================
@@ -50,6 +101,44 @@ class BuiltinFunctionChecker : public Checker<eval::Call> {
} // namespace
+void BuiltinFunctionChecker::HandleOverflowBuiltin(const CallEvent &Call,
+ CheckerContext &C,
+ BinaryOperator::Opcode Op,
+ QualType ResultType) const {
+ // All __builtin_*_overflow functions take 3 argumets.
+ assert(Call.getNumArgs() == 3);
+
+ ProgramStateRef State = C.getState();
+ SValBuilder &SVB = C.getSValBuilder();
+ const Expr *CE = Call.getOriginExpr();
+
+ SVal Arg1 = Call.getArgSVal(0);
+ SVal Arg2 = Call.getArgSVal(1);
+
+ SVal RetVal = SVB.evalBinOp(State, Op, Arg1, Arg2, ResultType);
+
+ // TODO: Handle overflows with values that known to overflow. Like INT_MAX +
1
+ // should not produce state for non-overflow case and threat it as
----------------
steakhal wrote:
evalBinOp models wrapping semantics - even for signed arithmetic (where it
would be UB).
We don't have a similar evaluation model (operating on symbolic values, aka.
SVals) which operates with mathematical (non-wrapping) semantics. This is
unfortunate.
Initially I wanted to recommend `SVB.getKnownValue(State, Val)`, but I believe
it's not too likely that one would use `malloc` with two concrete int params.
So this wouldn't really enable many use-cases.
I can agree with @NagyDonat, about using `getMinValue` and friends. That would
enable us using the constraints we have in the State, and unlock symbolic cases.
https://github.com/llvm/llvm-project/pull/102602
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
