This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
8/8
ConstraintManager.h
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
5/5
ConstraintManager.cpp
-
SimpleSValBuilder.cpp

Differential D126560

[analyzer] Track assume call stack to detect fixpoint
ClosedPublic

Authored by martong on May 27 2022, 11:55 AM.

Download Raw Diff

Details

Reviewers

NoQ
steakhal
Szelethus

Commits

rGf66f4d3b07b2: [analyzer] Track assume call stack to detect fixpoint

Summary

Assume functions might recurse (see reAssume or tryRearrange). During the
recursion, the State might not change anymore, that means we reached a
fixpoint. In this patch, we avoid infinite recursion of assume calls by
checking already visited States on the stack of assume function calls. This
patch renders the previous "workaround" solution (D47155) unnecessary.
Note that this is not an NFC patch. If we were to limit the maximum stack
depth of the assume calls to 1 then would it be equivalent with the previous
solution in D47155.

Additionally, in D113753, we simplify the symbols right at the beginning of evalBinOpNN.
So, a call to simplifySVal in getKnownValue (added in D51252) is no longer needed.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.May 27 2022, 11:55 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptMay 27 2022, 11:55 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 9 others. · View Herald Transcript

martong requested review of this revision.May 27 2022, 11:55 AM

Herald added a project: Restricted Project. · View Herald TranscriptMay 27 2022, 11:55 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

Harbormaster completed remote builds in B166688: Diff 432611.May 27 2022, 12:22 PM

Add AssumeStack to track recursive assume calls

martong retitled this revision from [analyzer][NFC] SimpleSValBuilder simplification: Remove superfluous workaround code to [analyzer][NFC] SimpleSValBuilder simplification: Remove superfluous workaround code and track Assume call stack rather.May 31 2022, 8:38 AM

martong edited the summary of this revision. (Show Details)

Harbormaster completed remote builds in B167051: Diff 433097.May 31 2022, 9:08 AM

This isn't an NFC change. It's more than a refactor/cosmetic change.
Please run some benchmarks to validate the assumed performance characteristics.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
155	Have you considered llvm::SmallPtrSet ?
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
56–59	Why don't you return `RawSt` on the early return path instead? That seems to contain more information than `State`, right? You lookup twice the location of the `RawSt` entry; once in the `hasCycle()` and again in the `push()`. I would recommend doing an unconditional `insert()` directly and reusing the returned bool part of the pair to observe if it did actually insert.

martong marked 2 inline comments as done.Jun 1 2022, 1:52 AM

martong added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
155	Actually, a SmallSet of pointers is transparently implemented with a SmallPtrSet.
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
56–59	Why don't you return `RawSt` on the early return path instead? That seems to contain more information than `State`, right? No, `RawSt` contains the same information as `State`. You lookup twice the location of the `RawSt` entry; once in the `hasCycle()` and again in the `push()`. I would recommend doing an unconditional `insert()` directly and reusing the returned bool part of the pair to observe if it did actually insert. I am considering to change the container to a `SmallVector` instead. I'd like to keep the interface of `hasCycle` and `push` and `pop` because those express the intention more clearly. And SmallSet falls back to a simple linear search anyway if size is less than N.

In D126560#3549408, @steakhal wrote:

This isn't an NFC change. It's more than a refactor/cosmetic change.

Still, there is no visible change in the behavior, at least that is intended. Should it be an NFCi ?

Please run some benchmarks to validate the assumed performance characteristics.

Yeah I've thought of it, here it is:

Use SmallVector in AssumeStack

In D126560#3549570, @martong wrote:

In D126560#3549408, @steakhal wrote:

This isn't an NFC change. It's more than a refactor/cosmetic change.

Still, there is no visible change in the behavior, at least that is intended. Should it be an NFCi ?

Please run some benchmarks to validate the assumed performance characteristics.

