This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
clang/
-
include/clang/StaticAnalyzer/Core/PathSensitive/
-
clang/
-
StaticAnalyzer/
-
Core/
-
PathSensitive/
1
MemRegion.h
-
Store.h
-
lib/StaticAnalyzer/Core/
-
StaticAnalyzer/
-
Core/
4/5
RegionStore.cpp

Differential D51397

[analyzer] Remove the "postponed" hack, deal with derived symbols using an extra map
ClosedPublic

Authored by george.karpenkov on Aug 28 2018, 5:44 PM.

Download Raw Diff

Details

Reviewers

dcoughlin
NoQ

Commits

rG5577cb70e135: [analyzer] Remove the "postponed" hack, deal with derived symbols using an…
rC341722: [analyzer] Remove the "postponed" hack, deal with derived symbols using an…
rL341722: [analyzer] Remove the "postponed" hack, deal with derived symbols using an…

Summary

The "derived" symbols indicate children fields of a larger symbol.
As parents do not have pointers to their children, the garbage collection algorithm the analyzer currently uses adds such symbols into a "postponed" category, and then keeps running through the worklist until the fixed point is reached.

The current patch rectifies that by instead using a helper map which stores pointers from parents to children, so that no fixed point calculation is necessary.

The current patch yields ~5% improvement in running time on sqlite.

Diff Detail

Event Timeline

george.karpenkov created this revision.Aug 28 2018, 5:44 PM

Herald added subscribers: Szelethus, mikhail.ramalho, a.sidorin and 3 others. · View Herald TranscriptAug 28 2018, 5:44 PM

NoQ added inline comments.Aug 29 2018, 2:24 PM

clang/lib/StaticAnalyzer/Core/RegionStore.cpp
2509	I suspect that this is unnecessary. We are guaranteed that `R` is live, therefore we are guaranteed that `RVS` is live.
2539–2541	`Loc::isLocType()`?
2544	Let's make whitespace consistent.
2548–2549	The constructor of `SymbolicRegion` contains an assertion that no other symbolic regions are possible. Let's add comment to that assertion that `RegionStore` now relies on that and needs to be updated if more cases are introduced.

george.karpenkov updated this revision to Diff 163238.Aug 29 2018, 5:44 PM

george.karpenkov marked 4 inline comments as done.

NoQ accepted this revision.Sep 6 2018, 3:20 PM

NoQ added inline comments.

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h
773	Actually, let's assert even more: in the `HeapSpaceRegion` case, `s` is always `SymbolConjured`. Also maybe let's point directly to `populateWorklistFromSymbol()` in the comment, otherwise nobody would have an idea what to look for, but if we point to a function then even if the function gets renamed the reader would be able to pick it up from the history.
clang/lib/StaticAnalyzer/Core/RegionStore.cpp
2527	Formatting.

This revision is now accepted and ready to land.Sep 6 2018, 3:20 PM

Closed by commit rL341722: [analyzer] Remove the "postponed" hack, deal with derived symbols using an… (authored by george.karpenkov). · Explain WhySep 7 2018, 3:11 PM

This revision was automatically updated to reflect the committed changes.

Herald added a subscriber: llvm-commits. · View Herald TranscriptSep 7 2018, 3:11 PM

NoQ added inline comments.Jan 30 2019, 3:32 PM

cfe/trunk/lib/StaticAnalyzer/Core/RegionStore.cpp
2539–2543 ↗	(On Diff #164526)	Argh, this isn't enough. In a nutshell, this code says "Uhm, is this symbol `$x` (say, `reg_$N<x>`) now live and it is a pointer? Ok, `RegionStore`, re-check the symbolic region `$x` (aka `SymRegion{reg_$N<x>}`)." Which is good. By "re-check" we mean "add it to the `RegionStore`'s worklist", which would cause re-exploration of bindings* within it. However, not every value stored in a region is a binding within the region! For instance, all values within `*$x` (aka `SymRegion{reg_$M<SymRegion{reg_$N<x>}}` are also kept alive, which we will fail to mark live when, say, `x` has no bindings at all - `SymbolRegionValue` is still presumed to be there. It would have been fine if it was just sub-regions, but in fact an infinite tree of base regions (namely, symbolic regions of non-assigned/invalidated pointer-type sub-regions) also become live every time a region becomes live, while only a finite amount of base regions become reachable when the traversal method implemented here gets applied.

