From 53ac1a2ed44ca7711f8872d857be0c2e4152af17 Mon Sep 17 00:00:00 2001 From: "Mikhail R. Gadelha" Date: Thu, 28 Jun 2018 21:26:52 +0000 Subject: [PATCH] [analyzer] Fix wrong comparison generation of the ranges generated by the refutation manager The refutation manager is removing a true bug from the test in this patch. The problem is that the following constraint: ``` (conj_$1{struct o *}) - (reg_$3): [-9223372036854775808, 0] ``` is encoded as: ``` (and (bvuge (bvsub $1 $3) #x8000000000000000) (bvule (bvsub $1 $3) #x0000000000000000)) ``` The issue is that unsigned comparisons (bvuge and bvule) are being generated instead of signed comparisons (bvsge and bvsle). When generating the expressions: ``` (conj_$1{p *}) - (reg_$3) >= -9223372036854775808 ``` and ``` (conj_$1{p *}) - (reg_$3) <= 0 ``` both -9223372036854775808 and 0 are casted to pointer type and `LTy->isSignedIntegerOrEnumerationType()` in `Z3ConstraintManager::getZ3BinExpr` only checks if the type is signed, not if it's a pointer. Reviewers: NoQ, george.karpenkov, ddcc Subscribers: rnkovacs, NoQ, george.karpenkov, ddcc, xazax.hun, szepet, a.sidorin Differential Revision: https://reviews.llvm.org/D48324 llvm-svn: 335926 --- .../StaticAnalyzer/Core/Z3ConstraintManager.cpp | 5 ++--- clang/test/PR37855.c | 24 ++++++++++++++++++++++ 2 files changed, 26 insertions(+), 3 deletions(-) create mode 100644 clang/test/PR37855.c diff --git a/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp b/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp index a47b7a2..9e97567 100644 --- a/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp +++ b/clang/lib/StaticAnalyzer/Core/Z3ConstraintManager.cpp @@ -1414,9 +1414,8 @@ Z3Expr Z3ConstraintManager::getZ3BinExpr(const Z3Expr &LHS, QualType LTy, // If the two operands are pointers and the operation is a subtraction, the // result is of type ptrdiff_t, which is signed - if (LTy->isAnyPointerType() && LTy == RTy && Op == BO_Sub) { - ASTContext &Ctx = getBasicVals().getContext(); - *RetTy = Ctx.getIntTypeForBitwidth(Ctx.getTypeSize(LTy), true); + if (LTy->isAnyPointerType() && RTy->isAnyPointerType() && Op == BO_Sub) { + *RetTy = getBasicVals().getContext().getPointerDiffType(); } } diff --git a/clang/test/PR37855.c b/clang/test/PR37855.c new file mode 100644 index 0000000..24e34c0 --- /dev/null +++ b/clang/test/PR37855.c @@ -0,0 +1,24 @@ +// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -DNO_CROSSCHECK -verify %s +// RUN: %clang_cc1 -analyze -analyzer-eagerly-assume -analyzer-checker=core -w -analyzer-config crosscheck-with-z3=true -verify %s +// REQUIRES: z3 + +typedef struct o p; +struct o { + struct { + } s; +}; + +void q(*r, p2) { r < p2; } + +void k(l, node) { + struct { + p *node; + } * n, *nodep, path[sizeof(void)]; + path->node = l; + for (n = path; node != l;) { + q(node, n->node); + nodep = n; + } + if (nodep) // expected-warning {{Branch condition evaluates to a garbage value}} + n[1].node->s; // expected-warning {{Dereference of undefined pointer value}} +} -- 2.7.4