This is an archive of the discontinued LLVM Phabricator instance.

Differential D121797

[clang][dataflow] Add modeling of Chromium's CHECK functionality
ClosedPublic

Authored by ymandel on Mar 16 2022, 6:00 AM.

Details

Reviewers
xazax.hun
sgatev
Commits
rGa36c2dd6d54c: [clang][dataflow] Add modeling of Chromium's CHECK functionality
Summary

Chromium's implementation of assertions (CHECK, DCHECK, etc.) are not
annotated with "noreturn", by default. This patch adds a model of the logical
implications of successfully executing one of these assertions.

Diff Detail

Unit TestsFailed

TimeTest
1,520 msx64 debian > AddressSanitizer-x86_64-linux-dynamic.TestCases::large_func_test.cpp
1,990 msx64 debian > AddressSanitizer-x86_64-linux.TestCases::large_func_test.cpp

Event Timeline

ymandel created this revision.Mar 16 2022, 6:00 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 16 2022, 6:00 AM
Herald added subscribers: tschuett, steakhal, rnkovacs, mgorny. · View Herald Transcript
ymandel requested review of this revision.Mar 16 2022, 6:00 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 16 2022, 6:00 AM
Harbormaster completed remote builds in B154581: Diff 415796.Mar 16 2022, 6:01 AM
ymandel added a parent revision: D121796: [clang][dataflow] Add an API for dataflow "models" -- reusable analysis components..Mar 16 2022, 6:01 AM
gribozavr2 added inline comments.Mar 16 2022, 7:08 AM
clang/lib/Analysis/FlowSensitive/Models/ChromiumCheckModel.cpp
17–18

Please don't repeat the comment from the header in the cc file.

36
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
207

Sorry, could you explain how this works? I think the flow condition should not be implying 'Foo' since we're supposed to ignore this unrelated Check() call.

ymandel updated this revision to Diff 415821.Mar 16 2022, 7:17 AM

fix test

ymandel marked 3 inline comments as done.Mar 16 2022, 7:19 AM
ymandel added inline comments.
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
207

Good catch -- that was a typo (and the test was failing -- I'd gone back and forth on the formulation and uploaded at the wrong point).

Harbormaster completed remote builds in B154596: Diff 415821.Mar 16 2022, 7:55 AM
ymandel updated this revision to Diff 415936.Mar 16 2022, 12:13 PM
ymandel marked an inline comment as done.

removed lattice dependency.

xazax.hun accepted this revision.Mar 16 2022, 12:49 PM
xazax.hun added inline comments.
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
122

I wonder whether the models should actually be called by the framework at some point.
E.g. imagine the following scenario:

void f()
{
    std::optional<int> o(5);
    if (o)
    {
        // dead code here;
    }
}

In an ideal case, an analysis could use the std::optional modeling to realize that the code in the if statement is dead and use this fact to improve its precision. Explicitly request the modeling in the transfer function works OK when we only have a couple things to model. But it might not scale in the future. When we model dozens of standard types and functions we would not want all the analysis clients to invoke all the transfers for all the models individually.

This revision is now accepted and ready to land.Mar 16 2022, 12:49 PM
Harbormaster completed remote builds in B154669: Diff 415936.Mar 16 2022, 12:50 PM
ymandel marked an inline comment as done.Mar 16 2022, 12:57 PM

Thanks for the review!

clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
122

Agreed. It seems similar the problems that motivated DLLs back in the day. there's clearly a lot to be worked out here in terms of how best to support composition. It's probably worth a RFC or somesuch to discuss in more depth.

xazax.hun added inline comments.Mar 16 2022, 3:23 PM
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
122

Having an RFC and some deeper discussions would be great. I also wonder whether modeling arbitrary Stmts is the right approach. The peculiarities of the language should probably be modelled by the framework itself without any extensions. Maybe we only want the modeling of certain function calls to be customizable?

sgatev accepted this revision.Mar 18 2022, 3:55 AM
sgatev added inline comments.
clang/include/clang/Analysis/FlowSensitive/Models/ChromiumCheckModel.h
15

This is unnecessary.

clang/lib/Analysis/FlowSensitive/Models/ChromiumCheckModel.cpp
49–55
51

Shouldn't this be part of isCheckLikeMethod?

