This is an archive of the discontinued LLVM Phabricator instance.

Differential D80117

[analyzer] Introduce reasoning about symbolic remainder operator
Closed · Public

Authored by vsavchenko on May 18 2020, 4:20 AM.

Details

Reviewers

NoQ
dcoughlin
xazax.hun
ASDenysPetrov

Commits

rG73c120a9895a: [analyzer] Introduce reasoning about symbolic remainder operator

Summary

New logic tries to narrow possible result values of the remainder operation
based on its operands and their ranges. It also tries to be conservative
with negative operands because according to the standard the sign of
the result is implementation-defined.
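
The narrowing described in the summary can be modelled outside the analyzer. The following is a simplified sketch of that logic for signed operands only, using plain 64-bit integers instead of `llvm::APSInt` and `RangeSet`. The names `Interval`, `RemResult`, `symmetrical` and `inferRemainder` are illustrative and do not appear in the patch, and the sketch assumes the lower bound of the divisor range is not the minimum 64-bit value.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>

// Closed interval [From, To] of signed values (illustrative type).
struct Interval {
  std::int64_t From;
  std::int64_t To;
};

// Result of the inference; Feasible is false when the divisor is known to be 0.
struct RemResult {
  bool Feasible;
  Interval R;
};

// Smallest [-X, X] that covers R. Assumes R.From is not INT64_MIN.
Interval symmetrical(Interval R) {
  std::int64_t AbsMax = std::max(-R.From, R.To);
  return {-AbsMax, AbsMax};
}

// Conservative range for LHS % RHS, following the structure of the patch.
RemResult inferRemainder(Interval LHS, Interval RHS) {
  Interval Conservative = symmetrical(RHS);
  std::int64_t Min = Conservative.From;
  std::int64_t Max = Conservative.To;

  // The divisor can only be zero: the operation is undefined.
  if (Max == 0)
    return {false, {0, 0}};

  // |LHS % RHS| is strictly smaller than the largest |RHS|, so the open
  // interval (Min, Max) becomes the closed interval [Min + 1, Max - 1].
  ++Min;
  --Max;

  if (LHS.From >= 0 && RHS.From >= 0) {
    // The remainder cannot exceed the dividend.
    Max = std::min(LHS.To, Max);
    // If every LHS value is below every RHS value, LHS % RHS == LHS.
    Min = LHS.To < RHS.From ? LHS.From : 0;
  }
  return {true, {Min, Max}};
}
```

With `LHS = [4, 4]` and `RHS = [10, 30]` the sketch yields `[4, 4]`, which corresponds to the `(4 % a) == 4` expectation in constant-folding.c; with `LHS = [40, 40]` and `RHS = [-30, -10]` it yields `[-29, 29]`.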

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

vsavchenko created this revision. · May 18 2020, 4:20 AM

Herald added a project: Restricted Project. · May 18 2020, 4:20 AM

Herald added subscribers: cfe-commits, martong, Charusso and 8 others.

Harbormaster failed remote builds in B57048: Diff 264582! · May 18 2020, 5:20 AM

vsavchenko added a parent revision: D79434: [analyzer] Generalize bitwise AND rules for ranges. · May 18 2020, 5:29 AM

Here is a proof in Z3:
https://gist.github.com/SavchenkoValeriy/559ca923b050f2c01e340c1be543b7e0

Rebase

Harbormaster completed remote builds in B57061: Diff 264605. · May 18 2020, 8:02 AM

Here is a short summary of the performance testing I conducted across a bunch of open-source projects:

                vim      git      tmux      redis      cmake    pytorch    bitcoin   protobuf
Time (before)   20m56s   18m41s   11m40s    1h15m34s   30m34s   6h35m18s   9m27s     6m03s
Time (after)    22m16s   19m58s   29m52s    1h17m32s   33m03s   9h46m41s   9m33s     6m03s
Delta           +6.4%    +6.9%    +155.8%   +2.6%      +8.1%    +48.4%     -1.1%     +0.1%

Time (before) was measured on a commit before any of my solver changes.

This shows that performance tweaks discussed in various TODOs are indeed required to reduce the hit.

NoQ added inline comments. · May 18 2020, 8:30 AM

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
504	`(Origin.From() + 1).isMinSignedValue()` is another sufficient condition(?)
507	You mean zero, right?

vsavchenko marked 2 inline comments as done. · May 18 2020, 8:39 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
504	I'm sorry, I don't quite get which cases this check covers. Can you please explain what you have in mind?
507	No, not always. It still can be signed at this point.

NoQ added inline comments. · May 18 2020, 8:55 AM

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
507	Ok, so i misunderstood. This function computes the range of `abs($x)` aka `|$x|` given the range for `$x`, right?

vsavchenko marked an inline comment as done. · May 18 2020, 9:13 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
507	I guess I should fix my comments (and maybe the name of this function). This function finds the absolute maximum, i.e. the value `C` such that `|$x| <= C`, and returns the range `[-C, C]` for signed `$x`s and `[0, C]` for unsigned `$x`s. So this new range is guaranteed to include the original range.

NoQ added inline comments. · May 18 2020, 9:19 AM

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
504	Aha, ok, nvm, a different issue then: for the range `[INT_MIN + 1, INT_MAX]`, the correct answer should be `[INT_MIN + 1, INT_MAX]` (which is `[-C, C]` for `C = INT_MAX`) rather than `[INT_MIN, INT_MAX]`.

Fix code review remarks.

xazax.hun added inline comments. · May 19 2020, 5:38 AM

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
686	I wonder if we actually need this? I vaguely recall that we are doing a lot of simplifications while building symbolic expressions. I would be surprised if this identity is not handled there. (And in that case, this should probably be added there.) Or we might need a comment to explain why we need this simplification in both places.

Harbormaster failed remote builds in B57193: Diff 264863! · May 19 2020, 6:28 AM

@vsavchenko
I've made some assumptions.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
504–514	I think you should swap the `if` statements. I'll explain. Suppose the input is a uint8 range [42, 242]: you will return [0, 242] in the second `if`. But if the input is a uint8 range [128, 242], you will return [0, 255] in the first `if`, because 128 has the same binary representation as -128 (INT8_MIN), so the condition in the first `if` would be true. What is the great difference between [42, 242] and [128, 242] that they should have different results? Or have you just missed this case? P.S. I think your function's name doesn't fit its body, since an absolute value is by definition non-negative, but your output range may contain negative values. You'd better write an explanation above the function and rename it.
526	As for me, the last reason fully covers the previous special cases, so you can omit those and thus simplify the comment.
712	Please extend the comment to explain why we should move the bounds towards zero at all.
737	Is it OK to return this range set when one of the operands (or both) is negative, given that this range set can vary between implementations?
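
The uint8 case raised in the comment on lines 504–514 can be reproduced in isolation. The following is a minimal sketch, not the analyzer's code: it models an 8-bit value by its raw bits and shows that a sign-agnostic "minimum signed value" test also fires for the unsigned value 128. `U8Range`, `hasMinSignedBitPattern`, `widenNaive` and `widenUnsignedFirst` are hypothetical names used only for illustration.

```cpp
#include <cassert>
#include <cstdint>

// Closed range of unsigned 8-bit values (illustrative type).
struct U8Range {
  std::uint8_t From;
  std::uint8_t To;
};

// Stand-in for a bit-pattern check that ignores signedness:
// true when only the top bit is set (0x80 == 128 == bits of INT8_MIN).
bool hasMinSignedBitPattern(std::uint8_t Bits) { return Bits == 0x80; }

// Bit-pattern test first: an unsigned range starting at 128 is widened
// to the whole type, although nothing about it is special.
U8Range widenNaive(U8Range R) {
  if (hasMinSignedBitPattern(R.From))
    return {0, 255};
  return {0, R.To};
}

// Signedness handled first: an unsigned range always becomes [0, To].
U8Range widenUnsignedFirst(U8Range R) { return {0, R.To}; }
```

Under these assumptions `widenNaive` gives `[0, 242]` for `[42, 242]` but `[0, 255]` for `[128, 242]`, while `widenUnsignedFirst` gives `[0, 242]` for both.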

Move 0 % x case to SValBuilder

vsavchenko marked 5 inline comments as done. · May 27 2020, 9:10 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
504–514	That is a valid point, I will add this test and change this behaviour! The name is indeed confusing; do you have any ideas about what would be more appropriate?
526	I really want to be clear about the first two cases to explain why this works for any sign of `From` and `To`.
686	Yeah, we don't do it in `SValBuilder`, but it is definitely a better place for that particular case. I'll move it.
712	Good point!
737	Yes, it is a conservative range for any operand ranges, because only the sign of the result is implementation-specific.
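
The claim in the reply to line 737 can be checked by brute force on a small type. The sketch below is an illustration rather than part of the patch: it assumes C++11 or later, where integer division truncates toward zero, and it keeps the 8-bit operands in `int` so that no intermediate overflow occurs. The function names are hypothetical.

```cpp
#include <cassert>
#include <cstdlib>

// True if, for every pair of 8-bit signed operands with a non-zero divisor,
// the remainder R = A % B satisfies -(|B| - 1) <= R <= |B| - 1.
bool remainderStaysWithinDivisorMagnitude() {
  for (int A = -128; A <= 127; ++A) {
    for (int B = -128; B <= 127; ++B) {
      if (B == 0)
        continue; // division by zero is undefined behaviour
      int R = A % B;
      int Bound = std::abs(B) - 1;
      if (R < -Bound || R > Bound)
        return false;
    }
  }
  return true;
}

// True if every non-zero remainder has the sign of the dividend, which is
// what truncating division implies.
bool remainderSignFollowsDividend() {
  for (int A = -128; A <= 127; ++A) {
    for (int B = -128; B <= 127; ++B) {
      if (B == 0)
        continue;
      int R = A % B;
      if (R != 0 && (R < 0) != (A < 0))
        return false;
    }
  }
  return true;
}
```

The first check is the property the symmetrical range relies on: whatever the sign of the result, its magnitude stays below the largest magnitude of the divisor.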

Harbormaster failed remote builds in B58061: Diff 266551! · May 27 2020, 9:11 AM

vsavchenko marked an inline comment as done. · May 27 2020, 9:11 AM

Fix code review remarks

vsavchenko marked 3 inline comments as done. · May 27 2020, 10:02 AM

vsavchenko marked an inline comment as done.

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
504–514	@NoQ, @ASDenysPetrov what do you think about this name instead (i.e. `getSymmetricalRange`)?

Harbormaster failed remote builds in B58075: Diff 266586! · May 27 2020, 10:50 AM

Performance-wise, I've investigated the huge slowdowns on tmux and pytorch.

The pytorch build produces a lot of warnings and simply trashed my terminal. I guess that on one run it had more trouble displaying all that output than on the other. Here is a table with the new times:

                pytorch
Time (before)   2h21m33s
Time (after)    2h19m23s
Delta           -1.5%

As you can see, these numbers are way smaller than the original ones.

tmux is a much smaller project, so I decided to run it 20 times for each case.

The "after" configuration consistently shows slower runtimes, but the overall difference (for median times) is only +3%.

I believe that as of now we can submit these modifications as is and explore performance optimizations later if needed.

Aha, so the performance regressions on real code weren't real, that's a relief :)

> I believe that as of now we can submit these modifications as is and explore performance optimizations later if needed.

I still encourage you to explore the tests we have from our previous attempts to simplify expressions recursively without memoization (test/Analysis/hangs.c). I'm asking because these aren't all that artificial: this kind of code was previously reported by a frustrated user as "the analyzer started hanging on my code". Like, please replace a bunch of +es with &/|/% and see if this causes your code to perform exponentially over the size of the program. If so, i'd rather have us hurry up and implement memoization.

The math in this patch looks great, thanks!

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
506–507	I suggest not trying to express signed types and unsigned types in a single formula; the reader will have to unwrap it back into the two cases anyway in order to understand what's going on. The following would imho be easier to read: "If T is signed, return the smallest range `[-x..x]` that covers the original range, or `[min(T), max(T)]` if the aforementioned symmetric range doesn't exist due to the original range covering `min(T)`. If T is unsigned, return the smallest range `[0..x]` that covers the original range".
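
The two cases in the suggested wording can be written down directly. This is a minimal sketch on fixed-width integers rather than on `llvm::APSInt`, so it is only an approximation of what `getSymmetricalRange` does in the patch; `SignedRange`, `UnsignedRange`, `symmetricalSigned` and `symmetricalUnsigned` are illustrative names.

```cpp
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <limits>

// Closed intervals over 32-bit values (illustrative types).
struct SignedRange {
  std::int32_t From;
  std::int32_t To;
};
struct UnsignedRange {
  std::uint32_t From;
  std::uint32_t To;
};

// Signed case: smallest [-X, X] covering R, or the full range of the type
// when R contains the minimum value, whose negation is not representable.
SignedRange symmetricalSigned(SignedRange R) {
  const std::int32_t Min = std::numeric_limits<std::int32_t>::min();
  const std::int32_t Max = std::numeric_limits<std::int32_t>::max();
  if (R.From == Min)
    return {Min, Max};
  // R.From > Min here, so negating it cannot overflow.
  std::int32_t AbsMax = std::max<std::int32_t>(-R.From, R.To);
  return {-AbsMax, AbsMax};
}

// Unsigned case: smallest [0, X] covering R.
UnsignedRange symmetricalUnsigned(UnsignedRange R) { return {0, R.To}; }
```

For the range `[INT_MIN + 1, INT_MAX]` discussed earlier in the review, the signed sketch returns the range unchanged, since `-(INT_MIN + 1) == INT_MAX`.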

This revision is now accepted and ready to land. · May 28 2020, 3:45 AM

vsavchenko marked an inline comment as done. · May 28 2020, 5:55 AM

vsavchenko added inline comments.

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
506–507	That is a perfect explanation, thanks!

In D80117#2059567, @NoQ wrote:

> > I believe that as of now we can submit these modifications as is and explore performance optimizations later if needed.

> I still encourage you to explore the tests we have from our previous attempts to simplify expressions recursively without memoization (test/Analysis/hangs.c). I'm asking because these aren't all that artificial: this kind of code was previously reported by a frustrated user as "the analyzer started hanging on my code". Like, please replace a bunch of +es with &/|/% and see if this causes your code to perform exponentially over the size of the program. If so, i'd rather have us hurry up and implement memoization.

Ok, looks like my memories on this subject are heavily messed up. The actual problem that made us hang was solved by D47155. This is a dumb bug that would have been avoided if we had memoization but it doesn't require memoization to be avoided and it doesn't look like this code risks repeating that mistake.

Then, our experience with memoization in D47402 wasn't as good as i expected; it turned out that there are other exponential parts of the analysis in such cases that we still couldn't avoid. We should probably still do it (given how difficult it is now to identify these "other parts" that are exponential, i'd rather not add more such parts consciously) but i guess it's not that much of a blocker.
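
To make the memoization concern concrete, here is a small sketch of why recursive traversal of an expression with shared operands can blow up. It is not the analyzer's symbol representation: `Expr` is a hypothetical node type that refers to its operands by index, and `buildSharedChain` builds an artificial chain in which every level uses the previous level as both operands.

```cpp
#include <cassert>
#include <cstdint>
#include <vector>

// Binary expression node; operands are indices into the node table,
// -1 means "no operand" (a leaf).
struct Expr {
  int LHS;
  int RHS;
};

// Builds Depth levels on top of one leaf; each level reuses the previous
// level for both operands. The last element is the root.
std::vector<Expr> buildSharedChain(int Depth) {
  std::vector<Expr> Nodes;
  Nodes.push_back({-1, -1});
  for (int I = 0; I < Depth; ++I) {
    int Prev = static_cast<int>(Nodes.size()) - 1;
    Nodes.push_back({Prev, Prev});
  }
  return Nodes;
}

// Plain recursion: a shared operand is revisited once per path to it.
std::uint64_t countVisitsNaive(const std::vector<Expr> &Nodes, int Root) {
  if (Root < 0)
    return 0;
  return 1 + countVisitsNaive(Nodes, Nodes[Root].LHS) +
         countVisitsNaive(Nodes, Nodes[Root].RHS);
}

// Memoized recursion: each node is processed at most once.
std::uint64_t countVisitsMemoized(const std::vector<Expr> &Nodes, int Root,
                                  std::vector<bool> &Seen) {
  if (Root < 0 || Seen[Root])
    return 0;
  Seen[Root] = true;
  return 1 + countVisitsMemoized(Nodes, Nodes[Root].LHS, Seen) +
         countVisitsMemoized(Nodes, Nodes[Root].RHS, Seen);
}
```

For a chain of depth 10 the naive traversal performs 2047 visits while the memoized one performs 11, one per node.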

Fix code review remarks

Harbormaster failed remote builds in B58239: Diff 266890! · May 28 2020, 9:16 AM

Closed by commit rG73c120a9895a: [analyzer] Introduce reasoning about symbolic remainder operator (authored by vsavchenko). · May 28 2020, 9:17 AM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path                                                       Size
clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp   99 lines
clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp        5 lines
clang/test/Analysis/PR35418.cpp                            28 lines
clang/test/Analysis/constant-folding.c                     77 lines
clang/test/Analysis/hangs.c                                196 lines
clang/test/Analysis/uninit-bug-first-iteration-init.c      27 lines

Diff 266912

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

[... 427 lines not shown ...] private:

RangeSet VisitBinaryOperator(RangeSet LHS, BinaryOperator::Opcode Op,
RangeSet RHS, QualType T) {
switch (Op) {
case BO_Or:
return VisitBinaryOperator<BO_Or>(LHS, RHS, T);
case BO_And:
return VisitBinaryOperator<BO_And>(LHS, RHS, T);
		case BO_Rem:
		return VisitBinaryOperator<BO_Rem>(LHS, RHS, T);
default:
return infer(T);
}
}

//===----------------------------------------------------------------------===//
// Ranges and operators
//===----------------------------------------------------------------------===//
[... 47 lines not shown ...] RangeSet VisitBinaryOperator(RangeSet LHS, RangeSet RHS, QualType T) {
return VisitBinaryOperator<Op>(ConvertedCoarseLHS, ConvertedCoarseRHS, T);
}

template <BinaryOperator::Opcode Op>
RangeSet VisitBinaryOperator(Range LHS, Range RHS, QualType T) {
return infer(T);
}

		/// Return a symmetrical range for the given range and type.
		///
		/// If T is signed, return the smallest range [-x..x] that covers the original
		/// range, or [min(T), max(T)] if the aforementioned symmetric range doesn't
		/// exist due to original range covering min(T).
		///
		/// If T is unsigned, return the smallest range [0..x] that covers the
		/// original range.
		Range getSymmetricalRange(Range Origin, QualType T) {
		APSIntType RangeType = ValueFactory.getAPSIntType(T);

		if (RangeType.isUnsigned()) {
		return Range(ValueFactory.getMinValue(RangeType), Origin.To());
		}

		if (Origin.From().isMinSignedValue()) {
		// If the lower bound is the minimal signed value, its absolute value is
		// greater than the maximal signed value. In order to avoid these
		// complications, we simply return the whole range.
		return {ValueFactory.getMinValue(RangeType),
		ValueFactory.getMaxValue(RangeType)};
		}

		// At this point, we are sure that the type is signed and we can safely
		// use unary - operator.
		//
		// While calculating absolute maximum, we can use the following formula
		// because of these reasons:
		// * If From >= 0 then To >= From and To >= -From.
		// AbsMax == To == max(To, -From)
		// * If To <= 0 then -From >= -To and -From >= From.
		// AbsMax == -From == max(-From, To)
		// * Otherwise, From <= 0, To >= 0, and
		// AbsMax == max(abs(From), abs(To))
		llvm::APSInt AbsMax = std::max(-Origin.From(), Origin.To());

		// Intersection is guaranteed to be non-empty.
		return {ValueFactory.getValue(-AbsMax), ValueFactory.getValue(AbsMax)};
		}

/// Return a range set subtracting zero from \p Domain.
RangeSet assumeNonZero(RangeSet Domain, QualType T) {
APSIntType IntType = ValueFactory.getAPSIntType(T);
return Domain.Intersect(ValueFactory, RangeFactory,
++IntType.getZeroValue(), --IntType.getZeroValue());
}

// FIXME: Once SValBuilder supports unary minus, we should use SValBuilder to
[... 123 lines not shown ...] if (IsLHSPositiveOrZero || IsRHSPositiveOrZero) {
return {RangeFactory, ValueFactory.getValue(Zero),
ValueFactory.getValue(Max)};
}

// Nothing much else to do here.
return infer(T);
}

		template <>
		RangeSet SymbolicRangeInferrer::VisitBinaryOperator<BO_Rem>(Range LHS,
		Range RHS,
		QualType T) {
		llvm::APSInt Zero = ValueFactory.getAPSIntType(T).getZeroValue();

		Range ConservativeRange = getSymmetricalRange(RHS, T);

		llvm::APSInt Max = ConservativeRange.To();
		llvm::APSInt Min = ConservativeRange.From();

		if (Max == Zero) {
		// It's an undefined behaviour to divide by 0 and it seems like we know
		// for sure that RHS is 0. Let's say that the resulting range is
		// simply infeasible for that matter.
		return RangeFactory.getEmptySet();
		}

		// At this point, our conservative range is closed. The result, however,
		// couldn't be greater than the RHS' maximal absolute value. Because of
		// this reason, we turn the range into open (or half-open in case of
		// unsigned integers).
		//
		// While we operate on integer values, an open interval (a, b) can be easily
		// represented by the closed interval [a + 1, b - 1]. And this is exactly
		// what we do next.
		//
		// If we are dealing with unsigned case, we shouldn't move the lower bound.
		if (Min.isSigned()) {
		++Min;
		}
		--Max;

		bool IsLHSPositiveOrZero = LHS.From() >= Zero;
		bool IsRHSPositiveOrZero = RHS.From() >= Zero;

		// Results of the remainder operator with negative operands are
		// implementation-defined. Positive cases are much easier to reason about, though.
		if (IsLHSPositiveOrZero && IsRHSPositiveOrZero) {
		// If maximal value of LHS is less than maximal value of RHS,
		// the result won't get greater than LHS.To().
		Max = std::min(LHS.To(), Max);
		// We want to check if it is a situation similar to the following:
		//
		// <------------|---[ LHS ]--------[ RHS ]----->
		// -INF         0                           +INF
		//
		// In this situation, we can conclude that (LHS / RHS) == 0 and
		// (LHS % RHS) == LHS.
		Min = LHS.To() < RHS.From() ? LHS.From() : Zero;
		}

		// Nevertheless, the symmetrical range for RHS is a conservative estimate
		// for any sign of either LHS, or RHS.
		return {RangeFactory, ValueFactory.getValue(Min), ValueFactory.getValue(Max)};
		}

class RangeConstraintManager : public RangedConstraintManager {
public:
RangeConstraintManager(ExprEngine *EE, SValBuilder &SVB)
: RangedConstraintManager(EE, SVB) {}

//===------------------------------------------------------------------===//
// Implementation for interface from ConstraintManager.
//===------------------------------------------------------------------===//

[... 459 lines not shown ...]

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

[... 646 lines not shown ...] case nonloc::ConcreteIntKind: {
if (LHSValue.isAllOnesValue() && LHSValue.isSigned())
return evalCastFromNonLoc(lhs, resultTy);
LLVM_FALLTHROUGH;
case BO_Shl:
// 0<<a and 0>>a
if (LHSValue == 0)
return evalCastFromNonLoc(lhs, resultTy);
return makeSymExprValNN(op, InputLHS, InputRHS, resultTy);
		case BO_Rem:
		// 0 % x == 0
		if (LHSValue == 0)
		return makeZeroVal(resultTy);
		LLVM_FALLTHROUGH;
default:
return makeSymExprValNN(op, InputLHS, InputRHS, resultTy);
}
}
case nonloc::SymbolValKind: {
// We only handle LHS as simple symbols or SymIntExprs.
SymbolRef Sym = lhs.castAs<nonloc::SymbolVal>().getSymbol();

[... 688 lines not shown ...]

clang/test/Analysis/PR35418.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s

				// expected-no-diagnostics

				void halt() __attribute__((__noreturn__));
				void assert(int b) {
				if (!b)
				halt();
				}

				void decode(unsigned width) {
				assert(width > 0);

				int base;
				bool inited = false;

				int i = 0;

				if (i % width == 0) {
				base = 512;
				inited = true;
				}

				base += 1; // no-warning

				if (base >> 10)
				assert(false);
				}

clang/test/Analysis/constant-folding.c

// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection -verify -analyzer-config eagerly-assume=false %s

		#define UINT_MAX (~0U)
		#define INT_MAX (int)(UINT_MAX & (UINT_MAX >> 1))
		#define INT_MIN (int)(UINT_MAX & ~(UINT_MAX >> 1))

void clang_analyzer_eval(int);

// There should be no warnings unless otherwise indicated.

void testComparisons (int a) {
// Sema can already catch the simple comparison a==a,
// since that's usually a logic error (and not path-dependent).
int b = a;
[... 158 lines not shown ...] void testBitwiseRules(unsigned int a, int b, int c) {
if (a < 10) {
clang_analyzer_eval((a | 20) >= 20); // expected-warning{{TRUE}}
}

if (a > 10) {
clang_analyzer_eval((a & 1) <= 1); // expected-warning{{TRUE}}
}
}

		void testRemainderRules(unsigned int a, unsigned int b, int c, int d) {
		// Check that we know that remainder of zero divided by any number is still 0.
		clang_analyzer_eval((0 % c) == 0); // expected-warning{{TRUE}}

		clang_analyzer_eval((10 % a) <= 10); // expected-warning{{TRUE}}

		if (a <= 30 && b <= 50) {
		clang_analyzer_eval((40 % a) < 30); // expected-warning{{TRUE}}
		clang_analyzer_eval((a % b) < 50); // expected-warning{{TRUE}}
		clang_analyzer_eval((b % a) < 30); // expected-warning{{TRUE}}

		if (a >= 10) {
		// Even though it seems like a valid assumption, it is not.
		// Check that we are not making this mistake.
		clang_analyzer_eval((a % b) >= 10); // expected-warning{{UNKNOWN}}

		// Check that we can infer when the remainder is equal
		// to the dividend.
		clang_analyzer_eval((4 % a) == 4); // expected-warning{{TRUE}}
		if (b < 7) {
		clang_analyzer_eval((b % a) < 7); // expected-warning{{TRUE}}
		}
		}
		}

		if (c > -10) {
		clang_analyzer_eval((d % c) < INT_MAX); // expected-warning{{TRUE}}
		clang_analyzer_eval((d % c) > INT_MIN + 1); // expected-warning{{TRUE}}
		}

		// Check that we can reason about signed integers when they are
		// known to be positive.
		if (c >= 10 && c <= 30 && d >= 20 && d <= 50) {
		clang_analyzer_eval((5 % c) == 5); // expected-warning{{TRUE}}
		clang_analyzer_eval((c % d) <= 30); // expected-warning{{TRUE}}
		clang_analyzer_eval((c % d) >= 0); // expected-warning{{TRUE}}
		clang_analyzer_eval((d % c) < 30); // expected-warning{{TRUE}}
		clang_analyzer_eval((d % c) >= 0); // expected-warning{{TRUE}}
		}

		if (c >= -30 && c <= -10 && d >= -20 && d <= 50) {
		// Test positive LHS with negative RHS.
		clang_analyzer_eval((40 % c) < 30); // expected-warning{{TRUE}}
		clang_analyzer_eval((40 % c) > -30); // expected-warning{{TRUE}}

		// Test negative LHS with possibly negative RHS.
		clang_analyzer_eval((-10 % d) < 50); // expected-warning{{TRUE}}
		clang_analyzer_eval((-20 % d) > -50); // expected-warning{{TRUE}}

		// Check that we don't make wrong assumptions
		clang_analyzer_eval((-20 % d) > -20); // expected-warning{{UNKNOWN}}

		// Check that we can reason about negative ranges...
		clang_analyzer_eval((c % d) < 50); // expected-warning{{TRUE}}
		/// ...both ways
		clang_analyzer_eval((d % c) < 30); // expected-warning{{TRUE}}

		if (a <= 10) {
		// Result is unsigned. This means that 'c' is cast to unsigned.
		// We don't want to reason about ranges changing boundaries with
		// conversions.
		clang_analyzer_eval((a % c) < 30); // expected-warning{{UNKNOWN}}
		}
		}

		// Check that we work correctly when minimal unsigned value from a range is
		// equal to the signed minimum for the same bit width.
		unsigned int x = INT_MIN;
		if (a >= x && a <= x + 10) {
		clang_analyzer_eval((b % a) < x + 10); // expected-warning{{TRUE}}
		}
		}

clang/test/Analysis/hangs.c

-// RUN: %clang_analyze_cc1 -analyzer-checker core -verify %s
				// RUN: %clang_analyze_cc1 -verify %s \
				// RUN: -analyzer-checker core,debug.ExprInspection
-// expected-no-diagnostics

// Stuff that used to hang.

				extern void __assert_fail(__const char *__assertion, __const char *__file,
				unsigned int __line, __const char *__function)
				__attribute__((__noreturn__));
				#define assert(expr) \
				((expr) ? (void)(0) : __assert_fail(#expr, __FILE__, __LINE__, __func__))

				void clang_analyzer_eval(int);

int g();

int f(int y) {
return y + g();
}

int produce_a_very_large_symbol(int x) {
return f(f(f(f(f(f(f(f(f(f(f(f(f(f(f(f(f(
f(f(f(f(f(f(f(f(f(f(f(f(f(f(f(x))))))))))))))))))))))))))))))));
}

void produce_an_exponentially_exploding_symbol(int x, int y) {
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
x += y; y += x + g();
}

				void produce_an_exponentially_exploding_symbol_2(int x, int y) {
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				if (x > 1) {
				if (x > 2) {
				if (x > 3) {
				if (x > 4) {
				if (x > 5) {
				if (x > 6) {
				if (x > 7) {
				if (x > 8) {
				if (x > 9) {
				if (x > 10) {
				}
				}
				}
				}
				}
				}
				}
				}
				}
				}
				}

				void produce_an_exponentially_exploding_symbol_3(int x, int y) {
				assert(0 < x && x < 10);
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				x &= y;
				y &= x & g();
				clang_analyzer_eval(0 < x && x < 10); // expected-warning{{TRUE}}
				// expected-warning@-1{{FALSE}}
				}

clang/test/Analysis/uninit-bug-first-iteration-init.c

This file was added.

				// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s

				// rdar://problem/44978988
				// expected-no-diagnostics

				int foo();

				int gTotal;

				double bar(int start, int end) {
				int i, cnt, processed, size;
				double result, inc;

				result = 0;
				processed = start;
				size = gTotal * 2;
				cnt = (end - start + 1) * size;

				for (i = 0; i < cnt; i += 2) {
				if ((i % size) == 0) {
				inc = foo();
				processed++;
				}
				result += inc * inc; // no-warning
				}
				return result;
				}
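One reading of why this test expects no diagnostics: whenever the loop body runs, `size` is nonzero (otherwise `cnt` would be 0), and on the first iteration `i` is 0, so `(i % size) == 0` holds and `inc` is assigned before it is read. The sketch below checks that claim at run time. The function name and the `total` parameter (standing in for `gTotal`) are hypothetical and not part of the patch.

```c
/* Hypothetical check: returns 1 if the loop from the test would read 'inc'
   before any assignment to it, and 0 otherwise. */
int reads_uninitialized_inc(int start, int end, int total) {
  int size = total * 2;
  int cnt = (end - start + 1) * size;
  int inc_initialized = 0;

  /* If size == 0 then cnt == 0, so the body (and the '%') never executes. */
  for (int i = 0; i < cnt; i += 2) {
    if ((i % size) == 0)
      inc_initialized = 1; /* corresponds to 'inc = foo();' */
    if (!inc_initialized)
      return 1;            /* corresponds to reading 'inc' uninitialized */
  }
  return 0;
}
```

For small inputs such as `reads_uninitialized_inc(0, 1, 2)` the function returns 0, consistent with the `// no-warning` annotation in the test.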

Revision Contents

Diff 266912
