This is an archive of the discontinued LLVM Phabricator instance.

Differential D85319

[analyzer][RFC] Get info from the LLVM IR for precision
Needs ReviewPublic

Authored by martong on Aug 5 2020, 8:27 AM.

Details

Reviewers
NoQ
Szelethus
balazske
vsavchenko
xazax.hun
rjmccall
Summary

This is a prototype to access the IR from the components of the Clang Static Analyzer.
This involves architectural changes and there is a related discussion here on cfe-dev: http://lists.llvm.org/pipermail/cfe-dev/2020-August/066426.html.

There are many important and useful analyses in the LLVM layer that we can use during the path
sensitive analysis. Most notably, the "readnone" and "readonly" function
attributes which can be used to identify "pure" functions (those without side
effects). Here, I am using the pureness info from the IR to avoid invalidation
of any variables during conservative evaluation (when we evaluate a pure
function).

Diff Detail

Event Timeline

martong created this revision.Aug 5 2020, 8:27 AM
Herald added a project: Restricted Project. · View Herald TranscriptAug 5 2020, 8:27 AM
Herald added subscribers: cfe-commits, ASDenysPetrov, steakhal and 12 others. · View Herald Transcript
martong requested review of this revision.Aug 5 2020, 8:27 AM
martong updated this revision to Diff 283254.Aug 5 2020, 8:32 AM
  • Remove dummy test file
martong added a reviewer: xazax.hun.Aug 5 2020, 8:43 AM
whisperity added subscribers: dcoughlin, rjmccall, rsmith.Aug 5 2020, 9:01 AM

What will happen with the ability to analyse a translation unit whose target was not part of LLVM_TARGETS_TO_BUILD of the current clang binary? Will it break, because the binary lacks the information on how to generate for the given target?

clang/include/clang/StaticAnalyzer/Core/IRContext.h
40–42

Aren't documentation comments in LLVM ///?

clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
127

Where's this CG defined?

clang/lib/StaticAnalyzer/Frontend/FrontendActions.cpp
52–56

Isn't there a lifetime issue here? LLVMCtx is given as a raw reference to the BuildCodeGen and the shared pointer leaves scope at the end of the branch.

clang/test/Analysis/ircontext.cpp
18–19

What are we testing here? Without the ability to read the pureness of foo from the IR, the knowledge about g's value would be scrapped at the call? foo is defined in the current TU.

martong marked 3 inline comments as done.Aug 5 2020, 9:14 AM
martong added inline comments.
clang/include/clang/StaticAnalyzer/Core/IRContext.h
40–42

Yep, I forgot about that.

clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp
127

In AnalysisConsumer.h. And set in FrontendActions.cpp AConsumer->setCodeGen(CGConsumer.get());

clang/lib/StaticAnalyzer/Frontend/FrontendActions.cpp
52–56

Nope, LLVMCtx is a member of AnalysisAction.

clang/test/Analysis/ircontext.cpp
18–19

We test here that with no-inlining (i.e. always doing conservative evaluation) we do not invalidate the state after a call to a pure function.

martong marked 3 inline comments as done.Aug 5 2020, 9:17 AM
In D85319#2196648, @whisperity wrote:

What will happen with the ability to analyse a translation unit whose target was not part of LLVM_TARGETS_TO_BUILD of the current clang binary? Will it break, because the binary lacks the information on how to generate for the given target?

We get the target info from the CompilerInstance that is used for the command line of the analysis. So if clang cannot handle that then we'll probably get a diagnostics anyway by the AnalysisASTConsumers diag engine.

Harbormaster completed remote builds in B67112: Diff 283252.Aug 5 2020, 9:41 AM
Harbormaster completed remote builds in B67113: Diff 283254.Aug 5 2020, 10:06 AM
rjmccall requested changes to this revision.Aug 5 2020, 11:36 AM

This seems a huge architectural change that we need to talk about.

This revision now requires changes to proceed.Aug 5 2020, 11:36 AM
NoQ added inline comments.Aug 5 2020, 11:45 AM
clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
720

Before i forget: you still need to conjure the return value.

NoQ added a comment.Aug 5 2020, 11:47 AM
In D85319#2197104, @rjmccall wrote:

This seems a huge architectural change that we need to talk about.

Absolutely.

