[PATCH] D35110: [Analyzer] Constraint Manager Negates Difference

Artem Dergachev via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Tue Jul 18 04:25:05 PDT 2017 

NoQ added inline comments.


================
Comment at: lib/StaticAnalyzer/Core/RangeConstraintManager.cpp:511
+           SSE->getLHS()->getType()->isSignedIntegerOrEnumerationType() ||
+           SSE->getLHS()->getType()->isPointerType()) {
+          return negV->Negate(BV, F);
----------------
baloghadamsoftware wrote:
> NoQ wrote:
> > baloghadamsoftware wrote:
> > > NoQ wrote:
> > > > Pointer types are currently treated as unsigned, so i'm not sure you want them here.
> > > For me it seems that pointer differences are still pointer types and they are signed. (The range becomes negative upon negative assumption. From test `ptr-arith.c`:
> > > 
> > > ```
> > > void use_symbols(int *lhs, int *rhs) {
> > >   clang_analyzer_eval(lhs < rhs); // expected-warning{{UNKNOWN}}
> > >   if (lhs < rhs)
> > >     return;
> > >   clang_analyzer_eval(lhs < rhs); // expected-warning{{FALSE}}
> > > 
> > >   clang_analyzer_eval(lhs - rhs); // expected-warning{{UNKNOWN}}
> > >   if ((lhs - rhs) != 5)
> > >     return;
> > >   clang_analyzer_eval((lhs - rhs) == 5); // expected-warning{{TRUE}}
> > > }
> > > ```
> > > 
> > > If I put `clang_analyzer_printState()` into the empty line in the middle, I get the following range for the difference: `[-9223372036854775808, 0]`. If I replace `int*` with `unsigned`, this range becomes `[0, 0]`, so `int*` is handled as a signed type here.
> > Umm, yeah, i was wrong.
> > 
> > *looks closer*
> > 
> > `T` is the type of the difference, right? I don't think i'd expect pointer type as the type of the difference.
> > 
> > Could you add test cases for pointers if you intend to support them (and maybe for unsigned types)?
> I do not know exactly the type, but if I remove the `T->isPointerType()` condition the test in `ptr_arith.c` will fail with `UNKNOWN`. So the type of the difference is a type that returns `true` from `T->isPointerType()`.
> 
> Pointer tests are already there in `ptr_arith.c`. Should I duplicate them?
I don't see any failing tests when i remove `T->isPointerType()`.

Also this shouldn't be system-specific, because the target triple is hardcoded in `ptr-arith.c` runline.

Could you point out which test is failing and dump the type in question (`-ast-dump`, or `Type->dump()`, or `llvm::errs() << QualType::getAsString()`, or whatever)?


https://reviews.llvm.org/D35110

More information about the cfe-commits mailing list