Download Raw Diff

Details

Reviewers

NoQ
MaskRay
xazax.hun
NutshellySima
asbirlea
kuhar

Commits

rG85211c083573: [Dominators] PR42041: Skip nullpointer successors
rC365026: [Dominators] PR42041: Skip nullpointer successors
rL365026: [Dominators] PR42041: Skip nullpointer successors

Summary

https://bugs.llvm.org/show_bug.cgi?id=42041

In Clang's CFG, we use nullpointers to represent unreachable nodes, for
example, in the included testfile, block B0 is unreachable from block
B1, resulting in a nullpointer dereference somewhere in
llvm::DominatorTreeBase<clang::CFGBlock, false>::recalculate.

This patch fixes this issue by specializing
llvm::DomTreeBuilder::SemiNCAInfo::ChildrenGetter::Get for
clang::CFG to not contain nullpointer successors.

Diff Detail

Repository: rL LLVM

Event Timeline

Szelethus created this revision.May 27 2019, 5:31 PM

Herald added subscribers: llvm-commits, gamesh411, kristina and 2 others. · View Herald TranscriptMay 27 2019, 5:31 PM

@Szelethus, could you double-check that there's no way to tweak some graph traits (or something like that) in order to filter out null-successors specifically for Clang CFG? I don't immediately see a way to do that, but i might have missed something. Given that ChildrenGetter<Direction>::Get returns a SmallVector, it shouldn't be that impossible.

Otherwise i hope an extra defensive check wouldn't hurt.

This revision is now accepted and ready to land.May 27 2019, 8:39 PM

MaskRay added inline comments.May 27 2019, 10:16 PM

llvm/include/llvm/Support/GenericDomTreeConstruction.h
242 ↗	(On Diff #201600)	I hope we can find an approach that doesn't need the defensive check here. In post dominator tree nullptr represents the virtual root, this check will cause some confusion. I also don't know if a simple check here is sufficient, I guess somewhere else might need similar checks.

In D62507#1518692, @NoQ wrote:

@Szelethus, could you double-check that there's no way to tweak some graph traits (or something like that) in order to filter out null-successors specifically for Clang CFG? I don't immediately see a way to do that, but i might have missed something. Given that ChildrenGetter<Direction>::Get returns a SmallVector, it shouldn't be that impossible.

Otherwise i hope an extra defensive check wouldn't hurt.

Yup,

diff --git a/llvm/include/llvm/Support/GenericDomTreeConstruction.h b/llvm/include/llvm/Support/GenericDomTreeConstruction.h
index c64d2030c6f..14349dbd5b5 100644
--- a/llvm/include/llvm/Support/GenericDomTreeConstruction.h
+++ b/llvm/include/llvm/Support/GenericDomTreeConstruction.h
@@ -111,12 +111,16 @@ struct SemiNCAInfo {
 
     static ResultTy Get(NodePtr N, std::integral_constant<bool, false>) {
       auto RChildren = reverse(children<NodePtr>(N));
-      return ResultTy(RChildren.begin(), RChildren.end());
+      ResultTy Ret(RChildren.begin(), RChildren.end());
+      Ret.erase(std::remove(Ret.begin(), Ret.end(), nullptr), Ret.end());
+      return Ret;
     }
 
     static ResultTy Get(NodePtr N, std::integral_constant<bool, true>) {
       auto IChildren = inverse_children<NodePtr>(N);
-      return ResultTy(IChildren.begin(), IChildren.end());
+      ResultTy Ret(IChildren.begin(), IChildren.end());
+      Ret.erase(std::remove(Ret.begin(), Ret.end(), nullptr), Ret.end());
+      return Ret;
     }
 
     using Tag = std::integral_constant<bool, Inverse>;

works perfectly, I'll just need to hide it in a template somehow.

Szelethus planned changes to this revision.May 28 2019, 6:14 AM

Szelethus marked an inline comment as done.

Szelethus added inline comments.

llvm/include/llvm/Support/GenericDomTreeConstruction.h
242 ↗	(On Diff #201600)	Yup, this isn't a good approach then. Thanks!

Like I mentioned in another thread, I really dislike this approach. The single source of truth about graph traversal in dominators is the ChildGetter structure that internally uses children and inverse_children, and expects them to only return pointers to actual successors/predecessors. It's very weird that children and inverse_children return nullptrs -- they are not valid graph nodes, and I don't see why this would be desired, despite how unreachable regions are represented in the CFG.

