authorMikhail R. Gadelha <mikhail.ramalho@gmail.com>2018-07-16 13:14:46 +0000
committerMikhail R. Gadelha <mikhail.ramalho@gmail.com>2018-07-16 13:14:46 +0000
commit6fda594059bd48b6b2ddcb34eda0a278aee2214e (patch)
treeb3fe7a1633c53730c07615b4c5020d55e8e65553
parent90809faeea5a4cf6c25dcff6a55a74248a7cac83 (diff)
[analyzer] Fix constraint being dropped when analyzing a program without taint tracking enabled
Summary: This patch removes the constraint dropping when taint tracking is disabled. It also avoids the crash reported in D28953 by treating a SymSymExpr with non-pointer symbols as an opaque expression. Updated the regressions and verifying the big projects now; I'll update here when they're done. Based on the discussion on the mailing list and the patches by @ddcc. Reviewers: george.karpenkov, NoQ, ddcc, baloghadamsoftware Reviewed By: george.karpenkov Subscribers: delcypher, llvm-commits, rnkovacs, xazax.hun, szepet, a.sidorin, ddcc Differential Revision: https://reviews.llvm.org/D48650 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@337167 91177308-0d34-0410-b5e6-96231b3b80d8
-rw-r--r--lib/StaticAnalyzer/Core/AnalyzerOptions.cpp2
-rw-r--r--lib/StaticAnalyzer/Core/RangedConstraintManager.cpp23
-rw-r--r--lib/StaticAnalyzer/Core/SValBuilder.cpp4
-rw-r--r--test/Analysis/PR37855.c2
-rw-r--r--test/Analysis/bitwise-ops.c5
-rw-r--r--test/Analysis/std-c-library-functions.c3
-rw-r--r--test/Analysis/svalbuilder-rearrange-comparisons.c36
7 files changed, 36 insertions, 39 deletions
diff --git a/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp b/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
index 75c22a34ea..a4abb82e2a 100644
--- a/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
+++ b/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
@@ -390,7 +390,7 @@ unsigned AnalyzerOptions::getGraphTrimInterval() {
unsigned AnalyzerOptions::getMaxSymbolComplexity() {
if (!MaxSymbolComplexity.hasValue())
- MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 10000);
+ MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 25);
return MaxSymbolComplexity.getValue();
}
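Review bot: The new default `25` in `getOptionAsInteger("max-symbol-complexity", 25)` is an unexplained constant, and it cuts a user-visible analyzer default by a factor of 400 without the commit message mentioning it. A comment above the assignment should say why this bound was chosen and what happens to expressions above it, for example `// Kept low because symbol-symbol expressions are now built even without taint tracking; larger expressions are presumably given up on as Unknown.` Anyone who tuned their analysis around the old default will see different results, so the change also belongs in the option's documentation or release notes.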
diff --git a/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp b/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
index 1499d49899..f99853f070 100644
--- a/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
+++ b/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
@@ -52,17 +52,18 @@ ProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State,
assert(BinaryOperator::isComparisonOp(Op));
// For now, we only support comparing pointers.
- assert(Loc::isLocType(SSE->getLHS()->getType()));
- assert(Loc::isLocType(SSE->getRHS()->getType()));
- QualType DiffTy = SymMgr.getContext().getPointerDiffType();
- SymbolRef Subtraction =
- SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy);
-
- const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy);
- Op = BinaryOperator::reverseComparisonOp(Op);
- if (!Assumption)
- Op = BinaryOperator::negateComparisonOp(Op);
- return assumeSymRel(State, Subtraction, Op, Zero);
+ if (Loc::isLocType(SSE->getLHS()->getType()) &&
+ Loc::isLocType(SSE->getRHS()->getType())) {
+ QualType DiffTy = SymMgr.getContext().getPointerDiffType();
+ SymbolRef Subtraction =
+ SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy);
+
+ const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy);
+ Op = BinaryOperator::reverseComparisonOp(Op);
+ if (!Assumption)
+ Op = BinaryOperator::negateComparisonOp(Op);
+ return assumeSymRel(State, Subtraction, Op, Zero);
+ }
}
// If we get here, there's nothing else we can do but treat the symbol as
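Review bot: The comment `// For now, we only support comparing pointers.` above the new `if` no longer matches the code, because a SymSymExpr with non-pointer operands is no longer rejected by an assert; it leaves the `if` and reaches the opaque-symbol path that begins at the hunk's last line. I would reword it to `// Only pointer comparisons are rewritten as a subtraction; any other SymSymExpr falls through and is treated as opaque below.` A mixed case, with only one operand of Loc type, now takes the same fallback silently, which is worth stating in that comment as well. assumeSym starts and ends outside the hunk.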
diff --git a/lib/StaticAnalyzer/Core/SValBuilder.cpp b/lib/StaticAnalyzer/Core/SValBuilder.cpp
index febe7cdb83..f292dca8e9 100644
--- a/lib/StaticAnalyzer/Core/SValBuilder.cpp
+++ b/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -379,11 +379,9 @@ SVal SValBuilder::makeSymExprValNN(ProgramStateRef State,
BinaryOperator::Opcode Op,
NonLoc LHS, NonLoc RHS,
QualType ResultTy) {
- if (!State->isTainted(RHS) && !State->isTainted(LHS))
- return UnknownVal();
-
const SymExpr *symLHS = LHS.getAsSymExpr();
const SymExpr *symRHS = RHS.getAsSymExpr();
+
// TODO: When the Max Complexity is reached, we should conjure a symbol
// instead of generating an Unknown value and propagate the taint info to it.
const unsigned MaxComp = StateMgr.getOwningEngine()
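Review bot: With the `isTainted` early return gone, the only bound left on what makeSymExprValNN builds is the MaxComp cutoff the TODO describes, and this same commit lowers that default from 10000 to 25 in AnalyzerOptions.cpp. By the TODO's own wording the cutoff produces an Unknown value without propagating taint, so with taint tracking enabled, tainted operands presumably lose their taint at a much smaller expression size than before; none of the test hunks in this commit visibly exercises that case. I would add a taint-enabled regression test at the complexity boundary, or at least extend the TODO with `// NOTE: with the default max-symbol-complexity of 25 this cutoff, and the taint loss, is reached far earlier than before.` The cutoff itself lies below the hunk, so this is inferred from the comment rather than from the code.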
diff --git a/test/Analysis/PR37855.c b/test/Analysis/PR37855.c
index 24e34c0836..0779796531 100644
--- a/test/Analysis/PR37855.c
+++ b/test/Analysis/PR37855.c
@@ -20,5 +20,5 @@ void k(l, node) {
nodep = n;
}
if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}}
- n[1].node->s; // expected-warning {{Dereference of undefined pointer value}}
+ n[1].node->s;
}
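Review bot: The `expected-warning {{Dereference of undefined pointer value}}` on `n[1].node->s;` is dropped with no explanation, so a reader cannot tell whether the analyzer now stops exploring this path or has lost a true positive. If the dereference is intentionally no longer reported, record that on the line itself, e.g. `n[1].node->s; // no-warning: <reason the dereference is not reported>`. The commit message only says the regressions were updated, so the test file is the only place this reasoning can live.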
diff --git a/test/Analysis/bitwise-ops.c b/test/Analysis/bitwise-ops.c
index 5cdb668867..fcd3d7dbc7 100644
--- a/test/Analysis/bitwise-ops.c
+++ b/test/Analysis/bitwise-ops.c
@@ -8,9 +8,8 @@ void testPersistentConstraints(int x, int y) {
CHECK(x); // expected-warning{{TRUE}}
CHECK(x & 1); // expected-warning{{TRUE}}
- // False positives due to SValBuilder giving up on certain kinds of exprs.
- CHECK(1 - x); // expected-warning{{UNKNOWN}}
- CHECK(x & y); // expected-warning{{UNKNOWN}}
+ CHECK(1 - x); // expected-warning{{TRUE}}
+ CHECK(x & y); // expected-warning{{TRUE}}
}
int testConstantShifts_PR18073(int which) {
diff --git a/test/Analysis/std-c-library-functions.c b/test/Analysis/std-c-library-functions.c
index 042b035f8b..b8eb3e54bd 100644
--- a/test/Analysis/std-c-library-functions.c
+++ b/test/Analysis/std-c-library-functions.c
@@ -57,8 +57,7 @@ void test_fread_fwrite(FILE *fp, int *buf) {
size_t y = fread(buf, sizeof(int), 10, fp);
clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
size_t z = fwrite(buf, sizeof(int), y, fp);
- // FIXME: should be TRUE once symbol-symbol constraint support is improved.
- clang_analyzer_eval(z <= y); // expected-warning{{UNKNOWN}}
+ clang_analyzer_eval(z <= y); // expected-warning{{TRUE}}
}
ssize_t getline(char **, size_t *, FILE *);
diff --git a/test/Analysis/svalbuilder-rearrange-comparisons.c b/test/Analysis/svalbuilder-rearrange-comparisons.c
index 720144c38a..2303ce693c 100644
--- a/test/Analysis/svalbuilder-rearrange-comparisons.c
+++ b/test/Analysis/svalbuilder-rearrange-comparisons.c
@@ -560,7 +560,7 @@ void compare_same_symbol_plus_left_int_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(x == y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) + 1U) == (conj_$2{int})}}
}
void compare_same_symbol_minus_left_int_equal_unsigned() {
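Review bot: The `// FIXME: Can this be simplified?` marker is removed from this expectation, but the new expected dump `((conj_$2{int}) + 1U) == (conj_$2{int})` is still an unsimplified comparison of a symbol against itself plus a constant, so the question it asked looks to be still open. I would keep the marker on the new line: `// expected-warning@-1{{((conj_$2{int}) + 1U) == (conj_$2{int})}} // FIXME: Can this be simplified?`. The same applies to every other hunk in this file that replaces `{{Unknown}}` with a symbolic expression, that is the remaining `==` cases and all of the `<=` and `<` cases.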
@@ -569,7 +569,7 @@ void compare_same_symbol_minus_left_int_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(x == y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) - 1U) == (conj_$2{int})}}
}
void compare_same_symbol_plus_right_int_equal_unsigned() {
@@ -577,7 +577,7 @@ void compare_same_symbol_plus_right_int_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(x == y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{(conj_$2{int}) == ((conj_$2{int}) + 1U)}}
}
void compare_same_symbol_minus_right_int_equal_unsigned() {
@@ -585,7 +585,7 @@ void compare_same_symbol_minus_right_int_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(x == y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{(conj_$2{int}) == ((conj_$2{int}) - 1U)}}
}
void compare_same_symbol_plus_left_plus_right_int_equal_unsigned() {
@@ -603,7 +603,7 @@ void compare_same_symbol_plus_left_minus_right_int_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(x == y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) + 1U) == ((conj_$2{int}) - 1U)}}
}
void compare_same_symbol_minus_left_plus_right_int_equal_unsigned() {
@@ -612,7 +612,7 @@ void compare_same_symbol_minus_left_plus_right_int_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(x == y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) - 1U) == ((conj_$2{int}) + 1U)}}
}
void compare_same_symbol_minus_left_minus_right_int_equal_unsigned() {
@@ -710,7 +710,7 @@ void compare_same_symbol_plus_left_int_less_or_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(x <= y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) + 1U) <= (conj_$2{int})}}
}
void compare_same_symbol_minus_left_int_less_or_equal_unsigned() {
@@ -719,7 +719,7 @@ void compare_same_symbol_minus_left_int_less_or_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(x <= y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) - 1U) <= (conj_$2{int})}}
}
void compare_same_symbol_plus_right_int_less_or_equal_unsigned() {
@@ -727,7 +727,7 @@ void compare_same_symbol_plus_right_int_less_or_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(x <= y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{(conj_$2{int}) <= ((conj_$2{int}) + 1U)}}
}
void compare_same_symbol_minus_right_int_less_or_equal_unsigned() {
@@ -735,7 +735,7 @@ void compare_same_symbol_minus_right_int_less_or_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(x <= y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{(conj_$2{int}) <= ((conj_$2{int}) - 1U)}}
}
void compare_same_symbol_plus_left_plus_right_int_less_or_equal_unsigned() {
@@ -753,7 +753,7 @@ void compare_same_symbol_plus_left_minus_right_int_less_or_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(x <= y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) + 1U) <= ((conj_$2{int}) - 1U)}}
}
void compare_same_symbol_minus_left_plus_right_int_less_or_equal_unsigned() {
@@ -762,7 +762,7 @@ void compare_same_symbol_minus_left_plus_right_int_less_or_equal_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(x <= y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) - 1U) <= ((conj_$2{int}) + 1U)}}
}
void compare_same_symbol_minus_left_minus_right_int_less_or_equal_unsigned() {
@@ -860,7 +860,7 @@ void compare_same_symbol_plus_left_int_less_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(x < y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) + 1U) < (conj_$2{int})}}
}
void compare_same_symbol_minus_left_int_less_unsigned() {
@@ -869,7 +869,7 @@ void compare_same_symbol_minus_left_int_less_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(x < y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) - 1U) < (conj_$2{int})}}
}
void compare_same_symbol_plus_right_int_less_unsigned() {
@@ -877,7 +877,7 @@ void compare_same_symbol_plus_right_int_less_unsigned() {
clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(x < y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{(conj_$2{int}) < ((conj_$2{int}) + 1U)}}
}
void compare_same_symbol_minus_right_int_less_unsigned() {
@@ -885,7 +885,7 @@ void compare_same_symbol_minus_right_int_less_unsigned() {
clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(x < y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{(conj_$2{int}) < ((conj_$2{int}) - 1U)}}
}
void compare_same_symbol_plus_left_plus_right_int_less_unsigned() {
@@ -903,7 +903,7 @@ void compare_same_symbol_plus_left_minus_right_int_less_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(x < y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) + 1U) < ((conj_$2{int}) - 1U)}}
}
void compare_same_symbol_minus_left_plus_right_int_less_unsigned() {
@@ -912,7 +912,7 @@ void compare_same_symbol_minus_left_plus_right_int_less_unsigned() {
clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
clang_analyzer_dump(x < y);
- // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+ // expected-warning@-1{{((conj_$2{int}) - 1U) < ((conj_$2{int}) + 1U)}}
}
void compare_same_symbol_minus_left_minus_right_int_less_unsigned() {