This is an archive of the discontinued LLVM Phabricator instance.

Differential D131187

[analyzer] Add more information to the Exploded Graph
ClosedPublic

Authored by isuckatcs on Aug 4 2022, 11:08 AM.

Details

Reviewers
NoQ
xazax.hun
Szelethus
t-rasmud
martong
usama54321
ziqingluo-90
Commits
rGb5147937b2a9: [analyzer] Add more information to the Exploded Graph
Summary

During non-POD array construction and destruction we store additional data in the program state.

Right now only the index of the actual element being constructed is dumped into the egraph in case
of simple construction invoked by CXXConstructExpr.

This patch dumps information about pending ArrayInitLoopExprs and destructors.

Depends on: D130737

The resulting nodes:

Diff Detail

Event Timeline

isuckatcs created this revision.Aug 4 2022, 11:08 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 4 2022, 11:08 AM
Herald added subscribers: steakhal, manas, ASDenysPetrov and 7 others. · View Herald Transcript
isuckatcs requested review of this revision.Aug 4 2022, 11:08 AM
isuckatcs updated this revision to Diff 450073.

Updated

isuckatcs mentioned this in D130737: [analyzer] Process non-POD array element destructors.Aug 4 2022, 11:10 AM
isuckatcs added a parent revision: D130737: [analyzer] Process non-POD array element destructors.
NoQ added a comment.Aug 4 2022, 11:23 AM

Beautiful!!

I think we should add an exploded-graph-rewriter test in which these new traits aren't null.

At this point, with all these Environment-like traits, maybe we can combine them into a single table? (Would be a separate patch).

----
Environment:

  #0 Call S::S (test.cpp:16:19)
    Expressions:
      S1002  .x  &Element{arr,0 S64b,struct S}.x
      S1008  .x  1 S32b

   #1 Call main
      Expressions:
        S967   arr     &arr
        S9088  arr[*]  &Element{arr,0S64b,struct S}
      Objects Under Construction:
        S1058  (construct into local variable)  auto = {arr[*]}  &Element{NonParamVarRegion{D952},0 S64b,struct S}
      Indices Of Elements Under Construction:
        S1018  (Cur: 0)  CXXConstructExpr <test.cpp:16:19, col:10>  'S'  Next: 1
      Pending Array Init Loop Expressions:
        S1018            CXXConstructExpr <test.cpp:16:19, col:10>  'S'  Size: 2
----
clang/test/Analysis/exploded-graph-rewriter/checker_messages_diff.dot
72–76

It may also make sense to drop the : null traits entirely and have the python script treat it as the default value, this may win like 10% performance at this point. Not necessarily worth it given that the primary bottleneck is still the viewer.

Harbormaster completed remote builds in B179347: Diff 450073.Aug 4 2022, 12:59 PM
xazax.hun accepted this revision.Aug 8 2022, 9:46 AM

Very minor nit: In the construction we have "Size" in the destruction we have "Size of the array". Is it the case that the first size is the flattened size the second in is the currently destroyed array's size only? (I.e., not modified by nesting.) If that is the case, I think the name of the field could be clearer for the ArrayInitLoopExprs, like "Flattened size".

This revision is now accepted and ready to land.Aug 8 2022, 9:46 AM
isuckatcs updated this revision to Diff 455611.Aug 25 2022, 9:12 AM
isuckatcs edited the summary of this revision. (Show Details)
  • Rebased
  • Updated how the information is displayed.
  • Updated the screenshots of the nodes in the description to reflect the changes.
Harbormaster completed remote builds in B183389: Diff 455611.Aug 25 2022, 9:44 AM
isuckatcs updated this revision to Diff 456117.Aug 27 2022, 7:27 AM
isuckatcs marked an inline comment as done.

Empty traits are no longer dumped. This also solves the reverse compatibility issue caused by D127973.

isuckatcs mentioned this in D127973: [analyzer] Eval construction of non POD type arrays..Aug 27 2022, 7:29 AM
Harbormaster completed remote builds in B183752: Diff 456117.Aug 27 2022, 8:34 AM
xazax.hun added inline comments.Aug 29 2022, 9:02 AM
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
776

Nit: is there any reason to have a string literal here instead of a character literal?

781

Same as above.

808

Same as above, and for a few other locations below.

isuckatcs added inline comments.Aug 29 2022, 10:05 AM
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
776

I though the code will look more uniform like this. Are there cons of using a string literal instead of a character literal here?

xazax.hun added inline comments.Aug 29 2022, 10:54 AM
clang/lib/StaticAnalyzer/Core/ExprEngine.cpp
776

Piping a character is more efficient. A string literal decays to a pointer that needs to be dereferenced and we also need to store the closing null character. Passing a literal will save us storing the closing null and the dereference. Although we are on a path where we do IO, so micro-optimizations like this make little difference (if anything at all). So, I'm also fine with the uniformity argument.

isuckatcs updated this revision to Diff 456476.Aug 29 2022, 3:31 PM
isuckatcs marked 4 inline comments as done.

