This is an archive of the discontinued LLVM Phabricator instance.

Differential D42130

[analyzer] Expose return statement from CallExit program point
ClosedPublic

Authored by george.karpenkov on Jan 16 2018, 1:50 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rGfb4acffbd11a: [analyzer] Expose return statement from CallExit program point
rC324052: [analyzer] Expose return statement from CallExit program point
rL324052: [analyzer] Expose return statement from CallExit program point
Summary

If the return statement is stored, we might as well allow querying against it.
Also fix the bug where the return statement is not stored if there is no return value.
And expose the return statement through getStatement helper function.

Diff Detail

Repository
rL LLVM

Event Timeline

george.karpenkov created this revision.Jan 16 2018, 1:50 PM
Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptJan 16 2018, 1:50 PM
george.karpenkov updated this revision to Diff 130026.Jan 16 2018, 1:52 PM
george.karpenkov edited the summary of this revision. (Show Details)
george.karpenkov added a parent revision: D41848: [analyzer] mark returns of functions where the region passed as parameter was not initialized.Jan 16 2018, 3:51 PM
george.karpenkov removed a parent revision: D41848: [analyzer] mark returns of functions where the region passed as parameter was not initialized.Jan 16 2018, 5:59 PM
george.karpenkov added a child revision: D41848: [analyzer] mark returns of functions where the region passed as parameter was not initialized.
george.karpenkov added a comment.Jan 19 2018, 11:43 AM

@NoQ I think this should be OK to commit?

NoQ added inline comments.Jan 19 2018, 2:44 PM
lib/StaticAnalyzer/Core/CoreEngine.cpp
317 ↗(On Diff #130026)

All right, so this is not entirely NFC; it un-merges two ExplodedNodes during call exit when the state is otherwise identical - the CallExitBegin node itself and the "Bind Return Value"-tagged node.

For example:

 1	int coin();
 2
 3	void foo() {
 4	  int x = coin();
 5	  if (x > 0)
 6	    return;
 7	  else
 8	    return;
 9	}
10
11	void bar() {
12	  foo();
13	}

After binding the return value, removeDead is called to remove dead bindings for the entire callee context. It would therefore be called once before the patch and twice after the patch (but yielding just one node in both cases because the resulting node is identical).

Here's a CallbackOrder test that shows that checkLiveSymbols is called twice:

test.patch2 KBDownload

Note that checkDeadSymbols is not called at all because there are no dead symbols here to take care of.

Even though dead symbols is the slowest thing ever in the analyzer, i believe that the overhead here of collecting dead symbols twice would be minimal because the situation when two returns have exactly identical states is relatively rare. If it isn't, then suddenly it might make sense to create a global (path-independent) cache for results of collecting dead symbols over a program state (sounds fun).

george.karpenkov added a comment.Jan 19 2018, 3:03 PM

@NoQ I would say the patch still makes sense. We would still get the same behavior with "return 0 / return 0" in two different locations.
IMO two states for two different locations should not be merged, also it indeed seems the situation is rare enough to seriously affect the performance.

NoQ added a comment.Jan 19 2018, 3:04 PM

Yep. Could you still add the test (ideally with some explanation of what it tests because i forgot to add it^^)?

george.karpenkov added a comment.Jan 19 2018, 3:28 PM

Yep. Could you still add the test

Sure, what would be the testable observable behavior?

NoQ added a comment.Jan 19 2018, 3:35 PM

This test ensures that check::LiveSymbols is called as many times on the path through the second "return" as it is through the first "return" (three), and therefore the two paths were not merged prematurely before the respective return statement is evaluated. The paths would still be merged later, so we'd have only one post-call for foo(), but it is incorrect to merge them in the middle of evaluating two different statements.

george.karpenkov updated this revision to Diff 130727.Jan 19 2018, 5:02 PM

Adding the test by Artem.

NoQ accepted this revision.Jan 31 2018, 6:57 PM

Pls squeeze my previous comment into the test?

