This is an archive of the discontinued LLVM Phabricator instance.

Differential D124674

[analyzer] Indicate if a parent state is infeasible
ClosedPublic

Authored by martong on Apr 29 2022, 8:15 AM.

Details

Reviewers
NoQ
steakhal
ASDenysPetrov
Szelethus
xazax.hun
Commits
rGc4fa05f5f778: [analyzer] Indicate if a parent state is infeasible
Summary

In some cases a parent State is already infeasible, but we recognize
this only if an additonal constraint is added. This patch is the first
of a series to address this issue. In this patch assumeDual is changed
to clone the parent State but with an Infeasible flag set, and this
infeasible-parent is returned both for the true and false case. Then
when we add a new transition in the exploded graph and the destination
is marked as infeasible, the node will be a sink node.

Related bug:
https://github.com/llvm/llvm-project/issues/50883
Actually, this patch does not solve that bug in the solver, rather with
this patch we can handle the general parent-infeasible cases.

Next step would be to change the State API and require all checkers to
use the assume*Dual API and deprecate the simple assume calls.

Hopefully, the next patch will introduce assumeInBoundDual and will
solve the CRASH we have here:
https://github.com/llvm/llvm-project/issues/54272

Diff Detail

Event Timeline

martong created this revision.Apr 29 2022, 8:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 29 2022, 8:15 AM
Herald added subscribers: manas, gamesh411, dkrupp and 6 others. · View Herald Transcript
martong requested review of this revision.Apr 29 2022, 8:15 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 29 2022, 8:15 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added inline comments.Apr 29 2022, 8:21 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
96–97

This statement is false because our constraint solver is not precise.

steakhal added a comment.Apr 29 2022, 9:01 AM

Finally, we have this!

Can we have this https://godbolt.org/z/oferc6P5Y in addition to the one you proposed?
I find it more readable.

What performance hit will we suffer from this change?
Please do a differential analysis.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h
93

I would leave a note here that these two states might be equal in a very rare case (*); but one should not depend on that.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h
293
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
86

For the record, back then we had such flag. IDK when did we remove it, but we had it for sure.

113–115

These should not be public. Make friends if required.

clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
51

Should we mark this LLVM_UNLIKELY(cond)?
I would expect this function to be quite hot, and infeasible states rare.

Could we measure this one?

52–54

Add here some comments on why we return (Infeasible,Infeasible).
I would rather see StInfeasible to better discriminate what we are talking about. We already use StTrue and StFalse in this context though.

clang/test/Analysis/sink-infeasible.c
37–48

You could use a non-default check prefix.

Harbormaster completed remote builds in B161985: Diff 426061.Apr 29 2022, 9:05 AM
martong added a child revision: D124758: [analyzer] Implement assume in terms of assumeDual.May 2 2022, 4:48 AM
martong added a child revision: D124761: [analyzer] Replace adjacent assumeInBound calls to assumeInBoundDual.May 2 2022, 5:12 AM
martong updated this revision to Diff 426635.May 3 2022, 3:52 AM
martong marked 6 inline comments as done.
  • Update according to review comments
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
51

Yes, it could be.

Let me come back with some measurement results soon. I am going to use llvm statistics macros to measure this, but that makes sense on top of D124758

clang/test/Analysis/sink-infeasible.c
37–48

No I can't, because this test code in the comment is meaningful only in the baseline, I cannot run both clang versions from lit.

So, actually there is no RUN line for these, it is here only to demonstrate what happens in the baseline.

martong added a comment.May 3 2022, 4:01 AM
In D124674#3482765, @steakhal wrote:

Finally, we have this!

Thanks for the review.

Can we have this https://godbolt.org/z/oferc6P5Y in addition to the one you proposed?
I find it more readable.

Sure, I find it also more readable. I will update soon.

What performance hit will we suffer from this change?
Please do a differential analysis.