Replaced one length string literals with char literals

Harbormaster completed remote builds in B184027: Diff 456476.Aug 29 2022, 4:44 PM
isuckatcs updated this revision to Diff 456948.Aug 31 2022, 6:51 AM

Added a new test case where the program states are not empty in the dot files

Harbormaster completed remote builds in B184355: Diff 456948.Aug 31 2022, 7:20 AM
NoQ accepted this revision.Sep 1 2022, 9:04 PM

Thanks a lot!!

Closed by commit rGb5147937b2a9: [analyzer] Add more information to the Exploded Graph (authored by isuckatcs). · Explain WhySep 2 2022, 3:21 PM
This revision was automatically updated to reflect the committed changes.
isuckatcs added a commit: rGb5147937b2a9: [analyzer] Add more information to the Exploded Graph.
Herald added a project: Restricted Project. · View Herald TranscriptSep 2 2022, 3:21 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
195 lines
test/
Analysis/
exploded-graph-rewriter/
4 lines
8 lines
4 lines
12 lines
4 lines
12 lines
237 lines
4 lines
8 lines
4 lines
2 lines
utils/
analyzer/
74 lines

Diff 457716

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 687 Lines▼ Show 20 LinesprintObjectsUnderConstructionJson(raw_ostream &Out, ProgramStateRef State,
// Store the last key. // Store the last key.
const ConstructedObjectKey *LastKey = nullptr; const ConstructedObjectKey *LastKey = nullptr;
for (const auto &I : State->get<ObjectsUnderConstruction>()) { for (const auto &I : State->get<ObjectsUnderConstruction>()) {
const ConstructedObjectKey &Key = I.first; const ConstructedObjectKey &Key = I.first;
if (Key.getLocationContext() != LCtx) if (Key.getLocationContext() != LCtx)
continue; continue;
if (!HasItem) { if (!HasItem) {
Out << "[" << NL; Out << '[' << NL;
HasItem = true; HasItem = true;
} }
LastKey = &Key; LastKey = &Key;
} }
for (const auto &I : State->get<ObjectsUnderConstruction>()) { for (const auto &I : State->get<ObjectsUnderConstruction>()) {
const ConstructedObjectKey &Key = I.first; const ConstructedObjectKey &Key = I.first;
Show All 14 Lines if (HasItem)
Indent(Out, --Space, IsDot) << ']'; // End of "location_context". Indent(Out, --Space, IsDot) << ']'; // End of "location_context".
else { else {
Out << "null "; Out << "null ";
} }
} }
static void printIndicesOfElementsToConstructJson( static void printIndicesOfElementsToConstructJson(
raw_ostream &Out, ProgramStateRef State, const char *NL, raw_ostream &Out, ProgramStateRef State, const char *NL,
const LocationContext *LCtx, const ASTContext &Context, const LocationContext *LCtx, unsigned int Space = 0, bool IsDot = false) {
unsigned int Space = 0, bool IsDot = false) {
using KeyT = std::pair<const Expr *, const LocationContext *>; using KeyT = std::pair<const Expr *, const LocationContext *>;
PrintingPolicy PP = const auto &Context = LCtx->getAnalysisDeclContext()->getASTContext();
LCtx->getAnalysisDeclContext()->getASTContext().getPrintingPolicy(); PrintingPolicy PP = Context.getPrintingPolicy();
++Space; ++Space;
bool HasItem = false; bool HasItem = false;
// Store the last key. // Store the last key.
KeyT LastKey; KeyT LastKey;
for (const auto &I : State->get<IndexOfElementToConstruct>()) { for (const auto &I : State->get<IndexOfElementToConstruct>()) {
const KeyT &Key = I.first; const KeyT &Key = I.first;
if (Key.second != LCtx) if (Key.second != LCtx)
continue; continue;
if (!HasItem) { if (!HasItem) {
Out << "[" << NL; Out << '[' << NL;
HasItem = true; HasItem = true;
} }
LastKey = Key; LastKey = Key;
} }
for (const auto &I : State->get<IndexOfElementToConstruct>()) { for (const auto &I : State->get<IndexOfElementToConstruct>()) {
const KeyT &Key = I.first; const KeyT &Key = I.first;
unsigned Value = I.second; unsigned Value = I.second;
if (Key.second != LCtx) if (Key.second != LCtx)
continue; continue;
Indent(Out, Space, IsDot) << "{ "; Indent(Out, Space, IsDot) << "{ ";
// Expr // Expr
const Expr *E = Key.first; const Expr *E = Key.first;
Out << "\"stmt_id\": " << E->getID(Context); Out << "\"stmt_id\": " << E->getID(Context);
// Kind - hack to display the current index // Kind
Out << ", \"kind\": \"Cur: " << Value - 1 << "\""; Out << ", \"kind\": null";
// Pretty-print // Pretty-print
Out << ", \"pretty\": "; Out << ", \"pretty\": ";
Out << "\"" << E->getStmtClassName() << " " Out << "\"" << E->getStmtClassName() << ' '
<< E->getSourceRange().printToString(Context.getSourceManager()) << " '" << E->getSourceRange().printToString(Context.getSourceManager()) << " '"
<< QualType::getAsString(E->getType().split(), PP); << QualType::getAsString(E->getType().split(), PP);
Out << "'\""; Out << "'\"";
Out << ", \"value\": \"Next: " << Value << "\" }"; Out << ", \"value\": \"Current index: " << Value - 1 << "\" }";
if (Key != LastKey) if (Key != LastKey)
Out << ','; Out << ',';
xazax.hunUnsubmitted
Done
ReplyInline Actions

