This is an archive of the discontinued LLVM Phabricator instance.

Differential D115235

[clang][dataflow] Implement a basic algorithm for dataflow analysis
ClosedPublic

Authored by sgatev on Dec 7 2021, 4:18 AM.

Details

Reviewers
ymandel
NoQ
xazax.hun
gribozavr2
Commits
rG8dcaf3aa0bf2: [clang][dataflow] Implement a basic algorithm for dataflow analysis
Summary

This is part of the implementation of the dataflow analysis framework.
See "[RFC] A dataflow analysis framework for Clang AST" on cfe-dev.

Diff Detail

Event Timeline

sgatev created this revision.Dec 7 2021, 4:18 AM
Herald added subscribers: rnkovacs, mgorny. · View Herald TranscriptDec 7 2021, 4:18 AM
sgatev requested review of this revision.Dec 7 2021, 4:18 AM
Herald added a project: Restricted Project. · View Herald TranscriptDec 7 2021, 4:18 AM
sgatev updated this revision to Diff 392346.Dec 7 2021, 4:28 AM

Minor changes to parameter names.

Harbormaster completed remote builds in B137871: Diff 392346.Dec 7 2021, 5:00 AM
gribozavr2 added a comment.Dec 7 2021, 8:37 AM

LGTM but deferring approval to @xazax.hun .

clang/unittests/Analysis/FlowSensitive/TypeErasedDataflowAnalysisTest.cpp
31

Add assert(BlockStates.empty()); ?

59

Please prefer StringRef to const char * if possible.

xazax.hun accepted this revision.Dec 7 2021, 9:32 AM

This patch looks good to me, most of my comments are things to consider in follow-up patches.

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
32

Alternatively, if we have a bottom, forall e in lattice join(e, bottom) == e, so we do not really need optionals and can express nodes that do not contribute to the state using the bottom value. (Or using top, depending on the orientation for our lattices, unfortunately the literature is using both orientations which is really confusing.)

I'm fine with the current approach, but I'd love to see a function level comment about nullopts representing nodes that were not yet evaluated.

35

I did not catch this earlier, but I wonder if we should pass the block in to typeErasedInitialElement. There are some analysis where the initial element might be different for certain nodes. E.g. here is the algorithms for computing dominators from wikipedia:

// dominator of the start node is the start itself
Dom(n0) = {n0}
// for all other nodes, set all nodes as the dominators
for each n in N - {n0}
    Dom(n) = N;
// iteratively eliminate nodes that are not dominators
while changes in any Dom(n)
    for each n in N - {n0}:
        Dom(n) = {n} union with intersection over Dom(p) for all p in pred(n)

Here the initial analysis state for the entry node differs from the initial state for the rest of the nodes.

69

I think this is fine for now, but in general, CFGStmt is probably not the only kind of CFGElement that we want to evaluate.

E.g., CFGImplicitDtor or CFGLifetimeEnds might also be interesting in the future if we want to find certain problems, like dereferencing an invalid pointer. I'd love to see a FIXME.

109

I'd strongly suggest setting up some statistics in the future: https://llvm.org/docs/ProgrammersManual.html#the-statistic-class-stats-option

Having some counters, like how many function timed out, what is the average iteration count and so on could be very handy to monitor the performance of the analysis before and after some changes (both for client analyses or for the framework itself).

139

If a block still has None as its state at this point, it is unreachable in the CFG. One option is to ignore them, as we do at the moment and it is completely fine and should not change this patch. But for some analysis in the future, we might want to check dead code as well (it might be dead for the current platform due to some preprocessor defines but alive for some other). E.g., it would also be nice to diagnose a null dereference in a block that was not reached.

clang/unittests/Analysis/FlowSensitive/TypeErasedDataflowAnalysisTest.cpp
38–41

I wonder if the dataflow analysis framework should provide a factory that that returns a CFG::BuildOptions which is a good default for most clients. Can be in a follow-up patch, or completely ignored. Or maybe even a convenience function running the analysis on a function definition without the user having to know about the CFG.

This revision is now accepted and ready to land.Dec 7 2021, 9:32 AM
ymandel added inline comments.Dec 7 2021, 12:24 PM
clang/unittests/Analysis/FlowSensitive/CMakeLists.txt
2

Why create a new sub directory? From what I've seen elsewhere, it seems uncommon. I'm fine either way, but want to be sure we have a good reason for differing.

ymandel added a child revision: D115341: [clang][dataflow] Add framework for testing analyses..Dec 8 2021, 6:26 AM
sgatev updated this revision to Diff 392772.Dec 8 2021, 7:35 AM
sgatev marked 8 inline comments as done.