I believe the relevant discussion is at http://lists.llvm.org/pipermail/cfe-dev/2020-August/066426.html.

rjmccall added a comment.Aug 5 2020, 11:59 AM

Thanks. It'd be a good idea to mention that this is contingent on that discussion in the patch summary.

martong added a comment.Aug 5 2020, 12:02 PM
In D85319#2197104, @rjmccall wrote:

This seems a huge architectural change that we need to talk about.

Yes, sure. I am open to and welcome any discussions and suggestions. This patch is just a prototype to demonstrate the usability and feasibility. As @NoQ indicated there is a relevant discussion in cfe-dev, maybe it's better to discuss there because of the bigger visibility.

martong retitled this revision from [analyzer] Get info from the LLVM IR for precision to [analyzer][RFC] Get info from the LLVM IR for precision.Aug 5 2020, 12:04 PM
martong edited the summary of this revision. (Show Details)
martong added inline comments.Aug 5 2020, 12:17 PM
clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp
720

Good catch, thanks!

martong added inline comments.Aug 7 2020, 1:30 AM
clang/lib/StaticAnalyzer/Frontend/FrontendActions.cpp
30

TODO overwrite ALL optimization related config.

Artem:

we should not be taking -O flags into account at all, but pick some default -O2 regardless of flags; and ideally all flags should be ignored by default, to ensure experience as consistent as possible.

xazax.hun added inline comments.Aug 7 2020, 1:38 AM
clang/lib/StaticAnalyzer/Frontend/FrontendActions.cpp
30

Additional bit of info from the mailing list: relying on the set of optimizations from O2 might not suffice as it might contain passes with bad side effects. One example is removing a static function that was inlined to all of the call sites which would make us unable to query the analysis results for that function. Overall, we might not want to make the analysis dependent on inlining heuristics. (Or we might not care. This is up for discussion.)

martong updated this revision to Diff 284738.Aug 11 2020, 8:14 AM
  • Use custom, CSA specific pipeline
  • Rename runOptimizerPipeline to runPipeline
  • Add unittest for IRContext
    • Add BuildCodeGen to CSA's FrontendAction.h
martong marked 3 inline comments as done.Aug 11 2020, 8:38 AM
martong added inline comments.
clang/lib/StaticAnalyzer/Frontend/FrontendActions.cpp
30

CodeGenOptions CGO = CodeGenOptions(); will create an options object with all value set to the default.

martong updated this revision to Diff 284760.Aug 11 2020, 8:38 AM
  • Use /// comments in IRContext.h
  • Conjure the return value even if the funciton is pure
  • Set all CodeGen options to the default (except the opt level)
Harbormaster completed remote builds in B67911: Diff 284738.Aug 11 2020, 9:33 AM
Harbormaster completed remote builds in B67922: Diff 284760.Aug 11 2020, 9:57 AM

Revision Contents

PathSize
clang/
include/
clang/
CodeGen/
27 lines
StaticAnalyzer/
Core/
5 lines
48 lines
PathSensitive/
9 lines
Frontend/
8 lines
22 lines
lib/
CodeGen/
1 line
25 lines
StaticAnalyzer/
Core/
6 lines
22 lines
19 lines
98 lines
Frontend/
7 lines
2 lines
48 lines
test/
Analysis/
1 line
2 lines
19 lines
unittests/
StaticAnalyzer/
5 lines
101 lines
11 lines

Diff 284760

clang/include/clang/CodeGen/CodeGenMangling.h

  • This file was added.
//==----- CodeGenMangling.h - Get mangled names from the CodeGenModule -----==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// CodeGenMangling provides name mangling that depends on the target set for
// the given CodeGen.
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_CODEGEN_CODEGENMANGLING_H
#define LLVM_CLANG_CODEGEN_CODEGENMANGLING_H
#include "clang/AST/GlobalDecl.h"
#include "llvm/ADT/StringRef.h"
namespace clang {
namespace CodeGen {
class CodeGenModule;
llvm::StringRef getMangledName(CodeGenModule &CGM, GlobalDecl GD);
} // namespace CodeGen
} // namespace clang
#endif