Nit: is there any reason to have a string literal here instead of a character literal?

xazax.hun: Nit: is there any reason to have a string literal here instead of a character literal?
isuckatcsAuthorUnsubmitted
Done
ReplyInline Actions

I though the code will look more uniform like this. Are there cons of using a string literal instead of a character literal here?

isuckatcs: I though the code will look more uniform like this. Are there cons of using a string literal…
xazax.hunUnsubmitted
Done
ReplyInline Actions

Piping a character is more efficient. A string literal decays to a pointer that needs to be dereferenced and we also need to store the closing null character. Passing a literal will save us storing the closing null and the dereference. Although we are on a path where we do IO, so micro-optimizations like this make little difference (if anything at all). So, I'm also fine with the uniformity argument.

xazax.hun: Piping a character is more efficient. A string literal decays to a pointer that needs to be…
Out << NL; Out << NL;
} }
if (HasItem) if (HasItem)
Indent(Out, --Space, IsDot) << ']'; // End of "location_context". Indent(Out, --Space, IsDot) << ']'; // End of "location_context".
xazax.hunUnsubmitted
Done
ReplyInline Actions

Same as above.

xazax.hun: Same as above.
else { else {
Out << "null "; Out << "null ";
} }
} }
void ExprEngine::printJson(raw_ostream &Out, ProgramStateRef State, static void printPendingInitLoopJson(raw_ostream &Out, ProgramStateRef State,
const LocationContext *LCtx, const char *NL, const char *NL,
unsigned int Space, bool IsDot) const { const LocationContext *LCtx,
Indent(Out, Space, IsDot) << "\"constructing_objects\": "; unsigned int Space = 0,
bool IsDot = false) {
using KeyT = std::pair<const CXXConstructExpr *, const LocationContext *>;
const auto &Context = LCtx->getAnalysisDeclContext()->getASTContext();
PrintingPolicy PP = Context.getPrintingPolicy();
if (LCtx && !State->get<ObjectsUnderConstruction>().isEmpty()) {
++Space; ++Space;
bool HasItem = false;
// Store the last key.
KeyT LastKey;
for (const auto &I : State->get<PendingInitLoop>()) {
const KeyT &Key = I.first;
if (Key.second != LCtx)
continue;
if (!HasItem) {
Out << '[' << NL; Out << '[' << NL;
xazax.hunUnsubmitted
Done
ReplyInline Actions

Same as above, and for a few other locations below.

