This is an archive of the discontinued LLVM Phabricator instance.

Differential D103434

[analyzer] Allow visitors to run callbacks on completion
AbandonedPublic

Authored by RedDocMD on May 31 2021, 10:57 PM.

Details

Reviewers
NoQ
vsavchenko
xazax.hun
teemperor
Summary

This patch introduces the concept of *Stoppable* visitors, ie, a
visitor that must perform some task when it runs out of nodes on which
it has work to do.
Initially, the ReturnVisitor is being made *stoppable*, thus allowing
it to run callbacks on completion. These callbacks are meant to be
supplied from trackExpressionValue.
Thus, this patch will also allow trackExpressionValue to recieve a
callback to run when it is done tracking.

Diff Detail

Unit TestsFailed

TimeTest
510 msx64 debian > Clang.Analysis::placement-new.cpp
480 msx64 debian > Clang.Analysis::track-control-dependency-conditions.m
430 msx64 debian > Clang.Analysis::uninit-vals.c
460 msx64 debian > Clang.Analysis/inlining::false-positive-suppression.m
150 msx64 windows > Clang.Analysis::placement-new.cpp
View Full Test Results (8 Failed)

Event Timeline

RedDocMD created this revision.May 31 2021, 10:57 PM
Herald added subscribers: manas, steakhal, ASDenysPetrov and 9 others. · View Herald TranscriptMay 31 2021, 10:57 PM
RedDocMD requested review of this revision.May 31 2021, 10:57 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 31 2021, 10:57 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
RedDocMD added a comment.May 31 2021, 11:00 PM

Note: This patch is only partially done.

The following things are still left:

  • trackExpressionValue must receive a callback
  • The callback must be passed to a visitor (ReturnVisitor for now)
  • Tests to verify that ReturnVisitor actually does what we intend it to do (call the callback at the right place).
Harbormaster completed remote builds in B106974: Diff 348882.Jun 1 2021, 12:17 AM
vsavchenko added inline comments.Jun 1 2021, 12:44 AM
clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
895

function_ref is a reference, it doesn't own the function. It means that it shouldn't outlive the actual function object (very similar to StringRef).

xazax.hun added inline comments.Jun 1 2021, 9:02 PM
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
95

Are we anticipating visitors that do something else other than calling a callback when they are stopped? If that is not the case, I wonder if storing/invoking the visitor in this class would make more sense.

97

Should we allow derived classes or even others query if a visitor was stopped? Or is this only for catching bugs?

101

I prefer really small functions, like this dtor to be in header files. Feel free to ignore.

104

Do you anticipate cases where the visitor itself does not know that it needs to stop (e.g. in the Visit functions) so someone needs to call this from the outside?

RedDocMD added inline comments.Jun 1 2021, 9:58 PM
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
95

I think it was decided in the last meet that we should not make this new abstraction overtly specific. So a stoppable visitor is free to have a callback (like the ReturnVisitor now does) and is also free to have some more behavior in the OnStop method. Also making the OnStop method pure-virtual means that the sub-classes are required to override it (so it can't be ignored).

97

Right now it can't be queried. The purpose of the Stopped field is primarily for catching bugs. (this ensures visitors are stopped exactly once).

104

No, I don't. Are you suggesting I should make it a protected method?

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
895

So I guess this means that the callback must be a method/lambda that persists (ie, it can't be a lambda in a VisitNode method, but must be stored a field in the class).

1156

I am not entirely certain this is the right place to call the Stop method. It seems reasonable but I am not sure.

RedDocMD updated this revision to Diff 349295.Jun 2 2021, 9:02 AM

trackExpressionValue recieving callback, passing it to ReturnVisitor

RedDocMD added a comment.Jun 2 2021, 9:06 AM

The following things are now done:

  • trackExpressionValue must receive a callback
  • The callback must be passed to a visitor (ReturnVisitor for now)

I still don't know a good way to test the following:

  • Tests to verify that ReturnVisitor actually does what we intend it to do (call the callback at the right place).

@vsavchenko, @NoQ, @xazax.hun, @teemperor can you give some suggestions?

Harbormaster completed remote builds in B107261: Diff 349295.Jun 2 2021, 10:54 AM
NoQ added a comment.Jun 2 2021, 10:25 PM

Tests to verify that ReturnVisitor actually does what we intend it to do (call the callback at the right place).

You mean write a test that demonstrates that? I guess unless we're willing to wait for the checker to catch up, a good approach to this would be to write a unit test. See unittests/StaticAnalyzer - there aren't many of them because they're relatively hard to write but these days they're getting more and more popular as we're trying to eliminate mutually exclusive bugs invisible on LIT tests. You can mock some code, emit a warning against it from a mocked checker, and test directly that the visitor is stopped at, say, a given node or a given line number.