52
57
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
90

Perhaps "Incorrect" instead of "Bad" and comment on what makes it incorrect?

133

We're not testing with other standards so remove this?

ymandel updated this revision to Diff 416479.Mar 18 2022, 6:28 AM
ymandel marked an inline comment as done.

address comments

ymandel updated this revision to Diff 416494.Mar 18 2022, 7:06 AM
ymandel marked 6 inline comments as done.

address comments

ymandel marked an inline comment as done.Mar 18 2022, 7:07 AM
ymandel added inline comments.Mar 18 2022, 7:10 AM
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
122

Good question. It would be really nice if we could draw this line, but I have a bad feeling that it won't be so simple. :) Still, worth looking at our existing models, and new ones that we're developing, to see if we can find a clear "bounding box".

What does CSA do in this regard?

This revision was landed with ongoing or failed builds.Mar 18 2022, 7:40 AM
Closed by commit rGa36c2dd6d54c: [clang][dataflow] Add modeling of Chromium's CHECK functionality (authored by ymandel). · Explain Why
This revision was automatically updated to reflect the committed changes.
ymandel added a commit: rGa36c2dd6d54c: [clang][dataflow] Add modeling of Chromium's CHECK functionality.
Harbormaster completed remote builds in B155044: Diff 416494.Mar 18 2022, 7:43 AM
xbolva00 added a subscriber: xbolva00.Mar 18 2022, 8:12 AM

Why this should be maintained and developed by LLVM/Clang developers and not by Chromium?

ymandel added a comment.Mar 18 2022, 9:23 AM
In D121797#3392444, @xbolva00 wrote:

Why this should be maintained and developed by LLVM/Clang developers and not by Chromium?

That's a good question. I think the short answer, that skirts around the issue, is that this is targeted for use in an upcoming clang-tidy check, and we don't have any framework for clients developing their own pluggable models for individual checks. Chromium could find some way to patch their clang-tidy source, I suppose, but we'd rather not encourage that. This framework is new and under development and the benefit of accomodating Chromium (in this very small way) seems worth the feedback from them applying it to their codebase.

That said, we are *also* in discussions with them to change their implement of CHECK, etc. so as to obviate the need for this model at all.

xazax.hun added inline comments.Mar 18 2022, 9:46 AM
clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp
122

In the CSA, there is no clear distinction between modeling and diagnostics, each check can do both. Historically, this turned out to be a bad idea. When we have a check that is doing both modeling and diagnostics, users can end up turning the check off due to some false positives and end up getting worse results from other checks because some critical piece of modeling is also turned off. (E.g., even if there are a couple of false positives from a std::optional check, it might still be beneficial to do the modeling in the background without the diagnostics because it might help discover infeasible paths and that can improve the precision of other checks).

Nowadays, we try to make the distinction clear, some checks are modeling only and others are diagnostic only (they might still have their own modeling but they do not affect the global analysis state, i.e., the diagnostic only checks should not be able to affect each other). This distinction is currently a best effort approach and not enforced by any of the APIs.

In CSA, the checker APIs are very powerful. E.g., if there is a pointer with an unknown value and we see a dereference, we can continue the analysis with the assumption that the pointer is not-null. These assumptions could be added by the framework itself or just a regular check. Over time, we are trying to move as much modeling to (non-diagnostic) checks as possible to keep the framework lightweight but most of the meat is still in the framework.

To model libraries, we are using the evalCall callback: https://github.com/llvm/llvm-project/blob/main/clang/lib/StaticAnalyzer/Checkers/CheckerDocumentation.cpp#L229

Roughly speaking the model looks like this:

  • The analyzer encounters a function call, so it asks all the checks in a sequence if any of them wants to model it
  • A check gets the evalCall callback and can do whatever it wants to do. Most of them will return false most of the time as they are only expected to handle a small subset of the functions.
  • This first check returning true will short-circuit this process.
  • If none of the checks returned true, the framework will fall back to a default modeling which is a conservative approximation of the call, i.e., invalidating the bindings that could be changes by the function (globals, output arguments, return values etc.)

