This is an archive of the discontinued LLVM Phabricator instance.

Differential D43741

[Analyzer] More accurate modeling about the increment operator of the operand with type bool.
ClosedPublic

Authored by MTC on Feb 25 2018, 6:05 AM.

Details

Reviewers
alexander-shaposhnikov
NoQ
dcoughlin
george.karpenkov
Commits
rGe47b89d1f866: [Analyzer] More accurate modeling about the increment operator of the operand…
rL326776: [Analyzer] More accurate modeling about the increment operator of the operand…
rC326776: [Analyzer] More accurate modeling about the increment operator of the operand…
Summary

There is a problem with analyzer that a wrong value is given when modeling the increment operator of the operand with type bool. After rL307604 is applied, a unsigned overflow may occur.

Example:

void func() {
  bool b = true;
  // unsigned overflow occur, 2 -> 0 U1b
  b++;
}

The use of an operand of type bool with the ++ operators is deprecated but valid untill C++17. And if the operand of the increment operator is of type bool, it is set to true.

This patch includes two parts:

  • If the operand of the increment operator is of type bool or type _Bool, set to true.
  • Modify BasicValueFactory::getTruthValue(), use getIntWidth() instead getTypeSize() and use unsigned instead signed.

Diff Detail

Repository
rL LLVM

Event Timeline

MTC created this revision.Feb 25 2018, 6:05 AM
Herald added a reviewer: george.karpenkov. · View Herald TranscriptFeb 25 2018, 6:05 AM
Herald added subscribers: cfe-commits, a.sidorin, szepet, xazax.hun. · View Herald Transcript
alexander-shaposhnikov added a comment.Mar 1 2018, 11:20 PM

i see, but just in case - what about the decrement operator ?

MTC added a comment.Mar 2 2018, 2:28 AM
In D43741#1024949, @alexshap wrote:

i see, but just in case - what about the decrement operator ?

@alexshap, If I'm not wrong, decrement operation is not allowed on bool type in C++98 and C++14.

5.2.6 Increment and decrement [expr.post.incr]
The operand of postfix -- is decremented analogously to the postfix ++ operator, except that the operand
shall not be of type bool. [ Note: For prefix increment and decrement, see 5.3.2. — end note ]

NoQ added a comment.Mar 2 2018, 2:16 PM

Nice catch, thanks!

lib/StaticAnalyzer/Core/ExprEngineC.cpp
1078–1080 ↗(On Diff #135820)

untill seems to be deprecated in favor of until.

1082 ↗(On Diff #135820)

Doesn't isBooleanType() imply CPlusPlus? I guess we need to see if it works in Objective-C++ as well.

test/Analysis/bool.cpp
65 ↗(On Diff #135820)

dump() exposes too much internals, we try to only use it for debugging, not for tests.

Would eg. clang_analyzer_eval(b == 1) be enough?

MTC updated this revision to Diff 136901.Mar 3 2018, 3:20 AM
  • If the operand of the ++ operator is of type _Bool, also set to true.
  • Add test file _Bool-increment-decement.c.
MTC added a comment.Mar 3 2018, 3:22 AM

Thank you for your review, @NoQ!

  • isBooleanType() is used to check _Bool in C99/C11 and bool in C++. For _Bool , there is the same overflow problem.
  • In C++98/C++11/C++14, for ++bool and bool+, both sets true directly.
  • In C++, --bool and bool-- is illeagal.
  • In C99/C11 standard, there is not much information about _Bool++ and _Bool--.

From the implementation of the compiler, _Bool++ and _Bool-- are divided into the following situations.

  • _Bool b = 0; b++; // b -> 1
  • _Bool b = 1; b++; // b -> 1
  • _Bool b = 0; b--; // b -> 1
  • _Bool b = 1; b--; // b -> 0

So it's reasonable to set to true if the operand of the increment operator is of type _Bool, just my opinion.

I not familiar with Objective-C++, can you provide a appropriate test about Objective-C++ for me, thank you!

And I'm not a native speaker of English, the grammar of the comments may not be correct. If so, please correct me, thanks!

MTC marked an inline comment as done.Mar 3 2018, 3:23 AM
NoQ accepted this revision.Mar 5 2018, 2:01 PM

LGTM, thank you for the fix!

