This is an archive of the discontinued LLVM Phabricator instance.

Differential D42775

[analyzer] Exploration strategy prioritizing unexplored coverage first
ClosedPublic

Authored by george.karpenkov on Jan 31 2018, 5:54 PM.

Details

Reviewers
dcoughlin
NoQ
zaks.anna
Commits
rG1235a63df528: [analyzer] Exploration strategy prioritizing unexplored coverage first
rL324956: [analyzer] Exploration strategy prioritizing unexplored coverage first
rC324956: [analyzer] Exploration strategy prioritizing unexplored coverage first
Summary

See reviews.llvm.org/M1 for evaluation, and lists.llvm.org/pipermail/cfe-dev/2018-January/056718.html for discussion.

Diff Detail

Repository
rC Clang

Event Timeline

george.karpenkov created this revision.Jan 31 2018, 5:54 PM
Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptJan 31 2018, 5:54 PM
george.karpenkov added parent revisions: D42774: [analyzer] Expose setting exploration strategy through an analyzer option, D42773: [analyzer] Remove crashing unneeded assert.Jan 31 2018, 5:55 PM
george.karpenkov edited the summary of this revision. (Show Details)
george.karpenkov updated this revision to Diff 132427.Feb 1 2018, 10:56 AM
MTC added a subscriber: MTC.Feb 1 2018, 10:53 PM
george.karpenkov updated this revision to Diff 132710.Feb 2 2018, 5:07 PM
george.karpenkov edited the summary of this revision. (Show Details)

Switching to CFGBlocks made # of bug reports / % coverage slightly worse compared to the version using Stmt *, I am still confused as to why.
Removing StackFrameContext* from location identifier makes everything considerably worse.

@NoQ I think this version can go in.

NoQ added a comment.Feb 2 2018, 5:10 PM

I think you should add a test with foo() in else-branch as well, which has always passed, just to demonstrate that regardless of accidental if-branch analysis order we're doing the right thing.

NoQ added a comment.Feb 2 2018, 5:18 PM

More minor nits, but yeah, this is great :)

lib/StaticAnalyzer/Core/CoreEngine.cpp
137

Does this invariant keep holding after we put the node here? Like, what if it wasn't traversed when we were putting it here, but while it's in the stack we've traversed it on a different path?

Suggests: NormalPriorityStack, LowPriorityStack. Explaining that the latter contains beginnings of paths that were down-prioritized because they lead into blocks that we've already visited in this function.

145

Capitalize?

157

Essentially we assume that we made the right choice on the block edge and the node is now being explored for a good reason, and now that we went down this path, there's no need to downprioritize other elements in this block.

george.karpenkov added inline comments.Feb 6 2018, 11:11 AM
lib/StaticAnalyzer/Core/CoreEngine.cpp
137

Like, what if it wasn't traversed when we were putting it here, but while it's in the stack we've traversed it on a different path?

Surprisingly, it does: the key here is that we check exploration at the push-time, not at the pop-time. That is, the block is added to "reachable" not when we explore it, but when we put the corresponding node into queue.
Thus it's not possible for the node in stackUnexplored to become explored via some other path.

george.karpenkov updated this revision to Diff 133345.Feb 7 2018, 5:22 PM
george.karpenkov marked 2 inline comments as done.
george.karpenkov updated this revision to Diff 133347.Feb 7 2018, 5:46 PM
NoQ accepted this revision.Feb 7 2018, 6:26 PM

All right, so for now it is under the flag (-analyzer-config exploration_strategy=unexplored_first), it already makes a huge lot of sense, and it has tests, so i think we should land it now and flip the flag when we're ready.

It'd be great to have more direct tests for the exploration order, not just for the bugs. Probably dump CFG blocks in the traversal order, or even dump whole worklist snapshots for every analysis step - the latter seemed very useful while understanding the issue (we did it on the whiteboard, but i've no idea how huge would it be in practice, even if we still dump only CFG blocks of worklist units), because, as the original issue has demonstrated, even our simple DFS exploration may be completely counter-intuitive sometimes.

This revision is now accepted and ready to land.Feb 7 2018, 6:26 PM
george.karpenkov added a comment.Feb 7 2018, 6:29 PM

@NoQ

but i've no idea how huge would it be in practice

It's actually pretty small if we only do it for BlockEntrance edges.
Do you have any concrete ideas on how such dumping could be done? I could debug it by printing to llvm::errs(), but that's obviously not optimal.
I could use DEBUG(), but that's hacky, fragile, and would not even work in release builds.
I don't think I have good ideas left.

