This is an archive of the discontinued LLVM Phabricator instance.

[dataflow] improve determinism of generated SAT system
ClosedPublic

Authored by sammccall on Jul 11 2023, 4:02 AM.

Download Raw Diff

Details

Reviewers

ymandel
xazax.hun
NoQ
gribozavr2

Commits

rG7d935d083659: [dataflow] improve determinism of generated SAT system

Summary

Fixes two places where we relied on map iteration order when processing
values, which leaked nondeterminism into the generated SAT formulas.
Adds a couple of tests that directly assert that the SAT system is
equivalent on each run.

It's desirable that the formulas are deterministic based on the input:

our SAT solver is naive and perfermance is sensitive to even simple semantics-preserving transformations like A|B to B|A. (e.g. it's likely to choose a different variable to split on). Timeout failures are bad, but *flaky* ones are terrible to debug.
similarly when debugging, it's important to have a consistent understanding of what e.g. "V23" means across runs.

Both changes in this patch were isolated from a nullability analysis of
real-world code which was extremely slow, spending ages in the SAT
solver at "random" points that varied on each run.
I've included a reduced version of the code as a regression test.

One of the changes shows up directly as flow-condition nondeterminism
with a no-op analysis, the other relied on bits of the nullability
analysis but I found a synthetic example to show the problem.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

sammccall created this revision.Jul 11 2023, 4:02 AM

Herald added a reviewer: NoQ. · View Herald TranscriptJul 11 2023, 4:02 AM

Herald added a project: Restricted Project. · View Herald Transcript

Herald added subscribers: ChuanqiXu, martong, mgrang. · View Herald Transcript

sammccall requested review of this revision.Jul 11 2023, 4:02 AM

Herald added a project: Restricted Project. · View Herald TranscriptJul 11 2023, 4:02 AM

Herald added a subscriber: cfe-commits. · View Herald Transcript

gribozavr2 accepted this revision.Jul 11 2023, 4:39 AM

gribozavr2 added a subscriber: gribozavr2.

gribozavr2 added inline comments.

clang/unittests/Analysis/FlowSensitive/DeterminismTest.cpp
63

This revision is now accepted and ready to land.Jul 11 2023, 4:39 AM

Thank you, Sam!

Harbormaster completed remote builds in B244411: Diff 539012.Jul 11 2023, 6:25 AM

xazax.hun accepted this revision.Jul 11 2023, 7:23 AM

This revision was landed with ongoing or failed builds.Jul 11 2023, 11:09 PM

Closed by commit rG7d935d083659: [dataflow] improve determinism of generated SAT system (authored by sammccall). · Explain Why

This revision was automatically updated to reflect the committed changes.

sammccall added a commit: rG7d935d083659: [dataflow] improve determinism of generated SAT system.

Revision Contents

Path

Size

clang/

include/

clang/

Analysis/

FlowSensitive/

DataflowEnvironment.h

6 lines

lib/

Analysis/

FlowSensitive/

DataflowEnvironment.cpp

3 lines

TypeErasedDataflowAnalysis.cpp

5 lines

unittests/

Analysis/

FlowSensitive/

CMakeLists.txt

1 line

DeterminismTest.cpp

137 lines

Diff 539393

clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h

Show All 22 Lines
#include "clang/Analysis/FlowSensitive/DataflowAnalysisContext.h"		#include "clang/Analysis/FlowSensitive/DataflowAnalysisContext.h"
#include "clang/Analysis/FlowSensitive/DataflowLattice.h"		#include "clang/Analysis/FlowSensitive/DataflowLattice.h"
#include "clang/Analysis/FlowSensitive/Formula.h"		#include "clang/Analysis/FlowSensitive/Formula.h"
#include "clang/Analysis/FlowSensitive/Logger.h"		#include "clang/Analysis/FlowSensitive/Logger.h"
#include "clang/Analysis/FlowSensitive/StorageLocation.h"		#include "clang/Analysis/FlowSensitive/StorageLocation.h"
#include "clang/Analysis/FlowSensitive/Value.h"		#include "clang/Analysis/FlowSensitive/Value.h"
#include "llvm/ADT/DenseMap.h"		#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DenseSet.h"		#include "llvm/ADT/DenseSet.h"
		#include "llvm/ADT/MapVector.h"
#include "llvm/Support/Compiler.h"		#include "llvm/Support/Compiler.h"
#include "llvm/Support/ErrorHandling.h"		#include "llvm/Support/ErrorHandling.h"
#include <memory>		#include <memory>
#include <type_traits>		#include <type_traits>
#include <utility>		#include <utility>

