clang 22.0.0git
Z3CrosscheckVisitor.cpp
Go to the documentation of this file.
1//===- Z3CrosscheckVisitor.cpp - Crosscheck reports with Z3 -----*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file declares the visitor and utilities around it for Z3 report
10// refutation.
11//
12//===----------------------------------------------------------------------===//
13
14#include "clang/StaticAnalyzer/Core/BugReporter/Z3CrosscheckVisitor.h"
15#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
16#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
17#include "clang/StaticAnalyzer/Core/PathSensitive/EntryPointStats.h"
18#include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h"
19#include "llvm/Support/SMTAPI.h"
20#include "llvm/Support/Timer.h"
21
22#define DEBUG_TYPE "Z3CrosscheckOracle"
23
24// Queries attempted at most `Z3CrosscheckMaxAttemptsPerQuery` number of times.
25// Multiple `check()` calls might be called on the same query if previous
26// attempts of the same query resulted in UNSAT for any reason. Each query is
27// only counted once for these statistics, the retries are not accounted for.
28STAT_COUNTER(NumZ3QueriesDone, "Number of Z3 queries done");
29STAT_COUNTER(NumTimesZ3TimedOut, "Number of times Z3 query timed out");
30STAT_COUNTER(NumTimesZ3ExhaustedRLimit,
31 "Number of times Z3 query exhausted the rlimit");
32STAT_COUNTER(
33 NumTimesZ3SpendsTooMuchTimeOnASingleEQClass,
34 "Number of times report equivalenece class was cut because it spent "
35 "too much time in Z3");
36
37STAT_COUNTER(NumTimesZ3QueryAcceptsReport,
38 "Number of Z3 queries accepting a report");
39STAT_COUNTER(NumTimesZ3QueryRejectReport,
40 "Number of Z3 queries rejecting a report");
41STAT_COUNTER(NumTimesZ3QueryRejectEQClass,
42 "Number of times rejecting an report equivalenece class");
43
44STAT_COUNTER(TimeSpentSolvingZ3Queries,
45 "Total time spent solving Z3 queries excluding retries");
46STAT_MAX(MaxTimeSpentSolvingZ3Queries,
47 "Max time spent solving a Z3 query excluding retries");
48
49using namespace clang;
50using namespace ento;
51
52Z3CrosscheckVisitor::Z3CrosscheckVisitor(Z3CrosscheckVisitor::Z3Result &Result,
53 const AnalyzerOptions &Opts)
54 : Constraints(ConstraintMap::Factory().getEmptyMap()), Result(Result),
55 Opts(Opts) {}
56
57void Z3CrosscheckVisitor::finalizeVisitor(BugReporterContext &BRC,
58 const ExplodedNode *EndPathNode,
59 PathSensitiveBugReport &BR) {
60 // Collect new constraints
61 addConstraints(EndPathNode, /*OverwriteConstraintsOnExistingSyms=*/true);
62
63 // Create a refutation manager
64 llvm::SMTSolverRef RefutationSolver = llvm::CreateZ3Solver();
65 if (Opts.Z3CrosscheckRLimitThreshold)
66 RefutationSolver->setUnsignedParam("rlimit",
67 Opts.Z3CrosscheckRLimitThreshold);
68 if (Opts.Z3CrosscheckTimeoutThreshold)
69 RefutationSolver->setUnsignedParam("timeout",
70 Opts.Z3CrosscheckTimeoutThreshold); // ms
71
72 ASTContext &Ctx = BRC.getASTContext();
73
74 // Add constraints to the solver
75 for (const auto &[Sym, Range] : Constraints) {
76 auto RangeIt = Range.begin();
77
