This is an archive of the discontinued LLVM Phabricator instance.

Differential D126281

[analyzer] Fix symbol simplification assertion failure
ClosedPublic

Authored by martong on May 24 2022, 2:47 AM.

Details

Reviewers
NoQ
steakhal
Szelethus
Commits
rGf75bc5bfc8f8: [analyzer] Fix symbol simplification assertion failure
Summary

Fixes https://github.com/llvm/llvm-project/issues/55546

The assertion mentioned in the issue is triggered because an
inconsistency is formed in the Sym->Class and Class->Sym relations. A
simpler but similar inconsistency is demonstrated here:
https://reviews.llvm.org/D114887 .

Previously in removeMember, we didn't remove the old symbol's
Sym->Class relation. Back then, we explained it with the following two
bullet points:

  1. This way constraints for the old symbol can still be found via it's

equivalence class that it used to be the member of.

  1. Performance and resource reasons. We can spare one removal and thus one

additional tree in the forest of ClassMap.

This patch do remove the old symbol's Sym->Class relation in order to
keep the Sym->Class relation consistent with the Class->Sym relations.
Point 2) above has negligible performance impact, empirical measurements
do not show any noticeable difference in the run-time. Point 1) above
seems to be a not well justified statement. This is because we cannot
create a new symbol that would be equal to the old symbol after the
simplification had happened. The reason for this is that the SValBuilder
uses the available constant constraints for each sub-symbol.

Diff Detail

Event Timeline

martong created this revision.May 24 2022, 2:47 AM
Herald added a reviewer: Szelethus. · View Herald TranscriptMay 24 2022, 2:47 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: manas, ASDenysPetrov, gamesh411 and 9 others. · View Herald Transcript
martong requested review of this revision.May 24 2022, 2:47 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 24 2022, 2:47 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript
martong added inline comments.May 24 2022, 2:48 AM
clang/test/Analysis/symbol-simplification-assertion.c
16–19

TODO remove.

martong added a comment.EditedMay 24 2022, 3:06 AM

Point 2) above has negligible performance impact, empirical measurements do not show any noticeable difference in the run-time.

Attaching the measurement results that show the run-time difference is not noticeable, or rather it is within the margin of measurement error.

Harbormaster completed remote builds in B166013: Diff 431622.May 24 2022, 3:20 AM
steakhal added a comment.May 24 2022, 3:23 AM
In D126281#3533755, @martong wrote:

Point 2) above has negligible performance impact, empirical measurements do not show any noticeable difference in the run-time.

Attaching the measurement results that show the run-time difference is not noticeable, or rather it is within the margin of measurement error.

Can C++ projects behave differently?

Please add the Fixes #55546 comment into the commit message, to let GitHub recognize this.

clang/test/Analysis/symbol-simplification-assertion.c
28

Is this statement still reachable? Demonstrate it by using the clang_analyzer_warnIfReached().

martong updated this revision to Diff 431635.May 24 2022, 3:39 AM
martong marked an inline comment as done.
  • Add clang_analyzer_warnIfReached() to the test and remove unused debug function decls
clang/test/Analysis/symbol-simplification-assertion.c
28

Ok, I've added that.

Harbormaster completed remote builds in B166022: Diff 431635.May 24 2022, 4:10 AM
steakhal accepted this revision.May 24 2022, 5:24 AM
This revision is now accepted and ready to land.May 24 2022, 5:24 AM
This revision was landed with ongoing or failed builds.May 25 2022, 2:02 AM
Closed by commit rGf75bc5bfc8f8: [analyzer] Fix symbol simplification assertion failure (authored by martong). · Explain Why
This revision was automatically updated to reflect the committed changes.
martong added a commit: rGf75bc5bfc8f8: [analyzer] Fix symbol simplification assertion failure.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
12 lines
test/
Analysis/
25 lines