namespace clang {		namespace clang {
namespace dataflow {		namespace dataflow {
▲ Show 20 Lines • Show All 590 Lines • ▼ Show 20 Lines	private:
AggregateStorageLocation *ThisPointeeLoc = nullptr;		AggregateStorageLocation *ThisPointeeLoc = nullptr;

// Maps from program declarations and statements to storage locations that are		// Maps from program declarations and statements to storage locations that are
// assigned to them. Unlike the maps in `DataflowAnalysisContext`, these		// assigned to them. Unlike the maps in `DataflowAnalysisContext`, these
// include only storage locations that are in scope for a particular basic		// include only storage locations that are in scope for a particular basic
// block.		// block.
llvm::DenseMap<const ValueDecl , StorageLocation > DeclToLoc;		llvm::DenseMap<const ValueDecl , StorageLocation > DeclToLoc;
llvm::DenseMap<const Expr , StorageLocation > ExprToLoc;		llvm::DenseMap<const Expr , StorageLocation > ExprToLoc;
		// We preserve insertion order so that join/widen process values in
llvm::DenseMap<const StorageLocation , Value > LocToVal;		// deterministic sequence. This in turn produces deterministic SAT formulas.
		llvm::MapVector<const StorageLocation , Value > LocToVal;

// Maps locations of struct members to symbolic values of the structs that own		// Maps locations of struct members to symbolic values of the structs that own
// them and the decls of the struct members.		// them and the decls of the struct members.
llvm::DenseMap<const StorageLocation *,		llvm::DenseMap<const StorageLocation *,
std::pair<StructValue , const ValueDecl >>		std::pair<StructValue , const ValueDecl >>
MemberLocToStruct;		MemberLocToStruct;

Atom FlowConditionToken;		Atom FlowConditionToken;
Show All 23 Lines

clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp

Show All 14 Lines
#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"		#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"
#include "clang/AST/Decl.h"		#include "clang/AST/Decl.h"
#include "clang/AST/DeclCXX.h"		#include "clang/AST/DeclCXX.h"
#include "clang/AST/Type.h"		#include "clang/AST/Type.h"
#include "clang/Analysis/FlowSensitive/DataflowLattice.h"		#include "clang/Analysis/FlowSensitive/DataflowLattice.h"
#include "clang/Analysis/FlowSensitive/Value.h"		#include "clang/Analysis/FlowSensitive/Value.h"
#include "llvm/ADT/DenseMap.h"		#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/DenseSet.h"		#include "llvm/ADT/DenseSet.h"
		#include "llvm/ADT/MapVector.h"
#include "llvm/ADT/STLExtras.h"		#include "llvm/ADT/STLExtras.h"
#include "llvm/Support/Casting.h"		#include "llvm/Support/Casting.h"
#include "llvm/Support/ErrorHandling.h"		#include "llvm/Support/ErrorHandling.h"
#include <cassert>		#include <cassert>
#include <memory>		#include <memory>
#include <utility>		#include <utility>

