This is an archive of the discontinued LLVM Phabricator instance.

Differential D127285

[analyzer] Fix assertion failure after getKnownValue call
ClosedPublic

Authored by martong on Jun 8 2022, 3:16 AM.

Details

Reviewers
steakhal
Szelethus
Commits
rGbc2c759aeee7: [analyzer] Fix assertion failure after getKnownValue call
Summary

Depends on D126560. getKnownValue has been changed by the parent patch
in a way that simplification was removed. This is not correct when the
function is called by the Checkers. Thus, a new internal function is
introduced, getConstValue, which simply queries the constraint manager.
This getConstValue is used internally in the SimpleSValBuilder when a
binop is evaluated, this way we avoid the recursion into the Simplifier.

Diff Detail

Event Timeline

martong created this revision.Jun 8 2022, 3:16 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptJun 8 2022, 3:16 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 9 others. · View Herald Transcript
martong requested review of this revision.Jun 8 2022, 3:16 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 8 2022, 3:16 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong retitled this revision from [analyzer] Fix assertion failure after getKnwonValue call to [analyzer] Fix assertion failure after getKnownValue call.Jun 8 2022, 3:17 AM
steakhal added a comment.Jun 8 2022, 3:26 AM

LGTM
Schedule a measurement to see what changes. Let's hope it won't introduce more crashes.
If everything checks out, it gets approved.

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
25–28

I'm also wondering if this should be at the top. I would rather put it below simplifySValOnce().

steakhal added a comment.Jun 8 2022, 3:27 AM

Check the summary for typos. Try to mark named entities like this.

Harbormaster completed remote builds in B168511: Diff 435092.Jun 8 2022, 3:44 AM
uabelho added a subscriber: uabelho.Jun 8 2022, 3:47 AM
martong edited the summary of this revision. (Show Details)Jun 8 2022, 4:56 AM
martong added a comment.Jun 8 2022, 5:00 AM
In D127285#3566034, @steakhal wrote:

... Try to mark named entities like this.

Could you please elaborate?

steakhal added a comment.Jun 8 2022, 6:37 AM
In D127285#3566198, @martong wrote:
In D127285#3566034, @steakhal wrote:

... Try to mark named entities like this.

Could you please elaborate?

Oh sure. The SimpleSValBuilder is not escaped like code or class entities should be in the summary. But it's really not that important.

martong added a comment.Jun 8 2022, 6:40 AM
In D127285#3566397, @steakhal wrote:
In D127285#3566198, @martong wrote:
In D127285#3566034, @steakhal wrote:

... Try to mark named entities like this.

Could you please elaborate?

Oh sure. The SimpleSValBuilder is not escaped like code or class entities should be in the summary. But it's really not that important.

Ok, thanks!

martong edited the summary of this revision. (Show Details)Jun 8 2022, 6:41 AM
martong updated this revision to Diff 435154.Jun 8 2022, 7:28 AM
martong marked an inline comment as done.
  • Add one more sentence in the comments.
clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
25–28

It is a good idea to draw the checker writer's attention to use getKnownValue, however, this is a private function deliberately for this exact reason.

I'm also wondering if this should be at the top. I would rather put it below simplifySValOnce().

I've put it here because simplifySValOnce references this even in its header comment.

steakhal accepted this revision.Jun 8 2022, 7:32 AM
steakhal added inline comments.
clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
25–28

It is a good idea to draw the checker writer's attention to use getKnownValue, however, this is a private function deliberately for this exact reason.

I know. My point is that the name of those two functions won't express the difference; thus I wanted to have a more verbose way of expressing that the private impl. fn. should not be exposed. I won't insist though.

I've put it here because simplifySValOnce references this even in its header comment.

Well, it also refers to simplifySValOnce(), yet that's below that comment.

This revision is now accepted and ready to land.Jun 8 2022, 7:32 AM
Harbormaster completed remote builds in B168568: Diff 435154.Jun 8 2022, 8:18 AM
martong added a comment.Jun 9 2022, 6:59 AM
In D127285#3566032, @steakhal wrote:

LGTM
Schedule a measurement to see what changes. Let's hope it won't introduce more crashes.
If everything checks out, it gets approved.