Herald added subscribers: dkrupp, donat.nagy. · View Herald TranscriptJan 30 2019, 3:32 PM

NoQ mentioned this in D57554: [analyzer] Revert D51397 "Remove the "postponed" hack..."..Jan 31 2019, 4:28 PM

Revision Contents

Path

Size

clang/

include/

clang/

StaticAnalyzer/

Core/

PathSensitive/

MemRegion.h

3 lines

Store.h

2 lines

lib/

StaticAnalyzer/

Core/

RegionStore.cpp

62 lines

Diff 163238

clang/include/clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h

Show First 20 Lines • Show All 761 Lines • ▼ Show 20 Lines	class SymbolicRegion : public SubRegion {
const SymbolRef sym;		const SymbolRef sym;

SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg)		SymbolicRegion(const SymbolRef s, const MemSpaceRegion *sreg)
: SubRegion(sreg, SymbolicRegionKind), sym(s) {		: SubRegion(sreg, SymbolicRegionKind), sym(s) {
assert(s);		assert(s);
assert(s->getType()->isAnyPointerType() \|\|		assert(s->getType()->isAnyPointerType() \|\|
s->getType()->isReferenceType() \|\|		s->getType()->isReferenceType() \|\|
s->getType()->isBlockPointerType());		s->getType()->isBlockPointerType());

		// Region store relies on this assertion, and needs to be updated if
		// more cases are introduced.
assert(isa<UnknownSpaceRegion>(sreg) \|\| isa<HeapSpaceRegion>(sreg));		assert(isa<UnknownSpaceRegion>(sreg) \|\| isa<HeapSpaceRegion>(sreg));
		NoQUnsubmitted Not Done Reply Inline Actions Actually, let's assert even more: in the `HeapSpaceRegion` case, `s` is always `SymbolConjured`. Also maybe let's point directly to `populateWorklistFromSymbol()` in the comment, otherwise nobody would have an idea what to look for, but if we point to a function then even if the function gets renamed the reader would be able to pick it up from the history. NoQ: Actually, let's assert even more: in the `HeapSpaceRegion` case, `s` is always `SymbolConjured`.
}		}

public:		public:
SymbolRef getSymbol() const { return sym; }		SymbolRef getSymbol() const { return sym; }

bool isBoundable() const override { return true; }		bool isBoundable() const override { return true; }

DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;		DefinedOrUnknownSVal getExtent(SValBuilder &svalBuilder) const override;
▲ Show 20 Lines • Show All 704 Lines • Show Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

Show First 20 Lines • Show All 124 Lines • ▼ Show 20 Lines	public:
/// getInitialStore - Returns the initial "empty" store representing the		/// getInitialStore - Returns the initial "empty" store representing the
/// value bindings upon entry to an analyzed function.		/// value bindings upon entry to an analyzed function.
virtual StoreRef getInitialStore(const LocationContext *InitLoc) = 0;		virtual StoreRef getInitialStore(const LocationContext *InitLoc) = 0;

/// getRegionManager - Returns the internal RegionManager object that is		/// getRegionManager - Returns the internal RegionManager object that is
/// used to query and manipulate MemRegion objects.		/// used to query and manipulate MemRegion objects.
MemRegionManager& getRegionManager() { return MRMgr; }		MemRegionManager& getRegionManager() { return MRMgr; }

		SValBuilder& getSValBuilder() { return svalBuilder; }

virtual Loc getLValueVar(const VarDecl VD, const LocationContext LC) {		virtual Loc getLValueVar(const VarDecl VD, const LocationContext LC) {
return svalBuilder.makeLoc(MRMgr.getVarRegion(VD, LC));		return svalBuilder.makeLoc(MRMgr.getVarRegion(VD, LC));
}		}