I am doing that with the dependent patch https://reviews.llvm.org/D124758

Harbormaster completed remote builds in B162413: Diff 426635.May 3 2022, 4:53 AM
steakhal added a comment.May 3 2022, 5:02 AM

I think I don't have anything left.
Let's see the numbers.

clang/test/Analysis/sink-infeasible.c
37–48

Okay, why don't we drop these if these are only applicable to the baseline?
Should we really introduce 'stale' comments?

martong updated this revision to Diff 426715.May 3 2022, 8:11 AM
  • Add a simpler test case
martong added inline comments.May 3 2022, 8:27 AM
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
51

This is what I use for the measurement, stay tuned for the results.

diff --git a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
index ef98ed7d36e9..82097d67ec0f 100644
--- a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
@@ -16,10 +16,16 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/Statistic.h"

 using namespace clang;
 using namespace ento;

+#define DEBUG_TYPE "CoreEngine"
+
+STATISTIC(NumInfeasible, "The # of infeasible states");
+STATISTIC(NumFeasible, "The # of feasible states");
+
 ConstraintManager::~ConstraintManager() = default;

 static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
@@ -51,16 +57,20 @@ ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {
     if (!StFalse) { // both infeasible
       ProgramStateRef Infeasible = State->cloneAsInfeasible();
       assert(Infeasible->isInfeasible());
+      ++NumInfeasible;
       return ProgramStatePair(Infeasible, Infeasible);
     }
+    ++NumFeasible;
     return ProgramStatePair(nullptr, StFalse);
   }

   ProgramStateRef StFalse = assumeInternal(State, Cond, false);
   if (!StFalse) {
+    ++NumFeasible;
     return ProgramStatePair(StTrue, nullptr);
   }

+  ++NumFeasible;
   return ProgramStatePair(StTrue, StFalse);
 }
martong marked an inline comment as done.May 3 2022, 8:30 AM
martong added inline comments.
clang/test/Analysis/sink-infeasible.c
37–48

Ok, I can remove them if you insist, but I thought it might make it easier to understand what is changed.

martong marked an inline comment as done.May 3 2022, 8:36 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
51

Ups, the purpose of the measure is to determine if UNLIKELY is justified, so this diff seems better, restarted the measurement with it.

--- a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
@@ -16,10 +16,16 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/Statistic.h"

 using namespace clang;
 using namespace ento;

+#define DEBUG_TYPE "CoreEngine"
+
+STATISTIC(NumInfeasible, "The # of infeasible states");
+STATISTIC(NumFeasible, "The # of feasible states");
+
 ConstraintManager::~ConstraintManager() = default;

 static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
@@ -51,8 +57,10 @@ ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {
     if (!StFalse) { // both infeasible
       ProgramStateRef Infeasible = State->cloneAsInfeasible();
       assert(Infeasible->isInfeasible());
+      ++NumInfeasible;
       return ProgramStatePair(Infeasible, Infeasible);
     }
+    ++NumFeasible;
     return ProgramStatePair(nullptr, StFalse);
   }
Harbormaster completed remote builds in B162466: Diff 426715.May 3 2022, 9:14 AM
martong added inline comments.May 3 2022, 10:47 AM
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
51

This is indeed UNLIKELY. Seems like a good upper-bound for the ratio's order of magnitude is around 1000 / 10 million i.e. 0.0001.

martong updated this revision to Diff 426785.May 3 2022, 11:14 AM
  • Add LLVM_UNLIKELY
steakhal accepted this revision.May 3 2022, 11:15 AM
This revision is now accepted and ready to land.May 3 2022, 11:15 AM
Harbormaster completed remote builds in B162520: Diff 426785.May 3 2022, 1:23 PM
martong added a comment.May 4 2022, 7:43 AM

@NoQ Could you please take a look? This change effects the very core of the analyzer.

NoQ added a comment.May 4 2022, 10:41 AM

Yes, we've discussed this before, and I'm very much in favor of this change. This is assertion removal, and the assertion has been really useful back in the day, but the assertion doesn't seem to be realistic to maintain with all the new logic in the constraint solver coming in in recent years.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
86

The reader deserves a massive amount of explanation here. Normally infeasible states are just null states. We need to explain how these new infeasible states are different.

Maybe a longer name? IsPostOverconstrained or something like that.

martong mentioned this in D119270: [analyzer] Re-enables trustnonnullchecker_test and removes redundant code from TrustNonNullChecker.May 5 2022, 7:39 AM
martong marked an inline comment as done.May 6 2022, 3:58 AM
In D124674#3491710, @NoQ wrote:

Yes, we've discussed this before, and I'm very much in favor of this change. This is assertion removal, and the assertion has been really useful back in the day, but the assertion doesn't seem to be realistic to maintain with all the new logic in the constraint solver coming in in recent years.

