This is an archive of the discontinued LLVM Phabricator instance.

Differential D123858

[clang][dataflow] Ensure well-formed flow conditions.
ClosedPublic

Authored by ymandel on Apr 15 2022, 8:10 AM.

Details

Reviewers
xazax.hun
sgatev
Commits
rGc8f822ad5195: [clang][dataflow] Ensure well-formed flow conditions.
Summary

Ensure that the expressions associated with terminators are associated with a
value. Otherwise, we can generate degenerate flow conditions, where both
branches share the same condition.

Diff Detail

Event Timeline

ymandel created this revision.Apr 15 2022, 8:10 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 15 2022, 8:10 AM
Herald added subscribers: tschuett, steakhal, rnkovacs. · View Herald Transcript
ymandel requested review of this revision.Apr 15 2022, 8:10 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 15 2022, 8:10 AM
Harbormaster completed remote builds in B159846: Diff 423113.Apr 15 2022, 8:44 AM
sgatev added inline comments.Apr 19 2022, 4:22 AM
clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
112–113

What does it mean for flow conditions to be mutually exclusive? Why is this a requirement?

123–136

Let's also add tests for these two paths.

ymandel updated this revision to Diff 423682.Apr 19 2022, 11:10 AM

address comments; move tests to proper locations

ymandel marked an inline comment as done.Apr 19 2022, 11:18 AM
ymandel added inline comments.
clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
123–136

Turns out this code was overkill -- the conditions are rvalues (even lvalues have an implicit cast inserted), so regardless of any pre-existing form, we should just replace it unconditionally with a simple boolean representation.

I've added a new test, though, for fields (vs the existing one for functions), which should exercise the path of Loc != nullptr, vs the function which (with current implementation) will exercise Loc == nullptr.

xazax.hun accepted this revision.Apr 19 2022, 11:18 AM
xazax.hun added inline comments.
clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
110

I am still not convinced why would we ever need SkipPast, as the AST will always have the necessary LValueToRValue conversions when we need to look past references. But this is unrelated to this patch.

117

I think this get or create pattern is getting more and more widespread. At some point we might want a helper.

This revision is now accepted and ready to land.Apr 19 2022, 11:18 AM
ymandel updated this revision to Diff 423690.Apr 19 2022, 11:32 AM

add comments to tests.

ymandel updated this revision to Diff 423693.Apr 19 2022, 11:37 AM
ymandel marked 2 inline comments as done.

added fixme

ymandel added a comment.Apr 19 2022, 11:37 AM

Thanks for the review!

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp
110

Agreed. But, I tried to pull out the SkipPast and it crashed (hence the FIXME). I'll try to track down what's happening, but it may be related to our conflation of ReferenceValue for normal lvalues and reference-typed declarations. Regardless, we want to reconsider our treatment of the different value classes.

117

agreed. Added fixme.

Harbormaster completed remote builds in B160292: Diff 423693.Apr 19 2022, 12:25 PM
sgatev accepted this revision.Apr 20 2022, 6:53 AM
sgatev added inline comments.
clang/unittests/Analysis/FlowSensitive/TypeErasedDataflowAnalysisTest.cpp
884 ↗(On Diff #423693)

What does "abstract" mean here? Perhaps "arbitrary"?

ymandel updated this revision to Diff 423945.Apr 20 2022, 9:55 AM

address comments

ymandel marked an inline comment as done.Apr 20 2022, 9:56 AM
This revision was landed with ongoing or failed builds.Apr 20 2022, 10:02 AM
Closed by commit rGc8f822ad5195: [clang][dataflow] Ensure well-formed flow conditions. (authored by ymandel). · Explain Why
This revision was automatically updated to reflect the committed changes.
ymandel added a commit: rGc8f822ad5195: [clang][dataflow] Ensure well-formed flow conditions..
Harbormaster completed remote builds in B160477: Diff 423945.Apr 20 2022, 10:42 AM

Revision Contents

PathSize
clang/
lib/
Analysis/
FlowSensitive/
29 lines
unittests/
Analysis/
FlowSensitive/
62 lines

