[PATCH] [analyzer] [patch] Path-sensitive different.IntegerOverflow checker

Julia Trofimovich t.iuliia at samsung.com
Tue Jul 22 00:17:49 PDT 2014


Thanks a lot for reviewing!

Unfortunately we have no ability to share our code before it satisfies some quality level...

Could you propose a description for the "different" package?

You are correct in your assumption about ExternalSym goals. But there are some cases where the analyzer fails to determine the right value for a symbol, i.e. two alerts from the Android codebase:
* report-7f4011.html
| File | external/mesa3d/src/glsl/linker.cpp |
| Location | line 779, column 42 |
| Description | Integer overflow while subtraction. 0 U32b AND 1 U32b |
This alert happens because the analyzer has no information about num_shaders and, while processing cross_validate_globals, assumes that num_shaders can be 0. But actually this never happens, because num_shaders is checked for 0 every time before link_intrastage_shaders is called (external/mesa3d/src/glsl/linker.cpp, lines 1602 and 1617).

* report-51bc27.html
| File | frameworks/av/drm/libdrmframework/plugins/passthru/src/DrmPassthruPlugIn.cpp |
| Location | line 66, column 41 |
| Description | Integer overflow while addition. 4294967295 U32b AND 1 U32b |
This alert happens because the constructor for value (line 64) isn't inlined (because this constructor is defined in another translation unit, frameworks/native/libs/utils/String8.cpp) and the class member mString is assumed to be 0. So, when value.length() is called (line 66), underflow happens and (0 - 1) is returned. Further addition of 1 results in an FP overflow.

We tested the IntegerOverflow checker on the Android codebase, where it produced 236 alerts. In brief, I guess about 70% of the alerts are TP.

If you would like to inspect the full results of the analysis with the heuristic enabled/disabled, please suggest a place for uploading (size is about 100 MB).

I'll try to change the checker according to your comments, and it would be nice if you find time to review it again!)

{F110916}

{F110918}

http://reviews.llvm.org/D4066
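
The two false-positive shapes described in the message above, reduced to a constructed C++ example (added here; it is not code from the patch, Mesa or Android). All function and type names are hypothetical stand-ins, and `stored_size` is an assumed simplification of the member the message says is modeled as 0.

```cpp
#include <cstdint>
#include <cstdio>

// Checked unsigned 32-bit arithmetic: returns true when the operation wraps,
// which is the condition reported as "Integer overflow" in the two alerts.
static bool sub_wraps(uint32_t a, uint32_t b, uint32_t *out) {
    *out = a - b;  // well-defined modulo 2^32
    return a < b;
}
static bool add_wraps(uint32_t a, uint32_t b, uint32_t *out) {
    *out = a + b;
    return *out < a;
}

// Shape 1: callee seen in isolation. Nothing here bounds num_shaders,
// so the path num_shaders == 0 looks feasible and "0 - 1" wraps.
bool last_index_wraps(uint32_t num_shaders, uint32_t *last) {
    return sub_wraps(num_shaders, 1, last);
}
// The caller's guard makes that path dead; the constraint only exists
// if the analysis carries it across the call.
bool link_guarded_wraps(uint32_t num_shaders) {
    uint32_t last = 0;
    if (num_shaders == 0) return false;  // guard before the call
    return last_index_wraps(num_shaders, &last);
}

// Shape 2: a field whose initializer lives in another translation unit.
// Assumed invariant: stored_size counts the terminating NUL, so it is >= 1.
struct Str {
    uint32_t stored_size;
    uint32_t length() const { return stored_size - 1; }
};
// With the constructor body unavailable the field is modeled as 0:
// length() yields 4294967295 and the later "+ 1" is what gets reported.
bool buffer_size_wraps(const Str &s, uint32_t *size) {
    return add_wraps(s.length(), 1, size);
}

int main() {
    uint32_t v = 0;
    std::printf("unguarded callee, n=0: wraps=%d\n", last_index_wraps(0, &v));
    std::printf("guarded caller,   n=0: wraps=%d\n", link_guarded_wraps(0));
    std::printf("field assumed 0:       wraps=%d\n", buffer_size_wraps(Str{0}, &v));
    std::printf("field as constructed:  wraps=%d\n", buffer_size_wraps(Str{6}, &v));
    return 0;
}
```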





