[clang] [clang] [Static analyzer]: add initial support for builtin overflow (PR #102602)

[Balazs Benics via cfe-commits]

================
@@ -50,6 +101,44 @@ class BuiltinFunctionChecker : public Checker<eval::Call> {
 
 } // namespace
 
+void BuiltinFunctionChecker::HandleOverflowBuiltin(const CallEvent &Call,
+                                                   CheckerContext &C,
+                                                   BinaryOperator::Opcode Op,
+                                                   QualType ResultType) const {
+  // All __builtin_*_overflow functions take 3 argumets.
+  assert(Call.getNumArgs() == 3);
+
+  ProgramStateRef State = C.getState();
+  SValBuilder &SVB = C.getSValBuilder();
+  const Expr *CE = Call.getOriginExpr();
+
+  SVal Arg1 = Call.getArgSVal(0);
+  SVal Arg2 = Call.getArgSVal(1);
+
+  SVal RetVal = SVB.evalBinOp(State, Op, Arg1, Arg2, ResultType);
+
+  // TODO: Handle overflows with values that known to overflow. Like INT_MAX + 1
+  // should not produce state for non-overflow case and threat it as
----------------
steakhal wrote:

evalBinOp models wrapping semantics - even for signed arithmetic (where it would be UB).
We don't have a similar evaluation model (operating on symbolic values, aka. SVals) which operates with mathematical (non-wrapping) semantics. This is unfortunate.

Initially I wanted to recommend `SVB.getKnownValue(State, Val)`, but I believe it's not too likely that one would use `malloc` with two concrete int params. So this wouldn't really enable many use-cases.

I can agree with @NagyDonat, about using `getMinValue` and friends. That would enable us using the constraints we have in the State, and unlock symbolic cases.

https://github.com/llvm/llvm-project/pull/102602