Loc getLValueCompoundLiteral(const CompoundLiteralExpr *CL,		Loc getLValueCompoundLiteral(const CompoundLiteralExpr *CL,
const LocationContext *LC) {		const LocationContext *LC) {
return loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC));		return loc::MemRegionVal(MRMgr.getCompoundLiteralRegion(CL, LC));
}		}
▲ Show 20 Lines • Show All 198 Lines • Show Last 20 Lines

clang/lib/StaticAnalyzer/Core/RegionStore.cpp

	Show First 20 Lines • Show All 991 Lines • ▼ Show 20 Lines

	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//
	// State pruning.			// State pruning.
	//===----------------------------------------------------------------------===//			//===----------------------------------------------------------------------===//

	namespace {			namespace {
	class RemoveDeadBindingsWorker			class RemoveDeadBindingsWorker
	: public ClusterAnalysis<RemoveDeadBindingsWorker> {			: public ClusterAnalysis<RemoveDeadBindingsWorker> {
	SmallVector<const SymbolicRegion *, 12> Postponed;			using ChildrenListTy = SmallVector<const SymbolDerived *, 4>;
				using MapParentsToDerivedTy = llvm::DenseMap<SymbolRef, ChildrenListTy>;

				MapParentsToDerivedTy ParentsToDerived;
	SymbolReaper &SymReaper;			SymbolReaper &SymReaper;
	const StackFrameContext *CurrentLCtx;			const StackFrameContext *CurrentLCtx;

	public:			public:
	RemoveDeadBindingsWorker(RegionStoreManager &rm,			RemoveDeadBindingsWorker(RegionStoreManager &rm,
	ProgramStateManager &stateMgr,			ProgramStateManager &stateMgr,
	RegionBindingsRef b, SymbolReaper &symReaper,			RegionBindingsRef b, SymbolReaper &symReaper,
	const StackFrameContext *LCtx)			const StackFrameContext *LCtx)
	: ClusterAnalysis<RemoveDeadBindingsWorker>(rm, stateMgr, b),			: ClusterAnalysis<RemoveDeadBindingsWorker>(rm, stateMgr, b),
	SymReaper(symReaper), CurrentLCtx(LCtx) {}			SymReaper(symReaper), CurrentLCtx(LCtx) {}

	// Called by ClusterAnalysis.			// Called by ClusterAnalysis.
	void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C);			void VisitAddedToCluster(const MemRegion *baseR, const ClusterBindings &C);
	void VisitCluster(const MemRegion baseR, const ClusterBindings C);			void VisitCluster(const MemRegion baseR, const ClusterBindings C);
	using ClusterAnalysis<RemoveDeadBindingsWorker>::VisitCluster;			using ClusterAnalysis<RemoveDeadBindingsWorker>::VisitCluster;

	using ClusterAnalysis::AddToWorkList;			using ClusterAnalysis::AddToWorkList;

	bool AddToWorkList(const MemRegion *R);			bool AddToWorkList(const MemRegion *R);

	bool UpdatePostponed();
	void VisitBinding(SVal V);			void VisitBinding(SVal V);

				private:
				void populateWorklistFromSymbol(SymbolRef s);
	};			};
	}			}

	bool RemoveDeadBindingsWorker::AddToWorkList(const MemRegion *R) {			bool RemoveDeadBindingsWorker::AddToWorkList(const MemRegion *R) {
	const MemRegion *BaseR = R->getBaseRegion();			const MemRegion *BaseR = R->getBaseRegion();
	return AddToWorkList(WorkListElement(BaseR), getCluster(BaseR));			return AddToWorkList(WorkListElement(BaseR), getCluster(BaseR));
	}			}

	void RemoveDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR,			void RemoveDeadBindingsWorker::VisitAddedToCluster(const MemRegion *baseR,
	const ClusterBindings &C) {			const ClusterBindings &C) {

