This is an archive of the discontinued LLVM Phabricator instance.

Differential D49768

[analyzer] Removed API used by the Refutation Manager from SMTConstraintManager and replace by proper calls to SMTSolver
ClosedPublic

Authored by mikhail.ramalho on Jul 24 2018, 4:31 PM.

Details

Reviewers
NoQ
george.karpenkov
Commits
rG5c3d032e70a8: [analyzer] Removed API used by the Refutation Manager from SMTConstraintManager…
rL337922: [analyzer] Removed API used by the Refutation Manager from SMTConstraintManager…
rC337922: [analyzer] Removed API used by the Refutation Manager from SMTConstraintManager…
Summary

Third patch in the refactoring series, to decouple the SMT Solver from the Refutation Manager (1st: D49668, 2nd: D49767).

The refutation API in the SMTConstraintManager was a hack to allow us to create an SMT solver and verify the constraints; it was conceptually wrong from the start. Now, we don't actually need to use the SMTConstraintManager and can create an SMT object directly, add the constraints and check them.

While updating the Falsification visitor, I inlined the two functions that were used to collect the constraints and add them to the solver.

As a result of this patch, we could move the SMT API elsewhere and as it's not really dependent on the CSA anymore. Maybe we can create a new dir (utils/smt) for Z3 and future solvers?

Diff Detail

Repository
rC Clang

Event Timeline

mikhail.ramalho created this revision.Jul 24 2018, 4:31 PM
Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptJul 24 2018, 4:31 PM
mikhail.ramalho added a parent revision: D49767: [analyzer] Moved code from SMTConstraintManager to SMTSolver.Jul 24 2018, 4:31 PM
mikhail.ramalho added a child revision: D49769: [analyzer] Use the macro REGISTER_TRAIT_WITH_PROGRAMSTATE in the Z3 backend.Jul 24 2018, 4:45 PM
george.karpenkov accepted this revision.Jul 24 2018, 4:47 PM
george.karpenkov added inline comments.
lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp
1053

not sure whether it makes sense to return nullptr vs. crashing.

This revision is now accepted and ready to land.Jul 24 2018, 4:47 PM
mikhail.ramalho added inline comments.Jul 24 2018, 5:03 PM
lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp
1053

True, I got it from CreateZ3ConstraintManager. Should I remove it from both?

george.karpenkov added inline comments.Jul 24 2018, 5:05 PM
lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp
1053

if it was there before, let's leave it for now

Closed by commit rC337922: [analyzer] Removed API used by the Refutation Manager from SMTConstraintManager… (authored by mramalho). · Explain WhyJul 25 2018, 5:50 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptJul 25 2018, 5:50 AM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
8 lines
2 lines
lib/
StaticAnalyzer/
Core/
63 lines
25 lines
13 lines

Diff 157251

include/clang/StaticAnalyzer/Core/PathSensitive/SMTConstraintManager.h

Show First 20 LinesShow All 48 Lines▼ Show 20 Linespublic:
// Implementation for interface from ConstraintManager. // Implementation for interface from ConstraintManager.
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
ConditionTruthVal checkNull(ProgramStateRef State, SymbolRef Sym) override; ConditionTruthVal checkNull(ProgramStateRef State, SymbolRef Sym) override;
const llvm::APSInt *getSymVal(ProgramStateRef State, const llvm::APSInt *getSymVal(ProgramStateRef State,
SymbolRef Sym) const override; SymbolRef Sym) const override;
/// Converts the ranged constraints of a set of symbols to SMT
///
/// \param CR The set of constraints.
void addRangeConstraints(clang::ento::ConstraintRangeTy CR);
/// Checks if the added constraints are satisfiable
clang::ento::ConditionTruthVal isModelFeasible();
/// Dumps SMT formula /// Dumps SMT formula
LLVM_DUMP_METHOD void dump() const { Solver->dump(); } LLVM_DUMP_METHOD void dump() const { Solver->dump(); }
protected: protected:
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
// Internal implementation. // Internal implementation.
//===------------------------------------------------------------------===// //===------------------------------------------------------------------===//
Show All 17 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/SMTSolver.h

Show First 20 LinesShow All 948 Lines▼ Show 20 Linespublic:
/// Reset the solver and remove all constraints. /// Reset the solver and remove all constraints.
virtual void reset() const = 0; virtual void reset() const = 0;
virtual void print(raw_ostream &OS) const = 0; virtual void print(raw_ostream &OS) const = 0;
}; };
using SMTSolverRef = std::shared_ptr<SMTSolver>; using SMTSolverRef = std::shared_ptr<SMTSolver>;
std::unique_ptr<SMTSolver> CreateZ3Solver();
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif #endif

lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 2,364 Lines▼ Show 20 LinesTaintBugVisitor::VisitNode(const ExplodedNode *N, const ExplodedNode *PrevN,
PathDiagnosticLocation L = PathDiagnosticLocation L =
PathDiagnosticLocation::createBegin(S, BRC.getSourceManager(), NCtx); PathDiagnosticLocation::createBegin(S, BRC.getSourceManager(), NCtx);
if (!L.isValid() || !L.asLocation().isValid()) if (!L.isValid() || !L.asLocation().isValid())
return nullptr; return nullptr;
return std::make_shared<PathDiagnosticEventPiece>(L, "Taint originated here"); return std::make_shared<PathDiagnosticEventPiece>(L, "Taint originated here");
} }
static bool areConstraintsUnfeasible(BugReporterContext &BRC,
const ConstraintRangeTy &Cs) {
// Create a refutation manager
std::unique_ptr<ConstraintManager> RefutationMgr = CreateZ3ConstraintManager(
BRC.getStateManager(), BRC.getStateManager().getOwningEngine());
SMTConstraintManager *SMTRefutationMgr =
static_cast<SMTConstraintManager *>(RefutationMgr.get());
// Add constraints to the solver
SMTRefutationMgr->addRangeConstraints(Cs);
// And check for satisfiability
return SMTRefutationMgr->isModelFeasible().isConstrainedFalse();
}
static void addNewConstraints(ConstraintRangeTy &Cs,
const ConstraintRangeTy &NewCs,
ConstraintRangeTy::Factory &CF) {
// Add constraints if we don't have them yet
for (auto const &C : NewCs) {
const SymbolRef &Sym = C.first;
if (!Cs.contains(Sym)) {
Cs = CF.add(Cs, Sym, C.second);
}
}
}
FalsePositiveRefutationBRVisitor::FalsePositiveRefutationBRVisitor() FalsePositiveRefutationBRVisitor::FalsePositiveRefutationBRVisitor()
: Constraints(ConstraintRangeTy::Factory().getEmptyMap()) {} : Constraints(ConstraintRangeTy::Factory().getEmptyMap()) {}
void FalsePositiveRefutationBRVisitor::finalizeVisitor( void FalsePositiveRefutationBRVisitor::finalizeVisitor(
BugReporterContext &BRC, const ExplodedNode *EndPathNode, BugReport &BR) { BugReporterContext &BRC, const ExplodedNode *EndPathNode, BugReport &BR) {
// Collect new constraints // Collect new constraints
VisitNode(EndPathNode, nullptr, BRC, BR); VisitNode(EndPathNode, nullptr, BRC, BR);
// Create a new refutation manager and check feasibility // Create a refutation manager
if (areConstraintsUnfeasible(BRC, Constraints)) std::unique_ptr<SMTSolver> RefutationSolver = CreateZ3Solver();
ASTContext &Ctx = BRC.getASTContext();
// Add constraints to the solver
for (const auto &I : Constraints) {
SymbolRef Sym = I.first;
SMTExprRef Constraints = RefutationSolver->fromBoolean(false);
for (const auto &Range : I.second) {
Constraints = RefutationSolver->mkOr(
Constraints,
RefutationSolver->getRangeExpr(Ctx, Sym, Range.From(), Range.To(),
/*InRange=*/true));
}
RefutationSolver->addConstraint(Constraints);
}
// And check for satisfiability
if (RefutationSolver->check().isConstrainedFalse())
BR.markInvalid("Infeasible constraints", EndPathNode->getLocationContext()); BR.markInvalid("Infeasible constraints", EndPathNode->getLocationContext());
} }
std::shared_ptr<PathDiagnosticPiece> std::shared_ptr<PathDiagnosticPiece>
FalsePositiveRefutationBRVisitor::VisitNode(const ExplodedNode *N, FalsePositiveRefutationBRVisitor::VisitNode(const ExplodedNode *N,
const ExplodedNode *PrevN, const ExplodedNode *PrevN,
BugReporterContext &BRC, BugReporterContext &BRC,
BugReport &BR) { BugReport &BR) {
// Collect new constraints // Collect new constraints
addNewConstraints(Constraints, N->getState()->get<ConstraintRange>(), const ConstraintRangeTy &NewCs = N->getState()->get<ConstraintRange>();
N->getState()->get_context<ConstraintRange>()); ConstraintRangeTy::Factory &CF =
N->getState()->get_context<ConstraintRange>();
// Add constraints if we don't have them yet
for (auto const &C : NewCs) {
const SymbolRef &Sym = C.first;
if (!Constraints.contains(Sym)) {
Constraints = CF.add(Constraints, Sym, C.second);
}
}
return nullptr; return nullptr;
} }
void FalsePositiveRefutationBRVisitor::Profile( void FalsePositiveRefutationBRVisitor::Profile(
llvm::FoldingSetNodeID &ID) const { llvm::FoldingSetNodeID &ID) const {
static int Tag = 0; static int Tag = 0;
ID.AddPointer(&Tag); ID.AddPointer(&Tag);
} }

