This is an archive of the discontinued LLVM Phabricator instance.

Differential D31886

[analyzer] Simplify values in binary operations more aggressively
ClosedPublic

Authored by NoQ on Apr 10 2017, 8:08 AM.

Details

Reviewers
dcoughlin
a.sidorin
zaks.anna
xazax.hun
Commits
rG12294f8d2ecf: [analyzer] Simplify values in binary operations a bit more aggressively.
rC300178: [analyzer] Simplify values in binary operations a bit more aggressively.
rL300178: [analyzer] Simplify values in binary operations a bit more aggressively.
Summary

SValBuilder tries to constant-fold symbols in the left-hand side of the symbolic expression whenever it fails to evaluate the expression directly. However, it only constant-folds them when they are atomic expressions, not when they are complicated expressions themselves. This patch adds recursive constant-folding to the left-hand side expression (there's a lack of symmetry because we're trying to have symbols on the left and constants on the right). As an example, we'd now be able to handle operations similar to "$x + 1 < $y", when $x is constrained to a constant.

The constant-folding procedure, which i put into SValBuilder::simplifySVal(), is reusable, and i suspect that there are numerous places around SValBuilder, ConstraintManager, and our checkers, where it could be useful, but this patch tries to be relatively careful.

I'm still to see how it affects performance.

Diff Detail

Repository
rL LLVM

Event Timeline

NoQ created this revision.Apr 10 2017, 8:08 AM
xazax.hun edited edge metadata.Apr 10 2017, 11:30 AM

This is a very welcome addition. I hope the performance will be still good :)

lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
1023 ↗(On Diff #94670)

We do not expect to see IntSymExpr? Maybe it is worth to document why.

1024 ↗(On Diff #94670)

Maybe worth to have this as a member instead of query it every time?

1027 ↗(On Diff #94670)

Why are these ops special?

1033 ↗(On Diff #94670)

Maybe this can be hoisted?

danielmarjamaki added a subscriber: danielmarjamaki.Apr 12 2017, 4:12 AM
danielmarjamaki added inline comments.
lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp
49 ↗(On Diff #94670)

thier => their

NoQ updated this revision to Diff 94955.Apr 12 2017, 5:23 AM
NoQ marked 5 inline comments as done.

Thanks for the comments! Updated.

Performance didn't degrade in my test runs.

xazax.hun accepted this revision.Apr 12 2017, 6:45 AM

LGTM! Thank you for working on this!

This revision is now accepted and ready to land.Apr 12 2017, 6:45 AM
xazax.hun added a comment.Apr 12 2017, 6:48 AM

One last question: maybe we want to skip this kind of simplification in case of Z3?
Probably the constraint managers could have a flag like "wantsSimplifiedConstraints"?
Maybe somehow the checkers that are doing their own simplification could respect this flag as well somehow?

NoQ added a comment.Apr 12 2017, 9:04 AM
In D31886#724796, @xazax.hun wrote:

maybe we want to skip this kind of simplification in case of Z3?

Hmm, that depends on how would we want to use it eventually.

  • If Z3 acts all alone and fires only over actual bug reports, then yeah, it turns this simplification procedure into a dry-run no-op. However, the much bigger performance problem would be the increased path explosion from not removing infeasible paths early on.
  • If we try to filter out infeasible paths continuously, either by employing RangeConstraintManager as a filter, or by employing Z3 as a filter, then Z3 would anyway benefit from simpler symbolic expressions. In the worst case ("that's what Z3 would have done itself anyway), we'd, i guess, have little effect on quality *or* performance

Generally, i've a feeling that simplifying SVals is a safe thing to do.

Closed by commit rL300178: [analyzer] Simplify values in binary operations a bit more aggressively. (authored by dergachev). · Explain WhyApr 13 2017, 12:32 AM
This revision was automatically updated to reflect the committed changes.
dkrupp added a subscriber: dkrupp.May 3 2017, 9:01 AM
ddcc mentioned this in D28953: [analyzer] Eliminate analyzer limitations on symbolic constraint generation.May 17 2017, 10:10 PM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
PathSensitive/
5 lines
lib/
StaticAnalyzer/
Core/
87 lines
test/
Analysis/
9 lines

