This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
-
SimpleSValBuilder.cpp
-
test/Analysis/
-
Analysis/
-
ptr-arith.cpp

Differential D36564

[analyzer] Fix SimpleSValBuilder::simplifySVal
ClosedPublic

Authored by alexander-shaposhnikov on Aug 9 2017, 5:21 PM.

Download Raw Diff

Details

Reviewers

NoQ
zaks.anna
dcoughlin

Commits

rG901d61561c99: [analyzer] Fix SimpleSValBuilder::simplifySVal
rC310887: [analyzer] Fix SimpleSValBuilder::simplifySVal
rL310887: [analyzer] Fix SimpleSValBuilder::simplifySVal

Summary

This diff attempts to address a crash (triggered assert) on the newly-added test case.
The assert being discussed is inside SValBuilder::evalBinOp

if (Optional<Loc> RV = rhs.getAs<Loc>()) {
   // Support pointer arithmetic where the addend is on the left
   // and the pointer on the right.
   assert(op == BO_Add);

but the root cause seems to be in a different place
(if I'm not missing smth).

The method simplifySVal appears to be doing the wrong thing for SVal "(char*)End - (char*)Begin".
Call stack: evalIntegralCast -> evalBinOpNN -> simplifySVal -> ... -> simplifySVal -> Simplifier::VisitSymSymExpr -> ...

Inside Simplifier::VisitSymSymExpr the call Visit(S->getLHS()) returns a NonLoc
(where S->getLHS() represents char* End) while the call Visit(S->getRHS()) returns a Loc.

For Visit(S->getRHS()) this happens because in VisitSymbolData(const SymbolData *S) the "if" condition

if (const llvm::APSInt *I =
   SVB.getKnownValue(State, nonloc::SymbolVal(S)))

is satisfied and Loc is correctly chosen.
For Visit(S->getLHS()) nonloc::SymbolVal(S) is used instead.
Next those values will passed to SValBuilder::evalBinOp and the code path

if (Optional<Loc> RV = rhs.getAs<Loc>()) {
   // Support pointer arithmetic where the addend is on the left
   // and the pointer on the right.
  assert(op == BO_Add);
   // Commute the operands.
  return evalBinOpLN(state, op, *RV, lhs.castAs<NonLoc>(), type);
}

will be executed instead of the correct one

if (Optional<Loc> LV = lhs.getAs<Loc>()) {
  if (Optional<Loc> RV = rhs.getAs<Loc>())
    return evalBinOpLL(state, op, *LV, *RV, type);

  return evalBinOpLN(state, op, *LV, rhs.castAs<NonLoc>(), type);
}

Test plan: make check-all (green)

Diff Detail

Repository: rL LLVM

Event Timeline

alexander-shaposhnikov created this revision.Aug 9 2017, 5:21 PM

Herald added a subscriber: xazax.hun. · View Herald TranscriptAug 9 2017, 5:21 PM

alexander-shaposhnikov edited the summary of this revision. (Show Details)Aug 9 2017, 5:22 PM

alexander-shaposhnikov edited the summary of this revision. (Show Details)Aug 10 2017, 8:27 AM

zaks.anna added a reviewer: dcoughlin.Aug 10 2017, 12:57 PM

alexander-shaposhnikov edited the summary of this revision. (Show Details)Aug 10 2017, 2:04 PM

Hmm, looks correct. Thanks! I guess this problem appeared when we enabled SymSymExprs, otherwise (End - Begin) would have been UnknownVal.

NoQ accepted this revision.Aug 14 2017, 7:06 AM

This revision is now accepted and ready to land.Aug 14 2017, 7:06 AM

Closed by commit rL310887: [analyzer] Fix SimpleSValBuilder::simplifySVal (authored by alexander-shaposhnikov). · Explain WhyAug 14 2017, 2:25 PM

This revision was automatically updated to reflect the committed changes.

I suspect this might have caused http://llvm.org/PR34309. Could you take a look?

In D36564#851384, @alexfh wrote:

I suspect this might have caused http://llvm.org/PR34309. Could you take a look?

FYI, PR34309 doesn't reproduce with this patch reverted.

I see, it seems that we've constructed $x - 1 somewhere, where $x is a pointer, while such stuff normally looks as &element{SymRegion{$x}, -1}. I guess i'd have to take a more careful look at it soon.

@alexfh, thanks for letting me know, i will take a closer look at https://bugs.llvm.org/show_bug.cgi?id=34309 soon.

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Core/

SimpleSValBuilder.cpp

3 lines

test/

Analysis/

ptr-arith.cpp

7 lines

Diff 111073

cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 Lines • Show All 1,010 Lines • ▼ Show 20 Lines	public:
Simplifier(ProgramStateRef State)		Simplifier(ProgramStateRef State)
: State(State), SVB(State->getStateManager().getSValBuilder()) {}		: State(State), SVB(State->getStateManager().getSValBuilder()) {}

SVal VisitSymbolData(const SymbolData *S) {		SVal VisitSymbolData(const SymbolData *S) {
if (const llvm::APSInt *I =		if (const llvm::APSInt *I =
SVB.getKnownValue(State, nonloc::SymbolVal(S)))		SVB.getKnownValue(State, nonloc::SymbolVal(S)))
return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I)		return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I)
: (SVal)SVB.makeIntVal(*I);		: (SVal)SVB.makeIntVal(*I);
return nonloc::SymbolVal(S);		return Loc::isLocType(S->getType()) ? (SVal)SVB.makeLoc(S)
		: nonloc::SymbolVal(S);
}		}

// TODO: Support SymbolCast. Support IntSymExpr when/if we actually		// TODO: Support SymbolCast. Support IntSymExpr when/if we actually
// start producing them.		// start producing them.

SVal VisitSymIntExpr(const SymIntExpr *S) {		SVal VisitSymIntExpr(const SymIntExpr *S) {
SVal LHS = Visit(S->getLHS());		SVal LHS = Visit(S->getLHS());
SVal RHS;		SVal RHS;
▲ Show 20 Lines • Show All 43 Lines • Show Last 20 Lines

cfe/trunk/test/Analysis/ptr-arith.cpp

Show First 20 Lines • Show All 92 Lines • ▼ Show 20 Lines	void checkConditionalArray() {
int* maybeArray = getArray(0);		int* maybeArray = getArray(0);
InitState(maybeArray);		InitState(maybeArray);
}		}

void checkMultiDimansionalArray() {		void checkMultiDimansionalArray() {
int a[5][5];		int a[5][5];
((a+1)+2) = 2;		((a+1)+2) = 2;
}		}

		unsigned ptrSubtractionNoCrash(char Begin, char End) {
		auto N = End - Begin;
		if (Begin)
		return 0;
		return N;
		}