[cfe-dev] [GSoC] Re: CSA constraint solver improvements

Valeriy Savchenko via cfe-dev cfe-dev at lists.llvm.org
Fri Apr 9 02:40:24 PDT 2021


Hi Manas,

Great to see some interest for the project!

The solver in question is fully located in RangeConstraintManager.cpp. There we try our best to provide useful ranges for symbolic expressions AND do it real fast. The last part is probably the most important thing here.  This solver works every time we see a condition in code and when we tried using z3 for this instead, it degraded performance so drastically that the analyzer is not useable (e.g 10min --> 25h).  

However, we have found another application for z3 - refute produced warnings. When we are about to report a new warning, we can check that constraints are sat/unsat and discard the warning in the latter case.  This happens way less frequently and good in terms of performance.  Alas, the majority of users have static analyzer build without z3, and some false positives warnings sneak in.

So, there are two main directions that I see:
Figure out cases when z3 refutation works better than the built-in fast solver.  
Run the analyzer in both modes and analyze the difference.  Usually it’s under 10 warnings, so it won’t be very tedious.
Add reasoning about range-based binary operations.  
If we know ranges for symbols or symbolic expressions x and y, we can often reason about possible ranges for x OP y, where OP is some binary operator.  At the moment, we have support for &, |, and % (it’s a bit weird set of operators, but it was driven by reported false positives).

We are open for other suggestions and algorithms in this component, but I guess it’s valuable to start with the first bullet point to have a good motivation for improvements.

@Balazs, sorry for confusion.  Here is a short description of the project I suggested for this year: https://llvm.org/OpenProjects.html#static_analyzer_constraint_solver <https://llvm.org/OpenProjects.html#static_analyzer_constraint_solver>

It’s a logical continuation of my work:
D86465, D82445, D83286, D82381, D80117, D79434, and D79336

Cheers,
Valeriy

> On 9 Apr 2021, at 11:37, via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> 
> Good to hear that someone is interested in the SMT Solver part of the analyzer.
> 
> Mikhail Ramalho is probably the primary driving factor in this direction, but I try to participate/help as much as I can.
> You probably already know, Artem Dergachev is the code owner of the CSA, so I guess, you can count on him as well.
> 
> Unfortunately, the SMT solver is not maintained, thus it is in pretty bad shape. It can not pass the tests for various reasons.
> I planned to improve the situation, but it was always a low priority for me. My primary concern is the Z3 solver for bugreport refutation for the range-based solver.
> 
> I recommend you have a look at patches in the past using git blame.
> AFAIK these three are the most important patches which not landed yet:
> D83677, D83660, D85528
> 
> Regards, Balazs.
> 
> -----Original Message-----
> From: cfe-dev <cfe-dev-bounces at lists.llvm.org> On Behalf Of Manas via cfe-dev
> Sent: 2021. április 9., péntek 10:01
> To: clang-front-end mailing list <cfe-dev at lists.llvm.org>
> Subject: [cfe-dev] [GSoC] Re: CSA constraint solver improvements
> 
> Hi everyone, 
> 
> I am a pre-final year undergraduate in computer science. I am interested in "Clang Static Analyzer: constraint solver improvements" project.
> 
> I have around 8 months of experience with LLVM/Clang during my compilers class where I also implemented some dataflow analysis techniques for LLVM IR. I am also in middle of completing my decision procedures course at university. This course has helped me in gaining fundamental knowledge about solvers. I am familiar with range-based logic. Along with these, I have tried z3 while learning about solvers, and I think I can learn more about it fairly quickly.
> 
> I think this project fits for me. It will also help me in improving my knowledge further. I have started working on my proposal.
> 
> Can you give me further directions regarding the proposal for this project?
> 
> Thank you
> --
> Manas
> CSAM Undergraduate | 2022
> IIIT-Delhi, India
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
> 
> _______________________________________________
> cfe-dev mailing list
> cfe-dev at lists.llvm.org
> https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20210409/2fc2317d/attachment.html>


More information about the cfe-dev mailing list