This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
-
LoopUnrolling.h
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
2
ExprEngine.cpp
5
LoopUnrolling.cpp
-
test/Analysis/
-
Analysis/
-
loop-unrolling.cpp

Differential D34812

[StaticAnalyzer] LoopUnrolling: Handling conditions with known value variables
Needs ReviewPublic

Authored by szepet on Jun 29 2017, 7:10 AM.

Download Raw Diff

Details

Reviewers

zaks.anna
NoQ
dcoughlin
xazax.hun
a.sidorin

Summary

In order to completely unroll loops with known bound I moved the marking process (markLoopASUnrolled() function call, etc.) to the processBranch callback which takes place after the bound is already modeled. This way the bound can be checked to be known. Test cases added.

Diff Detail

Event Timeline

szepet created this revision.Jun 29 2017, 7:10 AM

Herald added a subscriber: whisperity. · View Herald TranscriptJun 29 2017, 7:10 AM

While this wasn't necessary in the first patch, i think here we should start cleaning up the UnrolledLoops map when we exit the loop. Because next time we encounter the loop, we may no longer want to unroll it - the value may no longer be concrete.

lib/StaticAnalyzer/Core/LoopUnrolling.cpp
148–149	There's a FIXME in `getKnownValue()` that says that it doesn't work in some cases, eg. `$x + 1` where $x$ is constrained to a constant. Could you see if this affects your code and add a test case? We can probably fix it later because now we have `simplifySVal()`.

NoQ added inline comments.Jun 29 2017, 7:22 AM

lib/StaticAnalyzer/Core/LoopUnrolling.cpp
148–149	I mean `$x`.

whisperity removed a subscriber: whisperity.Jun 29 2017, 8:09 AM

Am i understanding correctly that this patch is waiting to be rebased on top of D35684?

In D34812#822645, @NoQ wrote:

Am i understanding correctly that this patch is waiting to be rebased on top of D35684?

Yes, you understand correctly and this raises a lot of problem which I could not solve.

If I move the updateLoopStack function call to the processBranch then it means that in processCFGBlockEntrance we wont have the information if the entered block is unrolled.
It could be OK since the loop is visited at least once so we will reach processBranch and add the loop to the LoopStack. However, in case of a nested loop, the second time we would enter the inner loop we will see that the BlockVisit counter is already higher than maxBlockVisitOnPath. So we wont even enter the block even if we would mark it as a unrolled loop.

so in the following example we wont enter the inner (and unrolled) loop the second time:

for (int i=0;i<2;i++){
  int& j = i; // outer loop not unrolled
  for (int j=0;j<5;j++){ //unrolled
      magic_stuff();
  }
}

Just to summarize the problem: the LoopStack would be updated later then we enter the first block of the loop. However, we check the counter when the block is entered.
I don't see a correct solution for that right know. The best I could come up to mark the blocks what was already unrolled and handle them as a special case.

xazax.hun added inline comments.Nov 17 2017, 6:43 AM

lib/StaticAnalyzer/Core/ExprEngine.cpp
1507	Asterisk on the wrong side.
1689	Maybe moving this check to the next if would reduce the indentation.
lib/StaticAnalyzer/Core/LoopUnrolling.cpp
47	Why did you introduce `expr`? Wouldn't binding to the `declRefExpr` part be sufficient?
135	This comment is not clear enough for me. Don't you already check for changes and escapes of the induction variable?
150	So you do not want to introduce a hard limit on the loop bound in this patch?

NoQ mentioned this in D63279: [Analyzer] Unroll for-loops where the upper boundary is a variable with know value.Jul 17 2019, 5:21 PM

Revision Contents

Path

Size

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

LoopUnrolling.h

10 lines

lib/

StaticAnalyzer/

Core/

ExprEngine.cpp

28 lines

LoopUnrolling.cpp

36 lines

test/

Analysis/

loop-unrolling.cpp

46 lines

Diff 104638

include/clang/StaticAnalyzer/Core/PathSensitive/LoopUnrolling.h

	Show All 19 Lines
	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramStateTrait.h"
	#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"			#include "clang/StaticAnalyzer/Core/PathSensitive/CheckerContext.h"

	namespace clang {			namespace clang {
	namespace ento {			namespace ento {
	ProgramStateRef markLoopAsUnrolled(const Stmt *Term, ProgramStateRef State,			ProgramStateRef markLoopAsUnrolled(const Stmt *Term, ProgramStateRef State,
	CFGStmtMap *StmtToBlockMap);			CFGStmtMap *StmtToBlockMap);
	bool isUnrolledLoopBlock(const CFGBlock *Block,			bool isUnrolledLoopBlock(const CFGBlock Block, ExplodedNode Prev);
	ExplodedNode *Prev);			bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
	bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx);			ExplodedNode* Pred, SValBuilder &SVB);