Address reviewers' comments.

sgatev added a comment.Dec 8 2021, 7:37 AM

Thanks everyone!

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
32

Right. Perhaps we can use Analysis.typeErasedInitialElement() and InitEnv to express states of blocks that were not evaluated? In practice, these often coincide with bottom. In that case we're loosing the ability to understand which blocks have been evaluated. An alternative, as you mentioned, would be to require an additional bottom element to be provided by the analysis. I added a function level comment for now and will consider this a bit more.

35

Good point, though, I'm not sure if this algorithm is the best choice for such an analysis. It seems that in that case we don't need to evaluate the statements in the basic blocks, right? Perhaps we can generalize the algorithm or offer a separate one for more efficient implementation of such analyses. I added a FIXME and will consider this a bit more.

139

I added a FIXME to consider evaluating unreachable blocks. However, I think it's preferable to run the analysis with the same configuration that will be used to compile the code. Do you think this isn't always possible/practical?

clang/unittests/Analysis/FlowSensitive/CMakeLists.txt
2

I created the directory to match the structure in llvm-project/clang/include/clang/Analysis/FlowSensitive and llvm-project/clang/lib/Analysis/FlowSensitive. In general, I think it'd be easier to find related code if it's structured similarly. If this doesn't follow the established practices for the project I'd be happy to change it.

clang/unittests/Analysis/FlowSensitive/TypeErasedDataflowAnalysisTest.cpp
31

Done, and also changed the other ASSERT_THAT to assert.

38–41

I added a FIXME. A utility that runs an analysis on a function definition would mean that the CFG will need to be built each time we want to run an analysis which could be wasteful if we want to run several analyses on the same CFG. Perhaps we can consider providing a function that builds the CFG using default options and returns it, possibly wrapped in another type.

Harbormaster completed remote builds in B138162: Diff 392772.Dec 8 2021, 8:09 AM
xazax.hun accepted this revision.Dec 8 2021, 9:18 AM

Thanks!

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
35

Dominators is one example, but there might be other analyses where the initial state differs :)
Since this change is really easy to make, I'm ok deferring this until we see the actual need.

ymandel added inline comments.Dec 8 2021, 2:47 PM
clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
31

should this be declared in the header? If not, please mark static.

62

Please declare this function in the header.

sgatev updated this revision to Diff 393156.Dec 9 2021, 7:09 AM

Declare transferBlock in the header.

sgatev marked 4 inline comments as done.Dec 9 2021, 7:10 AM
sgatev added inline comments.
clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
31

Marked it as static.

Harbormaster completed remote builds in B138444: Diff 393156.Dec 9 2021, 8:10 AM
gribozavr2 accepted this revision.Dec 10 2021, 1:39 AM
Closed by commit rG8dcaf3aa0bf2: [clang][dataflow] Implement a basic algorithm for dataflow analysis (authored by sgatev, committed by gribozavr). · Explain WhyDec 10 2021, 2:44 AM
This revision was automatically updated to reflect the committed changes.
gribozavr added a commit: rG8dcaf3aa0bf2: [clang][dataflow] Implement a basic algorithm for dataflow analysis.
thakis added a subscriber: thakis.Dec 10 2021, 4:45 AM
thakis added inline comments.
clang/unittests/Analysis/FlowSensitive/CMakeLists.txt
2

I'm also confused by this.

Would this work:

% git diff
diff --git a/clang/lib/Analysis/CMakeLists.txt b/clang/lib/Analysis/CMakeLists.txt
index 16e3f474060c..eec02b31a9a8 100644
--- a/clang/lib/Analysis/CMakeLists.txt
+++ b/clang/lib/Analysis/CMakeLists.txt
@@ -18,6 +18,7 @@ add_clang_library(clangAnalysis
   CodeInjector.cpp
   Dominators.cpp
   ExprMutationAnalyzer.cpp
+  FlowSensitive/TypeErasedDataflowAnalysis.cpp
   IssueHash.cpp
   LiveVariables.cpp
   MacroExpansionContext.cpp
@@ -44,4 +45,3 @@ add_clang_library(clangAnalysis
   )