Or you mean like, add an assert that ensures that you're doing right thing? I think this is also possible to some extent. For example, you can check when the visitor is stopped that no other visitors were added during the current VisitNode() invocation (otherwise the process has to continue). Or you could assert the opposite: if the visitor has run to completion and no other visitors were added then the callback has to be invoked. I think this can get messy really quickly (esp. knowing that you can't simply count all visitors to see if more were added, given how newly added visitors may be duplicates of existing visitors). But I suspect that it could be easy to check this in at least one direction.

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
109

I think we have to use std::function here.

/// An efficient, type-erasing, non-owning reference to a callable. This is
/// intended for use as the type of a function parameter that is not used
/// after the function in question returns.
///
/// This class does not own the callable, so it is not in general safe to store
/// a function_ref.
template<typename Fn> class function_ref;

An llvm::function_ref becomes a dangling reference as soon as trackExpressionValue() returns. This is too early.

balazske added a subscriber: balazske.Jun 3 2021, 1:03 AM
balazske added inline comments.
clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
95

According to the conventions, should use stop and onStop instead of Stop, OnStop?

vsavchenko added a comment.Jun 3 2021, 3:36 AM

I was thinking a lot about this problem after our last call, and even though StoppableVisitor helps to solve the problem that we have, it is extremely unclear when this callback is called and should be called.
I decided to restore the balance (and rid of all younglings, maybe) and put together this interface: D103605. I still need to migrate the existing code into the new architecture, but it can be done incrementally.

RedDocMD added a comment.Jun 3 2021, 3:39 AM
In D103434#2795940, @vsavchenko wrote:

I was thinking a lot about this problem after our last call, and even though StoppableVisitor helps to solve the problem that we have, it is extremely unclear when this callback is called and should be called.
I decided to restore the balance (and rid of all younglings, maybe) and put together this interface: D103605. I still need to migrate the existing code into the new architecture, but it can be done incrementally.

Right. I then perhaps should focus now on D98726, and then return to GetNoteEmitter.

RedDocMD abandoned this revision.Jun 18 2021, 11:51 AM

I am closing this since it has been addressed much better by the patches from @vsavchenko.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
20 lines
lib/
StaticAnalyzer/
Core/
40 lines

Diff 348882

clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h

Show First 20 LinesShow All 79 Lines▼ Show 20 Linespublic:
virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0; virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0;
/// Generates the default final diagnostic piece. /// Generates the default final diagnostic piece.
static PathDiagnosticPieceRef static PathDiagnosticPieceRef
getDefaultEndPath(const BugReporterContext &BRC, const ExplodedNode *N, getDefaultEndPath(const BugReporterContext &BRC, const ExplodedNode *N,
const PathSensitiveBugReport &BR); const PathSensitiveBugReport &BR);
}; };
/// StoppableBugReporterVisitor is a special type of visitor that is known to
/// not have any useful work to do after it reaches a certain node in its
/// traversal. When it does reach that node, the \ref Stop method must be
/// called. This in turn calls the \ref OnStop method (which must be overriden
/// in the sub-class). Note that such visitors *must* be stopped exactly once.
class StoppableBugReporterVisitor : public BugReporterVisitor {
/// This method is run once the \ref Stop method is called.
virtual void OnStop(const ExplodedNode *Curr, BugReporterContext &BRC,
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Are we anticipating visitors that do something else other than calling a callback when they are stopped? If that is not the case, I wonder if storing/invoking the visitor in this class would make more sense.

xazax.hun: Are we anticipating visitors that do something else other than calling a callback when they are…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

I think it was decided in the last meet that we should not make this new abstraction overtly specific. So a stoppable visitor is free to have a callback (like the ReturnVisitor now does) and is also free to have some more behavior in the OnStop method. Also making the OnStop method pure-virtual means that the sub-classes are required to override it (so it can't be ignored).

RedDocMD: I think it was decided in the last meet that we should not make this new abstraction overtly…
balazskeUnsubmitted
Not Done
ReplyInline Actions

According to the conventions, should use stop and onStop instead of Stop, OnStop?

balazske: According to the conventions, should use `stop` and `onStop` instead of `Stop`, `OnStop`?
PathSensitiveBugReport &BR) const = 0;
bool Stopped;
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Should we allow derived classes or even others query if a visitor was stopped? Or is this only for catching bugs?

xazax.hun: Should we allow derived classes or even others query if a visitor was stopped? Or is this only…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

Right now it can't be queried. The purpose of the Stopped field is primarily for catching bugs. (this ensures visitors are stopped exactly once).

