[clang analyzer] Z3 error: Argument #x00007fff at position 1 does not match declaration (declare-fun bvsle ((_ BitVec 16) (_ BitVec 16)) Bool)

[LebedevRI]

Bugzilla Link	44030
Version	trunk
OS	Linux
Attachments	AbstractDngDecompressor-0382b2.sh, AbstractDngDecompressor-0382b2.cpp, VC5Decompressor-a956e9.cpp, VC5Decompressor-a956e9.sh
CC	@steakhal,@devincoughlin,@zmodem,@mikhailramalho,@haoNoQ

Extended Description

Was playing around with clang trunk + Z3 4.8.6 + CodeChecker --z3 on
and got the following crash

[LebedevRI]

assigned to @haoNoQ

[haoNoQ]

I don't think this should block the release because Z3 support in the Static Analyzer was never declared stable to begin with. I doubt Clang is actually ever shipped with Z3 support; even if it is, it shouldn't be. I wish we had this, but we're not there yet :(

I could try to take a look tho. bvand is a fairly basic operation, i wonder what could go wrong. Probably cast symbols messed up.

[LebedevRI]

I don't think this should block the release because Z3 support in the Static
Analyzer was never declared stable to begin with.
That's fair.

I doubt Clang is actually ever shipped with Z3 support;
It is, in apt.llvm.org debian builds, i didn't build it myself.

even if it is, it shouldn't be. I wish we had
this, but we're not there yet :(
FWIW this was the only static analyzer-Z3 bug i've encountered,
that is why i've filled a bug.

I could try to take a look tho. bvand is a fairly basic operation, i
wonder what could go wrong. Probably cast symbols messed up.

Thanks!

[mikhailramalho]

Yep, this is another issue related to the casts being dropped by the CSA :/

In particular, the haveSameType call in SimpleSValBuilder.cpp:98 returns that the two bit-vectors have the same width.

The range constraint manager is more lenient about these width mismatches, but the solver will refuse to encode the program :/

The correct fix is to implement the whole truncation/extension in the CSA.

Maybe we can have this task as part of GSOC this year? Maybe implement support for truncation/extension and floating-points :D

[zmodem]

As was mentioned above, I don't think we should block the release on this.

[steakhal]

It was really thoughtful to read this.
Unfortunately this bug can materialize during Z3 refutation as well - which is beyond doubt that useful and should be supported.

I'm also expecting to bite back in the future if we can't deal with this issue.
FYI there is a patch touching this topic: https://reviews.llvm.org/D85528

PS thanks Lebedev for the CC.