I not familiar with Objective-C++, can you provide a appropriate test about Objective-C++ for me, thank you!

Now that the explicit check and the respective code path is removed, i don't think we should explicitly test it.

And I'm not a native speaker of English

Same here, i guess.

test/Analysis/_Bool-increment-decrement.c
1–2 ↗(On Diff #136901)

We don't write -analyzer-store=region these days because that's the default value and it's unlikely that anybody would ever care.

This revision is now accepted and ready to land.Mar 5 2018, 2:01 PM
MTC updated this revision to Diff 137154.Mar 6 2018, 4:25 AM

Remove the default configuration -analyzer-store=region in the test file.

MTC edited the summary of this revision. (Show Details)Mar 6 2018, 4:28 AM
Closed by commit rC326776: [Analyzer] More accurate modeling about the increment operator of the operand… (authored by henrywong). · Explain WhyMar 6 2018, 4:34 AM
Closed by commit rL326776: [Analyzer] More accurate modeling about the increment operator of the operand… (authored by henrywong). · Explain Why
This revision was automatically updated to reflect the committed changes.
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptMar 6 2018, 4:34 AM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
2 lines
lib/
StaticAnalyzer/
Core/
11 lines
test/
Analysis/
140 lines
84 lines

Diff 137158

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/BasicValueFactory.h

Show First 20 LinesShow All 205 Lines▼ Show 20 Lines const llvm::APSInt &getZeroWithPtrWidth(bool isUnsigned = true) {
return getValue(0, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned); return getValue(0, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned);
} }
const llvm::APSInt &getIntWithPtrWidth(uint64_t X, bool isUnsigned) { const llvm::APSInt &getIntWithPtrWidth(uint64_t X, bool isUnsigned) {
return getValue(X, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned); return getValue(X, Ctx.getTypeSize(Ctx.VoidPtrTy), isUnsigned);
} }
const llvm::APSInt &getTruthValue(bool b, QualType T) { const llvm::APSInt &getTruthValue(bool b, QualType T) {
return getValue(b ? 1 : 0, Ctx.getTypeSize(T), false); return getValue(b ? 1 : 0, Ctx.getIntWidth(T), true);
} }
const llvm::APSInt &getTruthValue(bool b) { const llvm::APSInt &getTruthValue(bool b) {
return getTruthValue(b, Ctx.getLogicalOperationType()); return getTruthValue(b, Ctx.getLogicalOperationType());
} }
const CompoundValData *getCompoundValData(QualType T, const CompoundValData *getCompoundValData(QualType T,
llvm::ImmutableList<SVal> Vals); llvm::ImmutableList<SVal> Vals);
▲ Show 20 LinesShow All 48 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/ExprEngineC.cpp

