint_manager_negate_difference.c

This is an archive of the discontinued LLVM Phabricator instance.

[analyzer][solver] Handle UnarySymExpr in RangeConstraintSolverClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 428681

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

clang/test/Analysis/constraint_manager_negate.c

clang/test/Analysis/constraint_manager_negate_difference.c

[analyzer][solver] Handle UnarySymExpr in RangeConstraintSolver
ClosedPublic