[PATCH] D28953: [analyzer] Eliminate analyzer limitations on symbolic constraint generation

Anna Zaks via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Wed Jun 14 16:09:51 PDT 2017

zaks.anna added inline comments.

Comment at: lib/StaticAnalyzer/Core/SValBuilder.cpp:356
                                    QualType ResultTy) {
-  if (!State->isTainted(RHS) && !State->isTainted(LHS))
-    return UnknownVal();
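
Review bot: Deleting the `isTainted` check directly after the function's opening brace leaves no early exit visible in this hunk, so the cheap `return UnknownVal();` path is gone for every caller, not only for those that can consume the symbolic expression. Consider keeping the early return behind an explicit condition, with a comment stating when building the expression is worthwhile.
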
I am concerned that removing the guard will regress performance in the vanilla case. (Note that Z3 support as well as taint are not on by default.)

I am curious how much of the regression you've measured could be gained back if we make this conditional.

Comment at: lib/StaticAnalyzer/Core/SValBuilder.cpp:363
   // instead of generating an Unknown value and propagate the taint info to it.
-  const unsigned MaxComp = 10000; // 100000 28X
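
Review bot: The removed `MaxComp` line carried an unexplained trailing comment (`// 100000 28X`), and the context comment above it still explains the limit only in terms of propagating taint info. If a new limit replaces it, make it a named constant with a comment saying what it bounds and how the value was chosen, and update the surrounding comment if the limit no longer applies only to the taint case.
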
Reducing the MaxComp is going to regress taint analysis.

> I've updated this revision to account for the recent SVal simplification commit by @NoQ, 

Which commit introduced the regression?

> but now there is an exponential blowup problem that prevents testcase PR24184.cpp from terminating, 

What triggers the regression? Removing the if statement above? Does the regression only affect the Z3 "mode" (I am guessing not since you said "due to an interaction between Simplifier::VisitNonLocSymbolVal() and SValBuilder::makeSymExprValNN()")?