RedDocMD: Right now it can't be queried. The purpose of the `Stopped` field is primarily for catching…
public:
StoppableBugReporterVisitor() : Stopped{false} {}
virtual ~StoppableBugReporterVisitor();
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

I prefer really small functions, like this dtor to be in header files. Feel free to ignore.

xazax.hun: I prefer really small functions, like this dtor to be in header files. Feel free to ignore.
/// Call this method once the visitor runs out of useful nodes to process.
void Stop(const ExplodedNode *Curr, BugReporterContext &BRC,
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Do you anticipate cases where the visitor itself does not know that it needs to stop (e.g. in the Visit functions) so someone needs to call this from the outside?

xazax.hun: Do you anticipate cases where the visitor itself does not know that it needs to stop (e.g. in…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

No, I don't. Are you suggesting I should make it a protected method?

RedDocMD: No, I don't. Are you suggesting I should make it a protected method?
PathSensitiveBugReport &BR);
};
namespace bugreporter { namespace bugreporter {
NoQUnsubmitted
Not Done
ReplyInline Actions

I think we have to use std::function here.

/// An efficient, type-erasing, non-owning reference to a callable. This is
/// intended for use as the type of a function parameter that is not used
/// after the function in question returns.
///
/// This class does not own the callable, so it is not in general safe to store
/// a function_ref.
template<typename Fn> class function_ref;

An llvm::function_ref becomes a dangling reference as soon as trackExpressionValue() returns. This is too early.

NoQ: I think we have to use `std::function` here. > lang=c++ > /// An efficient, type-erasing…
/// Specifies the type of tracking for an expression. /// Specifies the type of tracking for an expression.
enum class TrackingKind { enum class TrackingKind {
/// Default tracking kind -- specifies that as much information should be /// Default tracking kind -- specifies that as much information should be
/// gathered about the tracked expression value as possible. /// gathered about the tracked expression value as possible.
Thorough, Thorough,
/// Specifies that a more moderate tracking should be used for the expression /// Specifies that a more moderate tracking should be used for the expression
/// value. This will essentially make sure that functions relevant to it /// value. This will essentially make sure that functions relevant to it
/// aren't pruned, but otherwise relies on the user reading the code or /// aren't pruned, but otherwise relies on the user reading the code or
▲ Show 20 LinesShow All 310 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp

Show First 20 LinesShow All 315 Lines▼ Show 20 Lines auto P = std::make_shared<PathDiagnosticEventPiece>(
L, BR.getDescription(), Ranges.begin() == Ranges.end()); L, BR.getDescription(), Ranges.begin() == Ranges.end());
for (SourceRange Range : Ranges) for (SourceRange Range : Ranges)
P->addRange(Range); P->addRange(Range);
return P; return P;
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Implementation of StoppableBugReporterVisitor
//===----------------------------------------------------------------------===//
StoppableBugReporterVisitor::~StoppableBugReporterVisitor() {
assert(Stopped && "Stoppable visitor not stopped in its lifetime");
}
void StoppableBugReporterVisitor::Stop(const ExplodedNode *Curr,
BugReporterContext &BRC,
PathSensitiveBugReport &BR) {
assert(!Stopped && "Stop() can be called only once in visitor's lifetime");
Stopped = true;
OnStop(Curr, BRC, BR);
}
//===----------------------------------------------------------------------===//
// Implementation of NoStoreFuncVisitor. // Implementation of NoStoreFuncVisitor.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
/// Put a diagnostic on return statement of all inlined functions /// Put a diagnostic on return statement of all inlined functions
/// for which the region of interest \p RegionOfInterest was passed into, /// for which the region of interest \p RegionOfInterest was passed into,
/// but not written inside, and it has caused an undefined read or a null /// but not written inside, and it has caused an undefined read or a null
▲ Show 20 LinesShow All 539 Lines▼ Show 20 Lines Optional<SourceLocation> matchAssignment(const ExplodedNode *N) {
return None; return None;
} }
}; };
} // end of anonymous namespace } // end of anonymous namespace
namespace { namespace {
using VisitorCallback = llvm::function_ref<void(
vsavchenkoUnsubmitted
Not Done
ReplyInline Actions

function_ref is a reference, it doesn't own the function. It means that it shouldn't outlive the actual function object (very similar to StringRef).

vsavchenko: `function_ref` is a reference, it doesn't own the function. It means that it shouldn't outlive…
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

So I guess this means that the callback must be a method/lambda that persists (ie, it can't be a lambda in a VisitNode method, but must be stored a field in the class).

