c4fa05f5f7
In some cases a parent State is already infeasible, but we recognize this only if an additonal constraint is added. This patch is the first of a series to address this issue. In this patch `assumeDual` is changed to clone the parent State but with an `Infeasible` flag set, and this infeasible-parent is returned both for the true and false case. Then when we add a new transition in the exploded graph and the destination is marked as infeasible, the node will be a sink node. Related bug: https://github.com/llvm/llvm-project/issues/50883 Actually, this patch does not solve that bug in the solver, rather with this patch we can handle the general parent-infeasible cases. Next step would be to change the State API and require all checkers to use the `assume*Dual` API and deprecate the simple `assume` calls. Hopefully, the next patch will introduce `assumeInBoundDual` and will solve the CRASH we have here: https://github.com/llvm/llvm-project/issues/54272 Differential Revision: https://reviews.llvm.org/D124674
73 lines
2.9 KiB
C++
73 lines
2.9 KiB
C++
//===- ConstraintManager.cpp - Constraints on symbolic values. ------------===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
//
|
|
// This file defined the interface to manage constraints on symbolic values.
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h"
|
|
#include "clang/AST/Type.h"
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
|
|
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
|
|
|
|
using namespace clang;
|
|
using namespace ento;
|
|
|
|
ConstraintManager::~ConstraintManager() = default;
|
|
|
|
static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
|
|
SymbolRef Sym) {
|
|
const MemRegion *R =
|
|
State->getStateManager().getRegionManager().getSymbolicRegion(Sym);
|
|
return loc::MemRegionVal(R);
|
|
}
|
|
|
|
ConditionTruthVal ConstraintManager::checkNull(ProgramStateRef State,
|
|
SymbolRef Sym) {
|
|
QualType Ty = Sym->getType();
|
|
DefinedSVal V = Loc::isLocType(Ty) ? getLocFromSymbol(State, Sym)
|
|
: nonloc::SymbolVal(Sym);
|
|
const ProgramStatePair &P = assumeDual(State, V);
|
|
if (P.first && !P.second)
|
|
return ConditionTruthVal(false);
|
|
if (!P.first && P.second)
|
|
return ConditionTruthVal(true);
|
|
return {};
|
|
}
|
|
|
|
ConstraintManager::ProgramStatePair
|
|
ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {
|
|
ProgramStateRef StTrue = assume(State, Cond, true);
|
|
|
|
if (!StTrue) {
|
|
ProgramStateRef StFalse = assume(State, Cond, false);
|
|
if (LLVM_UNLIKELY(!StFalse)) { // both infeasible
|
|
ProgramStateRef StInfeasible = State->cloneAsPosteriorlyOverconstrained();
|
|
assert(StInfeasible->isPosteriorlyOverconstrained());
|
|
// Checkers might rely on the API contract that both returned states
|
|
// cannot be null. Thus, we return StInfeasible for both branches because
|
|
// it might happen that a Checker uncoditionally uses one of them if the
|
|
// other is a nullptr. This may also happen with the non-dual and
|
|
// adjacent `assume(true)` and `assume(false)` calls. By implementing
|
|
// assume in therms of assumeDual, we can keep our API contract there as
|
|
// well.
|
|
return ProgramStatePair(StInfeasible, StInfeasible);
|
|
}
|
|
return ProgramStatePair(nullptr, StFalse);
|
|
}
|
|
|
|
ProgramStateRef StFalse = assume(State, Cond, false);
|
|
if (!StFalse) {
|
|
return ProgramStatePair(StTrue, nullptr);
|
|
}
|
|
|
|
return ProgramStatePair(StTrue, StFalse);
|
|
}
|