Thanks for your review and support!

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
86

Okay, I've added an essay that explains these differences.

Maybe a longer name? IsPostOverconstrained or something like that.

Yeah, I agree a longer name could reflect that this is something that requires special handling. I chose PosteriorlyOverconstrained.

martong updated this revision to Diff 427594.May 6 2022, 3:58 AM
martong marked an inline comment as done.
  • Add explanatory comment, rename to PosteriorlyOverconstrained
steakhal accepted this revision.May 6 2022, 5:05 AM

only a few typos

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
87–112
Harbormaster completed remote builds in B163114: Diff 427594.May 6 2022, 5:08 AM
martong added inline comments.May 6 2022, 5:54 AM
clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h
97

Yeah, thx, I've also found one more typo. That's the problem with long comments :D

martong updated this revision to Diff 427625.May 6 2022, 6:54 AM
martong marked 2 inline comments as done.
  • Fix typos in essay
martong removed a child revision: D124761: [analyzer] Replace adjacent assumeInBound calls to assumeInBoundDual.May 6 2022, 6:57 AM
Harbormaster completed remote builds in B163137: Diff 427625.May 6 2022, 7:51 AM
Closed by commit rGc4fa05f5f778: [analyzer] Indicate if a parent state is infeasible (authored by martong). · Explain WhyMay 10 2022, 1:17 AM
This revision was automatically updated to reflect the committed changes.
martong added a commit: rGc4fa05f5f778: [analyzer] Indicate if a parent state is infeasible.
thakis added a subscriber: thakis.May 10 2022, 2:07 AM

One of your 3 commits in https://github.com/llvm/llvm-project/compare/3d888b0491f8...34ac048aef29 broke check-clang on Windows: http://45.33.8.238/win/57870/step_7.txt

Please take a look, and revert for now if it takes a while to fix.

thakis added a comment.May 10 2022, 2:40 AM

https://github.com/llvm/llvm-project/commit/21feafaeb85aad2847db44aa2208999b166ba4a9 fixed it, thanks!

martong added inline comments.May 12 2022, 1:01 AM
clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
46

TODO We should have a very similar implementation for assumeInclusiveRangeDual! (Not that high prio, that is used only by the BoolAssignmentChecker).

martong mentioned this in D127190: [analyzer][NFC] Add LLVM_UNLIKELY to assumeDualImpl.Jun 7 2022, 1:33 AM
martong mentioned this in rG17e9ea613894: [analyzer][NFC] Add LLVM_UNLIKELY to assumeDualImpl.Jun 7 2022, 3:49 AM
galapoz1996 added a subscriber: galapoz1996.Feb 24 2023, 8:25 PM
This comment was removed by mehdi_amini.
mehdi_amini added a subscriber: mehdi_amini.Feb 27 2023, 7:25 AM
Balazom added a subscriber: Balazom.Mar 21 2023, 11:49 AM
This comment was removed by mehdi_amini.

Revision Contents

PathSize
clang/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
23 lines
2 lines
5 lines
lib/
StaticAnalyzer/
Core/
22 lines
8 lines
test/
Analysis/
59 lines

Diff 426061

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ConstraintManager.h

Show First 20 LinesShow All 84 Lines▼ Show 20 Linespublic:
virtual ProgramStateRef assume(ProgramStateRef state, virtual ProgramStateRef assume(ProgramStateRef state,
DefinedSVal Cond, DefinedSVal Cond,
bool Assumption) = 0; bool Assumption) = 0;
using ProgramStatePair = std::pair<ProgramStateRef, ProgramStateRef>; using ProgramStatePair = std::pair<ProgramStateRef, ProgramStateRef>;
/// Returns a pair of states (StTrue, StFalse) where the given condition is /// Returns a pair of states (StTrue, StFalse) where the given condition is
/// assumed to be true or false, respectively. /// assumed to be true or false, respectively.
ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond) { ProgramStatePair assumeDual(ProgramStateRef State, DefinedSVal Cond);
steakhalUnsubmitted
Done
ReplyInline Actions

