This is an archive of the discontinued LLVM Phabricator instance.

Differential D80171

[analyzer] LoopUnrolling: fix crash when a parameter is a loop counter
ClosedPublic

Authored by AbbasSabra on May 18 2020, 4:20 PM.

Details

Reviewers
szepet
NoQ
vsavchenko
Commits
rG99b94f29ac5d: [analyzer] LoopUnrolling: fix crash when a parameter is a loop counter.
Summary

When loop counter is a function parameter "isPossiblyEscaped" will not find the variable declaration "VD" which lead to "llvm_unreachable". Parameters should be escaped like global variables to avoid a crash.

Diff Detail

Event Timeline

AbbasSabra created this revision.May 18 2020, 4:20 PM
Herald added a project: Restricted Project. · View Herald TranscriptMay 18 2020, 4:20 PM
Herald added subscribers: ASDenysPetrov, martong, Charusso and 9 others. · View Herald Transcript
Harbormaster completed remote builds in B57140: Diff 264751.May 18 2020, 5:22 PM
xazax.hun added reviewers: NoQ, vsavchenko.May 19 2020, 5:45 AM

Thanks for finding this bug! Adding some reviewers.

I think it would be perfectly fine to unroll loops where the loop counter is a pass-by-value parameter. That should not be considered escaped.

I think in case of parameters isPossiblyEscaped should return false for values and true for references.

What do you think?

xazax.hun added inline comments.May 19 2020, 5:47 AM
clang/test/Analysis/loop-unrolling.cpp
503

nit: we usually use arg for actual arguments at the call site, and use param for formal parameters. The test function should be renamed accordingly. Also, it would be great to add clang_analyzer_numTimesReached() to demonstrate whether the loop is actually unrolled or not.

vsavchenko added a comment.May 19 2020, 6:07 AM

Thanks for taking your time to find and resolve the bug.
I agree that this solution seems a bit too harsh. Technically there is no difference between local variable declaration and a parameter declaration (if we are talking about value types as pointed out by @xazax.hun).
I believe that we should actually fix the will not find the variable declaration "VD" which lead to "llvm_unreachable" part.

AbbasSabra updated this revision to Diff 265090.May 19 2020, 5:06 PM

Fix code review

Harbormaster failed remote builds in B57300: Diff 265090!May 19 2020, 5:09 PM
AbbasSabra updated this revision to Diff 265095.May 19 2020, 5:16 PM

update

AbbasSabra accepted this revision.May 19 2020, 5:26 PM
AbbasSabra marked an inline comment as done.
This revision is now accepted and ready to land.May 19 2020, 5:26 PM
AbbasSabra requested review of this revision.May 19 2020, 5:30 PM

What you both said makes sense. Now, reference parameters are escaped and value parameters are treated as the local variables.
Thanks!

AbbasSabra removed a reviewer: AbbasSabra.May 19 2020, 5:32 PM
Harbormaster failed remote builds in B57305: Diff 265095!May 19 2020, 6:11 PM
vsavchenko added inline comments.May 20 2020, 12:42 AM
clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp
167

getKind function is only an implementation detail for isa/cast/dan_cast functions (docs). So, this condition would be better in the following form: isa<ParmVarDecl>(VD).

NOTE: One good motivation here is that maybe in the future there will be some sort of new type of function parameters and it will be derived from ParmVarDecl. In this situation, direct comparison with the kind of node will not work and probably won't be fixed by developers who introduced the new node, but isa approach will stay correct.
Harbormaster completed remote builds in B57305: Diff 265095.May 20 2020, 2:07 AM
AbbasSabra updated this revision to Diff 265253.May 20 2020, 8:04 AM

Fix code review 2

AbbasSabra marked 2 inline comments as done.May 20 2020, 8:06 AM
AbbasSabra added inline comments.
clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp
167

Thanks for the detailed explanation.

AbbasSabra marked an inline comment as done.May 20 2020, 8:09 AM
Harbormaster completed remote builds in B57385: Diff 265253.May 20 2020, 9:16 AM
NoQ accepted this revision.May 20 2020, 10:39 AM

Looks great, thanks!

This is probably not the precise solution (i.e., we might be able to see where exactly is the reference taken and proceed from there) but neither is the original code - it's always been super pattern-matchy,

This revision is now accepted and ready to land.May 20 2020, 10:39 AM
vsavchenko accepted this revision.May 20 2020, 10:41 AM

LGTM! Thanks again!

AbbasSabra added a comment.May 21 2020, 8:45 AM

Great! Can someone take care of merging it? I believe I don't have access.

