r337167 - [analyzer] Fix constraint being dropped when analyzing a program without taint tracking enabled

Mikhail R. Gadelha via cfe-commits cfe-commits at lists.llvm.org
Mon Jul 16 06:14:47 PDT 2018


Author: mramalho
Date: Mon Jul 16 06:14:46 2018
New Revision: 337167

URL: http://llvm.org/viewvc/llvm-project?rev=337167&view=rev
Log:
[analyzer] Fix constraint being dropped when analyzing a program without taint tracking enabled

Summary:
This patch removes the constraint dropping when taint tracking is disabled.

It also avoids the crash reported in D28953 by treating a SymSymExpr with non-pointer symbols as an opaque expression.

Updated the regressions and verifying the big projects now; I'll update here when they're done.

Based on the discussion on the mailing list and the patches by @ddcc.

Reviewers: george.karpenkov, NoQ, ddcc, baloghadamsoftware

Reviewed By: george.karpenkov

Subscribers: delcypher, llvm-commits, rnkovacs, xazax.hun, szepet, a.sidorin, ddcc

Differential Revision: https://reviews.llvm.org/D48650

Modified:
    cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
    cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
    cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
    cfe/trunk/test/Analysis/PR37855.c
    cfe/trunk/test/Analysis/bitwise-ops.c
    cfe/trunk/test/Analysis/std-c-library-functions.c
    cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c

Modified: cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp Mon Jul 16 06:14:46 2018
@@ -390,7 +390,7 @@ unsigned AnalyzerOptions::getGraphTrimIn
 
 unsigned AnalyzerOptions::getMaxSymbolComplexity() {
   if (!MaxSymbolComplexity.hasValue())
-    MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 10000);
+    MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 25);
   return MaxSymbolComplexity.getValue();
 }
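Review bot: The default for max-symbol-complexity is cut from 10000 to 25 on the `+` line, but neither the code nor the commit message says why, and the cap now governs far more expressions because makeSymExprValNN (SValBuilder.cpp hunk) no longer returns UnknownVal for untainted operands. Whoever tunes this option later needs the rationale next to the number; I'd add above the assignment `// Low default: now that makeSymExprValNN builds a SymSymExpr for every symbolic binary op, keep symbol trees small to bound analysis time.` It is also worth stating the trade-off that expressions exceeding the cap evaluate to Unknown (per the TODO kept in the SValBuilder hunk), so precision drops silently for deeper expressions.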
 

Modified: cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp Mon Jul 16 06:14:46 2018
@@ -52,17 +52,18 @@ ProgramStateRef RangedConstraintManager:
     assert(BinaryOperator::isComparisonOp(Op));
 
     // For now, we only support comparing pointers.
-    assert(Loc::isLocType(SSE->getLHS()->getType()));
-    assert(Loc::isLocType(SSE->getRHS()->getType()));
-    QualType DiffTy = SymMgr.getContext().getPointerDiffType();
-    SymbolRef Subtraction =
-        SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy);
+    if (Loc::isLocType(SSE->getLHS()->getType()) &&
+        Loc::isLocType(SSE->getRHS()->getType())) {
+      QualType DiffTy = SymMgr.getContext().getPointerDiffType();
+      SymbolRef Subtraction =
+          SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy);
 
-    const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy);
-    Op = BinaryOperator::reverseComparisonOp(Op);
-    if (!Assumption)
-      Op = BinaryOperator::negateComparisonOp(Op);
-    return assumeSymRel(State, Subtraction, Op, Zero);
+      const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy);
+      Op = BinaryOperator::reverseComparisonOp(Op);
+      if (!Assumption)
+        Op = BinaryOperator::negateComparisonOp(Op);
+      return assumeSymRel(State, Subtraction, Op, Zero);
+    }
   }
 
   // If we get here, there's nothing else we can do but treat the symbol as
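Review bot: The comment `// For now, we only support comparing pointers.` at the top of the hunk now sits above a guard rather than the asserts it used to describe, and it does not tell the reader what happens to a SymSymExpr with a non-pointer operand (or one pointer and one non-pointer operand), which now falls through to the opaque-symbol handling after the closing brace. I'd reword it to `// For now, we only support comparing pointers; a comparison with any non-pointer operand falls through and is treated as an opaque symbol below.` The enclosing function starts before and ends after this hunk, so the fall-through path itself is not visible here.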

Modified: cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp (original)
+++ cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp Mon Jul 16 06:14:46 2018
@@ -379,11 +379,9 @@ SVal SValBuilder::makeSymExprValNN(Progr
                                    BinaryOperator::Opcode Op,
                                    NonLoc LHS, NonLoc RHS,
                                    QualType ResultTy) {
-  if (!State->isTainted(RHS) && !State->isTainted(LHS))
-    return UnknownVal();
-
   const SymExpr *symLHS = LHS.getAsSymExpr();
   const SymExpr *symRHS = RHS.getAsSymExpr();
+
   // TODO: When the Max Complexity is reached, we should conjure a symbol
   // instead of generating an Unknown value and propagate the taint info to it.
   const unsigned MaxComp = StateMgr.getOwningEngine()
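Review bot: With the taint check removed, makeSymExprValNN builds a SymSymExpr for every pair of symbolic NonLocs, yet the TODO comment kept after the added blank line still describes the Unknown fallback purely in terms of propagating taint info, although the function is no longer taint-specific. I'd update it to `// TODO: When the Max Complexity is reached, we should conjure a symbol instead of generating an Unknown value (and propagate taint info to it where applicable).` The function's signature begins in the hunk header and its body continues past the last line shown, so the MaxComp comparison itself is outside this view.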

Modified: cfe/trunk/test/Analysis/PR37855.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/PR37855.c?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/PR37855.c (original)
+++ cfe/trunk/test/Analysis/PR37855.c Mon Jul 16 06:14:46 2018
@@ -20,5 +20,5 @@ void k(l, node) {
     nodep = n;
   }
   if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}}
-    n[1].node->s; // expected-warning {{Dereference of undefined pointer value}}
+    n[1].node->s;
 }
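Review bot: The `+` line drops the `Dereference of undefined pointer value` expectation without a note on why that diagnostic is no longer emitted, so the test reads as if a real finding was lost rather than a redundant report. I'd add on that line `// no-warning: presumably the garbage-value report on the branch condition above already sinks this path` — hedged, since the analyzer's handling of the branch is not visible in this hunk. The enclosing function k starts before the hunk.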

Modified: cfe/trunk/test/Analysis/bitwise-ops.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/bitwise-ops.c?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/bitwise-ops.c (original)
+++ cfe/trunk/test/Analysis/bitwise-ops.c Mon Jul 16 06:14:46 2018
@@ -8,9 +8,8 @@ void testPersistentConstraints(int x, in
   CHECK(x); // expected-warning{{TRUE}}
   CHECK(x & 1); // expected-warning{{TRUE}}
   
-  // False positives due to SValBuilder giving up on certain kinds of exprs.
-  CHECK(1 - x); // expected-warning{{UNKNOWN}}
-  CHECK(x & y); // expected-warning{{UNKNOWN}}
+  CHECK(1 - x); // expected-warning{{TRUE}}
+  CHECK(x & y); // expected-warning{{TRUE}}
 }
 
 int testConstantShifts_PR18073(int which) {

Modified: cfe/trunk/test/Analysis/std-c-library-functions.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/std-c-library-functions.c?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/std-c-library-functions.c (original)
+++ cfe/trunk/test/Analysis/std-c-library-functions.c Mon Jul 16 06:14:46 2018
@@ -57,8 +57,7 @@ void test_fread_fwrite(FILE *fp, int *bu
   size_t y = fread(buf, sizeof(int), 10, fp);
   clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
   size_t z = fwrite(buf, sizeof(int), y, fp);
-  // FIXME: should be TRUE once symbol-symbol constraint support is improved.
-  clang_analyzer_eval(z <= y); // expected-warning{{UNKNOWN}}
+  clang_analyzer_eval(z <= y); // expected-warning{{TRUE}}
 }
 
 ssize_t getline(char **, size_t *, FILE *);

Modified: cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c?rev=337167&r1=337166&r2=337167&view=diff
==============================================================================
--- cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c (original)
+++ cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c Mon Jul 16 06:14:46 2018
@@ -560,7 +560,7 @@ void compare_same_symbol_plus_left_int_e
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x == y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) + 1U) == (conj_$2{int})}}
 }
 
 void compare_same_symbol_minus_left_int_equal_unsigned() {
@@ -569,7 +569,7 @@ void compare_same_symbol_minus_left_int_
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x == y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) - 1U) == (conj_$2{int})}}
 }
 
 void compare_same_symbol_plus_right_int_equal_unsigned() {
@@ -577,7 +577,7 @@ void compare_same_symbol_plus_right_int_
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{(conj_$2{int}) == ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_right_int_equal_unsigned() {
@@ -585,7 +585,7 @@ void compare_same_symbol_minus_right_int
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{(conj_$2{int}) == ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_plus_left_plus_right_int_equal_unsigned() {
@@ -603,7 +603,7 @@ void compare_same_symbol_plus_left_minus
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) + 1U) == ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_minus_left_plus_right_int_equal_unsigned() {
@@ -612,7 +612,7 @@ void compare_same_symbol_minus_left_plus
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) - 1U) == ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_left_minus_right_int_equal_unsigned() {
@@ -710,7 +710,7 @@ void compare_same_symbol_plus_left_int_l
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x <= y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) + 1U) <= (conj_$2{int})}}
 }
 
 void compare_same_symbol_minus_left_int_less_or_equal_unsigned() {
@@ -719,7 +719,7 @@ void compare_same_symbol_minus_left_int_
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x <= y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) - 1U) <= (conj_$2{int})}}
 }
 
 void compare_same_symbol_plus_right_int_less_or_equal_unsigned() {
@@ -727,7 +727,7 @@ void compare_same_symbol_plus_right_int_
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{(conj_$2{int}) <= ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_right_int_less_or_equal_unsigned() {
@@ -735,7 +735,7 @@ void compare_same_symbol_minus_right_int
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{(conj_$2{int}) <= ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_plus_left_plus_right_int_less_or_equal_unsigned() {
@@ -753,7 +753,7 @@ void compare_same_symbol_plus_left_minus
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) + 1U) <= ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_minus_left_plus_right_int_less_or_equal_unsigned() {
@@ -762,7 +762,7 @@ void compare_same_symbol_minus_left_plus
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) - 1U) <= ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_left_minus_right_int_less_or_equal_unsigned() {
@@ -860,7 +860,7 @@ void compare_same_symbol_plus_left_int_l
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x < y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) + 1U) < (conj_$2{int})}}
 }
 
 void compare_same_symbol_minus_left_int_less_unsigned() {
@@ -869,7 +869,7 @@ void compare_same_symbol_minus_left_int_
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x < y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) - 1U) < (conj_$2{int})}}
 }
 
 void compare_same_symbol_plus_right_int_less_unsigned() {
@@ -877,7 +877,7 @@ void compare_same_symbol_plus_right_int_
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{(conj_$2{int}) < ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_right_int_less_unsigned() {
@@ -885,7 +885,7 @@ void compare_same_symbol_minus_right_int
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{(conj_$2{int}) < ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_plus_left_plus_right_int_less_unsigned() {
@@ -903,7 +903,7 @@ void compare_same_symbol_plus_left_minus
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) + 1U) < ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_minus_left_plus_right_int_less_unsigned() {
@@ -912,7 +912,7 @@ void compare_same_symbol_minus_left_plus
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning at -1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning at -1{{((conj_$2{int}) - 1U) < ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_left_minus_right_int_less_unsigned() {