xazax.hun: Same as above, and for a few other locations below.
LCtx->printJson(Out, NL, Space, IsDot, [&](const LocationContext *LC) { HasItem = true;
printObjectsUnderConstructionJson(Out, State, NL, LC, Space, IsDot); }
});
--Space; LastKey = Key;
Indent(Out, Space, IsDot) << "]," << NL; // End of "constructing_objects".
} else {
Out << "null," << NL;
} }
Indent(Out, Space, IsDot) << "\"index_of_element\": "; for (const auto &I : State->get<PendingInitLoop>()) {
if (LCtx && !State->get<IndexOfElementToConstruct>().isEmpty()) { const KeyT &Key = I.first;
unsigned Value = I.second;
if (Key.second != LCtx)
continue;
Indent(Out, Space, IsDot) << "{ ";
const CXXConstructExpr *E = Key.first;
Out << "\"stmt_id\": " << E->getID(Context);
Out << ", \"kind\": null";
Out << ", \"pretty\": ";
Out << '\"' << E->getStmtClassName() << ' '
<< E->getSourceRange().printToString(Context.getSourceManager()) << " '"
<< QualType::getAsString(E->getType().split(), PP);
Out << "'\"";
Out << ", \"value\": \"Flattened size: " << Value << "\"}";
if (Key != LastKey)
Out << ',';
Out << NL;
}
if (HasItem)
Indent(Out, --Space, IsDot) << ']'; // End of "location_context".
else {
Out << "null ";
}
}
static void
printPendingArrayDestructionsJson(raw_ostream &Out, ProgramStateRef State,
const char *NL, const LocationContext *LCtx,
unsigned int Space = 0, bool IsDot = false) {
using KeyT = const LocationContext *;
++Space; ++Space;
bool HasItem = false;
// Store the last key.
KeyT LastKey = nullptr;
for (const auto &I : State->get<PendingArrayDestruction>()) {
const KeyT &Key = I.first;
if (Key != LCtx)
continue;
auto &Context = getContext(); if (!HasItem) {
Out << '[' << NL;
HasItem = true;
}
LastKey = Key;
}
for (const auto &I : State->get<PendingArrayDestruction>()) {
const KeyT &Key = I.first;
if (Key != LCtx)
continue;
Indent(Out, Space, IsDot) << "{ ";
Out << "\"stmt_id\": null";
Out << ", \"kind\": null";
Out << ", \"pretty\": \"Current index: \"";
Out << ", \"value\": \"" << I.second << "\" }";
if (Key != LastKey)
Out << ',';
Out << NL;
}
if (HasItem)
Indent(Out, --Space, IsDot) << ']'; // End of "location_context".
else {
Out << "null ";
}
}
/// A helper function to generalize program state trait printing.
/// The function invokes Printer as 'Printer(Out, State, NL, LC, Space, IsDot,
/// std::forward<Args>(args)...)'. \n One possible type for Printer is
/// 'void()(raw_ostream &, ProgramStateRef, const char *, const LocationContext
/// *, unsigned int, bool, ...)' \n \param Trait The state trait to be printed.
/// \param Printer A void function that prints Trait.
/// \param Args An additional parameter pack that is passed to Print upon
/// invocation.
template <typename Trait, typename Printer, typename... Args>
static void printStateTraitWithLocationContextJson(
raw_ostream &Out, ProgramStateRef State, const LocationContext *LCtx,
const char *NL, unsigned int Space, bool IsDot,
const char *jsonPropertyName, Printer printer, Args &&...args) {
using RequiredType =
void (*)(raw_ostream &, ProgramStateRef, const char *,
const LocationContext *, unsigned int, bool, Args &&...);
// Try to do as much compile time checking as possible.
// FIXME: check for invocable instead of function?
static_assert(std::is_function<std::remove_pointer_t<Printer>>::value,
"Printer is not a function!");
static_assert(std::is_convertible<Printer, RequiredType>::value,
"Printer doesn't have the required type!");
if (LCtx && !State->get<Trait>().isEmpty()) {
Indent(Out, Space, IsDot) << '\"' << jsonPropertyName << "\": ";
++Space;
Out << '[' << NL; Out << '[' << NL;
LCtx->printJson(Out, NL, Space, IsDot, [&](const LocationContext *LC) { LCtx->printJson(Out, NL, Space, IsDot, [&](const LocationContext *LC) {
printIndicesOfElementsToConstructJson(Out, State, NL, LC, Context, Space, printer(Out, State, NL, LC, Space, IsDot, std::forward<Args>(args)...);
IsDot);
}); });
--Space; --Space;
Indent(Out, Space, IsDot) << "]," << NL; // End of "index_of_element". Indent(Out, Space, IsDot) << "]," << NL; // End of "jsonPropertyName".
} else {
Out << "null," << NL;
} }
}
void ExprEngine::printJson(raw_ostream &Out, ProgramStateRef State,
const LocationContext *LCtx, const char *NL,
unsigned int Space, bool IsDot) const {
printStateTraitWithLocationContextJson<ObjectsUnderConstruction>(
Out, State, LCtx, NL, Space, IsDot, "constructing_objects",
printObjectsUnderConstructionJson);
printStateTraitWithLocationContextJson<IndexOfElementToConstruct>(
Out, State, LCtx, NL, Space, IsDot, "index_of_element",
printIndicesOfElementsToConstructJson);
printStateTraitWithLocationContextJson<PendingInitLoop>(
Out, State, LCtx, NL, Space, IsDot, "pending_init_loops",
printPendingInitLoopJson);
printStateTraitWithLocationContextJson<PendingArrayDestruction>(
Out, State, LCtx, NL, Space, IsDot, "pending_destructors",
printPendingArrayDestructionsJson);
getCheckerManager().runCheckersForPrintStateJson(Out, State, NL, Space, getCheckerManager().runCheckersForPrintStateJson(Out, State, NL, Space,
IsDot); IsDot);
} }
void ExprEngine::processEndWorklist() { void ExprEngine::processEndWorklist() {
// This prints the name of the top-level function if we crash. // This prints the name of the top-level function if we crash.
PrettyStackTraceLocationContext CrashInfo(getRootLocationContext()); PrettyStackTraceLocationContext CrashInfo(getRootLocationContext());
▲ Show 20 LinesShow All 2,879 Lines▼ Show 20 Lines static std::string getNodeLabel(const ExplodedNode *N, ExplodedGraph *G){
// Dump program point for all the previously skipped nodes. // Dump program point for all the previously skipped nodes.
traverseHiddenNodes( traverseHiddenNodes(
N, N,
[&](const ExplodedNode *OtherNode) { [&](const ExplodedNode *OtherNode) {
Indent(Out, Space + 1, IsDot) << "{ "; Indent(Out, Space + 1, IsDot) << "{ ";
OtherNode->getLocation().printJson(Out, /*NL=*/"\\l"); OtherNode->getLocation().printJson(Out, /*NL=*/"\\l");
Out << ", \"tag\": "; Out << ", \"tag\": ";
if (const ProgramPointTag *Tag = OtherNode->getLocation().getTag()) if (const ProgramPointTag *Tag = OtherNode->getLocation().getTag())
Out << '\"' << Tag->getTagDescription() << "\""; Out << '\"' << Tag->getTagDescription() << '\"';
else else
Out << "null"; Out << "null";
Out << ", \"node_id\": " << OtherNode->getID() << Out << ", \"node_id\": " << OtherNode->getID() <<
", \"is_sink\": " << OtherNode->isSink() << ", \"is_sink\": " << OtherNode->isSink() <<
", \"has_report\": " << nodeHasBugReport(OtherNode) << " }"; ", \"has_report\": " << nodeHasBugReport(OtherNode) << " }";
}, },
// Adds a comma and a new-line between each program point. // Adds a comma and a new-line between each program point.
[&](const ExplodedNode *) { Out << ",\\l"; }, [&](const ExplodedNode *) { Out << ",\\l"; },
▲ Show 20 LinesShow All 67 LinesShow Last 20 Lines

