steakhal updated this revision to Diff 286318.
steakhal marked 4 inline comments as done.
steakhal retitled this revision from "[analyzer][RFC] Handle pointer difference
of ElementRegion and SymbolicRegion" to "[analyzer] Handle pointer difference
of ElementRegion and SymbolicRegion".
steakhal edited the summary of this revision.
steakhal added a comment.
- Refined documentation comments as noted.
- Added tests.
- Removed the complicated `ByteOffsetOfElement` lambda.
- Rename revision.
---
Before this patch, only these reported `Unknown` instead of the currently
expected value.
Besides that all tests passed as-is on master:
clang_analyzer_dump_int(p - p0); // expected-warning {{0 S32b}}
clang_analyzer_dump_int(p - p1); // expected-warning {{-1 S32b}}
clang_analyzer_dump_int(p - pn); // expected-warning-re {{0 -
(reg_${{[0-9]+}})}}
clang_analyzer_dump_int((p + 1) - p); // expected-warning {{1 S32b}}
// Swapped operands:
clang_analyzer_dump_int(p0 - p); // expected-warning {{0 S32b}}
clang_analyzer_dump_int(p1 - p); // expected-warning {{1 S32b}}
clang_analyzer_dump_int(pn - p); // expected-warning-re
{{reg_${{[0-9]+
clang_analyzer_dump_int(p - (p + 1)); // expected-warning {{-1 S32b}}
---
Further notes:
Element{X, n, Ty1} and Element{X, m, Ty2} should compare equal if and only if
the `n * sizeof(Ty1)` equals to `n * sizeof(Ty2)`.
However, previously it did not take the size of the types into account (there
is the corresponding FIXIT).
I'm not fixing this either for now.
The analyzer returns `Unknown` for this call:
clang_analyzer_dump_int((p + 1) - q);
However, IMO it should hold the expression 'p+1+q' instead - regardless of `p`
alias (or not) the same memory region of `p`
There is a FIXME in the testcode for this.
Repository:
rG LLVM Github Monorepo
CHANGES SINCE LAST ACTION
https://reviews.llvm.org/D84736/new/
https://reviews.llvm.org/D84736
Files:
clang/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
clang/test/Analysis/pointer-arithmetic.c
Index: clang/test/Analysis/pointer-arithmetic.c
===
--- clang/test/Analysis/pointer-arithmetic.c
+++ clang/test/Analysis/pointer-arithmetic.c
@@ -1,4 +1,9 @@
-// RUN: %clang_analyze_cc1 -analyzer-checker=core -verify %s
+// RUN: %clang_analyze_cc1 -analyzer-checker=core,debug.ExprInspection \
+// RUN: -analyzer-config eagerly-assume=false -verify %s
+
+void clang_analyzer_eval(int);
+void clang_analyzer_dump_ptr(int *);
+void clang_analyzer_dump_int(int);
int test1() {
int *p = (int *)sizeof(int);
@@ -28,3 +33,88 @@
p += 1;
return *p; // expected-warning {{Dereference of null pointer}}
}
+
+void simplify_symregion_and_elementregion_pointer_arithmetic_and_comparison(int *p, int n, int m, int *q) {
+ // 'q' is SymReg{q}
+ // 'p' is SymReg{p}
+ int *p1 = p + 1; // Element{p,1}
+ int *p0 = p1 - 1; // Element{p,0}
+ int *pn = p + n; // Element{p,n}
+ int *pm = p + m; // Element{p,m}
+
+ clang_analyzer_dump_ptr(q);
+ clang_analyzer_dump_ptr(p);
+ clang_analyzer_dump_ptr(p0);
+ clang_analyzer_dump_ptr(p1);
+ clang_analyzer_dump_ptr(pn);
+ clang_analyzer_dump_ptr(pm);
+ // expected-warning-re@-6 {{{reg_${{[0-9]+}
+ // expected-warning-re@-6 {{{reg_${{[0-9]+}
+ // expected-warning-re@-6 {{{SymRegion{reg_${{[0-9]+}}},0 S64b,int
+ // expected-warning-re@-6 {{{SymRegion{reg_${{[0-9]+}}},1 S64b,int}}}
+ // expected-warning-re@-6 {{{SymRegion{reg_${{[0-9]+}}},reg_${{[0-9]+}},int}}}
+ // expected-warning-re@-6 {{{SymRegion{reg_${{[0-9]+}}},reg_${{[0-9]+}},int}}}
+
+ // Test the equality operator:
+ clang_analyzer_eval(p == p0); // expected-warning {{TRUE}}
+ clang_analyzer_eval(p == p1); // expected-warning {{FALSE}}
+ clang_analyzer_eval(p1 == pn); // expected-warning {{UNKNOWN}}
+ clang_analyzer_eval(pn == pm); // expected-warning {{UNKNOWN}}
+
+ // Reverse operands:
+ clang_analyzer_eval(p0 == p); // expected-warning {{TRUE}}
+ clang_analyzer_eval(p1 == p); // expected-warning {{FALSE}}
+ clang_analyzer_eval(pn == p1); // expected-warning {{UNKNOWN}}
+ clang_analyzer_eval(pm == pn); // expected-warning {{UNKNOWN}}
+
+ // Test the inequality operator:
+ clang_analyzer_eval(p != p0); // expected-warning {{FALSE}}
+ clang_analyzer_eval(p != p1); // expected-warning {{TRUE}}
+ clang_analyzer_eval(p1 != pn); // expected-warning {{UNKNOWN}}
+ clang_analyzer_eval(pn != pm); // expected-warning {{UNKNOWN}}
+
+ // Reverse operands:
+ clang_analyzer_eval(p0 != p); // expected-warning {{FALSE}}
+ clang_analyzer_eval(p1 != p); // expected-warning {{TRUE}}
+ clang_analyzer_eval(pn != p1); // expected-warning {{UNKNOWN}}
+ clang_analyzer_eval(pm != pn); // expected-warning {{UNKNOWN}}
+
+ // Test the subtraction operator:
+ clang_analyzer_dump_int(p - q);// expected-warning-re {{(reg_${{[0-9]+}}) - (reg_${{[0-9]+}})}}
+ clang_analyzer_dump_int(p - p);
