In this test file these warnings were irrelevant, so I picked a different arbitrary constant to eliminate them.

Because addTransition() is a very confusing API that's very easy to misuse in subtle ways (causing unexpected state splits), I feel anxious when I see functions like

bool isValidShift();
bool isOvershift();
bool isOperandNegative(OperandSide Side);
bool isLeftShiftOverflow();

that look like boolean getters but in fact call addTransition() under the hood. If we could at least call them checkOvershift() etc., that'd be much better. Ideally I wish there was some safeguard against producing redundant transitions, like make them return an ExplodedNode and chain them, or something like that.

Can we just append this to the warning? The addNote() is useful for notes that need to be placed in code outside of the execution path, but if it's always next to the warning, it probably doesn't make sense to display it separately.

Props!! Even if they don't do anything, ultimately it's their responsibility.

These functions were originally called checkXXX() but I felt that the meaning of their boolean return value was too confusing with that naming scheme.

I'll try to ensure that emitReport or addTransition are only called on the topmost layer (the run() method) and change the return types of internal subroutines to make them return nullable pointers (e.g. std::unique_ptr<PathSensitiveBugReport>) instead of bools. This would (1) eliminate the "what does true mean at this point?" issues (2) clarify that this checker never performs more than one transition. (If the shift is invaild, we transition to a sink node by emitting a bug; if the shift is vaild, we perform a transition to record the state update.)

I didn't append this to the warning because I felt that the warning text is already too long. (By the way, an earlier internal variant of this checker produced two separate notes next to the warning message.)

I tweaked the messages of this checker before initiating this review, but I feel that there's still some room for improvements. (E.g. in this particular case perhaps we could omit some of the details that are not immediately useful and could be manually calculated from other parts of the message...)

Just a thought on simplifying the diagnostics a bit:

Warning: "Right operand is negative in left shift"
Note: "The result of left shift is undefined because the right operand is negative"
Shortened: "Undefined left shift due to negative right operand"

Warning: "Left shift by '34' overflows the capacity of 'int'"
Note: "The result of left shift is undefined because the right operand '34' is not smaller than 32, the capacity of 'int'"
Shortened: "Undefined left shift: '34' exceeds 'int' capacity (32 bits)"

The more complex notes are a bit sketchy, as relevant information can be lost, and the following solution is probably a bit too much, but could prove to be an inspiration:

Warning: "Left shift of '1024' overflows the capacity of 'int'"
CXX Note: "Left shift of '1024' is undefined because 'int' can hold only 32 bits (including the sign bit), so some bits overflow"
CXX Note: "The value '1024' is represented by 11 bits, allowing at most 21 bits for bitshift"
C Note: "Left shift of '1024' is undefined because 'int' can hold only 31 bits (excluding the sign bit), so some bits overflow"
C Note: "The value '1024' is represented by 11 bits, allowing at most 20 bits for bitshift"

Shortened:
CXX Warning: "Undefined left shift: '1024' (11 bits) exceeds 'int' capacity (32 bits, including sign)"
C Warning: "Undefined left shift: '1024' (11 bits) exceeds 'int' capacity (31 bits, excluding sign)"

Clarification about the Msg/ShortMsg distinction:
I'm intentionally separating the short warning messages and the longer note messages because createBugReport() enforces the convention that it will always emit a warning and a note at the bug location.

According to the comments in the source code, the intention is that the note contains all the relevant information, while the warning is a brief summary that can be displayed in situations where the notes wouldn't fit the UI.

IIUC many checkers ignore this distinction and emit the same (often long and cumbersome) message both as a note and as a warning (createBugReport() has a variant which takes only one message parameter and passes it to both locations), but I tried to follow it because I think it's ugly when the same message is repeated twice and there is some sense in providing both a brief summary and a full description that doesn't use potentially-ambiguous abbreviations to save space.

Of course I could also accept a community decision that this "brief warning / full note" distinction is deprecated and will be eliminated (because e.g. front-end utilities are not prepared to handle it), but in that case I'd strongly suggest a redesign where we eliminate the redundantly printed 'note' message. (There is no reason to say the same thing twice! There is no reason to say the same thing twice!)

