[Analyzer] The way to solve false negatives about ArrayBoundCheckerV2?

Hi all,
Due to the limitations of the range-based constraint solver, ArrayBoundCheckerV2 currently has false negatives (http://clang-developers.42468.n3.nabble.com/improving-the-ArrayBoundChecker-td4037769.html#a4037803).

There are some simple false-negative cases that could be addressed, such as “index * sizeof(int) >= 10”, and there are two ways I can think of to solve this problem.

1. Modify ArrayBoundCheckerV2 to convert “symbol * sizeof(ElementType) >= RegionExtent” into “symbol >= RegionExtent / sizeof(ElementType)”; both “sizeof(ElementType)” and “RegionExtent” can be obtained as concrete integers. If we’re dealing with two known constants, we can perform the ‘/’ operation directly.

2. Modify “RangedConstraintManager::computeAdjustment()” so that it supports other arithmetic operators, such as ‘/’. This method slightly increases the ability of the constraint solver, so that other false negatives can also be solved. For example:
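
As an added illustration (not code from this thread, nor from the Clang analyzer itself), here is a small Python model of the rewrite proposed in point 1: the byte-offset constraint `index * sizeof(ElementType) >= RegionExtent` is turned into a constraint on the index alone and then evaluated against a known index range. It uses a ceiling rather than a truncating division so that a region whose size is not a multiple of the element size is handled correctly; `elem_size`, `region_extent` and the index ranges are constructed inputs.

```python
def first_oob_index(region_extent: int, elem_size: int) -> int:
    """Smallest index whose byte offset index*elem_size reaches region_extent.

    index * elem_size >= extent  <=>  index >= ceil(extent / elem_size)

    Plain truncating division (extent // elem_size) is wrong whenever the
    extent is not a multiple of the element size: for extent=10 and
    elem_size=4 it yields 2, yet index 2 starts at byte 8, which is still
    below 10, so only index 3 and above are out of bounds.
    """
    if elem_size <= 0:
        raise ValueError("element size must be positive")
    return -(-region_extent // elem_size)  # ceiling division on integers


def classify_access(index_range, region_extent: int, elem_size: int) -> str:
    """Evaluate the rewritten constraint against an index range [lo, hi].

    Mirrors what a range-based solver can conclude once the constraint is
    expressed on the index symbol itself:
      'out'   - every index in the range is negative or >= the first
                out-of-bounds index (a definite report);
      'in'    - no index in the range can go out of bounds;
      'maybe' - the range straddles the boundary, so nothing definite can
                be said and no report would be emitted.
    """
    lo, hi = index_range
    if lo > hi:
        raise ValueError("empty index range")
    bound = first_oob_index(region_extent, elem_size)
    if hi < 0 or lo >= bound:
        return "out"
    if lo >= 0 and hi < bound:
        return "in"
    return "maybe"


if __name__ == "__main__":
    # Constructed scenario: a 10-byte region indexed as an int array.
    for rng in [(0, 2), (0, 3), (3, 5), (-2, -1)]:
        print(rng, "->", classify_access(rng, region_extent=10, elem_size=4))
```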


Thank you for your explanation, Gábor! My mistake. I’ll take a good look at the information you provided.

Henry Wong
Qihoo 360 Codesafe Team