Results are good. No new assertion failures, neither crashes. Runtime is the same (in the margin of error). Redis has been added to the set of analyzed projects this time.

stats.html211 KBDownload

This revision was landed with ongoing or failed builds.Jun 9 2022, 7:14 AM
Closed by commit rGbc2c759aeee7: [analyzer] Fix assertion failure after getKnownValue call (authored by martong). · Explain Why
This revision was automatically updated to reflect the committed changes.
martong added a commit: rGbc2c759aeee7: [analyzer] Fix assertion failure after getKnownValue call.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
31 lines
test/
Analysis/
13 lines

Diff 435536

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show All 16 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class SimpleSValBuilder : public SValBuilder { class SimpleSValBuilder : public SValBuilder {
// Query the constraint manager whether the SVal has only one possible
// (integer) value. If that is the case, the value is returned. Otherwise,
// returns NULL.
// This is an implementation detail. Checkers should use `getKnownValue()`
steakhalUnsubmitted
Done
ReplyInline Actions
class SimpleSValBuilder : public SValBuilder {
// Query the constraint manager whether the SVal has only one possible
// (integer) value. If that is the case, the value is returned. Otherwise,
// returns NULL.
+ // This is an implementation detail. Users should use `getKnownValue()` instead.
const llvm::APSInt *getConstValue(ProgramStateRef state, SVal V);
// With one `simplifySValOnce` call, a compound symbols might collapse to

I'm also wondering if this should be at the top. I would rather put it below simplifySValOnce().

steakhal: I'm also wondering if this should be at the top. I would rather put it below `simplifySValOnce…
martongAuthorUnsubmitted
Done
ReplyInline Actions

It is a good idea to draw the checker writer's attention to use getKnownValue, however, this is a private function deliberately for this exact reason.

I'm also wondering if this should be at the top. I would rather put it below simplifySValOnce().

I've put it here because simplifySValOnce references this even in its header comment.

martong: It is a good idea to draw the checker writer's attention to use `getKnownValue`, however, this…
steakhalUnsubmitted
Not Done
ReplyInline Actions

It is a good idea to draw the checker writer's attention to use getKnownValue, however, this is a private function deliberately for this exact reason.

I know. My point is that the name of those two functions won't express the difference; thus I wanted to have a more verbose way of expressing that the private impl. fn. should not be exposed. I won't insist though.

I've put it here because simplifySValOnce references this even in its header comment.

Well, it also refers to simplifySValOnce(), yet that's below that comment.