clang/test/Analysis/exploded-graph-rewriter/checker_messages.dot

Show All 16 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"environment": null, "environment": null,
"checker_messages": [ "checker_messages": [
{ "checker": "alpha.core.FooChecker", "messages": [ { "checker": "alpha.core.FooChecker", "messages": [
"Foo stuff:", "Foo stuff:",
"Foo: Bar" "Foo: Bar"
]} ]}
] ]
} }
} }
\l}"]; \l}"];

clang/test/Analysis/exploded-graph-rewriter/checker_messages_diff.dot

Show All 9 Lines "{
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"environment": null, "environment": null,
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": [ "checker_messages": [
{ "checker": "FooChecker", "messages": [ { "checker": "FooChecker", "messages": [
"Foo: Bar" "Foo: Bar"
]}, ]},
{ "checker": "BarChecker", "messages": [ { "checker": "BarChecker", "messages": [
"Bar: Foo" "Bar: Foo"
]} ]}
] ]
Show All 37 Lines "{
{ {
"kind": "BlockEntrance", "block_id": 1, "kind": "BlockEntrance", "block_id": 1,
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"environment": null, "environment": null,
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": [ "checker_messages": [
NoQUnsubmitted
Done
ReplyInline Actions

It may also make sense to drop the : null traits entirely and have the python script treat it as the default value, this may win like 10% performance at this point. Not necessarily worth it given that the primary bottleneck is still the viewer.

NoQ: It may also make sense to drop the `: null` traits entirely and have the python script treat it…
{ "checker": "FooChecker", "messages": [ { "checker": "FooChecker", "messages": [
"Foo: Bar", "Foo: Bar",
"Bar: Foo" "Bar: Foo"
]}, ]},
{ "checker": "DunnoWhateverSomeOtherChecker", "messages": [ { "checker": "DunnoWhateverSomeOtherChecker", "messages": [
"Dunno, some other message." "Dunno, some other message."
]} ]}
] ]
Show All 20 Lines

clang/test/Analysis/exploded-graph-rewriter/constraints.dot

Show All 16 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"environment": null, "environment": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"constraints": [ "constraints": [
{ "symbol": "reg_$0<x>", "range": "{ [0, 0] }" } { "symbol": "reg_$0<x>", "range": "{ [0, 0] }" }
] ]
} }
} }
\l}"]; \l}"];

clang/test/Analysis/exploded-graph-rewriter/constraints_diff.dot

Show All 9 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"environment": null, "environment": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"constraints": [ "constraints": [
{ "symbol": "reg_$0<x>", "range": "{ [0, 10] }" } { "symbol": "reg_$0<x>", "range": "{ [0, 10] }" }
] ]
} }
} }
\l}"]; \l}"];
Show All 20 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"environment": null, "environment": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"constraints": [ "constraints": [
{ "symbol": "reg_$0<x>", "range": "{ [0, 5] }" } { "symbol": "reg_$0<x>", "range": "{ [0, 5] }" }
] ]
} }
} }
\l}"]; \l}"];
Show All 10 Lines "{
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"environment": null, "environment": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null "checker_messages": null
} }
} }
\l}"]; \l}"];

clang/test/Analysis/exploded-graph-rewriter/environment.dot

Show All 38 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"environment": { "environment": {
"pointer": "0x2", "pointer": "0x2",
"items": [ "items": [
{ {
"location_context": "#0 Call", "location_context": "#0 Call",
"lctx_id": 3, "lctx_id": 3,
"calling": "foo", "calling": "foo",
Show All 23 Lines

clang/test/Analysis/exploded-graph-rewriter/environment_diff.dot

Show All 10 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"environment": { "environment": {
"pointer": "0x2", "pointer": "0x2",
"items": [ "items": [
{ {
"location_context": "#0 Call", "location_context": "#0 Call",
"lctx_id": 3, "lctx_id": 3,
"calling": "foo", "calling": "foo",
Show All 37 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"environment": { "environment": {
"pointer": "0x2", "pointer": "0x2",
"items": [ "items": [
{ {
"location_context": "#0 Call", "location_context": "#0 Call",
"lctx_id": 3, "lctx_id": 3,
"calling": "foo", "calling": "foo",
Show All 31 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"store": null, "store": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"environment": { "environment": {
"pointer": "0x2", "pointer": "0x2",
"items": [ "items": [
{ {
"location_context": "#0 Call", "location_context": "#0 Call",
"lctx_id": 3, "lctx_id": 3,
"calling": "foo", "calling": "foo",
Show All 14 Lines