lib/StaticAnalyzer/Core/SMTConstraintManager.cpp

Show All 9 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/SMTConstraintManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SMTConstraintManager.h"
#include "clang/Basic/TargetInfo.h" #include "clang/Basic/TargetInfo.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
void SMTConstraintManager::addRangeConstraints(ConstraintRangeTy CR) {
ASTContext &Ctx = getBasicVals().getContext();
Solver->reset();
for (const auto &I : CR) {
SymbolRef Sym = I.first;
SMTExprRef Constraints = Solver->fromBoolean(false);
for (const auto &Range : I.second) {
SMTExprRef SymRange = Solver->getRangeExpr(Ctx, Sym, Range.From(),
Range.To(), /*InRange=*/true);
// FIXME: the last argument (isSigned) is not used when generating the
// or expression, as both arguments are booleans
Constraints =
Solver->fromBinOp(Constraints, BO_LOr, SymRange, /*IsSigned=*/true);
}
Solver->addConstraint(Constraints);
}
}
clang::ento::ConditionTruthVal SMTConstraintManager::isModelFeasible() {
return Solver->check();
}
ProgramStateRef SMTConstraintManager::assumeSym(ProgramStateRef State, ProgramStateRef SMTConstraintManager::assumeSym(ProgramStateRef State,
SymbolRef Sym, SymbolRef Sym,
bool Assumption) { bool Assumption) {
ASTContext &Ctx = getBasicVals().getContext(); ASTContext &Ctx = getBasicVals().getContext();
QualType RetTy; QualType RetTy;
bool hasComparison; bool hasComparison;
▲ Show 20 LinesShow All 155 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp

Show First 20 LinesShow All 926 Lines▼ Show 20 Linespublic:
void reset() const override { Z3_solver_reset(Context.Context, Solver); } void reset() const override { Z3_solver_reset(Context.Context, Solver); }
void print(raw_ostream &OS) const override { void print(raw_ostream &OS) const override {
OS << Z3_solver_to_string(Context.Context, Solver); OS << Z3_solver_to_string(Context.Context, Solver);
} }
}; // end class Z3Solver }; // end class Z3Solver
class Z3ConstraintManager : public SMTConstraintManager { class Z3ConstraintManager : public SMTConstraintManager {
SMTSolverRef Solver = std::make_shared<Z3Solver>(); SMTSolverRef Solver = CreateZ3Solver();
public: public:
Z3ConstraintManager(SubEngine *SE, SValBuilder &SB) Z3ConstraintManager(SubEngine *SE, SValBuilder &SB)
: SMTConstraintManager(SE, SB, Solver) {} : SMTConstraintManager(SE, SB, Solver) {}
void addStateConstraints(ProgramStateRef State) const override { void addStateConstraints(ProgramStateRef State) const override {
// TODO: Don't add all the constraints, only the relevant ones // TODO: Don't add all the constraints, only the relevant ones
ConstraintZ3Ty CZ = State->get<ConstraintZ3>(); ConstraintZ3Ty CZ = State->get<ConstraintZ3>();
▲ Show 20 LinesShow All 94 Lines▼ Show 20 Lines void print(ProgramStateRef St, raw_ostream &OS, const char *nl,
OS << nl; OS << nl;
} }
}; // end class Z3ConstraintManager }; // end class Z3ConstraintManager
} // end anonymous namespace } // end anonymous namespace
#endif #endif
std::unique_ptr<SMTSolver> clang::ento::CreateZ3Solver() {
#if CLANG_ANALYZER_WITH_Z3
return llvm::make_unique<Z3Solver>();
#else
llvm::report_fatal_error("Clang was not compiled with Z3 support, rebuild "
"with -DCLANG_ANALYZER_BUILD_Z3=ON",
false);
return nullptr;
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

not sure whether it makes sense to return nullptr vs. crashing.

george.karpenkov: not sure whether it makes sense to return `nullptr` vs. crashing.
mikhail.ramalhoAuthorUnsubmitted
Not Done
ReplyInline Actions

True, I got it from CreateZ3ConstraintManager. Should I remove it from both?

mikhail.ramalho: True, I got it from `CreateZ3ConstraintManager`. Should I remove it from both?
george.karpenkovUnsubmitted
Not Done
ReplyInline Actions

if it was there before, let's leave it for now

george.karpenkov: if it was there before, let's leave it for now
#endif
}
std::unique_ptr<ConstraintManager> std::unique_ptr<ConstraintManager>
ento::CreateZ3ConstraintManager(ProgramStateManager &StMgr, SubEngine *Eng) { ento::CreateZ3ConstraintManager(ProgramStateManager &StMgr, SubEngine *Eng) {
#if CLANG_ANALYZER_WITH_Z3 #if CLANG_ANALYZER_WITH_Z3
return llvm::make_unique<Z3ConstraintManager>(Eng, StMgr.getSValBuilder()); return llvm::make_unique<Z3ConstraintManager>(Eng, StMgr.getSValBuilder());
#else #else
llvm::report_fatal_error("Clang was not compiled with Z3 support, rebuild " llvm::report_fatal_error("Clang was not compiled with Z3 support, rebuild "
"with -DCLANG_ANALYZER_BUILD_Z3=ON", "with -DCLANG_ANALYZER_BUILD_Z3=ON",
false); false);
return nullptr; return nullptr;
#endif #endif
} }