	} // end namespace ento			} // end namespace ento
	} // end namespace clang			} // end namespace clang

	#endif			#endif

lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 Lines • Show All 1,498 Lines • ▼ Show 20 Lines
/// Block entrance. (Update counters).		/// Block entrance. (Update counters).
void ExprEngine::processCFGBlockEntrance(const BlockEdge &L,		void ExprEngine::processCFGBlockEntrance(const BlockEdge &L,
NodeBuilderWithSinks &nodeBuilder,		NodeBuilderWithSinks &nodeBuilder,
ExplodedNode *Pred) {		ExplodedNode *Pred) {
PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());		PrettyStackTraceLocationContext CrashInfo(Pred->getLocationContext());
// If this block is terminated by a loop which has a known bound (and meets		// If this block is terminated by a loop which has a known bound (and meets
// other constraints) then consider completely unrolling it.		// other constraints) then consider completely unrolling it.
if (AMgr.options.shouldUnrollLoops()) {		if (AMgr.options.shouldUnrollLoops()) {
const CFGBlock *ActualBlock = nodeBuilder.getContext().getBlock();		const CFGBlock* ActualBlock = nodeBuilder.getContext().getBlock();
		xazax.hunUnsubmitted Not Done Reply Inline Actions Asterisk on the wrong side. xazax.hun: Asterisk on the wrong side.
const Stmt *Term = ActualBlock->getTerminator();
if (Term && shouldCompletelyUnroll(Term, AMgr.getASTContext())) {
ProgramStateRef UnrolledState =
markLoopAsUnrolled(Term, Pred->getState(), Pred->getLocationContext()->getAnalysisDeclContext()->getCFGStmtMap());
if (UnrolledState != Pred->getState())
nodeBuilder.generateNode(UnrolledState, Pred);
return;
}

if (isUnrolledLoopBlock(ActualBlock, Pred))		if (isUnrolledLoopBlock(ActualBlock, Pred))
return;		return;
if (ActualBlock->empty())		if (ActualBlock->empty())
return;		return;
}		}

// If this block is terminated by a loop and it has already been visited the		// If this block is terminated by a loop and it has already been visited the
// maximum number of times, widen the loop.		// maximum number of times, widen the loop.
▲ Show 20 Lines • Show All 165 Lines • ▼ Show 20 Lines	void ExprEngine::processBranch(const Stmt Condition, const Stmt Term,
// Check for NULL conditions; e.g. "for(;;)"		// Check for NULL conditions; e.g. "for(;;)"
if (!Condition) {		if (!Condition) {
BranchNodeBuilder NullCondBldr(Pred, Dst, BldCtx, DstT, DstF);		BranchNodeBuilder NullCondBldr(Pred, Dst, BldCtx, DstT, DstF);
NullCondBldr.markInfeasible(false);		NullCondBldr.markInfeasible(false);
NullCondBldr.generateNode(Pred->getState(), true, Pred);		NullCondBldr.generateNode(Pred->getState(), true, Pred);
return;		return;
}		}

		if (AMgr.options.shouldUnrollLoops()) {
		xazax.hunUnsubmitted Not Done Reply Inline Actions Maybe moving this check to the next if would reduce the indentation. xazax.hun: Maybe moving this check to the next if would reduce the indentation.
		if (shouldCompletelyUnroll(Term, AMgr.getASTContext(), Pred, svalBuilder)) {
		ProgramStateRef UnrolledState =
		markLoopAsUnrolled(Term, Pred->getState(),
		Pred->getLocationContext()->
		getAnalysisDeclContext()->getCFGStmtMap());
		if(UnrolledState != Pred->getState()) {
		NodeBuilder UnrolledStateBldr(Pred, Dst, BldCtx);
		UnrolledStateBldr.generateNode(Pred->getLocation(), UnrolledState,
		Pred);
		assert(Dst.size() == 1);
		Pred = *Dst.begin();
		Dst.clear();
		}
		}
		}

if (const Expr *Ex = dyn_cast<Expr>(Condition))		if (const Expr *Ex = dyn_cast<Expr>(Condition))
Condition = Ex->IgnoreParens();		Condition = Ex->IgnoreParens();