clang/test/Analysis/exploded-graph-rewriter/program_state_traits.dot

  • This file was added.
// RUN: %exploded_graph_rewriter %s | FileCheck %s
// CHECK: <b>Objects Under Construction: </b>
// CHECK-SAME:<table border="0">
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><b>#0 Call</b></td>
// CHECK-SAME: <td align="left" colspan="2">
// CHECK-SAME: <font color="gray60">main </font>
// CHECK-SAME: </td>
// CHECK-SAME: </tr>
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><i>S870</i></td>
// CHECK-SAME: <td align="left">
// CHECK-SAME: <font color="darkgreen">
// CHECK-SAME: <i>(construct into local variable)</i>
// CHECK-SAME: </font>
// CHECK-SAME: </td>
// CHECK-SAME: <td align="left">S s;</td>
// CHECK-SAME: <td align="left">&amp;s</td>
// CHECK-SAME: </tr>
// CHECK-SAME:</table>
Node0x1 [shape=record,label=
"{
{
"state_id": 2,
"program_points": [
{
"kind": "BlockEntrance", "block_id": 1,
"terminator": null, "term_kind": null,
"tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0
}
],
"program_state": {
"store": null,
"environment": null,
"constraints": null,
"equivalence_classes": null,
"disequality_info": null,
"dynamic_types": null,
"dynamic_casts": null,
"constructing_objects": [
{
"lctx_id": 1, "location_context": "#0 Call", "calling": "main", "location": null, "items": [
{ "stmt_id": 870, "kind": "construct into local variable", "argument_index": null, "pretty": "S s;", "value": "&s" }
]
}
],
"checker_messages": null
}
}
\l}"];
// CHECK: <b>Indices Of Elements Under Construction: </b>
// CHECK-SAME:<table border="0">
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><b>#0 Call</b></td>
// CHECK-SAME: <td align="left" colspan="2">
// CHECK-SAME: <font color="gray60">main </font>
// CHECK-SAME: </td>
// CHECK-SAME: </tr>
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><i>S895</i></td>
// CHECK-SAME: <td align="left">
// CHECK-SAME: <font color="darkgreen"><i> </i></font>
// CHECK-SAME: </td>
// CHECK-SAME: <td align="left">
// CHECK-SAME: CXXConstructExpr <test.cpp:8:7> 'S[2]'
// CHECK-SAME: </td>
// CHECK-SAME: <td align="left">Current index: 0</td>
// CHECK-SAME: </tr>
// CHECK-SAME:</table>
Node0x2 [shape=record,label=
"{
{
"state_id": 2,
"program_points": [
{
"kind": "BlockEntrance", "block_id": 1,
"terminator": null, "term_kind": null,
"tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0
}
],
"program_state": {
"store": null,
"environment": null,
"constraints": null,
"equivalence_classes": null,
"disequality_info": null,
"dynamic_types": null,
"dynamic_casts": null,
"index_of_element": [
{
"lctx_id": 1,
"location_context": "#0 Call",
"calling": "main",
"location": null,
"items": [
{
"stmt_id": 895,
"kind": null,
"pretty": "CXXConstructExpr <test.cpp:8:7> 'S[2]'",
"value": "Current index: 0"
}
]
}
],
"checker_messages": null
}
}
\l}"];
// CHECK: <b>Pending Array Init Loop Expressions: </b>
// CHECK-SAME:<table border="0">
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><b>#0 Call</b></td>
// CHECK-SAME: <td align="left" colspan="2">
// CHECK-SAME: <font color="gray60">main </font>
// CHECK-SAME: </td>
// CHECK-SAME: </tr>
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><i>S1112</i></td>
// CHECK-SAME: <td align="left">
// CHECK-SAME: <font color="darkgreen"><i> </i></font>
// CHECK-SAME: </td>
// CHECK-SAME: <td align="left">
// CHECK-SAME: CXXConstructExpr <test.cpp:10:6> 'S'
// CHECK-SAME: </td>
// CHECK-SAME: <td align="left">Flattened size: 2</td>
// CHECK-SAME: </tr>
// CHECK-SAME:</table>
Node0x3 [shape=record,label=
"{
{
"state_id": 2,
"program_points": [
{
"kind": "BlockEntrance", "block_id": 1,
"terminator": null, "term_kind": null,
"tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0
}
],
"program_state": {
"store": null,
"environment": null,
"constraints": null,
"equivalence_classes": null,
"disequality_info": null,
"dynamic_types": null,
"dynamic_casts": null,
"pending_init_loops": [
{
"lctx_id": 1,
"location_context": "#0 Call",
"calling": "main",
"location": null,
"items": [
{
"stmt_id": 1112,
"kind": null,
"pretty": "CXXConstructExpr <test.cpp:10:6> 'S'", "value": "Flattened size: 2"
}
]
}
],
"checker_messages": null
}
}
\l}"];
// CHECK: <b>Indices of Elements Under Destruction: </b>
// CHECK-SAME:<table border="0">
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><b>#0 Call</b></td>
// CHECK-SAME: <td align="left" colspan="2">
// CHECK-SAME: <font color="gray60">main </font>
// CHECK-SAME: </td>
// CHECK-SAME: </tr>
// CHECK-SAME: <tr>
// CHECK-SAME: <td></td>
// CHECK-SAME: <td align="left"><i>SNone</i></td>
// CHECK-SAME: <td align="left">
// CHECK-SAME: <font color="darkgreen"><i> </i></font>
// CHECK-SAME: </td>
// CHECK-SAME: <td align="left">Current index: </td>
// CHECK-SAME: <td align="left">1</td>
// CHECK-SAME: </tr>
// CHECK-SAME:</table>
Node0x4 [shape=record,label=
"{
{
"state_id": 2,
"program_points": [
{
"kind": "BlockEntrance", "block_id": 1,
"terminator": null, "term_kind": null,
"tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0
}
],
"program_state": {
"store": null,
"environment": null,
"constraints": null,
"equivalence_classes": null,
"disequality_info": null,
"dynamic_types": null,
"dynamic_casts": null,
"pending_destructors": [
{
"lctx_id": 1,
"location_context": "#0 Call",
"calling": "main",
"location": null,
"items": [
{
"stmt_id": null,
"kind": null,
"pretty": "Current index: ",
"value": "1"
}
]
}
],
"checker_messages": null
}
}
\l}"];