	if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {			if (const VarRegion *VR = dyn_cast<VarRegion>(baseR)) {
	if (SymReaper.isLive(VR))			if (SymReaper.isLive(VR))
	AddToWorkList(baseR, &C);			AddToWorkList(baseR, &C);

	return;			return;
	}			}

	if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) {			if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(baseR)) {
	if (SymReaper.isLive(SR->getSymbol()))			if (SymReaper.isLive(SR->getSymbol())) {
	AddToWorkList(SR, &C);			AddToWorkList(SR, &C);
	else			} else if (const auto *SD = dyn_cast<SymbolDerived>(SR->getSymbol())) {
	Postponed.push_back(SR);			ParentsToDerived[SD->getParentSymbol()].push_back(SD);
				}

	return;			return;
	}			}

	if (isa<NonStaticGlobalSpaceRegion>(baseR)) {			if (isa<NonStaticGlobalSpaceRegion>(baseR)) {
	AddToWorkList(baseR, &C);			AddToWorkList(baseR, &C);
	return;			return;
	}			}

	// CXXThisRegion in the current or parent location context is live.			// CXXThisRegion in the current or parent location context is live.
	if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) {			if (const CXXThisRegion *TR = dyn_cast<CXXThisRegion>(baseR)) {
	const StackArgumentsSpaceRegion *StackReg =			const auto *StackReg =
	cast<StackArgumentsSpaceRegion>(TR->getSuperRegion());			cast<StackArgumentsSpaceRegion>(TR->getSuperRegion());
	const StackFrameContext *RegCtx = StackReg->getStackFrame();			const StackFrameContext *RegCtx = StackReg->getStackFrame();
	if (CurrentLCtx &&			if (CurrentLCtx &&
	(RegCtx == CurrentLCtx \|\| RegCtx->isParentOf(CurrentLCtx)))			(RegCtx == CurrentLCtx \|\| RegCtx->isParentOf(CurrentLCtx)))
	AddToWorkList(TR, &C);			AddToWorkList(TR, &C);
	}			}
	}			}

	Show All 28 Lines
	VisitBinding(*I);			VisitBinding(*I);

	return;			return;
	}			}

	// If V is a region, then add it to the worklist.			// If V is a region, then add it to the worklist.
	if (const MemRegion *R = V.getAsRegion()) {			if (const MemRegion *R = V.getAsRegion()) {
	AddToWorkList(R);			AddToWorkList(R);

				if (const auto *TVR = dyn_cast<TypedValueRegion>(R)) {
				DefinedOrUnknownSVal RVS =
				RM.getSValBuilder().getRegionValueSymbolVal(TVR);
				if (const MemRegion *SR = RVS.getAsRegion()) {
				NoQUnsubmitted Done Reply Inline Actions I suspect that this is unnecessary. We are guaranteed that `R` is live, therefore we are guaranteed that `RVS` is live. NoQ: I suspect that this is unnecessary. We are guaranteed that `R` is live, therefore we are…
				AddToWorkList(SR);
				}
				}

	SymReaper.markLive(R);			SymReaper.markLive(R);

	// All regions captured by a block are also live.			// All regions captured by a block are also live.
	if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) {			if (const BlockDataRegion *BR = dyn_cast<BlockDataRegion>(R)) {
	BlockDataRegion::referenced_vars_iterator I = BR->referenced_vars_begin(),			BlockDataRegion::referenced_vars_iterator I = BR->referenced_vars_begin(),
	E = BR->referenced_vars_end();			E = BR->referenced_vars_end();
	for ( ; I != E; ++I)			for ( ; I != E; ++I)
	AddToWorkList(I.getCapturedRegion());			AddToWorkList(I.getCapturedRegion());
	}			}
	}			}


	// Update the set of live symbols.			// Update the set of live symbols.
	for (SymExpr::symbol_iterator SI = V.symbol_begin(), SE = V.symbol_end();			for (auto SI = V.symbol_begin(), SE = V.symbol_end(); SI!=SE; ++SI) {
				NoQUnsubmitted Not Done Reply Inline Actions Formatting. NoQ: Formatting.
	SI!=SE; ++SI)			populateWorklistFromSymbol(*SI);

				for (const auto SD : ParentsToDerived[SI])
				populateWorklistFromSymbol(SD);