 add_subdirectory(plugins)
-add_subdirectory(FlowSensitive)
diff --git a/clang/unittests/Analysis/CMakeLists.txt b/clang/unittests/Analysis/CMakeLists.txt
index 7e2a00b96057..f1cb402268c0 100644
--- a/clang/unittests/Analysis/CMakeLists.txt
+++ b/clang/unittests/Analysis/CMakeLists.txt
@@ -8,6 +8,7 @@ add_clang_unittest(ClangAnalysisTests
   CFGTest.cpp
   CloneDetectionTest.cpp
   ExprMutationAnalyzerTest.cpp
+  FlowSensitive/TypeErasedDataflowAnalysisTest.cpp
   MacroExpansionContextTest.cpp
   )

Or do the flow-sensitive analyses have different library dependencies and there are places that want to depend on analysis without the flow sensitive bits or the other way round?

(Why are these files in a subdirectory at all?)

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
FlowSensitive/
11 lines
9 lines
14 lines
lib/
Analysis/
FlowSensitive/
124 lines
unittests/
Analysis/
2 lines
FlowSensitive/
20 lines
148 lines

Diff 393418

clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h

Show All 9 Lines
// that run over Control-Flow Graphs (CFGs) to keep track of the state of the // that run over Control-Flow Graphs (CFGs) to keep track of the state of the
// program at given program points. // program at given program points.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWENVIRONMENT_H #ifndef LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWENVIRONMENT_H
#define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWENVIRONMENT_H #define LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWENVIRONMENT_H
#include "clang/Analysis/FlowSensitive/DataflowLattice.h"
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
/// Holds the state of the program (store and heap) at a given program point. /// Holds the state of the program (store and heap) at a given program point.
class Environment {}; class Environment {
public:
bool operator==(const Environment &) const { return true; }
LatticeJoinEffect join(const Environment &) {
return LatticeJoinEffect::Unchanged;
}
};
} // namespace dataflow } // namespace dataflow
} // namespace clang } // namespace clang
#endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWENVIRONMENT_H #endif // LLVM_CLANG_ANALYSIS_FLOWSENSITIVE_DATAFLOWENVIRONMENT_H

clang/include/clang/Analysis/FlowSensitive/DataflowWorklist.h

Show First 20 LinesShow All 55 Lines▼ Show 20 Linesstruct ReversePostOrderCompare {
} }
}; };
/// A worklist implementation for forward dataflow analysis. The enqueued /// A worklist implementation for forward dataflow analysis. The enqueued
/// blocks will be dequeued in reverse post order. The worklist cannot contain /// blocks will be dequeued in reverse post order. The worklist cannot contain
/// the same block multiple times at once. /// the same block multiple times at once.
struct ForwardDataflowWorklist struct ForwardDataflowWorklist
: DataflowWorklistBase<ReversePostOrderCompare, 20> { : DataflowWorklistBase<ReversePostOrderCompare, 20> {
ForwardDataflowWorklist(const CFG &Cfg, PostOrderCFGView *POV)
: DataflowWorklistBase(Cfg, POV,
ReversePostOrderCompare{POV->getComparator()}) {}
ForwardDataflowWorklist(const CFG &Cfg, AnalysisDeclContext &Ctx) ForwardDataflowWorklist(const CFG &Cfg, AnalysisDeclContext &Ctx)
: DataflowWorklistBase( : ForwardDataflowWorklist(Cfg, Ctx.getAnalysis<PostOrderCFGView>()) {}
Cfg, Ctx.getAnalysis<PostOrderCFGView>(),
ReversePostOrderCompare{
Ctx.getAnalysis<PostOrderCFGView>()->getComparator()}) {}
void enqueueSuccessors(const CFGBlock *Block) { void enqueueSuccessors(const CFGBlock *Block) {
for (auto B : Block->succs()) for (auto B : Block->succs())
enqueueBlock(B); enqueueBlock(B);
} }
}; };
/// A worklist implementation for backward dataflow analysis. The enqueued /// A worklist implementation for backward dataflow analysis. The enqueued
Show All 18 Lines

