I didn't run this on big projects just yet, and judging from the fact that Environment only contained ObjetiveC examples of non-expression statements, I might need a tip on how to test on ObjC code :)

I always wondered if we actually need to track the liveness of exprs at all. We could just kill all subexpr at the end of the full expression without precomputing anything. But I might miss something.

In D82598#2115656, @NoQ wrote:

We could just kill all subexpr at the end of the full expression

I suspect that it would be pretty bad if you, say, kill the condition of the if-statement before picking the branch. Or kill the initializer in the DeclStmt before putting it into the variable (same for CXXCtorInitializer which isn't even a Stmt!).

I would argue that the end of the full expression is AFTER the if was evaluated in this case. But I do see what you mean, thanks :)

In D82598#2116373, @xazax.hun wrote:

I suspect that it would be pretty bad if you, say, kill the condition of the if-statement before picking the branch. Or kill the initializer in the DeclStmt before putting it into the variable (same for CXXCtorInitializer which isn't even a Stmt!).

I would argue that the end of the full expression is AFTER the if was evaluated in this case. But I do see what you mean, thanks :)

Well, formally it isn't. The notion of full-expression is defined pretty strictly because that's the moment of time when temporary destructors are invoked. So the language pays a lot of attention to what exactly constitutes an expression, and as of now if-statements don't. In particular, temporary destructors will run before the branch is chosen.

I guess your point is that live expressions analysis could be replaced with imperative cleanup requests from, say, ExprEngine to the Environment. I.e., "We've just finished evaluating the if-statement, now we should actively tell the Environment to remove the condition expression". I guess it could totally work that way, but it'd be pretty hard to not forget such cleanups. Given that we'd also barely ever notice that we forgot one of those, i'm very much in favor of having liveness analysis instead, that would declaratively describe which expressions are live when, so that to automatically guarantee that we always only track what's necessary and never snowball our state with dead expressions.

Note to self: rename debug.DumpLiveStmts to debug.DumpLiveExprs. Thanks for the review btw! I don't immediately have something to add to your discussion though :)

In D82598#2119545, @xazax.hun wrote:

Given that we'd also barely ever notice that we forgot one of those, i'm very much in favor of having liveness analysis instead, that would declaratively describe which expressions are live when, so that to automatically guarantee that we always only track what's necessary and never snowball our state with dead expressions.

Fair point. I do not remember any problem with the current liveness analysis so I guess if something is not broken do not fix it. We also don't have any evidence of this being a bottleneck.

D55566!

I chased my own tail for weeks before realizing that there is indeed another instance when a live statement is stored, other then ObjCForCollectionStmt...

void clang_analyzer_eval(bool);

void test_lambda_refcapture() {
  int a = 6;
  [&](int &a) { a = 42; }(a);
  clang_analyzer_eval(a == 42); // expected-warning{{TRUE}}
}

// CHECK: [ B0 (live statements at block exit) ]
// CHECK-EMPTY:
// CHECK-EMPTY:
// CHECK-NEXT: [ B1 (live statements at block exit) ]
// CHECK-EMPTY:
// CHECK-EMPTY:
// CHECK-NEXT: [ B2 (live statements at block exit) ]
// CHECK-EMPTY:
// CHECK-NEXT: CompoundStmt {{.*}}
// CHECK-NEXT: `-BinaryOperator {{.*}} 'int' lvalue '='
// CHECK-NEXT:   |-DeclRefExpr {{.*}} 'int' lvalue ParmVar {{.*}} 'a' 'int &'
// CHECK-NEXT:   `-IntegerLiteral {{.*}} 'int' 42

In D82598#2162239, @Szelethus wrote:

I chased my own tail for weeks before realizing that there is indeed another instance when a live statement is stored, other then ObjCForCollectionStmt...

void clang_analyzer_eval(bool);

void test_lambda_refcapture() {
  int a = 6;
  [&](int &a) { a = 42; }(a);
  clang_analyzer_eval(a == 42); // expected-warning{{TRUE}}
}

Hmm, interesting. I don't really understand why do we need to keep that block live, as we definitely won't use any of the value it provides (since it does not provide a value at all).

I am only doing guessing here, but maybe the side effect of the statement is pruned from the store as soon as it is no longer live?

I might be wrong here, but maybe solving this problem would not be the job of the liveness analysis but we have a bug elsewhere, as this binding should be pruned when a is a dead variable.

