Hi!

Always great to see a new checker! I've started working in this project little over half a year ago, so I don't claim to be an expert, read my remarks as such! It'll be some time before I go through the entire code, but so far here are the things that caught my eye.

I think you should move the checker related files to a new folder, maybe StackOverflow/?

I think the idea for a checker like this is great! I left some inline comments, but most of them are minor nits. I have some general remarks to make however:

• Your code lacks comments, especially a nice documentation describing this problem, how you approach it, what the general algorithm is etc. For example, you use Usage extensively, but I am still a little unsure what the difference is between Empty and EmptyFlagged. I'd encourage you to look at a couple nice examples:
  1. @baloghadamsoftware's [[ https://github.com/llvm-mirror/clang/blob/master/lib/StaticAnalyzer/Checkers/IteratorChecker.cpp | IteratorChecker]] (A long code with fairly long comments to support it),
  2. @rnkovacs's [[https://github.com/llvm-mirror/clang/blob/master/lib/StaticAnalyzer/Checkers/DeleteWithNonVirtualDtorChecker.cpp | DeleteWithNonVirtualDtorChecker ]] (A shorter code with shorter explanation),
  3. My [[ https://github.com/llvm-mirror/clang/tree/master/lib/StaticAnalyzer/Checkers/UninitializedObject | UninitializedObjectChecker ]] (Very similar to your checker in terms of quantity of files etc)

• Make sure you follow the LLVM Coding Standards.
• As stated before, should move this to a new directory.
• For the amount of checker implementation you have, there aren't no many test cases. I can see that you handle CXXTryStmt, but there are no test cases for it.
• This revision is way too large for comfortable reading, you can help this by learning from my mistake and split it up into smaller patches. @NoQ summarized the reasons for this very nicely here: D45532#1083670
  1. Post a checker class with an empty callback [1]. Even in this stage, some discussion could be had with the general direction the implementation should go. This avoids the potential of investing a lot of effort into a project that could be wrong from the get-go. Don't get me wrong, I'm not at all saying this is the case here!
  2. Add implementation for checking a very easy case, such as a function with 10 array declarations, each having an absurd size.
  3. Add each new functionality as a separate patch, and add dependencies with "Edit Related Revisions". For example, one for handling branches, one for loops, etc.

Let me emphasize that I'm a beginner myself, so I could be wrong on many of these ^-^

[1] This could be a nice first patch:

//=======- StackSizeChecker.cpp ----------------------------------*- C++ -*-==//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
//  This file defines a checker that checks for suspiciously high stack use.
//  The checker produces a warning whenever the given stack limit is exceeded.
//  The limit is defined by the "StackUsageLimit" analyzer parameter,
//  or defaults to 100000 bytes.
//
//===----------------------------------------------------------------------===//

class StackSizeChecker
    : public Checker<check::PreCall, check::PostCall, check::EndFunction> {
  mutable std::unique_ptr<BugType> StackOverflowBugType;

public:
  int StackUsageLimit;

  void checkPreCall(const CallEvent &Call, CheckerContext &C) const {}
  void checkPostCall(const CallEvent &Call, CheckerContext &C) const {}
  void checkEndFunction(CheckerContext &C) const {}
};

void clang::ento::registerStackSizeChecker(CheckerManager &Mgr) {
  StackSizeChecker *Check = Mgr.registerChecker<StackSizeChecker>();
  Check->StackUsageLimit = Mgr.getAnalyzerOptions().getOptionAsInteger(
      "StackUsageLimit", /*DefaultVal*/ 100000, Check);
}

Without seeing the full picture (i.e. what you want to do with the clang-tidy check) it is hard to tell,
but are you *very* sure all this logic should be in clang/lib/StaticAnalyzer/, and not in clang/lib/Analysis/ ?

Hi @Szelethus !

Thanks for all your detailed and helpful input, I will make sure to go over all the comments and answer them, but it will take some time.

A bit more background information on this checker and how it came to be might help you and others to understand some of the choices I made, and also address some of your general questions and worries.
I was hesitant about putting too much in the summary but it seems I should have added more.

