[cfe-dev] [analyzer] Evaluating a call to operator bool()

via cfe-dev cfe-dev at lists.llvm.org
Wed Jul 31 14:01:40 PDT 2019 

Hi list,

I have the following code to analyze:

struct BoolConvertibleStruct {
    int n;
    BoolConvertibleStruct(int m) : n(m) {}
    operator bool() const { return n != 0; }
};

BoolConvertibleStruct StructFunc() {
    return 1;
}

I have reduced my problem to wanting to analyze StructFunc() to figure out
the truth value of its return value. (The actual problem is more
complicated and you might recognize that BoolConvertibleStruct is a
stand-in for std::unique_ptr<T>, among other things :-P)

I have the following sample checker:

class Analyzer : public Checker<check::EndFunction> {
 public:
    void checkEndFunction(const ReturnStmt* ret, CheckerContext& cx) const {
        const auto* func =
cast<FunctionDecl>(cx.getStackFrame()->getDecl());
        if (func->getQualifiedNameAsString() != "StructFunc")
            return;

        ProgramStateRef state = cx.getState();
        SValBuilder& builder = cx.getSValBuilder();
        ASTContext& ast = cx.getASTContext();

        SVal returnValue = cx.getSVal(ret->getRetValue());
        SVal falseValue = builder.makeZeroVal(ast.BoolTy);
        SVal returnedFalse = builder.evalEQ(state, returnValue, falseValue);

        errs() << "Evaluating (" << returnValue << " == " << falseValue
            << ") -> " << returnedFalse << "\n";
    }
};

However when I run it on my sample code I get this output:

Evaluating (lazyCompoundVal{0x7f98f1871c70,Element{SymRegion{conj_$0{struct
BoolConvertibleStruct *, LC1, S973, #1}},0 S64b,struct
BoolConvertibleStruct}} == 0 U1b) -> Unknown

It seems to me that the result should be able to be easily modeled, but I'm
not sure how to go about it. (I don't even see the "1" stored in the field
showing up in the LazyCompoundVal.) Looking at the source code, it looks
like I will have to somehow transform the LazyCompoundVal to something else
because evalBinOp will always return Unknown if either side is a
LazyCompoundVal. I have tried these things so far:

- Getting the CXXConversionDecl for BoolConvertibleStruct::operator bool()
and creating a CXXMemberCallExpr, then calling cx.getSVal() on that; the
result is Unknown
- Getting the FieldDecl for BoolConvertibleStruct::n and calling
state->getLValue(field, returnValue); the resulting SVal crashes when I try
to print it
- Using builder.evalCast() to cast returnValue to ast.BoolTy; the result of
the cast is also Unknown
- Using state->isNull() to query the truth value directly; the result is
underconstrained

Some suggestion about what to try next (or even "this definitely won't
work") would be appreciated.

Regards,
-- 
Philip
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20190731/b602b94a/attachment.html>

More information about the cfe-dev mailing list