This is an archive of the discontinued LLVM Phabricator instance.

Differential D43354

[analyzer] Exploration strategy prioritizing unexplored nodes first
ClosedPublic

Authored by george.karpenkov on Feb 15 2018, 2:31 PM.

Details

Reviewers
dcoughlin
NoQ
Commits
rG6dcbc1dbb387: [analyzer] Exploration strategy prioritizing unexplored nodes first
rL326136: [analyzer] Exploration strategy prioritizing unexplored nodes first
rC326136: [analyzer] Exploration strategy prioritizing unexplored nodes first
Summary

See D42775 for discussion.
Turns out, just exploring nodes which weren't explored first is not quite enough, as e.g. the first quick traversal resulting in a report can mark everything as "visited", and then subsequent traversals of the same region will get all the pitfalls of DFS.
Priority queue-based approach in comparison shows much greater increase in coverage and even performance, without sacrificing memory.

Diff Detail

Repository
rC Clang

Event Timeline

george.karpenkov created this revision.Feb 15 2018, 2:31 PM
Herald added subscribers: a.sidorin, szepet, xazax.hun. · View Herald TranscriptFeb 15 2018, 2:31 PM
george.karpenkov updated this revision to Diff 134528.Feb 15 2018, 4:20 PM
NoQ added a comment.Feb 23 2018, 1:42 PM

Looks great. Do you have any tests to demonstrate the difference?

lib/StaticAnalyzer/Core/CoreEngine.cpp
198

Uhm, this should have been typedef-ed in CFGBlock.

241

Because nobody knows what type -NumVIsited is and if it's going to be properly sign-extended and truncated into int, maybe lets just make all of these ints?

george.karpenkov added a comment.Feb 23 2018, 2:29 PM

Do you have any tests to demonstrate the difference?

Not on small files, unfortunately. Differences on large projects in performance, coverage and path lengths are very noticeable though.

george.karpenkov updated this revision to Diff 135751.Feb 23 2018, 6:01 PM
george.karpenkov marked an inline comment as done.
george.karpenkov updated this revision to Diff 135958.Feb 26 2018, 1:11 PM
NoQ accepted this revision.Feb 26 2018, 1:13 PM

All right, so at least we know that it works. I guess we need a better testing system to test exploration order, and please keep us informed if you manage to reduce an example for us :)

This revision is now accepted and ready to land.Feb 26 2018, 1:13 PM
george.karpenkov added a child revision: D43782: [analyzer] Switch the default exploration strategy to priority queue based on coverage.Feb 26 2018, 1:18 PM
Closed by commit rC326136: [analyzer] Exploration strategy prioritizing unexplored nodes first (authored by george.karpenkov). · Explain WhyFeb 26 2018, 2:16 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: cfe-commits. · View Herald TranscriptFeb 26 2018, 2:16 PM

Revision Contents

PathSize
include/
clang/
StaticAnalyzer/
Core/
1 line
PathSensitive/
1 line
lib/
StaticAnalyzer/
Core/
2 lines
64 lines
test/
Analysis/
exploration_order/
1 line

Diff 135980

include/clang/StaticAnalyzer/Core/AnalyzerOptions.h

Show First 20 LinesShow All 186 Lines▼ Show 20 Linespublic:
/// \brief The mode of function selection used during inlining. /// \brief The mode of function selection used during inlining.
AnalysisInliningMode InliningMode; AnalysisInliningMode InliningMode;
enum class ExplorationStrategyKind { enum class ExplorationStrategyKind {
DFS, DFS,
BFS, BFS,
UnexploredFirst, UnexploredFirst,
UnexploredFirstQueue,
BFSBlockDFSContents, BFSBlockDFSContents,
NotSet NotSet
}; };
private: private:
ExplorationStrategyKind ExplorationStrategy; ExplorationStrategyKind ExplorationStrategy;
▲ Show 20 LinesShow All 470 LinesShow Last 20 Lines

include/clang/StaticAnalyzer/Core/PathSensitive/WorkList.h

Show First 20 LinesShow All 78 Lines▼ Show 20 Linespublic:
void setBlockCounter(BlockCounter C) { CurrentCounter = C; } void setBlockCounter(BlockCounter C) { CurrentCounter = C; }
BlockCounter getBlockCounter() const { return CurrentCounter; } BlockCounter getBlockCounter() const { return CurrentCounter; }
static std::unique_ptr<WorkList> makeDFS(); static std::unique_ptr<WorkList> makeDFS();
static std::unique_ptr<WorkList> makeBFS(); static std::unique_ptr<WorkList> makeBFS();
static std::unique_ptr<WorkList> makeBFSBlockDFSContents(); static std::unique_ptr<WorkList> makeBFSBlockDFSContents();
static std::unique_ptr<WorkList> makeUnexploredFirst(); static std::unique_ptr<WorkList> makeUnexploredFirst();
static std::unique_ptr<WorkList> makeUnexploredFirstPriorityQueue();
}; };
} // end GR namespace } // end GR namespace
} // end clang namespace } // end clang namespace
#endif #endif