This revision is now accepted and ready to land.Jan 31 2018, 6:57 PM
Closed by commit rL324052: [analyzer] Expose return statement from CallExit program point (authored by george.karpenkov). · Explain WhyFeb 1 2018, 6:22 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: llvm-commits. · View Herald TranscriptFeb 1 2018, 6:22 PM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
Analysis/
4 lines
lib/
StaticAnalyzer/
Checkers/
9 lines
Core/
5 lines
2 lines
test/
Analysis/
37 lines

Diff 132525

cfe/trunk/include/clang/Analysis/ProgramPoint.h

Show First 20 LinesShow All 635 Lines▼ Show 20 Lines
/// - Run Remove dead bindings (to clean up the dead symbols from the callee). /// - Run Remove dead bindings (to clean up the dead symbols from the callee).
/// - CallExitEnd /// - CallExitEnd
class CallExitBegin : public ProgramPoint { class CallExitBegin : public ProgramPoint {
public: public:
// CallExitBegin uses the callee's location context. // CallExitBegin uses the callee's location context.
CallExitBegin(const StackFrameContext *L, const ReturnStmt *RS) CallExitBegin(const StackFrameContext *L, const ReturnStmt *RS)
: ProgramPoint(RS, CallExitBeginKind, L, nullptr) { } : ProgramPoint(RS, CallExitBeginKind, L, nullptr) { }
const ReturnStmt *getReturnStmt() const {
return static_cast<const ReturnStmt *>(getData1());
}
private: private:
friend class ProgramPoint; friend class ProgramPoint;
CallExitBegin() = default; CallExitBegin() = default;
static bool isKind(const ProgramPoint &Location) { static bool isKind(const ProgramPoint &Location) {
return Location.getKind() == CallExitBeginKind; return Location.getKind() == CallExitBeginKind;
} }
}; };
▲ Show 20 LinesShow All 99 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Checkers/AnalysisOrderChecker.cpp

Show All 31 Lines : public Checker<check::PreStmt<CastExpr>,
check::PreStmt<ArraySubscriptExpr>, check::PreStmt<ArraySubscriptExpr>,
check::PostStmt<ArraySubscriptExpr>, check::PostStmt<ArraySubscriptExpr>,
check::PreStmt<CXXNewExpr>, check::PreStmt<CXXNewExpr>,
check::PostStmt<CXXNewExpr>, check::PostStmt<CXXNewExpr>,
check::PreCall, check::PreCall,
check::PostCall, check::PostCall,
check::NewAllocator, check::NewAllocator,
check::Bind, check::Bind,
check::RegionChanges> { check::RegionChanges,
check::LiveSymbols> {
bool isCallbackEnabled(AnalyzerOptions &Opts, StringRef CallbackName) const { bool isCallbackEnabled(AnalyzerOptions &Opts, StringRef CallbackName) const {
return Opts.getBooleanOption("*", false, this) || return Opts.getBooleanOption("*", false, this) ||
Opts.getBooleanOption(CallbackName, false, this); Opts.getBooleanOption(CallbackName, false, this);
} }
bool isCallbackEnabled(CheckerContext &C, StringRef CallbackName) const { bool isCallbackEnabled(CheckerContext &C, StringRef CallbackName) const {
AnalyzerOptions &Opts = C.getAnalysisManager().getAnalyzerOptions(); AnalyzerOptions &Opts = C.getAnalysisManager().getAnalyzerOptions();
return isCallbackEnabled(Opts, CallbackName); return isCallbackEnabled(Opts, CallbackName);
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Lines if (isCallbackEnabled(C, "NewAllocator"))
llvm::errs() << "NewAllocator\n"; llvm::errs() << "NewAllocator\n";
} }
void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const { void checkBind(SVal Loc, SVal Val, const Stmt *S, CheckerContext &C) const {
if (isCallbackEnabled(C, "Bind")) if (isCallbackEnabled(C, "Bind"))
llvm::errs() << "Bind\n"; llvm::errs() << "Bind\n";
} }
void checkLiveSymbols(ProgramStateRef State, SymbolReaper &SymReaper) const {
if (isCallbackEnabled(State, "LiveSymbols"))
llvm::errs() << "LiveSymbols\n";
}
ProgramStateRef ProgramStateRef
checkRegionChanges(ProgramStateRef State, checkRegionChanges(ProgramStateRef State,
const InvalidatedSymbols *Invalidated, const InvalidatedSymbols *Invalidated,
ArrayRef<const MemRegion *> ExplicitRegions, ArrayRef<const MemRegion *> ExplicitRegions,
ArrayRef<const MemRegion *> Regions, ArrayRef<const MemRegion *> Regions,
const LocationContext *LCtx, const CallEvent *Call) const { const LocationContext *LCtx, const CallEvent *Call) const {
if (isCallbackEnabled(State, "RegionChanges")) if (isCallbackEnabled(State, "RegionChanges"))
llvm::errs() << "RegionChanges\n"; llvm::errs() << "RegionChanges\n";
Show All 12 Lines