I would leave a note here that these two states might be equal in a very rare case (*); but one should not depend on that.

steakhal: I would leave a note here that these two states might be equal in a very rare case (*); but one…
ProgramStateRef StTrue = assume(State, Cond, true);
// If StTrue is infeasible, asserting the falseness of Cond is unnecessary
// because the existing constraints already establish this.
martongAuthorUnsubmitted
Done
ReplyInline Actions

This statement is false because our constraint solver is not precise.

martong: This statement is false because our constraint solver is not precise.
if (!StTrue) {
#ifdef EXPENSIVE_CHECKS
assert(assume(State, Cond, false) && "System is over constrained.");
#endif
return ProgramStatePair((ProgramStateRef)nullptr, State);
}
ProgramStateRef StFalse = assume(State, Cond, false);
if (!StFalse) {
// We are careful to return the original state, /not/ StTrue,
// because we want to avoid having callers generate a new node
// in the ExplodedGraph.
return ProgramStatePair(State, (ProgramStateRef)nullptr);
}
return ProgramStatePair(StTrue, StFalse);
}
virtual ProgramStateRef assumeInclusiveRange(ProgramStateRef State, virtual ProgramStateRef assumeInclusiveRange(ProgramStateRef State,
NonLoc Value, NonLoc Value,
const llvm::APSInt &From, const llvm::APSInt &From,
const llvm::APSInt &To, const llvm::APSInt &To,
bool InBound) = 0; bool InBound) = 0;
virtual ProgramStatePair assumeInclusiveRangeDual(ProgramStateRef State, virtual ProgramStatePair assumeInclusiveRangeDual(ProgramStateRef State,
▲ Show 20 LinesShow All 83 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h

Show First 20 LinesShow All 284 Lines▼ Show 20 Linespublic:
} }
virtual ~NodeBuilder() = default; virtual ~NodeBuilder() = default;
/// Generates a node in the ExplodedGraph. /// Generates a node in the ExplodedGraph.
ExplodedNode *generateNode(const ProgramPoint &PP, ExplodedNode *generateNode(const ProgramPoint &PP,
ProgramStateRef State, ProgramStateRef State,
ExplodedNode *Pred) { ExplodedNode *Pred) {
return generateNodeImpl(PP, State, Pred, false); return generateNodeImpl(PP, State, Pred, State->isInfeasible());
steakhalUnsubmitted
Done
ReplyInline Actions
ExplodedNode *Pred) {
- return generateNodeImpl(PP, State, Pred, State->isInfeasible());
+ return generateNodeImpl(PP, State, Pred, /*MarkAsSink=*/State->isInfeasible());
}
/// Generates a sink in the ExplodedGraph.
steakhal:
} }
/// Generates a sink in the ExplodedGraph. /// Generates a sink in the ExplodedGraph.
/// ///
/// When a node is marked as sink, the exploration from the node is stopped - /// When a node is marked as sink, the exploration from the node is stopped -
/// the node becomes the last node on the path and certain kinds of bugs are /// the node becomes the last node on the path and certain kinds of bugs are
/// suppressed. /// suppressed.
ExplodedNode *generateSink(const ProgramPoint &PP, ExplodedNode *generateSink(const ProgramPoint &PP,
▲ Show 20 LinesShow All 283 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

Show First 20 LinesShow All 77 Lines▼ Show 20 Linesprivate:
friend class ProgramStateManager; friend class ProgramStateManager;
friend class ExplodedGraph; friend class ExplodedGraph;
friend class ExplodedNode; friend class ExplodedNode;
ProgramStateManager *stateMgr; ProgramStateManager *stateMgr;
Environment Env; // Maps a Stmt to its current SVal. Environment Env; // Maps a Stmt to its current SVal.
Store store; // Maps a location to its current value. Store store; // Maps a location to its current value.
GenericDataMap GDM; // Custom data stored by a client of this class. GenericDataMap GDM; // Custom data stored by a client of this class.
bool Infeasible = false;
steakhalUnsubmitted
Done
ReplyInline Actions

For the record, back then we had such flag. IDK when did we remove it, but we had it for sure.

steakhal: For the record, back then we had such flag. IDK when did we remove it, but we had it for sure.
NoQUnsubmitted
Done
ReplyInline Actions

The reader deserves a massive amount of explanation here. Normally infeasible states are just null states. We need to explain how these new infeasible states are different.