The model above assumes that when a check return true it will end up modeling all the aspects of a function (like invalidation). A downside might be that it will not solve the composition, when multiple checks want to model the same function, well, the framework will just pick one of them. Also, modeling types is really challenging. E.g., if a modeling check models the constructor of a type but does not model the destructor, the framework will end up using the default modeling for the dtor. The problem is that, in that case the ctor was not modeled by the framework (but the modeling checker) so some invariants were not established. This can result in false positives or even crashes. Overall, it looks like modeling types is almost an all or nothing endeavor. If a check models at least one method of a type it is really likely that it will need to model at least a bunch more to ensure a good experience.

At Microsoft, we have a similar framework to CSA called EspXEngine. In EspXEngine, we have different APIs for modeling and diagnostic so the API enforce that diagnostic checks cannot influence each other. Our model for the modeling checks is very similar to CSA but the idea is that the modeling checks are maintained by the authors of EspXEngine (while diagnostic checks could be written by anyone), so conflicting models are less of a problem.

Both EspXEngine and CSA has problems chaining modeling checks. E.g., if CSA has modeling for unique_ptr and optional, optional<unique_ptr<int>> or unique_ptr<optional<int>> will not model every aspects of the inner type out of the box.

ymandel added a comment.Mar 21 2022, 6:57 AM

Thanks, Gabor -- that's a really helpful summary!

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
FlowSensitive/
Models/
40 lines
lib/
Analysis/
FlowSensitive/
Models/
1 line
59 lines
unittests/
Analysis/
FlowSensitive/
1 line
222 lines

Diff 415936

clang/include/clang/Analysis/FlowSensitive/Models/ChromiumCheckModel.h

  • This file was added.
//===-- ChromiumCheckModel.h ------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines a dataflow model for Chromium's family of CHECK functions.
//
//===----------------------------------------------------------------------===//
#ifndef CLANG_ANALYSIS_FLOWSENSITIVE_MODELS_CHROMIUMCHECKMODEL_H
#define CLANG_ANALYSIS_FLOWSENSITIVE_MODELS_CHROMIUMCHECKMODEL_H
#include "clang/AST/ASTContext.h"
sgatevUnsubmitted
Done
ReplyInline Actions

This is unnecessary.

sgatev: This is unnecessary.
#include "clang/AST/DeclCXX.h"
#include "clang/AST/Stmt.h"
#include "clang/Analysis/FlowSensitive/DataflowAnalysis.h"
#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"
#include "llvm/ADT/DenseSet.h"
namespace clang {
namespace dataflow {
/// Models the behavior of Chromium's CHECK, DCHECK, etc. macros, so that code
/// after a call to `*CHECK` can rely on the condition being true.
class ChromiumCheckModel : public DataflowModel {
public:
ChromiumCheckModel() = default;
bool transfer(const Stmt *Stmt, Environment &Env) override;
private:
/// Declarations for `::logging::CheckError::.*Check`, lazily initialized.
llvm::SmallDenseSet<const CXXMethodDecl *> CheckDecls;
};
} // namespace dataflow
} // namespace clang
#endif // CLANG_ANALYSIS_FLOWSENSITIVE_MODELS_CHROMIUMCHECKMODEL_H

clang/lib/Analysis/FlowSensitive/Models/CMakeLists.txt

add_clang_library(clangAnalysisFlowSensitiveModels add_clang_library(clangAnalysisFlowSensitiveModels
ChromiumCheckModel.cpp
UncheckedOptionalAccessModel.cpp UncheckedOptionalAccessModel.cpp
LINK_LIBS LINK_LIBS
clangAnalysis clangAnalysis
clangAnalysisFlowSensitive clangAnalysisFlowSensitive
clangAST clangAST
clangASTMatchers clangASTMatchers
clangBasic clangBasic
) )

clang/lib/Analysis/FlowSensitive/Models/ChromiumCheckModel.cpp

  • This file was added.
//===-- ChromiumCheckModel.cpp ----------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "clang/Analysis/FlowSensitive/Models/ChromiumCheckModel.h"
#include "clang/AST/Decl.h"
#include "clang/AST/DeclCXX.h"
#include "llvm/ADT/DenseSet.h"
namespace clang {
namespace dataflow {
/// Determines whether `D` is one of the methods used to implement Chromium's
/// `CHECK` macros. Populates `CheckDecls`, if empty.
gribozavr2Unsubmitted
Done
ReplyInline Actions

Please don't repeat the comment from the header in the cc file.

