[analyzer] Fix constraint being dropped when analyzing a program with…

…out taint tracking enabled Summary: This patch removes the constraint dropping when taint tracking is disabled. It also voids the crash reported in D28953 by treating a SymSymExpr with non pointer symbols as an opaque expression. Updated the regressions and verifying the big projects now; I'll update here when they're done. Based on the discussion on the mailing list and the patches by @ddcc. Reviewers: george.karpenkov, NoQ, ddcc, baloghadamsoftware Reviewed By: george.karpenkov Subscribers: delcypher, llvm-commits, rnkovacs, xazax.hun, szepet, a.sidorin, ddcc Differential Revision: https://reviews.llvm.org/D48650 llvm-svn: 337167
llvm · Jul 16, 2018 · e254b0f · e254b0f
1 parent de50663
commit e254b0f
Show file tree

Hide file tree

Showing 7 changed files with 36 additions and 39 deletions.
diff --git a/clang/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp b/clang/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
@@ -390,7 +390,7 @@ unsigned AnalyzerOptions::getGraphTrimInterval() {
 
 unsigned AnalyzerOptions::getMaxSymbolComplexity() {
   if (!MaxSymbolComplexity.hasValue())
-    MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 10000);
+    MaxSymbolComplexity = getOptionAsInteger("max-symbol-complexity", 25);
   return MaxSymbolComplexity.getValue();
 }
 

diff --git a/clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp b/clang/lib/StaticAnalyzer/Core/RangedConstraintManager.cpp
@@ -52,17 +52,18 @@ ProgramStateRef RangedConstraintManager::assumeSym(ProgramStateRef State,
     assert(BinaryOperator::isComparisonOp(Op));
 
     // For now, we only support comparing pointers.
-    assert(Loc::isLocType(SSE->getLHS()->getType()));
-    assert(Loc::isLocType(SSE->getRHS()->getType()));
-    QualType DiffTy = SymMgr.getContext().getPointerDiffType();
-    SymbolRef Subtraction =
-        SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy);
-
-    const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy);
-    Op = BinaryOperator::reverseComparisonOp(Op);
-    if (!Assumption)
-      Op = BinaryOperator::negateComparisonOp(Op);
-    return assumeSymRel(State, Subtraction, Op, Zero);
+    if (Loc::isLocType(SSE->getLHS()->getType()) &&
+        Loc::isLocType(SSE->getRHS()->getType())) {
+      QualType DiffTy = SymMgr.getContext().getPointerDiffType();
+      SymbolRef Subtraction =
+          SymMgr.getSymSymExpr(SSE->getRHS(), BO_Sub, SSE->getLHS(), DiffTy);
+
+      const llvm::APSInt &Zero = getBasicVals().getValue(0, DiffTy);
+      Op = BinaryOperator::reverseComparisonOp(Op);
+      if (!Assumption)
+        Op = BinaryOperator::negateComparisonOp(Op);
+      return assumeSymRel(State, Subtraction, Op, Zero);
+    }
   }
 
   // If we get here, there's nothing else we can do but treat the symbol as

diff --git a/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp b/clang/lib/StaticAnalyzer/Core/SValBuilder.cpp
@@ -379,11 +379,9 @@ SVal SValBuilder::makeSymExprValNN(ProgramStateRef State,
                                    BinaryOperator::Opcode Op,
                                    NonLoc LHS, NonLoc RHS,
                                    QualType ResultTy) {
-  if (!State->isTainted(RHS) && !State->isTainted(LHS))
-    return UnknownVal();
-
   const SymExpr *symLHS = LHS.getAsSymExpr();
   const SymExpr *symRHS = RHS.getAsSymExpr();
+
   // TODO: When the Max Complexity is reached, we should conjure a symbol
   // instead of generating an Unknown value and propagate the taint info to it.
   const unsigned MaxComp = StateMgr.getOwningEngine()

diff --git a/clang/test/Analysis/PR37855.c b/clang/test/Analysis/PR37855.c
@@ -20,5 +20,5 @@ void k(l, node) {
     nodep = n;
   }
   if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}}
-    n[1].node->s; // expected-warning {{Dereference of undefined pointer value}}
+    n[1].node->s;
 }
diff --git a/clang/test/Analysis/bitwise-ops.c b/clang/test/Analysis/bitwise-ops.c
@@ -8,9 +8,8 @@ void testPersistentConstraints(int x, int y) {
   CHECK(x); // expected-warning{{TRUE}}
   CHECK(x & 1); // expected-warning{{TRUE}}
 