On the other hand, in addition to this Msg/ShortMsg distinction, this part of the code also adds the extra LeftNote (as a remnant from an earlier internal version of this checker), and that's that's what I'd like to merge into Msg (following NoQ's suggestion and keeping it distinct from the ShortMsg).

I believe shifting out the "sign bit" is UB because the representation of the signed integer type was not defined.
Prior C++20 (?), it was allowed to represent signed integer types as two's-complement (virtually every platform uses this), one's complement, sign-magnitude. Wiki.
And it turns out, all these three representations behave differently with negative values.
Check out JF's talk from 2018 about this.

I'd need to think about the relevance of C++20 in this context, but here is what I think of now:
My idea is that the observed behavior is not influenced by the "standard", rather by the time we released C++20, they realized that no actual platform uses weird signed integer representations.
Given this observation, I'd argue that we shouldn't have this flag at all.

We should exactly elaborate on what "proper" means here.

One does not frequently see the long long type.
Do you have a specific reason why int or unsigned wouldn't be good?

How about swapping these branches on the ResultVal.isUndef() predicate?

Generally, I don't favor mutating member functions.
It makes it harder to track how we ended up with a given State.

I wonder if we should add a message here that we introduced a new constraint: "X assumed to be non-negative".
To add such a message, you should do something similar to what is done in the StdLibraryFunctionsChecker.
Take the C.getPredecessor() and chain all your NoteTags by calling the Pred = C.addTransition(NewState, Pred, Tag) like this. This way. This is how one "sequence of ExplodedNodes" can be made.

I'm pretty sure I got rid of this one :D
Consider rebasing on top of llvm/main.

The argument of ProgramState::assume() must be a DefinedOrUnknownSVal, so I need to cast the return value of evalBinOp (which may be Undefined) to this type.

This is already done by BitwiseShiftValidator::createNoteTag(). It's a bit complex because the checker merges all its assumptions into a single note tag (because I didn't want to emit two or three notes directly after each other.

Oops, this might be an error introduced during a rebase... Thanks for catching it!

Correction: now I'm leaning towards just discarding the secondary note, because the message examples listed in the previous comment are just the variants where the right operand is unknown. In the more detailed message template "The shift '{0} << {1}' is undefined {2}, so {3} bit{4} overflow{5}" there is no place to insert the "represented by {} bits" message.

I eliminated isValidShift() by merging it with run() (which was very short) and renamed the rest of the functions to checkXXX.

Now the exploded graph is only modified in the top-level method run().

I changed the type of the Limit argument to unsigned (because that's what this function is called with) and changed the type of LimitVal to IntTy with a comment that describes that it must be signed.

There's nothing wrong with long, multi-sentence diagnostic messages!

Unlike the compiler proper, we aren't typically used from the command line, so we aren't trying to fit into 80 columns. So we start our warnings with a capital letter and expect them to be, at the very least, complete sentences.

Check for subsequent duplicated words. They are usually typos.

Please elaborate what counts as "incorrect use".

This is used quite often and hinders the readability by indenting the args a lot. Making the spelling shorter, would somewhat mitigate this.

Where does this comment corresponds to?

How about using the same enum type for these two? It would signify that these are used together.
Also, by only looking at the possible values, it's not apparent that these are bitflag values. A suffix might help the reader.

Have you considered using std::optional?
Given that the dimension of this variable is "bits", I think it would be great to have that in its name.

Check if your member functions can be declared as const.

I'd prefer BR or Report. Since we know already that we are in the path-sensitive domain, P has less value there.
I'd apply this concept everywhere in the patch.

To me it feels as if this comment should be at the definition of checkLeftShiftOverflow, and only keep here a short reminder. Similarly to how you did with the previous cases.

The isLeftShift() ? "left" : "right" expression appears 4 times in total.
I'd also recommend to not distinguish the capitalized "left" and "right" strings, and just post-process the messages to ensure that the first character is capitalized inside the createBugReport().