namespace clang {		namespace clang {
▲ Show 20 Lines • Show All 469 Lines • ▼ Show 20 Lines	LatticeJoinEffect Environment::widen(const Environment &PrevEnv,
// `join` can cause the map size to increase (when we add fresh data in places		// `join` can cause the map size to increase (when we add fresh data in places
// of conflict). Once this issue with join is resolved, re-enable the		// of conflict). Once this issue with join is resolved, re-enable the
// assertion below or replace with something that captures the desired		// assertion below or replace with something that captures the desired
// invariant.		// invariant.
assert(DeclToLoc.size() <= PrevEnv.DeclToLoc.size());		assert(DeclToLoc.size() <= PrevEnv.DeclToLoc.size());
assert(ExprToLoc.size() <= PrevEnv.ExprToLoc.size());		assert(ExprToLoc.size() <= PrevEnv.ExprToLoc.size());
// assert(MemberLocToStruct.size() <= PrevEnv.MemberLocToStruct.size());		// assert(MemberLocToStruct.size() <= PrevEnv.MemberLocToStruct.size());

llvm::DenseMap<const StorageLocation , Value > WidenedLocToVal;		llvm::MapVector<const StorageLocation , Value > WidenedLocToVal;
for (auto &Entry : LocToVal) {		for (auto &Entry : LocToVal) {
const StorageLocation *Loc = Entry.first;		const StorageLocation *Loc = Entry.first;
assert(Loc != nullptr);		assert(Loc != nullptr);

Value *Val = Entry.second;		Value *Val = Entry.second;
assert(Val != nullptr);		assert(Val != nullptr);

auto PrevIt = PrevEnv.LocToVal.find(Loc);		auto PrevIt = PrevEnv.LocToVal.find(Loc);
▲ Show 20 Lines • Show All 462 Lines • Show Last 20 Lines

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp

Show First 20 Lines • Show All 269 Lines • ▼ Show 20 Lines
///		///
/// Requirements:		/// Requirements:
///		///
/// All predecessors of `Block` except those with loop back edges must have		/// All predecessors of `Block` except those with loop back edges must have
/// already been transferred. States in `AC.BlockStates` that are set to		/// already been transferred. States in `AC.BlockStates` that are set to
/// `std::nullopt` represent basic blocks that are not evaluated yet.		/// `std::nullopt` represent basic blocks that are not evaluated yet.
static TypeErasedDataflowAnalysisState		static TypeErasedDataflowAnalysisState
computeBlockInputState(const CFGBlock &Block, AnalysisContext &AC) {		computeBlockInputState(const CFGBlock &Block, AnalysisContext &AC) {
llvm::DenseSet<const CFGBlock *> Preds;		std::vector<const CFGBlock *> Preds(Block.pred_begin(), Block.pred_end());
Preds.insert(Block.pred_begin(), Block.pred_end());
if (Block.getTerminator().isTemporaryDtorsBranch()) {		if (Block.getTerminator().isTemporaryDtorsBranch()) {
// This handles a special case where the code that produced the CFG includes		// This handles a special case where the code that produced the CFG includes
// a conditional operator with a branch that constructs a temporary and		// a conditional operator with a branch that constructs a temporary and
// calls a destructor annotated as noreturn. The CFG models this as follows:		// calls a destructor annotated as noreturn. The CFG models this as follows:
//		//
// B1 (contains the condition of the conditional operator) - succs: B2, B3		// B1 (contains the condition of the conditional operator) - succs: B2, B3
// B2 (contains code that does not call a noreturn destructor) - succs: B4		// B2 (contains code that does not call a noreturn destructor) - succs: B4
// B3 (contains code that calls a noreturn destructor) - succs: B4		// B3 (contains code that calls a noreturn destructor) - succs: B4
Show All 12 Lines	if (Block.getTerminator().isTemporaryDtorsBranch()) {
// operator includes a branch that contains a noreturn destructor call.		// operator includes a branch that contains a noreturn destructor call.
//		//
// See `NoreturnDestructorTest` for concrete examples.		// See `NoreturnDestructorTest` for concrete examples.
if (Block.succ_begin()->getReachableBlock() != nullptr &&		if (Block.succ_begin()->getReachableBlock() != nullptr &&
Block.succ_begin()->getReachableBlock()->hasNoReturnElement()) {		Block.succ_begin()->getReachableBlock()->hasNoReturnElement()) {
auto &StmtToBlock = AC.CFCtx.getStmtToBlock();		auto &StmtToBlock = AC.CFCtx.getStmtToBlock();
auto StmtBlock = StmtToBlock.find(Block.getTerminatorStmt());		auto StmtBlock = StmtToBlock.find(Block.getTerminatorStmt());
assert(StmtBlock != StmtToBlock.end());		assert(StmtBlock != StmtToBlock.end());
Preds.erase(StmtBlock->getSecond());		llvm::erase_value(Preds, StmtBlock->getSecond());
}		}
}		}