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def

Show First 20 LinesShow All 308 Lines▼ Show 20 Lines
ANALYZER_OPTION(bool, ShouldApplyFixIts, "apply-fixits", ANALYZER_OPTION(bool, ShouldApplyFixIts, "apply-fixits",
"Apply the fix-it hints to the files", "Apply the fix-it hints to the files",
false) false)
ANALYZER_OPTION(bool, ShouldDisplayCheckerNameForText, "display-checker-name", ANALYZER_OPTION(bool, ShouldDisplayCheckerNameForText, "display-checker-name",
"Display the checker name for textual outputs", "Display the checker name for textual outputs",
true) true)
ANALYZER_OPTION(bool, GenerateLLVMIR, "generate-llvm-ir",
"Whether to generate LLVM IR for the translation unit. "
"The analyzer can be more precise by using info from the IR.",
false)
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Unsigned analyzer options. // Unsigned analyzer options.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold", ANALYZER_OPTION(unsigned, CTUImportThreshold, "ctu-import-threshold",
"The maximal amount of translation units that is considered " "The maximal amount of translation units that is considered "
"for import when inlining functions during CTU analysis. " "for import when inlining functions during CTU analysis. "
"Lowering this threshold can alleviate the memory burden of " "Lowering this threshold can alleviate the memory burden of "
▲ Show 20 LinesShow All 115 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Core/IRContext.h

  • This file was added.
//== IRContext.h - Get info from the IR in CSA -*- C++ -*--------------------=//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file defines auxilary structures for getting data from the IR inside
// the Clang Static Analyzer.
//
//===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_CORE_IRCONTEXT_H
#define LLVM_CLANG_STATICANALYZER_CORE_IRCONTEXT_H
#include "clang/AST/GlobalDecl.h"
namespace llvm {
class Function;
} // namespace llvm
namespace clang {
class CodeGenerator;
class FunctionDecl;
namespace ento {
/// Static Analyzer components can get access to the LLVM IR of a translation
/// unit throught this class.
class IRContext {
/// Set by AnalysisAction if the AnalyzerOptions requires that.
clang::CodeGenerator *&CodeGen;
public:
IRContext(clang::CodeGenerator *&CodeGen) : CodeGen(CodeGen) {}
void runPipeline();
llvm::Function *getFunction(GlobalDecl GD);
/// Get the LLVM code for a function. We use the complete versions of the
/// constructors and desctructors in this overload. Use the other overload to
/// get the base object ctor/dtor.
llvm::Function *getFunction(const FunctionDecl *FD);
whisperityUnsubmitted
Done
ReplyInline Actions

Aren't documentation comments in LLVM ///?

whisperity: Aren't documentation comments in LLVM `///`?
martongAuthorUnsubmitted
Done
ReplyInline Actions

Yep, I forgot about that.

martong: Yep, I forgot about that.
};
} // namespace ento
} // namespace clang
#endif