Closed by commit rC324956: [analyzer] Exploration strategy prioritizing unexplored coverage first (authored by george.karpenkov). · Explain WhyFeb 12 2018, 2:42 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptFeb 12 2018, 2:42 PM
george.karpenkov mentioned this in D43354: [analyzer] Exploration strategy prioritizing unexplored nodes first.Feb 15 2018, 2:31 PM
george.karpenkov mentioned this in rL326136: [analyzer] Exploration strategy prioritizing unexplored nodes first.Feb 26 2018, 2:16 PM
george.karpenkov mentioned this in rC326136: [analyzer] Exploration strategy prioritizing unexplored nodes first.

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
1 line
PathSensitive/
1 line
lib/
StaticAnalyzer/
Core/
27 lines
64 lines
test/
Analysis/
exploration_order/
39 lines

Diff 133943

include/clang/StaticAnalyzer/Core/AnalyzerOptions.h

Show First 20 LinesShow All 185 Lines▼ Show 20 Linespublic:
unsigned InlineMaxStackDepth; unsigned InlineMaxStackDepth;
/// \brief The mode of function selection used during inlining. /// \brief The mode of function selection used during inlining.
AnalysisInliningMode InliningMode; AnalysisInliningMode InliningMode;
enum class ExplorationStrategyKind { enum class ExplorationStrategyKind {
DFS, DFS,
BFS, BFS,
UnexploredFirst,
BFSBlockDFSContents, BFSBlockDFSContents,
NotSet NotSet
}; };
private: private:
ExplorationStrategyKind ExplorationStrategy; ExplorationStrategyKind ExplorationStrategy;
▲ Show 20 LinesShow All 456 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/WorkList.h

Show First 20 LinesShow All 77 Lines▼ Show 20 Linespublic:
virtual WorkListUnit dequeue() = 0; virtual WorkListUnit dequeue() = 0;
void setBlockCounter(BlockCounter C) { CurrentCounter = C; } void setBlockCounter(BlockCounter C) { CurrentCounter = C; }
BlockCounter getBlockCounter() const { return CurrentCounter; } BlockCounter getBlockCounter() const { return CurrentCounter; }
static std::unique_ptr<WorkList> makeDFS(); static std::unique_ptr<WorkList> makeDFS();
static std::unique_ptr<WorkList> makeBFS(); static std::unique_ptr<WorkList> makeBFS();
static std::unique_ptr<WorkList> makeBFSBlockDFSContents(); static std::unique_ptr<WorkList> makeBFSBlockDFSContents();
static std::unique_ptr<WorkList> makeUnexploredFirst();
}; };
} // end GR namespace } // end GR namespace
} // end clang namespace } // end clang namespace
#endif #endif

lib/StaticAnalyzer/Core/AnalyzerOptions.cpp

Show First 20 LinesShow All 52 Lines▼ Show 20 Lines if (UserMode == UMK_NotSet) {
assert(UserMode != UMK_NotSet && "User mode is invalid."); assert(UserMode != UMK_NotSet && "User mode is invalid.");
} }
return UserMode; return UserMode;
} }
AnalyzerOptions::ExplorationStrategyKind AnalyzerOptions::ExplorationStrategyKind
AnalyzerOptions::getExplorationStrategy() { AnalyzerOptions::getExplorationStrategy() {
if (ExplorationStrategy == ExplorationStrategyKind::NotSet) { if (ExplorationStrategy == ExplorationStrategyKind::NotSet) {
StringRef StratStr = Config.insert( StringRef StratStr =
std::make_pair("exploration_strategy", "dfs")).first->second; Config
ExplorationStrategy = llvm::StringSwitch<ExplorationStrategyKind>(StratStr) .insert(std::make_pair("exploration_strategy", "dfs"))
.first->second;
ExplorationStrategy =
llvm::StringSwitch<ExplorationStrategyKind>(StratStr)
.Case("dfs", ExplorationStrategyKind::DFS) .Case("dfs", ExplorationStrategyKind::DFS)
.Case("bfs", ExplorationStrategyKind::BFS) .Case("bfs", ExplorationStrategyKind::BFS)
.Case("bfs_block_dfs_contents", ExplorationStrategyKind::BFSBlockDFSContents) .Case("unexplored_first",
ExplorationStrategyKind::UnexploredFirst)
.Case("bfs_block_dfs_contents",
ExplorationStrategyKind::BFSBlockDFSContents)
.Default(ExplorationStrategyKind::NotSet); .Default(ExplorationStrategyKind::NotSet);
assert(ExplorationStrategy != ExplorationStrategyKind::NotSet assert(ExplorationStrategy != ExplorationStrategyKind::NotSet &&
&& "User mode is invalid."); "User mode is invalid.");
} }
return ExplorationStrategy; return ExplorationStrategy;
} }
IPAKind AnalyzerOptions::getIPAMode() { IPAKind AnalyzerOptions::getIPAMode() {
if (IPAMode == IPAK_NotSet) { if (IPAMode == IPAK_NotSet) {
// Use the User Mode to set the default IPA value. // Use the User Mode to set the default IPA value.
// Note, we have to add the string to the Config map for the ConfigDumper // Note, we have to add the string to the Config map for the ConfigDumper
// checker to function properly. // checker to function properly.
const char *DefaultIPA = nullptr; const char *DefaultIPA = nullptr;
UserModeKind HighLevelMode = getUserMode(); UserModeKind HighLevelMode = getUserMode();
▲ Show 20 LinesShow All 341 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/CoreEngine.cpp