Maybe a longer name? IsPostOverconstrained or something like that.

NoQ: The reader deserves a massive amount of explanation here. Normally infeasible states are just…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Okay, I've added an essay that explains these differences.

Maybe a longer name? IsPostOverconstrained or something like that.

Yeah, I agree a longer name could reflect that this is something that requires special handling. I chose PosteriorlyOverconstrained.

martong: Okay, I've added an essay that explains these differences. > Maybe a longer name?
unsigned refCount; unsigned refCount;
/// makeWithStore - Return a ProgramState with the same values as the current /// makeWithStore - Return a ProgramState with the same values as the current
/// state with the exception of using the specified Store. /// state with the exception of using the specified Store.
ProgramStateRef makeWithStore(const StoreRef &store) const; ProgramStateRef makeWithStore(const StoreRef &store) const;
void setStore(const StoreRef &storeRef); void setStore(const StoreRef &storeRef);
public: public:
/// This ctor is used when creating the first ProgramState object. /// This ctor is used when creating the first ProgramState object.
ProgramState(ProgramStateManager *mgr, const Environment& env, ProgramState(ProgramStateManager *mgr, const Environment& env,
martongAuthorUnsubmitted
Done
ReplyInline Actions
// recognise that a parent is infeasible only *after* a new and more specific
- // constraint and its negation is evaluated.
+ // constraint and its negation are evaluated.
//
// Example:

Yeah, thx, I've also found one more typo. That's the problem with long comments :D

martong: Yeah, thx, I've also found one more typo. That's the problem with long comments :D
StoreRef st, GenericDataMap gdm); StoreRef st, GenericDataMap gdm);
/// Copy ctor - We must explicitly define this or else the "Next" ptr /// Copy ctor - We must explicitly define this or else the "Next" ptr
/// in FoldingSetNode will also get copied. /// in FoldingSetNode will also get copied.
ProgramState(const ProgramState &RHS); ProgramState(const ProgramState &RHS);
~ProgramState(); ~ProgramState();
int64_t getID() const; int64_t getID() const;
/// Return the ProgramStateManager associated with this state. /// Return the ProgramStateManager associated with this state.
ProgramStateManager &getStateManager() const { ProgramStateManager &getStateManager() const {
return *stateMgr; return *stateMgr;
} }
steakhalUnsubmitted
Done
ReplyInline Actions
GenericDataMap GDM; // Custom data stored by a client of this class.
// A state is infeasible if there is a contradiction among the constraints.
- // An infeasible state is represented by a nullptr.
+ // An infeasible state is represented by a `nullptr`.
// In the sense of `assumeDual`, a state can have two children by adding a
// new constraint and the negation of that new constraint. A parent state is
// over-constrained if both of its children are infeasible. In the
- // mathematical sense it means that the parent is infeasible and we should
- // have realised that at the moment when we have created it. However, we
+ // mathematical sense, it means that the parent is infeasible and we should
+ // have realized that at the moment when we have created it. However, we
// could not recognize that because of the imperfection of the underlying
// constraint solver. We say it is posteriorly over-constrained because we
- // recognise that a parent is infeasible only *after* a new and more specific
+ // recognize that a parent is infeasible only *after* a new and more specific
// constraint and its negation is evaluated.
//
// Example:
//
- // x * x = 4 and x is in the range [0 ,1]
+ // x * x = 4 and x is in the range [0, 1]
// This is an already infeasible state, but the constraint solver is not
// capable of handling sqrt, thus we don't know it yet.
//
// Then a new constraint `x = 0` is added. At this moment the constraint
// solver re-evaluates the existing constraints and realizes the
// contradiction `0 * 0 = 4`.
// We also evaluate the negated constraint `x != 0`; the constraint solver
// deduces `x = 1` and then realizes the contradiction `1 * 1 = 4`.
// Both children are infeasible, thus the parent state is marked as
// posteriorly over-constrained. These parents are handled with special care:
// we do not allow transitions to exploded nodes with such states.
bool PosteriorlyOverconstrained = false;
steakhal:
ProgramStateRef cloneAsInfeasible() const;
bool isInfeasible() const { return Infeasible; }
steakhalUnsubmitted
Done
ReplyInline Actions