Yeah I've thought of it, here it is:

Yes, let's go with NFCi.

clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
56–59	I'd like to keep the interface of hasCycle and push and pop because those express the intention more clearly. I disagree. Double lookups are always a code-smell. I insist on this.

Harbormaster completed remote builds in B167209: Diff 433324.Jun 1 2022, 2:37 AM

Remove FIXME comment

martong added inline comments.Jun 1 2022, 4:57 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
139–145	This hunk is probably also superfluous. With tracking the assume stack below, it should be safe to call `assume` even from `evalAssume`. But, I'd rather remove that in a subsequent patch, because `checkNull`s behavior is dependent on that.

Harbormaster completed remote builds in B167231: Diff 433353.Jun 1 2022, 5:09 AM

steakhal accepted this revision.Jun 1 2022, 7:09 AM

steakhal added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
21	Unused.
139–145	Oh, I haven't thought about that. Thanks. Feel free to do in a followup!
153	Use `llvm::is_contained()` instead.
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
60	Don't we call these 'Guards'?

This revision is now accepted and ready to land.Jun 1 2022, 7:09 AM

I've made some measurements with the diff down below. So, it seems like the chance of being a recursive call is very unlikely (roughly 1/10000). Thus I am going to update this condition with LLVM_UNLIKELY. Besides, the depth of the call stack seems to be less than 4 in the majority of cases (99.98%). However, there are edge cases (ffmpeg) when the depth is even bigger than 16. Consequently, a SmallPtrSet with 4 as the small buffer size would be better than the SmallVector.

Attached the csa-testbanch results.

stats.html255 KBDownload

Plus, attached a summarizing excel sheet about the assume stack depth (courtesy of @steakhal).

assume-stack-depths.xlsx25 KBDownload

diff --git a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
index f1b75a57115b..097d0ff8d162 100644
--- a/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
+++ b/clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
@@ -153,6 +153,7 @@ protected:
     bool contains(const ProgramState *S) const {
       return llvm::find(Aux, S) != Aux.end();
     }
+    size_t size() { return Aux.size(); }

   private:
     llvm::SmallVector<const ProgramState *, 4> Aux;
diff --git a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
index 0866d3d0db74..11bbda9dd899 100644
--- a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
@@ -17,10 +17,25 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
 #include "llvm/ADT/ScopeExit.h"
+#include "llvm/ADT/Statistic.h"

 using namespace clang;
 using namespace ento;

+#define DEBUG_TYPE "CoreEngine"
+
+STATISTIC(NumAssume, "The # of assume calls");
+STATISTIC(NumAssumeRecurse, "The # of recursive assume calls");
+STATISTIC(AssumeStackSize01, "The # of assume stack size between 0 and 1");
+STATISTIC(AssumeStackSize23, "The # of assume stack size between 2 and 3");
+STATISTIC(AssumeStackSize45, "The # of assume stack size between 4 and 5");
+STATISTIC(AssumeStackSize67, "The # of assume stack size between 6 and 7");
+STATISTIC(AssumeStackSize89, "The # of assume stack size between 8 and 9");
+STATISTIC(AssumeStackSize1011, "The # of assume stack size between 10 and 11");
+STATISTIC(AssumeStackSize1213, "The # of assume stack size between 12 and 13");
+STATISTIC(AssumeStackSize1415, "The # of assume stack size between 14 and 15");
+STATISTIC(AssumeStackSize16XX, "The # of assume stack size greater equal than 16");
+
 ConstraintManager::~ConstraintManager() = default;