-  // False positives due to SValBuilder giving up on certain kinds of exprs.
-  CHECK(1 - x); // expected-warning{{UNKNOWN}}
-  CHECK(x & y); // expected-warning{{UNKNOWN}}
+  CHECK(1 - x); // expected-warning{{TRUE}}
+  CHECK(x & y); // expected-warning{{TRUE}}
 }
 
 int testConstantShifts_PR18073(int which) {

diff --git a/clang/test/Analysis/std-c-library-functions.c b/clang/test/Analysis/std-c-library-functions.c
@@ -57,8 +57,7 @@ void test_fread_fwrite(FILE *fp, int *buf) {
   size_t y = fread(buf, sizeof(int), 10, fp);
   clang_analyzer_eval(y <= 10); // expected-warning{{TRUE}}
   size_t z = fwrite(buf, sizeof(int), y, fp);
-  // FIXME: should be TRUE once symbol-symbol constraint support is improved.
-  clang_analyzer_eval(z <= y); // expected-warning{{UNKNOWN}}
+  clang_analyzer_eval(z <= y); // expected-warning{{TRUE}}
 }
 
 ssize_t getline(char **, size_t *, FILE *);

diff --git a/clang/test/Analysis/svalbuilder-rearrange-comparisons.c b/clang/test/Analysis/svalbuilder-rearrange-comparisons.c
@@ -560,7 +560,7 @@ void compare_same_symbol_plus_left_int_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x == y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) + 1U) == (conj_$2{int})}}
 }
 
 void compare_same_symbol_minus_left_int_equal_unsigned() {
@@ -569,23 +569,23 @@ void compare_same_symbol_minus_left_int_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x == y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) - 1U) == (conj_$2{int})}}
 }
 
 void compare_same_symbol_plus_right_int_equal_unsigned() {
   unsigned x = f(), y = x+1;
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{(conj_$2{int}) == ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_right_int_equal_unsigned() {
   unsigned x = f(), y = x-1;
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{(conj_$2{int}) == ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_plus_left_plus_right_int_equal_unsigned() {
@@ -603,7 +603,7 @@ void compare_same_symbol_plus_left_minus_right_int_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) + 1U) == ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_minus_left_plus_right_int_equal_unsigned() {
@@ -612,7 +612,7 @@ void compare_same_symbol_minus_left_plus_right_int_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x == y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) - 1U) == ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_left_minus_right_int_equal_unsigned() {
@@ -710,7 +710,7 @@ void compare_same_symbol_plus_left_int_less_or_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x <= y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) + 1U) <= (conj_$2{int})}}
 }
 
 void compare_same_symbol_minus_left_int_less_or_equal_unsigned() {
@@ -719,23 +719,23 @@ void compare_same_symbol_minus_left_int_less_or_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x <= y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) - 1U) <= (conj_$2{int})}}
 }
 
 void compare_same_symbol_plus_right_int_less_or_equal_unsigned() {
   unsigned x = f(), y = x+1;
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{(conj_$2{int}) <= ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_right_int_less_or_equal_unsigned() {
   unsigned x = f(), y = x-1;
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{(conj_$2{int}) <= ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_plus_left_plus_right_int_less_or_equal_unsigned() {
@@ -753,7 +753,7 @@ void compare_same_symbol_plus_left_minus_right_int_less_or_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) + 1U) <= ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_minus_left_plus_right_int_less_or_equal_unsigned() {
@@ -762,7 +762,7 @@ void compare_same_symbol_minus_left_plus_right_int_less_or_equal_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x <= y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) - 1U) <= ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_left_minus_right_int_less_or_equal_unsigned() {
@@ -860,7 +860,7 @@ void compare_same_symbol_plus_left_int_less_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x < y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) + 1U) < (conj_$2{int})}}
 }
 
 void compare_same_symbol_minus_left_int_less_unsigned() {
@@ -869,23 +869,23 @@ void compare_same_symbol_minus_left_int_less_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(x < y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) - 1U) < (conj_$2{int})}}
 }
 
 void compare_same_symbol_plus_right_int_less_unsigned() {
   unsigned x = f(), y = x+1;
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{(conj_$2{int}) < ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_right_int_less_unsigned() {
   unsigned x = f(), y = x-1;
   clang_analyzer_dump(x); // expected-warning{{conj_$2{int}}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{(conj_$2{int}) < ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_plus_left_plus_right_int_less_unsigned() {
@@ -903,7 +903,7 @@ void compare_same_symbol_plus_left_minus_right_int_less_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) + 1U) < ((conj_$2{int}) - 1U)}}
 }
 
 void compare_same_symbol_minus_left_plus_right_int_less_unsigned() {
@@ -912,7 +912,7 @@ void compare_same_symbol_minus_left_plus_right_int_less_unsigned() {
   clang_analyzer_dump(x); // expected-warning{{(conj_$2{int}) - 1}}
   clang_analyzer_dump(y); // expected-warning{{(conj_$2{int}) + 1}}
   clang_analyzer_dump(x < y);
-  // expected-warning@-1{{Unknown}} // FIXME: Can this be simplified?
+  // expected-warning@-1{{((conj_$2{int}) - 1U) < ((conj_$2{int}) + 1U)}}
 }
 
 void compare_same_symbol_minus_left_minus_right_int_less_unsigned() {