Would it be possible to change some graph traits responsible for children and inverse_children instead? Or as an alternative, let clang CFG specialize ChildGetter? Right now I'm marking this revision with 'request changes', until we explore alternative approaches.

"What's the difference between a template programmer and a monkey? A monkey uses tools."
/Zoltán Porkoláb/

Revert all changes to the dominator tree builder in LLVM, specialize ChildrenGetter::Get for clang's CFG. I'll try to explore nicer solutions, but this is clearly superior to my previous diff. Thank you all so much for the reviews!

Szelethus edited the summary of this revision. (Show Details)May 28 2019, 8:23 AM

Szelethus set the repository for this revision to rC Clang.

Herald added a subscriber: cfe-commits. · View Herald TranscriptMay 28 2019, 8:23 AM

kuhar added inline comments.May 28 2019, 8:24 AM

clang/include/clang/Analysis/Analyses/Dominators.h
190 ↗	(On Diff #201676)	Shouldn't one of the cases use `inverse_children`?

Correctly use reverse(children<NodePtr>(N)) and inverse_children<NodePtr>(N), based on the original code:

template <bool Inverse>
struct ChildrenGetter {
  using ResultTy = SmallVector<NodePtr, 8>;

  static ResultTy Get(NodePtr N, std::integral_constant<bool, false>) {
    auto RChildren = reverse(children<NodePtr>(N));
    return ResultTy(RChildren.begin(), RChildren.end());
  }

  static ResultTy Get(NodePtr N, std::integral_constant<bool, true>) {
    auto IChildren = inverse_children<NodePtr>(N);
    return ResultTy(IChildren.begin(), IChildren.end());
  }

  using Tag = std::integral_constant<bool, Inverse>;

  // etc etc...

Szelethus marked an inline comment as done.May 28 2019, 8:33 AM

Thanks, I think this is a much better solution than directly hacking on DomTreeBuilder.

Note that every time you ask DomTree about a nullptr CFG node, it understands it as a request for a virtual root. While now this should crash on forward dominators, you will get an actual tree node for a nullptr in postdominators. In the future, it may happen that forward dominators will also have a virtual root (for more efficient updates) and the users of clang CFG and dominators should be aware that not every CFG node (i.e., an unreachable successor) has a corresponding DomTreeNode.

This revision is now accepted and ready to land.May 28 2019, 8:39 AM

MaskRay accepted this revision.May 28 2019, 8:48 AM

Szelethus added a child revision: D62551: [analyzer][Dominator] Add post dominator tree builder for the CFG + a debug checker.May 28 2019, 2:04 PM

Drastically improve the readability of the test files.

Szelethus mentioned this in D63389: [IDF] Generalize IDFCalculator to be used with Clang's CFG.Jun 16 2019, 3:15 PM

Szelethus mentioned this in rL364911: [IDF] Generalize IDFCalculator to be used with Clang's CFG.Jul 2 2019, 4:30 AM

Szelethus mentioned this in rG9353421ecd12: [IDF] Generalize IDFCalculator to be used with Clang's CFG.Jul 2 2019, 4:35 AM

Closed by commit rL365026: [Dominators] PR42041: Skip nullpointer successors (authored by Szelethus). · Explain WhyJul 3 2019, 4:15 AM

This revision was automatically updated to reflect the committed changes.

Diff 207753

cfe/trunk/include/clang/Analysis/Analyses/Dominators.h

Show First 20 Lines • Show All 149 Lines • ▼ Show 20 Lines	public:
}		}

private:		private:
CFG *cfg;		CFG *cfg;
};		};

} // namespace clang		} // namespace clang

		namespace llvm {

		/// Clang's CFG contains nullpointers for unreachable succesors, e.g. when an
		/// if statement's condition is always false, it's 'then' branch is represented
		/// with a nullptr. This however will result in a nullpointer derefernece for
		/// dominator tree calculation.
		///
		/// To circumvent this, let's just crudely specialize the children getters
		/// used in LLVM's dominator tree builder.
		namespace DomTreeBuilder {

		using ClangCFGDomChildrenGetter =
		SemiNCAInfo<DomTreeBase<clang::CFGBlock>>::ChildrenGetter</Inverse=/false>;

