This is an archive of the discontinued LLVM Phabricator instance.

Differential D129289

[clang][dataflow] Use dedicated tokens to encode which branch was taken
AbandonedPublicDraft

Authored by samestep on Jul 7 2022, 6:49 AM.

Details

Reviewers
NoQ
Summary

This patch attempts to resolve a FIXME in DataflowEnvironment.cpp about merging BoolValues when the two flow conditions are not mutually exclusive. The issue here is that we are using the truth value of each flow condition as a proxy for the idea of whether or not we took that branch, which breaks down on backedges.

To try to resolve the issue, this patch creates two additional AtomicBoolValues to directly represent which branch we took, and uses those directly within mergeDistinctValues. As currently written, this doesn't quite work: it compiles, but 20 tests from ClangAnalysisFlowSensitiveTests fail. This patch is therefore simply meant as a starting point for discussion on how to properly resolve this issue.

Diff Detail

Unit TestsFailed

TimeTest
10 msx64 debian > Clang-Unit.Analysis/FlowSensitive/_/ClangAnalysisFlowSensitiveTests/ChromiumCheckModelTest::UnrelatedCheckIgnored
0 msx64 debian > Clang-Unit.Analysis/FlowSensitive/_/ClangAnalysisFlowSensitiveTests/DataflowAnalysisContextTest::JoinFlowConditions
0 msx64 debian > Clang-Unit.Analysis/FlowSensitive/_/ClangAnalysisFlowSensitiveTests/DataflowAnalysisContextTest::SubstituteFlowConditionsJoinedFC
10 msx64 debian > Clang-Unit.Analysis/FlowSensitive/_/ClangAnalysisFlowSensitiveTests/FlowConditionTest::Conjunction
10 msx64 debian > Clang-Unit.Analysis/FlowSensitive/_/ClangAnalysisFlowSensitiveTests/FlowConditionTest::DeMorgan
View Full Test Results (21 Failed)

Event Timeline

samestep created this revision.Jul 7 2022, 6:49 AM
Herald added a reviewer: NoQ. · View Herald TranscriptJul 7 2022, 6:49 AM
Herald added a project: Restricted Project. · View Herald Transcript
Herald added subscribers: martong, tschuett, xazax.hun. · View Herald Transcript
samestep edited the summary of this revision. (Show Details)Jul 7 2022, 6:53 AM
Harbormaster completed remote builds in B174146: Diff 442895.Jul 7 2022, 7:55 AM
ymandel added a subscriber: ymandel.Jul 8 2022, 6:31 AM

Can you give some examples (or the whole list) of failing tests?

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
154–156

Should we also include TookFirstBranchToken \/ TookSecondBranchToken? If so, i suppose we could also rephrase as (NOT First AND Second) OR (First AND NOT Second) which may get at the point a bit more directly.

samestep added a comment.Jul 8 2022, 7:09 AM
In D129289#3638756, @ymandel wrote:

Can you give some examples (or the whole list) of failing tests?

Yeah, I was going to do that originally but the log was too long so I couldn't scroll all the way up in my terminal history. Anyways, here's a pastebin: https://pastebin.com/uir7YKNL

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
154–156

That should already be covered by the other constraint added below, right? Although actually, now I'm thinking that since we have exactly two choices, maybe we should just use one single TookFirstBranchToken, where "true" means we took the first branch and "false" means we took the second branch.

ymandel added a comment.Jul 8 2022, 7:16 AM
In D129289#3638847, @samestep wrote:
In D129289#3638756, @ymandel wrote:

Can you give some examples (or the whole list) of failing tests?

Yeah, I was going to do that originally but the log was too long so I couldn't scroll all the way up in my terminal history. Anyways, here's a pastebin: https://pastebin.com/uir7YKNL

Based on those failures, looks like it broke something fundamental. Basically, lots of conditions are now true that shouldn't be. I'd start with the FlowConditionTest cases since those are simple and their failure will probably indicate the problem pretty quickly. But, I'd first recommend making the single-bool change you mentioned.

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
154–156

right. I hadn't thought it through. that said, I agree with your intuition of just using one boolean.

sgatev added a subscriber: sgatev.Jul 15 2022, 2:43 AM
sgatev added inline comments.
clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h
219

Let's not call the new params "tokens" since they are plain bool values, not flow condition tokens.

