[cfe-dev] [Analyzer] ArrayBoundCheckerV2: Why the analyzer add the constraint `Idx < ArraySize` after element access?

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Wed Jul 11 12:00:55 PDT 2018

If 'x' is 100 or greater, it'd mean that undefined behavior has already 
occured, and it's pointless to explore that path further.

Same with 'x' being less than 0, so the checker should have added that 
as well.

So i believe that this is a valid behavior. A similar approach is taken 
by, say, DivZeroChecker that refutes the "y == 0" patch after "x / y" is 
evaluated. NullDereferenceChecker also assumes that all dereferenced 
pointers are non-null.

If they can prove that the operation is indeed unsafe on the current 
path, then the assumption would fail, and these checkers would report a 
warning instead.

What sort of problem are you having with these assumptions? Why are they 
affecting your checker? With constraints it shouldn't normally ever be 
an issue, because adding constraints doesn't really "mutate" the program 
state, it just "clarifies" it.

On 7/11/18 3:27 AM, Henry Wong via cfe-dev wrote:
> Hi all,
> For the code below, the `ArrayBoundCheckerV2` will add the constraint 
> `x < 100` after the `buf[x] = 1`, see https://reviews.llvm.org/D23112.
> ```
> void test_assume_after_access(unsigned long x) {
>     int buf[100];
>     buf[x] = 1;
>     clang_analyzer_eval(x <= 99); // expected-warning{{TRUE}}
> }
> ```
> 1.What is the purpose for doing this?
> 2. why not add `x >= 0` as well?
> I used`checkLocation()`, same as `ArrayBoundCheckerV2`, in my own 
> checker too. Due to the uncertain calling order, I got the wrong 
> constraints on `x` in my own checker. That's why I pay attention to 
> this problem.
> Thanks in advance!
> Henry Wong
> Qihoo 360 Codesafe Team
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20180711/ff8f9aa6/attachment.html>

More information about the cfe-dev mailing list