Author: mramalho Date: Mon Jul 16 06:14:46 2018 New Revision: 337167 URL: http://llvm.org/viewvc/llvm-project?rev=337167&view=rev Log: [analyzer] Fix constraint being dropped when analyzing a program without taint tracking enabled
Summary: This patch removes the constraint dropping when taint tracking is disabled. It also voids the crash reported in D28953 by treating a SymSymExpr with non pointer symbols as an opaque expression. Updated the regressions and verifying the big projects now; I'll update here when they're done. Based on the discussion on the mailing list and the patches by @ddcc. 
Reviewers: george.karpenkov, NoQ, ddcc, baloghadamsoftware 
Reviewed By: george.karpenkov 
Subscribers: delcypher, llvm-commits, rnkovacs, xazax.hun, szepet, a.sidorin, ddcc 
Differential Revision: https://reviews.llvm.org/D48650 
Modified: 
cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp 
cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp 
cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp 
cfe/trunk/test/Analysis/PR37855.c 
cfe/trunk/test/Analysis/bitwise-ops.c 
cfe/trunk/test/Analysis/std-c-library-functions.c 
cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c 
Modified: cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp (original) 
+++ cfe/trunk/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp Mon Jul 16 06:14:46 2018 
@@ -390,7 +390,7 @@ unsigned AnalyzerOptions::getGraphTrimIn
 unsigned AnalyzerOptions::getMaxSymbolComplexity() {
 if (!MaxSymbolComplexity.hasValue()) 
- MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 10000); 
+ MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 25);
 return MaxSymbolComplexity.getValue();
 } 
Modified: cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp (original) 
+++ cfe/trunk/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp Mon Jul 16 06:14:46 2018 
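Review bot: The default for `max-symbol-complexity` drops from 10000 to 25 with no comment at the call site and no mention in the commit message, so a maintainer reading `getMaxSymbolComplexity` cannot tell that the value is tied to this commit's removal of the taint gate in `SValBuilder::makeSymExprValNN`. Since symbol-symbol expressions are presumably now built for untainted operands as well, this cap becomes the main bound on expression growth and constraint-solver work per path, and a silent 400x reduction changes analysis precision for every user who never set the option. I would add a why-comment above the assignment, e.g. `// Kept low on purpose: SymSymExprs are now built regardless of taint (see SValBuilder::makeSymExprValNN), so this cap bounds constraint-solver work.`, and record the new default in the option's documentation.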
@@ -52,17 +52,18 @@ ProgramStateRef RangedConstraintManager:
 assert(BinaryOperator::isComparisonOp(Op));
 // For now, we only support comparing pointers. 
- assert(Loc::isLocType(SSE->getLHS()->getType())); 
- assert(Loc::isLocType(SSE->getRHS()->getType())); 
- QualType DiffTy = SymMgr.getContext().getPointerDiffType(); 
- SymbolRef Subtraction = 
- SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy); 
+ if (Loc::isLocType(SSE->getLHS()->getType()) && 
+ Loc::isLocType(SSE->getRHS()->getType())) { 
+ QualType DiffTy = SymMgr.getContext().getPointerDiffType(); 
+ SymbolRef Subtraction = 
+ SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy); 
- const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy); 
- Op = BinaryOperator::reverseComparisonOp(Op); 
- if (!Assumption) 
- Op = BinaryOperator::negateComparisonOp(Op); 
- return assumeSymRel(State, Subtraction, Op, Zero); 
+ const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy); 
+ Op = BinaryOperator::reverseComparisonOp(Op); 
+ if (!Assumption) 
+ Op = BinaryOperator::negateComparisonOp(Op); 
+ return assumeSymRel(State, Subtraction, Op, Zero); 
+ }
 }
 // If we get here, there's nothing else we can do but treat the symbol as 
Modified: cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp (original) 
+++ cfe/trunk/lib/StaticAnalyzer/Core/SValBuilder.cpp Mon Jul 16 06:14:46 2018 
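Review bot: The comment `// For now, we only support comparing pointers.` now introduces a conditional instead of two asserts, but it no longer says what happens when the operands are not both pointers, which is exactly the case this change exists to handle (the crash from D28953 per the description). A reader has to look past the closing brace to the `// If we get here` comment to learn that such a SymSymExpr falls through and is treated as opaque. I would reword it to `// Only pointer comparisons are rewritten as a difference against zero; any other SymSymExpr falls through and is treated as an opaque symbol below.` The enclosing function starts and ends outside the hunk, so I cannot see the fall-through path itself; note that the condition also sends the mixed case of one pointer and one integer operand down that path, which seems right but is worth stating in the comment.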
@@ -379,11 +379,9 @@ SVal SValBuilder::makeSymExprValNN(Progr
 BinaryOperator::Opcode Op,
 NonLoc LHS, NonLoc RHS,
 QualType ResultTy) { 
- if (!State->isTainted(RHS) && !State->isTainted(LHS)) 
- return UnknownVal();
 const SymExpr *symLHS = LHS.getAsSymExpr();
 const SymExpr *symRHS = RHS.getAsSymExpr(); 
+
 // TODO: When the Max Complexity is reached, we should conjure a symbol
 // instead of generating an Unknown value and propagate the taint info to it.
 const unsigned MaxComp = StateMgr.getOwningEngine() 
Modified: cfe/trunk/test/Analysis/PR37855.c 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/PR37855.c?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/test/Analysis/PR37855.c (original) 
+++ cfe/trunk/test/Analysis/PR37855.c Mon Jul 16 06:14:46 2018 
@@ -20,5 +20,5 @@ void k(l, node) {
 nodep = n;
 }
 if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}} 
- n[1].node->s; // expected-warning {{Dereference of undefined pointer value}} 
+ n[1].node->s;
 } 
Modified: cfe/trunk/test/Analysis/bitwise-ops.c 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/bitwise-ops.c?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/test/Analysis/bitwise-ops.c (original) 
+++ cfe/trunk/test/Analysis/bitwise-ops.c Mon Jul 16 06:14:46 2018 
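Review bot: With the taint check gone, `makeSymExprValNN` presumably builds a SymSymExpr for every pair of symbolic operands, yet nothing in the hunk records that the `MaxComp` limit read a few lines down is now the only guard against unbounded expression growth; the surviving TODO still talks about propagating taint, which reads as if taint were still the entry condition. I would turn the bare added blank line into a short comment, e.g. `// Symbol-symbol expressions are built regardless of taint; the complexity cap below (max-symbol-complexity) is the only bound on their size.` The function's signature is only visible in the hunk header and its body, including the use of MaxComp, continues past the hunk.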
@@ -8,9 +8,8 @@ void testPersistentConstraints(int x, in
 CHECK(x); // expected-warning{{TRUE}}
 CHECK(x & 1); // expected-warning{{TRUE}} 
- // False positives due to SValBuilder giving up on certain kinds of exprs. 
- CHECK(1 - x); // expected-warning{{UNKNOWN}} 
- CHECK(x & y); // expected-warning{{UNKNOWN}} 
+ CHECK(1 - x); // expected-warning{{TRUE}} 
+ CHECK(x & y); // expected-warning{{TRUE}}
 }
 int testConstantShifts_PR18073(int which) { 
Modified: cfe/trunk/test/Analysis/std-c-library-functions.c 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/std-c-library-functions.c?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/test/Analysis/std-c-library-functions.c (original) 
+++ cfe/trunk/test/Analysis/std-c-library-functions.c Mon Jul 16 06:14:46 2018 
@@ -57,8 +57,7 @@ void test_fread_fwrite(FILE *fp, int *bu
 size_t y = fread(buf, sizeof(int), 10, fp);
 clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
 size_t z = fwrite(buf, sizeof(int), y, fp); 
- // FIXME: should be TRUE once symbol-symbol constraint support is improved. 
- clang_analyzer_eval(z <= y); // expected-warning{{UNKNOWN}} 
+ clang_analyzer_eval(z <= y); // expected-warning{{TRUE}}
 }
 ssize_t getline(char **, size_t *, FILE *); 
Modified: cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c 
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c?rev=337167&r1=337166&r2=337167&view=diff 
============================================================================== 
--- cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c (original) 
+++ cfe/trunk/test/Analysis/svalbuilder-rearrange-comparisons.c Mon Jul 16 06:14:46 2018 
@@ -560,7 +560,7 @@ void compare_same_symbol_plus_left_int_e
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(x == y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) + 1U) == (conj_$2{int})}}
 }
 void compare_same_symbol_minus_left_int_equal_unsigned() { 
@@ -569,7 +569,7 @@ void compare_same_symbol_minus_left_int_
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(x == y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) - 1U) == (conj_$2{int})}}
 }
 void compare_same_symbol_plus_right_int_equal_unsigned() { 
@@ -577,7 +577,7 @@ void compare_same_symbol_plus_right_int_
 clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(x == y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{(conj_$2{int}) == ((conj_$2{int}) + 1U)}}
 }
 void compare_same_symbol_minus_right_int_equal_unsigned() { 
@@ -585,7 +585,7 @@ void compare_same_symbol_minus_right_int
 clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(x == y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{(conj_$2{int}) == ((conj_$2{int}) - 1U)}}
 }
 void compare_same_symbol_plus_left_plus_right_int_equal_unsigned() { 
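Review bot: The new expectations in these hunks, and likewise in the hunks at 603 through 912 that follow, replace `Unknown` with dumps such as `((conj_$2{int}) + 1U) == (conj_$2{int})`, so the comparison is now represented but still not simplified, yet the `// FIXME: Can this be simplified?` marker is dropped together with the old value. The question the FIXME asked is still open — the rearrangement apparently does not fire for these unsigned comparisons — and removing it hides that gap from whoever next works on the rearrangement logic. I would keep the FIXME on each new line, e.g. `// expected-warning@-1{{((conj_$2{int}) + 1U) == (conj_$2{int})}} // FIXME: Can this be simplified?`, so the unsigned cases remain flagged as unfinished rather than looking like the intended result.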
@@ -603,7 +603,7 @@ void compare_same_symbol_plus_left_minus
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(x == y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) + 1U) == ((conj_$2{int}) - 1U)}}
 }
 void compare_same_symbol_minus_left_plus_right_int_equal_unsigned() { 
@@ -612,7 +612,7 @@ void compare_same_symbol_minus_left_plus
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(x == y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) - 1U) == ((conj_$2{int}) + 1U)}}
 }
 void compare_same_symbol_minus_left_minus_right_int_equal_unsigned() { 
@@ -710,7 +710,7 @@ void compare_same_symbol_plus_left_int_l
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(x <= y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) + 1U) <= (conj_$2{int})}}
 }
 void compare_same_symbol_minus_left_int_less_or_equal_unsigned() { 
@@ -719,7 +719,7 @@ void compare_same_symbol_minus_left_int_
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(x <= y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) - 1U) <= (conj_$2{int})}}
 }
 void compare_same_symbol_plus_right_int_less_or_equal_unsigned() { 
@@ -727,7 +727,7 @@ void compare_same_symbol_plus_right_int_
 clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(x <= y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{(conj_$2{int}) <= ((conj_$2{int}) + 1U)}}
 }
 void compare_same_symbol_minus_right_int_less_or_equal_unsigned() { 
@@ -735,7 +735,7 @@ void compare_same_symbol_minus_right_int
 clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(x <= y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{(conj_$2{int}) <= ((conj_$2{int}) - 1U)}}
 }
 void compare_same_symbol_plus_left_plus_right_int_less_or_equal_unsigned() { 
@@ -753,7 +753,7 @@ void compare_same_symbol_plus_left_minus
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(x <= y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) + 1U) <= ((conj_$2{int}) - 1U)}}
 }
 void compare_same_symbol_minus_left_plus_right_int_less_or_equal_unsigned() { 
@@ -762,7 +762,7 @@ void compare_same_symbol_minus_left_plus
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(x <= y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) - 1U) <= ((conj_$2{int}) + 1U)}}
 }
 void compare_same_symbol_minus_left_minus_right_int_less_or_equal_unsigned() { 
@@ -860,7 +860,7 @@ void compare_same_symbol_plus_left_int_l
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(x < y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) + 1U) < (conj_$2{int})}}
 }
 void compare_same_symbol_minus_left_int_less_unsigned() { 
@@ -869,7 +869,7 @@ void compare_same_symbol_minus_left_int_
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(x < y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) - 1U) < (conj_$2{int})}}
 }
 void compare_same_symbol_plus_right_int_less_unsigned() { 
@@ -877,7 +877,7 @@ void compare_same_symbol_plus_right_int_
 clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(x < y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{(conj_$2{int}) < ((conj_$2{int}) + 1U)}}
 }
 void compare_same_symbol_minus_right_int_less_unsigned() { 
@@ -885,7 +885,7 @@ void compare_same_symbol_minus_right_int
 clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(x < y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{(conj_$2{int}) < ((conj_$2{int}) - 1U)}}
 }
 void compare_same_symbol_plus_left_plus_right_int_less_unsigned() { 
@@ -903,7 +903,7 @@ void compare_same_symbol_plus_left_minus
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(x < y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) + 1U) < ((conj_$2{int}) - 1U)}}
 }
 void compare_same_symbol_minus_left_plus_right_int_less_unsigned() { 
@@ -912,7 +912,7 @@ void compare_same_symbol_minus_left_plus
 clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
 clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
 clang_analyzer_dump(x < y); 
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified? 
+ // expected-warning@-1{{((conj_$2{int}) - 1U) < ((conj_$2{int}) + 1U)}}
 }
 void compare_same_symbol_minus_left_minus_right_int_less_unsigned() { 
_______________________________________________ 
cfe-commits mailing list 
cfe-commits@lists.llvm.org 
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits