This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
docs/
2/2
ReleaseNotes.rst
-
include/clang/
-
clang/
-
CrossTU/
-
CrossTranslationUnit.h
-
StaticAnalyzer/Core/
-
Core/
4/4
AnalyzerOptions.h
3/3
AnalyzerOptions.def
-
PathSensitive/
8/8
CallEvent.h
2/2
CoreEngine.h
2/2
ExprEngine.h
-
lib/
-
CrossTU/
-
CrossTranslationUnit.cpp
-
StaticAnalyzer/
-
Core/
2/2
AnalyzerOptions.cpp
-
CallEvent.cpp
1/1
CoreEngine.cpp
-
ExprEngine.cpp
16/17
ExprEngineCallAndReturn.cpp
-
Frontend/
-
AnalysisConsumer.cpp
-
test/Analysis/
-
Analysis/
-
Inputs/
-
ctu-onego-existingdef-other.cpp
2/2
ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt
-
ctu-onego-indirect-other.cpp
-
ctu-onego-indirect-other.cpp.externalDefMap.ast-dump.txt
-
ctu-onego-small-other.cpp
-
ctu-onego-small-other.cpp.externalDefMap.ast-dump.txt
-
ctu-onego-toplevel-other.cpp
-
ctu-onego-toplevel-other.cpp.externalDefMap.ast-dump.txt
-
analyzer-config.c
-
ctu-implicit.c
-
ctu-main.c
1/1
ctu-main.cpp
2/2
ctu-on-demand-parsing.c
1/1
ctu-on-demand-parsing.cpp
-
ctu-onego-existingdef.cpp
-
ctu-onego-indirect.cpp
-
ctu-onego-small.cpp
4/4
ctu-onego-toplevel.cpp

Differential D123773

[clang][analyzer][ctu] Make CTU a two phase analysis
ClosedPublic

Authored by martong on Apr 14 2022, 2:40 AM.

Download Raw Diff

Details

Reviewers

steakhal
NoQ
Szelethus
xazax.hun
shafik

Commits

rG56b9b97c1ef5: [clang][analyzer][ctu] Make CTU a two phase analysis

Summary

This new CTU implementation is the natural extension of the normal single TU
analysis. The approach consists of two analysis phases. During the first phase,
we do a normal single TU analysis. During this phase, if we find a foreign
function (that could be inlined from another TU) then we don’t inline that
immediately, we rather mark that to be analysed later.
When the first phase is finished then we start the second phase, the CTU phase.
In this phase, we continue the analysis from those points (exploded nodes)
which had been enqueued during the first phase. We gradually extend the
exploded graph of the single TU analysis with new nodes that are created by the
inlining of foreign functions.

We count the number of analysis steps of the first phase and we limit the
second (ctu) phase with this number.

This new implementation makes it convenient for the users to run the single-TU
and the CTU analysis in one go, they don't need to run the two analysis separately.
Thus, we name this new implementation as onego CTU.

Discussion:
https://discourse.llvm.org/t/rfc-much-faster-cross-translation-unit-ctu-analysis-implementation/61728

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

martong created this revision.Apr 14 2022, 2:40 AM

Herald added a reviewer: Szelethus. · View Herald TranscriptApr 14 2022, 2:40 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 9 others. · View Herald Transcript

martong requested review of this revision.Apr 14 2022, 2:40 AM

Herald added a project: Restricted Project. · View Herald TranscriptApr 14 2022, 2:40 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

martong added a parent revision: D123685: [clang][ASTImporter] Add isNewDecl.Apr 14 2022, 2:40 AM

martong added a reviewer: xazax.hun.

martong added inline comments.Apr 14 2022, 2:48 AM

clang/test/Analysis/ctu-main.cpp
161	This FIXME is outdated, got here during rebase.

martong added inline comments.Apr 14 2022, 2:48 AM

clang/lib/StaticAnalyzer/Core/CoreEngine.cpp
167	Well, not just for lit tests, I'll update the comment.

Harbormaster completed remote builds in B159639: Diff 422785.Apr 14 2022, 2:57 AM

martong added a child revision: D123784: [clang][analyzer][ctu] Traverse the ctu CallEnter nodes in reverse order.Apr 14 2022, 5:00 AM

> Make CTU a two phase analysis

At this point maybe it will be a three phase, as we might dump the ASTs/create index in phase 1 :)

During this phase, if we find a foreign function (that could be inlined from another TU) then we don’t inline that immediately, we rather mark that to be analysed later.

I wonder whether this is the right approach. Not inlining a function can also introduce false positives. While I do see why we do not want to inline ALL functions upfront, I wonder if we actually want to inline small functions. The CSA already has heuristics like this, to always inline really small functions (defined by the number of nodes in the Cfg) despite other cut heuristics and it was found to improve the quality of the results overall. I think doing something similar for CTU might ultimately improve the precision of the analysis. What do you think?

Add an option to config the inlining mode during the first phase
Change the ctu-main.c[pp] tests to have a RUN line with this new config option that mimics the old ctu implementation's behavor.
Change the on-demand-parsing tests back as they were in the baseline. Those files are sheer copies of the ctu-main files, actually, the on demand testing should be done in the ctu-main test files as well (added a fixme for that).

Harbormaster completed remote builds in B161798: Diff 425782.Apr 28 2022, 8:05 AM

Chosing the correct baseline this time

Harbormaster completed remote builds in B161800: Diff 425784.Apr 28 2022, 8:07 AM

martong added inline comments.Apr 28 2022, 8:10 AM

clang/test/Analysis/ctu-on-demand-parsing.c
23

Add more explanatory comments to the values of ctu-phase1-inlining
Fix typo in comments in ctu-on-demand-parsing tests
Remove stale comment, config options are desribed elsewhere

Harbormaster completed remote builds in B161972: Diff 426037.Apr 29 2022, 6:19 AM

xazax.hun added inline comments.May 6 2022, 9:08 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
116	I feel that we use different terms for the imported declarations. Sometimes we call them `new`, sometimes `imported`, sometimes `foreign`. In case all of these means the same thing, it would be nice to standardize on a single way of naming. If there is a subtle difference between them, let's document that in a comment. It would be nice if we did not need the comment after the declaration but it would be obvious from the variable name.
156	Why do we need this to be mutable? Shouldn't we have this information when the CallEvent is created?
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h
176	I think we do not expect the STU WorkList to ever be null, maybe it is time to clean this up and return a reference.
clang/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
91	The `CTUPhase1InliningMode` is coming from the user, right? Unless we have some validation in place before this code get called, I think it might not be a good idea to assert fail on certain user inputs.
clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
432	What is the meaning if the return value? It looks like the function always returns true.
446	So if we see the same foreign function called in multiple contexts, we will only queue one of the contexts for the CTU. Is this the intended design? So if I see: foreign(true); foreign(false); The new CTU will only evaluate `foreign(true)` but not `foreign(false)`.
513	So `getCTUWorkList` will return `nullptr` in the second phase? Reading this code first I had the impression we will skip doing marking them visited in the first phase. I think having a helper like `IsSecondCTUPhase` or something would make this a bit less confusing.
1123–1124	I think this is getting really confusing here. The comment saying we are not bifurcating and we call `ctuBifurcate`. While I do understand these are two different kinds of bifurcation but I think we should rethink how to name some of these functions.

Thanks for the review Gabor, I'll update soon and hope I could answer your questions.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
116	Yes, I agree that this should deserver some more explanation. Maybe right above this declaration? So, `new` means that a declaration is created newly by the ASTImporter. `imported` means it has been imported, but not necessarily `new`. Think about this case, we import `foo`'s definition. // to.cpp void bar() {} // from a.h // from.cpp void bar() {} // from a.h void foo() { bar(); } Then `foo` will be `new` and `imported`, `bar` will be `imported` and not `new`. `foreign` basically means `imported` and `new`.
156	Unfortunately, we get this from the `RuntimeDefinition` which is not available during the creation of the `CallEvent`. We use `getRuntimeDefinition()` to retrieve the definition and attach that to the already existent `CallEvent`.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h
176	I'd rather do that independently, so this patch can be focused and kept minimal, if you don't mind. (I mean `WorkList &getWorkList` would introduce irrelevant scattered changes.)
clang/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp
91	Yeah, I've copied this from below `assert(K.hasValue() && "IPA Mode is invalid.");`. Seems like the pattern we have everywhere. I suggest to get rid of this wrong pattern independently, but I'd not deviate from the pattern here, making it easier to do a bulk update once we do it.
clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
432	Nothing. It is being used by `inlineCall` but there are no callers of `inlineCall` that would use it because `inlineCall` does return true on all paths as well. Good point, this is again a rotten legacy. I am going update this soon.
446	This is intentional. foreign(true); foreign(false); The new CTU will evaluate the following paths in the exploded graph: foreign(true); // conservative evaluated foreign(false); // conservative evaluated foreign(true); // inlined foreign(false); // inlined The point is to keep bifurcation to a minimum and avoid the exponential blow up. So, we will never have a path like this: foreign(true); // conservative evaluated foreign(false); // inlined Actually, this is the same strategy that we use during the dynamic dispatch of C++ virtual calls. See `DynamicDispatchBifurcationMap`. The conservative evaluation happens in the first phase, the inlining in the second phase (assuming the phase1 inlining option is set to none).
513	Fair enough. I am going to update.
1123–1124	Yeah, good point, the comment is meaningless and confusing from this point, I'll just delete it.

Add explanatory comment to RuntimeDefinition::Foreign field
Changed the return value from bool to void in ctuBifurcate and in inlineCall
Add isCTUInFirtstPhase()
Remove stale comment

Herald added a reviewer: shafik. · View Herald TranscriptMay 9 2022, 6:05 AM

Harbormaster completed remote builds in B163466: Diff 428055.May 9 2022, 6:06 AM

martong added inline comments.May 9 2022, 6:09 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
116	I've just added an explanatory comment for this field.
clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
432	I've changed the return value from bool to void, both in `ctuBifurcate` and in `inlineCall`.
513	I've added `isCTUInFirtstPhase()`.
1123–1124	I removed the comment.

xazax.hun added inline comments.May 11 2022, 9:49 AM

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
446	The new CTU will evaluate the following paths in the exploded graph: foreign(true); // conservative evaluated foreign(false); // conservative evaluated foreign(true); // inlined foreign(false); // inlined When we encounter `foreign(true)`, we would add the decl to `CTUDispatchBifurcationSet`. So the second time we see a call to the function `foreign(false);`, we will just do the conservative evaluation and will not add the call to the CTU worklist. So how will `foreign(false);` be inlined in the second pass? Do I miss something?

xazax.hun added inline comments.May 11 2022, 9:51 AM

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
446	Oh, I think I now understand. Do you expect `foreign(false);` to be inlined after we return from `foreign(true);` in the second pass? Sorry for the confusion, in that case it looks good to me.

xazax.hun added inline comments.May 11 2022, 9:56 AM

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
116	Foreign means new and imported. But is there a way for a declaration to be new and not to be imported? If no, in that case it feels like new and foreign are actually the same and we should standardize on a single name.

Overall looks good to me. I wish some parts would be simpler but it looks like sometimes it is not easy to extend the current code and we might need to do some refactoring at some point.

This revision is now accepted and ready to land.May 11 2022, 10:08 AM

martong marked 3 inline comments as done.May 12 2022, 1:36 AM

martong added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
116	Yeah, you are right, `new` and `foreign` are the same in this sense. However, I think the term `foreign` is more expressive in the sense that is suggests that the definition is coming from another translation unit.
clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
446	Oh, I think I now understand. Do you expect `foreign(false);` to be inlined after we return from `foreign(true);` in the second pass? Yes, that's right.

whisperity added a subscriber: whisperity.May 12 2022, 3:05 AM

whisperity added inline comments.

clang/include/clang/AST/ASTImporterSharedState.h
83 ↗	(On Diff #428055)	(The naming of this function feels a bit odd. `markAsNewDecl` or just `markNewDecl`?)
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
414
414–420	Couldn't this description here be simplified to say something along the lines of "the percentage of single-TU analysed nodes that the CTU analysis is allowed to visit"? Is the calculation method needed from the user's perspective? The examples talk about percentage too.
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
141	Is this configuration inherent to the static analyser, and not the CrossTU library?
141	(Documentation for the options are missing.)
clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h
156
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
815–817	How and why is this needed? Could you call it `isSingleTUOr1stPhaseCTU` instead? Rather, if this is used as a distinction input in conditionals, could you invert the branches and have a function `isSecondPhaseCTU`, and do the inverted logic where this function is consumed?
clang/test/Analysis/Inputs/ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt
2	Why is there only 1 symbol in this file, when the file above contains two function definitions?
clang/test/Analysis/ctu-on-demand-parsing.c
22
clang/test/Analysis/ctu-on-demand-parsing.cpp
33
clang/test/Analysis/ctu-onego-toplevel.cpp
25	Are the lines below related to the execution of the command above? If not, could you please break the comment?
29
31	One-go? And what does that refer to? Is "Onego" analysis the one this patch is introducing?

martong edited the summary of this revision. (Show Details)May 13 2022, 2:26 AM

martong marked 15 inline comments as done.

martong added inline comments.

clang/include/clang/AST/ASTImporterSharedState.h
83 ↗	(On Diff #428055)	Good point, `markAsNewDecl` sounds better. I'll update this in the parent patch https://reviews.llvm.org/D123685 though (and rebase this).
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def
414–420	Thanks, this is so true, very good point. I've changed it. And also changed the name to suffix `-pct` instead of `-mul` to reflect this.
clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h
141	Yes, this is only for the analyzer.
141	This is the direct representation of the analyzer option `ctu-phase1-inlining` and there is a bulky documentation for that in `AnalyzerOptions.def`. I'd rather not repeat that documentation here.
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h
815–817	Yep, very good point, thanks again. Changed it with the inverted branch version.
clang/test/Analysis/Inputs/ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt
2	Good catch. I've added the other function. Besides, I had the wrong filename provided, it should have been `ctu-onego-existingdef-other.cpp.ast`, the `existingdef` was missing. Fixed that too, plus added and extra `FileCheck` to the `existingdef` test that detects if the ast file is not loaded.
clang/test/Analysis/ctu-onego-toplevel.cpp
31	Yes. I've updated the summary of the patch to make this clear.

Change -mul to -pct
Change default values to ctu-max-nodes-pct = 50 and ctu-max-nodes-min = 10000
Rename isCTUInFirtstPhase to isSecondPhaseCTU and invert the condition
Check that the AST file is loaded in existingdef test file
Set CTUWlist as nullptr in single-TU mode
Add bar to ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt
Changes in comments of test files

Harbormaster completed remote builds in B164268: Diff 429172.May 13 2022, 2:29 AM

xazax.hun added inline comments.May 13 2022, 8:38 AM

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
446	Actually, in this case I wonder whether we really need a set of declarations. Wouldn't a boolean be sufficient for each path? So in case of: foreign1(true); foreign2(false); Why would we want to add `foreign2` to the CTU worklist? More specifically, why is it important whether a foreign call is actually the same declaration that we saw earlier on the path? Isn't being foreign the only important information in this case?

martong marked an inline comment as done.May 17 2022, 6:15 AM

martong added inline comments.