Show All 13 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/StmtCXX.h" #include "clang/AST/StmtCXX.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/DenseSet.h"
#include "llvm/Support/Casting.h" #include "llvm/Support/Casting.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
#define DEBUG_TYPE "CoreEngine" #define DEBUG_TYPE "CoreEngine"
STATISTIC(NumSteps, STATISTIC(NumSteps,
"The # of steps executed."); "The # of steps executed.");
STATISTIC(NumReachedMaxSteps, STATISTIC(NumReachedMaxSteps,
"The # of times we reached the max number of steps."); "The # of times we reached the max number of steps.");
STATISTIC(NumPathsExplored, STATISTIC(NumPathsExplored,
"The # of paths explored by the analyzer."); "The # of paths explored by the analyzer.");
STATISTIC(MaxQueueSize, "Maximum size of the worklist");
STATISTIC(MaxReachableSize, "Maximum size of auxiliary worklist set");
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Worklist classes for exploration of reachable states. // Worklist classes for exploration of reachable states.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
class DFS : public WorkList { class DFS : public WorkList {
SmallVector<WorkListUnit,20> Stack; SmallVector<WorkListUnit,20> Stack;
public: public:
▲ Show 20 LinesShow All 79 Lines▼ Show 20 Lines public:
} }
}; };
} // end anonymous namespace } // end anonymous namespace
std::unique_ptr<WorkList> WorkList::makeBFSBlockDFSContents() { std::unique_ptr<WorkList> WorkList::makeBFSBlockDFSContents() {
return llvm::make_unique<BFSBlockDFSContents>(); return llvm::make_unique<BFSBlockDFSContents>();
} }
class UnexploredFirstStack : public WorkList {
/// Stack of nodes known to have statements we have not traversed yet.
NoQUnsubmitted
Not Done
ReplyInline Actions

Does this invariant keep holding after we put the node here? Like, what if it wasn't traversed when we were putting it here, but while it's in the stack we've traversed it on a different path?

Suggests: NormalPriorityStack, LowPriorityStack. Explaining that the latter contains beginnings of paths that were down-prioritized because they lead into blocks that we've already visited in this function.

NoQ: Does this invariant keep holding after we put the node here? Like, what if it wasn't traversed…
george.karpenkovAuthorUnsubmitted
Not Done
ReplyInline Actions

Like, what if it wasn't traversed when we were putting it here, but while it's in the stack we've traversed it on a different path?

Surprisingly, it does: the key here is that we check exploration at the push-time, not at the pop-time. That is, the block is added to "reachable" not when we explore it, but when we put the corresponding node into queue.
Thus it's not possible for the node in stackUnexplored to become explored via some other path.

george.karpenkov: > Like, what if it wasn't traversed when we were putting it here, but while it's in the stack…
SmallVector<WorkListUnit, 20> StackUnexplored;
/// Stack of all other nodes.
SmallVector<WorkListUnit, 20> StackOthers;
typedef unsigned BlockID;
typedef std::pair<BlockID, const StackFrameContext *> LocIdentifier;
llvm::DenseSet<LocIdentifier> Reachable;
NoQUnsubmitted
Done
ReplyInline Actions

Capitalize?