Condition = ResolveCondition(Condition, BldCtx.getBlock());		Condition = ResolveCondition(Condition, BldCtx.getBlock());
PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),		PrettyStackTraceLoc CrashInfo(getContext().getSourceManager(),
Condition->getLocStart(),		Condition->getLocStart(),
"Error evaluating branch");		"Error evaluating branch");

▲ Show 20 Lines • Show All 1,201 Lines • Show Last 20 Lines

lib/StaticAnalyzer/Core/LoopUnrolling.cpp

Show All 38 Lines
static bool isLoopStmt(const Stmt *S) {		static bool isLoopStmt(const Stmt *S) {
return S && (isa<ForStmt>(S) \|\| isa<WhileStmt>(S) \|\| isa<DoStmt>(S));		return S && (isa<ForStmt>(S) \|\| isa<WhileStmt>(S) \|\| isa<DoStmt>(S));
}		}

static internal::Matcher<Stmt> simpleCondition(StringRef BindName) {		static internal::Matcher<Stmt> simpleCondition(StringRef BindName) {
return binaryOperator(		return binaryOperator(
anyOf(hasOperatorName("<"), hasOperatorName(">"), hasOperatorName("<="),		anyOf(hasOperatorName("<"), hasOperatorName(">"), hasOperatorName("<="),
hasOperatorName(">="), hasOperatorName("!=")),		hasOperatorName(">="), hasOperatorName("!=")),
hasEitherOperand(ignoringParenImpCasts(		hasEitherOperand(expr(ignoringParenImpCasts(declRefExpr(
		xazax.hunUnsubmitted Not Done Reply Inline Actions Why did you introduce `expr`? Wouldn't binding to the `declRefExpr` part be sufficient? xazax.hun: Why did you introduce `expr`? Wouldn't binding to the `declRefExpr` part be sufficient?
declRefExpr(to(varDecl(hasType(isInteger())).bind(BindName))))),		to(varDecl(hasType(isInteger())).bind(BindName)))))
hasEitherOperand(ignoringParenImpCasts(integerLiteral())));		.bind("CounterExp")),
		hasEitherOperand(
		expr(unless(equalsBoundNode("CounterExp"))).bind("BoundExp")));
}		}

static internal::Matcher<Stmt> changeIntBoundNode(StringRef NodeName) {		static internal::Matcher<Stmt> changeIntBoundNode(StringRef NodeName) {
return hasDescendant(binaryOperator(		return hasDescendant(binaryOperator(
anyOf(hasOperatorName("="), hasOperatorName("+="), hasOperatorName("/="),		anyOf(hasOperatorName("="), hasOperatorName("+="), hasOperatorName("/="),
hasOperatorName("*="), hasOperatorName("-=")),		hasOperatorName("*="), hasOperatorName("-=")),
hasLHS(ignoringParenImpCasts(		hasLHS(ignoringParenImpCasts(
declRefExpr(to(varDecl(equalsBoundNode(NodeName))))))));		declRefExpr(to(varDecl(equalsBoundNode(NodeName))))))));
▲ Show 20 Lines • Show All 61 Lines • ▼ Show 20 Lines	return doStmt(hasCondition(simpleCondition("initVarName")),
changeIntBoundNode("initVarName"), callByRef("initVarName"),		changeIntBoundNode("initVarName"), callByRef("initVarName"),
getAddrTo("initVarName"))))).bind("whileLoop");		getAddrTo("initVarName"))))).bind("whileLoop");
}		}

static internal::Matcher<Stmt> loopMatcher() {		static internal::Matcher<Stmt> loopMatcher() {
return anyOf(doWhileLoopMatcher(), whileLoopMatcher(), forLoopMatcher());		return anyOf(doWhileLoopMatcher(), whileLoopMatcher(), forLoopMatcher());
}		}

bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx) {		bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
		ExplodedNode *Pred, SValBuilder &SVB) {

if (!isLoopStmt(LoopStmt))		if (!isLoopStmt(LoopStmt))
return false;		return false;