Show First 20 LinesShow All 1,060 Lines▼ Show 20 Lines for (ExplodedNodeSet::iterator I=Tmp.begin(), E=Tmp.end();I!=E;++I) {
// Handle all other values. // Handle all other values.
BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub; BinaryOperator::Opcode Op = U->isIncrementOp() ? BO_Add : BO_Sub;
// If the UnaryOperator has non-location type, use its type to create the // If the UnaryOperator has non-location type, use its type to create the
// constant value. If the UnaryOperator has location type, create the // constant value. If the UnaryOperator has location type, create the
// constant with int type and pointer width. // constant with int type and pointer width.
SVal RHS; SVal RHS;
SVal Result;
if (U->getType()->isAnyPointerType()) if (U->getType()->isAnyPointerType())
RHS = svalBuilder.makeArrayIndex(1); RHS = svalBuilder.makeArrayIndex(1);
else if (U->getType()->isIntegralOrEnumerationType()) else if (U->getType()->isIntegralOrEnumerationType())
RHS = svalBuilder.makeIntVal(1, U->getType()); RHS = svalBuilder.makeIntVal(1, U->getType());
else else
RHS = UnknownVal(); RHS = UnknownVal();
SVal Result = evalBinOp(state, Op, V2, RHS, U->getType()); // The use of an operand of type bool with the ++ operators is deprecated
// but valid until C++17. And if the operand of the ++ operator is of type
// bool, it is set to true until C++17. Note that for '_Bool', it is also
// set to true when it encounters ++ operator.
if (U->getType()->isBooleanType() && U->isIncrementOp())
Result = svalBuilder.makeTruthVal(true, U->getType());
else
Result = evalBinOp(state, Op, V2, RHS, U->getType());
// Conjure a new symbol if necessary to recover precision. // Conjure a new symbol if necessary to recover precision.
if (Result.isUnknown()){ if (Result.isUnknown()){
DefinedOrUnknownSVal SymVal = DefinedOrUnknownSVal SymVal =
svalBuilder.conjureSymbolVal(nullptr, U, LCtx, svalBuilder.conjureSymbolVal(nullptr, U, LCtx,
currBldrCtx->blockCount()); currBldrCtx->blockCount());
Result = SymVal; Result = SymVal;
// If the value is a location, ++/-- should always preserve // If the value is a location, ++/-- should always preserve
// non-nullness. Check if the original value was non-null, and if so // non-nullness. Check if the original value was non-null, and if so
// propagate that constraint. // propagate that constraint.
if (Loc::isLocType(U->getType())) { if (Loc::isLocType(U->getType())) {
DefinedOrUnknownSVal Constraint = DefinedOrUnknownSVal Constraint =
svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType())); svalBuilder.evalEQ(state, V2,svalBuilder.makeZeroVal(U->getType()));
if (!state->assume(Constraint, true)) { if (!state->assume(Constraint, true)) {
// It isn't feasible for the original value to be null. // It isn't feasible for the original value to be null.
// Propagate this constraint. // Propagate this constraint.
Constraint = svalBuilder.evalEQ(state, SymVal, Constraint = svalBuilder.evalEQ(state, SymVal,
svalBuilder.makeZeroVal(U->getType())); svalBuilder.makeZeroVal(U->getType()));
state = state->assume(Constraint, false); state = state->assume(Constraint, false);
assert(state); assert(state);
} }
} }
} }
// Since the lvalue-to-rvalue conversion is explicit in the AST, // Since the lvalue-to-rvalue conversion is explicit in the AST,
// we bind an l-value if the operator is prefix and an lvalue (in C++). // we bind an l-value if the operator is prefix and an lvalue (in C++).
Show All 13 Lines

cfe/trunk/test/Analysis/_Bool-increment-decrement.c

// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection -verify -std=c99 -Dbool=_Bool -Dtrue=1 -Dfalse=0 %s
// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection -verify -std=c11 -Dbool=_Bool -Dtrue=1 -Dfalse=0 %s
extern void clang_analyzer_eval(bool);
void test__Bool_value() {
{
bool b = true;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = false;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
}
{
bool b = -10;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 10;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 10;
b++;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 0;
b++;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
}
void test__Bool_increment() {
{
bool b = true;
b++;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = false;
b++;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = true;
++b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = false;
++b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 0;
++b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 10;
++b;
++b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = -10;
++b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = -1;
++b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
}
void test__Bool_decrement() {
{
bool b = true;
b--;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
}
{
bool b = false;
b--;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = true;
--b;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
}
{
bool b = false;
--b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 0;
--b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 10;
--b;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
--b;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = -10;
--b;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
}
{
bool b = 1;
--b;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
}
}

cfe/trunk/test/Analysis/bool-increment.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection -verify -std=c++98 -Wno-deprecated %s
// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection -verify -std=c++11 -Wno-deprecated %s
// RUN: %clang_analyze_cc1 -analyzer-checker=debug.ExprInspection -verify -std=c++14 -Wno-deprecated %s
extern void clang_analyzer_eval(bool);
void test_bool_value() {
{
bool b = true;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = false;
clang_analyzer_eval(b == 0); // expected-warning{{TRUE}}
}
{
bool b = -10;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 10;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 10;
b++;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
{
bool b = 0;
b++;
clang_analyzer_eval(b == 1); // expected-warning{{TRUE}}
}
}
void test_bool_increment() {
{
bool b = true;
b++;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
{
bool b = false;
b++;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
{
bool b = true;
++b;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
{
bool b = false;
++b;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
{
bool b = 0;
++b;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
{
bool b = 10;
++b;
++b;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
{
bool b = -10;
++b;
clang_analyzer_eval(b); // expected-warning{{TRUE}}
}
}