This was a university assignment and I was encouraged to put it up here. This code has seen quite a few iterations and criticism.
It was my introduction to the clang tool-chain, and the clang-tidy checker was actually the first one to exist. Explaining it briefly will help with the "bigger picture".
It focused on single function bodies and could tell you how much the maximal stack space that body can occupy is.
It was able to calculate with:

• variable lifetimes (even taking into account lifetimes extended by const references etc.)
• recycled space (if the lifetime of a variable ends you can place the new ones can take up its place)
• execution rules (for example: if there is an if statement then you take the maximal space from its branches and not add them together etc.).
• variable length arrays (it took note when it saw one and if the resulting number was close enough to the limit but not over it you still got a warning)

The final result was the all-time maximum so if you had a ... {... char c[1000]; ...} ... somewhere in the middle that was, by lifetime rules, gone by the end and nothing surpassed it, you still got the correct numbers.
To produce the result, 2-3 massive recursive functions with tons of else if-s were used to traverse the AST of the function body with an in-order traverse strategy.
Now for ordinary functions it was an easy "traverse it all then get the final number" task. But enter the templates. There seemed to be no way to tell right away that we entered a function that had dependent types.
The easiest answer to templates was going until you see something that has dependent types involved then quit right away and say "it is a template we have nothing to do here".
The implementation was crude but it got the job done. It had (and still has) tests for most of the cases (statement types, expressions, VLA, templates etc.) and those tests felt natural there because they were concerned
with the contents of a particular function body.

Now single functions are fun, but entire call chains are what usually matter. You can pack a few char[10000]-s in one body but having them in each function of a call stack may not be so good idea.
So the static analyzer checker basically uses the same logic for single functions as mentioned before but as the analyzer follows the execution paths it adds up everything.
Now you could say that simply taking the whole bodies into account is enough but consider the following example:

void f(...){
    ... some minor stack space is used
    if(...) {
        start_a_deep_and_costly_calculation();
    } else {
        char x[5000];
        ....
    }
}

Here taking the whole body of f may yield 5000+"someting" bytes, instead of the actual small space, that gets used in the call stack when the condition is true and the other function gets called.
So it is reasonable to say that partial summaries should be possible up to certain point in the body.
Having said these and the fact that the original code was even harder to read, the StackUsageMeasuringVisitor came into existence to replace those massive recursive functions.
It is based on the RecursiveASTVisitor and uses post-order traverse strategy to accomplish its goals. This is where the readability over performance aspect comes in.
Without going too deep into details my visitor assigns Usage values to the AST nodes and then their parents can calculate with that, depending on what they actually are. The aforementioned requirement to stop on templates is quite easy,
because you do not need a real answer at the end so you can stop. The requirement to leave out the parts after a certain point is trickier, because it has to assign a value to all the nodes up to the top for proper calculations.
With the specifics of the visitor base class (I've seen no in-order traverse possibility), the solution was to assign zero to everything we do not care about and basically after a certain point it is a dry run on the rest of the function body and some calculation in the parent nodes.
I saw a question about that ContinueTraversing and ExitFlag in the visitor. They are both needed, because you can use the same logic for "I don't care about anything following this statement" and "I don't care about anything if I see a template type"
with some predicates, but in the first case you still need to do stuff with the post-order strategy and can not stop the visitor right away.
Also I saw a comment about Usage::Empty and Usage::EmptyFlagged, the first one says something uses no space at all in general, the second one says that it may, but it is considered zero by decision and nothing should change that (i.e.: visiting the same node again but as a subclass of the statement or expression type).
The rest of this SA checker is basically "use the visitor on every function body you enter and add the numbers to the global picture".