78 llvm::SMTExprRef SMTConstraints = SMTConv::getRangeExpr(
79 RefutationSolver, Ctx, Sym, RangeIt->From(), RangeIt->To(),
80 /*InRange=*/true);
81 while ((++RangeIt) != Range.end()) {
82 SMTConstraints = RefutationSolver->mkOr(
83 SMTConstraints, SMTConv::getRangeExpr(RefutationSolver, Ctx, Sym,
84 RangeIt->From(), RangeIt->To(),
85 /*InRange=*/true));
86 }
87 RefutationSolver->addConstraint(SMTConstraints);
88 }
89
90 auto GetUsedRLimit = [](const llvm::SMTSolverRef &Solver) {
91 return Solver->getStatistics()->getUnsigned("rlimit count");
92 };
93
94 auto AttemptOnce = [&](const llvm::SMTSolverRef &Solver) -> Z3Result {
95 auto getCurrentTime = llvm::TimeRecord::getCurrentTime;
96 unsigned InitialRLimit = GetUsedRLimit(Solver);
97 double Start = getCurrentTime(/*Start=*/true).getWallTime();
98 std::optional<bool> IsSAT = Solver->check();
99 double End = getCurrentTime(/*Start=*/false).getWallTime();
100 return {
101 IsSAT,
102 static_cast<unsigned>((End - Start) * 1000),
103 GetUsedRLimit(Solver) - InitialRLimit,
104 };
105 };
106
107 // And check for satisfiability
108 unsigned MinQueryTimeAcrossAttempts = std::numeric_limits<unsigned>::max();
109 for (unsigned I = 0; I < Opts.Z3CrosscheckMaxAttemptsPerQuery; ++I) {
110 Result = AttemptOnce(RefutationSolver);
111 Result.Z3QueryTimeMilliseconds =
112 std::min(MinQueryTimeAcrossAttempts, Result.Z3QueryTimeMilliseconds);
113 if (Result.IsSAT.has_value())
114 return;
115 }
116}
117
118void Z3CrosscheckVisitor::addConstraints(
119 const ExplodedNode *N, bool OverwriteConstraintsOnExistingSyms) {
120 // Collect new constraints
121 ConstraintMap NewCs = getConstraintMap(N->getState());
122 ConstraintMap::Factory &CF = N->getState()->get_context<ConstraintMap>();
123
124 // Add constraints if we don't have them yet
125 for (auto const &[Sym, Range] : NewCs) {
126 if (!Constraints.contains(Sym)) {
127 // This symbol is new, just add the constraint.
128 Constraints = CF.add(Constraints, Sym, Range);
129 } else if (OverwriteConstraintsOnExistingSyms) {
130 // Overwrite the associated constraint of the Symbol.
131 Constraints = CF.remove(Constraints, Sym);
132 Constraints = CF.add(Constraints, Sym, Range);
133 }
134 }
135}
136
137PathDiagnosticPieceRef
138Z3CrosscheckVisitor::VisitNode(const ExplodedNode *N, BugReporterContext &,
139 PathSensitiveBugReport &) {
140 addConstraints(N, /*OverwriteConstraintsOnExistingSyms=*/false);
141 return nullptr;
142}
143
144void Z3CrosscheckVisitor::Profile(llvm::FoldingSetNodeID &ID) const {
145 static int Tag = 0;
146 ID.AddPointer(&Tag);
147}
148
149Z3CrosscheckOracle::Z3Decision Z3CrosscheckOracle::interpretQueryResult(
150 const Z3CrosscheckVisitor::Z3Result &Query) {
151 ++NumZ3QueriesDone;
152 AccumulatedZ3QueryTimeInEqClass += Query.Z3QueryTimeMilliseconds;
153 TimeSpentSolvingZ3Queries += Query.Z3QueryTimeMilliseconds;
154 MaxTimeSpentSolvingZ3Queries.updateMax(Query.Z3QueryTimeMilliseconds);
155
156 if (Query.IsSAT && Query.IsSAT.value()) {
157 ++NumTimesZ3QueryAcceptsReport;
158 return AcceptReport;
159 }
160
161 // Suggest cutting the EQClass if certain heuristics trigger.