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp
151–152

This shouldn't be necessary - TookFirstBranchToken and TookSecondBranchToken are not flow condition tokens.

samestep mentioned this in D130270: [clang][dataflow] Use a dedicated bool to encode which branch was taken.Jul 21 2022, 7:00 AM
samestep abandoned this revision.Jul 21 2022, 7:01 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 21 2022, 7:01 AM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
include/
clang/
Analysis/
FlowSensitive/
4 lines
lib/
Analysis/
FlowSensitive/
19 lines
22 lines
unittests/
Analysis/
FlowSensitive/
8 lines

Diff 442895

clang/include/clang/Analysis/FlowSensitive/DataflowAnalysisContext.h

Show First 20 LinesShow All 209 Lines▼ Show 20 Linespublic:
/// Creates a new flow condition with the same constraints as the flow /// Creates a new flow condition with the same constraints as the flow
/// condition identified by `Token` and returns its token. /// condition identified by `Token` and returns its token.
AtomicBoolValue &forkFlowCondition(AtomicBoolValue &Token); AtomicBoolValue &forkFlowCondition(AtomicBoolValue &Token);
/// Creates a new flow condition that represents the disjunction of the flow /// Creates a new flow condition that represents the disjunction of the flow
/// conditions identified by `FirstToken` and `SecondToken`, and returns its /// conditions identified by `FirstToken` and `SecondToken`, and returns its
/// token. /// token.
AtomicBoolValue &joinFlowConditions(AtomicBoolValue &FirstToken, AtomicBoolValue &joinFlowConditions(AtomicBoolValue &FirstToken,
AtomicBoolValue &SecondToken); AtomicBoolValue &SecondToken,
AtomicBoolValue &TookFirstBranchToken,
sgatevUnsubmitted
Not Done
ReplyInline Actions

Let's not call the new params "tokens" since they are plain bool values, not flow condition tokens.

sgatev: Let's not call the new params "tokens" since they are plain bool values, not flow condition…
AtomicBoolValue &TookSecondBranchToken);
// FIXME: This function returns the flow condition expressed directly as its // FIXME: This function returns the flow condition expressed directly as its
// constraints: (C1 AND C2 AND ...). This differs from the general approach in // constraints: (C1 AND C2 AND ...). This differs from the general approach in
// the framework where a flow condition is represented as a token (an atomic // the framework where a flow condition is represented as a token (an atomic
// boolean) with dependencies and constraints tracked in `FlowConditionDeps` // boolean) with dependencies and constraints tracked in `FlowConditionDeps`
// and `FlowConditionConstraints`: (FC <=> C1 AND C2 AND ...). // and `FlowConditionConstraints`: (FC <=> C1 AND C2 AND ...).
// Consider if we should make the representation of flow condition consistent, // Consider if we should make the representation of flow condition consistent,
// returning an atomic boolean token with separate constraints instead. // returning an atomic boolean token with separate constraints instead.
▲ Show 20 LinesShow All 134 LinesShow Last 20 Lines

clang/lib/Analysis/FlowSensitive/DataflowAnalysisContext.cpp

Show First 20 LinesShow All 137 Lines▼ Show 20 Lines
AtomicBoolValue & AtomicBoolValue &
DataflowAnalysisContext::forkFlowCondition(AtomicBoolValue &Token) { DataflowAnalysisContext::forkFlowCondition(AtomicBoolValue &Token) {
auto &ForkToken = makeFlowConditionToken(); auto &ForkToken = makeFlowConditionToken();
FlowConditionDeps[&ForkToken].insert(&Token); FlowConditionDeps[&ForkToken].insert(&Token);
addFlowConditionConstraint(ForkToken, Token); addFlowConditionConstraint(ForkToken, Token);
return ForkToken; return ForkToken;
} }
AtomicBoolValue & AtomicBoolValue &DataflowAnalysisContext::joinFlowConditions(
DataflowAnalysisContext::joinFlowConditions(AtomicBoolValue &FirstToken, AtomicBoolValue &FirstToken, AtomicBoolValue &SecondToken,
AtomicBoolValue &SecondToken) { AtomicBoolValue &TookFirstBranchToken,
AtomicBoolValue &TookSecondBranchToken) {
auto &Token = makeFlowConditionToken(); auto &Token = makeFlowConditionToken();
FlowConditionDeps[&Token].insert(&TookFirstBranchToken);
FlowConditionDeps[&Token].insert(&TookSecondBranchToken);
sgatevUnsubmitted
Not Done
ReplyInline Actions

