For the test files where plist files have changed: (note to self: there has got to be a better way to show this off)

(same for the .*objcpp file)

Yay, this thing really works!

Now, whether this change is any good is practically impossible to tell without evaluation on production code, so I'll get back with that once I gather some data.

Yes. This patch deserves some data on how much have reports grown in length (i.e., how many have grown in length and how much did they do so). Ideally we should also have a look at how many of the new notes were truly useful. Eg., you can start with the old report, understand it (or fail to do so), then take the new report. If you get this feeling that's like "ugh, if i've seen this note before i would have figured this out much sooner!", then it's a good note. If the bug report was obvious to begin with and the note didn't add much, it's probably not a good note. But it's not necessarily bad as long as the report remains readable.

Additionally, it's likely that some reports will in fact get suppressed due to inline defensive checks suppressions kicking in over condition values. That'd be a lot of fun to see as well.

I think we should make clear that this visitor only operates within one function and does not track controll dependencies across functions.

Hmm, maybe it's worth investigating whether if we pop the call stack, does the bug report improve if we update the visitor to build control dependencies for the recent function, and update the origin block to be the one where the function call was located.

I implemented the fixes you commented on, but during evaluation it turned out that my visitor eats ram for breakfast, and then goes for seconds. I mean, like 5-30x the normal memory consumption, and the same for analysis speed. I counted the number of concurrent instances (incrementing a static counter in ctor, decrementing in dtor), and it seems to go up into the hundreds of thousands, even millions before restarting the counter. I killed the process before crippling the server.

I'm not sure how long it'll take for me to figure out what's wrong, but these numbers are so ridiculous, I suspect a programming error rather then an algorithmic issue.

edit: I seem to have found a solution, I'll share more later when I get to evaluate this :)

In D62883#1536894, @Szelethus wrote:

I'm not sure how long it'll take for me to figure out what's wrong, but these numbers are so ridiculous, I suspect a programming error rather then an algorithmic issue.

edit: I seem to have found a solution, I'll share more later when I get to evaluate this :)

At a glance, it might be that bugreporter::trackExpressionValue() is called on every node within the block, rather than only once in a lifetime of the visitor.

I marked reports, confusingly, "Confirmed" if the extra notes were meaningful, "Intentional" if they were meaningless, and "False positive" if it's in between.

I took a look at the results. You can take a look at selected ones here:

http://cc.elte.hu:15001/Default/#report-hash=&run=LLVM%2FClang%2FClang-tools-extra%20AFTER%20tracking%20conditions&review-status=Confirmed&review-status=False%20positive&review-status=Intentional&detection-status=New&detection-status=Reopened&detection-status=Unresolved&tab=LLVM%2FClang%2FClang-tools-extra%20AFTER%20tracking%20conditions&is-unique=on

Due to the lack of better categorization, I used the following (so this has in fact no relation to whether the report is correct or not):

• Intentional reports (green x) are the ones where the bugreport got unquestionably worse.
• Confirmed reports (red check mark) got definitely better
• False positives (grey line) are in between.

If you hover your mouse over the icon, you can also read a comment of mine. When you open a report, in the right corner of the source code you'll find a dropdown menu, allowing you to see the report without this patch applied:

Some conclusions:

• Cases where the condition is also a variable initialization tend to expand the bug path greatly. This isn't always bad, but should be noted. In general, unless we have a good heuristic to figure out whether there is meaningful information on the right hand side of the initialization, I think we just shouldn't track these. A good example for this is this one. The 37th event contains pretty much every information we need, it's obvious that the optional could either be None or non-None, since it's in a condition. dyn_cast is a prime example too: in this case, note 9 is all we really need.
• We should probably believe that operator bool() is implemented correctly, and shouldn't track the value all the way there (at least, when we're only tracking the condition). Example
• We shouldn't ever track assert-like conditions. Example (note 38-41)
• When the report didn't suffer from any of the above issues, I found the extra notes to be helpful! :D