lib/StaticAnalyzer/Core/AnalyzerOptions.cpp

Show First 20 LinesShow All 62 Lines▼ Show 20 Lines StringRef StratStr =
.insert(std::make_pair("exploration_strategy", "dfs")) .insert(std::make_pair("exploration_strategy", "dfs"))
.first->second; .first->second;
ExplorationStrategy = ExplorationStrategy =
llvm::StringSwitch<ExplorationStrategyKind>(StratStr) llvm::StringSwitch<ExplorationStrategyKind>(StratStr)
.Case("dfs", ExplorationStrategyKind::DFS) .Case("dfs", ExplorationStrategyKind::DFS)
.Case("bfs", ExplorationStrategyKind::BFS) .Case("bfs", ExplorationStrategyKind::BFS)
.Case("unexplored_first", .Case("unexplored_first",
ExplorationStrategyKind::UnexploredFirst) ExplorationStrategyKind::UnexploredFirst)
.Case("unexplored_first_queue",
ExplorationStrategyKind::UnexploredFirstQueue)
.Case("bfs_block_dfs_contents", .Case("bfs_block_dfs_contents",
ExplorationStrategyKind::BFSBlockDFSContents) ExplorationStrategyKind::BFSBlockDFSContents)
.Default(ExplorationStrategyKind::NotSet); .Default(ExplorationStrategyKind::NotSet);
assert(ExplorationStrategy != ExplorationStrategyKind::NotSet && assert(ExplorationStrategy != ExplorationStrategyKind::NotSet &&
"User mode is invalid."); "User mode is invalid.");
} }
return ExplorationStrategy; return ExplorationStrategy;
} }
▲ Show 20 LinesShow All 355 LinesShow Last 20 Lines

lib/StaticAnalyzer/Core/CoreEngine.cpp

Show All 14 Lines
#include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CoreEngine.h"
#include "clang/AST/Expr.h" #include "clang/AST/Expr.h"
#include "clang/AST/ExprCXX.h" #include "clang/AST/ExprCXX.h"
#include "clang/AST/StmtCXX.h" #include "clang/AST/StmtCXX.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/ADT/DenseSet.h" #include "llvm/ADT/DenseSet.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/Support/Casting.h" #include "llvm/Support/Casting.h"
#include "llvm/ADT/PriorityQueue.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
#define DEBUG_TYPE "CoreEngine" #define DEBUG_TYPE "CoreEngine"
STATISTIC(NumSteps, STATISTIC(NumSteps,
"The # of steps executed."); "The # of steps executed.");
▲ Show 20 LinesShow All 155 Lines▼ Show 20 Linespublic:
} }
}; };
} // end anonymous namespace } // end anonymous namespace
std::unique_ptr<WorkList> WorkList::makeUnexploredFirst() { std::unique_ptr<WorkList> WorkList::makeUnexploredFirst() {
return llvm::make_unique<UnexploredFirstStack>(); return llvm::make_unique<UnexploredFirstStack>();
} }
class UnexploredFirstPriorityQueue : public WorkList {
typedef unsigned BlockID;
NoQUnsubmitted
Not Done
ReplyInline Actions

Uhm, this should have been typedef-ed in CFGBlock.