// TODO: In cases of while and do..while statements the value of initVarName		// TODO: Check for possibilities of changing the bound expression.
		xazax.hunUnsubmitted Not Done Reply Inline Actions This comment is not clear enough for me. Don't you already check for changes and escapes of the induction variable? xazax.hun: This comment is not clear enough for me. Don't you already check for changes and escapes of the…
// should be checked to be known
// TODO: Match the cases where the bound is not a concrete literal but an
// integer with known value

auto Matches = match(loopMatcher(), *LoopStmt, ASTCtx);		auto Matches = match(loopMatcher(), *LoopStmt, ASTCtx);
return !Matches.empty();		if (Matches.empty())
		return false;

		const Expr *BoundExp = Matches[0].getNodeAs<Expr>("BoundExp");
		const Expr *CounterExp = Matches[0].getNodeAs<Expr>("CounterExp");
		auto State = Pred->getState();
		auto LCtx = Pred->getLocationContext();
		SVal BoundVal = State->getSVal(BoundExp, LCtx);
		SVal CounterVal = State->getSVal(CounterExp, LCtx);

		if (!SVB.getKnownValue(State, BoundVal) \|\|
		!SVB.getKnownValue(State, CounterVal))
		NoQUnsubmitted Not Done Reply Inline Actions There's a FIXME in `getKnownValue()` that says that it doesn't work in some cases, eg. `$x + 1` where $x$ is constrained to a constant. Could you see if this affects your code and add a test case? We can probably fix it later because now we have `simplifySVal()`. NoQ: There's a FIXME in `getKnownValue()` that says that it doesn't work in some cases, eg. `$x + 1`…
		NoQUnsubmitted Not Done Reply Inline Actions I mean `$x`. NoQ: I mean `$x`.
		return false;
		xazax.hunUnsubmitted Not Done Reply Inline Actions So you do not want to introduce a hard limit on the loop bound in this patch? xazax.hun: So you do not want to introduce a hard limit on the loop bound in this patch?

		return true;
}		}

namespace {		namespace {
class LoopBlockVisitor : public ConstStmtVisitor<LoopBlockVisitor> {		class LoopBlockVisitor : public ConstStmtVisitor<LoopBlockVisitor> {
public:		public:
LoopBlockVisitor(llvm::SmallPtrSet<const CFGBlock *, 8> &BS)		LoopBlockVisitor(llvm::SmallPtrSet<const CFGBlock *, 8> &BS)
: BlockSet(BS), Found(false) {}		: BlockSet(BS), Found(false) {}

Show All 23 Lines	private:
llvm::SmallPtrSet<const CFGBlock *, 8> &BlockSet;		llvm::SmallPtrSet<const CFGBlock *, 8> &BlockSet;
bool Found;		bool Found;
const CFGStmtMap *StmtToBlockMap;		const CFGStmtMap *StmtToBlockMap;
const Stmt *LoopStmt;		const Stmt *LoopStmt;
};		};
}		}

bool isUnrolledLoopBlock(const CFGBlock Block, ExplodedNode Prev) {		bool isUnrolledLoopBlock(const CFGBlock Block, ExplodedNode Prev) {
const Stmt* Term = Block->getTerminator();		const Stmt *Term = Block->getTerminator();
auto State = Prev->getState();		auto State = Prev->getState();
// In case of nested loops in an inlined function should not be unrolled only		// In case of nested loops in an inlined function should not be unrolled only
// if the inner loop is marked.		// if the inner loop is marked.
if (Term && isLoopStmt(Term) && !State->contains<UnrolledLoops>(Term))		if (Term && isLoopStmt(Term) && !State->contains<UnrolledLoops>(Term))
return false;		return false;