I'm contradicting my previous example here a bit, but if you take the SA approach, probably what you are *really* interested in the grand picture is the fact that the checker can follow the execution path and not make too big mistakes during calculations.
That is what the currently included tests try to aim for. The real "nit picky" ones like const references or ones about casts and such are left in the tidy checker. There you are really interested in them because you want to really focus on one function at a time and get the best possible result.
I realize this breakdown might not be the best, and anyone is welcome to suggest a proper test layout. The other concern I had about tests is the fact that these warnings contain numbers that the checker has to match exactly with the ones in the test, and sometimes it feels a bit forced to require exactly 238 bytes in the message instead of "somewhere between 230-250" if we are talking about some f --> g --> h call graph. I'm fine with doing the "exact" math for a single function f but it gets redundant and cumbersome.
Also if someone says for example that something that has been assumed to take up some space on the stack should just be zero because clang always optimizes it out no matter what (just a thought, but may happen with the various types of casts that the AST can include), then you may have to recalculate more tests than it should be necessary. Again if I have slipped over some fact about the capabilities of the testing system please correct me.

About your suggestion with the folder, it seems reasonable, but I'm not sure about the name.

I hope this helps some of the general questions, I will post other answers as I get to them. Thanks again for your comments!

Hi @lebedev.ri!

Thanks for the question. I was not sure as to where exactly put the files. The important thing for me is that the StackUsageMeasuringVisitor should be reachable from the clang-tidy checker. (For the bigger picture please refer to my answer to @Szelethus). I was not able to find documentation I could use to put the extra logic in the right place (may be my fault). Any suggestions and references are welcome!

In D52390#1243228, @mate1214 wrote:

Hi @lebedev.ri!

Thanks for the question. I was not sure as to where exactly put the files. The important thing for me is that the StackUsageMeasuringVisitor should be reachable from the clang-tidy checker. (For the bigger picture please refer to my answer to @Szelethus). I was not able to find documentation I could use to put the extra logic in the right place (may be my fault). Any suggestions and references are welcome!

Reachable *how*?
Is clang-tidy check using this very same logic?
For recent examples, see ExprMutationAnalyzer, how it is structured (especially the tests, they are so nice!).
It started in clang-tidy, but then was promoted to analysis/.
So i'm wondering if the same should happen here, too.

Thanks for all your detailed and helpful input, I will make sure to go over all the comments and answer them, but it will take some time.

Cheers! I can't emphasize enough however that I might be wrong on what I've said, or say in this comment.

It was my introduction to the clang tool-chain

I always struggled getting enough literature about the static analyzer, if you didn't come across these works already, it might be worth taking a look :)

1. http://lcs.ios.ac.cn/~xuzb/canalyze/memmodel.pdf
2. https://github.com/llvm-mirror/clang/blob/master/lib/StaticAnalyzer/README.txt
3. https://clang-analyzer.llvm.org/checker_dev_manual.html
4. https://github.com/llvm-mirror/clang/blob/master/docs/analyzer/RegionStore.txt
5. https://github.com/haoNoQ/clang-analyzer-guide/releases/download/v0.1/clang-analyzer-guide-v0.1.pdf <--- by far the best guide for the static analyzer at the moment.
6. https://github.com/llvm-mirror/clang/blob/master/docs/analyzer/IPA.txt

A bit more background information on this checker and how it came to be might help you and others to understand some of the choices I made, and also address some of your general questions and worries.
I was hesitant about putting too much in the summary but it seems I should have added more.

Summaries are one thing, that most likely won't be (and shouldn't have to be) read by a future maintainer, the code should speak for itself.

This was a university assignment and I was encouraged to put it up here. This code has seen quite a few iterations and criticism.

It's great that you put it up here! New checkers (which from what I've seen are mostly written by beginners) tend to go through in some cases a many month long review process, so I guess be prepared for some back and forth, but I personally really enjoyed the process, I hope you will too.