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
446	Good point. By using the set of declarations we might have a path where `foreign1` is conservatively evaluated and then `foreign2` is inlined. I was having a hard time to find any use-cases where this would be useful, but could not find one. On the other hand, by using a `bool`, as you suggest, no such superfluous path would exist. Plus, the dependent child patch (D123784) is becoming unnecessary because the CTUWorklist will have at most one element during the first phase. Besides, I've made measurements comparing the `bool` and the `set` implementation. The results are quite similar. Both have lost the same amount of bugreports compared to the single-tu analysis and the average length of the bugpaths are also similar. stats.html226 KBDownload

Change ctuBifurcate to use bool in GDM

martong mentioned this in D123784: [clang][analyzer][ctu] Traverse the ctu CallEnter nodes in reverse order.May 17 2022, 6:29 AM

Update ReleaseNotes.rst

Harbormaster completed remote builds in B164884: Diff 430047.May 17 2022, 8:22 AM

xazax.hun accepted this revision.May 17 2022, 9:00 AM

xazax.hun added inline comments.

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
446	Great news! :) Looks like this was a nice simplification, thanks for looking into it!

xazax.hun added inline comments.May 17 2022, 9:02 AM

clang/docs/ReleaseNotes.rst
487	I wonder if you also want to mention that this still finds most of the CTU findings in most cases.

martong marked an inline comment as done.May 18 2022, 1:25 AM

martong added inline comments.

clang/docs/ReleaseNotes.rst
487	Yes, I do, thanks.

This revision was landed with ongoing or failed builds.May 18 2022, 1:37 AM

Closed by commit rG56b9b97c1ef5: [clang][analyzer][ctu] Make CTU a two phase analysis (authored by martong). · Explain Why

This revision was automatically updated to reflect the committed changes.

martong marked an inline comment as done.

martong added a commit: rG56b9b97c1ef5: [clang][analyzer][ctu] Make CTU a two phase analysis.

Revision Contents

Path

Size

clang/

docs/

ReleaseNotes.rst

7 lines

include/

clang/

CrossTU/

CrossTranslationUnit.h

8 lines

StaticAnalyzer/

Core/

AnalyzerOptions.h

3 lines

AnalyzerOptions.def

28 lines

PathSensitive/

CallEvent.h

13 lines

CoreEngine.h

4 lines

ExprEngine.h

11 lines

lib/

CrossTU/

CrossTranslationUnit.cpp

13 lines

StaticAnalyzer/

Core/

11 lines

22 lines

71 lines

25 lines

ExprEngineCallAndReturn.cpp

65 lines

Frontend/

AnalysisConsumer.cpp

12 lines

test/

Analysis/

Inputs/

ctu-onego-existingdef-other.cpp

7 lines

ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt

2 lines

ctu-onego-indirect-other.cpp

7 lines

ctu-onego-indirect-other.cpp.externalDefMap.ast-dump.txt

2 lines

ctu-onego-small-other.cpp

3 lines

ctu-onego-small-other.cpp.externalDefMap.ast-dump.txt

1 line

ctu-onego-toplevel-other.cpp

4 lines

ctu-onego-toplevel-other.cpp.externalDefMap.ast-dump.txt

1 line

3 lines

4 lines

51 lines

151 lines

ctu-on-demand-parsing.c

4 lines

ctu-on-demand-parsing.cpp

4 lines

ctu-onego-existingdef.cpp

67 lines

ctu-onego-indirect.cpp

58 lines

ctu-onego-small.cpp

51 lines

ctu-onego-toplevel.cpp

54 lines

Diff 430273

clang/docs/ReleaseNotes.rst

	Show First 20 Lines • Show All 473 Lines • ▼ Show 20 Lines

	libclang			libclang
	--------			--------

	- ...			- ...

	Static Analyzer			Static Analyzer
	---------------			---------------
				- `New CTU implementation
				<https://discourse.llvm.org/t/rfc-much-faster-cross-translation-unit-ctu-analysis-implementation/61728>`_
				that keeps the slow-down around 2x compared to the single-TU analysis, even
				in case of complex C++ projects. Still, it finds the majority of the "old"
				CTU findings. Besides, not more than ~3% of the bug reports are lost compared
				to single-TU analysis, the lost reports are highly likely to be false
				xazax.hunUnsubmitted Done Reply Inline Actions I wonder if you also want to mention that this still finds most of the CTU findings in most cases. xazax.hun: I wonder if you also want to mention that this still finds most of the CTU findings in most…
				martongAuthorUnsubmitted Done Reply Inline Actions Yes, I do, thanks. martong: Yes, I do, thanks.
				positives.

	- Added a new checker ``alpha.unix.cstring.UninitializedRead`` this will check for uninitialized reads			- Added a new checker ``alpha.unix.cstring.UninitializedRead`` this will check for uninitialized reads
	from common memory copy/manipulation functions such as ``memcpy``, ``mempcpy``, ``memmove``, ``memcmp``, `			from common memory copy/manipulation functions such as ``memcpy``, ``mempcpy``, ``memmove``, ``memcmp``, `
	`strcmp``, ``strncmp``, ``strcpy``, ``strlen``, ``strsep`` and many more. Although			`strcmp``, ``strncmp``, ``strcpy``, ``strlen``, ``strsep`` and many more. Although
	this checker currently is in list of alpha checkers due to a false positive.			this checker currently is in list of alpha checkers due to a false positive.

	.. _release-notes-ubsan:			.. _release-notes-ubsan:

	Show All 36 Lines

clang/include/clang/CrossTU/CrossTranslationUnit.h

Show First 20 Lines • Show All 191 Lines • ▼ Show 20 Lines	public:
/// \note If any error happens such as \p ToLoc is a non-imported		/// \note If any error happens such as \p ToLoc is a non-imported
/// source-location, empty is returned.		/// source-location, empty is returned.
/// \note Macro expansion tracking for imported TUs is not implemented yet.		/// \note Macro expansion tracking for imported TUs is not implemented yet.
/// It returns empty unconditionally.		/// It returns empty unconditionally.
llvm::Optional<clang::MacroExpansionContext>		llvm::Optional<clang::MacroExpansionContext>
getMacroExpansionContextForSourceLocation(		getMacroExpansionContextForSourceLocation(
const clang::SourceLocation &ToLoc) const;		const clang::SourceLocation &ToLoc) const;

		/// Returns true if the given Decl is newly created during the import.
		bool isImportedAsNew(const Decl *ToDecl) const;

		/// Returns true if the given Decl is mapped (or created) during an import
		/// but there was an unrecoverable error (the AST node cannot be erased, it
		/// is marked with an Error object in this case).
		bool hasError(const Decl *ToDecl) const;

private:		private:
void lazyInitImporterSharedSt(TranslationUnitDecl *ToTU);		void lazyInitImporterSharedSt(TranslationUnitDecl *ToTU);
ASTImporter &getOrCreateASTImporter(ASTUnit *Unit);		ASTImporter &getOrCreateASTImporter(ASTUnit *Unit);
template <typename T>		template <typename T>
llvm::Expected<const T > getCrossTUDefinitionImpl(const T D,		llvm::Expected<const T > getCrossTUDefinitionImpl(const T D,
StringRef CrossTUDir,		StringRef CrossTUDir,
StringRef IndexName,		StringRef IndexName,
bool DisplayCTUProgress);		bool DisplayCTUProgress);
▲ Show 20 Lines • Show All 139 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h

Show First 20 Lines • Show All 132 Lines • ▼ Show 20 Lines
enum UserModeKind {		enum UserModeKind {
/// Perform shallow but fast analyzes.		/// Perform shallow but fast analyzes.
UMK_Shallow = 1,		UMK_Shallow = 1,

/// Perform deep analyzes.		/// Perform deep analyzes.
UMK_Deep = 2		UMK_Deep = 2
};		};

		enum class CTUPhase1InliningKind { None, Small, All };
		whisperityUnsubmitted Done Reply Inline Actions Is this configuration inherent to the static analyser, and not the CrossTU library? whisperity: Is this configuration inherent to the static analyser, and not the //CrossTU// library?
		martongAuthorUnsubmitted Done Reply Inline Actions Yes, this is only for the analyzer. martong: Yes, this is only for the analyzer.
		whisperityUnsubmitted Done Reply Inline Actions (Documentation for the options are missing.) whisperity: (Documentation for the options are missing.)
		martongAuthorUnsubmitted Done Reply Inline Actions This is the direct representation of the analyzer option `ctu-phase1-inlining` and there is a bulky documentation for that in `AnalyzerOptions.def`. I'd rather not repeat that documentation here. martong: This is the direct representation of the analyzer option `ctu-phase1-inlining` and there is a…

/// Stores options for the analyzer from the command line.		/// Stores options for the analyzer from the command line.
///		///
/// Some options are frontend flags (e.g.: -analyzer-output), but some are		/// Some options are frontend flags (e.g.: -analyzer-output), but some are
/// analyzer configuration options, which are preceded by -analyzer-config		/// analyzer configuration options, which are preceded by -analyzer-config
/// (e.g.: -analyzer-config notes-as-events=true).		/// (e.g.: -analyzer-config notes-as-events=true).
///		///
/// If you'd like to add a new frontend flag, add it to		/// If you'd like to add a new frontend flag, add it to
/// include/clang/Driver/CC1Options.td, add a new field to store the value of		/// include/clang/Driver/CC1Options.td, add a new field to store the value of
▲ Show 20 Lines • Show All 225 Lines • ▼ Show 20 Lines	StringRef getCheckerStringOption(const ento::CheckerBase *C,
bool SearchInParents = false) const;		bool SearchInParents = false) const;

/// Retrieves and sets the UserMode. This is a high-level option,		/// Retrieves and sets the UserMode. This is a high-level option,
/// which is used to set other low-level options. It is not accessible		/// which is used to set other low-level options. It is not accessible
/// outside of AnalyzerOptions.		/// outside of AnalyzerOptions.
UserModeKind getUserMode() const;		UserModeKind getUserMode() const;

ExplorationStrategyKind getExplorationStrategy() const;		ExplorationStrategyKind getExplorationStrategy() const;
		CTUPhase1InliningKind getCTUPhase1Inlining() const;

/// Returns the inter-procedural analysis mode.		/// Returns the inter-procedural analysis mode.
IPAKind getIPAMode() const;		IPAKind getIPAMode() const;

/// Returns the option controlling which C++ member functions will be		/// Returns the option controlling which C++ member functions will be
/// considered for inlining.		/// considered for inlining.
///		///
/// This is controlled by the 'c++-inlining' config option.		/// This is controlled by the 'c++-inlining' config option.
▲ Show 20 Lines • Show All 78 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def

Show First 20 Lines • Show All 404 Lines • ▼ Show 20 Lines

ANALYZER_OPTION_DEPENDS_ON_USER_MODE( ANALYZER_OPTION_DEPENDS_ON_USER_MODE(

unsigned, MaxNodesPerTopLevelFunction, "max-nodes", unsigned, MaxNodesPerTopLevelFunction, "max-nodes",

"The maximum number of nodes the analyzer can generate while exploring a " "The maximum number of nodes the analyzer can generate while exploring a "

"top level function (for each exploded graph). 0 means no limit.", "top level function (for each exploded graph). 0 means no limit.",

/* SHALLOW_VAL */ 75000, /* DEEP_VAL */ 225000) /* SHALLOW_VAL */ 75000, /* DEEP_VAL */ 225000)

ANALYZER_OPTION( ANALYZER_OPTION(

unsigned, CTUMaxNodesPercentage, "ctu-max-nodes-pct",

"The percentage of single-TU analysed nodes that the CTU analysis is "

whisperityUnsubmitted

Done

unsigned, CTUMaxNodesMultiplier, "ctu-max-nodes-mul",

- "We count the nodes for a normal single tu analysis. We multiply that "

+ "We count the nodes for a normal single TU analysis. We multiply that "

"number with this config value then we divide the result by 100 to get "

whisperity:

"allowed to visit.", 50)

ANALYZER_OPTION(

unsigned, CTUMaxNodesMin, "ctu-max-nodes-min",

"The maximum number of nodes in CTU mode is determinded by "

"'ctu-max-nodes-pct'. However, if the number of nodes in single-TU "

whisperityUnsubmitted

Done

Couldn't this description here be simplified to say something along the lines of "the percentage of single-TU analysed nodes that the CTU analysis is allowed to visit"? Is the calculation method needed from the user's perspective? The examples talk about percentage too.

whisperity: Couldn't this description here be simplified to say something along the lines of //"the…

martongAuthorUnsubmitted

Done

Thanks, this is so true, very good point. I've changed it. And also changed the name to suffix -pct instead of -mul to reflect this.

martong: Thanks, this is so true, very good point. I've changed it. And also changed the name to suffix…

"analysis is too low, it is meaningful to provide a minimum value that "

"serves as an upper bound instead.", 10000)

ANALYZER_OPTION(

StringRef, CTUPhase1InliningMode, "ctu-phase1-inlining",

"Controls which functions will be inlined during the first phase of the ctu "

"analysis. "

"If the value is set to 'all' then all foreign functions are inlinied "

"immediately during the first phase, thus rendering the second phase a noop. "

"The 'ctu-max-nodes-*' budge has no effect in this case. "

"If the value is 'small' then only functions with a linear CFG and with a "

"limited number of statements would be inlined during the first phase. The "

"long and/or nontrivial functions are handled in the second phase and are "

"controlled by the 'ctu-max-nodes-*' budge. "

"The value 'none' means that all foreign functions are inlined only in the "

"second phase, 'ctu-max-nodes-*' budge limits the second phase. "

"Value: \"none\", \"small\", \"all\".",

"small")

ANALYZER_OPTION(

unsigned, RegionStoreSmallStructLimit, "region-store-small-struct-limit", unsigned, RegionStoreSmallStructLimit, "region-store-small-struct-limit",

"The largest number of fields a struct can have and still be considered " "The largest number of fields a struct can have and still be considered "

"small This is currently used to decide whether or not it is worth forcing " "small This is currently used to decide whether or not it is worth forcing "

"a LazyCompoundVal on bind. To disable all small-struct-dependent " "a LazyCompoundVal on bind. To disable all small-struct-dependent "

"behavior, set the option to 0.", "behavior, set the option to 0.",

2) 2)

//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//

▲ Show 20 Lines • Show All 59 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

Show First 20 Lines • Show All 107 Lines • ▼ Show 20 Lines class RuntimeDefinition {

const Decl *D = nullptr; const Decl *D = nullptr;

/// The region representing an object (ObjC/C++) on which the method is /// The region representing an object (ObjC/C++) on which the method is

/// called. With dynamic dispatch, the method definition depends on the /// called. With dynamic dispatch, the method definition depends on the

/// runtime type of this object. NULL when the DynamicTypeInfo is /// runtime type of this object. NULL when the DynamicTypeInfo is

/// precise. /// precise.

const MemRegion *R = nullptr; const MemRegion *R = nullptr;

/// A definition is foreign if it has been imported and newly created by the

xazax.hunUnsubmitted

Done

I feel that we use different terms for the imported declarations. Sometimes we call them new, sometimes imported, sometimes foreign. In case all of these means the same thing, it would be nice to standardize on a single way of naming. If there is a subtle difference between them, let's document that in a comment. It would be nice if we did not need the comment after the declaration but it would be obvious from the variable name.

xazax.hun: I feel that we use different terms for the imported declarations. Sometimes we call them `new`…

martongAuthorUnsubmitted

Done

Yes, I agree that this should deserver some more explanation. Maybe right above this declaration?