clang/include/clang/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.h

Show First 20 LinesShow All 70 Lines▼ Show 20 Lines
struct TypeErasedDataflowAnalysisState { struct TypeErasedDataflowAnalysisState {
/// Type-erased model of a program property. /// Type-erased model of a program property.
TypeErasedLattice Lattice; TypeErasedLattice Lattice;
/// Model of the state of the program (store and heap). /// Model of the state of the program (store and heap).
Environment Env; Environment Env;
}; };
/// Transfers the state of a basic block by evaluating each of its statements in
/// the context of `Analysis` and the states of its predecessors that are
/// available in `BlockStates`.
///
/// Requirements:
///
/// All predecessors of `Block` except those with loop back edges must have
/// already been transferred. States in `BlockStates` that are set to
/// `llvm::None` represent basic blocks that are not evaluated yet.
TypeErasedDataflowAnalysisState transferBlock(
std::vector<llvm::Optional<TypeErasedDataflowAnalysisState>> &BlockStates,
const CFGBlock &Block, const Environment &InitEnv,
TypeErasedDataflowAnalysis &Analysis);
/// Performs dataflow analysis and returns a mapping from basic block IDs to /// Performs dataflow analysis and returns a mapping from basic block IDs to
/// dataflow analysis states that model the respective basic blocks. Indices /// dataflow analysis states that model the respective basic blocks. Indices
/// of the returned vector correspond to basic block IDs. /// of the returned vector correspond to basic block IDs.
/// ///
/// Requirements: /// Requirements:
/// ///
/// `Cfg` must have been built with `CFG::BuildOptions::setAllAlwaysAdd()` to /// `Cfg` must have been built with `CFG::BuildOptions::setAllAlwaysAdd()` to
/// ensure that all sub-expressions in a basic block are evaluated. /// ensure that all sub-expressions in a basic block are evaluated.
Show All 9 Lines

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp

//===- TypeErasedDataflowAnalysis.cpp -------------------------------------===// //===- TypeErasedDataflowAnalysis.cpp -------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines type-erased base types and functions for building dataflow // This file defines type-erased base types and functions for building dataflow
// analyses that run over Control-Flow Graphs (CFGs). // analyses that run over Control-Flow Graphs (CFGs).
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include <utility>
#include <vector> #include <vector>
#include "clang/Analysis/Analyses/PostOrderCFGView.h"
#include "clang/Analysis/CFG.h" #include "clang/Analysis/CFG.h"
#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h" #include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"
#include "clang/Analysis/FlowSensitive/DataflowWorklist.h"
#include "clang/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.h" #include "clang/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.h"
#include "llvm/ADT/None.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include "llvm/Support/raw_ostream.h"
using namespace clang; namespace clang {
using namespace dataflow; namespace dataflow {
/// Computes the input state for a given basic block by joining the output
/// states of its predecessors.
///
ymandelUnsubmitted
Not Done
ReplyInline Actions

should this be declared in the header? If not, please mark static.

ymandel: should this be declared in the header? If not, please mark static.
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

Marked it as static.

sgatev: Marked it as static.
/// Requirements:
xazax.hunUnsubmitted
Done
ReplyInline Actions

Alternatively, if we have a bottom, forall e in lattice join(e, bottom) == e, so we do not really need optionals and can express nodes that do not contribute to the state using the bottom value. (Or using top, depending on the orientation for our lattices, unfortunately the literature is using both orientations which is really confusing.)

I'm fine with the current approach, but I'd love to see a function level comment about nullopts representing nodes that were not yet evaluated.

xazax.hun: Alternatively, if we have a bottom, `forall e in lattice join(e, bottom) == e`, so we do not…
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

Right. Perhaps we can use Analysis.typeErasedInitialElement() and InitEnv to express states of blocks that were not evaluated? In practice, these often coincide with bottom. In that case we're loosing the ability to understand which blocks have been evaluated. An alternative, as you mentioned, would be to require an additional bottom element to be provided by the analysis. I added a function level comment for now and will consider this a bit more.

sgatev: Right. Perhaps we can use `Analysis.typeErasedInitialElement()` and `InitEnv` to express states…
///
/// All predecessors of `Block` except those with loop back edges must have
/// already been transferred. States in `BlockStates` that are set to
xazax.hunUnsubmitted
Done
ReplyInline Actions

I did not catch this earlier, but I wonder if we should pass the block in to typeErasedInitialElement. There are some analysis where the initial element might be different for certain nodes. E.g. here is the algorithms for computing dominators from wikipedia:

// dominator of the start node is the start itself
Dom(n0) = {n0}
// for all other nodes, set all nodes as the dominators
for each n in N - {n0}
    Dom(n) = N;
// iteratively eliminate nodes that are not dominators
while changes in any Dom(n)
    for each n in N - {n0}:
        Dom(n) = {n} union with intersection over Dom(p) for all p in pred(n)