 static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
@@ -53,9 +68,30 @@ ConstraintManager::assumeDualImpl(ProgramStateRef &State,
   // fixpoint.
   // We avoid infinite recursion of assume calls by checking already visited
   // States on the stack of assume function calls.
+  ++NumAssume;
+  if (AssumeStack.size() < 2)
+    ++AssumeStackSize01;
+  else if (AssumeStack.size() < 4)
+    ++AssumeStackSize23;
+  else if (AssumeStack.size() < 6)
+    ++AssumeStackSize45;
+  else if (AssumeStack.size() < 8)
+    ++AssumeStackSize67;
+  else if (AssumeStack.size() < 10)
+    ++AssumeStackSize89;
+  else if (AssumeStack.size() < 12)
+    ++AssumeStackSize1011;
+  else if (AssumeStack.size() < 14)
+    ++AssumeStackSize1213;
+  else if (AssumeStack.size() < 16)
+    ++AssumeStackSize1415;
+  else
+    ++AssumeStackSize16XX;
   const ProgramState *RawSt = State.get();
-  if (AssumeStack.contains(RawSt))
+  if (AssumeStack.contains(RawSt)) {
+    ++NumAssumeRecurse;
     return {State, State};
+  }
   AssumeStack.push(RawSt);
   auto AssumeStackBuilder =
       llvm::make_scope_exit([this]() { AssumeStack.pop(); });

martong retitled this revision from [analyzer][NFC] SimpleSValBuilder simplification: Remove superfluous workaround code and track Assume call stack rather to [analyzer] Track assume call stack to detect fixpoint.Jun 2 2022, 4:42 AM

martong edited the summary of this revision. (Show Details)

Consequently, a SmallPtrSet with 4 as the small buffer size would be better than the SmallVector

Ahh, SmallVector is still better, because with the set we need to do a search in the `erase, which compares badly to a simple decrement in the vector's pop_back.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
21	Thx.
153	Ok.
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
60	Yeah, we tend to call them guards in the context of exception safety and resource management. But, I think, "builder" is more expressive here.

Add LLVM_UNLIKELY

Harbormaster completed remote builds in B167493: Diff 433719.Jun 2 2022, 5:52 AM

Looks good!

Express why this is not an NFC patch in the summary.

martong added a child revision: D126878: [analyzer] Remove NotifyAssumeClients.Jun 2 2022, 6:09 AM

martong edited the summary of this revision. (Show Details)Jun 2 2022, 6:24 AM

Measurement results on the last diff looks good.

This revision was landed with ongoing or failed builds.Jun 6 2022, 11:36 PM

Closed by commit rGf66f4d3b07b2: [analyzer] Track assume call stack to detect fixpoint (authored by martong). · Explain Why

This revision was automatically updated to reflect the committed changes.

martong added a commit: rGf66f4d3b07b2: [analyzer] Track assume call stack to detect fixpoint.

uabelho added a subscriber: uabelho.Jun 7 2022, 6:37 AM

New assertion failure:

llvm-project/clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp:72: bool isLeftShiftResultUnrepresentable(const clang::BinaryOperator *, clang::ento::CheckerContext &): Assertion `LHS && RHS && "Values unknown, inconsistent state"' failed.

Reproduction:

cat > extent.c <<EOF
void crashing(long a, _Bool b) {
  a & 1 && 0;
  b = a & 1;
  b << 1;
}
EOF
build/release/bin/clang --analyze -Xclang -analyzer-checker=core extent.c

The important part of the stack trace:

isLeftShiftResultUnrepresentable(clang::BinaryOperator const*, clang::ento::CheckerContext&) llvm-project/clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp:73:20
UndefResultChecker::checkPostStmt(clang::BinaryOperator const*, clang::ento::CheckerContext&) const llvm-project/clang/lib/StaticAnalyzer/Checkers/UndefResultChecker.cpp:154:18

Please @martong have a look at this.