RedDocMD: So I guess this means that the callback must be a method/lambda that //persists// (ie, it can't…
const ExplodedNode *, BugReporterContext &, PathSensitiveBugReport &)>;
/// Emits an extra note at the return statement of an interesting stack frame. /// Emits an extra note at the return statement of an interesting stack frame.
/// ///
/// The returned value is marked as an interesting value, and if it's null, /// The returned value is marked as an interesting value, and if it's null,
/// adds a visitor to track where it became null. /// adds a visitor to track where it became null.
/// ///
/// This visitor is intended to be used when another visitor discovers that an /// This visitor is intended to be used when another visitor discovers that an
/// interesting value comes from an inlined function call. /// interesting value comes from an inlined function call.
class ReturnVisitor : public BugReporterVisitor { class ReturnVisitor : public StoppableBugReporterVisitor {
const StackFrameContext *CalleeSFC; const StackFrameContext *CalleeSFC;
enum { enum {
Initial, Initial,
MaybeUnsuppress, MaybeUnsuppress,
Satisfied Satisfied
} Mode = Initial; } Mode = Initial;
bool EnableNullFPSuppression; bool EnableNullFPSuppression;
bool ShouldInvalidate = true; bool ShouldInvalidate = true;
AnalyzerOptions& Options; AnalyzerOptions& Options;
bugreporter::TrackingKind TKind; bugreporter::TrackingKind TKind;
VisitorCallback Callback;
public: public:
ReturnVisitor(const StackFrameContext *Frame, bool Suppressed, ReturnVisitor(const StackFrameContext *Frame, bool Suppressed,
AnalyzerOptions &Options, bugreporter::TrackingKind TKind) AnalyzerOptions &Options, bugreporter::TrackingKind TKind,
: CalleeSFC(Frame), EnableNullFPSuppression(Suppressed), VisitorCallback &&Callback = nullptr)
Options(Options), TKind(TKind) {} : CalleeSFC(Frame), EnableNullFPSuppression(Suppressed), Options(Options),
TKind(TKind), Callback(Callback) {}
static void *getTag() { static void *getTag() {
static int Tag = 0; static int Tag = 0;
return static_cast<void *>(&Tag); return static_cast<void *>(&Tag);
} }
void Profile(llvm::FoldingSetNodeID &ID) const override { void Profile(llvm::FoldingSetNodeID &ID) const override {
ID.AddPointer(ReturnVisitor::getTag()); ID.AddPointer(ReturnVisitor::getTag());
ID.AddPointer(CalleeSFC); ID.AddPointer(CalleeSFC);
ID.AddBoolean(EnableNullFPSuppression); ID.AddBoolean(EnableNullFPSuppression);
} }
void OnStop(const ExplodedNode *Curr, BugReporterContext &BRC,
PathSensitiveBugReport &BR) const override {
if (Callback) {
Callback(Curr, BRC, BR);
}
}
/// Adds a ReturnVisitor if the given statement represents a call that was /// Adds a ReturnVisitor if the given statement represents a call that was
/// inlined. /// inlined.
/// ///
/// This will search back through the ExplodedGraph, starting from the given /// This will search back through the ExplodedGraph, starting from the given
/// node, looking for when the given statement was processed. If it turns out /// node, looking for when the given statement was processed. If it turns out
/// the statement is a call that was inlined, we add the visitor to the /// the statement is a call that was inlined, we add the visitor to the
/// bug report, so it can print a note later. /// bug report, so it can print a note later.
static void addVisitorIfNecessary(const ExplodedNode *Node, const Stmt *S, static void addVisitorIfNecessary(const ExplodedNode *Node, const Stmt *S,
▲ Show 20 LinesShow All 194 Lines▼ Show 20 Lines PathDiagnosticPieceRef visitNodeInitial(const ExplodedNode *N,
// If we determined that the note is meaningless, make it prunable, and // If we determined that the note is meaningless, make it prunable, and
// don't mark the stackframe interesting. // don't mark the stackframe interesting.
if (WouldEventBeMeaningless) if (WouldEventBeMeaningless)
EventPiece->setPrunable(true); EventPiece->setPrunable(true);
else else
BR.markInteresting(CalleeSFC); BR.markInteresting(CalleeSFC);
// Since we know that no other notes will be emitted subsequently by this
// visitor.
Stop(N, BRC, BR);
RedDocMDAuthorUnsubmitted
Done
ReplyInline Actions

I am not entirely certain this is the right place to call the Stop method. It seems reasonable but I am not sure.

RedDocMD: I am **not** entirely certain this is the right place to call the Stop method. It seems…
return EventPiece; return EventPiece;
} }
PathDiagnosticPieceRef visitNodeMaybeUnsuppress(const ExplodedNode *N, PathDiagnosticPieceRef visitNodeMaybeUnsuppress(const ExplodedNode *N,
BugReporterContext &BRC, BugReporterContext &BRC,
PathSensitiveBugReport &BR) { PathSensitiveBugReport &BR) {
assert(Options.ShouldAvoidSuppressingNullArgumentPaths); assert(Options.ShouldAvoidSuppressingNullArgumentPaths);
▲ Show 20 LinesShow All 1,825 LinesShow Last 20 Lines