162 if (Opts.Z3CrosscheckTimeoutThreshold &&
163 Query.Z3QueryTimeMilliseconds >= Opts.Z3CrosscheckTimeoutThreshold) {
164 ++NumTimesZ3TimedOut;
165 ++NumTimesZ3QueryRejectEQClass;
166 return RejectEQClass;
167 }
168
169 if (Opts.Z3CrosscheckRLimitThreshold &&
170 Query.UsedRLimit >= Opts.Z3CrosscheckRLimitThreshold) {
171 ++NumTimesZ3ExhaustedRLimit;
172 ++NumTimesZ3QueryRejectEQClass;
173 return RejectEQClass;
174 }
175
176 if (Opts.Z3CrosscheckEQClassTimeoutThreshold &&
177 AccumulatedZ3QueryTimeInEqClass >
178 Opts.Z3CrosscheckEQClassTimeoutThreshold) {
179 ++NumTimesZ3SpendsTooMuchTimeOnASingleEQClass;
180 ++NumTimesZ3QueryRejectEQClass;
181 return RejectEQClass;
182 }
183
184 // If no cutoff heuristics trigger, and the report is "unsat" or "undef",
185 // then reject the report.
186 ++NumTimesZ3QueryRejectReport;
187 return RejectReport;
188}
STAT_COUNTER
#define STAT_COUNTER(VARNAME, DESC)
Definition: EntryPointStats.h:151
STAT_MAX
#define STAT_MAX(VARNAME, DESC)
Definition: EntryPointStats.h:155
clang::ASTContext
Holds long-lived AST nodes (such as types and decls) that can be referred to throughout the semantic ...
Definition: ASTContext.h:188
clang::AnalyzerOptions
Stores options for the analyzer from the command line.
Definition: AnalyzerOptions.h:180
clang::ento::BugReporterContext::getASTContext
ASTContext & getASTContext() const
Definition: BugReporter.h:740
clang::ento::ExplodedNode::getState
const ProgramStateRef & getState() const
Definition: ExplodedGraph.h:169
clang::ento::Range
A Range represents the closed range [from, to].
Definition: RangedConstraintManager.h:29
clang::ento::SMTConv::getRangeExpr
static llvm::SMTExprRef getRangeExpr(llvm::SMTSolverRef &Solver, ASTContext &Ctx, SymbolRef Sym, const llvm::APSInt &From, const llvm::APSInt &To, bool InRange)
Definition: SMTConv.h:534
clang::ento::Z3CrosscheckOracle::interpretQueryResult
Z3Decision interpretQueryResult(const Z3CrosscheckVisitor::Z3Result &Meta)
Updates the internal state with the new Z3Result and makes a decision how to proceed:
Definition: Z3CrosscheckVisitor.cpp:149
clang::ento::Z3CrosscheckVisitor::VisitNode
PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, BugReporterContext &BRC, PathSensitiveBugReport &BR) override
Return a diagnostic piece which should be associated with the given node.
Definition: Z3CrosscheckVisitor.cpp:138
clang::ento::Z3CrosscheckVisitor::Profile
void Profile(llvm::FoldingSetNodeID &ID) const override
Definition: Z3CrosscheckVisitor.cpp:144
clang::ento::Z3CrosscheckVisitor::Z3CrosscheckVisitor
Z3CrosscheckVisitor(Z3CrosscheckVisitor::Z3Result &Result, const AnalyzerOptions &Opts)
Definition: Z3CrosscheckVisitor.cpp:52
clang::ento::Z3CrosscheckVisitor::finalizeVisitor
void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode, PathSensitiveBugReport &BR) override
Last function called on the visitor, no further calls to VisitNode would follow.
Definition: Z3CrosscheckVisitor.cpp:57
clang::ento::ConstraintMap
llvm::ImmutableMap< SymbolRef, RangeSet > ConstraintMap
Definition: RangedConstraintManager.h:404
clang::ento::ObjKind::CF
@ CF
Indicates that the tracked object is a CF object.
clang::ento::PathDiagnosticPieceRef
std::shared_ptr< PathDiagnosticPiece > PathDiagnosticPieceRef
Definition: PathDiagnostic.h:492
clang::ento::getConstraintMap
ConstraintMap getConstraintMap(ProgramStateRef State)
Definition: RangeConstraintManager.cpp:2280
clang
The JSON file list parser is used to communicate input to InstallAPI.
Definition: CalledOnceCheck.h:17
Generated on Tue Sep 2 2025 18:41:21 for clang by doxygen 1.9.6