	SymReaper.markLive(*SI);			SymReaper.markLive(*SI);
				}
	}			}

	bool RemoveDeadBindingsWorker::UpdatePostponed() {			void RemoveDeadBindingsWorker::populateWorklistFromSymbol(SymbolRef S) {
	// See if any postponed SymbolicRegions are actually live now, after			if (const auto *SD = dyn_cast<SymbolData>(S)) {
	// having done a scan.			if (Loc::isLocType(SD->getType()) && !SymReaper.isLive(SD)) {
	bool changed = false;			const SymbolicRegion *SR = RM.getRegionManager().getSymbolicRegion(SD);

				NoQUnsubmitted Done Reply Inline Actions `Loc::isLocType()`? NoQ: `Loc::isLocType()`?
	for (SmallVectorImpl<const SymbolicRegion*>::iterator			if (B.contains(SR))
	I = Postponed.begin(), E = Postponed.end() ; I != E ; ++I) {			AddToWorkList(SR);
	if (const SymbolicRegion SR = I) {
				NoQUnsubmitted Done Reply Inline Actions Let's make whitespace consistent. NoQ: Let's make whitespace consistent.
	if (SymReaper.isLive(SR->getSymbol())) {			const SymbolicRegion *SHR =
	changed \|= AddToWorkList(SR);			RM.getRegionManager().getSymbolicHeapRegion(SD);
	*I = nullptr;			if (B.contains(SHR))
	}			AddToWorkList(SHR);
	}			}
				NoQUnsubmitted Done Reply Inline Actions The constructor of `SymbolicRegion` contains an assertion that no other symbolic regions are possible. Let's add comment to that assertion that `RegionStore` now relies on that and needs to be updated if more cases are introduced. NoQ: The constructor of `SymbolicRegion` contains an assertion that no other symbolic regions are…
	}			}

	return changed;
	}			}

	StoreRef RegionStoreManager::removeDeadBindings(Store store,			StoreRef RegionStoreManager::removeDeadBindings(Store store,
	const StackFrameContext *LCtx,			const StackFrameContext *LCtx,
	SymbolReaper& SymReaper) {			SymbolReaper& SymReaper) {
	RegionBindingsRef B = getRegionBindings(store);			RegionBindingsRef B = getRegionBindings(store);
	RemoveDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx);			RemoveDeadBindingsWorker W(*this, StateMgr, B, SymReaper, LCtx);
	W.GenerateClusters();			W.GenerateClusters();

	// Enqueue the region roots onto the worklist.			// Enqueue the region roots onto the worklist.
	for (SymbolReaper::region_iterator I = SymReaper.region_begin(),			for (SymbolReaper::region_iterator I = SymReaper.region_begin(),
	E = SymReaper.region_end(); I != E; ++I) {			E = SymReaper.region_end(); I != E; ++I) {
	W.AddToWorkList(*I);			W.AddToWorkList(*I);
	}			}

	do W.RunWorkList(); while (W.UpdatePostponed());			W.RunWorkList();

	// We have now scanned the store, marking reachable regions and symbols			// We have now scanned the store, marking reachable regions and symbols
	// as live. We now remove all the regions that are dead from the store			// as live. We now remove all the regions that are dead from the store
	// as well as update DSymbols with the set symbols that are now dead.			// as well as update DSymbols with the set symbols that are now dead.
	for (RegionBindingsRef::iterator I = B.begin(), E = B.end(); I != E; ++I) {			for (RegionBindingsRef::iterator I = B.begin(), E = B.end(); I != E; ++I) {
	const MemRegion *Base = I.getKey();			const MemRegion *Base = I.getKey();

	// If the cluster has been visited, we know the region has been marked.			// If the cluster has been visited, we know the region has been marked.
	Show All 35 Lines