Here the initial analysis state for the entry node differs from the initial state for the rest of the nodes.

xazax.hun: I did not catch this earlier, but I wonder if we should pass the block in to…
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

Good point, though, I'm not sure if this algorithm is the best choice for such an analysis. It seems that in that case we don't need to evaluate the statements in the basic blocks, right? Perhaps we can generalize the algorithm or offer a separate one for more efficient implementation of such analyses. I added a FIXME and will consider this a bit more.

sgatev: Good point, though, I'm not sure if this algorithm is the best choice for such an analysis. It…
xazax.hunUnsubmitted
Done
ReplyInline Actions

Dominators is one example, but there might be other analyses where the initial state differs :)
Since this change is really easy to make, I'm ok deferring this until we see the actual need.

xazax.hun: Dominators is one example, but there might be other analyses where the initial state differs :)…
/// `llvm::None` represent basic blocks that are not evaluated yet.
static TypeErasedDataflowAnalysisState computeBlockInputState(
std::vector<llvm::Optional<TypeErasedDataflowAnalysisState>> &BlockStates,
const CFGBlock &Block, const Environment &InitEnv,
TypeErasedDataflowAnalysis &Analysis) {
// FIXME: Consider passing `Block` to `Analysis.typeErasedInitialElement()`
// to enable building analyses like computation of dominators that initialize
// the state of each basic block differently.
TypeErasedDataflowAnalysisState State = {Analysis.typeErasedInitialElement(),
InitEnv};
for (const CFGBlock *Pred : Block.preds()) {
// Skip if the `Block` is unreachable or control flow cannot get past it.
if (!Pred || Pred->hasNoReturnElement())
continue;
// Skip if `Pred` was not evaluated yet. This could happen if `Pred` has a
// loop back edge to `Block`.
const llvm::Optional<TypeErasedDataflowAnalysisState> &MaybePredState =
BlockStates[Pred->getBlockID()];
if (!MaybePredState.hasValue())
continue;
const TypeErasedDataflowAnalysisState &PredState =
MaybePredState.getValue();
Analysis.joinTypeErased(State.Lattice, PredState.Lattice);
State.Env.join(PredState.Env);
}
ymandelUnsubmitted
Done
ReplyInline Actions

Please declare this function in the header.

ymandel: Please declare this function in the header.
return State;
}
TypeErasedDataflowAnalysisState transferBlock(
std::vector<llvm::Optional<TypeErasedDataflowAnalysisState>> &BlockStates,
const CFGBlock &Block, const Environment &InitEnv,
TypeErasedDataflowAnalysis &Analysis) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think this is fine for now, but in general, CFGStmt is probably not the only kind of CFGElement that we want to evaluate.

E.g., CFGImplicitDtor or CFGLifetimeEnds might also be interesting in the future if we want to find certain problems, like dereferencing an invalid pointer. I'd love to see a FIXME.

xazax.hun: I think this is fine for now, but in general, `CFGStmt` is probably not the only kind of…
TypeErasedDataflowAnalysisState State =
computeBlockInputState(BlockStates, Block, InitEnv, Analysis);
for (const CFGElement &Element : Block) {
// FIXME: Evaluate other kinds of `CFGElement`.
const llvm::Optional<CFGStmt> Stmt = Element.getAs<CFGStmt>();
if (!Stmt.hasValue())
continue;
// FIXME: Evaluate the statement contained in `Stmt`.
State.Lattice = Analysis.transferTypeErased(Stmt.getValue().getStmt(),
State.Lattice, State.Env);
}
return State;
}
std::vector<llvm::Optional<TypeErasedDataflowAnalysisState>> std::vector<llvm::Optional<TypeErasedDataflowAnalysisState>>
runTypeErasedDataflowAnalysis(const CFG &Cfg, runTypeErasedDataflowAnalysis(const CFG &Cfg,
TypeErasedDataflowAnalysis &Analysis, TypeErasedDataflowAnalysis &Analysis,
const Environment &InitEnv) { const Environment &InitEnv) {
// FIXME: Consider enforcing that `Cfg` meets the requirements that // FIXME: Consider enforcing that `Cfg` meets the requirements that
// are specified in the header. This could be done by remembering // are specified in the header. This could be done by remembering
// what options were used to build `Cfg` and asserting on them here. // what options were used to build `Cfg` and asserting on them here.
// FIXME: Implement work list-based algorithm to compute the fixed PostOrderCFGView POV(&Cfg);
// point of `Analysis::transform` for every basic block in `Cfg`. ForwardDataflowWorklist Worklist(Cfg, &POV);
return {};
std::vector<llvm::Optional<TypeErasedDataflowAnalysisState>> BlockStates;
BlockStates.resize(Cfg.size(), llvm::None);
// The entry basic block doesn't contain statements so it can be skipped.
const CFGBlock &Entry = Cfg.getEntry();
BlockStates[Entry.getBlockID()] = {Analysis.typeErasedInitialElement(),
InitEnv};
Worklist.enqueueSuccessors(&Entry);
// Bugs in lattices and transfer functions can prevent the analysis from
// converging. To limit the damage (infinite loops) that these bugs can cause,
// limit the number of iterations.
// FIXME: Consider making the maximum number of iterations configurable.
xazax.hunUnsubmitted
Done
ReplyInline Actions

