[analyzer] Fix wrong comparison generation of the ranges generated by the refutation manager
The refutation manager is removing a true bug from the test in this patch.
The problem is that the following constraint:
```
(conj_$1{struct o *}) - (reg_$3<int * r>): [-9223372036854775808, 0]
```
is encoded as:
```
(and (bvuge (bvsub $1 $3) #x8000000000000000)
(bvule (bvsub $1 $3) #x0000000000000000))
```
The issue is that unsigned comparisons (bvuge and bvule) are being generated instead of signed comparisons (bvsge and bvsle).
When generating the expressions:
```
(conj_$1{p *}) - (reg_$3<int * r>) >= -9223372036854775808
```
and
```
(conj_$1{p *}) - (reg_$3<int * r>) <= 0
```
both -9223372036854775808 and 0 are casted to pointer type and `LTy->isSignedIntegerOrEnumerationType()` in `Z3ConstraintManager::getZ3BinExpr` only checks if the type is signed, not if it's a pointer.
Reviewers: NoQ, george.karpenkov, ddcc
Subscribers: rnkovacs, NoQ, george.karpenkov, ddcc, xazax.hun, szepet, a.sidorin
Differential Revision: https://reviews.llvm.org/D48324
llvm-svn: 335926
2018-06-29 05:26:52 +08:00
|
|
|
// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -DNO_CROSSCHECK -verify %s
|
|
|
|
// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -analyzer-config crosscheck-with-z3=true -verify %s
|
|
|
|
// REQUIRES: z3
|
|
|
|
|
|
|
|
typedef struct o p;
|
|
|
|
struct o {
|
|
|
|
struct {
|
|
|
|
} s;
|
|
|
|
};
|
|
|
|
|
|
|
|
void q(*r, p2) { r < p2; }
|
|
|
|
|
|
|
|
void k(l, node) {
|
|
|
|
struct {
|
|
|
|
p *node;
|
|
|
|
} * n, *nodep, path[sizeof(void)];
|
|
|
|
path->node = l;
|
|
|
|
for (n = path; node != l;) {
|
|
|
|
q(node, n->node);
|
|
|
|
nodep = n;
|
|
|
|
}
|
|
|
|
if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}}
|
2018-07-16 21:14:46 +08:00
|
|
|
n[1].node->s;
|
[analyzer] Fix wrong comparison generation of the ranges generated by the refutation manager
The refutation manager is removing a true bug from the test in this patch.
The problem is that the following constraint:
```
(conj_$1{struct o *}) - (reg_$3<int * r>): [-9223372036854775808, 0]
```
is encoded as:
```
(and (bvuge (bvsub $1 $3) #x8000000000000000)
(bvule (bvsub $1 $3) #x0000000000000000))
```
The issue is that unsigned comparisons (bvuge and bvule) are being generated instead of signed comparisons (bvsge and bvsle).
When generating the expressions:
```
(conj_$1{p *}) - (reg_$3<int * r>) >= -9223372036854775808
```
and
```
(conj_$1{p *}) - (reg_$3<int * r>) <= 0
```
both -9223372036854775808 and 0 are casted to pointer type and `LTy->isSignedIntegerOrEnumerationType()` in `Z3ConstraintManager::getZ3BinExpr` only checks if the type is signed, not if it's a pointer.
Reviewers: NoQ, george.karpenkov, ddcc
Subscribers: rnkovacs, NoQ, george.karpenkov, ddcc, xazax.hun, szepet, a.sidorin
Differential Revision: https://reviews.llvm.org/D48324
llvm-svn: 335926
2018-06-29 05:26:52 +08:00
|
|
|
}
|