I'm doing another analysis to help a bit on evaluation with the following modification:

diff --git a/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp b/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
index 9c40ebead56..4ac4b873675 100644
--- a/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
+++ b/clang/lib/StaticAnalyzer/Core/BugReporterVisitors.cpp
@@ -1892,12 +1892,28 @@ TrackControlDependencyCondBRVisitor::VisitNode(const ExplodedNode *N,
   if (!OriginB || !NB)
     return nullptr;
 
-  if (ControlDepTree.isControlDependency(OriginB, NB))
-    if (const Expr *Condition = getTerminatorCondition(NB))
-      if (BR.addTrackedCondition(Condition))
+  if (ControlDepTree.isControlDependency(OriginB, NB)) {
+    if (const Expr *Condition = getTerminatorCondition(NB)) {
+      if (BR.addTrackedCondition(Condition)) {
         bugreporter::trackExpressionValue(
             N, Condition, BR, /*EnableNullFPSuppression=*/false);
 
+        if (BRC.getAnalyzerOptions().AnalysisDiagOpt == PD_NONE)
+          return nullptr;
+
+        std::string ConditionText = Lexer::getSourceText(
+            CharSourceRange::getTokenRange(Condition->getSourceRange()),
+                                           BRC.getSourceManager(),
+                                           BRC.getASTContext().getLangOpts());
+
+        return std::make_shared<PathDiagnosticEventPiece>(
+            PathDiagnosticLocation::createEnd(
+                Condition, BRC.getSourceManager(), N->getLocationContext()),
+                "Tracking condition " + ConditionText);
+      }
+    }
+  }
+
   return nullptr;
 }

*sloowly catches up >.<*

I looked at bug path with the Optional. I did not debug into the analyzer but my intuition is the following: DefChainEnd is interesting. TerminatedPaths is the control dependency of DefChainEnd. And there are probably other things that are the control and/or value dependency of TerminatedPaths . One trick we could try is to limit the number of dependencies we track. For example, we could try what happens if we only track the immediate control dependencies of the original interesting region/symbol and does not add more control dependency recursively.

In case we find limiting the number of dependencies useful, I could imagine a user-facing flag like report-verbosity. The default one could include only the notes we find useful after limiting the tracking. A detailed option could add all the notes from the transitive tracking of dependencies. A verbose option could remove path pruning as well. This is just random brainstorming :) First, we need to so whether non-transitive tracking it is actually improving the situation.

I am not sure about assuming operator bool being correct. I think we first could think about other tricks to limit the tracking (see my idea above) and if we fail I would only add such rules as a last resort.

I don't understand why the visibility had to be changed (especially without explanation), and unless there's a good reason for it, I strongly disagree with it.

I am not sure about assuming operator bool being correct. I think we first could think about other tricks to limit the tracking (see my idea above) and if we fail I would only add such rules as a last resort.

I think this depends greatly on the stack frame layout. I seem to be perfectly fine with not tracking the value within foo() in

if (foo()) {
  ...
}

whenever foo() returns a bool. Simply because "why else would you add a check if it always returns the same value?".

However, this heuristic breaks when the same code appears in an inlined stack frame. Because given the context, we need to prove that this check makes sense *in this context*.

I strongly suspect that all of the heuristics that you're talking about depend significantly on the surrounding call stacks. Like, i suspect it so strongly that i'm ready to admit that i've no idea what we're doing anymore, and it makes sense to take a pen and a sheet of paper and try to write down the tracking rules, and then come up with an easily editable and extensible architecture for tweaking those rules as we discover more and more of them.