NoQ: Uhm, this should have been typedef-ed in `CFGBlock`.
typedef std::pair<BlockID, const StackFrameContext *> LocIdentifier;
// How many times each location was visited.
// Is signed because we negate it later in order to have a reversed
// comparison.
typedef llvm::DenseMap<LocIdentifier, int> VisitedTimesMap;
// Compare by number of times the location was visited first (negated
// to prefer less often visited locations), then by insertion time (prefer
// expanding nodes inserted sooner first).
typedef std::pair<int, unsigned long> QueuePriority;
typedef std::pair<WorkListUnit, QueuePriority> QueueItem;
struct ExplorationComparator {
bool operator() (const QueueItem &LHS, const QueueItem &RHS) {
return LHS.second < RHS.second;
}
};
// Number of inserted nodes, used to emulate DFS ordering in the priority
// queue when insertions are equal.
unsigned long Counter = 0;
// Number of times a current location was reached.
VisitedTimesMap NumReached;
// The top item is the largest one.
llvm::PriorityQueue<QueueItem, std::vector<QueueItem>, ExplorationComparator>
queue;
public:
bool hasWork() const override {
return !queue.empty();
}
void enqueue(const WorkListUnit &U) override {
const ExplodedNode *N = U.getNode();
unsigned NumVisited = 0;
if (auto BE = N->getLocation().getAs<BlockEntrance>()) {
LocIdentifier LocId = std::make_pair(
BE->getBlock()->getBlockID(), N->getStackFrame());
NumVisited = NumReached[LocId]++;
}
NoQUnsubmitted
Done
ReplyInline Actions

Because nobody knows what type -NumVIsited is and if it's going to be properly sign-extended and truncated into int, maybe lets just make all of these ints?

NoQ: Because nobody knows what type `-NumVIsited` is and if it's going to be properly sign-extended…
queue.push(std::make_pair(U, std::make_pair(-NumVisited, ++Counter)));
}
WorkListUnit dequeue() override {
QueueItem U = queue.top();
queue.pop();
return U.first;
}
};
std::unique_ptr<WorkList> WorkList::makeUnexploredFirstPriorityQueue() {
return llvm::make_unique<UnexploredFirstPriorityQueue>();
}
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Core analysis engine. // Core analysis engine.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static std::unique_ptr<WorkList> generateWorkList(AnalyzerOptions &Opts) { static std::unique_ptr<WorkList> generateWorkList(AnalyzerOptions &Opts) {
switch (Opts.getExplorationStrategy()) { switch (Opts.getExplorationStrategy()) {
case AnalyzerOptions::ExplorationStrategyKind::DFS: case AnalyzerOptions::ExplorationStrategyKind::DFS:
return WorkList::makeDFS(); return WorkList::makeDFS();
case AnalyzerOptions::ExplorationStrategyKind::BFS: case AnalyzerOptions::ExplorationStrategyKind::BFS:
return WorkList::makeBFS(); return WorkList::makeBFS();
case AnalyzerOptions::ExplorationStrategyKind::BFSBlockDFSContents: case AnalyzerOptions::ExplorationStrategyKind::BFSBlockDFSContents:
return WorkList::makeBFSBlockDFSContents(); return WorkList::makeBFSBlockDFSContents();
case AnalyzerOptions::ExplorationStrategyKind::UnexploredFirst: case AnalyzerOptions::ExplorationStrategyKind::UnexploredFirst:
return WorkList::makeUnexploredFirst(); return WorkList::makeUnexploredFirst();
case AnalyzerOptions::ExplorationStrategyKind::UnexploredFirstQueue:
return WorkList::makeUnexploredFirstPriorityQueue();
default: default:
llvm_unreachable("Unexpected case"); llvm_unreachable("Unexpected case");
} }
} }
CoreEngine::CoreEngine(SubEngine &subengine, CoreEngine::CoreEngine(SubEngine &subengine,
FunctionSummariesTy *FS, FunctionSummariesTy *FS,
AnalyzerOptions &Opts) : SubEng(subengine), AnalyzerOptions &Opts) : SubEng(subengine),
▲ Show 20 LinesShow All 600 LinesShow Last 20 Lines

test/Analysis/exploration_order/prefer_unexplored.cc

// RUN: %clang_analyze_cc1 -w -analyzer-checker=core -analyzer-config exploration_strategy=unexplored_first -analyzer-output=text -verify %s | FileCheck %s // RUN: %clang_analyze_cc1 -w -analyzer-checker=core -analyzer-config exploration_strategy=unexplored_first -analyzer-output=text -verify %s | FileCheck %s
// RUN: %clang_analyze_cc1 -w -analyzer-checker=core -analyzer-config exploration_strategy=unexplored_first_queue -analyzer-output=text -verify %s | FileCheck %s
extern int coin(); extern int coin();
int foo() { int foo() {
int *x = 0; // expected-note {{'x' initialized to a null pointer value}} int *x = 0; // expected-note {{'x' initialized to a null pointer value}}
while (coin()) { // expected-note{{Loop condition is true}} while (coin()) { // expected-note{{Loop condition is true}}
if (coin()) // expected-note {{Taking true branch}} if (coin()) // expected-note {{Taking true branch}}
return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}}
Show All 30 Lines