[PATCH] D49074: [Analyzer] [WIP] Basic support for multiplication and division in the constraint manager

Mon Jul 9 05:19:18 PDT 2018

baloghadamsoftware created this revision.
baloghadamsoftware added reviewers: NoQ, dcoughlin.
Herald added subscribers: mikhail.ramalho, a.sidorin, szepet.
Herald added a reviewer: george.karpenkov.

Currently, the default (range-based) constrain manager supports symbolic expressions of the format "symbol + integer" or "symbol - integer" to compare them to another integer. However, multiplication and division is not supported yet.

An example where this lack of support causes false positives is the following:

  unsigned size = 32;
  int init(int *s);
  void assert(int);
  static void test(void)
  {
    int val;
    if (size>10 && size<=100){
       for (unsigned j = 0; j<size/2; j++)
        init(&val);
       assert((int) (val == 1));  //False positive: val may be uninitialized
    }
  }

In this example the loop executes at least 5 times, but the analyzer cannot deduce this so it assumes that it may be completely skipped, since it cannot reason about `size/2` even if it knows that size has a range of (10..100] which is [11..100] among integers.

This patch solves this problem by introducing support for symbols such as "symbol * integer" or "symbol / integer". In this patch only positive integers are supported. On the long-term our goal is to extend this support to more generic first-degree symbolic expressions, e.g. "symbol * integer + another integer".

https://reviews.llvm.org/D49074

Files:
  include/clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h
  lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
  lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
  test/Analysis/constraint_manager_scale.c

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D49074.154578.patch
Type: text/x-patch
Size: 27201 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20180709/1bfb42a7/attachment-0001.bin>