In D62883#1542802, @Szelethus wrote:

Some conclusions:

• Cases where the condition is also a variable initialization tend to expand the bug path greatly. This isn't always bad, but should be noted. In general, unless we have a good heuristic to figure out whether there is meaningful information on the right hand side of the initialization, I think we just shouldn't track these. A good example for this is this one. The 37th event contains pretty much every information we need, it's obvious that the optional could either be None or non-None, since it's in a condition. dyn_cast is a prime example too: in this case, note 9 is all we really need.
• We should probably believe that operator bool() is implemented correctly, and shouldn't track the value all the way there (at least, when we're only tracking the condition). Example
• We shouldn't ever track assert-like conditions. Example (note 38-41)
• When the report didn't suffer from any of the above issues, I found the extra notes to be helpful! :D

On the other hand, all of these problems seem to be examples of the problem of D62978. Might it be that it's the only thing that we're missing? Like, we need to formulate a rule that'll give us an understanding of when do we track the value past the point where it has been constrained to true or false - do we care about the origins of the value or do we care about its constraints only? In case of flag in the test examples, we clearly do. In case of these bools that come from boolean conversions and assertions and such, we clearly don't. What's the difference?

How about we track the condition value past its collapse point only if it involves an overwrite of a variable (or other region) from which the value is loaded? Like, if there are no overwrites, stop at the collapse point. If there are overwrites, stop at the oldest overwrite point (i.e., the value was loaded from 'x' which was previously overwritten by the value of value 'y' which was previously overwritten by the initial value of variable 'z' => stop at the overwrite point of 'y').

(then, again, not sure what happens if more nested stack frames are around)

In D62883#1544283, @NoQ wrote:

However, this heuristic breaks when the same code appears in an inlined stack frame. Because given the context, we need to prove that this check makes sense *in this context*. I strongly suspect that all of the heuristics that you're talking about depend significantly on the surrounding call stacks.

I don't follow you here, unfortunately, could you please elaborate? Also, I'll come out with this right now: I never really understood these contexts, is there a handy doc or a paper I could take a look at?

Like, i suspect it so strongly that i'm ready to admit that i've no idea what we're doing anymore, and it makes sense to take a pen and a sheet of paper and try to write down the tracking rules, and then come up with an easily editable and extensible architecture for tweaking those rules as we discover more and more of them.

That sounds great. The should-not-have-happened and the must-have-happened cases will all rely on this (since in both cases, at least for now, we'd like to use the extra information to track conditions), so maybe it's due to refresh trackExpressionValue. It would also make publishing and reviewing my works a lot easier.

In D62883#1544302, @NoQ wrote:

On the other hand, all of these problems seem to be examples of the problem of D62978. Might it be that it's the only thing that we're missing? Like, we need to formulate a rule that'll give us an understanding of when do we track the value past the point where it has been constrained to true or false - do we care about the origins of the value or do we care about its constraints only? In case of flag in the test examples, we clearly do. In case of these bools that come from boolean conversions and assertions and such, we clearly don't. What's the difference?

How about we track the condition value past its collapse point only if it involves an overwrite of a variable (or other region) from which the value is loaded? Like, if there are no overwrites, stop at the collapse point. If there are overwrites, stop at the oldest overwrite point (i.e., the value was loaded from 'x' which was previously overwritten by the value of value 'y' which was previously overwritten by the initial value of variable 'z' => stop at the overwrite point of 'y').

(then, again, not sure what happens if more nested stack frames are around)

For now, I'd like to restrict my efforts to simply "we should track this" or "we shouldn't track this". I think simply not tracking cases where the condition is a single variable assignment is a good initial approach. Let how the tracking is done be a worry for another day. Also, I'm a little confused, isn't this comment about how D62978 could be solved?

In D62883#1542802, @Szelethus wrote:

If you hover your mouse over the icon, you can also read a comment of mine. When you open a report, in the right corner of the source code you'll find a dropdown menu, allowing you to see the report without this patch applied:

I added another run that displays notes at each condition that this new visitor tracks.

In D62883#1545324, @Charusso wrote:

Hey! It is a cool patch as the smallest the scope the better to understand what is going on. I like the direction, but we saw with @NoQ, we have to think about "In which range do we track?".

In D62883#1545282, @Szelethus wrote:

• Hide the current implementation behind the off-by-default analyzer config "track-conditions"

Do you think that this patch looks good enough now that it's off by default? Maybe it'd be easier to develop/review followup changes separately.

It would be helpful to see what is exactly new, what trackExpressionValue() cannot provide. Could you adjust the test case with a second run, where you switch off that new feature, please? (I highly recommend that for future developments also.)