So, new means that a declaration is created newly by the ASTImporter.
imported means it has been imported, but not necessarily new. Think about this case, we import foo's definition.

// to.cpp
void bar() {} // from a.h
// from.cpp
void bar() {} // from a.h
void foo() {
  bar();
}

Then foo will be new and imported, bar will be imported and not new.
foreign basically means imported and new.

martong: Yes, I agree that this should deserver some more explanation. Maybe right above this…

martongAuthorUnsubmitted

Done

I've just added an explanatory comment for this field.

martong: I've just added an explanatory comment for this field.

xazax.hunUnsubmitted

Done

Foreign means new and imported. But is there a way for a declaration to be new and not to be imported? If no, in that case it feels like new and foreign are actually the same and we should standardize on a single name.

xazax.hun: Foreign means new and imported. But is there a way for a declaration to be new and not to be…

martongAuthorUnsubmitted

Done

Yeah, you are right, new and foreign are the same in this sense. However, I think the term foreign is more expressive in the sense that is suggests that the definition is coming from another translation unit.

martong: Yeah, you are right, `new` and `foreign` are the same in this sense. However, I think the term…

/// ASTImporter. This can be true only if CTU is enabled.

const bool Foreign = false;

public: public:

RuntimeDefinition() = default; RuntimeDefinition() = default;

RuntimeDefinition(const Decl *InD): D(InD) {} RuntimeDefinition(const Decl *InD): D(InD) {}

RuntimeDefinition(const Decl *InD, bool Foreign) : D(InD), Foreign(Foreign) {}

RuntimeDefinition(const Decl *InD, const MemRegion *InR): D(InD), R(InR) {} RuntimeDefinition(const Decl *InD, const MemRegion *InR): D(InD), R(InR) {}

const Decl *getDecl() { return D; } const Decl *getDecl() { return D; }

bool isForeign() const { return Foreign; }

/// Check if the definition we have is precise. /// Check if the definition we have is precise.

/// If not, it is possible that the call dispatches to another definition at /// If not, it is possible that the call dispatches to another definition at

/// execution time. /// execution time.

bool mayHaveOtherDefinitions() { return R != nullptr; } bool mayHaveOtherDefinitions() { return R != nullptr; }

/// When other definitions are possible, returns the region whose runtime type /// When other definitions are possible, returns the region whose runtime type

/// determines the method definition. /// determines the method definition.

Show All 12 Lines

class CallEvent { class CallEvent {

public: public:

using Kind = CallEventKind; using Kind = CallEventKind;

private: private:

ProgramStateRef State; ProgramStateRef State;

const LocationContext *LCtx; const LocationContext *LCtx;

llvm::PointerUnion<const Expr *, const Decl *> Origin; llvm::PointerUnion<const Expr *, const Decl *> Origin;

mutable Optional<bool> Foreign; // Set by CTU analysis.

xazax.hunUnsubmitted

Done

Why do we need this to be mutable? Shouldn't we have this information when the CallEvent is created?

xazax.hun: Why do we need this to be mutable? Shouldn't we have this information when the CallEvent is…

martongAuthorUnsubmitted

Done

Unfortunately, we get this from the RuntimeDefinition which is not available during the creation of the CallEvent. We use getRuntimeDefinition() to retrieve the definition and attach that to the already existent CallEvent.

martong: Unfortunately, we get this from the `RuntimeDefinition` which is not available during the…

whisperityUnsubmitted

Done

llvm::PointerUnion<const Expr *, const Decl *> Origin;

- mutable Optional<bool> Foreign; // From CTU.

+ mutable Optional<bool> Foreign; // Set by CTU analysis.

protected:

whisperity:

protected: protected:

// This is user data for subclasses. // This is user data for subclasses.

const void *Data; const void *Data;

// This is user data for subclasses. // This is user data for subclasses.

// This should come right before RefCount, so that the two fields can be // This should come right before RefCount, so that the two fields can be

// packed together on LP64 platforms. // packed together on LP64 platforms.

▲ Show 20 Lines • Show All 45 Lines • ▼ Show 20 Lines public:

virtual StringRef getKindAsString() const = 0; virtual StringRef getKindAsString() const = 0;

/// Returns the declaration of the function or method that will be /// Returns the declaration of the function or method that will be

/// called. May be null. /// called. May be null.

virtual const Decl *getDecl() const { virtual const Decl *getDecl() const {

return Origin.dyn_cast<const Decl *>(); return Origin.dyn_cast<const Decl *>();

} }

bool isForeign() const {

assert(Foreign.hasValue() && "Foreign must be set before querying");

return *Foreign;

}

void setForeign(bool B) const { Foreign = B; }

/// The state in which the call is being evaluated. /// The state in which the call is being evaluated.

const ProgramStateRef &getState() const { const ProgramStateRef &getState() const {

return State; return State;

} }

/// The context in which the call is being evaluated. /// The context in which the call is being evaluated.

const LocationContext *getLocationContext() const { const LocationContext *getLocationContext() const {

return LCtx; return LCtx;

▲ Show 20 Lines • Show All 1,158 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h

Show First 20 Lines • Show All 72 Lines • ▼ Show 20 Lines	private:

/// G - The simulation graph. Each node is a (location,state) pair.		/// G - The simulation graph. Each node is a (location,state) pair.
mutable ExplodedGraph G;		mutable ExplodedGraph G;

/// WList - A set of queued nodes that need to be processed by the		/// WList - A set of queued nodes that need to be processed by the
/// worklist algorithm. It is up to the implementation of WList to decide		/// worklist algorithm. It is up to the implementation of WList to decide
/// the order that nodes are processed.		/// the order that nodes are processed.
std::unique_ptr<WorkList> WList;		std::unique_ptr<WorkList> WList;
		std::unique_ptr<WorkList> CTUWList;

/// BCounterFactory - A factory object for created BlockCounter objects.		/// BCounterFactory - A factory object for created BlockCounter objects.
/// These are used to record for key nodes in the ExplodedGraph the		/// These are used to record for key nodes in the ExplodedGraph the
/// number of times different CFGBlocks have been visited along a path.		/// number of times different CFGBlocks have been visited along a path.
BlockCounter::Factory BCounterFactory;		BlockCounter::Factory BCounterFactory;

/// The locations where we stopped doing work because we visited a location		/// The locations where we stopped doing work because we visited a location
/// too many times.		/// too many times.
BlocksExhausted blocksExhausted;		BlocksExhausted blocksExhausted;

/// The locations where we stopped because the engine aborted analysis,		/// The locations where we stopped because the engine aborted analysis,
/// usually because it could not reason about something.		/// usually because it could not reason about something.
BlocksAborted blocksAborted;		BlocksAborted blocksAborted;

/// The information about functions shared by the whole translation unit.		/// The information about functions shared by the whole translation unit.
/// (This data is owned by AnalysisConsumer.)		/// (This data is owned by AnalysisConsumer.)
FunctionSummariesTy *FunctionSummaries;		FunctionSummariesTy *FunctionSummaries;

/// Add path tags with some useful data along the path when we see that		/// Add path tags with some useful data along the path when we see that
/// something interesting is happening. This field is the allocator for such		/// something interesting is happening. This field is the allocator for such
/// tags.		/// tags.
DataTag::Factory DataTags;		DataTag::Factory DataTags;

		void setBlockCounter(BlockCounter C);

void generateNode(const ProgramPoint &Loc,		void generateNode(const ProgramPoint &Loc,
ProgramStateRef State,		ProgramStateRef State,
ExplodedNode *Pred);		ExplodedNode *Pred);

void HandleBlockEdge(const BlockEdge &E, ExplodedNode *Pred);		void HandleBlockEdge(const BlockEdge &E, ExplodedNode *Pred);
void HandleBlockEntrance(const BlockEntrance &E, ExplodedNode *Pred);		void HandleBlockEntrance(const BlockEntrance &E, ExplodedNode *Pred);
void HandleBlockExit(const CFGBlock B, ExplodedNode Pred);		void HandleBlockExit(const CFGBlock B, ExplodedNode Pred);

▲ Show 20 Lines • Show All 53 Lines • ▼ Show 20 Lines	public:

/// Inform the CoreEngine that a basic block was aborted because		/// Inform the CoreEngine that a basic block was aborted because
/// it could not be completely analyzed.		/// it could not be completely analyzed.
void addAbortedBlock(const ExplodedNode node, const CFGBlock block) {		void addAbortedBlock(const ExplodedNode node, const CFGBlock block) {
blocksAborted.push_back(std::make_pair(block, node));		blocksAborted.push_back(std::make_pair(block, node));
}		}

WorkList *getWorkList() const { return WList.get(); }		WorkList *getWorkList() const { return WList.get(); }
		WorkList *getCTUWorkList() const { return CTUWList.get(); }
		xazax.hunUnsubmitted Done Reply Inline Actions I think we do not expect the STU WorkList to ever be null, maybe it is time to clean this up and return a reference. xazax.hun: I think we do not expect the STU WorkList to ever be null, maybe it is time to clean this up…
		martongAuthorUnsubmitted Done Reply Inline Actions I'd rather do that independently, so this patch can be focused and kept minimal, if you don't mind. (I mean `WorkList &getWorkList` would introduce irrelevant scattered changes.) martong: I'd rather do that independently, so this patch can be focused and kept minimal, if you don't…

BlocksExhausted::const_iterator blocks_exhausted_begin() const {		BlocksExhausted::const_iterator blocks_exhausted_begin() const {
return blocksExhausted.begin();		return blocksExhausted.begin();
}		}

BlocksExhausted::const_iterator blocks_exhausted_end() const {		BlocksExhausted::const_iterator blocks_exhausted_end() const {
return blocksExhausted.end();		return blocksExhausted.end();
}		}
▲ Show 20 Lines • Show All 406 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 Lines • Show All 129 Lines • ▼ Show 20 Lines enum InliningModes {

Inline_Regular = 0, Inline_Regular = 0,

/// Do minimal inlining of callees. /// Do minimal inlining of callees.

Inline_Minimal = 0x1 Inline_Minimal = 0x1

}; };

private: private:

cross_tu::CrossTranslationUnitContext &CTU; cross_tu::CrossTranslationUnitContext &CTU;

bool IsCTUEnabled;

AnalysisManager &AMgr; AnalysisManager &AMgr;

AnalysisDeclContextManager &AnalysisDeclContexts; AnalysisDeclContextManager &AnalysisDeclContexts;

CoreEngine Engine; CoreEngine Engine;

/// G - the simulation graph. /// G - the simulation graph.

▲ Show 20 Lines • Show All 654 Lines • ▼ Show 20 Lines private:

/// should inline, just by looking at the declaration of the function. /// should inline, just by looking at the declaration of the function.

bool mayInlineDecl(AnalysisDeclContext *ADC) const; bool mayInlineDecl(AnalysisDeclContext *ADC) const;

/// Checks our policies and decides weither the given call should be inlined. /// Checks our policies and decides weither the given call should be inlined.

bool shouldInlineCall(const CallEvent &Call, const Decl *D, bool shouldInlineCall(const CallEvent &Call, const Decl *D,

const ExplodedNode *Pred, const ExplodedNode *Pred,

const EvalCallOptions &CallOpts = {}); const EvalCallOptions &CallOpts = {});

bool inlineCall(const CallEvent &Call, const Decl *D, NodeBuilder &Bldr, void inlineCall(WorkList *WList, const CallEvent &Call, const Decl *D,

NodeBuilder &Bldr, ExplodedNode *Pred, ProgramStateRef State);

void ctuBifurcate(const CallEvent &Call, const Decl *D, NodeBuilder &Bldr,

ExplodedNode *Pred, ProgramStateRef State); ExplodedNode *Pred, ProgramStateRef State);

/// Returns true if the CTU analysis is running its second phase.

bool isSecondPhaseCTU() { return IsCTUEnabled && !Engine.getCTUWorkList(); }

whisperityUnsubmitted

Done

ExplodedNode *Pred, ProgramStateRef State);

/// Returns true if the CTU analysis is running its first phase.

/// Returns true in single TU (non-CTU) mode!

- bool isCTUInFirtstPhase() { return Engine.getCTUWorkList(); }

+ bool isCTUInFirstPhase() { return Engine.getCTUWorkList(); }

/// Conservatively evaluate call by invalidating regions and binding

How and why is this needed? Could you call it isSingleTUOr1stPhaseCTU instead?

Rather, if this is used as a distinction input in conditionals, could you invert the branches and have a function isSecondPhaseCTU, and do the inverted logic where this function is consumed?

whisperity: How and why is this needed? Could you call it `isSingleTUOr1stPhaseCTU` instead? Rather, if…

martongAuthorUnsubmitted

Done

Yep, very good point, thanks again. Changed it with the inverted branch version.

martong: Yep, very good point, thanks again. Changed it with the inverted branch version.