		template <>
		template <>
		inline ClangCFGDomChildrenGetter::ResultTy ClangCFGDomChildrenGetter::Get(
		clang::CFGBlock N, std::integral_constant<bool, /Inverse=*/false>) {
		auto RChildren = reverse(children<NodePtr>(N));
		ResultTy Ret(RChildren.begin(), RChildren.end());
		Ret.erase(std::remove(Ret.begin(), Ret.end(), nullptr), Ret.end());
		return Ret;
		}

		using ClangCFGDomReverseChildrenGetter =
		SemiNCAInfo<DomTreeBase<clang::CFGBlock>>::ChildrenGetter</Inverse=/true>;

		template <>
		template <>
		inline ClangCFGDomReverseChildrenGetter::ResultTy
		ClangCFGDomReverseChildrenGetter::Get(
		clang::CFGBlock N, std::integral_constant<bool, /Inverse=*/true>) {
		auto IChildren = inverse_children<NodePtr>(N);
		ResultTy Ret(IChildren.begin(), IChildren.end());
		Ret.erase(std::remove(Ret.begin(), Ret.end(), nullptr), Ret.end());
		return Ret;
		}

		} // end of namespace DomTreeBuilder

//===-------------------------------------		//===-------------------------------------
/// DominatorTree GraphTraits specialization so the DominatorTree can be		/// DominatorTree GraphTraits specialization so the DominatorTree can be
/// iterable by generic graph iterators.		/// iterable by generic graph iterators.
///		///
namespace llvm {		template <> struct GraphTraits<clang::DomTreeNode *> {

template <> struct GraphTraits< ::clang::DomTreeNode* > {
using NodeRef = ::clang::DomTreeNode *;		using NodeRef = ::clang::DomTreeNode *;
using ChildIteratorType = ::clang::DomTreeNode::iterator;		using ChildIteratorType = ::clang::DomTreeNode::iterator;

static NodeRef getEntryNode(NodeRef N) { return N; }		static NodeRef getEntryNode(NodeRef N) { return N; }
static ChildIteratorType child_begin(NodeRef N) { return N->begin(); }		static ChildIteratorType child_begin(NodeRef N) { return N->begin(); }
static ChildIteratorType child_end(NodeRef N) { return N->end(); }		static ChildIteratorType child_end(NodeRef N) { return N->end(); }

using nodes_iterator =		using nodes_iterator =
Show All 29 Lines

cfe/trunk/test/Analysis/domtest.c

// RUN: rm -f %t		// RUN: %clang_analyze_cc1 %s \
// RUN: %clang_analyze_cc1 -analyzer-checker=debug.DumpDominators %s > %t 2>&1		// RUN: -analyzer-checker=debug.DumpDominators \
// RUN: FileCheck --input-file=%t %s		// RUN: 2>&1 \| FileCheck %s

// Test the DominatorsTree implementation with various control flows		// Test the DominatorsTree implementation with various control flows
int test1()		int test1()
{		{
int x = 6;		int x = 6;
int y = x/2;		int y = x/2;
int z;		int z;

while(y > 0) {		while(y > 0) {
if(y < x) {		if(y < x) {
x = x/y;		x = x/y;
y = y-1;		y = y-1;
}else{		}else{
z = x - y;		z = x - y;
}		}
x = x - 1;		x = x - 1;
x = x - 1;		x = x - 1;
}		}
z = x+y;		z = x+y;
z = 3;		z = 3;
return 0;		return 0;
}		}

		// [B9 (ENTRY)] -> [B8] -> [B7] -> [B6] -> [B5] -> [B3] -> [B2]
		// \|\ \ / /
		// \| \ ---> [B4] ---> /
		// \| <---------------------------
		// V
		// [B1] -> [B0 (EXIT)]

// CHECK: Immediate dominance tree (Node#,IDom#):		// CHECK: Immediate dominance tree (Node#,IDom#):
// CHECK: (0,1)		// CHECK-NEXT: (0,1)
// CHECK: (1,7)		// CHECK-NEXT: (1,7)
// CHECK: (2,3)		// CHECK-NEXT: (2,3)
// CHECK: (3,6)		// CHECK-NEXT: (3,6)
// CHECK: (4,6)		// CHECK-NEXT: (4,6)
// CHECK: (5,6)		// CHECK-NEXT: (5,6)
// CHECK: (6,7)		// CHECK-NEXT: (6,7)
// CHECK: (7,8)		// CHECK-NEXT: (7,8)
// CHECK: (8,9)		// CHECK-NEXT: (8,9)
// CHECK: (9,9)		// CHECK-NEXT: (9,9)

int test2()		int test2()
{		{
int x,y,z;		int x,y,z;

x = 10; y = 100;		x = 10; y = 100;
if(x > 0){		if(x > 0){
y = 1;		y = 1;
}else{		}else{
while(x<=0){		while(x<=0){
x++;		x++;
y++;		y++;
}		}
}		}
z = y;		z = y;

return 0;		return 0;
}		}

		// <-------------
		// / \
		// -----------> [B4] -> [B3] -> [B2]
		// / \|
		// / V
		// [B7 (ENTRY)] -> [B6] -> [B5] -> [B1] -> [B0 (EXIT)]