These should not be public. Make friends if required.

steakhal: These should not be public. Make friends if required.
AnalysisManager &getAnalysisManager() const; AnalysisManager &getAnalysisManager() const;
/// Return the ConstraintManager. /// Return the ConstraintManager.
ConstraintManager &getConstraintManager() const; ConstraintManager &getConstraintManager() const;
/// getEnvironment - Return the environment associated with this state. /// getEnvironment - Return the environment associated with this state.
/// The environment is the mapping from expressions to values. /// The environment is the mapping from expressions to values.
const Environment& getEnvironment() const { return Env; } const Environment& getEnvironment() const { return Env; }
Show All 10 Linespublic:
/// Profile - Profile the contents of a ProgramState object for use in a /// Profile - Profile the contents of a ProgramState object for use in a
/// FoldingSet. Two ProgramState objects are considered equal if they /// FoldingSet. Two ProgramState objects are considered equal if they
/// have the same Environment, Store, and GenericDataMap. /// have the same Environment, Store, and GenericDataMap.
static void Profile(llvm::FoldingSetNodeID& ID, const ProgramState *V) { static void Profile(llvm::FoldingSetNodeID& ID, const ProgramState *V) {
V->Env.Profile(ID); V->Env.Profile(ID);
ID.AddPointer(V->store); ID.AddPointer(V->store);
V->GDM.Profile(ID); V->GDM.Profile(ID);
ID.AddBoolean(V->Infeasible);
} }
/// Profile - Used to profile the contents of this object for inclusion /// Profile - Used to profile the contents of this object for inclusion
/// in a FoldingSet. /// in a FoldingSet.
void Profile(llvm::FoldingSetNodeID& ID) const { void Profile(llvm::FoldingSetNodeID& ID) const {
Profile(ID, this); Profile(ID, this);
} }
▲ Show 20 LinesShow All 739 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp

Show All 35 Lines DefinedSVal V = Loc::isLocType(Ty) ? getLocFromSymbol(State, Sym)
: nonloc::SymbolVal(Sym); : nonloc::SymbolVal(Sym);
const ProgramStatePair &P = assumeDual(State, V); const ProgramStatePair &P = assumeDual(State, V);
if (P.first && !P.second) if (P.first && !P.second)
return ConditionTruthVal(false); return ConditionTruthVal(false);
if (!P.first && P.second) if (!P.first && P.second)
return ConditionTruthVal(true); return ConditionTruthVal(true);
return {}; return {};
} }
ConstraintManager::ProgramStatePair
ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {
martongAuthorUnsubmitted
Done
ReplyInline Actions

TODO We should have a very similar implementation for assumeInclusiveRangeDual! (Not that high prio, that is used only by the BoolAssignmentChecker).

martong: TODO We should have a very similar implementation for `assumeInclusiveRangeDual`! (Not that…
ProgramStateRef StTrue = assume(State, Cond, true);
if (!StTrue) {
ProgramStateRef StFalse = assume(State, Cond, false);
if (!StFalse) { // both infeasible
steakhalUnsubmitted
Done
ReplyInline Actions

Should we mark this LLVM_UNLIKELY(cond)?
I would expect this function to be quite hot, and infeasible states rare.

Could we measure this one?

steakhal: Should we mark this `LLVM_UNLIKELY(cond)`? I would expect this function to be quite hot, and…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yes, it could be.

Let me come back with some measurement results soon. I am going to use llvm statistics macros to measure this, but that makes sense on top of D124758

martong: Yes, it could be. Let me come back with some measurement results soon. I am going to use llvm…
martongAuthorUnsubmitted
Done
ReplyInline Actions

This is what I use for the measurement, stay tuned for the results.

diff --git a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
index ef98ed7d36e9..82097d67ec0f 100644
--- a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
@@ -16,10 +16,16 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/Statistic.h"

 using namespace clang;
 using namespace ento;