JoinedStateBuilder Builder(AC);		JoinedStateBuilder Builder(AC);
for (const CFGBlock *Pred : Preds) {		for (const CFGBlock *Pred : Preds) {
// Skip if the `Block` is unreachable or control flow cannot get past it.		// Skip if the `Block` is unreachable or control flow cannot get past it.
if (!Pred \|\| Pred->hasNoReturnElement())		if (!Pred \|\| Pred->hasNoReturnElement())
continue;		continue;
▲ Show 20 Lines • Show All 274 Lines • Show Last 20 Lines

clang/unittests/Analysis/FlowSensitive/CMakeLists.txt

	set(LLVM_LINK_COMPONENTS			set(LLVM_LINK_COMPONENTS
	FrontendOpenMP			FrontendOpenMP
	Support			Support
	)			)

	add_clang_unittest(ClangAnalysisFlowSensitiveTests			add_clang_unittest(ClangAnalysisFlowSensitiveTests
	ArenaTest.cpp			ArenaTest.cpp
	CFGMatchSwitchTest.cpp			CFGMatchSwitchTest.cpp
	ChromiumCheckModelTest.cpp			ChromiumCheckModelTest.cpp
	DataflowAnalysisContextTest.cpp			DataflowAnalysisContextTest.cpp
	DataflowEnvironmentTest.cpp			DataflowEnvironmentTest.cpp
	DebugSupportTest.cpp			DebugSupportTest.cpp
				DeterminismTest.cpp
	LoggerTest.cpp			LoggerTest.cpp
	MapLatticeTest.cpp			MapLatticeTest.cpp
	MatchSwitchTest.cpp			MatchSwitchTest.cpp
	MultiVarConstantPropagationTest.cpp			MultiVarConstantPropagationTest.cpp
	RecordOpsTest.cpp			RecordOpsTest.cpp
	SignAnalysisTest.cpp			SignAnalysisTest.cpp
	SingleVarConstantPropagationTest.cpp			SingleVarConstantPropagationTest.cpp
	SolverTest.cpp			SolverTest.cpp
	Show All 29 Lines

clang/unittests/Analysis/FlowSensitive/DeterminismTest.cpp

This file was added.

//===- unittests/Analysis/FlowSensitive/DeterminismTest.cpp ---------------===//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//===----------------------------------------------------------------------===//

#include "TestingSupport.h"

#include "clang/AST/Decl.h"

#include "clang/Analysis/FlowSensitive/ControlFlowContext.h"

#include "clang/Analysis/FlowSensitive/DataflowAnalysis.h"

#include "clang/Analysis/FlowSensitive/DataflowAnalysisContext.h"

#include "clang/Analysis/FlowSensitive/DataflowEnvironment.h"

#include "clang/Analysis/FlowSensitive/Formula.h"

#include "clang/Analysis/FlowSensitive/NoopAnalysis.h"

#include "clang/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.h"

#include "clang/Analysis/FlowSensitive/WatchedLiteralsSolver.h"

#include "clang/Basic/LLVM.h"

#include "clang/Testing/TestAST.h"

#include "llvm/Support/Error.h"

#include "llvm/Support/raw_ostream.h"

#include "gtest/gtest.h"

