Differential D48650
[analyzer] Fix constraint being dropped when analyzing a program without taint tracking enabled Authored by mikhail.ramalho on Jun 27 2018, 8:15 AM.
Details
This patch removes the constraint dropping when taint tracking is disabled. It also voids the crash reported in D28953 by treating a SymSymExpr with non pointer symbols as an opaque expression. Updated the regressions and verifying the big projects now; I'll update here when they're done. Based on the discussion on the mailing list and the patches by @ddcc.
Diff Detail
Event TimelineComment Actions +Adam because that's a lot of stuff he's interested in and his tests are affected. Do we need a complexity threshold like in the original revision?: // Use a lower bound to avoid recursive blowup, e.g. on PR24184.cpp if (V.getSymbol()->computeComplexity() > 10) ... I.e., could the same test be rewritten to cause performance problems on the current patch? Comment Actions I don't see any #ifdef for the tests. Do they pass both with and without z3? I recall needing to case out the expected test output before. Because he's not extending the SValBuilder visitors, it's possible the complexity threshold won't be a problem. But regardless, I think it would be good practice to allow runtime configuration of the complexity threshold. For reference, my stale version is D35450. I haven't rebased yet to remove the APSInt fixes that have been merged. Comment Actions Actually, one test is crashing because of D32642. The following cast in lib/StaticAnalyzer/Checkers/IteratorChecker.cpp:1168: return assumeNoOverflow(NewState, cast<SymIntExpr>(CompSym)->getLHS(), 2); A SymExpr object is reaching that call and the cast fails. Comment Actions Thank you for pointing me this! The iterator checker may have worked incorrectly (but did not crash) without your patch. Now I fixed that, it works correctly and does not crash with your patch. I added my patch as parent revision for yours. Comment Actions Just found a test where this patch removes a true positive: test/Analysis/PR37855.c. The path that leads to the second bug: n[1].node->s; // expected-warning {{Dereference of undefined pointer value}}is removed because the CSA is removing the branch where the loop termination condition node != l is false, which is the one that leads to the bug. Comment Actions
@mikhail.ramalho I don't really follow your description, could you clarify? Comment Actions Ok, this is the test: typedef struct o p;
struct o {
struct {
} s;
};
void q(*r, p2) { r < p2; }
void k(l, node) {
struct {
p *node;
} * n, *nodep, path[sizeof(void)];
path->node = l;
for (n = path; node != l;) {
q(node, n->node);
nodep = n;
}
if (nodep)
n[1].node->s; // warning: Dereference of undefined pointer value
}Without this patch, the graph shows that the bugs is found when the loop is unrolled once and terminates. When this happens, nodep contains a valid value n (which is path), so a new core.NullDereference node is created to check the expression n[1].node->s;. With this patch, since the constraints are not being dropped, it knows that neither node nor l change, so the loop doesn't terminate after the first iteration and the CSA doesn't evaluate anything after the loop. However, there is another path that triggers the bug, when node != l holds, the loop body is not evaluated and, if nodep happens to be not null, n[1].node->s is a real bug. This path is not evaluated by the CSA, I only see a core.uninitialized.branch node and the analysis stops there. Am I correct to assume that, since if (nodep) is undefined behaviour in this path (nodep is uninitialized), the static analyzer doesn't evaluate it? Comment Actions
Yeah, so once we reach if (nodep) we are already reading from an uninitialized variable, and that should be reported as a bug. Comment Actions The CSA correctly reports: arena.c:18:7: warning: Branch condition evaluates to a garbage value
if (nodep)
^~~~~but not: arena.c:19:5: warning: Dereference of undefined pointer value
n[1].node->s; // warning: Dereference of undefined pointer value
^~~~~~~~~~~~Comment Actions
That's expected, since the above error message is fatal, and the path is killed.
Comment Actions Indeed, most of them are something like conj_$2{int} == conj_$2{int} or conj_$2{int} < conj_$2{int}. Comment Actions
Yep. Even if it wasn't undefined behavior but only unspecified value, we would still interrupt the analysis because otherwise we'd just get a bunch of duplicate warnings about the same uninitialized value used all over the place.
Comment Actions Decreased default complexity threshold to 25 as it finds the same amount of bugs as 10000 in the following projects: tmux, git, openssl, postgresql, redis, sqlite3, tmux and twin. Going < 25, and a number of bugs stop being reported. Also, removed the FIXMEs from the test. Comment Actions @mikhail.ramalho Could you also state how different values affect the effectivity of refutation? Comment Actions Hi, the same bugs are removed, with threshold 25 and 10000:
With complexity 10000, however, the verification time of openSSL went from 260s to 1500s. The other were roughly the same (~20s slower at most). Comment Actions LGTM with a nit. We'll watch the bots after this is merged.
Comment Actions This commit causes an assertion failure on void foo(int a, int *b) { (int)b < a; } Run-line: clang -cc1 -analyze -analyzer-checker=core -analyzer-eagerly-assume test.c So it kinda frustrates RangeConstraintManager with a SymSymExpr that expresses a comparison between a Loc and a NonLoc symbol. I'll think a bit more on how do i want to address that. Comment Actions Earlier today I created an issue in bugzilla for this problem. | ||||||||||||||||||||||||||||||||||||||||||||