You can see how this would look like by checking the history of this revision: https://reviews.llvm.org/D62883?vs=204554&id=204973&whitespace=ignore-most#toc. Adding a second RUN: line might be a good idea though.

In D62883#1544609, @Szelethus wrote:

In D62883#1544302, @NoQ wrote:

On the other hand, all of these problems seem to be examples of the problem of D62978. Might it be that it's the only thing that we're missing? Like, we need to formulate a rule that'll give us an understanding of when do we track the value past the point where it has been constrained to true or false - do we care about the origins of the value or do we care about its constraints only? In case of flag in the test examples, we clearly do. In case of these bools that come from boolean conversions and assertions and such, we clearly don't. What's the difference?

How about we track the condition value past its collapse point only if it involves an overwrite of a variable (or other region) from which the value is loaded? Like, if there are no overwrites, stop at the collapse point. If there are overwrites, stop at the oldest overwrite point (i.e., the value was loaded from 'x' which was previously overwritten by the value of value 'y' which was previously overwritten by the initial value of variable 'z' => stop at the overwrite point of 'y').

(then, again, not sure what happens if more nested stack frames are around)

For now, I'd like to restrict my efforts to simply "we should track this" or "we shouldn't track this". I think simply not tracking cases where the condition is a single variable assignment is a good initial approach. Let how the tracking is done be a worry for another day. Also, I'm a little confused, isn't this comment about how D62978 could be solved?

As @NoQ pointed out we have some problem with that function. We are tracking *values* without using the redecl()-chain (see in https://clang.llvm.org/doxygen/DeclBase_8h_source.html#l00948), or without tracking conditions. You have solved(?) the latter, but the former is equally important to solve.

I'm a little confused, which is the "former" and "latter" you're referring to?

As I see that is the current situation:

• ReturnVisitor: give us too much unrelated information as we go out of scope.
• FindLastStoreBRVisitor: do not use redecls() so gets confused with all the hackish SVal conversions.
• TrackControlDependencyCondBRVisitor: swaps notes which is questionable if I want to see what the above two kindly provides for me, or I would remove them instead.

I believe this patch should be on by default, but it requires to fix the "In which range do we track?" problem with D62978.

I disagree with this. The reason why I'd like to make this an off-by-default option is to implement my followup improvements incrementally (not only that, but a whole family of conditions is going to be added), and allow us to observe the changes those make in relation to this patch -- besides, I don't really see this patch changing even if I manage to fix those issues. Would you like to see a change being made to this specific patch?

In D62883#1545341, @Szelethus wrote:

In D62883#1545324, @Charusso wrote:

As @NoQ pointed out we have some problem with that function. We are tracking *values* without using the redecl()-chain (see in https://clang.llvm.org/doxygen/DeclBase_8h_source.html#l00948), or without tracking conditions. You have solved(?) the latter, but the former is equally important to solve.

I'm a little confused, which is the "former" and "latter" you're referring to?

I believe you have solved the condition tracking as you move in-place what is going on.

I believe this patch should be on by default, but it requires to fix the "In which range do we track?" problem with D62978.

I disagree with this. The reason why I'd like to make this an off-by-default option is to implement my followup improvements incrementally (not only that, but a whole family of conditions is going to be added), and allow us to observe the changes those make in relation to this patch -- besides, I don't really see this patch changing even if I manage to fix those issues. Would you like to see a change being made to this specific patch?

As you moving stuff around it just bypasses the usefulness of the mentioned two visitors, which is a problem. Also you have mentioned some very crazy bad side-effects which is yes, related to in which range do we operate.

In D62883#1545343, @Charusso wrote:

In D62883#1545341, @Szelethus wrote:

In D62883#1545324, @Charusso wrote:

As @NoQ pointed out we have some problem with that function. We are tracking *values* without using the redecl()-chain (see in https://clang.llvm.org/doxygen/DeclBase_8h_source.html#l00948), or without tracking conditions. You have solved(?) the latter, but the former is equally important to solve.