This shouldn't be necessary - TookFirstBranchToken and TookSecondBranchToken are not flow condition tokens.

sgatev: This shouldn't be necessary - `TookFirstBranchToken` and `TookSecondBranchToken` are not flow…
addFlowConditionConstraint(
Token, getOrCreateDisjunction(
getOrCreateNegation(TookFirstBranchToken),
getOrCreateNegation(TookSecondBranchToken)));
ymandelUnsubmitted
Not Done
ReplyInline Actions

Should we also include TookFirstBranchToken \/ TookSecondBranchToken? If so, i suppose we could also rephrase as (NOT First AND Second) OR (First AND NOT Second) which may get at the point a bit more directly.

ymandel: Should we also include `TookFirstBranchToken \/ TookSecondBranchToken`? If so, i suppose we…
samestepAuthorUnsubmitted
Done
ReplyInline Actions

That should already be covered by the other constraint added below, right? Although actually, now I'm thinking that since we have exactly two choices, maybe we should just use one single TookFirstBranchToken, where "true" means we took the first branch and "false" means we took the second branch.

samestep: That should already be covered by the other constraint added below, right? Although actually…
ymandelUnsubmitted
Not Done
ReplyInline Actions

right. I hadn't thought it through. that said, I agree with your intuition of just using one boolean.

ymandel: right. I hadn't thought it through. that said, I agree with your intuition of just using one…
FlowConditionDeps[&Token].insert(&FirstToken); FlowConditionDeps[&Token].insert(&FirstToken);
FlowConditionDeps[&Token].insert(&SecondToken); FlowConditionDeps[&Token].insert(&SecondToken);
addFlowConditionConstraint(Token, addFlowConditionConstraint(
getOrCreateDisjunction(FirstToken, SecondToken)); Token, getOrCreateDisjunction(
getOrCreateConjunction(TookFirstBranchToken, FirstToken),
getOrCreateConjunction(TookSecondBranchToken, SecondToken)));
return Token; return Token;
} }
Solver::Result Solver::Result
DataflowAnalysisContext::querySolver(llvm::DenseSet<BoolValue *> Constraints) { DataflowAnalysisContext::querySolver(llvm::DenseSet<BoolValue *> Constraints) {
Constraints.insert(&getBoolLiteralValue(true)); Constraints.insert(&getBoolLiteralValue(true));
Constraints.insert(&getOrCreateNegation(getBoolLiteralValue(false))); Constraints.insert(&getOrCreateNegation(getBoolLiteralValue(false)));
return S->solve(std::move(Constraints)); return S->solve(std::move(Constraints));
▲ Show 20 LinesShow All 179 LinesShow Last 20 Lines

clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp

Show First 20 LinesShow All 73 Lines▼ Show 20 Lines
/// Attempts to merge distinct values `Val1` and `Val2` in `Env1` and `Env2`, /// Attempts to merge distinct values `Val1` and `Val2` in `Env1` and `Env2`,
/// respectively, of the same type `Type`. Merging generally produces a single /// respectively, of the same type `Type`. Merging generally produces a single
/// value that (soundly) approximates the two inputs, although the actual /// value that (soundly) approximates the two inputs, although the actual
/// meaning depends on `Model`. /// meaning depends on `Model`.
static Value *mergeDistinctValues(QualType Type, Value *Val1, static Value *mergeDistinctValues(QualType Type, Value *Val1,
const Environment &Env1, Value *Val2, const Environment &Env1, Value *Val2,
const Environment &Env2, const Environment &Env2,
Environment &MergedEnv, Environment &MergedEnv,
Environment::ValueModel &Model) { Environment::ValueModel &Model,
AtomicBoolValue &TookLeftBranchToken,
AtomicBoolValue &TookRightBranchToken) {
// Join distinct boolean values preserving information about the constraints // Join distinct boolean values preserving information about the constraints
// in the respective path conditions. // in the respective path conditions.
//
// FIXME: Does not work for backedges, since the two (or more) paths will not
// have mutually exclusive conditions.
if (auto *Expr1 = dyn_cast<BoolValue>(Val1)) { if (auto *Expr1 = dyn_cast<BoolValue>(Val1)) {
auto *Expr2 = cast<BoolValue>(Val2); auto *Expr2 = cast<BoolValue>(Val2);
auto &MergedVal = MergedEnv.makeAtomicBoolValue(); auto &MergedVal = MergedEnv.makeAtomicBoolValue();
MergedEnv.addToFlowCondition(MergedEnv.makeOr( MergedEnv.addToFlowCondition(MergedEnv.makeOr(
MergedEnv.makeAnd(Env1.getFlowConditionToken(), MergedEnv.makeAnd(TookLeftBranchToken,
MergedEnv.makeIff(MergedVal, *Expr1)), MergedEnv.makeIff(MergedVal, *Expr1)),
MergedEnv.makeAnd(Env2.getFlowConditionToken(), MergedEnv.makeAnd(TookRightBranchToken,
MergedEnv.makeIff(MergedVal, *Expr2)))); MergedEnv.makeIff(MergedVal, *Expr2))));
return &MergedVal; return &MergedVal;
} }
// FIXME: add unit tests that cover this statement. // FIXME: add unit tests that cover this statement.
if (areEquivalentIndirectionValues(Val1, Val2)) { if (areEquivalentIndirectionValues(Val1, Val2)) {
return Val1; return Val1;
} }
▲ Show 20 LinesShow All 145 Lines▼ Show 20 LinesLatticeJoinEffect Environment::join(const Environment &Other,
if (ExprToLoc.size() != JoinedEnv.ExprToLoc.size()) if (ExprToLoc.size() != JoinedEnv.ExprToLoc.size())
Effect = LatticeJoinEffect::Changed; Effect = LatticeJoinEffect::Changed;
JoinedEnv.MemberLocToStruct = JoinedEnv.MemberLocToStruct =
intersectDenseMaps(MemberLocToStruct, Other.MemberLocToStruct); intersectDenseMaps(MemberLocToStruct, Other.MemberLocToStruct);
if (MemberLocToStruct.size() != JoinedEnv.MemberLocToStruct.size()) if (MemberLocToStruct.size() != JoinedEnv.MemberLocToStruct.size())
Effect = LatticeJoinEffect::Changed; Effect = LatticeJoinEffect::Changed;
auto &TookLeftBranchToken = DACtx->createAtomicBoolValue();
auto &TookRightBranchToken = DACtx->createAtomicBoolValue();
// FIXME: set `Effect` as needed. // FIXME: set `Effect` as needed.
JoinedEnv.FlowConditionToken = &DACtx->joinFlowConditions( JoinedEnv.FlowConditionToken =
*FlowConditionToken, *Other.FlowConditionToken); &DACtx->joinFlowConditions(*FlowConditionToken, *Other.FlowConditionToken,
TookLeftBranchToken, TookRightBranchToken);
for (auto &Entry : LocToVal) { for (auto &Entry : LocToVal) {
const StorageLocation *Loc = Entry.first; const StorageLocation *Loc = Entry.first;
assert(Loc != nullptr); assert(Loc != nullptr);
Value *Val = Entry.second; Value *Val = Entry.second;
assert(Val != nullptr); assert(Val != nullptr);
auto It = Other.LocToVal.find(Loc); auto It = Other.LocToVal.find(Loc);
if (It == Other.LocToVal.end()) if (It == Other.LocToVal.end())
continue; continue;
assert(It->second != nullptr); assert(It->second != nullptr);
if (Val == It->second) { if (Val == It->second) {
JoinedEnv.LocToVal.insert({Loc, Val}); JoinedEnv.LocToVal.insert({Loc, Val});
continue; continue;
} }
if (Value *MergedVal = mergeDistinctValues( if (Value *MergedVal = mergeDistinctValues(
Loc->getType(), Val, *this, It->second, Other, JoinedEnv, Model)) Loc->getType(), Val, *this, It->second, Other, JoinedEnv, Model,
TookLeftBranchToken, TookRightBranchToken))
JoinedEnv.LocToVal.insert({Loc, MergedVal}); JoinedEnv.LocToVal.insert({Loc, MergedVal});
} }
if (LocToVal.size() != JoinedEnv.LocToVal.size()) if (LocToVal.size() != JoinedEnv.LocToVal.size())
Effect = LatticeJoinEffect::Changed; Effect = LatticeJoinEffect::Changed;
*this = std::move(JoinedEnv); *this = std::move(JoinedEnv);
return Effect; return Effect;
▲ Show 20 LinesShow All 230 LinesShow Last 20 Lines