Diff 95084

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h

Show First 20 LinesShow All 106 Lines▼ Show 20 Linespublic:
/// location and non-location operands. For example, this would be used to /// location and non-location operands. For example, this would be used to
/// evaluate a pointer arithmetic operation. /// evaluate a pointer arithmetic operation.
virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, virtual SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op,
Loc lhs, NonLoc rhs, QualType resultTy) = 0; Loc lhs, NonLoc rhs, QualType resultTy) = 0;
/// Evaluates a given SVal. If the SVal has only one possible (integer) value, /// Evaluates a given SVal. If the SVal has only one possible (integer) value,
/// that value is returned. Otherwise, returns NULL. /// that value is returned. Otherwise, returns NULL.
virtual const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal val) = 0; virtual const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal val) = 0;
/// Simplify symbolic expressions within a given SVal. Return an SVal
/// that represents the same value, but is hopefully easier to work with
/// than the original SVal.
virtual SVal simplifySVal(ProgramStateRef State, SVal Val) = 0;
/// Constructs a symbolic expression for two non-location values. /// Constructs a symbolic expression for two non-location values.
SVal makeSymExprValNN(ProgramStateRef state, BinaryOperator::Opcode op, SVal makeSymExprValNN(ProgramStateRef state, BinaryOperator::Opcode op,
NonLoc lhs, NonLoc rhs, QualType resultTy); NonLoc lhs, NonLoc rhs, QualType resultTy);
SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op, SVal evalBinOp(ProgramStateRef state, BinaryOperator::Opcode op,
SVal lhs, SVal rhs, QualType type); SVal lhs, SVal rhs, QualType type);
DefinedOrUnknownSVal evalEQ(ProgramStateRef state, DefinedOrUnknownSVal lhs, DefinedOrUnknownSVal evalEQ(ProgramStateRef state, DefinedOrUnknownSVal lhs,
▲ Show 20 LinesShow All 227 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/SimpleSValBuilder.cpp

// SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*- // SimpleSValBuilder.cpp - A basic SValBuilder -----------------------*- C++ -*-
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file defines SimpleSValBuilder, a basic implementation of SValBuilder. // This file defines SimpleSValBuilder, a basic implementation of SValBuilder.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h" #include "clang/StaticAnalyzer/Core/PathSensitive/SValBuilder.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h" #include "clang/StaticAnalyzer/Core/PathSensitive/APSIntType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/SValVisitor.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
namespace { namespace {
class SimpleSValBuilder : public SValBuilder { class SimpleSValBuilder : public SValBuilder {
protected: protected:
SVal dispatchCast(SVal val, QualType castTy) override; SVal dispatchCast(SVal val, QualType castTy) override;
Show All 14 Lines SVal evalBinOpLL(ProgramStateRef state, BinaryOperator::Opcode op,
Loc lhs, Loc rhs, QualType resultTy) override; Loc lhs, Loc rhs, QualType resultTy) override;
SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op, SVal evalBinOpLN(ProgramStateRef state, BinaryOperator::Opcode op,
Loc lhs, NonLoc rhs, QualType resultTy) override; Loc lhs, NonLoc rhs, QualType resultTy) override;
/// getKnownValue - evaluates a given SVal. If the SVal has only one possible /// getKnownValue - evaluates a given SVal. If the SVal has only one possible
/// (integer) value, that value is returned. Otherwise, returns NULL. /// (integer) value, that value is returned. Otherwise, returns NULL.
const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V) override; const llvm::APSInt *getKnownValue(ProgramStateRef state, SVal V) override;
/// Recursively descends into symbolic expressions and replaces symbols
/// with their known values (in the sense of the getKnownValue() method).
SVal simplifySVal(ProgramStateRef State, SVal V) override;
SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op, SVal MakeSymIntVal(const SymExpr *LHS, BinaryOperator::Opcode op,
const llvm::APSInt &RHS, QualType resultTy); const llvm::APSInt &RHS, QualType resultTy);
}; };
} // end anonymous namespace } // end anonymous namespace
SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc, SValBuilder *ento::createSimpleSValBuilder(llvm::BumpPtrAllocator &alloc,
ASTContext &context, ASTContext &context,
ProgramStateManager &stateMgr) { ProgramStateManager &stateMgr) {
▲ Show 20 LinesShow All 477 Lines▼ Show 20 Lines case nonloc::SymbolValKind: {
// Otherwise, make a SymIntExpr out of the expression. // Otherwise, make a SymIntExpr out of the expression.
return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy); return MakeSymIntVal(symIntExpr, op, *RHSValue, resultTy);
} }
} }
// Does the symbolic expression simplify to a constant? // Does the symbolic expression simplify to a constant?
// If so, "fold" the constant by setting 'lhs' to a ConcreteInt // If so, "fold" the constant by setting 'lhs' to a ConcreteInt
// and try again. // and try again.
ConstraintManager &CMgr = state->getConstraintManager(); SVal simplifiedLhs = simplifySVal(state, lhs);
if (const llvm::APSInt *Constant = CMgr.getSymVal(state, Sym)) { if (simplifiedLhs != lhs)
lhs = nonloc::ConcreteInt(*Constant); if (auto simplifiedLhsAsNonLoc = simplifiedLhs.getAs<NonLoc>()) {
lhs = *simplifiedLhsAsNonLoc;
continue; continue;
} }
// Is the RHS a constant? // Is the RHS a constant?
if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs)) if (const llvm::APSInt *RHSValue = getKnownValue(state, rhs))
return MakeSymIntVal(Sym, op, *RHSValue, resultTy); return MakeSymIntVal(Sym, op, *RHSValue, resultTy);
// Give up -- this is not a symbolic expression we can handle. // Give up -- this is not a symbolic expression we can handle.
return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy); return makeSymExprValNN(state, op, InputLHS, InputRHS, resultTy);
} }
▲ Show 20 LinesShow All 435 Lines▼ Show 20 Lines if (Optional<nonloc::ConcreteInt> X = V.getAs<nonloc::ConcreteInt>())
return &X->getValue(); return &X->getValue();
if (SymbolRef Sym = V.getAsSymbol()) if (SymbolRef Sym = V.getAsSymbol())
return state->getConstraintManager().getSymVal(state, Sym); return state->getConstraintManager().getSymVal(state, Sym);
// FIXME: Add support for SymExprs. // FIXME: Add support for SymExprs.
return nullptr; return nullptr;
} }
SVal SimpleSValBuilder::simplifySVal(ProgramStateRef State, SVal V) {
// For now, this function tries to constant-fold symbols inside a
// nonloc::SymbolVal, and does nothing else. More simplifications should
// be possible, such as constant-folding an index in an ElementRegion.
class Simplifier : public FullSValVisitor<Simplifier, SVal> {
ProgramStateRef State;
SValBuilder &SVB;
public:
Simplifier(ProgramStateRef State)
: State(State), SVB(State->getStateManager().getSValBuilder()) {}
SVal VisitSymbolData(const SymbolData *S) {
if (const llvm::APSInt *I =
SVB.getKnownValue(State, nonloc::SymbolVal(S)))
return Loc::isLocType(S->getType()) ? (SVal)SVB.makeIntLocVal(*I)
: (SVal)SVB.makeIntVal(*I);
return nonloc::SymbolVal(S);
}
// TODO: Support SymbolCast. Support IntSymExpr when/if we actually
// start producing them.
SVal VisitSymIntExpr(const SymIntExpr *S) {
SVal LHS = Visit(S->getLHS());
SVal RHS;
// By looking at the APSInt in the right-hand side of S, we cannot
// figure out if it should be treated as a Loc or as a NonLoc.
// So make our guess by recalling that we cannot multiply pointers
// or compare a pointer to an integer.
if (Loc::isLocType(S->getLHS()->getType()) &&
BinaryOperator::isComparisonOp(S->getOpcode())) {
// The usual conversion of $sym to &SymRegion{$sym}, as they have
// the same meaning for Loc-type symbols, but the latter form
// is preferred in SVal computations for being Loc itself.
if (SymbolRef Sym = LHS.getAsSymbol()) {
assert(Loc::isLocType(Sym->getType()));
LHS = SVB.makeLoc(Sym);
}
RHS = SVB.makeIntLocVal(S->getRHS());
} else {
RHS = SVB.makeIntVal(S->getRHS());
}
return SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType());
}
SVal VisitSymSymExpr(const SymSymExpr *S) {
SVal LHS = Visit(S->getLHS());
SVal RHS = Visit(S->getRHS());
return SVB.evalBinOp(State, S->getOpcode(), LHS, RHS, S->getType());
}
SVal VisitSymExpr(SymbolRef S) { return nonloc::SymbolVal(S); }
SVal VisitMemRegion(const MemRegion *R) { return loc::MemRegionVal(R); }
SVal VisitNonLocSymbolVal(nonloc::SymbolVal V) {
// Simplification is much more costly than computing complexity.
// For high complexity, it may be not worth it.
if (V.getSymbol()->computeComplexity() > 100)
return V;
return Visit(V.getSymbol());
}
SVal VisitSVal(SVal V) { return V; }
};
return Simplifier(State).Visit(V);
}

cfe/trunk/test/Analysis/additive-folding.cpp

Show First 20 LinesShow All 199 Lines▼ Show 20 Lines
void multiplicativeSanityTest(int x) { void multiplicativeSanityTest(int x) {
// At one point we were ignoring the *4 completely -- the constraint manager // At one point we were ignoring the *4 completely -- the constraint manager
// would see x < 8 and then declare the assertion to be known false. // would see x < 8 and then declare the assertion to be known false.
if (x*4 < 8) if (x*4 < 8)
return; return;
clang_analyzer_eval(x == 3); // expected-warning{{UNKNOWN}} clang_analyzer_eval(x == 3); // expected-warning{{UNKNOWN}}
} }
void additiveSymSymFolding(int x, int y) {
// We should simplify 'x - 1' to '0' and handle the comparison,
// despite both sides being complicated symbols.
int z = x - 1;
if (x == 1)
if (y >= 0)
clang_analyzer_eval(z <= y); // expected-warning{{TRUE}}
}