Also note that you can reuse the same placeholder, so you would only need to pass the side() only once.

static void capitalizeBeginning(std::string &Str) {
  if (Str.empty())
    return;
  Str[0] = llvm::toUpper(Str[0]);
}

StringRef side() const {
  return isLeftShift() ? "left" : "right";
}

This will ensure that the definition of LeftAvailableBitWidth does not wrap.
And, more importantly, assert(LeftBitWidth >= UsedBitsInLeftOperand) also holds, asserted later.

Okay, so this is an invariant.
How about rephrasing this to better express that:

We should have already reported if the left operand of the shift was negative, thus this cannot be negative here.

I'd move this closer to the first "use" place.

Hmm, does this "but" actually mean "and" here?
Anyway, both using "but" and "and" there looks awkward.
It might be only me though.

It's an unrelated comment, but always bothers me to see 'right' mentioned here, where there is nothing called like that...

How about simplifying these lines to -Wno-shift? Have you considered it?

Let's test if the shift RHS operand is bigger than 64.

Have you considered using clang_analyzer_value(left) for inspecting the assumed range of the operands?
IMO that leads to more readable tests.

The two data members (Ctx and State) that are directly below the comment.

I tried to split the list of data members into three groups (primary mutable state, secondary mutable state, const members), but now I reconsider this I feel that these header comments are actually superfluous.

I'll return to a variant of the earlier layout where I put NonNegFlags/UpperBound to the end and comment that they are only used for note tag creation; but don't emphasize the (immediately visible) constness / non-const-ness of other members with comments.

Using the enum type is a good idea, however I'd probably put the Flag suffix into the name of the type:

enum SignednessFlags : unsigned { NonNegLeft = 1, NonNegRight = 2 };
SignednessFlags NonNegOperands = 0;

I considered using std::optional, but using this "old-school" solution ensures that NoUpperBound is comparable to and larger than the "real" upper bound values, which lets me avoid some ugly boolean logic. I'll update the comment and probably also the variable name.

The P stands for the "Ptr" in the name of the type alias BugReportPtr; but your comment clearly highlights that this variable name is confusing ;).

I'll probably avoid the auto and use BugReportPtr Bug = ... to remind the reader that this is a pointer (that can be null) and if it's non-null, then we found a bug.

This is an important distinction, I use "not smaller than {2}" as a shorter synonym of "larger than or equal to {2}". I can choose some other wording if you feel that this is not clear enough.

Good point, previously it was used by the calculation that is now performed by assumeRequirement.

Even if the message length is not limited, I think it's better to delete the additional note line (instead of merging it with the "regular" note line) because it's just too much information and the gist of the issue is lost behind the flood of redundant numbers.

However, this is just a subjective decision and I'm open to extending the message if you feel that something important is missing from it.

I'd say that the current wording is correct because the the checker "use"s the comparison operators (in its implementation) instead of "accept"ing them from outside; but I can replace the message with e.g. "this function does not accept other comparison operators" if you'd prefer that.

Yes, this sentence fragment is like "not too small but not too large", where "but" is equivalent to "and" and both are a bit awkward.

Unfortunately there is no such shortcut: when I tried to execute trunk clang with it, I got "warning: unknown warning option '-Wno-shift'".

Good idea!

I rename the member NonNegFlags to NonNegOperands but its type remains a plain unsigned because otherwise using the or-assign operator like NonNegOperands |= NonNegLeft produces the error

Assigning to 'enum SignednessFlags' from incompatible type 'unsigned int' (clang typecheck_convert_incompatible)

(note that both operands were from the same enum type).

I introduced a method for isLeftShift() ? "left" : "right" (which is indeed repeated several times), but I didn't define capitalizeBeginning because that would've been used only once.