gribozavr2: Please don't repeat the comment from the header in the cc file.
bool isCheckLikeMethod(llvm::SmallDenseSet<const CXXMethodDecl *> &CheckDecls,
const CXXMethodDecl &D) {
if (CheckDecls.empty()) {
// Attempt to initialize `CheckDecls` with the methods in class
// `CheckError`.
const CXXRecordDecl *ParentClass = D.getParent();
if (ParentClass == nullptr || !ParentClass->getDeclName().isIdentifier() ||
ParentClass->getName() != "CheckError")
return false;
// Check whether namespace is "logging".
const auto *N =
dyn_cast_or_null<NamespaceDecl>(ParentClass->getDeclContext());
if (N == nullptr || !N->getDeclName().isIdentifier() ||
N->getName() != "logging")
return false;
// Check whether "logging" is a top-level namespace.
gribozavr2Unsubmitted
Done
ReplyInline Actions
return false;
- // Check whether "logging" is as a top-level namespace.
+ // Check whether "logging" is a top-level namespace.
if (N->getParent() == nullptr || !N->getParent()->isTranslationUnit())
gribozavr2:
if (N->getParent() == nullptr || !N->getParent()->isTranslationUnit())
return false;
for (const CXXMethodDecl *M : ParentClass->methods())
if (M->getDeclName().isIdentifier() && M->getName().endswith("Check"))
CheckDecls.insert(M);
}
return CheckDecls.contains(&D);
}
bool ChromiumCheckModel::transfer(const Stmt *Stmt, Environment &Env) {
if (const auto *Call = dyn_cast<CallExpr>(Stmt))
if (const auto *M = dyn_cast<CXXMethodDecl>(Call->getDirectCallee()))
if (M->isStatic() && isCheckLikeMethod(CheckDecls, *M)) {
sgatevUnsubmitted
Done
ReplyInline Actions

Shouldn't this be part of isCheckLikeMethod?

sgatev: Shouldn't this be part of `isCheckLikeMethod`?
// Logically, mark this branch as unreachable.
sgatevUnsubmitted
Done
ReplyInline Actions
if (M->isStatic() && isCheckLikeMethod(CheckDecls, *M)) {
- // Logically, mark this branch as unreachable.
+ // Mark this branch as unreachable.
Env.addToFlowCondition(Env.getBoolLiteralValue(false));
sgatev:
Env.addToFlowCondition(Env.getBoolLiteralValue(false));
return true;
}
sgatevUnsubmitted
Done
ReplyInline Actions
bool ChromiumCheckModel::transfer(const Stmt *Stmt, Environment &Env) {
- if (const auto *Call = dyn_cast<CallExpr>(Stmt))
- if (const auto *M = dyn_cast<CXXMethodDecl>(Call->getDirectCallee()))
+ if (const auto *Call = dyn_cast<CallExpr>(Stmt)) {
+ if (const auto *M = dyn_cast<CXXMethodDecl>(Call->getDirectCallee())) {
if (M->isStatic() && isCheckLikeMethod(CheckDecls, *M)) {
// Logically, mark this branch as unreachable.
Env.addToFlowCondition(Env.getBoolLiteralValue(false));
return true;
}
+ }
+ }
return false;
sgatev:
return false;
}
sgatevUnsubmitted
Done
ReplyInline Actions
return false;
}
+
} // namespace dataflow
sgatev:
} // namespace dataflow
} // namespace clang

clang/unittests/Analysis/FlowSensitive/CMakeLists.txt

set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
FrontendOpenMP FrontendOpenMP
Support Support
) )
add_clang_unittest(ClangAnalysisFlowSensitiveTests add_clang_unittest(ClangAnalysisFlowSensitiveTests
ChromiumCheckModelTest.cpp
DataflowAnalysisContextTest.cpp DataflowAnalysisContextTest.cpp
DataflowEnvironmentTest.cpp DataflowEnvironmentTest.cpp
MapLatticeTest.cpp MapLatticeTest.cpp
MatchSwitchTest.cpp MatchSwitchTest.cpp
MultiVarConstantPropagationTest.cpp MultiVarConstantPropagationTest.cpp
SingleVarConstantPropagationTest.cpp SingleVarConstantPropagationTest.cpp
SourceLocationsLatticeTest.cpp SourceLocationsLatticeTest.cpp
TestingSupport.cpp TestingSupport.cpp
Show All 26 Lines