/// Conservatively evaluate call by invalidating regions and binding /// Conservatively evaluate call by invalidating regions and binding

/// a conjured return value. /// a conjured return value.

void conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr, void conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,

ExplodedNode *Pred, ProgramStateRef State); ExplodedNode *Pred, ProgramStateRef State);

/// Either inline or process the call conservatively (or both), based /// Either inline or process the call conservatively (or both), based

/// on DynamicDispatchBifurcation data. /// on DynamicDispatchBifurcation data.

void BifurcateCall(const MemRegion *BifurReg, void BifurcateCall(const MemRegion *BifurReg,

▲ Show 20 Lines • Show All 129 Lines • Show Last 20 Lines

clang/lib/CrossTU/CrossTranslationUnit.cpp

	Show First 20 Lines • Show All 795 Lines • ▼ Show 20 Lines

	llvm::Optional<clang::MacroExpansionContext>			llvm::Optional<clang::MacroExpansionContext>
	CrossTranslationUnitContext::getMacroExpansionContextForSourceLocation(			CrossTranslationUnitContext::getMacroExpansionContextForSourceLocation(
	const clang::SourceLocation &ToLoc) const {			const clang::SourceLocation &ToLoc) const {
	// FIXME: Implement: Record such a context for every imported ASTUnit; lookup.			// FIXME: Implement: Record such a context for every imported ASTUnit; lookup.
	return llvm::None;			return llvm::None;
	}			}

				bool CrossTranslationUnitContext::isImportedAsNew(const Decl *ToDecl) const {
				if (!ImporterSharedSt)
				return false;
				return ImporterSharedSt->isNewDecl(const_cast<Decl *>(ToDecl));
				}

				bool CrossTranslationUnitContext::hasError(const Decl *ToDecl) const {
				if (!ImporterSharedSt)
				return false;
				return static_cast<bool>(
				ImporterSharedSt->getImportDeclErrorIfAny(const_cast<Decl *>(ToDecl)));
				}

	} // namespace cross_tu			} // namespace cross_tu
	} // namespace clang			} // namespace clang

clang/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp

Show First 20 Lines • Show All 75 Lines • ▼ Show 20 Lines	llvm::StringSwitch<llvm::Optional<ExplorationStrategyKind>>(
ExplorationStrategyKind::UnexploredFirstLocationQueue)		ExplorationStrategyKind::UnexploredFirstLocationQueue)
.Case("bfs_block_dfs_contents",		.Case("bfs_block_dfs_contents",
ExplorationStrategyKind::BFSBlockDFSContents)		ExplorationStrategyKind::BFSBlockDFSContents)
.Default(None);		.Default(None);
assert(K.hasValue() && "User mode is invalid.");		assert(K.hasValue() && "User mode is invalid.");
return K.getValue();		return K.getValue();
}		}

		CTUPhase1InliningKind AnalyzerOptions::getCTUPhase1Inlining() const {
		auto K = llvm::StringSwitch<llvm::Optional<CTUPhase1InliningKind>>(
		CTUPhase1InliningMode)
		.Case("none", CTUPhase1InliningKind::None)
		.Case("small", CTUPhase1InliningKind::Small)
		.Case("all", CTUPhase1InliningKind::All)
		.Default(None);
		assert(K.hasValue() && "CTU inlining mode is invalid.");
		xazax.hunUnsubmitted Done Reply Inline Actions The `CTUPhase1InliningMode` is coming from the user, right? Unless we have some validation in place before this code get called, I think it might not be a good idea to assert fail on certain user inputs. xazax.hun: The `CTUPhase1InliningMode` is coming from the user, right? Unless we have some validation in…
		martongAuthorUnsubmitted Done Reply Inline Actions Yeah, I've copied this from below `assert(K.hasValue() && "IPA Mode is invalid.");`. Seems like the pattern we have everywhere. I suggest to get rid of this wrong pattern independently, but I'd not deviate from the pattern here, making it easier to do a bulk update once we do it. martong: Yeah, I've copied this from below `assert(K.hasValue() && "IPA Mode is invalid.");`. Seems like…
		return K.getValue();
		}

IPAKind AnalyzerOptions::getIPAMode() const {		IPAKind AnalyzerOptions::getIPAMode() const {
auto K = llvm::StringSwitch<llvm::Optional<IPAKind>>(IPAMode)		auto K = llvm::StringSwitch<llvm::Optional<IPAKind>>(IPAMode)
.Case("none", IPAK_None)		.Case("none", IPAK_None)
.Case("basic-inlining", IPAK_BasicInlining)		.Case("basic-inlining", IPAK_BasicInlining)
.Case("inlining", IPAK_Inlining)		.Case("inlining", IPAK_Inlining)
.Case("dynamic", IPAK_DynamicDispatch)		.Case("dynamic", IPAK_DynamicDispatch)
.Case("dynamic-bifurcate", IPAK_DynamicDispatchBifurcate)		.Case("dynamic-bifurcate", IPAK_DynamicDispatchBifurcate)
.Default(None);		.Default(None);
▲ Show 20 Lines • Show All 103 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

Show First 20 Lines • Show All 509 Lines • ▼ Show 20 Lines	AnalysisDeclContext *AD =
getManager()->getContext(FD);		getManager()->getContext(FD);
bool IsAutosynthesized;		bool IsAutosynthesized;
Stmt* Body = AD->getBody(IsAutosynthesized);		Stmt* Body = AD->getBody(IsAutosynthesized);
LLVM_DEBUG({		LLVM_DEBUG({
if (IsAutosynthesized)		if (IsAutosynthesized)
llvm::dbgs() << "Using autosynthesized body for " << FD->getName()		llvm::dbgs() << "Using autosynthesized body for " << FD->getName()
<< "\n";		<< "\n";
});		});
if (Body) {
const Decl* Decl = AD->getDecl();
return RuntimeDefinition(Decl);
}

ExprEngine &Engine = getState()->getStateManager().getOwningEngine();		ExprEngine &Engine = getState()->getStateManager().getOwningEngine();
		cross_tu::CrossTranslationUnitContext &CTUCtx =
		*Engine.getCrossTranslationUnitContext();

AnalyzerOptions &Opts = Engine.getAnalysisManager().options;		AnalyzerOptions &Opts = Engine.getAnalysisManager().options;

		if (Body) {
		const Decl* Decl = AD->getDecl();
		if (Opts.IsNaiveCTUEnabled && CTUCtx.isImportedAsNew(Decl)) {
		// A newly created definition, but we had error(s) during the import.
		if (CTUCtx.hasError(Decl))
		return {};
		return RuntimeDefinition(Decl, /Foreign=/true);
		}
		return RuntimeDefinition(Decl, /Foreign=/false);
		}

// Try to get CTU definition only if CTUDir is provided.		// Try to get CTU definition only if CTUDir is provided.
if (!Opts.IsNaiveCTUEnabled)		if (!Opts.IsNaiveCTUEnabled)
return {};		return {};

cross_tu::CrossTranslationUnitContext &CTUCtx =
*Engine.getCrossTranslationUnitContext();
llvm::Expected<const FunctionDecl *> CTUDeclOrError =		llvm::Expected<const FunctionDecl *> CTUDeclOrError =
CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName,		CTUCtx.getCrossTUDefinition(FD, Opts.CTUDir, Opts.CTUIndexName,
Opts.DisplayCTUProgress);		Opts.DisplayCTUProgress);

if (!CTUDeclOrError) {		if (!CTUDeclOrError) {
handleAllErrors(CTUDeclOrError.takeError(),		handleAllErrors(CTUDeclOrError.takeError(),
[&](const cross_tu::IndexError &IE) {		[&](const cross_tu::IndexError &IE) {
CTUCtx.emitCrossTUDiagnostics(IE);		CTUCtx.emitCrossTUDiagnostics(IE);
});		});
return {};		return {};
}		}

return RuntimeDefinition(*CTUDeclOrError);		return RuntimeDefinition(CTUDeclOrError, /Foreign=*/true);
}		}

void AnyFunctionCall::getInitialStackFrameContents(		void AnyFunctionCall::getInitialStackFrameContents(
const StackFrameContext *CalleeCtx,		const StackFrameContext *CalleeCtx,
BindingsTy &Bindings) const {		BindingsTy &Bindings) const {
const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl());		const auto *D = cast<FunctionDecl>(CalleeCtx->getDecl());
SValBuilder &SVB = getState()->getStateManager().getSValBuilder();		SValBuilder &SVB = getState()->getStateManager().getSValBuilder();
addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,		addParameterValuesToBindings(CalleeCtx, Bindings, SVB, *this,
▲ Show 20 Lines • Show All 866 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/CoreEngine.cpp

Show All 37 Lines

using namespace clang;		using namespace clang;
using namespace ento;		using namespace ento;

#define DEBUG_TYPE "CoreEngine"		#define DEBUG_TYPE "CoreEngine"

STATISTIC(NumSteps,		STATISTIC(NumSteps,
"The # of steps executed.");		"The # of steps executed.");
		STATISTIC(NumSTUSteps, "The # of STU steps executed.");
		STATISTIC(NumCTUSteps, "The # of CTU steps executed.");
STATISTIC(NumReachedMaxSteps,		STATISTIC(NumReachedMaxSteps,
"The # of times we reached the max number of steps.");		"The # of times we reached the max number of steps.");
STATISTIC(NumPathsExplored,		STATISTIC(NumPathsExplored,
"The # of paths explored by the analyzer.");		"The # of paths explored by the analyzer.");

//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
// Core analysis engine.		// Core analysis engine.
//===----------------------------------------------------------------------===//		//===----------------------------------------------------------------------===//
Show All 14 Lines	case ExplorationStrategyKind::UnexploredFirstLocationQueue:
return WorkList::makeUnexploredFirstPriorityLocationQueue();		return WorkList::makeUnexploredFirstPriorityLocationQueue();
}		}
llvm_unreachable("Unknown AnalyzerOptions::ExplorationStrategyKind");		llvm_unreachable("Unknown AnalyzerOptions::ExplorationStrategyKind");
}		}

CoreEngine::CoreEngine(ExprEngine &exprengine, FunctionSummariesTy *FS,		CoreEngine::CoreEngine(ExprEngine &exprengine, FunctionSummariesTy *FS,
AnalyzerOptions &Opts)		AnalyzerOptions &Opts)
: ExprEng(exprengine), WList(generateWorkList(Opts)),		: ExprEng(exprengine), WList(generateWorkList(Opts)),
		CTUWList(Opts.IsNaiveCTUEnabled ? generateWorkList(Opts) : nullptr),
BCounterFactory(G.getAllocator()), FunctionSummaries(FS) {}		BCounterFactory(G.getAllocator()), FunctionSummaries(FS) {}

		void CoreEngine::setBlockCounter(BlockCounter C) {
		WList->setBlockCounter(C);
		if (CTUWList)
		CTUWList->setBlockCounter(C);
		}

/// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.		/// ExecuteWorkList - Run the worklist algorithm for a maximum number of steps.
bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned Steps,		bool CoreEngine::ExecuteWorkList(const LocationContext *L, unsigned MaxSteps,
ProgramStateRef InitState) {		ProgramStateRef InitState) {
if (G.num_roots() == 0) { // Initialize the analysis by constructing		if (G.num_roots() == 0) { // Initialize the analysis by constructing
// the root if none exists.		// the root if none exists.

const CFGBlock *Entry = &(L->getCFG()->getEntry());		const CFGBlock *Entry = &(L->getCFG()->getEntry());

assert(Entry->empty() && "Entry block must be empty.");		assert(Entry->empty() && "Entry block must be empty.");

assert(Entry->succ_size() == 1 && "Entry block must have 1 successor.");		assert(Entry->succ_size() == 1 && "Entry block must have 1 successor.");

// Mark the entry block as visited.		// Mark the entry block as visited.
FunctionSummaries->markVisitedBasicBlock(Entry->getBlockID(),		FunctionSummaries->markVisitedBasicBlock(Entry->getBlockID(),
L->getDecl(),		L->getDecl(),
L->getCFG()->getNumBlockIDs());		L->getCFG()->getNumBlockIDs());

// Get the solitary successor.		// Get the solitary successor.
const CFGBlock Succ = (Entry->succ_begin());		const CFGBlock Succ = (Entry->succ_begin());

// Construct an edge representing the		// Construct an edge representing the
// starting location in the function.		// starting location in the function.
BlockEdge StartLoc(Entry, Succ, L);		BlockEdge StartLoc(Entry, Succ, L);

// Set the current block counter to being empty.		// Set the current block counter to being empty.
WList->setBlockCounter(BCounterFactory.GetEmptyCounter());		setBlockCounter(BCounterFactory.GetEmptyCounter());

if (!InitState)		if (!InitState)
InitState = ExprEng.getInitialState(L);		InitState = ExprEng.getInitialState(L);

bool IsNew;		bool IsNew;
ExplodedNode *Node = G.getNode(StartLoc, InitState, false, &IsNew);		ExplodedNode *Node = G.getNode(StartLoc, InitState, false, &IsNew);
assert(IsNew);		assert(IsNew);
G.addRoot(Node);		G.addRoot(Node);

NodeBuilderContext BuilderCtx(*this, StartLoc.getDst(), Node);		NodeBuilderContext BuilderCtx(*this, StartLoc.getDst(), Node);
ExplodedNodeSet DstBegin;		ExplodedNodeSet DstBegin;
ExprEng.processBeginOfFunction(BuilderCtx, Node, DstBegin, StartLoc);		ExprEng.processBeginOfFunction(BuilderCtx, Node, DstBegin, StartLoc);

enqueue(DstBegin);		enqueue(DstBegin);
}		}

// Check if we have a steps limit		// Check if we have a steps limit
bool UnlimitedSteps = Steps == 0;		bool UnlimitedSteps = MaxSteps == 0;

// Cap our pre-reservation in the event that the user specifies		// Cap our pre-reservation in the event that the user specifies
// a very large number of maximum steps.		// a very large number of maximum steps.
const unsigned PreReservationCap = 4000000;		const unsigned PreReservationCap = 4000000;
if(!UnlimitedSteps)		if(!UnlimitedSteps)
G.reserve(std::min(Steps,PreReservationCap));		G.reserve(std::min(MaxSteps, PreReservationCap));

		auto ProcessWList = [this, UnlimitedSteps](unsigned MaxSteps) {
		unsigned Steps = MaxSteps;
while (WList->hasWork()) {		while (WList->hasWork()) {
if (!UnlimitedSteps) {		if (!UnlimitedSteps) {
if (Steps == 0) {		if (Steps == 0) {
NumReachedMaxSteps++;		NumReachedMaxSteps++;
break;		break;
}		}
--Steps;		--Steps;
}		}

NumSteps++;		NumSteps++;

const WorkListUnit& WU = WList->dequeue();		const WorkListUnit &WU = WList->dequeue();

// Set the current block counter.		// Set the current block counter.
WList->setBlockCounter(WU.getBlockCounter());		setBlockCounter(WU.getBlockCounter());

// Retrieve the node.		// Retrieve the node.
ExplodedNode *Node = WU.getNode();		ExplodedNode *Node = WU.getNode();

dispatchWorkItem(Node, Node->getLocation(), WU);		dispatchWorkItem(Node, Node->getLocation(), WU);
}		}
		return MaxSteps - Steps;
		};
		const unsigned STUSteps = ProcessWList(MaxSteps);

		if (CTUWList) {
		NumSTUSteps += STUSteps;
		const unsigned MinCTUSteps =
		martongAuthorUnsubmitted Done Reply Inline Actions Well, not just for lit tests, I'll update the comment. martong: Well, not just for lit tests, I'll update the comment.
		this->ExprEng.getAnalysisManager().options.CTUMaxNodesMin;
		const unsigned Pct =
		this->ExprEng.getAnalysisManager().options.CTUMaxNodesPercentage;
		unsigned MaxCTUSteps = std::max(STUSteps * Pct / 100, MinCTUSteps);

		WList = std::move(CTUWList);
		const unsigned CTUSteps = ProcessWList(MaxCTUSteps);
		NumCTUSteps += CTUSteps;
		}

ExprEng.processEndWorklist();		ExprEng.processEndWorklist();
return WList->hasWork();		return WList->hasWork();
}		}

void CoreEngine::dispatchWorkItem(ExplodedNode* Pred, ProgramPoint Loc,		void CoreEngine::dispatchWorkItem(ExplodedNode* Pred, ProgramPoint Loc,
const WorkListUnit& WU) {		const WorkListUnit& WU) {
// Dispatch on the location type.		// Dispatch on the location type.
switch (Loc.getKind()) {		switch (Loc.getKind()) {
▲ Show 20 Lines • Show All 120 Lines • ▼ Show 20 Lines
void CoreEngine::HandleBlockEntrance(const BlockEntrance &L,		void CoreEngine::HandleBlockEntrance(const BlockEntrance &L,
ExplodedNode *Pred) {		ExplodedNode *Pred) {
// Increment the block counter.		// Increment the block counter.
const LocationContext *LC = Pred->getLocationContext();		const LocationContext *LC = Pred->getLocationContext();
unsigned BlockId = L.getBlock()->getBlockID();		unsigned BlockId = L.getBlock()->getBlockID();
BlockCounter Counter = WList->getBlockCounter();		BlockCounter Counter = WList->getBlockCounter();
Counter = BCounterFactory.IncrementCount(Counter, LC->getStackFrame(),		Counter = BCounterFactory.IncrementCount(Counter, LC->getStackFrame(),
BlockId);		BlockId);
WList->setBlockCounter(Counter);		setBlockCounter(Counter);