I'd strongly suggest setting up some statistics in the future: https://llvm.org/docs/ProgrammersManual.html#the-statistic-class-stats-option

Having some counters, like how many function timed out, what is the average iteration count and so on could be very handy to monitor the performance of the analysis before and after some changes (both for client analyses or for the framework itself).

xazax.hun: I'd strongly suggest setting up some statistics in the future: https://llvm.
// FIXME: Set up statistics (see llvm/ADT/Statistic.h) to count average number
// of iterations, number of functions that time out, etc.
unsigned Iterations = 0;
static constexpr unsigned MaxIterations = 1 << 16;
while (const CFGBlock *Block = Worklist.dequeue()) {
if (++Iterations > MaxIterations) {
llvm::errs() << "Maximum number of iterations reached, giving up.\n";
break;
}
const llvm::Optional<TypeErasedDataflowAnalysisState> &OldBlockState =
BlockStates[Block->getBlockID()];
TypeErasedDataflowAnalysisState NewBlockState =
transferBlock(BlockStates, *Block, InitEnv, Analysis);
if (OldBlockState.hasValue() &&
Analysis.isEqualTypeErased(OldBlockState.getValue().Lattice,
NewBlockState.Lattice) &&
OldBlockState->Env == NewBlockState.Env) {
// The state of `Block` didn't change after transfer so there's no need to
// revisit its successors.
continue;
} }
BlockStates[Block->getBlockID()] = std::move(NewBlockState);
// Do not add unreachable successor blocks to `Worklist`.
if (Block->hasNoReturnElement())
continue;
xazax.hunUnsubmitted
Done
ReplyInline Actions

If a block still has None as its state at this point, it is unreachable in the CFG. One option is to ignore them, as we do at the moment and it is completely fine and should not change this patch. But for some analysis in the future, we might want to check dead code as well (it might be dead for the current platform due to some preprocessor defines but alive for some other). E.g., it would also be nice to diagnose a null dereference in a block that was not reached.

xazax.hun: If a block still has `None` as its state at this point, it is unreachable in the CFG. One…
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

I added a FIXME to consider evaluating unreachable blocks. However, I think it's preferable to run the analysis with the same configuration that will be used to compile the code. Do you think this isn't always possible/practical?

sgatev: I added a FIXME to consider evaluating unreachable blocks. However, I think it's preferable to…
Worklist.enqueueSuccessors(Block);
}
// FIXME: Consider evaluating unreachable basic blocks (those that have a
// state set to `llvm::None` at this point) to also analyze dead code.
return BlockStates;
}
} // namespace dataflow
} // namespace clang

clang/unittests/Analysis/CMakeLists.txt

Show All 22 Linesclang_target_link_libraries(ClangAnalysisTests
clangTesting clangTesting
clangTooling clangTooling
) )
target_link_libraries(ClangAnalysisTests target_link_libraries(ClangAnalysisTests
PRIVATE PRIVATE
LLVMTestingSupport LLVMTestingSupport
) )
add_subdirectory(FlowSensitive)

clang/unittests/Analysis/FlowSensitive/CMakeLists.txt

  • This file was added.
set(LLVM_LINK_COMPONENTS
Support
ymandelUnsubmitted
Done
ReplyInline Actions

Why create a new sub directory? From what I've seen elsewhere, it seems uncommon. I'm fine either way, but want to be sure we have a good reason for differing.

ymandel: Why create a new sub directory? From what I've seen elsewhere, it seems uncommon. I'm fine…
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

I created the directory to match the structure in llvm-project/clang/include/clang/Analysis/FlowSensitive and llvm-project/clang/lib/Analysis/FlowSensitive. In general, I think it'd be easier to find related code if it's structured similarly. If this doesn't follow the established practices for the project I'd be happy to change it.

sgatev: I created the directory to match the structure in llvm…
thakisUnsubmitted
Not Done
ReplyInline Actions

I'm also confused by this.