clang/unittests/Analysis/FlowSensitive/ChromiumCheckModelTest.cpp

  • This file was added.
//===- ChromiumCheckModelTest.cpp -----------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// FIXME: Move this to clang/unittests/Analysis/FlowSensitive/Models.
#include "clang/Analysis/FlowSensitive/Models/ChromiumCheckModel.h"
#include "NoopAnalysis.h"
#include "TestingSupport.h"
#include "clang/AST/ASTContext.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/Tooling/Tooling.h"
#include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/Support/Error.h"
#include "llvm/Testing/Support/Error.h"
#include "gmock/gmock.h"
#include "gtest/gtest.h"
#include <string>
using namespace clang;
using namespace dataflow;
using namespace test;
namespace {
using ::testing::_;
using ::testing::ElementsAre;
using ::testing::NotNull;
using ::testing::Pair;
static constexpr char ChromiumCheckHeader[] = R"(
namespace std {
class ostream;
} // namespace std
namespace logging {
class VoidifyStream {
public:
VoidifyStream() = default;
void operator&(std::ostream&) {}
};
class CheckError {
public:
static CheckError Check(const char* file, int line, const char* condition);
static CheckError DCheck(const char* file, int line, const char* condition);
static CheckError PCheck(const char* file, int line, const char* condition);
static CheckError PCheck(const char* file, int line);
static CheckError DPCheck(const char* file, int line, const char* condition);
std::ostream& stream();
~CheckError();
CheckError(const CheckError& other) = delete;
CheckError& operator=(const CheckError& other) = delete;
CheckError(CheckError&& other) = default;
CheckError& operator=(CheckError&& other) = default;
};
} // namespace logging
#define LAZY_CHECK_STREAM(stream, condition) \
!(condition) ? (void)0 : ::logging::VoidifyStream() & (stream)
#define CHECK(condition) \
LAZY_CHECK_STREAM( \
::logging::CheckError::Check(__FILE__, __LINE__, #condition).stream(), \
!(condition))
#define PCHECK(condition) \
LAZY_CHECK_STREAM( \
::logging::CheckError::PCheck(__FILE__, __LINE__, #condition).stream(), \
!(condition))
#define DCHECK(condition) \
LAZY_CHECK_STREAM( \
::logging::CheckError::DCheck(__FILE__, __LINE__, #condition).stream(), \
!(condition))
#define DPCHECK(condition) \
LAZY_CHECK_STREAM( \
::logging::CheckError::DPCheck(__FILE__, __LINE__, #condition).stream(), \
!(condition))
)";
static constexpr char BadChromiumCheckHeader[] = R"(
sgatevUnsubmitted
Done
ReplyInline Actions

Perhaps "Incorrect" instead of "Bad" and comment on what makes it incorrect?

sgatev: Perhaps "Incorrect" instead of "Bad" and comment on what makes it incorrect?
namespace other {
namespace logging {
class CheckError {
public:
static CheckError Check(const char* file, int line, const char* condition);
};
} // namespace logging
} // namespace other
)";
/// Replaces all occurrences of `Pattern` in `S` with `Replacement`.
std::string ReplacePattern(std::string S, const std::string &Pattern,
const std::string &Replacement) {
size_t Pos = 0;
Pos = S.find(Pattern, Pos);
if (Pos != std::string::npos)
S.replace(Pos, Pattern.size(), Replacement);
return S;
}
template <typename Model>
class ModelAdaptorAnalysis
: public DataflowAnalysis<ModelAdaptorAnalysis<Model>, NoopLattice> {
public:
explicit ModelAdaptorAnalysis(ASTContext &Context)
: DataflowAnalysis<ModelAdaptorAnalysis, NoopLattice>(
Context, /*ApplyBuiltinTransfer=*/true) {}
static NoopLattice initialElement() { return NoopLattice(); }
void transfer(const Stmt *S, NoopLattice &, Environment &Env) {
M.transfer(S, Env);
xazax.hunUnsubmitted
Done
ReplyInline Actions

I wonder whether the models should actually be called by the framework at some point.
E.g. imagine the following scenario:

void f()
{
    std::optional<int> o(5);
    if (o)
    {
        // dead code here;
    }
}

