maxjhandsome
/
llvm-project
forked from OSchip/llvm-project
1
0
Fork 0
Code Issues Pull Requests Packages Releases Wiki Activity

[analyzer] Fix wrong comparison generation of the ranges generated by the refutation manager 

The refutation manager is removing a true bug from the test in this patch.

The problem is that the following constraint:
```
(conj_$1{struct o *}) - (reg_$3<int * r>): [-9223372036854775808, 0]
```
is encoded as:
```
(and (bvuge (bvsub $1 $3) #x8000000000000000)
     (bvule (bvsub $1 $3) #x0000000000000000))
```
The issue is that unsigned comparisons (bvuge and bvule) are being generated instead of signed comparisons (bvsge and bvsle).

When generating the expressions:
```
(conj_$1{p *}) - (reg_$3<int * r>) >= -9223372036854775808
```
and
```
(conj_$1{p *}) - (reg_$3<int * r>) <= 0
```
both -9223372036854775808 and 0 are casted to pointer type and `LTy->isSignedIntegerOrEnumerationType()` in `Z3ConstraintManager::getZ3BinExpr` only checks if the type is signed, not if it's a pointer.

Reviewers: NoQ, george.karpenkov, ddcc

Subscribers: rnkovacs, NoQ, george.karpenkov, ddcc, xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D48324

llvm-svn: 335926
This commit is contained in:
Mikhail R. Gadelha 2018-06-28 21:26:52 +00:00
parent aadb254a79
commit 53ac1a2ed4
2 changed files with 26 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp
View File

@ -1414,9 +1414,8 @@ Z3Expr Z3ConstraintManager::getZ3BinExpr(const Z3Expr &LHS, QualType LTy,
// If the two operands are pointers and the operation is a subtraction, the
// result is of type ptrdiff_t, which is signed
if (LTy->isAnyPointerType() && LTy == RTy && Op == BO_Sub) {
ASTContext &Ctx = getBasicVals().getContext();
*RetTy = Ctx.getIntTypeForBitwidth(Ctx.getTypeSize(LTy), true);
if (LTy->isAnyPointerType() && RTy->isAnyPointerType() && Op == BO_Sub) {
*RetTy = getBasicVals().getContext().getPointerDiffType();
}
}

24
clang/test/PR37855.c Normal file
View File

@ -0,0 +1,24 @@
// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -DNO_CROSSCHECK -verify %s
// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -analyzer-config crosscheck-with-z3=true -verify %s
// REQUIRES: z3
typedef struct o p;
struct o {
struct {
} s;
};
void q(*r, p2) { r < p2; }
void k(l, node) {
struct {
p *node;
} * n, *nodep, path[sizeof(void)];
path->node = l;
for (n = path; node != l;) {
q(node, n->node);
nodep = n;
}
if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}}
n[1].node->s; // expected-warning {{Dereference of undefined pointer value}}
}