Thanks for the report. I am looking into it.

martong added a child revision: D127285: [analyzer] Fix assertion failure after getKnownValue call.Jun 8 2022, 3:16 AM

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

ConstraintManager.h

14 lines

lib/

StaticAnalyzer/

Core/

ConstraintManager.cpp

13 lines

SimpleSValBuilder.cpp

10 lines

Diff 434699

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h

Show All 12 Lines
#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CONSTRAINTMANAGER_H		#ifndef LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CONSTRAINTMANAGER_H
#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CONSTRAINTMANAGER_H		#define LLVM_CLANG_STATICANALYZER_CORE_PATHSENSITIVE_CONSTRAINTMANAGER_H

#include "clang/Basic/LLVM.h"		#include "clang/Basic/LLVM.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"		#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
#include "llvm/ADT/Optional.h"		#include "llvm/ADT/Optional.h"
#include "llvm/Support/SaveAndRestore.h"		#include "llvm/Support/SaveAndRestore.h"
		steakhalUnsubmitted Done Reply Inline Actions Unused. steakhal: Unused.
		martongAuthorUnsubmitted Done Reply Inline Actions Thx. martong: Thx.
#include <memory>		#include <memory>
#include <utility>		#include <utility>

namespace llvm {		namespace llvm {

class APSInt;		class APSInt;

} // namespace llvm		} // namespace llvm
▲ Show 20 Lines • Show All 101 Lines • ▼ Show 20 Lines	public:
/// not null, or if neither assumption can be made.		/// not null, or if neither assumption can be made.
ConditionTruthVal isNull(ProgramStateRef State, SymbolRef Sym) {		ConditionTruthVal isNull(ProgramStateRef State, SymbolRef Sym) {
SaveAndRestore<bool> DisableNotify(NotifyAssumeClients, false);		SaveAndRestore<bool> DisableNotify(NotifyAssumeClients, false);

return checkNull(State, Sym);		return checkNull(State, Sym);
}		}

protected:		protected:
/// A flag to indicate that clients should be notified of assumptions.		/// A flag to indicate that clients should be notified of assumptions.
/// By default this is the case, but sometimes this needs to be restricted		/// By default this is the case, but sometimes this needs to be restricted
/// to avoid infinite recursions within the ConstraintManager.		/// to avoid infinite recursions within the ConstraintManager.
///		///
/// Note that this flag allows the ConstraintManager to be re-entrant,		/// Note that this flag allows the ConstraintManager to be re-entrant,
/// but not thread-safe.		/// but not thread-safe.
bool NotifyAssumeClients = true;		bool NotifyAssumeClients = true;
		martongAuthorUnsubmitted Done Reply Inline Actions This hunk is probably also superfluous. With tracking the assume stack below, it should be safe to call `assume` even from `evalAssume`. But, I'd rather remove that in a subsequent patch, because `checkNull`s behavior is dependent on that. martong: This hunk is probably also superfluous. With tracking the assume stack below, it should be safe…
		steakhalUnsubmitted Done Reply Inline Actions Oh, I haven't thought about that. Thanks. Feel free to do in a followup! steakhal: Oh, I haven't thought about that. Thanks. Feel free to do in a followup!

		/// A helper class to simulate the call stack of nested assume calls.
		class AssumeStackTy {
		public:
		void push(const ProgramState *S) { Aux.push_back(S); }
		void pop() { Aux.pop_back(); }
		bool contains(const ProgramState *S) const {
		return llvm::is_contained(Aux, S);
		steakhalUnsubmitted Done Reply Inline Actions Use `llvm::is_contained()` instead. steakhal: Use `llvm::is_contained()` instead.
		martongAuthorUnsubmitted Done Reply Inline Actions Ok. martong: Ok.
		}

		steakhalUnsubmitted Done Reply Inline Actions Have you considered llvm::SmallPtrSet ? steakhal: Have you considered [[ https://www.llvm.org/docs/ProgrammersManual.html#llvm-adt-smallptrset-h…
		martongAuthorUnsubmitted Done Reply Inline Actions Actually, a SmallSet of pointers is transparently implemented with a SmallPtrSet. martong: Actually, a SmallSet of pointers is transparently implemented with a SmallPtrSet.
		private:
		llvm::SmallVector<const ProgramState *, 4> Aux;
		};
		AssumeStackTy AssumeStack;

