[PATCH] D86874: [analyzer] Fix ArrayBoundCheckerV2 false positive regarding size_t indexer
Balázs Benics via Phabricator via cfe-commits
cfe-commits at lists.llvm.org
Fri Sep 4 03:16:32 PDT 2020
steakhal added a comment.
In D86874#2255990 <https://reviews.llvm.org/D86874#2255990>, @martong wrote:
> Hi Balázs,
>
> Since reviews.llvm.org is offline, I am sending my comments below, inline.
> Thanks for your huge effort in explaining all this!
>
> Overall, I have a feeling that this approach targets only one specific
> case, which is fine. But I believe we should think about all the other
> possible cases, so we could get rid of other false positives too:
>
> 1. In case of multidimensional arrays, there may be a symbolic value in any dimension.
Yes, obviously - but it's not a problem. See my next comment.
> 2. What if there are more symbolic values in the dimensions.
It stops the //simplification// process on the very first `SymExpr` which is not a `SymIntExpr`. This //simplification// is done on a //best effort// basis only.
Another interesting fact is that we don't generate nested `ElementRegion`s too frequently, so we don't have to deal with //"What if there are more symbolic values in the dimensions."// :D
The last two lines of the following example are particularly interesting; I'm curious why we do that.
Let's see some examples:
// clang_analyzer_dump is supplied by the debug.ExprInspection checker;
// the declaration is needed so the file compiles under the analyzer.
void clang_analyzer_dump(const void *);

void foo(int x, int y) {
  int buf[10][3];
  clang_analyzer_dump(&buf[1][2]);     // &Element{Element{buf,1 S64b,int [3]},2 S64b,int}
  clang_analyzer_dump(&buf[1][y]);     // Unknown
  clang_analyzer_dump(&buf[x][2]);     // &Element{Element{buf,reg_$1<int x>,int [3]},2 S64b,int}
  clang_analyzer_dump(&buf[x][y]);     // Unknown
  clang_analyzer_dump(&buf[1][y+1]);   // Unknown
  clang_analyzer_dump(&buf[x][y+1]);   // Unknown
  clang_analyzer_dump(&buf[x+1][2]);   // &Element{Element{buf,(reg_$1<int x>) + 1,int [3]},2 S64b,int}
  clang_analyzer_dump(&buf[1+x][2]);   // &Element{Element{buf,(reg_$1<int x>) + 1,int [3]},2 S64b,int}
  clang_analyzer_dump(&buf[x+1][y+2]); // Unknown
  // Another surprise is that if we assign the pointer value to a variable, we get different results...
  int *p = &buf[1][x+1];
  clang_analyzer_dump(p);              // &SymRegion{conj_$2{int *, LC1, S1740, #1}}
  clang_analyzer_dump(&buf[1][x+1]);   // Unknown
}
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D86874/new/
https://reviews.llvm.org/D86874