// Process the entrance of the block.		// Process the entrance of the block.
if (Optional<CFGElement> E = L.getFirstElement()) {		if (Optional<CFGElement> E = L.getFirstElement()) {
NodeBuilderContext Ctx(*this, L.getBlock(), Pred);		NodeBuilderContext Ctx(*this, L.getBlock(), Pred);
ExprEng.processCFGElement(*E, Pred, 0, &Ctx);		ExprEng.processCFGElement(*E, Pred, 0, &Ctx);
}		}
else		else
HandleBlockExit(L.getBlock(), Pred);		HandleBlockExit(L.getBlock(), Pred);
▲ Show 20 Lines • Show All 414 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

	Show First 20 Lines • Show All 194 Lines • ▼ Show 20 Lines

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// Engine construction and deletion.			// Engine construction and deletion.
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	static const char* TagProviderName = "ExprEngine";			static const char* TagProviderName = "ExprEngine";

	ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,			ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
	AnalysisManager &mgr,			AnalysisManager &mgr, SetOfConstDecls *VisitedCalleesIn,
	SetOfConstDecls *VisitedCalleesIn,			FunctionSummariesTy *FS, InliningModes HowToInlineIn)
	FunctionSummariesTy *FS,			: CTU(CTU), IsCTUEnabled(mgr.getAnalyzerOptions().IsNaiveCTUEnabled),
	InliningModes HowToInlineIn)			AMgr(mgr), AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()),
	: CTU(CTU), AMgr(mgr),
	AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()),
	Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()),			Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()),
	StateMgr(getContext(), mgr.getStoreManagerCreator(),			StateMgr(getContext(), mgr.getStoreManagerCreator(),
	mgr.getConstraintManagerCreator(), G.getAllocator(),			mgr.getConstraintManagerCreator(), G.getAllocator(), this),
	this),			SymMgr(StateMgr.getSymbolManager()), MRMgr(StateMgr.getRegionManager()),
	SymMgr(StateMgr.getSymbolManager()),			svalBuilder(StateMgr.getSValBuilder()), ObjCNoRet(mgr.getASTContext()),
	MRMgr(StateMgr.getRegionManager()),			BR(mgr, *this), VisitedCallees(VisitedCalleesIn),
	svalBuilder(StateMgr.getSValBuilder()),			HowToInline(HowToInlineIn) {
	ObjCNoRet(mgr.getASTContext()),
	BR(mgr, *this),
	VisitedCallees(VisitedCalleesIn),
	HowToInline(HowToInlineIn)
	{
	unsigned TrimInterval = mgr.options.GraphTrimInterval;			unsigned TrimInterval = mgr.options.GraphTrimInterval;
	if (TrimInterval != 0) {			if (TrimInterval != 0) {
	// Enable eager node reclamation when constructing the ExplodedGraph.			// Enable eager node reclamation when constructing the ExplodedGraph.
	G.enableNodeReclamation(TrimInterval);			G.enableNodeReclamation(TrimInterval);
	}			}
	}			}

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	▲ Show 20 Lines • Show All 3,044 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show First 20 Lines • Show All 421 Lines • ▼ Show 20 Lines	namespace {
enum DynamicDispatchMode {		enum DynamicDispatchMode {
DynamicDispatchModeInlined = 1,		DynamicDispatchModeInlined = 1,
DynamicDispatchModeConservative		DynamicDispatchModeConservative
};		};
} // end anonymous namespace		} // end anonymous namespace

REGISTER_MAP_WITH_PROGRAMSTATE(DynamicDispatchBifurcationMap,		REGISTER_MAP_WITH_PROGRAMSTATE(DynamicDispatchBifurcationMap,
const MemRegion *, unsigned)		const MemRegion *, unsigned)
		REGISTER_TRAIT_WITH_PROGRAMSTATE(CTUDispatchBifurcation, bool)

bool ExprEngine::inlineCall(const CallEvent &Call, const Decl *D,		void ExprEngine::ctuBifurcate(const CallEvent &Call, const Decl *D,
		xazax.hunUnsubmitted Done Reply Inline Actions What is the meaning if the return value? It looks like the function always returns true. xazax.hun: What is the meaning if the return value? It looks like the function always returns true.
		martongAuthorUnsubmitted Done Reply Inline Actions Nothing. It is being used by `inlineCall` but there are no callers of `inlineCall` that would use it because `inlineCall` does return true on all paths as well. Good point, this is again a rotten legacy. I am going update this soon. martong: Nothing. It is being used by `inlineCall` but there are no callers of `inlineCall` that would…
		martongAuthorUnsubmitted Done Reply Inline Actions I've changed the return value from bool to void, both in `ctuBifurcate` and in `inlineCall`. martong: I've changed the return value from bool to void, both in `ctuBifurcate` and in `inlineCall`.
NodeBuilder &Bldr, ExplodedNode *Pred,		NodeBuilder &Bldr, ExplodedNode *Pred,
ProgramStateRef State) {		ProgramStateRef State) {
		ProgramStateRef ConservativeEvalState = nullptr;
		if (Call.isForeign() && !isSecondPhaseCTU()) {
		const auto IK = AMgr.options.getCTUPhase1Inlining();
		const bool DoInline = IK == CTUPhase1InliningKind::All \|\|
		(IK == CTUPhase1InliningKind::Small &&
		isSmall(AMgr.getAnalysisDeclContext(D)));
		if (DoInline) {
		inlineCall(Engine.getWorkList(), Call, D, Bldr, Pred, State);
		return;
		}
		const bool BState = State->get<CTUDispatchBifurcation>();
		if (!BState) { // This is the first time we see this foreign function.
		xazax.hunUnsubmitted Done Reply Inline Actions So if we see the same foreign function called in multiple contexts, we will only queue one of the contexts for the CTU. Is this the intended design? So if I see: foreign(true); foreign(false); The new CTU will only evaluate `foreign(true)` but not `foreign(false)`. xazax.hun: So if we see the same foreign function called in multiple contexts, we will only queue one of…
		martongAuthorUnsubmitted Done Reply Inline Actions This is intentional. foreign(true); foreign(false); The new CTU will evaluate the following paths in the exploded graph: foreign(true); // conservative evaluated foreign(false); // conservative evaluated foreign(true); // inlined foreign(false); // inlined The point is to keep bifurcation to a minimum and avoid the exponential blow up. So, we will never have a path like this: foreign(true); // conservative evaluated foreign(false); // inlined Actually, this is the same strategy that we use during the dynamic dispatch of C++ virtual calls. See `DynamicDispatchBifurcationMap`. The conservative evaluation happens in the first phase, the inlining in the second phase (assuming the phase1 inlining option is set to none). martong: This is intentional. ``` foreign(true); foreign(false); ``` The new CTU will evaluate the…
		xazax.hunUnsubmitted Done Reply Inline Actions The new CTU will evaluate the following paths in the exploded graph: foreign(true); // conservative evaluated foreign(false); // conservative evaluated foreign(true); // inlined foreign(false); // inlined When we encounter `foreign(true)`, we would add the decl to `CTUDispatchBifurcationSet`. So the second time we see a call to the function `foreign(false);`, we will just do the conservative evaluation and will not add the call to the CTU worklist. So how will `foreign(false);` be inlined in the second pass? Do I miss something? xazax.hun: > The new CTU will evaluate the following paths in the exploded graph: > ``` > foreign(true)…
		xazax.hunUnsubmitted Done Reply Inline Actions Oh, I think I now understand. Do you expect `foreign(false);` to be inlined after we return from `foreign(true);` in the second pass? Sorry for the confusion, in that case it looks good to me. xazax.hun: Oh, I think I now understand. Do you expect `foreign(false);` to be inlined after we return…
		martongAuthorUnsubmitted Done Reply Inline Actions Oh, I think I now understand. Do you expect `foreign(false);` to be inlined after we return from `foreign(true);` in the second pass? Yes, that's right. martong: > Oh, I think I now understand. Do you expect `foreign(false);` to be inlined after we return…
		xazax.hunUnsubmitted Done Reply Inline Actions Actually, in this case I wonder whether we really need a set of declarations. Wouldn't a boolean be sufficient for each path? So in case of: foreign1(true); foreign2(false); Why would we want to add `foreign2` to the CTU worklist? More specifically, why is it important whether a foreign call is actually the same declaration that we saw earlier on the path? Isn't being foreign the only important information in this case? xazax.hun: Actually, in this case I wonder whether we really need a set of declarations. Wouldn't a…
		martongAuthorUnsubmitted Done Reply Inline Actions Good point. By using the set of declarations we might have a path where `foreign1` is conservatively evaluated and then `foreign2` is inlined. I was having a hard time to find any use-cases where this would be useful, but could not find one. On the other hand, by using a `bool`, as you suggest, no such superfluous path would exist. Plus, the dependent child patch (D123784) is becoming unnecessary because the CTUWorklist will have at most one element during the first phase. Besides, I've made measurements comparing the `bool` and the `set` implementation. The results are quite similar. Both have lost the same amount of bugreports compared to the single-tu analysis and the average length of the bugpaths are also similar. stats.html226 KBDownload martong: Good point. By using the set of declarations we might have a path where `foreign1` is…
		xazax.hunUnsubmitted Not Done Reply Inline Actions Great news! :) Looks like this was a nice simplification, thanks for looking into it! xazax.hun: Great news! :) Looks like this was a nice simplification, thanks for looking into it!
		// Enqueue it to be analyzed in the second (ctu) phase.
		inlineCall(Engine.getCTUWorkList(), Call, D, Bldr, Pred, State);
		// Conservatively evaluate in the first phase.
		ConservativeEvalState = State->set<CTUDispatchBifurcation>(true);
		conservativeEvalCall(Call, Bldr, Pred, ConservativeEvalState);
		} else {
		conservativeEvalCall(Call, Bldr, Pred, State);
		}
		return;
		}
		inlineCall(Engine.getWorkList(), Call, D, Bldr, Pred, State);
		}

		void ExprEngine::inlineCall(WorkList *WList, const CallEvent &Call,
		const Decl *D, NodeBuilder &Bldr,
		ExplodedNode *Pred, ProgramStateRef State) {
assert(D);		assert(D);

const LocationContext *CurLC = Pred->getLocationContext();		const LocationContext *CurLC = Pred->getLocationContext();
const StackFrameContext *CallerSFC = CurLC->getStackFrame();		const StackFrameContext *CallerSFC = CurLC->getStackFrame();
const LocationContext *ParentOfCallee = CallerSFC;		const LocationContext *ParentOfCallee = CallerSFC;
if (Call.getKind() == CE_Block &&		if (Call.getKind() == CE_Block &&
!cast<BlockCall>(Call).isConversionFromLambda()) {		!cast<BlockCall>(Call).isConversionFromLambda()) {
const BlockDataRegion *BR = cast<BlockCall>(Call).getBlockRegion();		const BlockDataRegion *BR = cast<BlockCall>(Call).getBlockRegion();
Show All 18 Lines	void ExprEngine::inlineCall(WorkList *WList, const CallEvent &Call,
// Construct a new state which contains the mapping from actual to		// Construct a new state which contains the mapping from actual to
// formal arguments.		// formal arguments.
State = State->enterStackFrame(Call, CalleeSFC);		State = State->enterStackFrame(Call, CalleeSFC);

bool isNew;		bool isNew;
if (ExplodedNode *N = G.getNode(Loc, State, false, &isNew)) {		if (ExplodedNode *N = G.getNode(Loc, State, false, &isNew)) {
N->addPredecessor(Pred, G);		N->addPredecessor(Pred, G);
if (isNew)		if (isNew)
Engine.getWorkList()->enqueue(N);		WList->enqueue(N);
}		}

// If we decided to inline the call, the successor has been manually		// If we decided to inline the call, the successor has been manually
// added onto the work list so remove it from the node builder.		// added onto the work list so remove it from the node builder.
Bldr.takeNodes(Pred);		Bldr.takeNodes(Pred);

NumInlinedCalls++;		NumInlinedCalls++;
Engine.FunctionSummaries->bumpNumTimesInlined(D);		Engine.FunctionSummaries->bumpNumTimesInlined(D);

		// Do not mark as visited in the 2nd run (CTUWList), so the function will
		// be visited as top-level, this way we won't loose reports in non-ctu
		// mode. Considering the case when a function in a foreign TU calls back
		// into the main TU.
		// Note, during the 1st run, it doesn't matter if we mark the foreign
		// functions as visited (or not) because they can never appear as a top level
		// function in the main TU.
		xazax.hunUnsubmitted Done Reply Inline Actions So `getCTUWorkList` will return `nullptr` in the second phase? Reading this code first I had the impression we will skip doing marking them visited in the first phase. I think having a helper like `IsSecondCTUPhase` or something would make this a bit less confusing. xazax.hun: So `getCTUWorkList` will return `nullptr` in the second phase? Reading this code first I had…
		martongAuthorUnsubmitted Done Reply Inline Actions Fair enough. I am going to update. martong: Fair enough. I am going to update.
		martongAuthorUnsubmitted Done Reply Inline Actions I've added `isCTUInFirtstPhase()`. martong: I've added `isCTUInFirtstPhase()`.
		if (!isSecondPhaseCTU())
// Mark the decl as visited.		// Mark the decl as visited.
if (VisitedCallees)		if (VisitedCallees)
VisitedCallees->insert(D);		VisitedCallees->insert(D);

return true;
}		}

static ProgramStateRef getInlineFailedState(ProgramStateRef State,		static ProgramStateRef getInlineFailedState(ProgramStateRef State,
const Stmt *CallE) {		const Stmt *CallE) {
const void *ReplayState = State->get<ReplayWithoutInlining>();		const void *ReplayState = State->get<ReplayWithoutInlining>();
if (!ReplayState)		if (!ReplayState)
return nullptr;		return nullptr;

▲ Show 20 Lines • Show All 572 Lines • ▼ Show 20 Lines	void ExprEngine::defaultEvalCall(NodeBuilder &Bldr, ExplodedNode *Pred,
const Expr *E = Call->getOriginExpr();		const Expr *E = Call->getOriginExpr();

ProgramStateRef InlinedFailedState = getInlineFailedState(State, E);		ProgramStateRef InlinedFailedState = getInlineFailedState(State, E);
if (InlinedFailedState) {		if (InlinedFailedState) {
// If we already tried once and failed, make sure we don't retry later.		// If we already tried once and failed, make sure we don't retry later.
State = InlinedFailedState;		State = InlinedFailedState;
} else {		} else {
RuntimeDefinition RD = Call->getRuntimeDefinition();		RuntimeDefinition RD = Call->getRuntimeDefinition();
		Call->setForeign(RD.isForeign());
const Decl *D = RD.getDecl();		const Decl *D = RD.getDecl();
if (shouldInlineCall(*Call, D, Pred, CallOpts)) {		if (shouldInlineCall(*Call, D, Pred, CallOpts)) {
if (RD.mayHaveOtherDefinitions()) {		if (RD.mayHaveOtherDefinitions()) {
AnalyzerOptions &Options = getAnalysisManager().options;		AnalyzerOptions &Options = getAnalysisManager().options;