virtual ProgramStateRef assumeInternal(ProgramStateRef state,		virtual ProgramStateRef assumeInternal(ProgramStateRef state,
DefinedSVal Cond, bool Assumption) = 0;		DefinedSVal Cond, bool Assumption) = 0;

virtual ProgramStateRef assumeInclusiveRangeInternal(ProgramStateRef State,		virtual ProgramStateRef assumeInclusiveRangeInternal(ProgramStateRef State,
NonLoc Value,		NonLoc Value,
const llvm::APSInt &From,		const llvm::APSInt &From,
const llvm::APSInt &To,		const llvm::APSInt &To,
bool InBound) = 0;		bool InBound) = 0;
Show All 29 Lines

clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp

	Show All 10 Lines
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
	#include "clang/AST/Type.h"			#include "clang/AST/Type.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
				#include "llvm/ADT/ScopeExit.h"

	using namespace clang;			using namespace clang;
	using namespace ento;			using namespace ento;

	ConstraintManager::~ConstraintManager() = default;			ConstraintManager::~ConstraintManager() = default;

	static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,			static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
	SymbolRef Sym) {			SymbolRef Sym) {
	Show All 17 Lines

	template <typename AssumeFunction>			template <typename AssumeFunction>
	ConstraintManager::ProgramStatePair			ConstraintManager::ProgramStatePair
	ConstraintManager::assumeDualImpl(ProgramStateRef &State,			ConstraintManager::assumeDualImpl(ProgramStateRef &State,
	AssumeFunction &Assume) {			AssumeFunction &Assume) {
	if (State->isPosteriorlyOverconstrained())			if (State->isPosteriorlyOverconstrained())
	return {State, State};			return {State, State};

				// Assume functions might recurse (see `reAssume` or `tryRearrange`). During
				// the recursion the State might not change anymore, that means we reached a
				// fixpoint.
				// We avoid infinite recursion of assume calls by checking already visited
				// States on the stack of assume function calls.
				const ProgramState *RawSt = State.get();
				if (LLVM_UNLIKELY(AssumeStack.contains(RawSt)))
				steakhalUnsubmitted Done Reply Inline Actions Why don't you return `RawSt` on the early return path instead? That seems to contain more information than `State`, right? You lookup twice the location of the `RawSt` entry; once in the `hasCycle()` and again in the `push()`. I would recommend doing an unconditional `insert()` directly and reusing the returned bool part of the pair to observe if it did actually insert. steakhal: Why don't you return `RawSt` on the early return path instead? That seems to contain more…
				martongAuthorUnsubmitted Done Reply Inline Actions Why don't you return `RawSt` on the early return path instead? That seems to contain more information than `State`, right? No, `RawSt` contains the same information as `State`. You lookup twice the location of the `RawSt` entry; once in the `hasCycle()` and again in the `push()`. I would recommend doing an unconditional `insert()` directly and reusing the returned bool part of the pair to observe if it did actually insert. I am considering to change the container to a `SmallVector` instead. I'd like to keep the interface of `hasCycle` and `push` and `pop` because those express the intention more clearly. And SmallSet falls back to a simple linear search anyway if size is less than N. martong: > Why don't you return `RawSt` on the early return path instead? That seems to contain more…
				steakhalUnsubmitted Done Reply Inline Actions I'd like to keep the interface of hasCycle and push and pop because those express the intention more clearly. I disagree. Double lookups are always a code-smell. I insist on this. steakhal: > I'd like to keep the interface of hasCycle and push and pop because those express the…
				return {State, State};
				steakhalUnsubmitted Done Reply Inline Actions Don't we call these 'Guards'? steakhal: Don't we call these 'Guards'?
				martongAuthorUnsubmitted Done Reply Inline Actions Yeah, we tend to call them guards in the context of exception safety and resource management. But, I think, "builder" is more expressive here. martong: Yeah, we tend to call them guards in the context of exception safety and resource management.
				AssumeStack.push(RawSt);
				auto AssumeStackBuilder =
				llvm::make_scope_exit([this]() { AssumeStack.pop(); });