NoQ: Capitalize?
public:
bool hasWork() const override {
return !(StackUnexplored.empty() && StackOthers.empty());
}
void enqueue(const WorkListUnit &U) override {
const ExplodedNode *N = U.getNode();
auto BE = N->getLocation().getAs<BlockEntrance>();
if (!BE) {
NoQUnsubmitted
Done
ReplyInline Actions

Essentially we assume that we made the right choice on the block edge and the node is now being explored for a good reason, and now that we went down this path, there's no need to downprioritize other elements in this block.

NoQ: Essentially we assume that we made the right choice on the block edge and the node is now being…
// Assume the choice of the order of the preceeding block entrance was
// correct.
StackUnexplored.push_back(U);
} else {
LocIdentifier LocId = std::make_pair(
BE->getBlock()->getBlockID(), N->getStackFrame());
auto InsertInfo = Reachable.insert(LocId);
if (InsertInfo.second) {
StackUnexplored.push_back(U);
} else {
StackOthers.push_back(U);
}
}
MaxReachableSize.updateMax(Reachable.size());
MaxQueueSize.updateMax(StackUnexplored.size() + StackOthers.size());
}
WorkListUnit dequeue() override {
if (!StackUnexplored.empty()) {
WorkListUnit &U = StackUnexplored.back();
StackUnexplored.pop_back();
return U;
} else {
WorkListUnit &U = StackOthers.back();
StackOthers.pop_back();
return U;
}
}
};
std::unique_ptr<WorkList> WorkList::makeUnexploredFirst() {
return llvm::make_unique<UnexploredFirstStack>();
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Core analysis engine. // Core analysis engine.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static std::unique_ptr<WorkList> generateWorkList(AnalyzerOptions &Opts) { static std::unique_ptr<WorkList> generateWorkList(AnalyzerOptions &Opts) {
switch (Opts.getExplorationStrategy()) { switch (Opts.getExplorationStrategy()) {
case AnalyzerOptions::ExplorationStrategyKind::DFS: case AnalyzerOptions::ExplorationStrategyKind::DFS:
return WorkList::makeDFS(); return WorkList::makeDFS();
case AnalyzerOptions::ExplorationStrategyKind::BFS: case AnalyzerOptions::ExplorationStrategyKind::BFS:
return WorkList::makeBFS(); return WorkList::makeBFS();
case AnalyzerOptions::ExplorationStrategyKind::BFSBlockDFSContents: case AnalyzerOptions::ExplorationStrategyKind::BFSBlockDFSContents:
return WorkList::makeBFSBlockDFSContents(); return WorkList::makeBFSBlockDFSContents();
case AnalyzerOptions::ExplorationStrategyKind::UnexploredFirst:
return WorkList::makeUnexploredFirst();
default: default:
llvm_unreachable("Unexpected case"); llvm_unreachable("Unexpected case");
} }
} }
CoreEngine::CoreEngine(SubEngine &subengine, CoreEngine::CoreEngine(SubEngine &subengine,
FunctionSummariesTy *FS, FunctionSummariesTy *FS,
AnalyzerOptions &Opts) : SubEng(subengine), AnalyzerOptions &Opts) : SubEng(subengine),
▲ Show 20 LinesShow All 600 LinesShow Last 20 Lines

test/Analysis/exploration_order/prefer_unexplored.cc

// RUN: %clang_analyze_cc1 -w -analyzer-checker=core -analyzer-config exploration_strategy=unexplored_first -analyzer-output=text -verify %s | FileCheck %s
extern int coin();
int foo() {
int *x = 0; // expected-note {{'x' initialized to a null pointer value}}
while (coin()) { // expected-note{{Loop condition is true}}
if (coin()) // expected-note {{Taking true branch}}
return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
// expected-note@-1{{Dereference of null pointer (loaded from variable 'x')}}
}
return 0;
}
void bar() {
while(coin()) // expected-note{{Loop condition is true}}
if (coin()) // expected-note {{Assuming the condition is true}}
foo(); // expected-note{{Calling 'foo'}}
}
int foo2() {
int *x = 0; // expected-note {{'x' initialized to a null pointer value}}
while (coin()) { // expected-note{{Loop condition is true}}
if (coin()) // expected-note {{Taking false branch}}
return false;
else
return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
// expected-note@-1{{Dereference of null pointer (loaded from variable 'x')}}
}
return 0;
}
void bar2() {
while(coin()) // expected-note{{Loop condition is true}}
if (coin()) // expected-note {{Assuming the condition is false}}
return false;
else
foo(); // expected-note{{Calling 'foo'}}
}