Would this work:

% git diff
diff --git a/clang/lib/Analysis/CMakeLists.txt b/clang/lib/Analysis/CMakeLists.txt
index 16e3f474060c..eec02b31a9a8 100644
--- a/clang/lib/Analysis/CMakeLists.txt
+++ b/clang/lib/Analysis/CMakeLists.txt
@@ -18,6 +18,7 @@ add_clang_library(clangAnalysis
   CodeInjector.cpp
   Dominators.cpp
   ExprMutationAnalyzer.cpp
+  FlowSensitive/TypeErasedDataflowAnalysis.cpp
   IssueHash.cpp
   LiveVariables.cpp
   MacroExpansionContext.cpp
@@ -44,4 +45,3 @@ add_clang_library(clangAnalysis
   )

 add_subdirectory(plugins)
-add_subdirectory(FlowSensitive)
diff --git a/clang/unittests/Analysis/CMakeLists.txt b/clang/unittests/Analysis/CMakeLists.txt
index 7e2a00b96057..f1cb402268c0 100644
--- a/clang/unittests/Analysis/CMakeLists.txt
+++ b/clang/unittests/Analysis/CMakeLists.txt
@@ -8,6 +8,7 @@ add_clang_unittest(ClangAnalysisTests
   CFGTest.cpp
   CloneDetectionTest.cpp
   ExprMutationAnalyzerTest.cpp
+  FlowSensitive/TypeErasedDataflowAnalysisTest.cpp
   MacroExpansionContextTest.cpp
   )

Or do the flow-sensitive analyses have different library dependencies and there are places that want to depend on analysis without the flow sensitive bits or the other way round?

(Why are these files in a subdirectory at all?)

thakis: I'm also confused by this. Would this work: ``` % git diff diff --git…
)
add_clang_unittest(ClangAnalysisFlowSensitiveTests
TypeErasedDataflowAnalysisTest.cpp
)
clang_target_link_libraries(ClangAnalysisFlowSensitiveTests
PRIVATE
clangAnalysis
clangAnalysisFlowSensitive
clangAST
clangASTMatchers
clangBasic
clangFrontend
clangTesting
clangTooling
)

clang/unittests/Analysis/FlowSensitive/TypeErasedDataflowAnalysisTest.cpp

  • This file was added.
//===- unittests/Analysis/FlowSensitive/TypeErasedDataflowAnalysisTest.cpp ===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "clang/AST/Decl.h"
#include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Analysis/CFG.h"
#include "clang/Analysis/FlowSensitive/DataflowAnalysis.h"
#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"
#include "clang/Analysis/FlowSensitive/DataflowLattice.h"
#include "clang/Tooling/Tooling.h"
#include "llvm/ADT/StringRef.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include <cassert>
#include <memory>
#include <vector>
using namespace clang;
using namespace dataflow;
template <typename AnalysisT>
class AnalysisCallback : public ast_matchers::MatchFinder::MatchCallback {
public:
void run(const ast_matchers::MatchFinder::MatchResult &Result) override {
assert(BlockStates.empty());
gribozavr2Unsubmitted
Done
ReplyInline Actions

Add assert(BlockStates.empty()); ?

gribozavr2: Add `assert(BlockStates.empty());` ?
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

Done, and also changed the other ASSERT_THAT to assert.

sgatev: Done, and also changed the other `ASSERT_THAT` to `assert`.
const auto *Func = Result.Nodes.getNodeAs<FunctionDecl>("func");
assert(Func != nullptr);
Stmt *Body = Func->getBody();
assert(Body != nullptr);
// FIXME: Consider providing a utility that returns a `CFG::BuildOptions`
// which is a good default for most clients or a utility that directly
// builds the `CFG` using default `CFG::BuildOptions`.
xazax.hunUnsubmitted
Done
ReplyInline Actions