	ProgramStateRef StTrue = Assume(true);			ProgramStateRef StTrue = Assume(true);

	if (!StTrue) {			if (!StTrue) {
	ProgramStateRef StFalse = Assume(false);			ProgramStateRef StFalse = Assume(false);
	if (LLVM_UNLIKELY(!StFalse)) { // both infeasible			if (LLVM_UNLIKELY(!StFalse)) { // both infeasible
	ProgramStateRef StInfeasible = State->cloneAsPosteriorlyOverconstrained();			ProgramStateRef StInfeasible = State->cloneAsPosteriorlyOverconstrained();
	assert(StInfeasible->isPosteriorlyOverconstrained());			assert(StInfeasible->isPosteriorlyOverconstrained());
	// Checkers might rely on the API contract that both returned states			// Checkers might rely on the API contract that both returned states
	▲ Show 20 Lines • Show All 51 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 Lines • Show All 314 Lines • ▼ Show 20 Lines	static NonLoc doRearrangeUnchecked(ProgramStateRef State,
QualType ResultTy;		QualType ResultTy;
if (BinaryOperator::isComparisonOp(Op))		if (BinaryOperator::isComparisonOp(Op))
ResultTy = SVB.getConditionType();		ResultTy = SVB.getConditionType();
else if (BinaryOperator::isAdditiveOp(Op))		else if (BinaryOperator::isAdditiveOp(Op))
ResultTy = SymTy;		ResultTy = SymTy;
else		else
llvm_unreachable("Operation not suitable for unchecked rearrangement!");		llvm_unreachable("Operation not suitable for unchecked rearrangement!");

// FIXME: Can we use assume() without getting into an infinite recursion?
if (LSym == RSym)		if (LSym == RSym)
return SVB.evalBinOpNN(State, Op, nonloc::ConcreteInt(LInt),		return SVB.evalBinOpNN(State, Op, nonloc::ConcreteInt(LInt),
nonloc::ConcreteInt(RInt), ResultTy)		nonloc::ConcreteInt(RInt), ResultTy)
.castAs<NonLoc>();		.castAs<NonLoc>();

SymbolRef ResultSym = nullptr;		SymbolRef ResultSym = nullptr;
BinaryOperator::Opcode ResultOp;		BinaryOperator::Opcode ResultOp;
llvm::APSInt ResultInt;		llvm::APSInt ResultInt;
▲ Show 20 Lines • Show All 853 Lines • ▼ Show 20 Lines	if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) {
superR, getContext()));		superR, getContext()));
}		}
}		}
return UnknownVal();		return UnknownVal();
}		}

const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state,		const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state,
SVal V) {		SVal V) {
V = simplifySVal(state, V);
if (V.isUnknownOrUndef())		if (V.isUnknownOrUndef())
return nullptr;		return nullptr;

if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>())		if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>())
return &X->getValue();		return &X->getValue();

if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>())		if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>())
return &X->getValue();		return &X->getValue();
▲ Show 20 Lines • Show All 177 Lines • ▼ Show 20 Lines	SVal VisitNonLocSymbolVal(nonloc::SymbolVal V) {
// Simplification is much more costly than computing complexity.		// Simplification is much more costly than computing complexity.
// For high complexity, it may be not worth it.		// For high complexity, it may be not worth it.
return Visit(V.getSymbol());		return Visit(V.getSymbol());
}		}

SVal VisitSVal(SVal V) { return V; }		SVal VisitSVal(SVal V) { return V; }
};		};

// A crude way of preventing this function from calling itself from evalBinOp.
static bool isReentering = false;
if (isReentering)
return V;

isReentering = true;
SVal SimplifiedV = Simplifier(State).Visit(V);		SVal SimplifiedV = Simplifier(State).Visit(V);
isReentering = false;

return SimplifiedV;		return SimplifiedV;
}		}