+#define DEBUG_TYPE "CoreEngine"
+
+STATISTIC(NumInfeasible, "The # of infeasible states");
+STATISTIC(NumFeasible, "The # of feasible states");
+
 ConstraintManager::~ConstraintManager() = default;

 static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
@@ -51,16 +57,20 @@ ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {
     if (!StFalse) { // both infeasible
       ProgramStateRef Infeasible = State->cloneAsInfeasible();
       assert(Infeasible->isInfeasible());
+      ++NumInfeasible;
       return ProgramStatePair(Infeasible, Infeasible);
     }
+    ++NumFeasible;
     return ProgramStatePair(nullptr, StFalse);
   }

   ProgramStateRef StFalse = assumeInternal(State, Cond, false);
   if (!StFalse) {
+    ++NumFeasible;
     return ProgramStatePair(StTrue, nullptr);
   }

+  ++NumFeasible;
   return ProgramStatePair(StTrue, StFalse);
 }
martong: This is what I use for the measurement, stay tuned for the results. ``` diff --git…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ups, the purpose of the measure is to determine if UNLIKELY is justified, so this diff seems better, restarted the measurement with it.

--- a/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
+++ b/clang/lib/StaticAnalyzer/Core/ConstraintManager.cpp
@@ -16,10 +16,16 @@
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState_Fwd.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
+#include "llvm/ADT/Statistic.h"

 using namespace clang;
 using namespace ento;

+#define DEBUG_TYPE "CoreEngine"
+
+STATISTIC(NumInfeasible, "The # of infeasible states");
+STATISTIC(NumFeasible, "The # of feasible states");
+
 ConstraintManager::~ConstraintManager() = default;

 static DefinedSVal getLocFromSymbol(const ProgramStateRef &State,
@@ -51,8 +57,10 @@ ConstraintManager::assumeDual(ProgramStateRef State, DefinedSVal Cond) {
     if (!StFalse) { // both infeasible
       ProgramStateRef Infeasible = State->cloneAsInfeasible();
       assert(Infeasible->isInfeasible());
+      ++NumInfeasible;
       return ProgramStatePair(Infeasible, Infeasible);
     }
+    ++NumFeasible;
     return ProgramStatePair(nullptr, StFalse);
   }
martong: Ups, the purpose of the measure is to determine if UNLIKELY is justified, so this diff seems…
martongAuthorUnsubmitted
Done
ReplyInline Actions

This is indeed UNLIKELY. Seems like a good upper-bound for the ratio's order of magnitude is around 1000 / 10 million i.e. 0.0001.

martong: This is indeed UNLIKELY. Seems like a good upper-bound for the ratio's order of magnitude is…
ProgramStateRef Infeasible = State->cloneAsInfeasible();
assert(Infeasible->isInfeasible());
return ProgramStatePair(Infeasible, Infeasible);
steakhalUnsubmitted
Done
ReplyInline Actions

Add here some comments on why we return (Infeasible,Infeasible).
I would rather see StInfeasible to better discriminate what we are talking about. We already use StTrue and StFalse in this context though.

steakhal: Add here some comments on why we return (`Infeasible`,`Infeasible`). I would rather see…
}
return ProgramStatePair(nullptr, StFalse);
}
ProgramStateRef StFalse = assume(State, Cond, false);
if (!StFalse) {
return ProgramStatePair(StTrue, nullptr);
}
return ProgramStatePair(StTrue, StFalse);
}