I'm a little confused, which is the "former" and "latter" you're referring to?

I believe you have solved the condition tracking as you move in-place what is going on.

I'm still not sure I follow :) What are the two distinct things to be solved here?

I believe this patch should be on by default, but it requires to fix the "In which range do we track?" problem with D62978.

I disagree with this. The reason why I'd like to make this an off-by-default option is to implement my followup improvements incrementally (not only that, but a whole family of conditions is going to be added), and allow us to observe the changes those make in relation to this patch -- besides, I don't really see this patch changing even if I manage to fix those issues. Would you like to see a change being made to this specific patch?

As you moving stuff around it just bypasses the usefulness of the mentioned two visitors, which is a problem. Also you have mentioned some very crazy bad side-effects which is yes, related to in which range do we operate.

Could you please elaborate? The particular thing I'm missing, I guess, is the need to get those issues fixed before this patch, and making this on-by-default. If anything, enabling a flag like this could really demonstrate changes on those problems. I also like to think that tracking a condition (especially a condition of a control dependency of yet another condition) is a drastically different case that tracking a "regular" variable (in particular, I think more aggressive pruning could be used), and such a change would definitely be out of scope for this patch.

I like to think that most of the unimportant notes can be easily categorized, as seen above. With some, admittedly crude heuristics, we could cut these down greatly, and leave some breathing room for fine-tuning it.

In D62883#1552870, @Szelethus wrote:

• Now using CFGBlock::getTerminatorConditionExpr()
• Uniqueing already tracked conditions as an (Expr, ExplodedNode) pair instead of on Expr

I would be surprised to see the same ExploderNode multiple time a lot. Also, ExploderNode will have a program point, so having both an ExploderNode and an Expr feels redundant to me.

• Add a TODO: about caching
• Add plenty of new test cases for good measure (examples from my latest mail http://lists.llvm.org/pipermail/cfe-dev/2019-June/062613.html)

In D62883#1552969, @xazax.hun wrote:

In D62883#1552870, @Szelethus wrote:

• Uniqueing already tracked conditions as an (Expr, ExplodedNode) pair instead of on Expr

I would be surprised to see the same ExploderNode multiple time a lot. Also, ExploderNode will have a program point, so having both an ExploderNode and an Expr feels redundant to me.

(Expr, LocationContext) sounds right.

Oh, wait, no, loops.

In D62883#1553248, @Szelethus wrote:

• Add a TODO: in trackExpressionValue about maybe tracking conditions to all bug locations, rather than only for tracked variables.

What do you mean by "all bug locations"?

In D62883#1554339, @NoQ wrote:

In D62883#1553248, @Szelethus wrote:

• Add a TODO: in trackExpressionValue about maybe tracking conditions to all bug locations, rather than only for tracked variables.

What do you mean by "all bug locations"?

This visitor is added when a variable is tracked, yet I feel the control dependency of every report is important (else we would never have discovered the error).

It should be pretty easy to implement, just add your new visitor to the list of default visitors in findValidReport().

Woohoo! Thanks for everything, this is the most fun I've had working on this project! Let's wait for @xazax.hun to have the final say.

In D62883#1554494, @NoQ wrote:

It should be pretty easy to implement, just add your new visitor to the list of default visitors in findValidReport().

The thinking was to preserve this patch (roughly) in the state as the analyses were run. I also plan to patch CodeChecker so that it can diff two runs only only by bug report hash, but also by bug report length, which should make evaluation a lot easier. This may imply that I'll delay tracking control dependencies to all error nodes for later, as LLVM literally takes a day to analyze each time (and the sheer size of it gives invaluable data, which is why I plan doing it, but will check other projects too).

In D62883#1554514, @Szelethus wrote:

In D62883#1554494, @NoQ wrote:

It should be pretty easy to implement, just add your new visitor to the list of default visitors in findValidReport().

The thinking was to preserve this patch (roughly) in the state as the analyses were run.

Sure!

I usually do the final update right before commiting. There still are non-accepted dependencies, who knows what'll happen.