// Explore with and without inlining the call.		// Explore with and without inlining the call.
if (Options.getIPAMode() == IPAK_DynamicDispatchBifurcate) {		if (Options.getIPAMode() == IPAK_DynamicDispatchBifurcate) {
BifurcateCall(RD.getDispatchRegion(), *Call, D, Bldr, Pred);		BifurcateCall(RD.getDispatchRegion(), *Call, D, Bldr, Pred);
return;		return;
}		}

// Don't inline if we're not in any dynamic dispatch mode.		// Don't inline if we're not in any dynamic dispatch mode.
if (Options.getIPAMode() != IPAK_DynamicDispatch) {		if (Options.getIPAMode() != IPAK_DynamicDispatch) {
conservativeEvalCall(*Call, Bldr, Pred, State);		conservativeEvalCall(*Call, Bldr, Pred, State);
return;		return;
}		}
}		}
		ctuBifurcate(*Call, D, Bldr, Pred, State);
		xazax.hunUnsubmitted Done Reply Inline Actions I think this is getting really confusing here. The comment saying we are not bifurcating and we call `ctuBifurcate`. While I do understand these are two different kinds of bifurcation but I think we should rethink how to name some of these functions. xazax.hun: I think this is getting really confusing here. The comment saying we are not bifurcating and we…
		martongAuthorUnsubmitted Done Reply Inline Actions Yeah, good point, the comment is meaningless and confusing from this point, I'll just delete it. martong: Yeah, good point, the comment is meaningless and confusing from this point, I'll just delete it.
		martongAuthorUnsubmitted Done Reply Inline Actions I removed the comment. martong: I removed the comment.
// We are not bifurcating and we do have a Decl, so just inline.
if (inlineCall(*Call, D, Bldr, Pred, State))
return;		return;
}		}
}		}

// If we can't inline it, handle the return value and invalidate the regions.		// If we can't inline it, handle the return value and invalidate the regions.
conservativeEvalCall(*Call, Bldr, Pred, State);		conservativeEvalCall(*Call, Bldr, Pred, State);
}		}

void ExprEngine::BifurcateCall(const MemRegion *BifurReg,		void ExprEngine::BifurcateCall(const MemRegion *BifurReg,
const CallEvent &Call, const Decl *D,		const CallEvent &Call, const Decl *D,
NodeBuilder &Bldr, ExplodedNode *Pred) {		NodeBuilder &Bldr, ExplodedNode *Pred) {
assert(BifurReg);		assert(BifurReg);
BifurReg = BifurReg->StripCasts();		BifurReg = BifurReg->StripCasts();

// Check if we've performed the split already - note, we only want		// Check if we've performed the split already - note, we only want
// to split the path once per memory region.		// to split the path once per memory region.
ProgramStateRef State = Pred->getState();		ProgramStateRef State = Pred->getState();
const unsigned *BState =		const unsigned *BState =
State->get<DynamicDispatchBifurcationMap>(BifurReg);		State->get<DynamicDispatchBifurcationMap>(BifurReg);
if (BState) {		if (BState) {
// If we are on "inline path", keep inlining if possible.		// If we are on "inline path", keep inlining if possible.
if (*BState == DynamicDispatchModeInlined)		if (*BState == DynamicDispatchModeInlined)
if (inlineCall(Call, D, Bldr, Pred, State))		ctuBifurcate(Call, D, Bldr, Pred, State);
return;
// If inline failed, or we are on the path where we assume we		// If inline failed, or we are on the path where we assume we
// don't have enough info about the receiver to inline, conjure the		// don't have enough info about the receiver to inline, conjure the
// return value and invalidate the regions.		// return value and invalidate the regions.
conservativeEvalCall(Call, Bldr, Pred, State);		conservativeEvalCall(Call, Bldr, Pred, State);
return;		return;
}		}

// If we got here, this is the first time we process a message to this		// If we got here, this is the first time we process a message to this
// region, so split the path.		// region, so split the path.
ProgramStateRef IState =		ProgramStateRef IState =
State->set<DynamicDispatchBifurcationMap>(BifurReg,		State->set<DynamicDispatchBifurcationMap>(BifurReg,
DynamicDispatchModeInlined);		DynamicDispatchModeInlined);
inlineCall(Call, D, Bldr, Pred, IState);		ctuBifurcate(Call, D, Bldr, Pred, IState);

ProgramStateRef NoIState =		ProgramStateRef NoIState =
State->set<DynamicDispatchBifurcationMap>(BifurReg,		State->set<DynamicDispatchBifurcationMap>(BifurReg,
DynamicDispatchModeConservative);		DynamicDispatchModeConservative);
conservativeEvalCall(Call, Bldr, Pred, NoIState);		conservativeEvalCall(Call, Bldr, Pred, NoIState);

NumOfDynamicDispatchPathSplits++;		NumOfDynamicDispatchPathSplits++;
}		}
Show All 15 Lines

clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

Show First 20 Lines • Show All 470 Lines • ▼ Show 20 Lines	for (auto &N : RPOT) {
if (!D)		if (!D)
continue;		continue;

// Skip the functions which have been processed already or previously		// Skip the functions which have been processed already or previously
// inlined.		// inlined.
if (shouldSkipFunction(D, Visited, VisitedAsTopLevel))		if (shouldSkipFunction(D, Visited, VisitedAsTopLevel))
continue;		continue;

		// The CallGraph might have declarations as callees. However, during CTU
		// the declaration might form a declaration chain with the newly imported
		// definition from another TU. In this case we don't want to analyze the
		// function definition as toplevel.
		if (const auto *FD = dyn_cast<FunctionDecl>(D)) {
		// Calling 'hasBody' replaces 'FD' in place with the FunctionDecl
		// that has the body.
		FD->hasBody(FD);
		if (CTU.isImportedAsNew(FD))
		continue;
		}

// Analyze the function.		// Analyze the function.
SetOfConstDecls VisitedCallees;		SetOfConstDecls VisitedCallees;

HandleCode(D, AM_Path, getInliningModeForFunction(D, Visited),		HandleCode(D, AM_Path, getInliningModeForFunction(D, Visited),
(Mgr->options.InliningMode == All ? nullptr : &VisitedCallees));		(Mgr->options.InliningMode == All ? nullptr : &VisitedCallees));

// Add the visited callees to the global visited set.		// Add the visited callees to the global visited set.
for (const Decl *Callee : VisitedCallees)		for (const Decl *Callee : VisitedCallees)
▲ Show 20 Lines • Show All 277 Lines • Show Last 20 Lines

clang/test/Analysis/Inputs/ctu-onego-existingdef-other.cpp

This file was added.

				int bar() {
				return 0;
				}

				void other() {
				bar();
				}

clang/test/Analysis/Inputs/ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt

This file was added.

				9:c:@F@bar# ctu-onego-existingdef-other.cpp.ast
				11:c:@F@other# ctu-onego-existingdef-other.cpp.ast
				whisperityUnsubmitted Done Reply Inline Actions Why is there only 1 symbol in this file, when the file above contains two function definitions? whisperity: Why is there only 1 symbol in this file, when the file above contains two function definitions?
				martongAuthorUnsubmitted Done Reply Inline Actions Good catch. I've added the other function. Besides, I had the wrong filename provided, it should have been `ctu-onego-existingdef-other.cpp.ast`, the `existingdef` was missing. Fixed that too, plus added and extra `FileCheck` to the `existingdef` test that detects if the ast file is not loaded. martong: Good catch. I've added the other function. Besides, I had the wrong filename provided, it…

clang/test/Analysis/Inputs/ctu-onego-indirect-other.cpp

This file was added.

				int bar() {
				return 0;
				}

				void other() {
				bar();
				}

clang/test/Analysis/Inputs/ctu-onego-indirect-other.cpp.externalDefMap.ast-dump.txt

This file was added.

				11:c:@F@other# ctu-onego-indirect-other.cpp.ast
				9:c:@F@bar# ctu-onego-indirect-other.cpp.ast

clang/test/Analysis/Inputs/ctu-onego-small-other.cpp

This file was added.

				int bar() {
				return 0;
				}

clang/test/Analysis/Inputs/ctu-onego-small-other.cpp.externalDefMap.ast-dump.txt

This file was added.

9:c:@F@bar# ctu-onego-small-other.cpp.ast

clang/test/Analysis/Inputs/ctu-onego-toplevel-other.cpp

This file was added.

				void b(int x);
				void other(int y) {
				b(1);
				}

clang/test/Analysis/Inputs/ctu-onego-toplevel-other.cpp.externalDefMap.ast-dump.txt

This file was added.

13:c:@F@other#I# ctu-onego-toplevel-other.cpp.ast

clang/test/Analysis/analyzer-config.c

	Show First 20 Lines • Show All 44 Lines • ▼ Show 20 Lines
	// CHECK-NEXT: cplusplus.Move:WarnOn = KnownsAndLocals			// CHECK-NEXT: cplusplus.Move:WarnOn = KnownsAndLocals
	// CHECK-NEXT: cplusplus.SmartPtrModeling:ModelSmartPtrDereference = false			// CHECK-NEXT: cplusplus.SmartPtrModeling:ModelSmartPtrDereference = false
	// CHECK-NEXT: crosscheck-with-z3 = false			// CHECK-NEXT: crosscheck-with-z3 = false
	// CHECK-NEXT: ctu-dir = ""			// CHECK-NEXT: ctu-dir = ""
	// CHECK-NEXT: ctu-import-cpp-threshold = 8			// CHECK-NEXT: ctu-import-cpp-threshold = 8
	// CHECK-NEXT: ctu-import-threshold = 24			// CHECK-NEXT: ctu-import-threshold = 24
	// CHECK-NEXT: ctu-index-name = externalDefMap.txt			// CHECK-NEXT: ctu-index-name = externalDefMap.txt
	// CHECK-NEXT: ctu-invocation-list = invocations.yaml			// CHECK-NEXT: ctu-invocation-list = invocations.yaml
				// CHECK-NEXT: ctu-max-nodes-min = 10000
				// CHECK-NEXT: ctu-max-nodes-pct = 50
				// CHECK-NEXT: ctu-phase1-inlining = small
	// CHECK-NEXT: deadcode.DeadStores:ShowFixIts = false			// CHECK-NEXT: deadcode.DeadStores:ShowFixIts = false
	// CHECK-NEXT: deadcode.DeadStores:WarnForDeadNestedAssignments = true			// CHECK-NEXT: deadcode.DeadStores:WarnForDeadNestedAssignments = true
	// CHECK-NEXT: debug.AnalysisOrder:* = false			// CHECK-NEXT: debug.AnalysisOrder:* = false
	// CHECK-NEXT: debug.AnalysisOrder:Bind = false			// CHECK-NEXT: debug.AnalysisOrder:Bind = false
	// CHECK-NEXT: debug.AnalysisOrder:EndAnalysis = false			// CHECK-NEXT: debug.AnalysisOrder:EndAnalysis = false
	// CHECK-NEXT: debug.AnalysisOrder:EndFunction = false			// CHECK-NEXT: debug.AnalysisOrder:EndFunction = false
	// CHECK-NEXT: debug.AnalysisOrder:EvalCall = false			// CHECK-NEXT: debug.AnalysisOrder:EvalCall = false
	// CHECK-NEXT: debug.AnalysisOrder:LiveSymbols = false			// CHECK-NEXT: debug.AnalysisOrder:LiveSymbols = false
	▲ Show 20 Lines • Show All 69 Lines • Show Last 20 Lines

clang/test/Analysis/ctu-implicit.c

	// RUN: rm -rf %t && mkdir %t			// RUN: rm -rf %t && mkdir %t
	// RUN: mkdir -p %t/ctudir2			// RUN: mkdir -p %t/ctudir2
	// RUN: %clang_cc1 \			// RUN: %clang_cc1 \
	// RUN: -emit-pch -o %t/ctudir2/ctu-import.c.ast %S/Inputs/ctu-import.c			// RUN: -emit-pch -o %t/ctudir2/ctu-import.c.ast %S/Inputs/ctu-import.c
	// RUN: cp %S/Inputs/ctu-import.c.externalDefMap.ast-dump.txt %t/ctudir2/externalDefMap.txt			// RUN: cp %S/Inputs/ctu-import.c.externalDefMap.ast-dump.txt %t/ctudir2/externalDefMap.txt
	// RUN: %clang_cc1 -analyze \			// RUN: %clang_cc1 -analyze \
	// RUN: -analyzer-checker=core,debug.ExprInspection \			// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
	// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \			// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
	// RUN: -analyzer-config display-ctu-progress=true \			// RUN: -analyzer-config display-ctu-progress=true \
	// RUN: -analyzer-config ctu-dir=%t/ctudir2 \			// RUN: -analyzer-config ctu-dir=%t/ctudir2 \
	// RUN: -verify %s			// RUN: -verify %s

	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);

	int testStaticImplicit(void);			int testStaticImplicit(void);
	int func(void) {			int func(void) {
	int ret = testStaticImplicit();			int ret = testStaticImplicit();
	clang_analyzer_eval(ret == 4); // expected-warning{{TRUE}}			clang_analyzer_eval(ret == 4); // expected-warning{{TRUE}} ctu
				// expected-warning@-1{{UNKNOWN}} stu
	return testStaticImplicit();			return testStaticImplicit();
	}			}

clang/test/Analysis/ctu-main.c

	// RUN: rm -rf %t && mkdir %t			// RUN: rm -rf %t && mkdir %t
	// RUN: mkdir -p %t/ctudir2			// RUN: mkdir -p %t/ctudir2
	// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu \			// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu \
	// RUN: -emit-pch -o %t/ctudir2/ctu-other.c.ast %S/Inputs/ctu-other.c			// RUN: -emit-pch -o %t/ctudir2/ctu-other.c.ast %S/Inputs/ctu-other.c
	// RUN: cp %S/Inputs/ctu-other.c.externalDefMap.ast-dump.txt %t/ctudir2/externalDefMap.txt			// RUN: cp %S/Inputs/ctu-other.c.externalDefMap.ast-dump.txt %t/ctudir2/externalDefMap.txt

				// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -fsyntax-only -std=c89 -analyze \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir2 \
				// RUN: -analyzer-config ctu-phase1-inlining=none \
				// RUN: -verify=newctu %s

				// Simulate the behavior of the previous CTU implementation by inlining all
				// functions during the first phase. This way, the second phase is a noop.
	// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -fsyntax-only -std=c89 -analyze \			// RUN: %clang_cc1 -triple x86_64-pc-linux-gnu -fsyntax-only -std=c89 -analyze \
	// RUN: -analyzer-checker=core,debug.ExprInspection \			// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
	// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \			// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
	// RUN: -analyzer-config ctu-dir=%t/ctudir2 \			// RUN: -analyzer-config ctu-dir=%t/ctudir2 \
	// RUN: -verify %s			// RUN: -analyzer-config ctu-phase1-inlining=all \
				// RUN: -verify=oldctu %s

	void clang_analyzer_eval(int);			void clang_analyzer_eval(int);