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

Show First 20 LinesShow All 81 Lines▼ Show 20 Lines
class CallEvent; class CallEvent;
class CheckerManager; class CheckerManager;
class ConstraintManager; class ConstraintManager;
class CXXTempObjectRegion; class CXXTempObjectRegion;
class EndOfFunctionNodeBuilder; class EndOfFunctionNodeBuilder;
class ExplodedNodeSet; class ExplodedNodeSet;
class ExplodedNode; class ExplodedNode;
class IndirectGotoNodeBuilder; class IndirectGotoNodeBuilder;
class IRContext;
class MemRegion; class MemRegion;
struct NodeBuilderContext; struct NodeBuilderContext;
class NodeBuilderWithSinks; class NodeBuilderWithSinks;
class ProgramState; class ProgramState;
class ProgramStateManager; class ProgramStateManager;
class RegionAndSymbolInvalidationTraits; class RegionAndSymbolInvalidationTraits;
class SymbolManager; class SymbolManager;
class SwitchNodeBuilder; class SwitchNodeBuilder;
Show All 37 Lines enum InliningModes {
/// Do minimal inlining of callees. /// Do minimal inlining of callees.
Inline_Minimal = 0x1 Inline_Minimal = 0x1
}; };
private: private:
cross_tu::CrossTranslationUnitContext &CTU; cross_tu::CrossTranslationUnitContext &CTU;
IRContext &IRCtx;
AnalysisManager &AMgr; AnalysisManager &AMgr;
AnalysisDeclContextManager &AnalysisDeclContexts; AnalysisDeclContextManager &AnalysisDeclContexts;
CoreEngine Engine; CoreEngine Engine;
/// G - the simulation graph. /// G - the simulation graph.
ExplodedGraph &G; ExplodedGraph &G;
Show All 25 Linesprivate:
/// The functions which have been analyzed through inlining. This is owned by /// The functions which have been analyzed through inlining. This is owned by
/// AnalysisConsumer. It can be null. /// AnalysisConsumer. It can be null.
SetOfConstDecls *VisitedCallees; SetOfConstDecls *VisitedCallees;
/// The flag, which specifies the mode of inlining for the engine. /// The flag, which specifies the mode of inlining for the engine.
InliningModes HowToInline; InliningModes HowToInline;
public: public:
ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, AnalysisManager &mgr, ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, IRContext &IRCtx,
SetOfConstDecls *VisitedCalleesIn, AnalysisManager &mgr, SetOfConstDecls *VisitedCalleesIn,
FunctionSummariesTy *FS, InliningModes HowToInlineIn); FunctionSummariesTy *FS, InliningModes HowToInlineIn);
virtual ~ExprEngine() = default; virtual ~ExprEngine() = default;
/// Returns true if there is still simulation state on the worklist. /// Returns true if there is still simulation state on the worklist.
bool ExecuteWorkList(const LocationContext *L, unsigned Steps = 150000) { bool ExecuteWorkList(const LocationContext *L, unsigned Steps = 150000) {
return Engine.ExecuteWorkList(L, Steps, nullptr); return Engine.ExecuteWorkList(L, Steps, nullptr);
} }
Show All 25 Linespublic:
BugReporter &getBugReporter() { return BR; } BugReporter &getBugReporter() { return BR; }
cross_tu::CrossTranslationUnitContext * cross_tu::CrossTranslationUnitContext *
getCrossTranslationUnitContext() { getCrossTranslationUnitContext() {
return &CTU; return &CTU;
} }
IRContext *getIRContext() { return &IRCtx; }
const NodeBuilderContext &getBuilderContext() { const NodeBuilderContext &getBuilderContext() {
assert(currBldrCtx); assert(currBldrCtx);
return *currBldrCtx; return *currBldrCtx;
} }
const Stmt *getStmt() const; const Stmt *getStmt() const;
void GenerateAutoTransition(ExplodedNode *N); void GenerateAutoTransition(ExplodedNode *N);
▲ Show 20 LinesShow All 701 LinesShow Last 20 Lines

clang/include/clang/StaticAnalyzer/Frontend/AnalysisConsumer.h

Show All 18 Lines
#include <functional> #include <functional>
#include <memory> #include <memory>
namespace clang { namespace clang {
class Preprocessor; class Preprocessor;
class DiagnosticsEngine; class DiagnosticsEngine;
class CodeInjector; class CodeInjector;
class CodeGenerator;
class CompilerInstance; class CompilerInstance;
namespace ento { namespace ento {
class PathDiagnosticConsumer; class PathDiagnosticConsumer;
class CheckerManager; class CheckerManager;
class CheckerRegistry; class CheckerRegistry;
class AnalysisASTConsumer : public ASTConsumer { class AnalysisASTConsumer : public ASTConsumer {
protected:
CodeGenerator *CG = nullptr;
public: public:
virtual void AddDiagnosticConsumer(PathDiagnosticConsumer *Consumer) = 0; virtual void AddDiagnosticConsumer(PathDiagnosticConsumer *Consumer) = 0;
/// This method allows registering statically linked custom checkers that are /// This method allows registering statically linked custom checkers that are
/// not a part of the Clang tree. It employs the same mechanism that is used /// not a part of the Clang tree. It employs the same mechanism that is used
/// by plugins. /// by plugins.
/// ///
/// Example: /// Example:
/// ///
/// Consumer->AddCheckerRegistrationFn([] (CheckerRegistry& Registry) { /// Consumer->AddCheckerRegistrationFn([] (CheckerRegistry& Registry) {
/// Registry.addChecker<MyCustomChecker>("example.MyCustomChecker", /// Registry.addChecker<MyCustomChecker>("example.MyCustomChecker",
/// "Description"); /// "Description");
/// }); /// });
virtual void virtual void
AddCheckerRegistrationFn(std::function<void(CheckerRegistry &)> Fn) = 0; AddCheckerRegistrationFn(std::function<void(CheckerRegistry &)> Fn) = 0;
void setCodeGen(CodeGenerator *Cg) { CG = Cg; }
}; };
/// CreateAnalysisConsumer - Creates an ASTConsumer to run various code /// CreateAnalysisConsumer - Creates an ASTConsumer to run various code
/// analysis passes. (The set of analyses run is controlled by command-line /// analysis passes. (The set of analyses run is controlled by command-line
/// options.) /// options.)
std::unique_ptr<AnalysisASTConsumer> std::unique_ptr<AnalysisASTConsumer>
CreateAnalysisConsumer(CompilerInstance &CI); CreateAnalysisConsumer(CompilerInstance &CI);
} // namespace ento } // namespace ento
} // end clang namespace } // namespace clang
#endif #endif