Diff 423113

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp

Show All 26 Lines
#include "clang/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.h" #include "clang/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.h"
#include "clang/Analysis/FlowSensitive/Value.h" #include "clang/Analysis/FlowSensitive/Value.h"
#include "llvm/ADT/ArrayRef.h" #include "llvm/ADT/ArrayRef.h"
#include "llvm/ADT/DenseSet.h" #include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/None.h" #include "llvm/ADT/None.h"
#include "llvm/ADT/Optional.h" #include "llvm/ADT/Optional.h"
#include "llvm/ADT/STLExtras.h" #include "llvm/ADT/STLExtras.h"
#include "llvm/Support/Error.h" #include "llvm/Support/Error.h"
#include "llvm/Support/ErrorHandling.h"
namespace clang { namespace clang {
namespace dataflow { namespace dataflow {
class StmtToEnvMapImpl : public StmtToEnvMap { class StmtToEnvMapImpl : public StmtToEnvMap {
public: public:
StmtToEnvMapImpl( StmtToEnvMapImpl(
const ControlFlowContext &CFCtx, const ControlFlowContext &CFCtx,
▲ Show 20 LinesShow All 58 Lines▼ Show 20 Linespublic:
} }
private: private:
void extendFlowCondition(const Expr &Cond) { void extendFlowCondition(const Expr &Cond) {
// The terminator sub-expression might not be evaluated. // The terminator sub-expression might not be evaluated.
if (Env.getValue(Cond, SkipPast::None) == nullptr) if (Env.getValue(Cond, SkipPast::None) == nullptr)
transfer(StmtToEnv, Cond, Env); transfer(StmtToEnv, Cond, Env);
auto *Val = auto *Val =
xazax.hunUnsubmitted
Done
ReplyInline Actions

I am still not convinced why would we ever need SkipPast, as the AST will always have the necessary LValueToRValue conversions when we need to look past references. But this is unrelated to this patch.

xazax.hun: I am still not convinced why would we ever need `SkipPast`, as the AST will always have the…
ymandelAuthorUnsubmitted
Done
ReplyInline Actions

Agreed. But, I tried to pull out the SkipPast and it crashed (hence the FIXME). I'll try to track down what's happening, but it may be related to our conflation of ReferenceValue for normal lvalues and reference-typed declarations. Regardless, we want to reconsider our treatment of the different value classes.

ymandel: Agreed. But, I tried to pull out the `SkipPast` and it crashed (hence the FIXME). I'll try to…
cast_or_null<BoolValue>(Env.getValue(Cond, SkipPast::Reference)); cast_or_null<BoolValue>(Env.getValue(Cond, SkipPast::Reference));
if (Val == nullptr) // Value merging depends on flow conditions from different environments
return; // being mutually exclusive. So, we need *some* value for the condition
sgatevUnsubmitted
Done
ReplyInline Actions

What does it mean for flow conditions to be mutually exclusive? Why is this a requirement?

sgatev: What does it mean for flow conditions to be mutually exclusive? Why is this a requirement?
// expression, even if just an atom.
if (Val == nullptr) {
Val = &Env.makeAtomicBoolValue();
QualType Type = Cond.getType();
xazax.hunUnsubmitted
Done
ReplyInline Actions

I think this get or create pattern is getting more and more widespread. At some point we might want a helper.

xazax.hun: I think this get or create pattern is getting more and more widespread. At some point we might…
ymandelAuthorUnsubmitted
Done
ReplyInline Actions

agreed. Added fixme.

ymandel: agreed. Added fixme.
assert(Type->isBooleanType() || Type->isReferenceType());
if (Type->isBooleanType()) {
auto &Loc = Env.createStorageLocation(Cond);
Env.setStorageLocation(Cond, Loc);
Env.setValue(Loc, *Val);
} else if (auto *CondVal = cast_or_null<ReferenceValue>(
Env.getValue(Cond, SkipPast::None))) {
Env.setValue(CondVal->getPointeeLoc(), *Val);
} else {
QualType PointeeType = Type->castAs<ReferenceType>()->getPointeeType();
StorageLocation &PointeeLoc = Env.createStorageLocation(PointeeType);
Env.setValue(PointeeLoc, *Val);
auto *Loc = Env.getStorageLocation(Cond, SkipPast::None);
// `Cond` must have been processed already (and so must have an
// associated location) since it came from the predecessor block.
assert(Loc != nullptr);
Env.setValue(*Loc, Env.takeOwnership(
std::make_unique<ReferenceValue>(PointeeLoc)));
}
sgatevUnsubmitted
Not Done
ReplyInline Actions