In an ideal case, an analysis could use the std::optional modeling to realize that the code in the if statement is dead and use this fact to improve its precision. Explicitly request the modeling in the transfer function works OK when we only have a couple things to model. But it might not scale in the future. When we model dozens of standard types and functions we would not want all the analysis clients to invoke all the transfers for all the models individually.

xazax.hun: I wonder whether the models should actually be called by the framework at some point. E.g.
ymandelAuthorUnsubmitted
Done
ReplyInline Actions

Agreed. It seems similar the problems that motivated DLLs back in the day. there's clearly a lot to be worked out here in terms of how best to support composition. It's probably worth a RFC or somesuch to discuss in more depth.

ymandel: Agreed. It seems similar the problems that motivated DLLs back in the day. there's clearly a…
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

Having an RFC and some deeper discussions would be great. I also wonder whether modeling arbitrary Stmts is the right approach. The peculiarities of the language should probably be modelled by the framework itself without any extensions. Maybe we only want the modeling of certain function calls to be customizable?

xazax.hun: Having an RFC and some deeper discussions would be great. I also wonder whether modeling…
ymandelAuthorUnsubmitted
Done
ReplyInline Actions

Good question. It would be really nice if we could draw this line, but I have a bad feeling that it won't be so simple. :) Still, worth looking at our existing models, and new ones that we're developing, to see if we can find a clear "bounding box".

What does CSA do in this regard?

ymandel: Good question. It would be really nice if we could draw this line, but I have a bad feeling…
xazax.hunUnsubmitted
Not Done
ReplyInline Actions

In the CSA, there is no clear distinction between modeling and diagnostics, each check can do both. Historically, this turned out to be a bad idea. When we have a check that is doing both modeling and diagnostics, users can end up turning the check off due to some false positives and end up getting worse results from other checks because some critical piece of modeling is also turned off. (E.g., even if there are a couple of false positives from a std::optional check, it might still be beneficial to do the modeling in the background without the diagnostics because it might help discover infeasible paths and that can improve the precision of other checks).

Nowadays, we try to make the distinction clear, some checks are modeling only and others are diagnostic only (they might still have their own modeling but they do not affect the global analysis state, i.e., the diagnostic only checks should not be able to affect each other). This distinction is currently a best effort approach and not enforced by any of the APIs.

In CSA, the checker APIs are very powerful. E.g., if there is a pointer with an unknown value and we see a dereference, we can continue the analysis with the assumption that the pointer is not-null. These assumptions could be added by the framework itself or just a regular check. Over time, we are trying to move as much modeling to (non-diagnostic) checks as possible to keep the framework lightweight but most of the meat is still in the framework.

To model libraries, we are using the evalCall callback: https://github.com/llvm/llvm-project/blob/main/clang/lib/StaticAnalyzer/Checkers/CheckerDocumentation.cpp#L229

Roughly speaking the model looks like this:

  • The analyzer encounters a function call, so it asks all the checks in a sequence if any of them wants to model it
  • A check gets the evalCall callback and can do whatever it wants to do. Most of them will return false most of the time as they are only expected to handle a small subset of the functions.
  • This first check returning true will short-circuit this process.
  • If none of the checks returned true, the framework will fall back to a default modeling which is a conservative approximation of the call, i.e., invalidating the bindings that could be changes by the function (globals, output arguments, return values etc.)

The model above assumes that when a check return true it will end up modeling all the aspects of a function (like invalidation). A downside might be that it will not solve the composition, when multiple checks want to model the same function, well, the framework will just pick one of them. Also, modeling types is really challenging. E.g., if a modeling check models the constructor of a type but does not model the destructor, the framework will end up using the default modeling for the dtor. The problem is that, in that case the ctor was not modeled by the framework (but the modeling checker) so some invariants were not established. This can result in false positives or even crashes. Overall, it looks like modeling types is almost an all or nothing endeavor. If a check models at least one method of a type it is really likely that it will need to model at least a bunch more to ensure a good experience.

At Microsoft, we have a similar framework to CSA called EspXEngine. In EspXEngine, we have different APIs for modeling and diagnostic so the API enforce that diagnostic checks cannot influence each other. Our model for the modeling checks is very similar to CSA but the idea is that the modeling checks are maintained by the authors of EspXEngine (while diagnostic checks could be written by anyone), so conflicting models are less of a problem.

