[llvm-bugs] [Bug 37855] New: [Analyzer][Z3] Wrong comparison operation being generated from ranged constraint

via llvm-bugs llvm-bugs at lists.llvm.org
Tue Jun 19 08:06:17 PDT 2018


            Bug ID: 37855
           Summary: [Analyzer][Z3] Wrong comparison operation being
                    generated from ranged constraint
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: Static Analyzer
          Assignee: dcoughlin at apple.com
          Reporter: mikhail.ramalho at gmail.com
                CC: llvm-bugs at lists.llvm.org

The following program:

typedef struct o p;
struct o {
  struct {
  } s;

void q(*r, p2) {
  r < p2;

void k(l, node) {
  struct {
    p *node;
  } * n, *nodep, path[sizeof(void)];
  path->node = l;
  for (n = path; node != l;) {
    q(node, n->node);
    nodep = n;
  if (nodep)

generates the following constraint:

(conj_$1{struct o *}) - (reg_$3<int * r>): [-9223372036854775808, 0]

but the SMT generated is:

(and (bvuge (bvsub $1 $3) #x8000000000000000)
     (bvule (bvsub $1 $3) #x0000000000000000))

The issue is that unsigned comparisons (bvuge and bvule) are being generated
instead of signed comparisons (bvsge and bvsle).

When generating the expressions: 

(conj_$1{p *}) - (reg_$3<int * r>) >= -9223372036854775808


(conj_$1{p *}) - (reg_$3<int * r>) <= 0

both -9223372036854775808 and 0 are casted to pointer type and
LTy->isSignedIntegerOrEnumerationType() in Z3ConstraintManager::getZ3BinExpr
only checks if the type is signed, not if it's a pointer.

You are receiving this mail because:
You are on the CC list for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-bugs/attachments/20180619/4ffced98/attachment.html>

More information about the llvm-bugs mailing list