[cfe-dev] Static Analyzer and signed 64bit constraints

- yrp via cfe-dev cfe-dev at lists.llvm.org
Mon Jan 29 00:25:15 PST 2018


Hello,
I'm attempting to write a checker to look for certain signedness issues. I have code similar to the following:
int32_t z = -1;
read(STDIN_FILENO, &z, sizeof(z));   /* z is signed and comes from untrusted input */
if (z > 20) exit(EXIT_FAILURE);      /* only the upper bound is checked */
memcpy(x, y, z);                     /* z is converted to size_t here */
Inside the checker I am printing the constraints on the SVal 'z' with a PreCall, filtering on memcpy:
ProgramStateRef State = C.getState();
State->getConstraintManager().print(State, llvm::outs(), "\n", " ");

I have two questions related to this:
1. The constraint on the above value is printed as 'conj_$0{int32_t} : { [-2147483648, -1], [1, 20] }'. What happened to zero? My best guess is the static analyzer realizing that 'memcpy(x, y, 0)' is a nop and pruning that program state?
2. The above code, aside from the zero exception, makes sense when z is an int8_t, int16_t, or an int32_t:
 conj_$0{int8_t} : { [-128, -1], [1, 20] }
 conj_$0{int16_t} : { [-32768, -1], [1, 20] }
 conj_$0{int32_t} : { [-2147483648, -1], [1, 20] }

However, if I switch this to an int64_t I get:
 conj_$0{int64_t} : { [1, 20] }

What happened to all the negative numbers?
Apologies if I've missed something obvious.
Cheers!
-yrp
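As an added illustration of the signedness issue the checker above is hunting (this is example code, not code from the post or from the Clang project): the posted check only bounds z from above, so a negative int32_t passes the test and is converted to a very large size_t at the memcpy call. The hardened form rejects the negative range as well. The function names, MAX_LEN and the buffers are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed upper bound, matching the '20' in the posted snippet. */
#define MAX_LEN 20

/* The check from the post: it only rejects values above MAX_LEN, so every
 * negative int32_t is accepted and later converted to size_t by memcpy. */
bool original_check_accepts(int32_t z) {
    if (z > MAX_LEN) return false;
    return true;
}

/* Hardened check: reject the whole negative range explicitly before the
 * value reaches a size_t parameter. */
bool hardened_check_accepts(int32_t z) {
    if (z < 0 || z > MAX_LEN) return false;
    return true;
}

/* The implicit conversion memcpy performs on its third argument. For a
 * negative value this yields a huge length (-1 becomes SIZE_MAX). */
size_t as_memcpy_length(int32_t z) {
    return (size_t)z;
}

/* Copy z bytes from src to dst only after the hardened validation.
 * Returns the number of bytes copied, or -1 if the length was rejected.
 * Both buffers are assumed to hold at least MAX_LEN bytes. */
int safe_copy(unsigned char *dst, const unsigned char *src, int32_t z) {
    if (!hardened_check_accepts(z)) return -1;
    memcpy(dst, src, (size_t)z);
    return (int)z;
}

int main(void) {
    /* Constructed sample buffers for a stand-alone run. */
    unsigned char src[MAX_LEN];
    unsigned char dst[MAX_LEN] = {0};
    for (int i = 0; i < MAX_LEN; i++) src[i] = (unsigned char)i;

    int32_t samples[] = {-1, 0, 5, 20, 21};
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int32_t z = samples[i];
        printf("z=%d original=%s hardened=%s as size_t=%zu copied=%d\n",
               z,
               original_check_accepts(z) ? "accept" : "reject",
               hardened_check_accepts(z) ? "accept" : "reject",
               as_memcpy_length(z),
               safe_copy(dst, src, z));
    }
    return 0;
}
```

Note that the analyzer's constraint output in the post is exactly what a checker would need to flag here: the range it reports on z at the memcpy call still includes the negative interval, which is the signal that the upper-bound-only check is insufficient.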