Let's also add tests for these two paths.

sgatev: Let's also add tests for these two paths.
ymandelAuthorUnsubmitted
Done
ReplyInline Actions

Turns out this code was overkill -- the conditions are rvalues (even lvalues have an implicit cast inserted), so regardless of any pre-existing form, we should just replace it unconditionally with a simple boolean representation.

I've added a new test, though, for fields (vs the existing one for functions), which should exercise the path of Loc != nullptr, vs the function which (with current implementation) will exercise Loc == nullptr.

ymandel: Turns out this code was overkill -- the conditions are rvalues (even lvalues have an implicit…
}
// The condition must be inverted for the successor that encompasses the // The condition must be inverted for the successor that encompasses the
// "else" branch, if such exists. // "else" branch, if such exists.
if (BlockSuccIdx == 1) if (BlockSuccIdx == 1)
Val = &Env.makeNot(*Val); Val = &Env.makeNot(*Val);
Env.addToFlowCondition(*Val); Env.addToFlowCondition(*Val);
} }
▲ Show 20 LinesShow All 237 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/TransferTest.cpp

Show First 20 LinesShow All 2,884 Lines▼ Show 20 Lines runDataflow(
EXPECT_FALSE(EnvThen.flowConditionImplies(BarValThen)); EXPECT_FALSE(EnvThen.flowConditionImplies(BarValThen));
auto &BarValElse = auto &BarValElse =
*cast<BoolValue>(EnvElse.getValue(*BarDecl, SkipPast::None)); *cast<BoolValue>(EnvElse.getValue(*BarDecl, SkipPast::None));
EXPECT_TRUE(EnvElse.flowConditionImplies(BarValElse)); EXPECT_TRUE(EnvElse.flowConditionImplies(BarValElse));
}); });
} }
TEST_F(TransferTest, OpaqueFlowConditionMergesToOpaqueBool) {
std::string Code = R"(
bool foo();
void target() {
bool Bar = true;
if (foo())
Bar = false;
(void)0;
/*[[p]]*/
}
)";
runDataflow(
Code, [](llvm::ArrayRef<
std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
Results,
ASTContext &ASTCtx) {
ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
const Environment &Env = Results[0].second.Env;
const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar");
ASSERT_THAT(BarDecl, NotNull());
auto &BarVal =
*cast<BoolValue>(Env.getValue(*BarDecl, SkipPast::Reference));
EXPECT_FALSE(Env.flowConditionImplies(BarVal));
});
}
TEST_F(TransferTest, OpaqueFlowConditionInsideBranchMergesToOpaqueBool) {
std::string Code = R"(
bool foo();
void target(bool Cond) {
bool Bar = true;
if (Cond) {
if (foo())
Bar = false;
(void)0;
/*[[p]]*/
}
}
)";
runDataflow(
Code, [](llvm::ArrayRef<
std::pair<std::string, DataflowAnalysisState<NoopLattice>>>
Results,
ASTContext &ASTCtx) {
ASSERT_THAT(Results, ElementsAre(Pair("p", _)));
const Environment &Env = Results[0].second.Env;
const ValueDecl *BarDecl = findValueDecl(ASTCtx, "Bar");
ASSERT_THAT(BarDecl, NotNull());
auto &BarVal =
*cast<BoolValue>(Env.getValue(*BarDecl, SkipPast::Reference));
EXPECT_FALSE(Env.flowConditionImplies(BarVal));
});
}
TEST_F(TransferTest, CorrelatedBranches) { TEST_F(TransferTest, CorrelatedBranches) {
std::string Code = R"( std::string Code = R"(
void target(bool B, bool C) { void target(bool B, bool C) {
if (B) { if (B) {
return; return;
} }
(void)0; (void)0;
/*[[p0]]*/ /*[[p0]]*/
▲ Show 20 LinesShow All 114 LinesShow Last 20 Lines