				// A function that's definition is unknown both for single-tu (stu) and ctu
				// mode.
				int unknown(int);
				void test_unknown() {
				int res = unknown(6);
				clang_analyzer_eval(res == 6); // newctu-warning{{UNKNOWN}}
				// oldctu-warning@-1{{UNKNOWN}}
				}

	// Test typedef and global variable in function.			// Test typedef and global variable in function.
	typedef struct {			typedef struct {
	int a;			int a;
	int b;			int b;
	} FooBar;			} FooBar;
	extern FooBar fb;			extern FooBar fb;
	int f(int);			int f(int);
	void testGlobalVariable(void) {			void testGlobalVariable() {
	clang_analyzer_eval(f(5) == 1); // expected-warning{{TRUE}}			clang_analyzer_eval(f(5) == 1); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
	}			}

	// Test enums.			// Test enums.
	int enumCheck(void);			int enumCheck(void);
	enum A { x,			enum A { x,
	y,			y,
	z };			z };
	void testEnum(void) {			void testEnum(void) {
	clang_analyzer_eval(x == 0); // expected-warning{{TRUE}}			clang_analyzer_eval(x == 0); // newctu-warning{{TRUE}}
	clang_analyzer_eval(enumCheck() == 42); // expected-warning{{TRUE}}			// oldctu-warning@-1{{TRUE}}
				clang_analyzer_eval(enumCheck() == 42); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
	}			}

	// Test that asm import does not fail.			// Test that asm import does not fail.
	int inlineAsm(void);			int inlineAsm(void);
	int testInlineAsm(void) {			int testInlineAsm(void) {
	return inlineAsm();			return inlineAsm();
	}			}

	// Test reporting error in a macro.			// Test reporting error in a macro.
	struct S;			struct S;
	int g(struct S *);			int g(struct S *);
	void testMacro(void) {			void testMacro(void) {
	g(0); // expected-warning@Inputs/ctu-other.c:29 {{Access to field 'a' results in a dereference of a null pointer (loaded from variable 'ctx')}}			g(0); // newctu-warning@Inputs/ctu-other.c:29 {{Access to field 'a' results in a dereference of a null pointer (loaded from variable 'ctx')}}
				// oldctu-warning@Inputs/ctu-other.c:29 {{Access to field 'a' results in a dereference of a null pointer (loaded from variable 'ctx')}}
	}			}

	// The external function prototype is incomplete.			// The external function prototype is incomplete.
	// warning:implicit functions are prohibited by c99			// warning:implicit functions are prohibited by c99
	void testImplicit(void) {			void testImplicit(void) {
	int res = identImplicit(6); // external implicit functions are not inlined			int res = identImplicit(6); // external implicit functions are not inlined
	clang_analyzer_eval(res == 6); // expected-warning{{TRUE}}			clang_analyzer_eval(res == 6); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
	// Call something with uninitialized from the same function in which the implicit was called.			// Call something with uninitialized from the same function in which the implicit was called.
	// This is necessary to reproduce a special bug in NoStoreFuncVisitor.			// This is necessary to reproduce a special bug in NoStoreFuncVisitor.
	int uninitialized;			int uninitialized;
	h(uninitialized); // expected-warning{{1st function call argument is an uninitialized value}}			h(uninitialized); // newctu-warning{{1st function call argument is an uninitialized value}}
				// oldctu-warning@-1{{1st function call argument is an uninitialized value}}
	}			}

	// Tests the import of functions that have a struct parameter			// Tests the import of functions that have a struct parameter
	// defined in its prototype.			// defined in its prototype.
	struct DataType {			struct DataType {
	int a;			int a;
	int b;			int b;
	};			};
	int structInProto(struct DataType *d);			int structInProto(struct DataType *d);
	void testStructDefInArgument(void) {			void testStructDefInArgument(void) {
	struct DataType d;			struct DataType d;
	d.a = 1;			d.a = 1;
	d.b = 0;			d.b = 0;
	clang_analyzer_eval(structInProto(&d) == 0); // expected-warning{{TRUE}} expected-warning{{FALSE}}			// Not imported, thus remains unknown both in stu and ctu.
				clang_analyzer_eval(structInProto(&d) == 0); // newctu-warning{{UNKNOWN}}
				// oldctu-warning@-1{{UNKNOWN}}
	}			}

	int switchWithoutCases(int);			int switchWithoutCases(int);
	void testSwitchStmtCrash(int x) {			void testSwitchStmtCrash(int x) {
	switchWithoutCases(x);			switchWithoutCases(x);
	}			}

clang/test/Analysis/ctu-main.cpp

	// RUN: rm -rf %t && mkdir %t			// RUN: rm -rf %t && mkdir %t
	// RUN: mkdir -p %t/ctudir			// RUN: mkdir -p %t/ctudir
	// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \			// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
	// RUN: -emit-pch -o %t/ctudir/ctu-other.cpp.ast %S/Inputs/ctu-other.cpp			// RUN: -emit-pch -o %t/ctudir/ctu-other.cpp.ast %S/Inputs/ctu-other.cpp
	// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \			// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
	// RUN: -emit-pch -o %t/ctudir/ctu-chain.cpp.ast %S/Inputs/ctu-chain.cpp			// RUN: -emit-pch -o %t/ctudir/ctu-chain.cpp.ast %S/Inputs/ctu-chain.cpp
	// RUN: cp %S/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt			// RUN: cp %S/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt

				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyzer-config ctu-phase1-inlining=none \
				// RUN: -verify=newctu %s

				// Simulate the behavior of the previous CTU implementation by inlining all
				// functions during the first phase. This way, the second phase is a noop.
	// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \			// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
	// RUN: -analyzer-checker=core,debug.ExprInspection \			// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
	// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \			// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
	// RUN: -analyzer-config ctu-dir=%t/ctudir \			// RUN: -analyzer-config ctu-dir=%t/ctudir \
	// RUN: -verify %s			// RUN: -analyzer-config ctu-phase1-inlining=all \
				// RUN: -verify=oldctu %s

	// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \			// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
	// RUN: -analyzer-checker=core,debug.ExprInspection \			// RUN: -analyzer-checker=core,debug.ExprInspection \
	// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \			// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
	// RUN: -analyzer-config ctu-dir=%t/ctudir \			// RUN: -analyzer-config ctu-dir=%t/ctudir \
	// RUN: -analyzer-config display-ctu-progress=true 2>&1 %s \| FileCheck %s			// RUN: -analyzer-config display-ctu-progress=true 2>&1 %s \| FileCheck %s

	// CHECK: CTU loaded AST file: {{.*}}ctu-other.cpp.ast			// CHECK: CTU loaded AST file: {{.*}}ctu-other.cpp.ast
	// CHECK: CTU loaded AST file: {{.*}}ctu-chain.cpp.ast			// CHECK: CTU loaded AST file: {{.*}}ctu-chain.cpp.ast
	▲ Show 20 Lines • Show All 87 Lines • ▼ Show 20 Lines
	union U {			union U {
	const int a;			const int a;
	const unsigned int b;			const unsigned int b;
	};			};
	extern const U extU;			extern const U extU;

	void test_virtual_functions(mycls* obj) {			void test_virtual_functions(mycls* obj) {
	// The dynamic type is known.			// The dynamic type is known.
	clang_analyzer_eval(mycls().fvcl(1) == 8); // expected-warning{{TRUE}}			clang_analyzer_eval(mycls().fvcl(1) == 8); // newctu-warning{{TRUE}} ctu
	clang_analyzer_eval(derived().fvcl(1) == 9); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(derived().fvcl(1) == 9); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
	// We cannot decide about the dynamic type.			// We cannot decide about the dynamic type.
	clang_analyzer_eval(obj->fvcl(1) == 8); // expected-warning{{FALSE}} expected-warning{{TRUE}}			clang_analyzer_eval(obj->fvcl(1) == 8); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} ctu, stu
				// oldctu-warning@-2{{TRUE}}
				// oldctu-warning@-3{{UNKNOWN}}
	}			}

	class TestAnonUnionUSR {			class TestAnonUnionUSR {
	public:			public:
	inline float f(int value) {			inline float f(int value) {
	union {			union {
	float f;			float f;
	int i;			int i;
	};			};
	i = value;			i = value;
	return f;			return f;
	}			}
	static const int Test;			static const int Test;
	};			};

	extern int testImportOfIncompleteDefaultParmDuringImport(int);			extern int testImportOfIncompleteDefaultParmDuringImport(int);

	extern int testImportOfDelegateConstructor(int);			extern int testImportOfDelegateConstructor(int);

	int main() {			int main() {
	clang_analyzer_eval(f(3) == 2); // expected-warning{{TRUE}}			clang_analyzer_eval(f(3) == 2); // newctu-warning{{TRUE}} ctu
				martongAuthorUnsubmitted Done Reply Inline Actions This FIXME is outdated, got here during rebase. martong: This FIXME is outdated, got here during rebase.
	clang_analyzer_eval(f(4) == 3); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
	clang_analyzer_eval(f(5) == 3); // expected-warning{{FALSE}}			// oldctu-warning@-2{{TRUE}}
	clang_analyzer_eval(g(4) == 6); // expected-warning{{TRUE}}			clang_analyzer_eval(f(4) == 3); // newctu-warning{{TRUE}} ctu
	clang_analyzer_eval(h(2) == 8); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
	clang_analyzer_eval(myns::fns(2) == 9); // expected-warning{{TRUE}}			clang_analyzer_eval(f(5) == 3); // newctu-warning{{FALSE}} ctu
	clang_analyzer_eval(myns::embed_ns::fens(2) == -1); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
	clang_analyzer_eval(mycls().fcl(1) == 6); // expected-warning{{TRUE}}			// oldctu-warning@-2{{FALSE}}
	clang_analyzer_eval(mycls::fscl(1) == 7); // expected-warning{{TRUE}}			clang_analyzer_eval(g(4) == 6); // newctu-warning{{TRUE}} ctu
	clang_analyzer_eval(myns::embed_cls().fecl(1) == -6); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
	clang_analyzer_eval(mycls::embed_cls2().fecl2(0) == -11); // expected-warning{{TRUE}}			// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(h(2) == 8); // newctu-warning{{TRUE}} ctu
	clang_analyzer_eval(chns::chf1(4) == 12); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
	clang_analyzer_eval(fun_using_anon_struct(8) == 8); // expected-warning{{TRUE}}			// oldctu-warning@-2{{TRUE}}

	clang_analyzer_eval(other_macro_diag(1) == 1); // expected-warning{{TRUE}}			clang_analyzer_eval(myns::fns(2) == 9); // newctu-warning{{TRUE}} ctu
	// expected-warning@Inputs/ctu-other.cpp:93{{REACHABLE}}			// newctu-warning@-1{{UNKNOWN}} stu
	MACRODIAG(); // expected-warning{{REACHABLE}}			// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(myns::embed_ns::fens(2) == -1); // newctu-warning{{TRUE}} ctu
	clang_analyzer_eval(extInt == 2); // expected-warning{{TRUE}}			// newctu-warning@-1{{UNKNOWN}} stu
	clang_analyzer_eval(intns::extInt == 3); // expected-warning{{TRUE}}			// oldctu-warning@-2{{TRUE}}
	clang_analyzer_eval(extS.a == 4); // expected-warning{{TRUE}}			clang_analyzer_eval(mycls().fcl(1) == 6); // newctu-warning{{TRUE}} ctu
	clang_analyzer_eval(extNonConstS.a == 4); // expected-warning{{TRUE}} expected-warning{{FALSE}}			// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(mycls::fscl(1) == 7); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(myns::embed_cls().fecl(1) == -6); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(mycls::embed_cls2().fecl2(0) == -11); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}

				clang_analyzer_eval(chns::chf1(4) == 12); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
				clang_analyzer_eval(fun_using_anon_struct(8) == 8); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}

				clang_analyzer_eval(other_macro_diag(1) == 1); // newctu-warning{{TRUE}} ctu
				// newctu-warning@-1{{UNKNOWN}} stu
				// oldctu-warning@-2{{TRUE}}
				// newctu-warning@Inputs/ctu-other.cpp:93{{REACHABLE}}
				// oldctu-warning@Inputs/ctu-other.cpp:93{{REACHABLE}}
				MACRODIAG(); // newctu-warning{{REACHABLE}}
				// oldctu-warning@-1{{REACHABLE}}

				// FIXME we should report an UNKNOWN as well for all external variables!
				clang_analyzer_eval(extInt == 2); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
				clang_analyzer_eval(intns::extInt == 3); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
				clang_analyzer_eval(extS.a == 4); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
				clang_analyzer_eval(extNonConstS.a == 4); // newctu-warning{{UNKNOWN}}
				// oldctu-warning@-1{{UNKNOWN}}
	// Do not import non-trivial classes' initializers.			// Do not import non-trivial classes' initializers.
	clang_analyzer_eval(extNTS.a == 4); // expected-warning{{TRUE}} expected-warning{{FALSE}}			clang_analyzer_eval(extNTS.a == 4); // newctu-warning{{UNKNOWN}}
	clang_analyzer_eval(extHere == 6); // expected-warning{{TRUE}}			// oldctu-warning@-1{{UNKNOWN}}
	clang_analyzer_eval(A::a == 3); // expected-warning{{TRUE}}			clang_analyzer_eval(extHere == 6); // newctu-warning{{TRUE}}
	clang_analyzer_eval(extSC.a == 8); // expected-warning{{TRUE}}			// oldctu-warning@-1{{TRUE}}
	clang_analyzer_eval(ST::sc.a == 2); // expected-warning{{TRUE}}			clang_analyzer_eval(A::a == 3); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
				clang_analyzer_eval(extSC.a == 8); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
				clang_analyzer_eval(ST::sc.a == 2); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
	// clang_analyzer_eval(extSCN.scn.a == 9); // TODO			// clang_analyzer_eval(extSCN.scn.a == 9); // TODO
	clang_analyzer_eval(extSubSCN.a == 1); // expected-warning{{TRUE}}			clang_analyzer_eval(extSubSCN.a == 1); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
	// clang_analyzer_eval(extSCC.a == 7); // TODO			// clang_analyzer_eval(extSCC.a == 7); // TODO
	clang_analyzer_eval(extU.a == 4); // expected-warning{{TRUE}}			clang_analyzer_eval(extU.a == 4); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
	clang_analyzer_eval(TestAnonUnionUSR::Test == 5); // expected-warning{{TRUE}}			clang_analyzer_eval(TestAnonUnionUSR::Test == 5); // newctu-warning{{TRUE}}
				// oldctu-warning@-1{{TRUE}}
	clang_analyzer_eval(testImportOfIncompleteDefaultParmDuringImport(9) == 9); // expected-warning{{TRUE}}
				clang_analyzer_eval(testImportOfIncompleteDefaultParmDuringImport(9) == 9);
	clang_analyzer_eval(testImportOfDelegateConstructor(10) == 10); // expected-warning{{TRUE}}			// newctu-warning@-1{{TRUE}} ctu
				// newctu-warning@-2{{UNKNOWN}} stu
				// oldctu-warning@-3{{TRUE}}

				clang_analyzer_eval(testImportOfDelegateConstructor(10) == 10);
				// newctu-warning@-1{{TRUE}} ctu
				// newctu-warning@-2{{UNKNOWN}} stu
				// oldctu-warning@-3{{TRUE}}
	}			}

clang/test/Analysis/ctu-on-demand-parsing.c

Show All 10 Lines

// RUN: cd "%t" && %clang_extdef_map "%t/ctu-other.c" > externalDefMap.txt

// RUN: cd "%t" && %clang_cc1 -fsyntax-only -std=c89 -analyze \

// RUN: -analyzer-checker=core,debug.ExprInspection \

// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \

// RUN: -analyzer-config ctu-dir=. \

// RUN: -analyzer-config ctu-invocation-list=invocations.yaml \

// RUN: -analyzer-config ctu-phase1-inlining=all \

// RUN: -verify ctu-on-demand-parsing.c

// FIXME: On-demand ctu should be tested in the same file that we have for the

whisperityUnsubmitted

Done

// RUN: -verify ctu-on-demand-parsing.c

- // FIXME On-demand ctu should be tested in the same file that we have for the

+ // FIXME: On-demand ctu should be tested in the same file that we have for the

// PCH version, but with a different verify prefix (e.g. -verfiy=on-demand-ctu)

whisperity:

// PCH version, but with a different verify prefix (e.g. -verfiy=on-demand-ctu)

martongAuthorUnsubmitted

Done

// FIXME On-demand ctu should be tested in the very same file that we have for

- // the PCH version, but with a different a different verify prefix (e.g.