clang/unittests/Analysis/FlowSensitive/DataflowAnalysisContextTest.cpp

Show First 20 LinesShow All 173 Lines▼ Show 20 LinesTEST_F(DataflowAnalysisContextTest, JoinFlowConditions) {
auto &FC1 = Context.makeFlowConditionToken(); auto &FC1 = Context.makeFlowConditionToken();
Context.addFlowConditionConstraint(FC1, C1); Context.addFlowConditionConstraint(FC1, C1);
Context.addFlowConditionConstraint(FC1, C3); Context.addFlowConditionConstraint(FC1, C3);
auto &FC2 = Context.makeFlowConditionToken(); auto &FC2 = Context.makeFlowConditionToken();
Context.addFlowConditionConstraint(FC2, C2); Context.addFlowConditionConstraint(FC2, C2);
Context.addFlowConditionConstraint(FC2, C3); Context.addFlowConditionConstraint(FC2, C3);
auto &FC3 = Context.joinFlowConditions(FC1, FC2); auto &B1 = Context.createAtomicBoolValue();
auto &B2 = Context.createAtomicBoolValue();
auto &FC3 = Context.joinFlowConditions(FC1, FC2, B1, B2);
EXPECT_FALSE(Context.flowConditionImplies(FC3, C1)); EXPECT_FALSE(Context.flowConditionImplies(FC3, C1));
EXPECT_FALSE(Context.flowConditionImplies(FC3, C2)); EXPECT_FALSE(Context.flowConditionImplies(FC3, C2));
EXPECT_TRUE(Context.flowConditionImplies(FC3, C3)); EXPECT_TRUE(Context.flowConditionImplies(FC3, C3));
} }
TEST_F(DataflowAnalysisContextTest, FlowConditionTautologies) { TEST_F(DataflowAnalysisContextTest, FlowConditionTautologies) {
// Fresh flow condition with empty/no constraints is always true. // Fresh flow condition with empty/no constraints is always true.
auto &FC1 = Context.makeFlowConditionToken(); auto &FC1 = Context.makeFlowConditionToken();
▲ Show 20 LinesShow All 240 Lines▼ Show 20 LinesTEST_F(DataflowAnalysisContextTest, SubstituteFlowConditionsJoinedFC) {
// FC1 = X // FC1 = X
auto &FC1 = Context.makeFlowConditionToken(); auto &FC1 = Context.makeFlowConditionToken();
Context.addFlowConditionConstraint(FC1, X); Context.addFlowConditionConstraint(FC1, X);
// FC2 = Y // FC2 = Y
auto &FC2 = Context.makeFlowConditionToken(); auto &FC2 = Context.makeFlowConditionToken();
Context.addFlowConditionConstraint(FC2, Y); Context.addFlowConditionConstraint(FC2, Y);
// JoinedFC = (FC1 || FC2) && Z = (X || Y) && Z // JoinedFC = (FC1 || FC2) && Z = (X || Y) && Z
auto &JoinedFC = Context.joinFlowConditions(FC1, FC2); auto &B1 = Context.createAtomicBoolValue();
auto &B2 = Context.createAtomicBoolValue();
auto &JoinedFC = Context.joinFlowConditions(FC1, FC2, B1, B2);
Context.addFlowConditionConstraint(JoinedFC, Z); Context.addFlowConditionConstraint(JoinedFC, Z);
// If any of X, Y is true in JoinedFC, JoinedFC = (X || Y) && Z is equivalent // If any of X, Y is true in JoinedFC, JoinedFC = (X || Y) && Z is equivalent
// to evaluating the remaining Z // to evaluating the remaining Z
auto &JoinedFCWithXTrue = auto &JoinedFCWithXTrue =
Context.buildAndSubstituteFlowCondition(JoinedFC, {{&X, &True}}); Context.buildAndSubstituteFlowCondition(JoinedFC, {{&X, &True}});
auto &JoinedFCWithYTrue = auto &JoinedFCWithYTrue =
Context.buildAndSubstituteFlowCondition(JoinedFC, {{&Y, &True}}); Context.buildAndSubstituteFlowCondition(JoinedFC, {{&Y, &True}});
Show All 28 Lines