Diff 431912

clang/lib/StaticAnalyzer/Core/RangeConstraintManager.cpp

Show First 20 LinesShow All 2,502 Lines▼ Show 20 Lines
} }
LLVM_NODISCARD ProgramStateRef LLVM_NODISCARD ProgramStateRef
EquivalenceClass::removeMember(ProgramStateRef State, const SymbolRef Old) { EquivalenceClass::removeMember(ProgramStateRef State, const SymbolRef Old) {
SymbolSet ClsMembers = getClassMembers(State); SymbolSet ClsMembers = getClassMembers(State);
assert(ClsMembers.contains(Old)); assert(ClsMembers.contains(Old));
// We don't remove `Old`'s Sym->Class relation for two reasons:
// 1) This way constraints for the old symbol can still be found via it's
// equivalence class that it used to be the member of.
// 2) Performance and resource reasons. We can spare one removal and thus one
// additional tree in the forest of `ClassMap`.
// Remove `Old`'s Class->Sym relation. // Remove `Old`'s Class->Sym relation.
SymbolSet::Factory &F = getMembersFactory(State); SymbolSet::Factory &F = getMembersFactory(State);
ClassMembersTy::Factory &EMFactory = State->get_context<ClassMembers>(); ClassMembersTy::Factory &EMFactory = State->get_context<ClassMembers>();
ClsMembers = F.remove(ClsMembers, Old); ClsMembers = F.remove(ClsMembers, Old);
// Ensure another precondition of the removeMember function (we can check // Ensure another precondition of the removeMember function (we can check
// this only with isEmpty, thus we have to do the remove first). // this only with isEmpty, thus we have to do the remove first).
assert(!ClsMembers.isEmpty() && assert(!ClsMembers.isEmpty() &&
"Class should have had at least two members before member removal"); "Class should have had at least two members before member removal");
// Overwrite the existing members assigned to this class. // Overwrite the existing members assigned to this class.
ClassMembersTy ClassMembersMap = State->get<ClassMembers>(); ClassMembersTy ClassMembersMap = State->get<ClassMembers>();
ClassMembersMap = EMFactory.add(ClassMembersMap, *this, ClsMembers); ClassMembersMap = EMFactory.add(ClassMembersMap, *this, ClsMembers);
State = State->set<ClassMembers>(ClassMembersMap); State = State->set<ClassMembers>(ClassMembersMap);
// Remove `Old`'s Sym->Class relation.
ClassMapTy Classes = State->get<ClassMap>();
ClassMapTy::Factory &CMF = State->get_context<ClassMap>();
Classes = CMF.remove(Classes, Old);
State = State->set<ClassMap>(Classes);
return State; return State;
} }
// Re-evaluate an SVal with top-level `State->assume` logic. // Re-evaluate an SVal with top-level `State->assume` logic.
LLVM_NODISCARD ProgramStateRef reAssume(ProgramStateRef State, LLVM_NODISCARD ProgramStateRef reAssume(ProgramStateRef State,
const RangeSet *Constraint, const RangeSet *Constraint,
SVal TheValue) { SVal TheValue) {
if (!Constraint) if (!Constraint)
▲ Show 20 LinesShow All 796 LinesShow Last 20 Lines

clang/test/Analysis/symbol-simplification-assertion.c

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core \
// RUN: -analyzer-checker=debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=true \
// RUN: -verify
// Here we test that no assertion is fired during symbol simplification.
// Related issue: https://github.com/llvm/llvm-project/issues/55546
extern void abort() __attribute__((__noreturn__));
#define assert(expr) ((expr) ? (void)(0) : abort())
void clang_analyzer_warnIfReached();
int a, b, c;
long L, L1;
void test() {
assert(a + L + 1 + b != c);
assert(L == a);
martongAuthorUnsubmitted
Done
ReplyInline Actions

TODO remove.

martong: TODO remove.
assert(c == 0);
L1 = 0;
assert(a + L1 + 1 + b != c);
assert(a == 0); // no-assertion
clang_analyzer_warnIfReached(); // expected-warning{{REACHABLE}}
}
steakhalUnsubmitted
Done
ReplyInline Actions

Is this statement still reachable? Demonstrate it by using the clang_analyzer_warnIfReached().

steakhal: Is this statement still reachable? Demonstrate it by using the `clang_analyzer_warnIfReached()`.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Ok, I've added that.

martong: Ok, I've added that.