Both EspXEngine and CSA has problems chaining modeling checks. E.g., if CSA has modeling for unique_ptr and optional, optional<unique_ptr<int>> or unique_ptr<optional<int>> will not model every aspects of the inner type out of the box.

xazax.hun: In the CSA, there is no clear distinction between modeling and diagnostics, each check can do…
}
private:
Model M;
};
class ChromiumCheckModelTest : public ::testing::TestWithParam<std::string> {
protected:
template <typename Matcher>
void runDataflow(llvm::StringRef Code, Matcher Match,
LangStandard::Kind Std = LangStandard::lang_cxx17) {
sgatevUnsubmitted
Done
ReplyInline Actions

We're not testing with other standards so remove this?

sgatev: We're not testing with other standards so remove this?
const tooling::FileContentMappings FileContents = {
{"check.h", ChromiumCheckHeader},
{"badcheck.h", BadChromiumCheckHeader}};
ASSERT_THAT_ERROR(
test::checkDataflow<ModelAdaptorAnalysis<ChromiumCheckModel>>(
Code, "target",
[](ASTContext &C, Environment &) {
return ModelAdaptorAnalysis<ChromiumCheckModel>(C);
},
[&Match](
llvm::ArrayRef<
std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
Results,
ASTContext &ASTCtx) { Match(Results, ASTCtx); },
{"-fsyntax-only", "-fno-delayed-template-parsing",
"-std=" +
std::string(
LangStandard::getLangStandardForKind(Std).getName())},
FileContents),
llvm::Succeeded());
}
};
TEST_F(ChromiumCheckModelTest, CheckSuccessImpliesConditionHolds) {
auto Expectations =
[](llvm::ArrayRef<
std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
Results,
ASTContext &ASTCtx) {
ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
const Environment &Env = Results[0].second.Env;
const ValueDecl *FooDecl = findValueDecl(ASTCtx, "Foo");
ASSERT_THAT(FooDecl, NotNull());
auto *FooVal = cast<BoolValue>(Env.getValue(*FooDecl, SkipPast::None));
EXPECT_TRUE(Env.flowConditionImplies(*FooVal));
};
std::string Code = R"(
#include "check.h"
void target(bool Foo) {
$check(Foo);
bool X = true;
(void)X;
// [[p]]
}
)";
runDataflow(ReplacePattern(Code, "$check", "CHECK"), Expectations);
runDataflow(ReplacePattern(Code, "$check", "DCHECK"), Expectations);
runDataflow(ReplacePattern(Code, "$check", "PCHECK"), Expectations);
runDataflow(ReplacePattern(Code, "$check", "DPCHECK"), Expectations);
}
TEST_F(ChromiumCheckModelTest, UnrelatedCheckIgnored) {
auto Expectations =
[](llvm::ArrayRef<
std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
Results,
ASTContext &ASTCtx) {
ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
const Environment &Env = Results[0].second.Env;
const ValueDecl *FooDecl = findValueDecl(ASTCtx, "Foo");
ASSERT_THAT(FooDecl, NotNull());
auto *FooVal = cast<BoolValue>(Env.getValue(*FooDecl, SkipPast::None));
EXPECT_FALSE(Env.flowConditionImplies(*FooVal));
};
gribozavr2Unsubmitted
Done
ReplyInline Actions

Sorry, could you explain how this works? I think the flow condition should not be implying 'Foo' since we're supposed to ignore this unrelated Check() call.

gribozavr2: Sorry, could you explain how this works? I think the flow condition should not be implying…
ymandelAuthorUnsubmitted
Done
ReplyInline Actions

Good catch -- that was a typo (and the test was failing -- I'd gone back and forth on the formulation and uploaded at the wrong point).

ymandel: Good catch -- that was a typo (and the test was failing -- I'd gone back and forth on the…
std::string Code = R"(
#include "badcheck.h"
void target(bool Foo) {
if (!Foo) {
(void)other::logging::CheckError::Check(__FILE__, __LINE__, "Foo");
}
bool X = true;
(void)X;
// [[p]]
}
)";
runDataflow(Code, Expectations);
}
} // namespace