In D82598#2162496, @xazax.hun wrote:

In D82598#2162239, @Szelethus wrote:

I chased my own tail for weeks before realizing that there is indeed another instance when a live statement is stored, other then ObjCForCollectionStmt...

void clang_analyzer_eval(bool);

void test_lambda_refcapture() {
  int a = 6;
  [&](int &a) { a = 42; }(a);
  clang_analyzer_eval(a == 42); // expected-warning{{TRUE}}
}

Hmm, interesting. I don't really understand why do we need to keep that block live, as we definitely won't use any of the value it provides (since it does not provide a value at all).

Actually, what I said initially is true:

[...] the only non-expression statements it queried are ObjCForCollectionStmts [...]

so I think it'd be okay to simply drop this. Also, its easy to see why this popped up, because... (cont. in inline)

In D82598#2164363, @Szelethus wrote:

Hmm, interesting. I don't really understand why do we need to keep that block live, as we definitely won't use any of the value it provides (since it does not provide a value at all).

Actually, what I said initially is true:

[...] the only non-expression statements it queried are ObjCForCollectionStmts [...]

so I think it'd be okay to simply drop this.

Yeah, that sounds about right; you observed the current behavior to be a counterexample but found no evidence that the current behavior makes any sense.

P.S. We've found an example where ObjCForCollectionStmts break (i.e., your recently added assertion gets hit), i'll reduce and think of a patch. Still shocked this wasn't covered with tests.

Ouch. Let me know how severe this is, because this is a big milestone in my project.

In D82598#2164363, @Szelethus wrote:

Actually, what I said initially is true:

[...] the only non-expression statements it queried are ObjCForCollectionStmts [...]

Btw, sorry. I somehow misunderstood the snippet and tought that the test fails after the change. I am also ok with dropping this.

Ok, here's the crashing example with ObjCForCollectionStmt. It should be saved as an .mm file and it crashes under pure --analyze.

@interface Item
// ...
@end

@interface Collection
// ...
@end

typedef void (^Blk)();

struct RAII {
  Blk blk;

public:
  RAII(Blk blk): blk(blk) {}
  ~RAII() { blk(); }
};

void foo(Collection *coll) {
  RAII raii(^{});
  for (Item *item in coll) {}
}

The CFG ("allocate a variable, pick the item and put it into that variable, execute the body, repeat"):

The interesting part of the ExplodedGraph:

And here's the FIXME that you're looking for:

...
44 /// Generate a node in \p Bldr for an iteration statement using ObjC
45 /// for-loop iterator.
46 static void populateObjCForDestinationSet(
47     ExplodedNodeSet &dstLocation, SValBuilder &svalBuilder,
48     const ObjCForCollectionStmt *S, const Stmt *elem, SVal elementV,
49     SymbolManager &SymMgr, const NodeBuilderContext *currBldrCtx,
50     StmtNodeBuilder &Bldr, bool hasElements) {
...
56     SVal hasElementsV = svalBuilder.makeTruthVal(hasElements);
57
58     // FIXME: S is not an expression. We should not be binding values to it.
59     ProgramStateRef nextState = state->BindExpr(S, LCtx, hasElementsV);
...

So, like, the engine is conveniently assigning 0 or 1 to the collection-statement in the Environment when the collection is assumed to be empty or not.

It's obviously a hack. This shouldn't be in the Environment. This should have been a GDM trait attached to the collection. Ideally it should also be modeled, i.e. sometimes we do know whether the collection is empty, and it might even be modeled occasionally. But in any case this shouldn't be in the Environment.

Thank you so much, you really went out of your way to dig that out! I'll try to patch this somehow.

Wow, I never realized I accidentally landed that assert (D82122#2172360), but I guess its great to have that covered. Would you prefer to have that reverted as I'm looking to fix this for good?

I still wonder what made this statement live in my example. There must have been some non-trivial liveness analysis going on that caused a statement to be live; probably something to do with the C++ destructor elements.

In D82598#2172371, @Szelethus wrote:

Wow, I never realized I accidentally landed that assert (D82122#2172360), but I guess its great to have that covered. Would you prefer to have that reverted as I'm looking to fix this for good?

It doesn't add any actual functionality so i think it makes sense to revert unless you have a quick fix.

Also if the assert is in fact true then i'd rather make a much stronger statement by banning statements from the Environment entirely, as in, like, at compile time by making it accept Expr * instead of Stmt *.

In D82598#2172416, @NoQ wrote:

I still wonder what made this statement live in my example. There must have been some non-trivial liveness analysis going on that caused a statement to be live; probably something to do with the C++ destructor elements.

Pushed rG032b78a0762bee129f33e4255ada6d374aa70c71. Mind that no ObjCForCollectionStmt was found in the DumpLiveStms run.