This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
-
SMTConv.h
-
test/Analysis/
-
Analysis/
-
z3-crosscheck.c

Differential D140891

[analyzer] Fix assertion failure in SMT conversion for unary operator on floats.
ClosedPublic

Authored by tomasz-kaminski-sonarsource on Jan 3 2023, 5:55 AM.

Download Raw Diff

Details

Reviewers

NoQ
martong
xazax.hun
ASDenysPetrov
mikhail.ramalho

Commits

rG3674421c4bc0: [analyzer] Fix assertion failure in SMT conversion for unary operator on floats

Summary

In the handling of the Symbols from the RangExpr, the code assumed that the operands of the unary operators need to have integral type.
However, the CSA can create SymExpr with a floating point operand, when the integer value is cast into it, like (float)h == (float)l where both of h and l are integers.

This patch handles such situations, by using fromFloatUnOp instead of fromUnOp, when the operand have a floating point type.

I have investigated all other calls of fromUnOp, and for one in:

getZeroExpr is applied only on boolean types, so it correct
fromBinOp is not invoked for floating points
fromFloatUnOp I am uncertain about this case and I was not able to produce a test that would reach this point, as a negation of floating points numbers seem to produce Unknown symbols.,

This issue exists since the introduction of UnarySymExpr in https://reviews.llvm.org/D125318 and their handling for Z3 in https://reviews.llvm.org/D125547.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

tomasz-kaminski-sonarsource created this revision.Jan 3 2023, 5:55 AM

Herald added a reviewer: NoQ. · View Herald TranscriptJan 3 2023, 5:55 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: steakhal, manas, ASDenysPetrov and 8 others. · View Herald Transcript

tomasz-kaminski-sonarsource requested review of this revision.Jan 3 2023, 5:55 AM

Herald added a project: Restricted Project. · View Herald TranscriptJan 3 2023, 5:55 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

tomasz-kaminski-sonarsource added a reviewer: martong.Jan 3 2023, 5:55 AM

Herald added a subscriber: rnkovacs. · View Herald TranscriptJan 3 2023, 5:55 AM

steakhal added reviewers: xazax.hun, ASDenysPetrov.Jan 3 2023, 6:01 AM

tomasz-kaminski-sonarsource edited the summary of this revision. (Show Details)Jan 3 2023, 6:03 AM

Harbormaster completed remote builds in B205454: Diff 485977.Jan 3 2023, 6:42 AM

LGTM.

This revision is now accepted and ready to land.Jan 19 2023, 12:58 PM

This revision was landed with ongoing or failed builds.Jan 26 2023, 8:36 AM

Closed by commit rG3674421c4bc0: [analyzer] Fix assertion failure in SMT conversion for unary operator on floats (authored by tomasz-kaminski-sonarsource, committed by steakhal). · Explain Why

This revision was automatically updated to reflect the committed changes.

steakhal added a commit: rG3674421c4bc0: [analyzer] Fix assertion failure in SMT conversion for unary operator on floats.

I'm proposing to backport this fix to clang-16.
https://github.com/llvm/llvm-project/issues/61097

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

SMTConv.h

4 lines

test/

Analysis/

z3-crosscheck.c

26 lines

Diff 492466

clang/include/clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h

Show First 20 Lines • Show All 448 Lines • ▼ Show 20 Lines	static inline llvm::SMTExprRef getSymExpr(llvm::SMTSolverRef &Solver,
if (const UnarySymExpr *USE = dyn_cast<UnarySymExpr>(Sym)) {		if (const UnarySymExpr *USE = dyn_cast<UnarySymExpr>(Sym)) {
if (RetTy)		if (RetTy)
*RetTy = Sym->getType();		*RetTy = Sym->getType();

QualType OperandTy;		QualType OperandTy;
llvm::SMTExprRef OperandExp =		llvm::SMTExprRef OperandExp =
getSymExpr(Solver, Ctx, USE->getOperand(), &OperandTy, hasComparison);		getSymExpr(Solver, Ctx, USE->getOperand(), &OperandTy, hasComparison);
llvm::SMTExprRef UnaryExp =		llvm::SMTExprRef UnaryExp =
fromUnOp(Solver, USE->getOpcode(), OperandExp);		OperandTy->isRealFloatingType()
		? fromFloatUnOp(Solver, USE->getOpcode(), OperandExp)
		: fromUnOp(Solver, USE->getOpcode(), OperandExp);

// Currently, without the `support-symbolic-integer-casts=true` option,		// Currently, without the `support-symbolic-integer-casts=true` option,
// we do not emit `SymbolCast`s for implicit casts.		// we do not emit `SymbolCast`s for implicit casts.
// One such implicit cast is missing if the operand of the unary operator		// One such implicit cast is missing if the operand of the unary operator
// has a different type than the unary itself.		// has a different type than the unary itself.
if (Ctx.getTypeSize(OperandTy) != Ctx.getTypeSize(Sym->getType())) {		if (Ctx.getTypeSize(OperandTy) != Ctx.getTypeSize(Sym->getType())) {
if (hasComparison)		if (hasComparison)
*hasComparison = false;		*hasComparison = false;
▲ Show 20 Lines • Show All 326 Lines • Show Last 20 Lines

clang/test/Analysis/z3-crosscheck.c

	// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -DNO_CROSSCHECK -verify %s			// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -DNO_CROSSCHECK -verify %s
	// RUN: %clang_cc1 -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config crosscheck-with-z3=true -verify %s			// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -analyze -analyzer-checker=core,unix.Malloc,debug.ExprInspection -analyzer-config crosscheck-with-z3=true -verify %s
	// REQUIRES: z3			// REQUIRES: z3

				void clang_analyzer_dump(float);

	int foo(int x)			int foo(int x)
	{			{
	int *z = 0;			int *z = 0;
	if ((x & 1) && ((x & 1) ^ 1))			if ((x & 1) && ((x & 1) ^ 1))
	#ifdef NO_CROSSCHECK			#ifdef NO_CROSSCHECK
	return *z; // expected-warning {{Dereference of null pointer (loaded from variable 'z')}}			return *z; // expected-warning {{Dereference of null pointer (loaded from variable 'z')}}
	#else			#else
	return *z; // no-warning			return *z; // no-warning
	Show All 37 Lines
	void i() {			void i() {
	_Bool c = nondet_bool();			_Bool c = nondet_bool();
	if (c) {			if (c) {
	h(1);			h(1);
	} else {			} else {
	h(2);			h(2);
	}			}
	}			}

				void floatUnaryNegInEq(int h, int l) {
				int j;
				clang_analyzer_dump(-(float)h); // expected-warning-re{{-(float) (reg_${{[0-9]+}}<int h>)}}
				clang_analyzer_dump((float)l); // expected-warning-re {{(float) (reg_${{[0-9]+}}<int l>)}}
				if (-(float)h != (float)l) { // should not crash
				j += 10;
				// expected-warning@-1{{garbage}}
				}
				}

				void floatUnaryLNotInEq(int h, int l) {
				int j;
				clang_analyzer_dump(!(float)h); // expected-warning{{Unknown}}
				clang_analyzer_dump((float)l); // expected-warning-re {{(float) (reg_${{[0-9]+}}<int l>)}}
				if ((!(float)h) != (float)l) { // should not crash
				j += 10;
				// expected-warning@-1{{garbage}}
				}
				}