File: infeasible-sink.c

package info (click to toggle)
llvm-toolchain-15 1%3A15.0.6-4
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 1,554,644 kB
  • sloc: cpp: 5,922,452; ansic: 1,012,136; asm: 674,362; python: 191,568; objc: 73,855; f90: 42,327; lisp: 31,913; pascal: 11,973; javascript: 10,144; sh: 9,421; perl: 7,447; ml: 5,527; awk: 3,523; makefile: 2,520; xml: 885; cs: 573; fortran: 567
file content (80 lines) | stat: -rw-r--r-- 2,349 bytes parent folder | download | duplicates (9) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
 
// RUN: %clang_analyze_cc1 %s \
// RUN:   -analyzer-checker=core \
// RUN:   -analyzer-checker=debug.ExprInspection \
// RUN:   -analyzer-config eagerly-assume=false \
// RUN:   -verify

// Here we test that if it turns out that the parent state is infeasible then
// both children States (more precisely the ExplodedNodes) are marked as a
// Sink.
// We rely on existing defects of the underlying constraint solver. However,
// in the future we might strengthen the solver to discover the infeasibility
// right when we create the parent state. At that point some of these tests
// will fail, and either we shall find another solver weakness to have the test
// case functioning, or we shall simply remove that.

void clang_analyzer_warnIfReached();
void clang_analyzer_eval(int);

void test1(int x) {
  if (x * x != 4)
    return;
  if (x < 0 || x > 1)
    return;

  // { x^2 == 4 and x:[0,1] }
  // This state is already infeasible.

  // Perfectly constraining 'x' will trigger constant folding,
  // when we realize we were already infeasible.
  // The same happens for the 'else' branch.
  if (x == 0) {
    clang_analyzer_warnIfReached(); // no-warning
  } else {
    clang_analyzer_warnIfReached(); // no-warning
  }
  clang_analyzer_warnIfReached(); // no-warning
  (void)x;
}

int a, b, c, d, e;
void test2() {

  if (a == 0)
    return;

  if (e != c)
    return;

  d = e - c;
  b = d;
  a -= d;

  if (a != 0)
    return;

  clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}

  /* The BASELINE passes these checks ('wrning' is used to avoid lit to match)
  // The parent state is already infeasible, look at this contradiction:
  clang_analyzer_eval(b > 0);  // expected-wrning{{FALSE}}
  clang_analyzer_eval(b <= 0); // expected-wrning{{FALSE}}
  // Crashes with expensive checks.
  if (b > 0) {
    clang_analyzer_warnIfReached(); // no-warning, OK
    return;
  }
  // Should not be reachable.
  clang_analyzer_warnIfReached(); // expected-wrning{{REACHABLE}}
  */

  // The parent state is already infeasible, but we realize that only if b is
  // constrained.
  clang_analyzer_eval(b > 0);  // expected-warning{{UNKNOWN}}
  clang_analyzer_eval(b <= 0); // expected-warning{{UNKNOWN}}
  if (b > 0) {
    clang_analyzer_warnIfReached(); // no-warning
    return;
  }
  clang_analyzer_warnIfReached(); // no-warning
}