clang/test/Analysis/exploded-graph-rewriter/store.dot

Show All 26 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"environment": null, "environment": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"store": { "store": {
"pointer": "0x2", "pointer": "0x2",
"items": [ "items": [
{ {
"cluster": "x", "cluster": "x",
"pointer": "0x3", "pointer": "0x3",
"items": [ "items": [
Show All 12 Lines

clang/test/Analysis/exploded-graph-rewriter/store_diff.dot

Show All 12 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"environment": null, "environment": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"store": { "store": {
"pointer": "0x2", "pointer": "0x2",
"items": [ "items": [
{ {
"cluster": "x", "cluster": "x",
"pointer": "0x3", "pointer": "0x3",
"items": [ "items": [
Show All 36 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"environment": null, "environment": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": null, "checker_messages": null,
"store": { "store": {
"pointer": "0x5", "pointer": "0x5",
"items": [ "items": [
{ {
"cluster": "x", "cluster": "x",
"pointer": "0x3", "pointer": "0x3",
"items": [ "items": [
Show All 30 Lines

clang/test/Analysis/exploded-graph-rewriter/topology.dot

Show All 16 Lines "{
"terminator": null, "term_kind": null, "terminator": null, "term_kind": null,
"tag": null, "node_id": 1, "tag": null, "node_id": 1,
"has_report": 0, "is_sink": 0 "has_report": 0, "is_sink": 0
} }
], ],
"program_state": { "program_state": {
"environment": null, "environment": null,
"constraints": null, "constraints": null,
"dynamic_types": null, "dynamic_types": null,
"constructing_objects": null,
"index_of_element": null,
"checker_messages": [ "checker_messages": [
{ "checker": "foo", "messages": ["bar"] } { "checker": "foo", "messages": ["bar"] }
], ],
"store": null "store": null
} }
} }
\l}"]; \l}"];

clang/test/Analysis/expr-inspection.c

Show All 40 Lines
// CHECK-NEXT: ]}, // CHECK-NEXT: ]},
// CHECK-NEXT: "constraints": [ // CHECK-NEXT: "constraints": [
// CHECK-NEXT: { "symbol": "reg_$0<int x>", "range": "{ [-2147483648, 13] }" } // CHECK-NEXT: { "symbol": "reg_$0<int x>", "range": "{ [-2147483648, 13] }" }
// CHECK-NEXT: ], // CHECK-NEXT: ],
// CHECK-NEXT: "equivalence_classes": null, // CHECK-NEXT: "equivalence_classes": null,
// CHECK-NEXT: "disequality_info": null, // CHECK-NEXT: "disequality_info": null,
// CHECK-NEXT: "dynamic_types": null, // CHECK-NEXT: "dynamic_types": null,
// CHECK-NEXT: "dynamic_casts": null, // CHECK-NEXT: "dynamic_casts": null,
// CHECK-NEXT: "constructing_objects": null,
// CHECK-NEXT: "index_of_element": null,
// CHECK-NEXT: "checker_messages": null // CHECK-NEXT: "checker_messages": null
// CHECK-NEXT: } // CHECK-NEXT: }
struct S { struct S {
int x, y; int x, y;
}; };
void test_field_dumps(struct S s, struct S *p) { void test_field_dumps(struct S s, struct S *p) {
clang_analyzer_dump_pointer(&s.x); // expected-warning{{&s.x}} clang_analyzer_dump_pointer(&s.x); // expected-warning{{&s.x}}
clang_analyzer_dump_pointer(&p->x); // expected-warning{{&SymRegion{reg_$1<struct S * p>}.x}} clang_analyzer_dump_pointer(&p->x); // expected-warning{{&SymRegion{reg_$1<struct S * p>}.x}}
clang_analyzer_dumpSvalType_pointer(&s.x); // expected-warning {{int *}} clang_analyzer_dumpSvalType_pointer(&s.x); // expected-warning {{int *}}
} }