steakhal: > It is a good idea to draw the checker writer's attention to use getKnownValue, however, this…
// instead.
const llvm::APSInt *getConstValue(ProgramStateRef state, SVal V);
// With one `simplifySValOnce` call, a compound symbols might collapse to // With one `simplifySValOnce` call, a compound symbols might collapse to
// simpler symbol tree that is still possible to further simplify. Thus, we // simpler symbol tree that is still possible to further simplify. Thus, we
// do the simplification on a new symbol tree until we reach the simplest // do the simplification on a new symbol tree until we reach the simplest
// form, i.e. the fixpoint. // form, i.e. the fixpoint.
// Consider the following symbol `(b * b) * b * b` which has this tree: // Consider the following symbol `(b * b) * b * b` which has this tree:
// * // *
// / \ // / \
// * b // * b
// / \ // / \
// / b // / b
// (b * b) // (b * b)
// Now, if the `b * b == 1` new constraint is added then during the first // Now, if the `b * b == 1` new constraint is added then during the first
// iteration we have the following transformations: // iteration we have the following transformations:
// * * // * *
// / \ / \ // / \ / \
// * b --> b b // * b --> b b
// / \ // / \
// / b // / b
// 1 // 1
// We need another iteration to reach the final result `1`. // We need another iteration to reach the final result `1`.
SVal simplifyUntilFixpoint(ProgramStateRef State, SVal Val); SVal simplifyUntilFixpoint(ProgramStateRef State, SVal Val);
// Recursively descends into symbolic expressions and replaces symbols // Recursively descends into symbolic expressions and replaces symbols
// with their known values (in the sense of the getKnownValue() method). // with their known values (in the sense of the getConstValue() method).
// We traverse the symbol tree and query the constraint values for the // We traverse the symbol tree and query the constraint values for the
// sub-trees and if a value is a constant we do the constant folding. // sub-trees and if a value is a constant we do the constant folding.
SVal simplifySValOnce(ProgramStateRef State, SVal V); SVal simplifySValOnce(ProgramStateRef State, SVal V);
public: public:
SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context, SimpleSValBuilder(llvm::BumpPtrAllocator &alloc, ASTContext &context,
ProgramStateManager &stateMgr) ProgramStateManager &stateMgr)
: SValBuilder(alloc, context, stateMgr) {} : SValBuilder(alloc, context, stateMgr) {}
~SimpleSValBuilder() override {} ~SimpleSValBuilder() override {}
SVal evalMinus(NonLoc val) override; SVal evalMinus(NonLoc val) override;
SVal evalComplement(NonLoc val) override; SVal evalComplement(NonLoc val) override;
SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op, SVal evalBinOpNN(ProgramStateRef state, BinaryOperator::Opcode op,
NonLoc lhs, NonLoc rhs, QualType resultTy) override; NonLoc lhs, NonLoc rhs, QualType resultTy) override;
SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op, SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op,
Loc lhs, Loc rhs, QualType resultTy) override; Loc lhs, Loc rhs, QualType resultTy) override;
SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op,
Loc lhs, NonLoc rhs, QualType resultTy) override; Loc lhs, NonLoc rhs, QualType resultTy) override;
/// getKnownValue - evaluates a given SVal. If the SVal has only one possible /// Evaluates a given SVal by recursively evaluating and
/// simplifying the children SVals. If the SVal has only one possible
/// (integer) value, that value is returned. Otherwise, returns NULL. /// (integer) value, that value is returned. Otherwise, returns NULL.
const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V) override; const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V) override;
SVal simplifySVal(ProgramStateRef State, SVal V) override; SVal simplifySVal(ProgramStateRef State, SVal V) override;
SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op,
const llvm::APSInt &RHS, QualType resultTy); const llvm::APSInt &RHS, QualType resultTy);
}; };
} // end anonymous namespace } // end anonymous namespace
▲ Show 20 LinesShow All 449 Lines▼ Show 20 Lines case nonloc::LocAsIntegerKind: {
return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); return makeSymExprValNN(op, InputLHS, InputRHS, resultTy);
} }
} }
} }
case nonloc::ConcreteIntKind: { case nonloc::ConcreteIntKind: {
llvm::APSInt LHSValue = lhs.castAs<nonloc::ConcreteInt>().getValue(); llvm::APSInt LHSValue = lhs.castAs<nonloc::ConcreteInt>().getValue();
// If we're dealing with two known constants, just perform the operation. // If we're dealing with two known constants, just perform the operation.
if (const llvm::APSInt *KnownRHSValue = getKnownValue(state, rhs)) { if (const llvm::APSInt *KnownRHSValue = getConstValue(state, rhs)) {
llvm::APSInt RHSValue = *KnownRHSValue; llvm::APSInt RHSValue = *KnownRHSValue;
if (BinaryOperator::isComparisonOp(op)) { if (BinaryOperator::isComparisonOp(op)) {
// We're looking for a type big enough to compare the two values. // We're looking for a type big enough to compare the two values.
// FIXME: This is not correct. char + short will result in a promotion // FIXME: This is not correct. char + short will result in a promotion
// to int. Unfortunately we have lost types by this point. // to int. Unfortunately we have lost types by this point.
APSIntType CompareType = std::max(APSIntType(LHSValue), APSIntType CompareType = std::max(APSIntType(LHSValue),
APSIntType(RHSValue)); APSIntType(RHSValue));
CompareType.apply(LHSValue); CompareType.apply(LHSValue);
▲ Show 20 LinesShow All 103 Lines▼ Show 20 Lines case nonloc::SymbolValKind: {
