[PATCH] D86874: [analyzer] Fix ArrayBoundCheckerV2 false positive regarding size_t indexer

Balázs Benics via Phabricator via cfe-commits cfe-commits at lists.llvm.org
Fri Sep 4 03:16:32 PDT 2020


steakhal added a comment.

In D86874#2255990 <https://reviews.llvm.org/D86874#2255990>, @martong wrote:

> Hi Balázs,
>
> Since reviews.llvm.org is offline, I am sending my comments below, inline.
> Thanks for your huge effort in explaining all this!
>
> Overall, I have a feeling that this approach targets only one specific
> case, which is fine. But I believe we should think about all the other
> possible cases, so we could get rid of other false positives too:
>
> 1. In case of multidimensional arrays, there may be a symbolic value in any dimension.

Yes, obviously - but it's not a problem. See my next comment.

> 2. What if there are more symbolic values in the dimensions.

It stops the //simplification// process on the very first `SymExpr` which is not a `SymIntExpr`. This //simplification// is done on a //best effort// basis only.

Another interesting fact is that we don't generate nested `ElementRegion`s too frequently, so we don't have to deal with //"What if there are more symbolic values in the dimensions."// :D
The last two lines of the following example are particularly interesting; I'm curious why we do that.

Let's see some examples:

  // Declaration added so the file compiles as-is; the analyzer's debug.ExprInspection
  // checker implements it. Run with:
  //   clang --analyze -Xclang -analyzer-checker=debug.ExprInspection file.c
  void clang_analyzer_dump(int *p);
  
  void foo(int x, int y) {
    int buf[10][3];
    clang_analyzer_dump(&buf[1][2]);   // &Element{Element{buf,1 S64b,int [3]},2 S64b,int}
    clang_analyzer_dump(&buf[1][y]);   // Unknown
    clang_analyzer_dump(&buf[x][2]);   // &Element{Element{buf,reg_$1<int x>,int [3]},2 S64b,int}
    clang_analyzer_dump(&buf[x][y]);   // Unknown
    clang_analyzer_dump(&buf[1][y+1]); // Unknown
    clang_analyzer_dump(&buf[x][y+1]); // Unknown
    clang_analyzer_dump(&buf[x+1][2]); // &Element{Element{buf,(reg_$1<int x>) + 1,int [3]},2 S64b,int}
    clang_analyzer_dump(&buf[1+x][2]); // &Element{Element{buf,(reg_$1<int x>) + 1,int [3]},2 S64b,int}
    clang_analyzer_dump(&buf[x+1][y+2]); // Unknown
  
    // Another surprise is that if we assign the pointer value to a variable, we get different results...
    int *p = &buf[1][x+1];
    clang_analyzer_dump(p);            // &SymRegion{conj_$2{int *, LC1, S1740, #1}}
    clang_analyzer_dump(&buf[1][x+1]); // Unknown
  }


Repository:
  rG LLVM Github Monorepo

CHANGES SINCE LAST ACTION
  https://reviews.llvm.org/D86874/new/

https://reviews.llvm.org/D86874