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

Show First 20 LinesShow All 49 Lines▼ Show 20 Lines : stateMgr(mgr),
store(st.getStore()), store(st.getStore()),
GDM(gdm), GDM(gdm),
refCount(0) { refCount(0) {
stateMgr->getStoreManager().incrementReferenceCount(store); stateMgr->getStoreManager().incrementReferenceCount(store);
} }
ProgramState::ProgramState(const ProgramState &RHS) ProgramState::ProgramState(const ProgramState &RHS)
: stateMgr(RHS.stateMgr), Env(RHS.Env), store(RHS.store), GDM(RHS.GDM), : stateMgr(RHS.stateMgr), Env(RHS.Env), store(RHS.store), GDM(RHS.GDM),
refCount(0) { Infeasible(RHS.Infeasible), refCount(0) {
stateMgr->getStoreManager().incrementReferenceCount(store); stateMgr->getStoreManager().incrementReferenceCount(store);
} }
ProgramState::~ProgramState() { ProgramState::~ProgramState() {
if (store) if (store)
stateMgr->getStoreManager().decrementReferenceCount(store); stateMgr->getStoreManager().decrementReferenceCount(store);
} }
▲ Show 20 LinesShow All 357 Lines▼ Show 20 Lines
} }
ProgramStateRef ProgramState::makeWithStore(const StoreRef &store) const { ProgramStateRef ProgramState::makeWithStore(const StoreRef &store) const {
ProgramState NewSt(*this); ProgramState NewSt(*this);
NewSt.setStore(store); NewSt.setStore(store);
return getStateManager().getPersistentState(NewSt); return getStateManager().getPersistentState(NewSt);
} }
ProgramStateRef ProgramState::cloneAsInfeasible() const {
ProgramState NewSt(*this);
NewSt.Infeasible = true;
return getStateManager().getPersistentState(NewSt);
}
void ProgramState::setStore(const StoreRef &newStore) { void ProgramState::setStore(const StoreRef &newStore) {
Store newStoreStore = newStore.getStore(); Store newStoreStore = newStore.getStore();
if (newStoreStore) if (newStoreStore)
stateMgr->getStoreManager().incrementReferenceCount(newStoreStore); stateMgr->getStoreManager().incrementReferenceCount(newStoreStore);
if (store) if (store)
stateMgr->getStoreManager().decrementReferenceCount(store); stateMgr->getStoreManager().decrementReferenceCount(store);
store = newStoreStore; store = newStoreStore;
} }
▲ Show 20 LinesShow All 205 LinesShow Last 20 Lines

clang/test/Analysis/sink-infeasible.c

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false \
// RUN: -verify
// Here we test that if it turns out that the parent state is infeasible then
// both children States (more precisely the ExplodedNodes) are marked as a
// Sink.
// We rely on an existing defect of the underlying constraint solver. However,
// in the future we might strengthen the solver to discover the infeasibility
// right when we create the parent state. At that point this test will fail,
// and either we shall find another solver weakness to have this test case
// functioning, or we shall simply remove this test.
void clang_analyzer_warnIfReached();
void clang_analyzer_eval(int);
int a, b, c, d, e;
void f() {
if (a == 0)
return;
if (e != c)
return;
d = e - c;
b = d;
a -= d;
if (a != 0)
return;
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
/* The BASELINE passes these checks ('wrning' is used to avoid lit to match)
// The parent state is already infeasible, look at this contradiction:
clang_analyzer_eval(b > 0); // expected-wrning{{FALSE}}
clang_analyzer_eval(b <= 0); // expected-wrning{{FALSE}}
// Crashes with expensive checks.
if (b > 0) {
clang_analyzer_warnIfReached(); // no-warning, OK
return;
}
// Should not be reachable.
clang_analyzer_warnIfReached(); // expected-wrning{{REACHABLE}}
*/
steakhalUnsubmitted
Done
ReplyInline Actions

You could use a non-default check prefix.

steakhal: You could use a non-default check prefix.
martongAuthorUnsubmitted
Done
ReplyInline Actions

No I can't, because this test code in the comment is meaningful only in the baseline, I cannot run both clang versions from lit.

So, actually there is no RUN line for these, it is here only to demonstrate what happens in the baseline.

martong: No I can't, because this test code in the comment is meaningful only in the baseline, I cannot…
steakhalUnsubmitted
Done
ReplyInline Actions

Okay, why don't we drop these if these are only applicable to the baseline?
Should we really introduce 'stale' comments?

steakhal: Okay, why don't we drop these if these are only applicable to the baseline? Should we really…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, I can remove them if you insist, but I thought it might make it easier to understand what is changed.

martong: Ok, I can remove them if you insist, but I thought it might make it easier to understand what…
// The parent state is already infeasible, but we realize that only if b is
// constrained.
clang_analyzer_eval(b > 0); // expected-warning{{UNKNOWN}}
clang_analyzer_eval(b <= 0); // expected-warning{{UNKNOWN}}
if (b > 0) {
clang_analyzer_warnIfReached(); // no-warning
return;
}
clang_analyzer_warnIfReached(); // no-warning
}