// Negate the comparison and make a value. // Negate the comparison and make a value.
opc = BinaryOperator::negateComparisonOp(opc); opc = BinaryOperator::negateComparisonOp(opc);
return makeNonLoc(symIntExpr->getLHS(), opc, return makeNonLoc(symIntExpr->getLHS(), opc,
symIntExpr->getRHS(), resultTy); symIntExpr->getRHS(), resultTy);
} }
} }
// For now, only handle expressions whose RHS is a constant. // For now, only handle expressions whose RHS is a constant.
if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) { if (const llvm::APSInt *RHSValue = getConstValue(state, rhs)) {
// If both the LHS and the current expression are additive, // If both the LHS and the current expression are additive,
// fold their constants and try again. // fold their constants and try again.
if (BinaryOperator::isAdditiveOp(op)) { if (BinaryOperator::isAdditiveOp(op)) {
BinaryOperator::Opcode lop = symIntExpr->getOpcode(); BinaryOperator::Opcode lop = symIntExpr->getOpcode();
if (BinaryOperator::isAdditiveOp(lop)) { if (BinaryOperator::isAdditiveOp(lop)) {
// Convert the two constants to a common type, then combine them. // Convert the two constants to a common type, then combine them.
// resultTy may not be the best type to convert to, but it's // resultTy may not be the best type to convert to, but it's
Show All 30 Lines case nonloc::SymbolValKind: {
} }
// Otherwise, make a SymIntExpr out of the expression. // Otherwise, make a SymIntExpr out of the expression.
return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy); return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy);
} }
} }
// Is the RHS a constant? // Is the RHS a constant?
if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) if (const llvm::APSInt *RHSValue = getConstValue(state, rhs))
return MakeSymIntVal(Sym, op, *RHSValue, resultTy); return MakeSymIntVal(Sym, op, *RHSValue, resultTy);
if (Optional<NonLoc> V = tryRearrange(state, op, lhs, rhs, resultTy)) if (Optional<NonLoc> V = tryRearrange(state, op, lhs, rhs, resultTy))
return *V; return *V;
// Give up -- this is not a symbolic expression we can handle. // Give up -- this is not a symbolic expression we can handle.
return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); return makeSymExprValNN(op, InputLHS, InputRHS, resultTy);
} }
▲ Show 20 LinesShow All 471 Lines▼ Show 20 Lines if (const MemRegion *region = lhs.getAsRegion()) {
if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) { if (Optional<NonLoc> indexV = index.getAs<NonLoc>()) {
return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV, return loc::MemRegionVal(MemMgr.getElementRegion(elementType, *indexV,
superR, getContext())); superR, getContext()));
} }
} }
return UnknownVal(); return UnknownVal();
} }
const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state, const llvm::APSInt *SimpleSValBuilder::getConstValue(ProgramStateRef state,
SVal V) { SVal V) {
if (V.isUnknownOrUndef()) if (V.isUnknownOrUndef())
return nullptr; return nullptr;
if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>()) if (Optional<loc::ConcreteInt> X = V.getAs<loc::ConcreteInt>())
return &X->getValue(); return &X->getValue();
if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>()) if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>())
return &X->getValue(); return &X->getValue();
if (SymbolRef Sym = V.getAsSymbol()) if (SymbolRef Sym = V.getAsSymbol())
return state->getConstraintManager().getSymVal(state, Sym); return state->getConstraintManager().getSymVal(state, Sym);
return nullptr; return nullptr;
} }
const llvm::APSInt *SimpleSValBuilder::getKnownValue(ProgramStateRef state,
SVal V) {
return getConstValue(state, simplifySVal(state, V));
}
SVal SimpleSValBuilder::simplifyUntilFixpoint(ProgramStateRef State, SVal Val) { SVal SimpleSValBuilder::simplifyUntilFixpoint(ProgramStateRef State, SVal Val) {
SVal SimplifiedVal = simplifySValOnce(State, Val); SVal SimplifiedVal = simplifySValOnce(State, Val);
while (SimplifiedVal != Val) { while (SimplifiedVal != Val) {
Val = SimplifiedVal; Val = SimplifiedVal;
SimplifiedVal = simplifySValOnce(State, Val); SimplifiedVal = simplifySValOnce(State, Val);
} }
return SimplifiedVal; return SimplifiedVal;
} }
▲ Show 20 LinesShow All 50 Lines▼ Show 20 LinesSVal SimpleSValBuilder::simplifySValOnce(ProgramStateRef State, SVal V) {
public: public:
Simplifier(ProgramStateRef State) Simplifier(ProgramStateRef State)
: State(State), SVB(State->getStateManager().getSValBuilder()) {} : State(State), SVB(State->getStateManager().getSValBuilder()) {}
SVal VisitSymbolData(const SymbolData *S) { SVal VisitSymbolData(const SymbolData *S) {
// No cache here. // No cache here.
if (const llvm::APSInt *I = if (const llvm::APSInt *I =
SVB.getKnownValue(State, SVB.makeSymbolVal(S))) State->getConstraintManager().getSymVal(State, S))
return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I) return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I)
: (SVal)SVB.makeIntVal(*I); : (SVal)SVB.makeIntVal(*I);
return SVB.makeSymbolVal(S); return SVB.makeSymbolVal(S);
} }
SVal VisitSymIntExpr(const SymIntExpr *S) { SVal VisitSymIntExpr(const SymIntExpr *S) {
auto I = Cached.find(S); auto I = Cached.find(S);
if (I != Cached.end()) if (I != Cached.end())
▲ Show 20 LinesShow All 106 LinesShow Last 20 Lines

clang/test/Analysis/svalbuilder-simplify-no-crash.c

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -verify
// Here, we test that svalbuilder simplification does not produce any
// assertion failure.
void crashing(long a, _Bool b) {
(void)(a & 1 && 0);
b = a & 1;
(void)(b << 1); // expected-warning{{core.UndefinedBinaryOperatorResult}}
}