Closed by commit rG99b94f29ac5d: [analyzer] LoopUnrolling: fix crash when a parameter is a loop counter. (authored by dergachev.a). · Explain WhyMay 22 2020, 6:24 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
clang/
lib/
StaticAnalyzer/
Core/
10 lines
test/
Analysis/
12 lines

Diff 265731

clang/lib/StaticAnalyzer/Core/LoopUnrolling.cpp

Show First 20 LinesShow All 158 Lines▼ Show 20 Lines return forStmt(
unless(hasBody(hasSuspiciousStmt("initVarName")))).bind("forLoop"); unless(hasBody(hasSuspiciousStmt("initVarName")))).bind("forLoop");
} }
static bool isPossiblyEscaped(const VarDecl *VD, ExplodedNode *N) { static bool isPossiblyEscaped(const VarDecl *VD, ExplodedNode *N) {
// Global variables assumed as escaped variables. // Global variables assumed as escaped variables.
if (VD->hasGlobalStorage()) if (VD->hasGlobalStorage())
return true; return true;
const bool isParm = isa<ParmVarDecl>(VD);
vsavchenkoUnsubmitted
Done
ReplyInline Actions

getKind function is only an implementation detail for isa/cast/dan_cast functions (docs). So, this condition would be better in the following form: isa<ParmVarDecl>(VD).

NOTE: One good motivation here is that maybe in the future there will be some sort of new type of function parameters and it will be derived from ParmVarDecl. In this situation, direct comparison with the kind of node will not work and probably won't be fixed by developers who introduced the new node, but isa approach will stay correct.
vsavchenko: `getKind` function is only an implementation detail for `isa`/`cast`/`dan_cast` functions…
AbbasSabraAuthorUnsubmitted
Done
ReplyInline Actions

Thanks for the detailed explanation.

AbbasSabra: Thanks for the detailed explanation.
// Reference parameters are assumed as escaped variables.
if (isParm && VD->getType()->isReferenceType())
return true;
while (!N->pred_empty()) { while (!N->pred_empty()) {
// FIXME: getStmtForDiagnostics() does nasty things in order to provide // FIXME: getStmtForDiagnostics() does nasty things in order to provide
// a valid statement for body farms, do we need this behavior here? // a valid statement for body farms, do we need this behavior here?
const Stmt *S = N->getStmtForDiagnostics(); const Stmt *S = N->getStmtForDiagnostics();
if (!S) { if (!S) {
N = N->getFirstPred(); N = N->getFirstPred();
continue; continue;
} }
Show All 13 Lines auto Match =
match(stmt(anyOf(callByRef(equalsNode(VD)), getAddrTo(equalsNode(VD)), match(stmt(anyOf(callByRef(equalsNode(VD)), getAddrTo(equalsNode(VD)),
assignedToRef(equalsNode(VD)))), assignedToRef(equalsNode(VD)))),
*S, ASTCtx); *S, ASTCtx);
if (!Match.empty()) if (!Match.empty())
return true; return true;
N = N->getFirstPred(); N = N->getFirstPred();
} }
// Parameter declaration will not be found.
if (isParm)
return false;
llvm_unreachable("Reached root without finding the declaration of VD"); llvm_unreachable("Reached root without finding the declaration of VD");
} }
bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx, bool shouldCompletelyUnroll(const Stmt *LoopStmt, ASTContext &ASTCtx,
ExplodedNode *Pred, unsigned &maxStep) { ExplodedNode *Pred, unsigned &maxStep) {
if (!isLoopStmt(LoopStmt)) if (!isLoopStmt(LoopStmt))
return false; return false;
▲ Show 20 LinesShow All 92 LinesShow Last 20 Lines

clang/test/Analysis/loop-unrolling.cpp

Show First 20 LinesShow All 493 Lines▼ Show 20 Lines
} }
void pr34943() { void pr34943() {
for (int i = 0; i < 6L; ++i) { for (int i = 0; i < 6L; ++i) {
clang_analyzer_numTimesReached(); // expected-warning {{6}} clang_analyzer_numTimesReached(); // expected-warning {{6}}
} }
} }
void parm_by_value_as_loop_counter(int i) {
xazax.hunUnsubmitted
Done
ReplyInline Actions

nit: we usually use arg for actual arguments at the call site, and use param for formal parameters. The test function should be renamed accordingly. Also, it would be great to add clang_analyzer_numTimesReached() to demonstrate whether the loop is actually unrolled or not.

xazax.hun: nit: we usually use `arg` for actual arguments at the call site, and use `param` for formal…
for (i = 0; i < 10; ++i) {
clang_analyzer_numTimesReached(); // expected-warning {{10}}
}
}
void parm_by_ref_as_loop_counter(int &i) {
for (i = 0; i < 10; ++i) {
clang_analyzer_numTimesReached(); // expected-warning {{4}}
}
}