[cfe-commits] r163444 - in /cfe/trunk: lib/StaticAnalyzer/Core/ProgramState.cpp lib/StaticAnalyzer/Core/SymbolManager.cpp test/Analysis/traversal-path-unification.c

Ted Kremenek kremenek at apple.com
Sun Sep 9 13:38:38 PDT 2012 

I'm now wondering if this is correct.  If it is possible for a symbol to get conjured a second time along a path, even after all the original bindings are gone, then dropping the constraints is the wrong thing to do.  That said, we could address such issues by ensuring that a particular symbol (when applicable) stays live outside of losing all references to it.

On Sep 7, 2012, at 6:24 PM, Jordan Rose <jordan_rose at apple.com> wrote:

> Author: jrose
> Date: Fri Sep  7 20:24:53 2012
> New Revision: 163444
> 
> URL: http://llvm.org/viewvc/llvm-project?rev=163444&view=rev
> Log:
> [analyzer] Remove constraints on dead symbols as part of removeDeadBindings.
> 
> Previously, we'd just keep constraints around forever, which means we'd
> never be able to merge paths that differed only in constraints on dead
> symbols.
> 
> Because we now allow constraints on symbolic expressions, not just single
> symbols, this requires changing SymExpr::symbol_iterator to include
> intermediate symbol nodes in its traversal, not just the SymbolData leaf
> nodes.
> 
> Added:
>    cfe/trunk/test/Analysis/traversal-path-unification.c
> Modified:
>    cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
>    cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp
> 
> Modified: cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp?rev=163444&r1=163443&r2=163444&view=diff
> ==============================================================================
> --- cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp (original)
> +++ cfe/trunk/lib/StaticAnalyzer/Core/ProgramState.cpp Fri Sep  7 20:24:53 2012
> @@ -106,8 +106,9 @@
>                                                    SymReaper);
>   NewState.setStore(newStore);
>   SymReaper.setReapedStore(newStore);
> -  
> -  return getPersistentState(NewState);
> +
> +  ProgramStateRef Result = getPersistentState(NewState);
> +  return ConstraintMgr->removeDeadBindings(Result, SymReaper);
> }
> 
> ProgramStateRef ProgramStateManager::MarshalState(ProgramStateRef state,
> @@ -697,7 +698,9 @@
>   bool Tainted = false;
>   for (SymExpr::symbol_iterator SI = Sym->symbol_begin(), SE =Sym->symbol_end();
>        SI != SE; ++SI) {
> -    assert(isa<SymbolData>(*SI));
> +    if (!isa<SymbolData>(*SI))
> +      continue;
> +    
>     const TaintTagType *Tag = get<TaintMap>(*SI);
>     Tainted = (Tag && *Tag == Kind);
> 
> 
> Modified: cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp?rev=163444&r1=163443&r2=163444&view=diff
> ==============================================================================
> --- cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp (original)
> +++ cfe/trunk/lib/StaticAnalyzer/Core/SymbolManager.cpp Fri Sep  7 20:24:53 2012
> @@ -117,21 +117,17 @@
> 
> SymExpr::symbol_iterator::symbol_iterator(const SymExpr *SE) {
>   itr.push_back(SE);
> -  while (!isa<SymbolData>(itr.back())) expand();
> }
> 
> SymExpr::symbol_iterator &SymExpr::symbol_iterator::operator++() {
>   assert(!itr.empty() && "attempting to iterate on an 'end' iterator");
> -  assert(isa<SymbolData>(itr.back()));
> -  itr.pop_back();
> -  if (!itr.empty())
> -    while (!isa<SymbolData>(itr.back())) expand();
> +  expand();
>   return *this;
> }
> 
> SymbolRef SymExpr::symbol_iterator::operator*() {
>   assert(!itr.empty() && "attempting to dereference an 'end' iterator");
> -  return cast<SymbolData>(itr.back());
> +  return itr.back();
> }
> 
> void SymExpr::symbol_iterator::expand() {
> 
> Added: cfe/trunk/test/Analysis/traversal-path-unification.c
> URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/traversal-path-unification.c?rev=163444&view=auto
> ==============================================================================
> --- cfe/trunk/test/Analysis/traversal-path-unification.c (added)
> +++ cfe/trunk/test/Analysis/traversal-path-unification.c Fri Sep  7 20:24:53 2012
> @@ -0,0 +1,21 @@
> +// RUN: %clang_cc1 -analyze -analyzer-checker=core,debug.DumpTraversal %s | FileCheck %s
> +
> +int a();
> +int b();
> +int c();
> +
> +void testRemoveDeadBindings() {
> +  int i = a();
> +  if (i)
> +    a();
> +  else
> +    b();
> +
> +  // At this point the symbol bound to 'i' is dead.
> +  // The effects of a() and b() are identical (they both invalidate globals).
> +  // We should unify the two paths here and only get one end-of-path node.
> +  c();
> +}
> +
> +// CHECK: --END PATH--
> +// CHECK-NOT: --END PATH--
> \ No newline at end of file
> 
> 
> _______________________________________________
> cfe-commits mailing list
> cfe-commits at cs.uiuc.edu
> http://lists.cs.uiuc.edu/mailman/listinfo/cfe-commits

More information about the cfe-commits mailing list