// CHECK: Immediate dominance tree (Node#,IDom#):		// CHECK: Immediate dominance tree (Node#,IDom#):
// CHECK: (0,1)		// CHECK-NEXT: (0,1)
// CHECK: (1,6)		// CHECK-NEXT: (1,6)
// CHECK: (2,3)		// CHECK-NEXT: (2,3)
// CHECK: (3,4)		// CHECK-NEXT: (3,4)
// CHECK: (4,6)		// CHECK-NEXT: (4,6)
// CHECK: (5,6)		// CHECK-NEXT: (5,6)
// CHECK: (6,7)		// CHECK-NEXT: (6,7)
// CHECK: (7,7)		// CHECK-NEXT: (7,7)

int test3()		int test3()
{		{
int x,y,z;		int x,y,z;

x = y = z = 1;		x = y = z = 1;
if(x>0) {		if(x>0) {
while(x>=0){		while(x>=0){
while(y>=x) {		while(y>=x) {
x = x-1;		x = x-1;
y = y/2;		y = y/2;
}		}
}		}
}		}
z = y;		z = y;

return 0;		return 0;
}		}

		// <-------------
		// / \
		// \| ---> [B2]
		// \| /
		// [B8 (ENTRY)] -> [B7] -> [B6] -> [B5] -> [B4] -> [B3]
		// \ \| \ /
		// \ \| <-------------
		// \ \
		// --------> [B1] -> [B0 (EXIT)]

// CHECK: Immediate dominance tree (Node#,IDom#):		// CHECK: Immediate dominance tree (Node#,IDom#):
// CHECK: (0,1)		// CHECK-NEXT: (0,1)
// CHECK: (1,7)		// CHECK-NEXT: (1,7)
// CHECK: (2,5)		// CHECK-NEXT: (2,5)
// CHECK: (3,4)		// CHECK-NEXT: (3,4)
// CHECK: (4,5)		// CHECK-NEXT: (4,5)
// CHECK: (5,6)		// CHECK-NEXT: (5,6)
// CHECK: (6,7)		// CHECK-NEXT: (6,7)
// CHECK: (7,8)		// CHECK-NEXT: (7,8)
// CHECK: (8,8)		// CHECK-NEXT: (8,8)

int test4()		int test4()
{		{
int y = 3;		int y = 3;
while(y > 0) {		while(y > 0) {
if(y < 3) {		if(y < 3) {
while(y>0)		while(y>0)
y ++;		y ++;
}else{		}else{
while(y<10)		while(y<10)
y ++;		y ++;
}		}
}		}
return 0;		return 0;
}		}

		// <----------------------------------
		// / <----------------- \
		// / / \ \
		// [B12 (ENTRY)] -> [B11] -> [B10]-> [B9] -> [B8] ---> [B7] -> [B6] \|
		// \| \ \ /
		// \| \ -----> [B2] --------/
		// \| \ /
		// \| -> [B5] -> [B4] -> [B3]
		// \| \ /
		// \| <------------
		// \
		// -> [B1] -> [B0 (EXIT)]

// CHECK: Immediate dominance tree (Node#,IDom#):		// CHECK: Immediate dominance tree (Node#,IDom#):
// CHECK: (0,1)		// CHECK-NEXT: (0,1)
// CHECK: (1,10)		// CHECK-NEXT: (1,10)
// CHECK: (2,9)		// CHECK-NEXT: (2,9)
// CHECK: (3,4)		// CHECK-NEXT: (3,4)
// CHECK: (4,5)		// CHECK-NEXT: (4,5)
// CHECK: (5,9)		// CHECK-NEXT: (5,9)
// CHECK: (6,7)		// CHECK-NEXT: (6,7)
// CHECK: (7,8)		// CHECK-NEXT: (7,8)
// CHECK: (8,9)		// CHECK-NEXT: (8,9)
// CHECK: (9,10)		// CHECK-NEXT: (9,10)
// CHECK: (10,11)		// CHECK-NEXT: (10,11)
// CHECK: (11,12)		// CHECK-NEXT: (11,12)
// CHECK: (12,12)		// CHECK-NEXT: (12,12)