#include <memory>

#include <string>

namespace clang::dataflow {

// Run a no-op analysis, and return a textual representation of the

// flow-condition at function exit.

std::string analyzeAndPrintExitCondition(llvm::StringRef Code) {

DataflowAnalysisContext DACtx(std::make_unique<WatchedLiteralsSolver>());

clang::TestAST AST(Code);

const auto *Target =

cast<FunctionDecl>(test::findValueDecl(AST.context(), "target"));

Environment InitEnv(DACtx, *Target);

auto CFCtx = cantFail(ControlFlowContext::build(*Target));

NoopAnalysis Analysis(AST.context(), DataflowAnalysisOptions{});

auto Result = runDataflowAnalysis(CFCtx, Analysis, InitEnv);

EXPECT_FALSE(!Result) << Result.takeError();

Atom FinalFC = (*Result)[CFCtx.getCFG().getExit().getBlockID()]

->Env.getFlowConditionToken();

std::string Textual;

llvm::raw_string_ostream OS(Textual);

DACtx.dumpFlowCondition(FinalFC, OS);

return Textual;

}

TEST(DeterminismTest, NestedSwitch) {

// Example extracted from real-world code that had wildly nondeterministic

// analysis times.

// Its flow condition depends on the order we join predecessor blocks.

const char *Code = R"cpp(

struct Tree;

struct Rep {

Tree *tree();

int length;

};

struct Tree {

int height();

gribozavr2Unsubmitted

Not Done

int length;

};

- struct Tree{

+ struct Tree {

int height();

gribozavr2:

Rep *edge(int);

int length;

};

struct RetVal {};

int getInt();

bool maybe();

RetVal make(int size);

inline RetVal target(int size, Tree& self) {

Tree* tree = &self;

const int height = self.height();

Tree* n1 = tree;

Tree* n2 = tree;

switch (height) {

case 3:

tree = tree->edge(0)->tree();

if (maybe()) return {};

n2 = tree;

case 2:

tree = tree->edge(0)->tree();

n1 = tree;

if (maybe()) return {};

case 1:

tree = tree->edge(0)->tree();

if (maybe()) return {};

case 0:

Rep* edge = tree->edge(0);

if (maybe()) return {};

int avail = getInt();

if (avail == 0) return {};

int delta = getInt();

RetVal span = {};

edge->length += delta;

switch (height) {

case 3:

n1->length += delta;

case 2:

n1->length += delta;

case 1:

n1->length += delta;

case 0:

n1->length += delta;

return span;

}

break;

}

return make(size);

}

)cpp";

std::string Cond = analyzeAndPrintExitCondition(Code);

for (unsigned I = 0; I < 10; ++I)

EXPECT_EQ(Cond, analyzeAndPrintExitCondition(Code));

}

TEST(DeterminismTest, ValueMergeOrder) {

// Artificial example whose final flow condition variable numbering depends

// on the order in which we merge a, b, and c.

const char *Code = R"cpp(

bool target(bool a, bool b, bool c) {

if (a)

b = c;

else

c = b;

return a && b && c;

}

)cpp";

std::string Cond = analyzeAndPrintExitCondition(Code);

for (unsigned I = 0; I < 10; ++I)

EXPECT_EQ(Cond, analyzeAndPrintExitCondition(Code));

}

} // namespace clang::dataflow

This is an archive of the discontinued LLVM Phabricator instance.

[dataflow] improve determinism of generated SAT systemClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 539393

clang/include/clang/Analysis/FlowSensitive/DataflowEnvironment.h

clang/lib/Analysis/FlowSensitive/DataflowEnvironment.cpp

clang/lib/Analysis/FlowSensitive/TypeErasedDataflowAnalysis.cpp

clang/unittests/Analysis/FlowSensitive/CMakeLists.txt

clang/unittests/Analysis/FlowSensitive/DeterminismTest.cpp

[dataflow] improve determinism of generated SAT system
ClosedPublic