Your remark that [with the capitalization function] "you can reuse the same placeholder, so you would only need to pass the side() only once" seems to be incorrect, because Side == OperandSide::Left ? "Left" : "Right" (which operand are we talking about?) and isLeftShift() ? "left" : "right" (what kind of shift operator are we talking about?) are two independent values.

else after return

One way to emphasize this is by choosing names like FoldedState, or anything else that has something to do with "motion" or "change".
Given that if we have ProgramStateRefs in helper classes they usually remain still. Think of BugReportVisitors for example. Consequently,it's important to raise awareness when it's not like that. A different name would achieve this.

Okay, indeed one would need to define the operator|(SignednessStatus, SignednessStatus) and operato&|(SignednessStatus, SignednessStatus) as well.
It probably doesn't worth it. Such a pity that we can't have nice things in C++.

What "ugly boolean logic" are you referring to?
I thought one can always use value_or(999) anyway. To me, that means that the option approach is a refinement of yours. But depending on the situation, it might be possible to avoid the extrema value 999 altogether.

Oh I see. To me, it's fairly obvious now that bugreports are just smart-pointers.
So I implicitly looked for some other reason. But just look at other checker, and call it the same way how they do, for consistency. That's all I wanted.
There are two/three common options I believe: B or BR, and maybe Report.

No, I have not strong feelings. Feel free to use the one you like more.

Makes sense. It was so tempting though.

getExtValue(), I believe, asserts that it "fits", thus the concrete int is at most 64 bits wide. Does it work for _BigInts? (or whatever we have like that :D)

When I see something like this I always think of using a ternary.
Have you also considered?

No strong feelings :)

AHA! Now I got you. You also call this R.
Just use R at the callsite as well. Job done.

How about eagerly inline initializing this field? And avoiding mutable as well.

My intuition is that the variable name "State" already implies that it will be regularly changed and updated as we are going forward; but you're right that in this project we've a tradition of storing snapshots of "old" states in various helper classes.

(By the way, I'm a bit worried when I read code that stores and passes around random stale snapshots of the state. Of course we cannot avoid the branching nature of the exploded graph, but other than that it'd be good to store the State in language constructs where you cannot accidentally lose information by building onto an older state variable.)

I'm prejudiced against optional in C++ because I feel that it's clunky and doesn't fit the rest of the language. (Note that I like Maybe in Haskell and don't have strong feelings about "using a variable that may be None" in Python; so this is specific to C++.)

However, in this particular case I decided to switch to std::optional<unsigned>, because it lets me write !UpperBoundBitCount instead of the longer (but perhaps more readable) UpperBoundBitCount != NoUpperBound.

The "ugly boolean logic" that I spoke about is (!UpperBoundBitCount || Limit < UpperBoundBitCount.value()); however I think this is still better than Limit < UpperBoundBitCount.value_or(999) which falls to the ground between two chairs as it introduces both the type optional and the arbitrary placeholder number.

Ok, I switched to the variable name "BR". I didn't have a strong preference for using "Bug", I just thought that your request is "the current name is bad, use anything else" and not "please use one of the traditional names".

Yes, trivial string formatting can introduce a surprising amount of complications...

This final check is executed when we already know that 0 <= ConcreteRight < 128 (or the bit width of the largest integer type). I added a comment that mentions this and replaced the type std::int64_t with a plain unsigned.

I also updated the testcase large_right to ensure that later changes don't introduce crashes related to absurdly oversized right arguments.

This is a code fragment that survived my refactoring efforts without significant changes... until now :)

Now that you highlighted it, I'm renaming R to BR just to be a contrarian :)

This pattern systematically appears in all checkers that I've seen because the constructor of BugType queries and stores the name of the checker, which is only initialized when the checker (*this) is registered. This dependency means that the BugType cannot be initialized in the constructor of the Checker.

I already tried calling clang_analyzer_value() at that point when I was investigating, but unfortunately it won't say anything useful because the actual range corresponding to the symbolic expression is only calculated when the evalBinOp() calls examine it.

I'll change the "expected - warning" to a FIXME.

(I'm marking this request as "Done" because I couldn't find a better wording. Feel free to reopen the discussion if you wish.)