Index: CMakeLists.txt =================================================================== --- CMakeLists.txt +++ CMakeLists.txt @@ -181,6 +181,11 @@ set(CLANG_HAVE_LIBXML 1) endif() +find_package(Z3 4.5) +if (Z3_FOUND) + set(CLANG_HAVE_Z3 1) +endif() + include(CheckIncludeFile) check_include_file(sys/resource.h CLANG_HAVE_RLIMITS) Index: cmake/modules/FindZ3.cmake =================================================================== --- /dev/null +++ cmake/modules/FindZ3.cmake @@ -0,0 +1,42 @@ +# use pkg-config to get the directories and then use these values +# in the find_path() and find_library() calls +find_package(PkgConfig QUIET) +PKG_CHECK_MODULES(PC_Z3 QUIET libz3) +set(Z3_DEFINITIONS ${PC_LIBZ3_CFLAGS_OTHER}) + +find_path(Z3_INCLUDE_DIR NAMES z3.h + HINTS + ${PC_LIBZ3_INCLUDEDIR} + ${PC_LIBZ3_INCLUDE_DIRS} + PATH_SUFFIXES libz3 + ) + +find_library(Z3_LIBRARIES NAMES z3 libz3 + HINTS + ${PC_LIBZ3_LIBDIR} + ${PC_LIBZ3_LIBRARY_DIRS} + ) + +find_program(Z3_EXECUTABLE z3) + +if(PC_LIBZ3_VERSION) + set(Z3_VERSION_STRING ${PC_LIBZ3_VERSION}) +elseif(Z3_INCLUDE_DIR AND Z3_EXECUTABLE) + execute_process (COMMAND ${Z3_EXECUTABLE} -version + OUTPUT_VARIABLE libz3_version_str + ERROR_QUIET + OUTPUT_STRIP_TRAILING_WHITESPACE) + + string(REGEX REPLACE "^Z3 version ([0-9.]+)" "\\1" + Z3_VERSION_STRING "${libz3_version_str}") + unset(libz3_version_str) +endif() + +# handle the QUIETLY and REQUIRED arguments and set Z3_FOUND to TRUE if +# all listed variables are TRUE +include(FindPackageHandleStandardArgs) +FIND_PACKAGE_HANDLE_STANDARD_ARGS(Z3 + REQUIRED_VARS Z3_LIBRARIES Z3_INCLUDE_DIR + VERSION_VAR Z3_VERSION_STRING) + +mark_as_advanced(Z3_INCLUDE_DIR Z3_LIBRARIES) Index: include/clang/Config/config.h.cmake =================================================================== --- include/clang/Config/config.h.cmake +++ include/clang/Config/config.h.cmake 
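Review bot: `find_package(Z3 4.5)` in the top-level CMakeLists.txt hunk runs unconditionally, so whichever libz3 happens to be installed on the build host is silently detected and linked into clang, with no way for the builder to opt out or to keep the default dependency set unchanged. Wrapping the lookup in an explicit switch, `option(CLANG_ANALYZER_BUILD_Z3 "Build the static analyzer with Z3 support" OFF)` followed by `if(CLANG_ANALYZER_BUILD_Z3) find_package(Z3 4.5) endif()`, makes the solver an explicit choice and keeps the default build reproducible. A `message(STATUS ...)` reporting the library and version that were picked up would also help diagnose builds that end up linking an unexpected Z3.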
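Review bot: The pkg-config results in FindZ3.cmake are never consumed: `PKG_CHECK_MODULES(PC_Z3 QUIET libz3)` populates `PC_Z3_*` variables, but every later reference reads the `PC_LIBZ3_*` family (`PC_LIBZ3_CFLAGS_OTHER`, `PC_LIBZ3_INCLUDEDIR`, `PC_LIBZ3_INCLUDE_DIRS`, `PC_LIBZ3_LIBDIR`, `PC_LIBZ3_LIBRARY_DIRS`, `PC_LIBZ3_VERSION`), all of which stay empty. Changing the prefix to `PKG_CHECK_MODULES(PC_LIBZ3 QUIET libz3)` fixes all of them at once. As written, the version only ever comes from running whatever `z3` is first on PATH, which may not be the same install that `find_library` resolves, so the `4.5` minimum requested by the caller can be checked against the wrong library.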
@@ -38,6 +38,9 @@ /* Define if we have libxml2 */ #cmakedefine CLANG_HAVE_LIBXML ${CLANG_HAVE_LIBXML} +/* Define if we have z3 */ +#cmakedefine CLANG_HAVE_Z3 ${CLANG_HAVE_Z3} + /* Define if we have sys/resource.h (rlimits) */ #cmakedefine CLANG_HAVE_RLIMITS ${CLANG_HAVE_RLIMITS} Index: include/clang/StaticAnalyzer/Core/Analyses.def =================================================================== --- include/clang/StaticAnalyzer/Core/Analyses.def +++ include/clang/StaticAnalyzer/Core/Analyses.def @@ -22,6 +22,7 @@ #endif ANALYSIS_CONSTRAINTS(RangeConstraints, "range", "Use constraint tracking of concrete value ranges", CreateRangeConstraintManager) +ANALYSIS_CONSTRAINTS(Z3Constraints, "z3", "Use Z3 contraint solver", CreateZ3ConstraintManager) #ifndef ANALYSIS_DIAGNOSTICS #define ANALYSIS_DIAGNOSTICS(NAME, CMDFLAG, DESC, CREATEFN) Index: include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h =================================================================== --- include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h +++ include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h @@ -184,6 +184,9 @@ CreateRangeConstraintManager(ProgramStateManager &statemgr, SubEngine *subengine); +std::unique_ptr +CreateZ3ConstraintManager(ProgramStateManager &statemgr, SubEngine *subengine); + } // end GR namespace } // end clang namespace Index: lib/StaticAnalyzer/Core/CMakeLists.txt =================================================================== --- lib/StaticAnalyzer/Core/CMakeLists.txt +++ lib/StaticAnalyzer/Core/CMakeLists.txt @@ -1,5 +1,12 @@ set(LLVM_LINK_COMPONENTS support) +# Link Z3 if the user wants to build it. +if(CLANG_HAVE_Z3) + set(Z3_LINK_FILES ${Z3_LIBRARIES}) +else() + set(Z3_LINK_FILES"") +endif() + add_clang_library(clangStaticAnalyzerCore APSIntType.cpp AnalysisManager.cpp @@ -43,6 +50,7 @@ Store.cpp SubEngine.cpp SymbolManager.cpp + Z3ConstraintManager.cpp LINK_LIBS clangAST 
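Review bot: The user-facing description string in the new `ANALYSIS_CONSTRAINTS` entry in Analyses.def misspells "constraint"; it should read `ANALYSIS_CONSTRAINTS(Z3Constraints, "z3", "Use Z3 constraint solver", CreateZ3ConstraintManager)`. The entry is also registered unconditionally, so `-analyzer-constraints=z3` is accepted even in a build where `CLANG_HAVE_Z3` is not defined; the fallback presumably lives in `CreateZ3ConstraintManager`, whose definition is outside this chunk. A short comment on the entry saying what happens when Z3 support is not compiled in would save the next reader that search.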
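Review bot: `set(Z3_LINK_FILES"")` in the `else()` branch of the first lib/StaticAnalyzer/Core/CMakeLists.txt hunk is missing the separator between the variable name and the value; CMake's legacy unquoted-argument parsing may still accept the token, but the intent is clearly `set(Z3_LINK_FILES "")`. Since the variable is only consumed as `${Z3_LINK_FILES}` in the later `LINK_LIBS` hunk, where an unset variable expands to nothing, the `else()` branch can simply be dropped: `if(CLANG_HAVE_Z3) set(Z3_LINK_FILES ${Z3_LIBRARIES}) endif()`. Z3ConstraintManager.cpp is added to the library unconditionally, which is fine as long as the Z3-dependent body stays behind the `#ifdef CLANG_HAVE_Z3` guard visible at the top of that file.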
@@ -50,4 +58,5 @@ clangBasic clangLex clangRewrite + ${Z3_LINK_FILES} ) Index: lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp =================================================================== --- /dev/null +++ lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp 
@@ -0,0 +1,1460 @@ +//== Z3ConstraintManager.cpp --------------------------------*- C++ -*--==// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// + +#include "clang/Basic/TargetInfo.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" +#include "clang/StaticAnalyzer/Core/PathSensitive/SimpleConstraintManager.h" + +#include "clang/Config/config.h" + +using namespace clang; +using namespace ento; + +#ifdef CLANG_HAVE_Z3 + +#include + +namespace { +class Z3Expr { + static Z3_context ZC; + Z3_ast AST; + + Z3Expr(Z3_ast ZA) : AST(ZA) { Z3_inc_ref(ZC, AST); } + + // Return an appropriate floating-point rounding mode. + static Z3Expr getFloatRoundingMode() { + // TODO: Don't assume nearest ties to even rounding mode + return Z3Expr(Z3_mk_fpa_rne(Z3Expr::ZC)); + } + + // Return an appropriate floating-point sort for the given bitwidth. 
+ static Z3_sort getFloatSort(unsigned BitWidth) { + switch (BitWidth) { + default: + llvm_unreachable("Unsupported floating-point bitwidth!"); + break; + case 16: + return Z3_mk_fpa_sort_16(Z3Expr::ZC); + case 32: + return Z3_mk_fpa_sort_32(Z3Expr::ZC); + case 64: + return Z3_mk_fpa_sort_64(Z3Expr::ZC); + case 128: + return Z3_mk_fpa_sort_128(Z3Expr::ZC); + } + } + + // Determine whether two float semantics are equivalent + static bool areEquivalent(const llvm::fltSemantics &LHS, + const llvm::fltSemantics &RHS) { + return (llvm::APFloat::semanticsPrecision(LHS) == + llvm::APFloat::semanticsPrecision(RHS)) && + (llvm::APFloat::semanticsMinExponent(LHS) == + llvm::APFloat::semanticsMinExponent(RHS)) && + (llvm::APFloat::semanticsMaxExponent(LHS) == + llvm::APFloat::semanticsMaxExponent(RHS)) && + (llvm::APFloat::semanticsSizeInBits(LHS) == + llvm::APFloat::semanticsSizeInBits(RHS)); + } + +public: + /// Override implicit copy constructor for correct reference counting. + Z3Expr(const Z3Expr &Copy) : AST(Copy.AST) { Z3_inc_ref(Z3Expr::ZC, AST); } + + /// Provide move constructor + Z3Expr(Z3Expr &&Move) : AST(nullptr) { *this = std::move(Move); } + + /// Provide move assignment constructor + Z3Expr &operator=(Z3Expr &&Move) { + if (this != &Move) { + if (AST) + Z3_dec_ref(Z3Expr::ZC, AST); + AST = Move.AST; + Move.AST = nullptr; + } + return *this; + } + + ~Z3Expr() { + if (AST) + Z3_dec_ref(Z3Expr::ZC, AST); + } + + /// Given a model, extract the value of this operand in the model. + bool getInterpretation(const Z3_model &Model, llvm::APSInt &Int) const { + Z3_func_decl Func = Z3_get_app_decl(Z3Expr::ZC, Z3_to_app(Z3Expr::ZC, AST)); + if (Z3_model_has_interp(Z3Expr::ZC, Model, Func) != Z3_L_TRUE) + return false; + + Z3_ast Assign = Z3_model_get_const_interp(Z3Expr::ZC, Model, Func); + Z3_sort Sort = Z3_get_sort(Z3Expr::ZC, Assign); + return Z3Expr::toAPSInt(Sort, Assign, Int, true); + } + + /// Given a model, extract the value of this operand in the model. 
+ bool getInterpretation(const Z3_model &Model, llvm::APFloat &Float) const { + Z3_func_decl Func = Z3_get_app_decl(Z3Expr::ZC, Z3_to_app(Z3Expr::ZC, AST)); + if (Z3_model_has_interp(Z3Expr::ZC, Model, Func) != Z3_L_TRUE) + return false; + + Z3_ast Assign = Z3_model_get_const_interp(Z3Expr::ZC, Model, Func); + Z3_sort Sort = Z3_get_sort(Z3Expr::ZC, Assign); + return Z3Expr::toAPFloat(Sort, Assign, Float, true); + } + + /// Given a solver object, add this constraint to the solver. + void addToSolver(const Z3_solver &Solver) const { + Z3_solver_assert(Z3Expr::ZC, Solver, AST); + } + + /// Get the corresponding IEEE floating-point type for a given bitwidth. + static const llvm::fltSemantics &getFloatSemantics(unsigned BitWidth) { + switch (BitWidth) { + default: + llvm_unreachable("Unsupported floating-point semantics!"); + break; + case 16: + return llvm::APFloat::IEEEhalf(); + case 32: + return llvm::APFloat::IEEEsingle(); + case 64: + return llvm::APFloat::IEEEdouble(); + case 128: + return llvm::APFloat::IEEEquad(); + } + } + + /// Set the Z3 context. + static void setContext(const Z3_context &Context) { Z3Expr::ZC = Context; } + + /// Construct a Z3Expr from a unary operator, given a Z3_context. + static Z3Expr fromUnOp(const UnaryOperator::Opcode Op, const Z3Expr &Exp) { + Z3_ast AST; + + switch (Op) { + default: + llvm_unreachable("Unimplemented opcode"); + break; + + case UO_Minus: + AST = Z3_mk_bvneg(Z3Expr::ZC, Exp.AST); + break; + + case UO_Not: + AST = Z3_mk_bvnot(Z3Expr::ZC, Exp.AST); + break; + + case UO_LNot: + AST = Z3_mk_not(Z3Expr::ZC, Exp.AST); + break; + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a floating-point unary operator, given a + /// Z3_context. 
+ static Z3Expr fromFloatUnOp(const UnaryOperator::Opcode Op, + const Z3Expr &Exp) { + Z3_ast AST; + + switch (Op) { + default: + llvm_unreachable("Unimplemented opcode"); + break; + + case UO_Minus: + AST = Z3_mk_fpa_neg(Z3Expr::ZC, Exp.AST); + break; + + case UO_LNot: + AST = Z3_mk_not(Z3Expr::ZC, Exp.AST); + break; + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a n-ary binary operator. + static Z3Expr fromNBinOp(const BinaryOperator::Opcode Op, + const std::vector &Exps) { + Z3_ast AST; + + std::vector ASTs; + for (std::vector::const_iterator I = Exps.begin(); I != Exps.end(); + ++I) { + ASTs.push_back(I->AST); + } + + switch (Op) { + default: + llvm_unreachable("Unimplemented opcode"); + break; + + case BO_LAnd: + AST = Z3_mk_and(Z3Expr::ZC, ASTs.size(), ASTs.data()); + break; + + case BO_LOr: + AST = Z3_mk_or(Z3Expr::ZC, ASTs.size(), ASTs.data()); + break; + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a binary operator, given a Z3_context. + static Z3Expr fromBinOp(const Z3Expr &LHS, const BinaryOperator::Opcode Op, + const Z3Expr &RHS, bool isSigned) { + Z3_ast AST; + + assert(Z3_is_eq_sort(Z3Expr::ZC, Z3_get_sort(Z3Expr::ZC, LHS.AST), + Z3_get_sort(Z3Expr::ZC, RHS.AST)) && + "AST's must have the same sort!"); + + switch (Op) { + default: + llvm_unreachable("Unimplemented opcode"); + break; + + // Multiplicative operators + case BO_Mul: + AST = Z3_mk_bvmul(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_Div: + AST = isSigned ? Z3_mk_bvsdiv(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvudiv(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_Rem: + AST = isSigned ? 
Z3_mk_bvsrem(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvurem(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Additive operators + case BO_Add: + AST = Z3_mk_bvadd(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_Sub: + AST = Z3_mk_bvsub(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Bitwise shift operators + case BO_Shl: + AST = Z3_mk_bvshl(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_Shr: + AST = isSigned ? Z3_mk_bvashr(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvlshr(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Relational operators + case BO_LT: + AST = isSigned ? Z3_mk_bvslt(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvult(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_GT: + AST = isSigned ? Z3_mk_bvsgt(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvugt(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_LE: + AST = isSigned ? Z3_mk_bvsle(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvule(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_GE: + AST = isSigned ? Z3_mk_bvsge(Z3Expr::ZC, LHS.AST, RHS.AST) + : Z3_mk_bvuge(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Equality operators + case BO_EQ: + AST = Z3_mk_eq(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_NE: + return Z3Expr::fromUnOp(UO_LNot, + Z3Expr::fromBinOp(LHS, BO_EQ, RHS, isSigned)); + break; + + // Bitwise operators + case BO_And: + AST = Z3_mk_bvand(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_Xor: + AST = Z3_mk_bvxor(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_Or: + AST = Z3_mk_bvor(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Logical operators + case BO_LAnd: { + Z3_ast Args[] = {LHS.AST, RHS.AST}; + AST = Z3_mk_and(Z3Expr::ZC, sizeof(Args) / sizeof(*Args), Args); + break; + } + case BO_LOr: { + Z3_ast Args[] = {LHS.AST, RHS.AST}; + AST = Z3_mk_or(Z3Expr::ZC, sizeof(Args) / sizeof(*Args), Args); + break; + } + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a special floating-point binary operator, given a + /// Z3_context. 
+ static Z3Expr fromFloatSpecialBinOp(const Z3Expr &LHS, + const BinaryOperator::Opcode Op, + const llvm::APFloat::fltCategory &RHS) { + Z3_ast AST; + + switch (Op) { + default: + llvm_unreachable("Unimplemented opcode"); + break; + + // Equality operators + case BO_EQ: + switch (RHS) { + case llvm::APFloat::fcInfinity: + AST = Z3_mk_fpa_is_infinite(Z3Expr::ZC, LHS.AST); + break; + case llvm::APFloat::fcNaN: + AST = Z3_mk_fpa_is_nan(Z3Expr::ZC, LHS.AST); + break; + case llvm::APFloat::fcNormal: + AST = Z3_mk_fpa_is_normal(Z3Expr::ZC, LHS.AST); + break; + case llvm::APFloat::fcZero: + AST = Z3_mk_fpa_is_zero(Z3Expr::ZC, LHS.AST); + break; + } + break; + case BO_NE: + return Z3Expr::fromFloatUnOp( + UO_LNot, Z3Expr::fromFloatSpecialBinOp(LHS, BO_EQ, RHS)); + break; + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a floating-point binary operator, given a + /// Z3_context. + static Z3Expr fromFloatBinOp(const Z3Expr &LHS, + const BinaryOperator::Opcode Op, + const Z3Expr &RHS) { + Z3_ast AST; + + assert(Z3_is_eq_sort(Z3Expr::ZC, Z3_get_sort(Z3Expr::ZC, LHS.AST), + Z3_get_sort(Z3Expr::ZC, RHS.AST)) && + "AST's must have the same sort!"); + + switch (Op) { + default: + llvm_unreachable("Unimplemented opcode"); + break; + + // Multiplicative operators + case BO_Mul: { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + AST = Z3_mk_fpa_mul(Z3Expr::ZC, RoundingMode.AST, LHS.AST, RHS.AST); + break; + } + case BO_Div: { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + AST = Z3_mk_fpa_div(Z3Expr::ZC, RoundingMode.AST, LHS.AST, RHS.AST); + break; + } + case BO_Rem: + AST = Z3_mk_fpa_rem(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Additive operators + case BO_Add: { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + AST = Z3_mk_fpa_add(Z3Expr::ZC, RoundingMode.AST, LHS.AST, RHS.AST); + break; + } + case BO_Sub: { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + AST = Z3_mk_fpa_sub(Z3Expr::ZC, RoundingMode.AST, LHS.AST, RHS.AST); 
+ break; + } + + // Relational operators + case BO_LT: + AST = Z3_mk_fpa_lt(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_GT: + AST = Z3_mk_fpa_gt(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_LE: + AST = Z3_mk_fpa_leq(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_GE: + AST = Z3_mk_fpa_geq(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + + // Equality operators + case BO_EQ: + AST = Z3_mk_fpa_eq(Z3Expr::ZC, LHS.AST, RHS.AST); + break; + case BO_NE: + return Z3Expr::fromFloatUnOp(UO_LNot, + Z3Expr::fromFloatBinOp(LHS, BO_EQ, RHS)); + break; + + // Logical operators + case BO_LAnd: { + Z3_ast Args[] = {LHS.AST, RHS.AST}; + AST = Z3_mk_and(Z3Expr::ZC, sizeof(Args) / sizeof(*Args), Args); + break; + } + case BO_LOr: { + Z3_ast Args[] = {LHS.AST, RHS.AST}; + AST = Z3_mk_or(Z3Expr::ZC, sizeof(Args) / sizeof(*Args), Args); + break; + } + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a SymbolData, given a Z3_context. + static Z3Expr fromData(const SymbolID ID, bool isBool, bool isFloat, + uint64_t BitWidth) { + llvm::Twine Name = "$" + llvm::Twine(ID); + + Z3_sort Sort; + if (isBool) + Sort = Z3_mk_bool_sort(Z3Expr::ZC); + else if (isFloat) + Sort = Z3Expr::getFloatSort(BitWidth); + else + Sort = Z3_mk_bv_sort(Z3Expr::ZC, BitWidth); + + Z3_symbol Symbol = Z3_mk_string_symbol(Z3Expr::ZC, Name.str().c_str()); + Z3_ast AST = Z3_mk_const(Z3Expr::ZC, Symbol, Sort); + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a SymbolCast, given a Z3_context. 
+ static Z3Expr fromCast(const Z3Expr &Exp, QualType ToTy, uint64_t ToBitWidth, + QualType FromTy, uint64_t FromBitWidth) { + Z3_ast AST; + + if ((FromTy->isIntegralOrEnumerationType() && + ToTy->isIntegralOrEnumerationType()) || + (FromTy->isAnyPointerType() ^ ToTy->isAnyPointerType()) || + (FromTy->isBlockPointerType() ^ ToTy->isBlockPointerType()) || + (FromTy->isReferenceType() ^ ToTy->isReferenceType())) { + // Special case: Z3 boolean type is distinct from bitvector type, so + // must use if-then-else expression instead of direct cast + if (FromTy->isBooleanType()) { + assert(ToBitWidth > 0 && "BitWidth must be positive!"); + Z3Expr Zero = Z3Expr::fromInt("0", ToBitWidth); + Z3Expr One = Z3Expr::fromInt("1", ToBitWidth); + AST = Z3_mk_ite(Z3Expr::ZC, Exp.AST, One.AST, Zero.AST); + } else if (ToBitWidth > FromBitWidth) { + AST = + FromTy->isSignedIntegerOrEnumerationType() + ? Z3_mk_sign_ext(Z3Expr::ZC, ToBitWidth - FromBitWidth, Exp.AST) + : Z3_mk_zero_ext(Z3Expr::ZC, ToBitWidth - FromBitWidth, + Exp.AST); + } else if (ToBitWidth < FromBitWidth) { + AST = Z3_mk_extract(Z3Expr::ZC, ToBitWidth - 1, 0, Exp.AST); + } else { + // Both are bitvectors with the same width, ignore the type cast + return Exp; + } + } else if (FromTy->isRealFloatingType() && ToTy->isRealFloatingType()) { + if (ToBitWidth != FromBitWidth) { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + Z3_sort Sort = Z3Expr::getFloatSort(ToBitWidth); + AST = + Z3_mk_fpa_to_fp_float(Z3Expr::ZC, RoundingMode.AST, Exp.AST, Sort); + } else { + return Exp; + } + } else if (FromTy->isIntegralOrEnumerationType() && + ToTy->isRealFloatingType()) { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + Z3_sort Sort = Z3Expr::getFloatSort(ToBitWidth); + AST = FromTy->isSignedIntegerOrEnumerationType() + ? 
Z3_mk_fpa_to_fp_signed(Z3Expr::ZC, RoundingMode.AST, Exp.AST, + Sort) + : Z3_mk_fpa_to_fp_unsigned(Z3Expr::ZC, RoundingMode.AST, + Exp.AST, Sort); + } else if (FromTy->isRealFloatingType() && + ToTy->isIntegralOrEnumerationType()) { + Z3Expr RoundingMode = Z3Expr::getFloatRoundingMode(); + AST = ToTy->isSignedIntegerOrEnumerationType() + ? Z3_mk_fpa_to_sbv(Z3Expr::ZC, RoundingMode.AST, Exp.AST, + ToBitWidth) + : Z3_mk_fpa_to_ubv(Z3Expr::ZC, RoundingMode.AST, Exp.AST, + ToBitWidth); + } else { + llvm_unreachable("Unsupported explicit type cast!"); + } + + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a boolean, given a Z3_context. + static Z3Expr fromBoolean(const bool Bool) { + Z3_ast AST = Bool ? Z3_mk_true(Z3Expr::ZC) : Z3_mk_false(Z3Expr::ZC); + return Z3Expr(AST); + } + + /// Construct a Z3Expr from a finite APFloat, given a Z3_context. + static Z3Expr fromAPFloat(const llvm::APFloat &Float) { + Z3_ast AST; + Z3_sort Sort = Z3Expr::getFloatSort( + llvm::APFloat::semanticsSizeInBits(Float.getSemantics())); + switch (Float.getCategory()) { + case llvm::APFloat::fcInfinity: + AST = Z3_mk_fpa_inf(Z3Expr::ZC, Sort, Float.isNegative()); + break; + case llvm::APFloat::fcNaN: + AST = Z3_mk_fpa_nan(Z3Expr::ZC, Sort); + break; + case llvm::APFloat::fcZero: + AST = Z3_mk_fpa_zero(Z3Expr::ZC, Sort, Float.isNegative()); + break; + case llvm::APFloat::fcNormal: { + SmallString<24> Chars; + // Note: Z3 <= 4.4.1 has floating-point string parsing bug with '+' + // https://github.com/Z3Prover/z3/commit/0cb8193cdd2f2e5ae88fbc1565ddf00eaa323067 + Float.toString(Chars, 0, 0); + AST = Z3_mk_numeral(Z3Expr::ZC, Chars.c_str(), Sort); + break; + } + } + return Z3Expr(AST); + } + + /// Construct a Z3Expr from an APSInt, given a Z3_context. 
+ static Z3Expr fromAPSInt(const llvm::APSInt &Int) { + Z3_sort Sort = Z3_mk_bv_sort(Z3Expr::ZC, Int.getBitWidth()); + Z3_ast AST = Z3_mk_numeral(Z3Expr::ZC, Int.toString(10).c_str(), Sort); + return Z3Expr(AST); + } + + /// Construct a Z3Expr from an integer, given a Z3_context. + static Z3Expr fromInt(const char *Int, uint64_t BitWidth) { + Z3_sort Sort = Z3_mk_bv_sort(Z3Expr::ZC, BitWidth); + Z3_ast AST = Z3_mk_numeral(Z3Expr::ZC, Int, Sort); + return Z3Expr(AST); + } + + /// Construct an APFloat from a Z3Expr, given the AST representation + static bool toAPFloat(const Z3_sort &Sort, const Z3_ast &AST, + llvm::APFloat &Float, bool useSemantics = true) { + StringRef Integer, Exponent; + llvm::SmallString<24> Scientific; + + assert(Z3_get_sort_kind(Z3Expr::ZC, Sort) == Z3_FLOATING_POINT_SORT && + "Unsupported sort to floating-point!"); + StringRef String = Z3_get_numeral_string(Z3Expr::ZC, AST); + const llvm::fltSemantics &Semantics = + Z3Expr::getFloatSemantics(Z3_fpa_get_ebits(Z3Expr::ZC, Sort) + + Z3_fpa_get_sbits(Z3Expr::ZC, Sort)); + + if (useSemantics && + !Z3Expr::areEquivalent(Float.getSemantics(), Semantics)) { + assert(false && "Floating-point types don't match!"); + return false; + } + + if (String.endswith("zero")) { + Float = llvm::APFloat::getZero(Semantics, String.front() == '-'); + return true; + } else if (String.endswith("oo")) { + Float = llvm::APFloat::getInf(Semantics, String.front() == '-'); + return true; + } else if (String.endswith("NaN")) { + Float = llvm::APFloat::getQNaN(Semantics, String.front() == '-'); + return true; + } + + // Replace the ' ' with an 'e' for scientific notation, e.g. 
in "1.24 -10" + std::tie(Integer, Exponent) = String.split(' '); + llvm::Twine Concat(Integer + "e" + Exponent); + + Float = llvm::APFloat(Semantics); + llvm::APFloat::opStatus Status = + Float.convertFromString(Concat.toNullTerminatedStringRef(Scientific), + llvm::APFloat::rmNearestTiesToEven); + return !(Status & llvm::APFloat::opInvalidOp); + } + + /// Construct an APInt from a Z3Expr, given the AST representation + static bool toAPSInt(const Z3_sort &Sort, const Z3_ast &AST, + llvm::APSInt &Int, bool useSemantics = true) { + switch (Z3_get_sort_kind(Z3Expr::ZC, Sort)) { + default: + llvm_unreachable("Unsupported sort to integer!"); + case Z3_BV_SORT: { + uint64_t Value; + // Force cast because Z3 defines __uint64 to be a unsigned long long + // type, which isn't compatible with a unsigned long type, even if they + // are the same size. + Z3_get_numeral_uint64(Z3Expr::ZC, AST, + reinterpret_cast<__uint64 *>(&Value)); + if (useSemantics && + Int.getBitWidth() != Z3_get_bv_sort_size(Z3Expr::ZC, Sort)) { + assert(false && "Bitvector types don't match!"); + return false; + } + + Int = llvm::APInt(Int.getBitWidth(), Value); + return true; + } + case Z3_BOOL_SORT: + if (useSemantics && Int.getBitWidth() < 1) { + assert(false && "Boolean type doesn't match!"); + return false; + } + Int = + llvm::APInt(Int.getBitWidth(), + Z3_get_bool_value(Z3Expr::ZC, AST) == Z3_L_TRUE ? 1 : 0); + return true; + } + } + + void Profile(llvm::FoldingSetNodeID &ID) const { + ID.AddInteger(Z3_get_ast_hash(Z3Expr::ZC, AST)); + } + + bool operator<(const Z3Expr &Other) const { + llvm::FoldingSetNodeID ID1, ID2; + Profile(ID1); + Other.Profile(ID2); + return ID1 < ID2; + } + + /// Comparison of AST equality, not model equivalence. 
+ bool operator==(const Z3Expr &Other) const { + assert(Z3_is_eq_sort(Z3Expr::ZC, Z3_get_sort(Z3Expr::ZC, AST), + Z3_get_sort(Z3Expr::ZC, Other.AST)) && + "AST's must have the same sort"); + return Z3_is_eq_ast(Z3Expr::ZC, AST, Other.AST); + } + + /// Override implicit move constructor for correct reference counting. + Z3Expr &operator=(const Z3Expr &Move) { + Z3_inc_ref(Z3Expr::ZC, Move.AST); + Z3_dec_ref(Z3Expr::ZC, AST); + AST = Move.AST; + return *this; + } + + void print(raw_ostream &OS) const { OS << Z3_ast_to_string(Z3Expr::ZC, AST); } + + LLVM_DUMP_METHOD void dump() const { print(llvm::errs()); } +}; // end class Z3Expr + +void Z3ErrorHandler(Z3_context Context, Z3_error_code Error) { + llvm::report_fatal_error("Z3 error: " + + llvm::Twine(Z3_get_error_msg_ex(Context, Error))); +} + +Z3_context Z3Expr::ZC; +} // end anonymous namespace + +// Use macro to avoid problems with textual substitution +#define Z3SetPair llvm::ImmutableSet> +REGISTER_TRAIT_WITH_PROGRAMSTATE(ConstraintZ3, Z3SetPair) + +namespace { +class Z3ConstraintManager : public SimpleConstraintManager { + Z3_context ZC; + +public: + Z3ConstraintManager(SubEngine *SE, SValBuilder &SB) + : SimpleConstraintManager(SE, SB) { + Z3_config Config = Z3_mk_config(); + // Enable model finding + Z3_set_param_value(Config, "model", "true"); + // Set timeout to 15000ms = 15s + Z3_set_param_value(Config, "timeout", "15000"); + ZC = Z3_mk_context_rc(Config); + Z3_set_error_handler(ZC, Z3ErrorHandler); + Z3_del_config(Config); + + Z3Expr::setContext(ZC); + } + + ~Z3ConstraintManager() override { Z3_del_context(ZC); } + + //===------------------------------------------------------------------===// + // Implementation for interface from ConstraintManager. 
+ //===------------------------------------------------------------------===// + + bool canReasonAbout(SVal X) const override; + + ConditionTruthVal checkNull(ProgramStateRef State, SymbolRef Sym) override; + + const llvm::APSInt *getSymVal(ProgramStateRef State, + SymbolRef Sym) const override; + + ProgramStateRef removeDeadBindings(ProgramStateRef St, + SymbolReaper &SymReaper) override; + + void print(ProgramStateRef St, raw_ostream &Out, const char *nl, + const char *sep) override; + + //===------------------------------------------------------------------===// + // Implementation for interface from SimpleConstraintManager. + //===------------------------------------------------------------------===// + + ProgramStateRef assumeSym(ProgramStateRef state, SymbolRef Sym, + bool Assumption) override; + + ProgramStateRef assumeSymInclusiveRange(ProgramStateRef State, SymbolRef Sym, + const llvm::APSInt &From, + const llvm::APSInt &To, + bool InRange) override; + + ProgramStateRef assumeSymUnsupported(ProgramStateRef State, SymbolRef Sym, + bool Assumption) override; + +private: + //===------------------------------------------------------------------===// + // Internal implementation. + //===------------------------------------------------------------------===// + + // Check whether a new model is satisfiable, and update the program state. + ProgramStateRef assumeZ3Expr(ProgramStateRef State, SymbolRef Sym, + const Z3Expr &Exp); + + // Generate and check a Z3 model, using the given constraint. + Z3_lbool checkZ3Model(ProgramStateRef State, const Z3Expr &Exp) const; + + // Generate and check a Z3 model, then get the value of the given symbol in + // the model. + // Sets the Value parameter to the model value, if successful. + template + Z3_lbool getZ3Model(ProgramStateRef State, const Z3Expr &Exp, T &Value) const; + + // Generate a Z3Expr that represents the given symbolic expression. 
+ // Sets the hasComparison parameter if the expression has a comparison + // operator. + // Sets the RetTy parameter to the final return type after promotions and + // casts. + Z3Expr getZ3Expr(SymbolRef Sym, QualType *RetTy = nullptr, + bool *hasComparison = nullptr) const; + + // Generate a Z3Expr that takes the logical not of an expression. + Z3Expr getZ3NotExpr(const Z3Expr &Exp) const; + + // Generate a Z3Expr that compares the expression to zero. + Z3Expr getZ3ZeroExpr(const Z3Expr &Exp, QualType RetTy, + bool Assumption) const; + + // Recursive implementation to unpack and generate symbolic expression. + // Sets the hasComparison and RetTy parameters. See getZ3Expr(). + Z3Expr getZ3SymExpr(SymbolRef Sym, QualType *RetTy, + bool *hasComparison) const; + + // Wrapper to generate Z3Expr from SymbolData. + Z3Expr getZ3DataExpr(const SymbolID ID, QualType Ty) const; + + // Wrapper to generate Z3Expr from SymbolCast. + Z3Expr getZ3CastExpr(const Z3Expr &Exp, QualType FromTy, QualType Ty) const; + + // Wrapper to generate Z3Expr from BinarySymExpr. + // Sets the hasComparison and RetTy parameters. See getZ3Expr(). + Z3Expr getZ3SymBinExpr(const BinarySymExpr *BSE, bool *hasComparison, + QualType *RetTy) const; + + // Wrapper to generate Z3Expr from unpacked binary symbolic expression. + // Sets the RetTy parameter. See getZ3Expr(). + Z3Expr getZ3BinExpr(const Z3Expr &LHS, QualType LTy, + BinaryOperator::Opcode Op, const Z3Expr &RHS, + QualType RTy, QualType *RetTy) const; + + //===------------------------------------------------------------------===// + // Helper functions. + //===------------------------------------------------------------------===// + + // Recover the QualType of an APSInt. + // TODO: Refactor to put elsewhere + QualType getAPSIntType(const llvm::APSInt &Int) const; + + // Perform implicit type conversion on binary symbolic expressions. + // May modify all input parameters. 
+ // TODO: Refactor to use built-in conversion functions + void doTypeConversion(Z3Expr &LHS, Z3Expr &RHS, QualType <y, + QualType &RTy) const; + + // Perform implicit integer type conversion. + // May modify all input parameters. + // TODO: Refactor to use Sema::handleIntegerConversion() + template + void doIntTypeConversion(T &LHS, QualType <y, T &RHS, QualType &RTy) const; + + // Perform implicit floating-point type conversion. + // May modify all input parameters. + // TODO: Refactor to use Sema::handleFloatConversion() + template + void doFloatTypeConversion(T &LHS, QualType <y, T &RHS, + QualType &RTy) const; + + // Callback function for doCast parameter on APSInt type. + static llvm::APSInt castAPSInt(const llvm::APSInt &V, QualType ToTy, + uint64_t ToWidth, QualType FromTy, + uint64_t FromWidth); +}; // end class Z3ConstraintManager + +} // end anonymous namespace + +ProgramStateRef Z3ConstraintManager::assumeSym(ProgramStateRef State, + SymbolRef Sym, bool Assumption) { + QualType RetTy; + bool hasComparison; + + Z3Expr Exp = getZ3Expr(Sym, &RetTy, &hasComparison); + // Create zero comparison for implicit boolean cast, with reversed assumption + if (!hasComparison && !RetTy->isBooleanType()) + return assumeZ3Expr(State, Sym, getZ3ZeroExpr(Exp, RetTy, !Assumption)); + + return assumeZ3Expr(State, Sym, Assumption ? 
Exp : getZ3NotExpr(Exp)); +} + +ProgramStateRef Z3ConstraintManager::assumeSymInclusiveRange( + ProgramStateRef State, SymbolRef Sym, const llvm::APSInt &From, + const llvm::APSInt &To, bool InRange) { + QualType RetTy; + // The expression may be casted, so we cannot call getZ3DataExpr() directly + Z3Expr Exp = getZ3Expr(Sym, &RetTy); + + assert((getAPSIntType(From) == getAPSIntType(To)) && + "Range values have different types!"); + QualType RTy = getAPSIntType(From); + bool isSignedTy = RetTy->isSignedIntegerOrEnumerationType(); + Z3Expr FromExp = Z3Expr::fromAPSInt(From); + Z3Expr ToExp = Z3Expr::fromAPSInt(To); + + // Construct single (in)equality + if (From == To) + return assumeZ3Expr(State, Sym, + getZ3BinExpr(Exp, RetTy, InRange ? BO_EQ : BO_NE, + FromExp, RTy, nullptr)); + + // Construct two (in)equalities, and a logical and/or + Z3Expr LHS = + getZ3BinExpr(Exp, RetTy, InRange ? BO_GE : BO_LT, FromExp, RTy, nullptr); + Z3Expr RHS = + getZ3BinExpr(Exp, RetTy, InRange ? BO_LE : BO_GT, ToExp, RTy, nullptr); + return assumeZ3Expr( + State, Sym, + Z3Expr::fromBinOp(LHS, InRange ? 
BO_LAnd : BO_LOr, RHS, isSignedTy)); +} + +ProgramStateRef Z3ConstraintManager::assumeSymUnsupported(ProgramStateRef State, + SymbolRef Sym, + bool Assumption) { + // Skip anything that is unsupported + return State; +} + +bool Z3ConstraintManager::canReasonAbout(SVal X) const { + const TargetInfo &TI = getBasicVals().getContext().getTargetInfo(); + + Optional SymVal = X.getAs(); + if (!SymVal) + return true; + + const SymExpr *Sym = SymVal->getSymbol(); + do { + QualType Ty = Sym->getType(); + + // Complex types are not modeled + if (Ty->isComplexType() || Ty->isComplexIntegerType()) + return false; + + // Non-IEEE 754 floating-point types are not modeled + if ((Ty->isSpecificBuiltinType(BuiltinType::LongDouble) && + (&TI.getLongDoubleFormat() == &llvm::APFloat::x87DoubleExtended() || + &TI.getLongDoubleFormat() == &llvm::APFloat::PPCDoubleDouble()))) + return false; + + if (isa(Sym)) { + break; + } else if (const SymbolCast *SC = dyn_cast(Sym)) { + Sym = SC->getOperand(); + } else if (const BinarySymExpr *BSE = dyn_cast(Sym)) { + if (const SymIntExpr *SIE = dyn_cast(BSE)) { + Sym = SIE->getLHS(); + } else if (const IntSymExpr *ISE = dyn_cast(BSE)) { + Sym = ISE->getRHS(); + } else if (const SymSymExpr *SSM = dyn_cast(BSE)) { + return canReasonAbout(nonloc::SymbolVal(SSM->getLHS())) && + canReasonAbout(nonloc::SymbolVal(SSM->getRHS())); + } else { + llvm_unreachable("Unsupported binary expression to reason about!"); + } + } else { + llvm_unreachable("Unsupported expression to reason about!"); + } + } while (Sym); + + return true; +} + +ConditionTruthVal Z3ConstraintManager::checkNull(ProgramStateRef State, + SymbolRef Sym) { + QualType RetTy; + // The expression may be casted, so we cannot call getZ3DataExpr() directly + Z3Expr VarExp = getZ3Expr(Sym, &RetTy); + Z3Expr Exp = getZ3ZeroExpr(VarExp, RetTy, true); + // Negate the constraint + Z3Expr NotExpr = getZ3ZeroExpr(VarExp, RetTy, false); + + Z3_lbool isSat = checkZ3Model(State, Exp); + Z3_lbool isNotSat = 
checkZ3Model(State, NotExpr); + // Zero is the only possible solution + if (isSat == Z3_L_TRUE && isNotSat == Z3_L_FALSE) + return true; + // Zero is not a solution + else if (isSat == Z3_L_FALSE && isNotSat == Z3_L_TRUE) + return false; + + // Zero may be a solution + return ConditionTruthVal(); +} + +const llvm::APSInt *Z3ConstraintManager::getSymVal(ProgramStateRef State, + SymbolRef Sym) const { + BasicValueFactory &BV = getBasicVals(); + ASTContext &Ctx = BV.getContext(); + + if (const SymbolData *SD = dyn_cast(Sym)) { + QualType Ty = Sym->getType(); + assert(!Ty->isRealFloatingType()); + llvm::APSInt Value(Ctx.getTypeSize(Ty), + !Ty->isSignedIntegerOrEnumerationType()); + + Z3Expr Exp = getZ3DataExpr(SD->getSymbolID(), Ty); + if (getZ3Model(State, Exp, Value) != Z3_L_TRUE) + return nullptr; + + // A value has been obtained, need to check if it is the only value + Z3Expr NotExpr = Z3Expr::fromBinOp( + Exp, BO_NE, + Ty->isBooleanType() ? Z3Expr::fromBoolean(Value.getBoolValue()) + : Z3Expr::fromAPSInt(Value), + false); + if (checkZ3Model(State, NotExpr) == Z3_L_TRUE) + return nullptr; + + // This is the only solution, store it + return &BV.getValue(Value); + } else if (const SymbolCast *SC = dyn_cast(Sym)) { + SymbolRef CastSym = SC->getOperand(); + QualType CastTy = SC->getType(); + // Skip the void type + if (CastTy->isVoidType()) + return nullptr; + + const llvm::APSInt *Value; + if (!(Value = getSymVal(State, CastSym))) + return nullptr; + return &BV.Convert(SC->getType(), *Value); + } else if (const BinarySymExpr *BSE = dyn_cast(Sym)) { + const llvm::APSInt *LHS, *RHS; + if (const SymIntExpr *SIE = dyn_cast(BSE)) { + LHS = getSymVal(State, SIE->getLHS()); + RHS = &SIE->getRHS(); + } else if (const IntSymExpr *ISE = dyn_cast(BSE)) { + LHS = &ISE->getLHS(); + RHS = getSymVal(State, ISE->getRHS()); + } else if (const SymSymExpr *SSM = dyn_cast(BSE)) { + // Early termination to avoid expensive call + LHS = getSymVal(State, SSM->getLHS()); + RHS = LHS ? 
getSymVal(State, SSM->getRHS()) : nullptr; + } else { + llvm_unreachable("Unsupported binary expression to get symbol value!"); + } + + if (!LHS || !RHS) + return nullptr; + + llvm::APSInt ConvertedLHS = *LHS, ConvertedRHS = *RHS; + QualType LTy = getAPSIntType(*LHS), RTy = getAPSIntType(*RHS); + doIntTypeConversion( + ConvertedLHS, LTy, ConvertedRHS, RTy); + return BV.evalAPSInt(BSE->getOpcode(), ConvertedLHS, ConvertedRHS); + } + + llvm_unreachable("Unsupported expression to get symbol value!"); +} + +ProgramStateRef +Z3ConstraintManager::removeDeadBindings(ProgramStateRef State, + SymbolReaper &SymReaper) { + ConstraintZ3Ty CZ = State->get(); + ConstraintZ3Ty::Factory &CZFactory = State->get_context(); + + for (ConstraintZ3Ty::iterator I = CZ.begin(), E = CZ.end(); I != E; ++I) { + if (SymReaper.maybeDead(I->first)) + CZ = CZFactory.remove(CZ, *I); + } + + return State->set(CZ); +} + +//===------------------------------------------------------------------===// +// Internal implementation. 
+//===------------------------------------------------------------------===// + +ProgramStateRef Z3ConstraintManager::assumeZ3Expr(ProgramStateRef State, + SymbolRef Sym, + const Z3Expr &Exp) { + // Check the model, avoid simplifying AST to save time + if (checkZ3Model(State, Exp) == Z3_L_TRUE) + return State->add(std::make_pair(Sym, Exp)); + + return nullptr; +} + +Z3_lbool Z3ConstraintManager::checkZ3Model(ProgramStateRef State, + const Z3Expr &Exp) const { + Z3_lbool Result; + Z3_solver Solver = Z3_mk_simple_solver(ZC); + + Z3_solver_inc_ref(ZC, Solver); + + // TODO: Don't add all the constraints, only the relevant ones + ConstraintZ3Ty CZ = State->get(); + + // Construct the logical AND of all the constraints + if (CZ.begin() != CZ.end()) { + std::vector Exps; + Exps.push_back(Exp); + for (ConstraintZ3Ty::iterator I = CZ.begin(), IE = CZ.end(); I != IE; ++I) + Exps.push_back(I->second); + + Z3Expr Conj = Z3Expr::fromNBinOp(BO_LAnd, Exps); + Conj.addToSolver(Solver); + } else + Exp.addToSolver(Solver); + + Result = Z3_solver_check(ZC, Solver); + Z3_solver_dec_ref(ZC, Solver); + return Result; +} + +template +Z3_lbool Z3ConstraintManager::getZ3Model(ProgramStateRef State, + const Z3Expr &Exp, T &Value) const { + Z3_lbool Result; + Z3_model Model; + Z3_solver Solver = Z3_mk_solver(ZC); + + Z3_solver_inc_ref(ZC, Solver); + + // TODO: Don't add all the constraints, only the relevant ones + ConstraintZ3Ty CZ = State->get(); + + // Construct the logical AND of all the constraints + std::vector Exps; + for (ConstraintZ3Ty::iterator I = CZ.begin(), IE = CZ.end(); I != IE; ++I) + Exps.push_back(I->second); + + Z3Expr Conj = Z3Expr::fromNBinOp(BO_LAnd, Exps); + Conj.addToSolver(Solver); + + Result = Z3_solver_check(ZC, Solver); + + // The solver returned an unknown result (e.g. 
timeout), or not satisfiable + if (Result != Z3_L_TRUE) { + Z3_solver_dec_ref(ZC, Solver); + return Result; + } + + Model = Z3_solver_get_model(ZC, Solver); + + Z3_model_inc_ref(ZC, Model); + Z3_solver_dec_ref(ZC, Solver); + + // The model does not assign an interpretation + if (!Exp.getInterpretation(Model, Value)) { + Z3_model_dec_ref(ZC, Model); + return Z3_L_FALSE; + } + + Z3_model_dec_ref(ZC, Model); + return Z3_L_TRUE; +} + +Z3Expr Z3ConstraintManager::getZ3Expr(SymbolRef Sym, QualType *RetTy, + bool *hasComparison) const { + if (hasComparison) { + *hasComparison = false; + } + + return getZ3SymExpr(Sym, RetTy, hasComparison); +} + +Z3Expr Z3ConstraintManager::getZ3NotExpr(const Z3Expr &Exp) const { + return Z3Expr::fromUnOp(UO_LNot, Exp); +} + +Z3Expr Z3ConstraintManager::getZ3ZeroExpr(const Z3Expr &Exp, QualType Ty, + bool Assumption) const { + ASTContext &Ctx = getBasicVals().getContext(); + if (Ty->isRealFloatingType()) { + llvm::APFloat Zero = llvm::APFloat::getZero(Ctx.getFloatTypeSemantics(Ty)); + return Z3Expr::fromFloatBinOp(Exp, Assumption ? BO_EQ : BO_NE, + Z3Expr::fromAPFloat(Zero)); + } else if (Ty->isIntegralOrEnumerationType() || Ty->isAnyPointerType() || + Ty->isBlockPointerType() || Ty->isReferenceType()) { + bool isSigned = Ty->isSignedIntegerOrEnumerationType(); + // Skip explicit comparison for boolean types + if (Ty->isBooleanType()) + return Assumption ? getZ3NotExpr(Exp) : Exp; + return Z3Expr::fromBinOp(Exp, Assumption ? 
BO_EQ : BO_NE, + Z3Expr::fromInt("0", Ctx.getTypeSize(Ty)), + isSigned); + } + + llvm_unreachable("Unsupported type for zero value!"); +} + +Z3Expr Z3ConstraintManager::getZ3SymExpr(SymbolRef Sym, QualType *RetTy, + bool *hasComparison) const { + if (const SymbolData *SD = dyn_cast(Sym)) { + if (RetTy) + *RetTy = Sym->getType(); + + return getZ3DataExpr(SD->getSymbolID(), Sym->getType()); + } else if (const SymbolCast *SC = dyn_cast(Sym)) { + if (RetTy) + *RetTy = Sym->getType(); + + QualType FromTy; + Z3Expr Exp = getZ3SymExpr(SC->getOperand(), &FromTy, hasComparison); + // Casting an expression with a comparison invalidates it. Note that this + // must occur after the recursive call above. + // e.g. (signed char) (x > 0) + if (hasComparison) + *hasComparison = false; + return getZ3CastExpr(Exp, FromTy, Sym->getType()); + } else if (const BinarySymExpr *BSE = dyn_cast(Sym)) { + Z3Expr Exp = getZ3SymBinExpr(BSE, hasComparison, RetTy); + // Set the hasComparison parameter, in post-order traversal order. 
+ if (hasComparison) + *hasComparison = BinaryOperator::isComparisonOp(BSE->getOpcode()); + return Exp; + } + + llvm_unreachable("Unsupported SymbolRef type!"); +} + +Z3Expr Z3ConstraintManager::getZ3DataExpr(const SymbolID ID, + QualType Ty) const { + ASTContext &Ctx = getBasicVals().getContext(); + return Z3Expr::fromData(ID, Ty->isBooleanType(), Ty->isRealFloatingType(), + Ctx.getTypeSize(Ty)); +} + +Z3Expr Z3ConstraintManager::getZ3CastExpr(const Z3Expr &Exp, QualType FromTy, + QualType ToTy) const { + ASTContext &Ctx = getBasicVals().getContext(); + return Z3Expr::fromCast(Exp, ToTy, Ctx.getTypeSize(ToTy), FromTy, + Ctx.getTypeSize(FromTy)); +} + +Z3Expr Z3ConstraintManager::getZ3SymBinExpr(const BinarySymExpr *BSE, + bool *hasComparison, + QualType *RetTy) const { + QualType LTy, RTy; + BinaryOperator::Opcode Op = BSE->getOpcode(); + + if (const SymIntExpr *SIE = dyn_cast(BSE)) { + RTy = getAPSIntType(SIE->getRHS()); + Z3Expr LHS = getZ3SymExpr(SIE->getLHS(), <y, hasComparison); + Z3Expr RHS = Z3Expr::fromAPSInt(SIE->getRHS()); + return getZ3BinExpr(LHS, LTy, Op, RHS, RTy, RetTy); + } else if (const IntSymExpr *ISE = dyn_cast(BSE)) { + LTy = getAPSIntType(ISE->getLHS()); + Z3Expr LHS = Z3Expr::fromAPSInt(ISE->getLHS()); + Z3Expr RHS = getZ3SymExpr(ISE->getRHS(), &RTy, hasComparison); + return getZ3BinExpr(LHS, LTy, Op, RHS, RTy, RetTy); + } else if (const SymSymExpr *SSM = dyn_cast(BSE)) { + Z3Expr LHS = getZ3SymExpr(SSM->getLHS(), <y, hasComparison); + Z3Expr RHS = getZ3SymExpr(SSM->getRHS(), &RTy, hasComparison); + return getZ3BinExpr(LHS, LTy, Op, RHS, RTy, RetTy); + } else { + llvm_unreachable("Unsupported BinarySymExpr type!"); + } +} + +Z3Expr Z3ConstraintManager::getZ3BinExpr(const Z3Expr &LHS, QualType LTy, + BinaryOperator::Opcode Op, + const Z3Expr &RHS, QualType RTy, + QualType *RetTy) const { + Z3Expr NewLHS = LHS; + Z3Expr NewRHS = RHS; + doTypeConversion(NewLHS, NewRHS, LTy, RTy); + // Update the return type parameter if the output type has 
changed. + if (RetTy) { + // A boolean result can be represented as an integer type in C/C++, but at + // this point we only care about the Z3 type. Set it as a boolean type to + // avoid subsequent Z3 errors. + if (BinaryOperator::isComparisonOp(Op) || BinaryOperator::isLogicalOp(Op)) { + ASTContext &Ctx = getBasicVals().getContext(); + *RetTy = Ctx.BoolTy; + } else { + *RetTy = LTy; + } + + // If the two operands are pointers and the operation is a subtraction, the + // result is of type ptrdiff_t, which is signed + if (LTy->isAnyPointerType() && LTy == RTy && Op == BO_Sub) { + ASTContext &Ctx = getBasicVals().getContext(); + *RetTy = Ctx.getIntTypeForBitwidth(Ctx.getTypeSize(LTy), true); + } + } + + return LTy->isRealFloatingType() + ? Z3Expr::fromFloatBinOp(NewLHS, Op, NewRHS) + : Z3Expr::fromBinOp(NewLHS, Op, NewRHS, + LTy->isSignedIntegerOrEnumerationType()); +} + +//===------------------------------------------------------------------===// +// Helper functions. +//===------------------------------------------------------------------===// + +QualType Z3ConstraintManager::getAPSIntType(const llvm::APSInt &Int) const { + ASTContext &Ctx = getBasicVals().getContext(); + return Ctx.getIntTypeForBitwidth(Int.getBitWidth(), Int.isSigned()); +} + +void Z3ConstraintManager::doTypeConversion(Z3Expr &LHS, Z3Expr &RHS, + QualType <y, QualType &RTy) const { + ASTContext &Ctx = getBasicVals().getContext(); + + // Perform type conversion + if (LTy->isIntegralOrEnumerationType() && + RTy->isIntegralOrEnumerationType()) { + if (LTy->isArithmeticType() && RTy->isArithmeticType()) + return doIntTypeConversion(LHS, LTy, RHS, RTy); + } else if (LTy->isRealFloatingType() || RTy->isRealFloatingType()) { + return doFloatTypeConversion(LHS, LTy, RHS, RTy); + } else if ((LTy->isAnyPointerType() || RTy->isAnyPointerType()) || + (LTy->isBlockPointerType() || RTy->isBlockPointerType()) || + (LTy->isReferenceType() || RTy->isReferenceType())) { + // TODO: Refactor to 
Sema::FindCompositePointerType(), and + // Sema::CheckCompareOperands(). + + uint64_t LBitWidth = Ctx.getTypeSize(LTy); + uint64_t RBitWidth = Ctx.getTypeSize(RTy); + + // Cast the non-pointer type to the pointer type. + // TODO: Be more strict about this. + if ((LTy->isAnyPointerType() ^ RTy->isAnyPointerType()) || + (LTy->isBlockPointerType() ^ RTy->isBlockPointerType()) || + (LTy->isReferenceType() ^ RTy->isReferenceType())) { + if (LTy->isNullPtrType() || LTy->isBlockPointerType() || + LTy->isReferenceType()) { + LHS = Z3Expr::fromCast(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = RTy; + } else { + RHS = Z3Expr::fromCast(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = LTy; + } + } + + // Cast the void pointer type to the non-void pointer type. + // For void types, this assumes that the casted value is equal to the value + // of the original pointer, and does not account for alignment requirements. + if (LTy->isVoidPointerType() ^ RTy->isVoidPointerType()) { + assert((Ctx.getTypeSize(LTy) == Ctx.getTypeSize(RTy)) && + "Pointer types have different bitwidths!"); + if (RTy->isVoidPointerType()) + RTy = LTy; + else + LTy = RTy; + } + + if (LTy == RTy) + return; + } + + // Fallback: for the solver, assume that these types don't really matter + if ((LTy.getCanonicalType() == RTy.getCanonicalType()) || + (LTy->isObjCObjectPointerType() && RTy->isObjCObjectPointerType())) { + LTy = RTy; + return; + } + + // TODO: Refine behavior for invalid type casts +} + +template +void Z3ConstraintManager::doIntTypeConversion(T &LHS, QualType <y, T &RHS, + QualType &RTy) const { + ASTContext &Ctx = getBasicVals().getContext(); + + uint64_t LBitWidth = Ctx.getTypeSize(LTy); + uint64_t RBitWidth = Ctx.getTypeSize(RTy); + + // Always perform integer promotion before checking type equality. + // Otherwise, e.g. 
(bool) a + (bool) b could trigger a backend assertion + if (LTy->isPromotableIntegerType()) { + QualType NewTy = Ctx.getPromotedIntegerType(LTy); + uint64_t NewBitWidth = Ctx.getTypeSize(NewTy); + LHS = (*doCast)(LHS, NewTy, NewBitWidth, LTy, LBitWidth); + LTy = NewTy; + LBitWidth = NewBitWidth; + } + if (RTy->isPromotableIntegerType()) { + QualType NewTy = Ctx.getPromotedIntegerType(RTy); + uint64_t NewBitWidth = Ctx.getTypeSize(NewTy); + RHS = (*doCast)(RHS, NewTy, NewBitWidth, RTy, RBitWidth); + RTy = NewTy; + RBitWidth = NewBitWidth; + } + + if (LTy == RTy) + return; + + // Perform integer type conversion + // Note: Safe to skip updating bitwidth because this must terminate + bool isLSignedTy = LTy->isSignedIntegerOrEnumerationType(); + bool isRSignedTy = RTy->isSignedIntegerOrEnumerationType(); + + int order = Ctx.getIntegerTypeOrder(LTy, RTy); + if (isLSignedTy == isRSignedTy) { + // Same signedness; use the higher-ranked type + if (order == 1) { + RHS = (*doCast)(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = LTy; + } else { + LHS = (*doCast)(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = RTy; + } + } else if (order != (isLSignedTy ? 1 : -1)) { + // The unsigned type has greater than or equal rank to the + // signed type, so use the unsigned type + if (isRSignedTy) { + RHS = (*doCast)(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = LTy; + } else { + LHS = (*doCast)(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = RTy; + } + } else if (LBitWidth != RBitWidth) { + // The two types are different widths; if we are here, that + // means the signed type is larger than the unsigned type, so + // use the signed type. + if (isLSignedTy) { + RHS = (*doCast)(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = LTy; + } else { + LHS = (*doCast)(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = RTy; + } + } else { + // The signed type is higher-ranked than the unsigned type, + // but isn't actually any bigger (like unsigned int and long + // on most 32-bit systems). 
Use the unsigned type corresponding + // to the signed type. + QualType NewTy = Ctx.getCorrespondingUnsignedType(isLSignedTy ? LTy : RTy); + RHS = (*doCast)(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = NewTy; + LHS = (*doCast)(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = NewTy; + } +} + +template +void Z3ConstraintManager::doFloatTypeConversion(T &LHS, QualType <y, T &RHS, + QualType &RTy) const { + ASTContext &Ctx = getBasicVals().getContext(); + + uint64_t LBitWidth = Ctx.getTypeSize(LTy); + uint64_t RBitWidth = Ctx.getTypeSize(RTy); + + // Perform float-point type promotion + if (!LTy->isRealFloatingType()) { + LHS = (*doCast)(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = RTy; + LBitWidth = RBitWidth; + } + if (!RTy->isRealFloatingType()) { + RHS = (*doCast)(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = LTy; + RBitWidth = LBitWidth; + } + + if (LTy == RTy) + return; + + // If we have two real floating types, convert the smaller operand to the + // bigger result + // Note: Safe to skip updating bitwidth because this must terminate + int order = Ctx.getFloatingTypeOrder(LTy, RTy); + if (order > 0) { + RHS = Z3Expr::fromCast(RHS, LTy, LBitWidth, RTy, RBitWidth); + RTy = LTy; + } else if (order == 0) { + LHS = Z3Expr::fromCast(LHS, RTy, RBitWidth, LTy, LBitWidth); + LTy = RTy; + } else { + llvm_unreachable("Unsupported floating-point type cast!"); + } +} + +llvm::APSInt Z3ConstraintManager::castAPSInt(const llvm::APSInt &V, + QualType ToTy, uint64_t ToWidth, + QualType FromTy, + uint64_t FromWidth) { + APSIntType TargetType(ToWidth, !ToTy->isSignedIntegerOrEnumerationType()); + return TargetType.convert(V); +} + +//==------------------------------------------------------------------------==/ +// Pretty-printing. 
+//==------------------------------------------------------------------------==/ + +void Z3ConstraintManager::print(ProgramStateRef St, raw_ostream &OS, + const char *nl, const char *sep) { + + ConstraintZ3Ty CZ = St->get(); + + OS << nl << sep << "Constraints:"; + for (ConstraintZ3Ty::iterator I = CZ.begin(), E = CZ.end(); I != E; ++I) { + OS << nl << ' ' << I->first << " : "; + I->second.print(OS); + } + OS << nl; +} + +#endif + +std::unique_ptr +ento::CreateZ3ConstraintManager(ProgramStateManager &StMgr, SubEngine *Eng) { +#ifdef CLANG_HAVE_Z3 + return llvm::make_unique(Eng, StMgr.getSValBuilder()); +#else + llvm::report_fatal_error("Clang was not compiled with Z3 support!", false); + return nullptr; +#endif +} Index: test/Analysis/bool-assignment.c =================================================================== --- test/Analysis/bool-assignment.c +++ test/Analysis/bool-assignment.c @@ -43,8 +43,7 @@ return; } if (y > 200 && y < 250) { - // FIXME: Currently we are loosing this warning due to a SymbolCast in RHS. - BOOL x = y; // no-warning + BOOL x = y; // expected-warning {{Assignment of a non-Boolean value}} return; } if (y >= 127 && y < 150) { Index: test/Analysis/expr-inspection.c =================================================================== --- test/Analysis/expr-inspection.c +++ test/Analysis/expr-inspection.c @@ -19,4 +19,4 @@ // CHECK: Expressions: // CHECK-NEXT: clang_analyzer_printState : &code{clang_analyzer_printState} -// CHECK-NEXT: Ranges are empty. +// CHECK-NEXT: {{(Ranges are empty)|(Constraints:[[:space:]]*$)}} Index: test/Analysis/ptr-arith.c =================================================================== --- test/Analysis/ptr-arith.c +++ test/Analysis/ptr-arith.c 
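Review bot: The new `CHECK-NEXT` alternation `{{(Ranges are empty)|(Constraints:[[:space:]]*$)}}` accepts either backend's state dump, but nothing in the test says which branch belongs to which constraint manager, so a future reader cannot tell whether a match on the wrong branch is a regression. A comment above the line, e.g. `// The range constraint manager prints "Ranges are empty."; the Z3 manager prints an empty "Constraints:" section.`, would document why the alternation exists. The rest of the test, including its RUN line, is outside the hunk.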
@@ -255,30 +255,24 @@ void zero_implies_reversed_equal(int *lhs, int *rhs) { clang_analyzer_eval((rhs - lhs) == 0); // expected-warning{{UNKNOWN}} if ((rhs - lhs) == 0) { - // FIXME: Should be FALSE. - clang_analyzer_eval(rhs != lhs); // expected-warning{{UNKNOWN}} - // FIXME: Should be TRUE. - clang_analyzer_eval(rhs == lhs); // expected-warning{{UNKNOWN}} + clang_analyzer_eval(rhs != lhs); // expected-warning{{FALSE}} + clang_analyzer_eval(rhs == lhs); // expected-warning{{TRUE}} return; } clang_analyzer_eval((rhs - lhs) == 0); // expected-warning{{FALSE}} - // FIXME: Should be FALSE. - clang_analyzer_eval(rhs == lhs); // expected-warning{{UNKNOWN}} - // FIXME: Should be TRUE. - clang_analyzer_eval(rhs != lhs); // expected-warning{{UNKNOWN}} + clang_analyzer_eval(rhs == lhs); // expected-warning{{FALSE}} + clang_analyzer_eval(rhs != lhs); // expected-warning{{TRUE}} } void canonical_equal(int *lhs, int *rhs) { clang_analyzer_eval(lhs == rhs); // expected-warning{{UNKNOWN}} if (lhs == rhs) { - // FIXME: Should be TRUE. - clang_analyzer_eval(rhs == lhs); // expected-warning{{UNKNOWN}} + clang_analyzer_eval(rhs == lhs); // expected-warning{{TRUE}} return; } clang_analyzer_eval(lhs == rhs); // expected-warning{{FALSE}} - // FIXME: Should be FALSE. - clang_analyzer_eval(rhs == lhs); // expected-warning{{UNKNOWN}} + clang_analyzer_eval(rhs == lhs); // expected-warning{{FALSE}} } void compare_element_region_and_base(int *p) { Index: test/Analysis/unsupported-types.c =================================================================== --- /dev/null +++ test/Analysis/unsupported-types.c 
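Review bot: The new `TRUE`/`FALSE` expectations in `zero_implies_reversed_equal` and `canonical_equal` replace answers the analyzer previously gave as `UNKNOWN`, yet the hunk adds no backend-specific RUN line, so they are checked against whatever constraint manager the file's existing RUN line selects. If the sharper answers hold only with the Z3 backend, this test will fail in builds configured without it; if they also hold with the default range manager (which another part of this change may arrange), a one-line comment stating that both backends are expected to produce these results would save the next reader that question. The RUN line and the rest of the file are outside the hunk.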
@@ -0,0 +1,31 @@
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -triple x86_64-unknown-linux -verify %s
+// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.ExprInspection -triple powerpc64-linux-gnu -verify %s
+
+#define _Complex_I (__extension__ 1.0iF)
+
+void clang_analyzer_eval(int);
+
+void complex_float(double _Complex x, double _Complex y) {
+ clang_analyzer_eval(x == y); // expected-warning{{UNKNOWN}}
+ if (x != 1.0 + 3.0 * _Complex_I && y != 1.0 - 4.0 * _Complex_I)
+ return
+ clang_analyzer_eval(x == y); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(x + y == 2.0 - 1.0 * _Complex_I); // expected-warning{{UNKNOWN}}
+}
+
+void complex_int(int _Complex x, int _Complex y) {
+ clang_analyzer_eval(x == y); // expected-warning{{UNKNOWN}}
+ if (x != 1.0 + 3.0 * _Complex_I && y != 1.0 - 4.0 * _Complex_I)
+ return
+ clang_analyzer_eval(x == y); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(x + y == 2.0 - 1.0 * _Complex_I); // expected-warning{{UNKNOWN}}
+}
+
+void longdouble_float(long double x, long double y) {
+ clang_analyzer_eval(x == y); // expected-warning{{UNKNOWN}}
+ if (x != 0.0L && y != 1.0L)
+ return
+ clang_analyzer_eval(x == y); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(x + y == 1.0L); // expected-warning{{UNKNOWN}}
+}
Index: test/lit.site.cfg.in
===================================================================
--- test/lit.site.cfg.in
+++ test/lit.site.cfg.in
@@ -15,6 +15,7 @@
 config.target_triple = "@TARGET_TRIPLE@"
 config.llvm_use_sanitizer = "@LLVM_USE_SANITIZER@"
 config.have_zlib = "@HAVE_LIBZ@"
+config.have_z3 = "@CLANG_HAVE_Z3@"
 config.clang_arcmt = @ENABLE_CLANG_ARCMT@
 config.clang_default_cxx_stdlib = "@CLANG_DEFAULT_CXX_STDLIB@"
 config.clang_staticanalyzer = @ENABLE_CLANG_STATIC_ANALYZER@
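Review bot: Each of the three new functions (`complex_float`, `complex_int`, `longdouble_float`) has a `return` with no terminating semicolon, so the `clang_analyzer_eval(x == y);` on the following line becomes that return's operand: the check is evaluated only on the early-exit path, and the fall-through path that the layout suggests is under test never reaches it. Returning a void expression from a void function is also only accepted as an extension and may produce a diagnostic the `-verify` expectations do not account for. Terminate each of the three lines as `return;`. Separately, none of the RUN lines selects the Z3 backend, so as written the test only shows that the default constraint manager answers UNKNOWN for these types; if the intent is to cover the Z3 manager's rejection of complex and non-IEEE long double types, a RUN line with `-analyzer-constraints=z3` behind a lit feature check is needed.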
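Review bot: `config.have_z3` is populated here, but nothing in this diff turns it into a lit feature, so a test cannot yet write `REQUIRES: z3` unless lit.cfg is also updated in a part of the change not shown; the conventional pairing is a lit.cfg line such as `if config.have_z3 == "1": config.available_features.add("z3")` (constructed example, mirroring how `have_zlib` is commonly handled). Note that when Z3 is not found the substituted value is presumably the empty string rather than `"0"`, so any consumer should compare against `"1"` explicitly instead of relying on truthiness.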