cfe/trunk/lib/StaticAnalyzer/Core/CoreEngine.cpp

Show First 20 LinesShow All 301 Lines▼ Show 20 Lines if (Blk == &(L.getLocationContext()->getCFG()->getExit())) {
assert (L.getLocationContext()->getCFG()->getExit().size() == 0 assert (L.getLocationContext()->getCFG()->getExit().size() == 0
&& "EXIT block cannot contain Stmts."); && "EXIT block cannot contain Stmts.");
// Get return statement.. // Get return statement..
const ReturnStmt *RS = nullptr; const ReturnStmt *RS = nullptr;
if (!L.getSrc()->empty()) { if (!L.getSrc()->empty()) {
if (Optional<CFGStmt> LastStmt = L.getSrc()->back().getAs<CFGStmt>()) { if (Optional<CFGStmt> LastStmt = L.getSrc()->back().getAs<CFGStmt>()) {
if ((RS = dyn_cast<ReturnStmt>(LastStmt->getStmt()))) { RS = dyn_cast<ReturnStmt>(LastStmt->getStmt());
if (!RS->getRetValue())
RS = nullptr;
}
} }
} }
// Process the final state transition. // Process the final state transition.
SubEng.processEndOfFunction(BuilderCtx, Pred, RS); SubEng.processEndOfFunction(BuilderCtx, Pred, RS);
// This path is done. Don't enqueue any more nodes. // This path is done. Don't enqueue any more nodes.
return; return;
▲ Show 20 LinesShow All 432 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/PathDiagnostic.cpp

Show First 20 LinesShow All 736 Lines▼ Show 20 Linesconst Stmt *PathDiagnosticLocation::getStmt(const ExplodedNode *N) {
if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) if (Optional<BlockEdge> BE = P.getAs<BlockEdge>())
return BE->getSrc()->getTerminator(); return BE->getSrc()->getTerminator();
if (Optional<CallEnter> CE = P.getAs<CallEnter>()) if (Optional<CallEnter> CE = P.getAs<CallEnter>())
return CE->getCallExpr(); return CE->getCallExpr();
if (Optional<CallExitEnd> CEE = P.getAs<CallExitEnd>()) if (Optional<CallExitEnd> CEE = P.getAs<CallExitEnd>())
return CEE->getCalleeContext()->getCallSite(); return CEE->getCalleeContext()->getCallSite();
if (Optional<PostInitializer> PIPP = P.getAs<PostInitializer>()) if (Optional<PostInitializer> PIPP = P.getAs<PostInitializer>())
return PIPP->getInitializer()->getInit(); return PIPP->getInitializer()->getInit();
if (Optional<CallExitBegin> CEB = P.getAs<CallExitBegin>())
return CEB->getReturnStmt();
return nullptr; return nullptr;
} }
const Stmt *PathDiagnosticLocation::getNextStmt(const ExplodedNode *N) { const Stmt *PathDiagnosticLocation::getNextStmt(const ExplodedNode *N) {
for (N = N->getFirstSucc(); N; N = N->getFirstSucc()) { for (N = N->getFirstSucc(); N; N = N->getFirstSucc()) {
if (const Stmt *S = getStmt(N)) { if (const Stmt *S = getStmt(N)) {
// Check if the statement is '?' or '&&'/'||'. These are "merges", // Check if the statement is '?' or '&&'/'||'. These are "merges",
▲ Show 20 LinesShow All 495 LinesShow Last 20 Lines

cfe/trunk/test/Analysis/return-stmt-merge.cpp

// RUN: %clang_analyze_cc1 -analyzer-checker=debug.AnalysisOrder,debug.ExprInspection -analyzer-config debug.AnalysisOrder:PreCall=true,debug.AnalysisOrder:PostCall=true,debug.AnalysisOrder:LiveSymbols=true %s 2>&1 | FileCheck %s
// This test ensures that check::LiveSymbols is called as many times on the
// path through the second "return" as it is through the first "return"
// (three), and therefore the two paths were not merged prematurely before the
// respective return statement is evaluated.
// The paths would still be merged later, so we'd have only one post-call for
// foo(), but it is incorrect to merge them in the middle of evaluating two
// different statements.
int coin();
void foo() {
int x = coin();
if (x > 0)
return;
else
return;
}
void bar() {
foo();
}
// CHECK: LiveSymbols
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: PreCall (foo)
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: PreCall (coin)
// CHECK-NEXT: PostCall (coin)
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: PostCall (foo)
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: LiveSymbols
// CHECK-NEXT: LiveSymbols