int test5()		int test5()
{		{
int x,y,z,a,b,c;		int x,y,z,a,b,c;
x = 1;		x = 1;
y = 2;		y = 2;
z = 3;		z = 3;
a = 4;		a = 4;
Show All 13 Lines	if ( x < 10 ) {
b = 10;		b = 10;
} else {		} else {
x = 7;		x = 7;
}		}
c = 11;		c = 11;
return 0;		return 0;
}		}

// CHECK: Immediate dominance tree (Node#,IDom#):		// [B0 (EXIT)] <--
// CHECK: (0,1)		// \
// CHECK: (1,10)		// [B11 (ENTY)] -> [B10] -> [B9] -> [B8] -> [B7] -> [B5] -> [B3] -> [B1]
// CHECK: (2,10)		// \| \| \| / / /
// CHECK: (3,9)		// \| \| V / / /
// CHECK: (4,9)		// \| V [B6] --> / /
// CHECK: (5,8)		// V [B4] -----------------> /
// CHECK: (6,8)		// [B2]--------------------------------->
// CHECK: (7,8)
// CHECK: (8,9)
// CHECK: (9,10)
// CHECK: (10,11)
// CHECK: (11,11)


		// CHECK: Immediate dominance tree (Node#,IDom#):
		// CHECK-NEXT: (0,1)
		// CHECK-NEXT: (1,10)
		// CHECK-NEXT: (2,10)
		// CHECK-NEXT: (3,9)
		// CHECK-NEXT: (4,9)
		// CHECK-NEXT: (5,8)
		// CHECK-NEXT: (6,8)
		// CHECK-NEXT: (7,8)
		// CHECK-NEXT: (8,9)
		// CHECK-NEXT: (9,10)
		// CHECK-NEXT: (10,11)
		// CHECK-NEXT: (11,11)

cfe/trunk/test/Analysis/domtest.cpp

				// RUN: %clang_analyze_cc1 %s \
				// RUN: -analyzer-checker=debug.DumpDominators \
				// RUN: 2>&1 \| FileCheck %s

				bool coin();

				namespace pr42041_unreachable_cfg_successor {
				enum Kind {
				A
				};

				void f() {
				switch(Kind{}) {
				case A:
				break;
				}
				}
				} // end of namespace pr42041_unreachable_cfg_successor

				// [B3 (ENTRY)] -> [B1] -> [B2] -> [B0 (EXIT)]

				// CHECK: Immediate dominance tree (Node#,IDom#):
				// CHECK-NEXT: (0,2)
				// CHECK-NEXT: (1,3)
				// CHECK-NEXT: (2,1)
				// CHECK-NEXT: (3,3)

				void funcWithBranch() {
				int x = 0;
				if (coin()) {
				if (coin()) {
				x = 5;
				}
				int j = 10 / x;
				(void)j;
				}
				}

				// ----> [B2] ---->
				// / \
				// [B5 (ENTRY)] -> [B4] -> [B3] -----------> [B1]
				// \ /
				// ----> [B0 (EXIT)] <----

				// CHECK: Immediate dominance tree (Node#,IDom#):
				// CHECK-NEXT: (0,4)
				// CHECK-NEXT: (1,3)
				// CHECK-NEXT: (2,3)
				// CHECK-NEXT: (3,4)
				// CHECK-NEXT: (4,5)
				// CHECK-NEXT: (5,5)

This is an archive of the discontinued LLVM Phabricator instance.

[Dominators] PR42041: Skip nullpointer successors
ClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 207753

cfe/trunk/include/clang/Analysis/Analyses/Dominators.h

cfe/trunk/test/Analysis/domtest.c

cfe/trunk/test/Analysis/domtest.cpp

This is an archive of the discontinued LLVM Phabricator instance.

[Dominators] PR42041: Skip nullpointer successorsClosedPublic

Details

Diff Detail

Event Timeline

Revision Contents

Diff 207753

cfe/trunk/include/clang/Analysis/Analyses/Dominators.h

cfe/trunk/test/Analysis/domtest.c

cfe/trunk/test/Analysis/domtest.cpp

[Dominators] PR42041: Skip nullpointer successors
ClosedPublic