[all-commits] [llvm/llvm-project] 0646e3: [Analyzer][solver] Fix crashes during symbol simpl...

Fri Jun 25 02:50:11 PDT 2021

  Branch: refs/heads/main
  Home:   https://github.com/llvm/llvm-project
  Commit: 0646e3625499b08a3ac9efd48396f3b463a19139
      https://github.com/llvm/llvm-project/commit/0646e3625499b08a3ac9efd48396f3b463a19139
  Author: Gabor Marton <gabor.marton at ericsson.com>
  Date:   2021-06-25 (Fri, 25 Jun 2021)

  Changed paths:
    M clang/include/clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h
    M clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp
    M clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
    A clang/test/Analysis/solver-sym-simplification-no-crash.c
    A clang/test/Analysis/solver-sym-simplification-with-proper-range-type.c

  Log Message:
  -----------
  [Analyzer][solver] Fix crashes during symbol simplification

Consider the code
```
  void f(int a0, int b0, int c)
  {
      int a1 = a0 - b0;
      int b1 = (unsigned)a1 + c;
      if (c == 0) {
          int d = 7L / b1;
      }
  }
```
At the point of divisiion by `b1` that is considered to be non-zero,
which results in a new constraint for `$a0 - $b0 + $c`. The type
of this sym is unsigned, however, the simplified sym is `$a0 -
$b0` and its type is signed. This is probably the result of the
inherent improper handling of casts. Anyway, Range assignment
for constraints use this type information. Therefore, we must
make sure that first we simplify the symbol and only then we
assign the range.

Differential Revision: https://reviews.llvm.org/D104844