I wonder if the dataflow analysis framework should provide a factory that that returns a CFG::BuildOptions which is a good default for most clients. Can be in a follow-up patch, or completely ignored. Or maybe even a convenience function running the analysis on a function definition without the user having to know about the CFG.

xazax.hun: I wonder if the dataflow analysis framework should provide a factory that that returns a `CFG…
sgatevAuthorUnsubmitted
Done
ReplyInline Actions

I added a FIXME. A utility that runs an analysis on a function definition would mean that the CFG will need to be built each time we want to run an analysis which could be wasteful if we want to run several analyses on the same CFG. Perhaps we can consider providing a function that builds the CFG using default options and returns it, possibly wrapped in another type.

sgatev: I added a FIXME. A utility that runs an analysis on a function definition would mean that the…
CFG::BuildOptions Options;
Options.AddImplicitDtors = true;
Options.AddTemporaryDtors = true;
Options.setAllAlwaysAdd();
std::unique_ptr<CFG> Cfg =
CFG::buildCFG(nullptr, Body, Result.Context, Options);
assert(Cfg != nullptr);
AnalysisT Analysis(*Result.Context);
Environment Env;
BlockStates = runDataflowAnalysis(*Cfg, Analysis, Env);
}
std::vector<
llvm::Optional<DataflowAnalysisState<typename AnalysisT::Lattice>>>
BlockStates;
};
gribozavr2Unsubmitted
Done
ReplyInline Actions

Please prefer StringRef to const char * if possible.

gribozavr2: Please prefer StringRef to `const char *` if possible.
template <typename AnalysisT>
std::vector<llvm::Optional<DataflowAnalysisState<typename AnalysisT::Lattice>>>
runAnalysis(llvm::StringRef Code) {
std::unique_ptr<ASTUnit> AST =
tooling::buildASTFromCodeWithArgs(Code, {"-std=c++11"});
AnalysisCallback<AnalysisT> Callback;
ast_matchers::MatchFinder Finder;
Finder.addMatcher(
ast_matchers::functionDecl(ast_matchers::hasName("target")).bind("func"),
&Callback);
Finder.matchAST(AST->getASTContext());
return Callback.BlockStates;
}
class NoopLattice {
public:
bool operator==(const NoopLattice &) const { return true; }
LatticeJoinEffect join(const NoopLattice &) {
return LatticeJoinEffect::Unchanged;
}
};
class NoopAnalysis : public DataflowAnalysis<NoopAnalysis, NoopLattice> {
public:
NoopAnalysis(ASTContext &Context)
: DataflowAnalysis<NoopAnalysis, NoopLattice>(Context) {}
static NoopLattice initialElement() { return {}; }
NoopLattice transfer(const Stmt *S, const NoopLattice &E, Environment &Env) {
return {};
}
};
TEST(DataflowAnalysisTest, NoopAnalysis) {
auto BlockStates = runAnalysis<NoopAnalysis>(R"(
void target() {}
)");
EXPECT_EQ(BlockStates.size(), 2u);
EXPECT_TRUE(BlockStates[0].hasValue());
EXPECT_TRUE(BlockStates[1].hasValue());
}
struct NonConvergingLattice {
int State;
bool operator==(const NonConvergingLattice &Other) const {
return State == Other.State;
}
LatticeJoinEffect join(const NonConvergingLattice &Other) {
if (Other.State == 0)
return LatticeJoinEffect::Unchanged;
State += Other.State;
return LatticeJoinEffect::Changed;
}
};
class NonConvergingAnalysis
: public DataflowAnalysis<NonConvergingAnalysis, NonConvergingLattice> {
public:
explicit NonConvergingAnalysis(ASTContext &Context)
: DataflowAnalysis<NonConvergingAnalysis, NonConvergingLattice>(Context) {
}
static NonConvergingLattice initialElement() { return {0}; }
NonConvergingLattice transfer(const Stmt *S, const NonConvergingLattice &E,
Environment &Env) {
return {E.State + 1};
}
};
TEST(DataflowAnalysisTest, NonConvergingAnalysis) {
auto BlockStates = runAnalysis<NonConvergingAnalysis>(R"(
void target() {
while(true) {}
}
)");
EXPECT_EQ(BlockStates.size(), 4u);
EXPECT_FALSE(BlockStates[0].hasValue());
EXPECT_TRUE(BlockStates[1].hasValue());
EXPECT_TRUE(BlockStates[2].hasValue());
EXPECT_TRUE(BlockStates[3].hasValue());
}