clang/utils/analyzer/exploded-graph-rewriter.py

Show First 20 LinesShow All 255 Lines▼ Show 20 Lines def is_different(self, prev):
removed, added, updated = self.diff_messages(prev) removed, added, updated = self.diff_messages(prev)
return len(removed) != 0 or len(added) != 0 or len(updated) != 0 return len(removed) != 0 or len(added) != 0 or len(updated) != 0
# A deserialized program state. # A deserialized program state.
class ProgramState: class ProgramState:
def __init__(self, state_id, json_ps): def __init__(self, state_id, json_ps):
logging.debug('Adding ProgramState ' + str(state_id)) logging.debug('Adding ProgramState ' + str(state_id))
store_key = 'store'
env_key = 'environment'
constraints_key = 'constraints'
dyn_ty_key = 'dynamic_types'
ctor_key = 'constructing_objects'
ind_key = 'index_of_element'
init_loop_key = 'pending_init_loops'
dtor_key = 'pending_destructors'
msg_key = 'checker_messages'
if json_ps is None: if json_ps is None:
json_ps = { json_ps = {
'store': None, store_key: None,
'environment': None, env_key: None,
'constraints': None, constraints_key: None,
'dynamic_types': None, dyn_ty_key: None,
'constructing_objects': None, ctor_key: None,
'index_of_element': None, ind_key: None,
'checker_messages': None init_loop_key: None,
dtor_key: None,
msg_key: None
} }
self.state_id = state_id self.state_id = state_id
self.store = Store(json_ps['store']) \ self.store = Store(json_ps[store_key]) \
if json_ps['store'] is not None else None if json_ps[store_key] is not None else None
self.environment = \ self.environment = \
GenericEnvironment(json_ps['environment']['items']) \ GenericEnvironment(json_ps[env_key]['items']) \
if json_ps['environment'] is not None else None if json_ps[env_key] is not None else None
self.constraints = GenericMap([ self.constraints = GenericMap([
(c['symbol'], c['range']) for c in json_ps['constraints'] (c['symbol'], c['range']) for c in json_ps[constraints_key]
]) if json_ps['constraints'] is not None else None ]) if json_ps[constraints_key] is not None else None
self.dynamic_types = GenericMap([ self.dynamic_types = GenericMap([
(t['region'], '%s%s' % (t['dyn_type'], (t['region'], '%s%s' % (t['dyn_type'],
' (or a sub-class)' ' (or a sub-class)'
if t['sub_classable'] else '')) if t['sub_classable'] else ''))
for t in json_ps['dynamic_types']]) \ for t in json_ps[dyn_ty_key]]) \
if json_ps['dynamic_types'] is not None else None if json_ps[dyn_ty_key] is not None else None
self.checker_messages = CheckerMessages(json_ps[msg_key]) \
if json_ps[msg_key] is not None else None
# State traits
#
# For traits we always check if a key exists because if a trait
# has no imformation, nothing will be printed in the .dot file
# we parse.
self.constructing_objects = \ self.constructing_objects = \
GenericEnvironment(json_ps['constructing_objects']) \ GenericEnvironment(json_ps[ctor_key]) \
if json_ps['constructing_objects'] is not None else None if ctor_key in json_ps and json_ps[ctor_key] is not None else None
self.index_of_element = \ self.index_of_element = \
GenericEnvironment(json_ps['index_of_element']) \ GenericEnvironment(json_ps[ind_key]) \
if json_ps['index_of_element'] is not None else None if ind_key in json_ps and json_ps[ind_key] is not None else None
self.checker_messages = CheckerMessages(json_ps['checker_messages']) \ self.pending_init_loops = \
if json_ps['checker_messages'] is not None else None GenericEnvironment(json_ps[init_loop_key]) \
if init_loop_key in json_ps and json_ps[init_loop_key] is not None else None
self.pending_destructors = \
GenericEnvironment(json_ps[dtor_key]) \
if dtor_key in json_ps and json_ps[dtor_key] is not None else None
# A deserialized exploded graph node. Has a default constructor because it # A deserialized exploded graph node. Has a default constructor because it
# may be referenced as part of an edge before its contents are deserialized, # may be referenced as part of an edge before its contents are deserialized,
# and in this moment we already need a room for predecessors and successors. # and in this moment we already need a room for predecessors and successors.
class ExplodedNode: class ExplodedNode:
def __init__(self): def __init__(self):
self.predecessors = [] self.predecessors = []
▲ Show 20 LinesShow All 482 Lines▼ Show 20 Lines def visit_state(self, s, prev_s):
self.visit_generic_map_in_state('dynamic_types', 'Dynamic Types', self.visit_generic_map_in_state('dynamic_types', 'Dynamic Types',
s, prev_s) s, prev_s)
self.visit_environment_in_state('constructing_objects', self.visit_environment_in_state('constructing_objects',
'Objects Under Construction', 'Objects Under Construction',
s, prev_s) s, prev_s)
self.visit_environment_in_state('index_of_element', self.visit_environment_in_state('index_of_element',
'Indices Of Elements Under Construction', 'Indices Of Elements Under Construction',
s, prev_s) s, prev_s)
self.visit_environment_in_state('pending_init_loops',
'Pending Array Init Loop Expressions',
s, prev_s)
self.visit_environment_in_state('pending_destructors',
'Indices of Elements Under Destruction',
s, prev_s)
self.visit_checker_messages_in_state(s, prev_s) self.visit_checker_messages_in_state(s, prev_s)
def visit_node(self, node): def visit_node(self, node):
self._dump('%s [shape=record,' self._dump('%s [shape=record,'
% (node.node_name())) % (node.node_name()))
if self._dark_mode: if self._dark_mode:
self._dump('color="white",fontcolor="gray80",') self._dump('color="white",fontcolor="gray80",')
self._dump('label=<<table border="0">') self._dump('label=<<table border="0">')
▲ Show 20 LinesShow All 239 LinesShow Last 20 Lines