This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
cfe/trunk/
-
trunk/
-
lib/StaticAnalyzer/Checkers/
-
StaticAnalyzer/
-
Checkers/
-
BuiltinFunctionChecker.cpp
-
test/Analysis/
-
Analysis/
-
builtin-functions.cpp

Differential D60110

[analyzer] When failing to evaluate a __builtin_constant_p, presume it's false.
ClosedPublic

Authored by NoQ on Apr 1 2019, 7:45 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
xazax.hun
a_sidorin
rnkovacs
mikhail.ramalho
Szelethus
baloghadamsoftware
Charusso

Commits

rGf7887d41cbd7: [analyzer] When failing to evaluate a __builtin_constant_p, presume it's false.
rC357557: [analyzer] When failing to evaluate a __builtin_constant_p, presume it's false.
rL357557: [analyzer] When failing to evaluate a __builtin_constant_p, presume it's false.

Summary

__builtin_constant_p(x) is a compiler builtin that evaluates to 1 when its argument x is a compile-time constant and to 0 otherwise. In CodeGen it is simply lowered to the respective LLVM intrinsic. In the Analyzer we've been trying to delegate modeling to Expr::EvaluateAsInt, which can sometimes fail simply because the expression is too complicated.

When it fails, let's conservatively return false. The behavior of this builtin is so unpredictable (in fact, it even depends on optimization level) that any code that's using the builtin should expect anything except maybe a concrete integer to be described by it as "not a constant". Therefore, returning "false" when we're unsure is unlikely to trigger weird execution paths in the code, while returning "unknown (potentially true)" may do so. Which is something i've just seen on some real-world code within a weird macro expansion that tries to emulate compile-time assertions in C by declaring arrays of size -1 when it fails, which triggers the VLA checker to warn if "-1" wasn't in fact a constant. Something like this:

if (__builtin_constant_p((p == 0))) { // EvaluateAsInt returns Unknown here.
  char __compile_time_assert__[((p == 0)) ? 1 : -1]; // Warning: array of size -1.
  (void)__compile_time_assert__;
}

Diff Detail

Repository: rL LLVM

Event Timeline

NoQ created this revision.Apr 1 2019, 7:45 PM

Herald added a project: Restricted Project. · View Herald TranscriptApr 1 2019, 7:45 PM

Herald added subscribers: cfe-commits, jdoerfert, dkrupp and 4 others. · View Herald Transcript

LGTM!

This revision is now accepted and ready to land.Apr 2 2019, 4:40 AM

Closed by commit rL357557: [analyzer] When failing to evaluate a __builtin_constant_p, presume it's false. (authored by NoQ). · Explain WhyApr 2 2019, 6:54 PM

This revision was automatically updated to reflect the committed changes.

Herald added a project: Restricted Project. · View Herald TranscriptApr 2 2019, 6:54 PM

Herald added a subscriber: llvm-commits. · View Herald Transcript

Revision Contents

Path

Size

cfe/

trunk/

lib/

StaticAnalyzer/

Checkers/

BuiltinFunctionChecker.cpp

10 lines

test/

Analysis/

builtin-functions.cpp

9 lines

Diff 193412

cfe/trunk/lib/StaticAnalyzer/Checkers/BuiltinFunctionChecker.cpp

Show First 20 Lines • Show All 94 Lines • ▼ Show 20 Lines	case Builtin::BI__builtin_alloca: {
return true;		return true;
}		}

