This is an archive of the discontinued LLVM Phabricator instance.

Differential D99343

[Analyzer] Infer 0 value when the divisible is 0 (bug fix)
ClosedPublic

Authored by martong on Mar 25 2021, 8:06 AM.

Details

Reviewers
steakhal
NoQ
vsavchenko
Szelethus
Commits
rG015c39882ebc: [Analyzer] Infer 0 value when the divisible is 0 (bug fix)
Summary

Currently, we infer 0 if the divisible of the modulo op is 0:

int a = x < 0; // a can be 0
int b = a % y; // b is either 1 % sym or 0

However, we don't when the op is / :

int a = x < 0; // a can be 0
int b = a / y; // b is either 1 / sym or 0 / sym

This commit fixes the discrepancy.

Diff Detail

Event Timeline

martong created this revision.Mar 25 2021, 8:06 AM
Herald added subscribers: ASDenysPetrov, Charusso, gamesh411 and 9 others. · View Herald TranscriptMar 25 2021, 8:06 AM
martong requested review of this revision.Mar 25 2021, 8:06 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 25 2021, 8:06 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added a child revision: D99344: [Analyzer] Track RValue expressions.Mar 25 2021, 8:09 AM
martong added inline comments.Mar 25 2021, 8:12 AM
clang/test/Analysis/zero-operands.c
44

Note, this is the test that fails without this fix.

The preceding tests are here to demonstrate the current functionality with the other multiplicative operands and will be good for regression testing.

vsavchenko accepted this revision.Mar 25 2021, 8:17 AM

Looks great!

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
655

I think we should either add: // 0 / x == 0 or modify the comment for BO_Rem

This revision is now accepted and ready to land.Mar 25 2021, 8:17 AM
Harbormaster completed remote builds in B95696: Diff 333308.Mar 25 2021, 9:38 AM
martong marked an inline comment as done.Mar 25 2021, 10:25 AM

Thanks for the review!

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
655

Okay, I added the new comment.

Closed by commit rG015c39882ebc: [Analyzer] Infer 0 value when the divisible is 0 (bug fix) (authored by martong). · Explain WhyMar 25 2021, 10:25 AM
This revision was automatically updated to reflect the committed changes.
martong marked an inline comment as done.
martong added a commit: rG015c39882ebc: [Analyzer] Infer 0 value when the divisible is 0 (bug fix).
vsavchenko added a comment.Mar 25 2021, 10:25 AM

Awesome! Thanks!

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
2 lines
test/
Analysis/
53 lines

Diff 333341

clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

Show First 20 LinesShow All 646 Lines▼ Show 20 Lines case nonloc::ConcreteIntKind: {
if (LHSValue.isAllOnesValue() && LHSValue.isSigned()) if (LHSValue.isAllOnesValue() && LHSValue.isSigned())
return evalCastFromNonLoc(lhs, resultTy); return evalCastFromNonLoc(lhs, resultTy);
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
case BO_Shl: case BO_Shl:
// 0<<a and 0>>a // 0<<a and 0>>a
if (LHSValue == 0) if (LHSValue == 0)
return evalCastFromNonLoc(lhs, resultTy); return evalCastFromNonLoc(lhs, resultTy);
return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); return makeSymExprValNN(op, InputLHS, InputRHS, resultTy);
case BO_Div:
vsavchenkoUnsubmitted
Done
ReplyInline Actions

I think we should either add: // 0 / x == 0 or modify the comment for BO_Rem

vsavchenko: I think we should either add: `// 0 / x == 0` or modify the comment for `BO_Rem`
martongAuthorUnsubmitted
Done
ReplyInline Actions

Okay, I added the new comment.

martong: Okay, I added the new comment.
// 0 / x == 0
case BO_Rem: case BO_Rem:
// 0 % x == 0 // 0 % x == 0
if (LHSValue == 0) if (LHSValue == 0)
return makeZeroVal(resultTy); return makeZeroVal(resultTy);
LLVM_FALLTHROUGH; LLVM_FALLTHROUGH;
default: default:
return makeSymExprValNN(op, InputLHS, InputRHS, resultTy); return makeSymExprValNN(op, InputLHS, InputRHS, resultTy);
} }
▲ Show 20 LinesShow All 702 LinesShow Last 20 Lines

clang/test/Analysis/zero-operands.c

  • This file was added.
// RUN: %clang_analyze_cc1 -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -verify %s
void clang_analyzer_dump(int);
void test_0_multiplier1(int x, int y) {
int a = x < 0; // Eagerly bifurcate.
clang_analyzer_dump(a);
// expected-warning@-1{{0 S32b}}
// expected-warning@-2{{1 S32b}}
int b = a * y;
clang_analyzer_dump(b);
// expected-warning@-1{{0 S32b}}
// expected-warning-re@-2{{reg_${{[[:digit:]]+}}<int y>}}
}
void test_0_multiplier2(int x, int y) {
int a = x < 0; // Eagerly bifurcate.
clang_analyzer_dump(a);
// expected-warning@-1{{0 S32b}}
// expected-warning@-2{{1 S32b}}
int b = y * a;
clang_analyzer_dump(b);
// expected-warning@-1{{0 S32b}}
// expected-warning-re@-2{{reg_${{[[:digit:]]+}}<int y>}}
}
void test_0_modulo(int x, int y) {
int a = x < 0; // Eagerly bifurcate.
clang_analyzer_dump(a);
// expected-warning@-1{{0 S32b}}
// expected-warning@-2{{1 S32b}}
int b = a % y;
clang_analyzer_dump(b);
// expected-warning@-1{{0 S32b}}
// expected-warning-re@-2{{1 % (reg_${{[[:digit:]]+}}<int y>)}}
}
void test_0_divisible(int x, int y) {
int a = x < 0; // Eagerly bifurcate.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Note, this is the test that fails without this fix.

The preceding tests are here to demonstrate the current functionality with the other multiplicative operands and will be good for regression testing.

martong: Note, this is the test that fails without this fix. The preceding tests are here to…
clang_analyzer_dump(a);
// expected-warning@-1{{0 S32b}}
// expected-warning@-2{{1 S32b}}
int b = a / y;
clang_analyzer_dump(b);
// expected-warning@-1{{0 S32b}}
// expected-warning-re@-2{{1 / (reg_${{[[:digit:]]+}}<int y>)}}
}