[cfe-dev] [llvm-dev] [GSoC 2018] Integrate with Z3 SMT solver to reduce false positives.

Brenda So via cfe-dev cfe-dev at lists.llvm.org
Fri Mar 16 18:14:44 PDT 2018


Hi George,

Thanks for the references. After watching them and a few more videos, I
sort of have a high-level idea of how z3 will be useful for the static
analyzer:

1. For all the feasible paths reported by the bug reporter, initiate the z3
solver.
2. Use the ProgramState to add constraints to the z3 solver as we step
through the path.
3. If at any point the z3 solver returns false (i.e. the constraints cannot
be satisfied), the path is infeasible and hence should be flagged as a
false positive.

The above procedure assumes that the bug reporter returns feasible
paths, but I am actually still confused about what the bug reporter
reports. Does it report bugs, infeasible paths, or feasible paths of the
program? I am also wondering how the bug reporter and constraint manager
interact with each other.

Moreover, in the project description, it says that z3 is useful in
"complicated branches that the constraint manager cannot reason about".
From the bug reports, or other objects in the static analyzer, how would I
know whether the constraint manager can/cannot reason about?

Thanks for all your help and I look forward to hearing from you,
Brenda
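
Added example (not part of the original message and not Clang's code): the three-step procedure in the message above, modelled on a single 8-bit symbol. The exhaustive check stands in for the Z3 query, and the `Constraint` type and all function names are hypothetical.

```cpp
#include <algorithm>
#include <bitset>
#include <cstdio>
#include <vector>

// One branch condition recorded along a reported path, over a single
// 8-bit unsigned symbol x (constructed model, not analyzer data structures).
struct Constraint {
  enum Kind { GE, LT, MaskEq } kind;  // x >= a, x < a, (x & a) == b
  unsigned a, b;
  bool holds(unsigned x) const {
    return kind == GE ? x >= a : kind == LT ? x < a : (x & a) == b;
  }
};

// Range-only reasoning: keeps an interval for x and assumes the bitwise
// constraint is satisfiable. Returns the first infeasible step, or -1.
int rangeOnlyRefute(const std::vector<Constraint> &path) {
  int lo = 0, hi = 255;
  for (size_t i = 0; i < path.size(); ++i) {
    if (path[i].kind == Constraint::GE) lo = std::max(lo, (int)path[i].a);
    if (path[i].kind == Constraint::LT) hi = std::min(hi, (int)path[i].a - 1);
    if (lo > hi) return (int)i;
  }
  return -1;
}

// Bit-precise reasoning by enumerating all 256 values, standing in for
// the SMT query. Same return convention as above.
int exactRefute(const std::vector<Constraint> &path) {
  std::bitset<256> feasible;
  feasible.set();
  for (size_t i = 0; i < path.size(); ++i) {
    for (unsigned x = 0; x < 256; ++x)
      if (!path[i].holds(x)) feasible.reset(x);
    if (feasible.none()) return (int)i;
  }
  return -1;
}

// Constructed path: x >= 5, x < 8, then (x & 3) == 0. No value in
// [5, 7] has its two low bits clear, so the third step is unsatisfiable.
std::vector<Constraint> samplePath() {
  return {{Constraint::GE, 5, 0}, {Constraint::LT, 8, 0},
          {Constraint::MaskEq, 3, 0}};
}

int main() {
  auto p = samplePath();
  std::printf("range-only: %d, exact: %d\n", rangeOnlyRefute(p), exactRefute(p));
}
```

On the sample path the range-only check finds nothing to refute, while the bit-precise check rejects the path at its third constraint, which is the case where the report would be dropped as a false positive.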


> On Wed, Mar 14, 2018 at 10:16 PM, George Karpenkov <ekarpenkov at apple.com>
> wrote:
>
>> Hi Brenda,
>>
>> Great that you are interested in the project!
>> I’m reposting this to cfe-dev as Clang development is discussed there
>> (please direct all future email to that list).
>>
>> As to your question, I think I have answered it in the following email:
>> http://lists.llvm.org/pipermail/cfe-dev/2018-March/057067.html
>> (yes, lack of easily searchable/browsable archives is a problem..)
>>
>> Regards,
>> George
>>
>> On Mar 14, 2018, at 6:37 PM, Brenda So via llvm-dev <
>> llvm-dev at lists.llvm.org> wrote:
>>
>> Hi all,
>>
>> I am a fourth year EE bachelors student who is very interested in
>> compilers. I have taken the only compilers course offered in my school and
>> did an independent study with my CS professor. Although I'll begin to work
>> in a couple of months, I definitely want to pursue my interest in compiler
>> design and optimization as a PhD in the future. I am very interested in the
>> z3 SMT solver project detailed on the LLVM website and have been doing some
>> research about it.
>>
>> From what I understand, the current analyzer traces the program, and at
>> each branch, it branches out into the true branch and the false branch. The
>> true and false branches cause certain constraints on the values. If the
>> conditions on the branch cause a constraint to be unsatisfiable, the path
>> is considered to be infeasible. In that case, z3 would be useful in proving
>> whether a branch is definitely true or false (i.e. whether the constraints
>> are satisfiable), thus preventing exponential blowup of the analysis.
>>
>> However, when I was looking through the github version of LLVM, it seems
>> like z3 is already incorporated:
>> https://github.com/llvm-mirror/clang/blob/master/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp
>>
>> I guess my question is, what would the project contribute on top of the
>> z3 manager that is currently implemented for LLVM?
>>
>> Thanks!
>> Brenda