case Builtin::BI__builtin_dynamic_object_size:		case Builtin::BI__builtin_dynamic_object_size:
case Builtin::BI__builtin_object_size:		case Builtin::BI__builtin_object_size:
case Builtin::BI__builtin_constant_p: {		case Builtin::BI__builtin_constant_p: {
// This must be resolvable at compile time, so we defer to the constant		// This must be resolvable at compile time, so we defer to the constant
// evaluator for a value.		// evaluator for a value.
		SValBuilder &SVB = C.getSValBuilder();
SVal V = UnknownVal();		SVal V = UnknownVal();
Expr::EvalResult EVResult;		Expr::EvalResult EVResult;
if (CE->EvaluateAsInt(EVResult, C.getASTContext(), Expr::SE_NoSideEffects)) {		if (CE->EvaluateAsInt(EVResult, C.getASTContext(), Expr::SE_NoSideEffects)) {
// Make sure the result has the correct type.		// Make sure the result has the correct type.
llvm::APSInt Result = EVResult.Val.getInt();		llvm::APSInt Result = EVResult.Val.getInt();
SValBuilder &SVB = C.getSValBuilder();
BasicValueFactory &BVF = SVB.getBasicValueFactory();		BasicValueFactory &BVF = SVB.getBasicValueFactory();
BVF.getAPSIntType(CE->getType()).apply(Result);		BVF.getAPSIntType(CE->getType()).apply(Result);
V = SVB.makeIntVal(Result);		V = SVB.makeIntVal(Result);
}		}

		if (FD->getBuiltinID() == Builtin::BI__builtin_constant_p) {
		// If we didn't manage to figure out if the value is constant or not,
		// it is safe to assume that it's not constant and unsafe to assume
		// that it's constant.
		if (V.isUnknown())
		V = SVB.makeIntVal(0, CE->getType());
		}

C.addTransition(state->BindExpr(CE, LCtx, V));		C.addTransition(state->BindExpr(CE, LCtx, V));
return true;		return true;
}		}
}		}
}		}

void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {		void ento::registerBuiltinFunctionChecker(CheckerManager &mgr) {
mgr.registerChecker<BuiltinFunctionChecker>();		mgr.registerChecker<BuiltinFunctionChecker>();
}		}

bool ento::shouldRegisterBuiltinFunctionChecker(const LangOptions &LO) {		bool ento::shouldRegisterBuiltinFunctionChecker(const LangOptions &LO) {
return true;		return true;
}		}

cfe/trunk/test/Analysis/builtin-functions.cpp

	Show First 20 Lines • Show All 59 Lines • ▼ Show 20 Lines
	void g(int i) {			void g(int i) {
	if (i > 5) {			if (i > 5) {
	__builtin_assume(i < 5);			__builtin_assume(i < 5);
	clang_analyzer_warnIfReached(); // Assumtion contradicts constraints.			clang_analyzer_warnIfReached(); // Assumtion contradicts constraints.
	// We give up the analysis on this path.			// We give up the analysis on this path.
	}			}
	}			}

	void test_constant_p() {			void test_constant_p(void *ptr) {
	int i = 1;			int i = 1;
	const int j = 2;			const int j = 2;
	constexpr int k = 3;			constexpr int k = 3;
	clang_analyzer_eval(__builtin_constant_p(42) == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(42) == 1); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(i) == 0); // expected-warning {{UNKNOWN}}			clang_analyzer_eval(__builtin_constant_p(i) == 0); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(j) == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(j) == 1); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(k) == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(k) == 1); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(i + 42) == 0); // expected-warning {{UNKNOWN}}			clang_analyzer_eval(__builtin_constant_p(i + 42) == 0); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(j + 42) == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(j + 42) == 1); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(k + 42) == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(k + 42) == 1); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(" ") == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(" ") == 1); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(test_constant_p) == 0); // expected-warning {{UNKNOWN}}			clang_analyzer_eval(__builtin_constant_p(test_constant_p) == 0); // expected-warning {{TRUE}}
	clang_analyzer_eval(__builtin_constant_p(k - 3) == 0); // expected-warning {{FALSE}}			clang_analyzer_eval(__builtin_constant_p(k - 3) == 0); // expected-warning {{FALSE}}
	clang_analyzer_eval(__builtin_constant_p(k - 3) == 1); // expected-warning {{TRUE}}			clang_analyzer_eval(__builtin_constant_p(k - 3) == 1); // expected-warning {{TRUE}}
				clang_analyzer_eval(__builtin_constant_p(ptr == 0)); // expected-warning {{FALSE}}
	}			}