[PATCH] D59857: [analyzer] PR37501: Disable the assertion for reverse-engineering logical op short circuits.
Phabricator via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Mar 29 15:46:27 PDT 2019
This revision was automatically updated to reflect the committed changes.
Closed by commit rC357325: [analyzer] PR37501: Disable assertion for logical op short circuit evaluation. (authored by dergachev, committed by ).
Changed prior to commit:
https://reviews.llvm.org/D59857?vs=192390&id=192933#toc
Repository:
rC Clang
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D59857/new/
https://reviews.llvm.org/D59857
Files:
lib/StaticAnalyzer/Core/ExprEngineC.cpp
test/Analysis/logical-ops.c
Index: lib/StaticAnalyzer/Core/ExprEngineC.cpp
===================================================================
--- lib/StaticAnalyzer/Core/ExprEngineC.cpp
+++ lib/StaticAnalyzer/Core/ExprEngineC.cpp
@@ -627,6 +627,21 @@
void ExprEngine::VisitLogicalExpr(const BinaryOperator* B, ExplodedNode *Pred,
ExplodedNodeSet &Dst) {
+ // This method acts upon CFG elements for logical operators && and ||
+ // and attaches the value (true or false) to them as expressions.
+ // It doesn't produce any state splits.
+ // If we made it that far, we're past the point when we modeled the short
+ // circuit. It means that we should have precise knowledge about whether
+ // we've short-circuited. If we did, we already know the value we need to
+ // bind. If we didn't, the value of the RHS (casted to the boolean type)
+ // is the answer.
+ // Currently this method tries to figure out whether we've short-circuited
+ // by looking at the ExplodedGraph. This method is imperfect because there
+ // could inevitably have been merges that would have resulted in multiple
+ // potential path traversal histories. We bail out when we fail.
+ // Due to this ambiguity, a more reliable solution would have been to
+ // track the short circuit operation history path-sensitively until
+ // we evaluate the respective logical operator.
assert(B->getOpcode() == BO_LAnd ||
B->getOpcode() == BO_LOr);
@@ -648,10 +663,20 @@
ProgramPoint P = N->getLocation();
assert(P.getAs<PreStmt>()|| P.getAs<PreStmtPurgeDeadSymbols>());
(void) P;
- assert(N->pred_size() == 1);
+ if (N->pred_size() != 1) {
+ // We failed to track back where we came from.
+ Bldr.generateNode(B, Pred, state);
+ return;
+ }
N = *N->pred_begin();
}
- assert(N->pred_size() == 1);
+
+ if (N->pred_size() != 1) {
+ // We failed to track back where we came from.
+ Bldr.generateNode(B, Pred, state);
+ return;
+ }
+
N = *N->pred_begin();
BlockEdge BE = N->getLocation().castAs<BlockEdge>();
SVal X;
Index: test/Analysis/logical-ops.c
===================================================================
--- test/Analysis/logical-ops.c
+++ test/Analysis/logical-ops.c
@@ -1,4 +1,5 @@
-// RUN: %clang_analyze_cc1 -Wno-pointer-bool-conversion -analyzer-checker=core,debug.ExprInspection -verify -analyzer-config eagerly-assume=false %s
+// RUN: %clang_analyze_cc1 -w -analyzer-checker=core,debug.ExprInspection\
+// RUN: -analyzer-config eagerly-assume=false -verify %s
void clang_analyzer_eval(int);
@@ -33,7 +34,21 @@
return x >= start && x < end;
}
-int undef(void) {} // expected-warning{{control reaches end of non-void function}}
+int undef(void) {}
void useUndef(void) { 0 || undef(); }
void testPointer(void) { (void) (1 && testPointer && 0); }
+
+char *global_ap, *global_bp, *global_cp;
+void ambiguous_backtrack_1() {
+ for (;;) {
+ (global_bp - global_ap ? global_cp[global_bp - global_ap] : 0) || 1;
+ global_bp++;
+ }
+}
+
+int global_a, global_b;
+void ambiguous_backtrack_2(int x) {
+ global_a = x >= 2 ? 1 : x;
+ global_b == x && 9 || 2;
+}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: D59857.192933.patch
Type: text/x-patch
Size: 3181 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/cfe-commits/attachments/20190329/a2fe190f/attachment.bin>
More information about the cfe-commits
mailing list