I have read the rest of your comment, thanks for the details! I can't say that I understand every aspect of your algorithm, but I have a couple question for the grand picture (but feel free to correct me if I misunderstood anything):

I can see that you use check::PreCall, check::PostCall, check::EndFunction, and you also modifiy the program state to have a fairly good idea about what execution path did the analyzer take, but a function's stack usage is calculated very roughly. Let's imagine that in the next example, f is only called after heavy stack usage:

// Let's just pretend that this function actually
// has a meaningful implementation that the analyzer
// knows will return false in this case.
bool hasStackEnoughSpace() { return false; }

void f() {
  if (hasStackEnoughSpace())
    // use the stack like an absolute madman
  else
    chill();
}

This is silly, but what it wants to demonstrate, that you could report a false positive here, despite the analyzer potentially knowing that that path will never be taken. To me it seems like you don't utilize the actual ProgramState, but I think you should( edit: nvm, partially, see my next comment).

To me it also seems like that you pretty much reinvent the compiler in this patch, by modeling almost everything the compiler does by itself. I'm sadly nowhere near an expert on this topic, but it begs the question whether there's an already existing solution to this. Let's wait for others to weigh in on this, maybe I'm wrong and this is what has to be done.

A couple tips for easier development and review process:

• I think before deep diving into the fixes, you really should split up this patch into an empty callback (essentially an announcement), and add each feature as a separate patch. Ideally, each time you implement a new feature, such as handling branches, you should make a neat patch with a small implementation and related test cases. As a beginner (and I suffered from this myself) this is exceptionally hard to do, because you can often find yourself deleting everything and starting all over, but I've grown to appreciate this principle as I often saved myself a whole lot of effort due to some feedback. However, making a rough proof of concept is in this case IMO a good idea, because it's hard to see at the start where the code will end up, but later it should be split up.
• Comment everything. I mean, bool isSuccessful() const { return IsSuccessful; } and similar functions speak for themselves, but ideally every non-trivial function and structure should be documented, as well as any non-trivial hackery inside a function.

One important thing I forgot, that you cant rely on ProgramState due to tidy's constraints. Btw, how do you plan to make this into a tidy checker? To me it seems like it would amplify the already existing false positive issues (if I understand your currect way of thinking correctly).

One final nit apart from a few in-line comments (most of them are just arguing with @Szelethus anyways 😛): KB vs. KiB (remember how a 2 TB hard drive appears as 1.8 TB on your machine? Because it's TiB!) is one of my pet peeves especially that Windows and most people still get it wrong nowadays (and they also teach it wrong). Can we change the default from 100 000 to 102 400? That would make it truly 100 KiB in the proper sense.

@Szelethus, thank you a lot for covering this review!

@mate1214, yes, please please split this up, like @Szelethus described.

At the moment this patch is not only huge, it is very under-tested. Eg., the Visitor promises support for C++ temporaries (which can potentially be a very difficult problem), but tests don't contain even a single class. If the functionality was added incrementally, it would have been easy to make sure every improvement is covered by regression tests.

Am i understanding correctly that the visitor is capable of summing up stack usage on the current path, i.e. ignoring objects that are put on the stack only within parts of the function that were not in fact executed on the current path, while also ignoring objects that are already removed from the stack? It should indeed be possible to accomplish this by only looking at the AST (unless VLAs or alloca() calls are used excessively), but in this case why is the checkEndFunction() callback not specifying the current path?

I guess a good idea for this checker would be to add a BugReporterVisitor to it in order to highlight where exactly does the stack usage go up. It is allowed to be slow, so it might be reasonable to just outright re-run the Visitor on every statement in the bug path.

I approve moving the visitor into lib/Analysis. That's indeed the library into which we dump all static analysis that is not specific to Static Analyzer.

Once out of alpha, this checker will look great in optin.performance, where we already have a checker for excessive structure padding.

In D52390#1251526, @NoQ wrote:

I approve moving the visitor into lib/Analysis. That's indeed the library into which we dump all static analysis that is not specific to Static Analyzer.

@rsmith disagrees though, and he has a point: http://lists.llvm.org/pipermail/cfe-commits/Week-of-Mon-20181001/245294.html

Let's keep this in lib/StaticAnalyzer then!

It'd also be good to have an entry in www/analyzer/alpha_checks.html. We've been neglecting it for long enough :/.