const CFGBlock *SearchedBlock;		const CFGBlock *SearchedBlock;
llvm::SmallPtrSet<const CFGBlock *, 8> BlockSet;		llvm::SmallPtrSet<const CFGBlock *, 8> BlockSet;
LoopBlockVisitor LBV(BlockSet);		LoopBlockVisitor LBV(BlockSet);
// Check the CFGBlocks of every marked loop.		// Check the CFGBlocks of every marked loop.
for (auto& E : State->get<UnrolledLoops>()) {		for (auto &E : State->get<UnrolledLoops>()) {
SearchedBlock = Block;		SearchedBlock = Block;
const StackFrameContext *StackFrame = Prev->getStackFrame();		const StackFrameContext *StackFrame = Prev->getStackFrame();
LBV.setBlocksOfLoop(E.first, E.second);		LBV.setBlocksOfLoop(E.first, E.second);
// In case of an inlined function call check if any of its callSiteBlock is		// In case of an inlined function call check if any of its callSiteBlock is
// marked.		// marked.
while (SearchedBlock && BlockSet.find(SearchedBlock) == BlockSet.end()) {		while (SearchedBlock && BlockSet.find(SearchedBlock) == BlockSet.end()) {
SearchedBlock = StackFrame->getCallSiteBlock();		SearchedBlock = StackFrame->getCallSiteBlock();
StackFrame = StackFrame->getParent()->getCurrentStackFrame();		StackFrame = StackFrame->getParent()->getCurrentStackFrame();
Show All 20 Lines

test/Analysis/loop-unrolling.cpp

Show First 20 Lines • Show All 126 Lines • ▼ Show 20 Lines	int nested_inlined_no_unroll1() {
int k;		int k;
for (int i = 0; i < 9; i++) {		for (int i = 0; i < 9; i++) {
k = simple_unknown_bound_loop(); // reevaluation without inlining		k = simple_unknown_bound_loop(); // reevaluation without inlining
}		}
int a = 22 / k; // no-warning		int a = 22 / k; // no-warning
return 0;		return 0;
}		}

		int known_variable_unroll() {
		int a[9];
		int k = 42;
		for (int i = 0; i < k; i++) {
		a[i] = 42;
		}
		int b = 22 / (k - 42); // expected-warning {{Division by zero}}
		return 0;
		}

		int known_variable_unroll2() {
		int a[9];
		int k = 42;
		for (int i = 0; i < k / 2 + 12; i++) {
		a[i] = 42;
		}
		int b = 22 / (k - 42); // expected-warning {{Division by zero}}
		return 0;
		}

// Testing while loops.		// Testing while loops.
int simple_unroll3() {		int simple_unroll3() {
int a[9];		int a[9];
int k = 42;		int k = 42;
int i = 0;		int i = 0;
while (i < 9) {		while (i < 9) {
a[i] = 42 * i;		a[i] = 42 * i;
++i;		++i;
▲ Show 20 Lines • Show All 45 Lines • ▼ Show 20 Lines	int simple_unroll6() {
do {		do {
a[i] = 42 * i;		a[i] = 42 * i;
--i;		--i;
} while (i > 7);		} while (i > 7);
int b = 22 / (k - 42); // expected-warning {{Division by zero}}		int b = 22 / (k - 42); // expected-warning {{Division by zero}}
return 0;		return 0;
}		}

		int known_variable_unroll3() {
		int a[9];
		int k = 42;
		int i = 2;
		do {
		a[i] = 42 * i;
		++i;
		} while (i < 9);
		int b = 22 / (k - 42); // expected-warning {{Division by zero}}
		return 0;
		}

int simple_no_unroll5() {		int simple_no_unroll5() {
int a[9];		int a[9];
int k = 42;		int k = 42;
int i = 0;		int i = 0;
do {		do {
a[i] = 42 * i;		a[i] = 42 * i;
i += getNum();		i += getNum();
} while (i < 9);		} while (i < 9);
int b = 22 / (k - 42); // expected-warning {{Division by zero}}		int b = 22 / (k - 42); // expected-warning {{Division by zero}}
return 0;		return 0;
}		}

		int unknown_var_no_unroll1() {
		int a[9];
		int k = 42;
		int i = getNum();
		do {
		a[i] = 42 * i;
		++i;
		} while (i < 9);
		int b = 22 / (k - 42); // expected-warning {{Division by zero}}
		return 0;
		}

// CHECK: ... Statistics Collected ...		// CHECK: ... Statistics Collected ...
// CHECK: 5 ExprEngine - The # of times we re-evaluated a call without inlining		// CHECK: 5 ExprEngine - The # of times we re-evaluated a call without inlining
// CHECK: 13 LoopUnrolling - The # of times a loop has got completely unrolled		// CHECK: 16 LoopUnrolling - The # of times a loop has got completely unrolled