+ // the PCH version, but with a different verify prefix (e.g.

// -verfiy=on-demanc-ctu)

martong:

// FIXME: Path handling should work on all platforms.

// REQUIRES: system-linux

void clang_analyzer_eval(int);

// Test typedef and global variable in function.

typedef struct {

int a;

▲ Show 20 Lines • Show All 55 Lines • Show Last 20 Lines

clang/test/Analysis/ctu-on-demand-parsing.cpp

Show All 12 Lines

// RUN: cd "%t" && %clang_extdef_map Inputs/ctu-chain.cpp Inputs/ctu-other.cpp > externalDefMap.txt

// RUN: cd "%t" && %clang_analyze_cc1 \

// RUN: -analyzer-checker=core,debug.ExprInspection \

// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \

// RUN: -analyzer-config ctu-dir=. \

// RUN: -analyzer-config ctu-invocation-list=invocations.yaml \

// RUN: -analyzer-config ctu-phase1-inlining=all \

// RUN: -verify ctu-on-demand-parsing.cpp

// RUN: cd "%t" && %clang_analyze_cc1 \

// RUN: -analyzer-checker=core,debug.ExprInspection \

// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \

// RUN: -analyzer-config ctu-dir=. \

// RUN: -analyzer-config ctu-invocation-list=invocations.yaml \

// RUN: -analyzer-config display-ctu-progress=true ctu-on-demand-parsing.cpp 2>&1 | FileCheck %t/ctu-on-demand-parsing.cpp

// CHECK: CTU loaded AST file: {{.*}}ctu-other.cpp

// CHECK: CTU loaded AST file: {{.*}}ctu-chain.cpp

// FIXME: On-demand ctu should be tested in the same file that we have for the

whisperityUnsubmitted

Done

// CHECK: CTU loaded AST file: {{.*}}ctu-chain.cpp

- // FIXME On-demand ctu should be tested in the same file that we have for the

+ // FIXME: On-demand ctu should be tested in the same file that we have for the

// PCH version, but with a different verify prefix (e.g. -verfiy=on-demand-ctu)

whisperity:

// PCH version, but with a different verify prefix (e.g. -verfiy=on-demand-ctu)

// FIXME: Path handling should work on all platforms.

// REQUIRES: system-linux

#include "ctu-hdr.h"

void clang_analyzer_eval(int);

▲ Show 20 Lines • Show All 73 Lines • Show Last 20 Lines

clang/test/Analysis/ctu-onego-existingdef.cpp

This file was added.

				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyze-function='baruser(int)' -x c++ \
				// RUN: -verify=nonctu %s

				// RUN: rm -rf %t && mkdir %t
				// RUN: mkdir -p %t/ctudir
				// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -emit-pch -o %t/ctudir/ctu-onego-existingdef-other.cpp.ast %S/Inputs/ctu-onego-existingdef-other.cpp
				// RUN: cp %S/Inputs/ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt

				// Existing and equal function definition in both TU. `other` calls `bar` thus
				// `bar` will be indirectly imported. During the import we recognize that there
				// is an existing definition in the main TU, so we don't create a new Decl.
				// Thus, ctu should not bifurcate on the call of `bar` it should directly
				// inlinie that as in the case of nonctu.
				// Note, we would not get a warning below, if `bar` is conservatively evaluated.
				int bar() {
				return 0;
				}

				//Here we completely supress the CTU work list execution. We should not
				//bifurcate on the call of `bar`. (We do not load the foreign AST at all.)
				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -verify=stu %s \
				// RUN: -analyze-function='baruser(int)' -x c++ \
				// RUN: -analyzer-config ctu-max-nodes-pct=0 \
				// RUN: -analyzer-config ctu-max-nodes-min=0

				//Here we enable the CTU work list execution. We should not bifurcate on the
				//call of `bar`.
				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -verify=ctu %s \
				// RUN: -analyze-function='baruser(int)' -x c++ \
				// RUN: -analyzer-config ctu-max-nodes-pct=100 \
				// RUN: -analyzer-config ctu-max-nodes-min=1000
				//Check that the AST file is loaded.
				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyze-function='baruser(int)' -x c++ \
				// RUN: -analyzer-config ctu-max-nodes-pct=100 \
				// RUN: -analyzer-config display-ctu-progress=true \
				// RUN: -analyzer-config ctu-max-nodes-min=1000 2>&1 %s \| FileCheck %s
				// CHECK: CTU loaded AST file

				void other(); // Defined in the other TU.

				void baruser(int) {
				other();
				int x = bar();
				(void)(1 / x);
				// ctu-warning@-1{{Division by zero}}
				// stu-warning@-2{{Division by zero}}
				// nonctu-warning@-3{{Division by zero}}
				}

clang/test/Analysis/ctu-onego-indirect.cpp

This file was added.

				// RUN: rm -rf %t && mkdir %t
				// RUN: mkdir -p %t/ctudir
				// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -emit-pch -o %t/ctudir/ctu-onego-indirect-other.cpp.ast %S/Inputs/ctu-onego-indirect-other.cpp
				// RUN: cp %S/Inputs/ctu-onego-indirect-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt

				int bar();

				// Here we have a foreign function `bar` that is imported when we analyze
				// `adirectbaruser`. During the subsequent toplevel analysis of `baruser` we
				// should bifurcate on the call of `bar`.

				//Ensure the order of the toplevel analyzed functions.
				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyzer-display-progress \
				// RUN: -analyzer-inlining-mode=all \
				// RUN: -analyzer-config ctu-phase1-inlining=none \
				// RUN: -analyzer-config ctu-max-nodes-pct=100 \
				// RUN: -analyzer-config ctu-max-nodes-min=1000 2>&1 %s \| FileCheck %s
				// CHECK: ANALYZE (Path, Inline_Regular):{{.*}}adirectbaruser(int)
				// CHECK: ANALYZE (Path, Inline_Regular):{{.*}}baruser(int)

				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyzer-display-progress \
				// RUN: -analyzer-inlining-mode=all \
				// RUN: -analyzer-config ctu-phase1-inlining=none \
				// RUN: -verify %s \
				// RUN: -analyzer-config ctu-max-nodes-pct=100 \
				// RUN: -analyzer-config ctu-max-nodes-min=1000


				void other(); // Defined in the other TU.

				void clang_analyzer_eval(int);

				void baruser(int x) {
				if (x == 1)
				return;
				int y = bar();
				clang_analyzer_eval(y == 0); // expected-warning{{TRUE}}
				// expected-warning@-1{{UNKNOWN}}
				other();
				}

				void adirectbaruser(int) {
				int y = bar();
				(void)y;
				baruser(1);
				}

clang/test/Analysis/ctu-onego-small.cpp

This file was added.

				// RUN: rm -rf %t && mkdir %t
				// RUN: mkdir -p %t/ctudir
				// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -emit-pch -o %t/ctudir/ctu-onego-small-other.cpp.ast %S/Inputs/ctu-onego-small-other.cpp
				// RUN: cp %S/Inputs/ctu-onego-small-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt

				// Small function defined in another TU.
				int bar();

				// Here we limit the ctu analysis to the first phase only (via the
				// ctu-max-nodes config options). And we check whether the small foreign
				// function `bar` is inlined.

				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyzer-config display-ctu-progress=true \
				// RUN: -analyzer-display-progress \
				// RUN: -analyzer-config ctu-max-nodes-pct=0 \
				// RUN: -analyzer-config ctu-max-nodes-min=0 2>&1 %s \| FileCheck %s
				// CHECK: ANALYZE (Path, Inline_Regular): {{.}} baruser(int){{.}}CTU loaded AST file

				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyzer-config ctu-max-nodes-pct=0 \
				// RUN: -analyzer-config ctu-phase1-inlining=none \
				// RUN: -analyzer-config ctu-max-nodes-min=0 -verify=inline-none %s

				// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
				// RUN: -analyzer-checker=core,debug.ExprInspection \
				// RUN: -analyzer-config eagerly-assume=false \
				// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
				// RUN: -analyzer-config ctu-dir=%t/ctudir \
				// RUN: -analyzer-config ctu-max-nodes-pct=0 \
				// RUN: -analyzer-config ctu-phase1-inlining=small \
				// RUN: -analyzer-config ctu-max-nodes-min=0 -verify=inline-small %s


				void clang_analyzer_eval(int);

				void baruser(int x) {
				int y = bar();
				// inline-none-warning@+2{{UNKNOWN}}
				// inline-small-warning@+1{{TRUE}}
				clang_analyzer_eval(y == 0);
				}

clang/test/Analysis/ctu-onego-toplevel.cpp

This file was added.

// RUN: rm -rf %t && mkdir %t

// RUN: mkdir -p %t/ctudir

// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \

// RUN: -emit-pch -o %t/ctudir/ctu-onego-toplevel-other.cpp.ast %S/Inputs/ctu-onego-toplevel-other.cpp

// RUN: cp %S/Inputs/ctu-onego-toplevel-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt

// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \

// RUN: -analyzer-checker=core,debug.ExprInspection \

// RUN: -analyzer-config eagerly-assume=false \

// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \

// RUN: -analyzer-config ctu-dir=%t/ctudir \

// RUN: -analyzer-config ctu-phase1-inlining=none \

// RUN: -verify=ctu %s

// RUN: %clang_analyze_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \

// RUN: -analyzer-checker=core,debug.ExprInspection \

// RUN: -analyzer-config eagerly-assume=false \

// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \

// RUN: -analyzer-config ctu-dir=%t/ctudir \

// RUN: -analyzer-config ctu-phase1-inlining=none \

// RUN: -analyzer-config display-ctu-progress=true \

// RUN: -analyzer-display-progress \

// RUN: -verify=ctu %s 2>&1 | FileCheck %s

// CallGraph: c->b

whisperityUnsubmitted

Done

Are the lines below related to the execution of the command above? If not, could you please break the comment?

whisperity: Are the lines below related to the execution of the command above? If not, could you please…

// topological sort: c, b

// Note that `other` calls into `b` but that is not visible in the CallGraph

// because that happens in another TU.

whisperityUnsubmitted

Done

// Note that `other` calls into `b` but that is not visible in the CallGraph

- // b/c that happens in another TU.

+ // because that happens in another TU.

// During the onego CTU analysis, we start with c() as top level function.

whisperity:

// During the onego CTU analysis, we start with c() as top level function.

// Then we visit b() as non-toplevel during the processing of the FWList, thus

whisperityUnsubmitted

Done

One-go? And what does that refer to? Is "Onego" analysis the one this patch is introducing?

whisperity: One-go? And what does that refer to? Is "Onego" analysis the one this patch is introducing?

martongAuthorUnsubmitted

Done

Yes. I've updated the summary of the patch to make this clear.

martong: Yes. I've updated the summary of the patch to make this clear.

// that would not be visited as toplevel without special care.

// `c` is analyzed as toplevel and during that the other TU is loaded:

// CHECK: ANALYZE (Path, Inline_Regular): {{.*}} c(int){{.*}}CTU loaded AST file

// next, `b` is analyzed as toplevel:

// CHECK: ANALYZE (Path, Inline_Regular): {{.*}} b(int)

void b(int x);

void other(int y);

void c(int y) {

other(y);

return;

// The below call is here to form the proper CallGraph, but will not be

// analyzed.

b(1);

}

void b(int x) {

if (x == 0)

(void)(1 / x);

// ctu-warning@-1{{Division by zero}}

// We receive the above warning only if `b` is analyzed as top-level.

}

This is an archive of the discontinued LLVM Phabricator instance.

[clang][analyzer][ctu] Make CTU a two phase analysisClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 430273

clang/docs/ReleaseNotes.rst

clang/include/clang/CrossTU/CrossTranslationUnit.h

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

clang/lib/CrossTU/CrossTranslationUnit.cpp

clang/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp

clang/lib/StaticAnalyzer/Core/CallEvent.cpp

clang/lib/StaticAnalyzer/Core/CoreEngine.cpp

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

clang/test/Analysis/Inputs/ctu-onego-existingdef-other.cpp

clang/test/Analysis/Inputs/ctu-onego-existingdef-other.cpp.externalDefMap.ast-dump.txt

clang/test/Analysis/Inputs/ctu-onego-indirect-other.cpp

clang/test/Analysis/Inputs/ctu-onego-indirect-other.cpp.externalDefMap.ast-dump.txt

clang/test/Analysis/Inputs/ctu-onego-small-other.cpp

clang/test/Analysis/Inputs/ctu-onego-small-other.cpp.externalDefMap.ast-dump.txt

clang/test/Analysis/Inputs/ctu-onego-toplevel-other.cpp

clang/test/Analysis/Inputs/ctu-onego-toplevel-other.cpp.externalDefMap.ast-dump.txt

clang/test/Analysis/analyzer-config.c

clang/test/Analysis/ctu-implicit.c

clang/test/Analysis/ctu-main.c

clang/test/Analysis/ctu-main.cpp

clang/test/Analysis/ctu-on-demand-parsing.c

clang/test/Analysis/ctu-on-demand-parsing.cpp

clang/test/Analysis/ctu-onego-existingdef.cpp

clang/test/Analysis/ctu-onego-indirect.cpp

clang/test/Analysis/ctu-onego-small.cpp

clang/test/Analysis/ctu-onego-toplevel.cpp

[clang][analyzer][ctu] Make CTU a two phase analysis
ClosedPublic