clang/include/clang/StaticAnalyzer/Frontend/FrontendActions.h

//===-- FrontendActions.h - Useful Frontend Actions -------------*- C++ -*-===// //===-- FrontendActions.h - Useful Frontend Actions -------------*- C++ -*-===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_STATICANALYZER_FRONTEND_FRONTENDACTIONS_H #ifndef LLVM_CLANG_STATICANALYZER_FRONTEND_FRONTENDACTIONS_H
#define LLVM_CLANG_STATICANALYZER_FRONTEND_FRONTENDACTIONS_H #define LLVM_CLANG_STATICANALYZER_FRONTEND_FRONTENDACTIONS_H
#include "clang/Frontend/FrontendAction.h" #include "clang/Frontend/FrontendAction.h"
#include "llvm/ADT/StringMap.h" #include "llvm/ADT/StringMap.h"
#include "llvm/ADT/StringRef.h" #include "llvm/ADT/StringRef.h"
namespace clang { #include <memory>
namespace llvm {
class LLVMContext;
} // namespace llvm
namespace clang {
class CodeGenerator;
class Stmt; class Stmt;
class AnalyzerOptions;
namespace ento { namespace ento {
class CheckerManager; class CheckerManager;
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// AST Consumer Actions // AST Consumer Actions
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
class AnalysisAction : public ASTFrontendAction { class AnalysisAction : public ASTFrontendAction {
// Cannot be a unique_ptr because then ClangFrontendTool would
// depend on this lib.
std::shared_ptr<llvm::LLVMContext> LLVMCtx;
std::unique_ptr<DiagnosticsEngine> CodeGenDiags;
protected: protected:
std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &CI, std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &CI,
StringRef InFile) override; StringRef InFile) override;
public:
~AnalysisAction();
}; };
std::unique_ptr<AnalysisAction> CreateAnalysisAction();
std::unique_ptr<CodeGenerator> BuildCodeGen(CompilerInstance &CI,
llvm::LLVMContext &LLVMCtx,
DiagnosticsEngine &CodeGenDiags);
/// Frontend action to parse model files. /// Frontend action to parse model files.
/// ///
/// This frontend action is responsible for parsing model files. Model files can /// This frontend action is responsible for parsing model files. Model files can
/// not be parsed on their own, they rely on type information that is available /// not be parsed on their own, they rely on type information that is available
/// in another translation unit. The parsing of model files is done by a /// in another translation unit. The parsing of model files is done by a
/// separate compiler instance that reuses the ASTContext and othen information /// separate compiler instance that reuses the ASTContext and othen information
/// from the main translation unit that is being compiled. After a model file is /// from the main translation unit that is being compiled. After a model file is
/// parsed, the function definitions will be collected into a StringMap. /// parsed, the function definitions will be collected into a StringMap.
Show All 17 Lines

clang/lib/CodeGen/CMakeLists.txt

Show First 20 LinesShow All 62 Lines▼ Show 20 Linesadd_clang_library(clangCodeGen
CGRecordLayoutBuilder.cpp CGRecordLayoutBuilder.cpp
CGStmt.cpp CGStmt.cpp
CGStmtOpenMP.cpp CGStmtOpenMP.cpp
CGVTT.cpp CGVTT.cpp
CGVTables.cpp CGVTables.cpp
CodeGenABITypes.cpp CodeGenABITypes.cpp
CodeGenAction.cpp CodeGenAction.cpp
CodeGenFunction.cpp CodeGenFunction.cpp
CodeGenMangling.cpp
CodeGenModule.cpp CodeGenModule.cpp
CodeGenPGO.cpp CodeGenPGO.cpp
CodeGenTBAA.cpp CodeGenTBAA.cpp
CodeGenTypes.cpp CodeGenTypes.cpp
ConstantInitBuilder.cpp ConstantInitBuilder.cpp
CoverageMappingGen.cpp CoverageMappingGen.cpp
ItaniumCXXABI.cpp ItaniumCXXABI.cpp
MacroPPCallbacks.cpp MacroPPCallbacks.cpp
Show All 21 Lines

clang/lib/CodeGen/CodeGenMangling.cpp

  • This file was added.
//==--- CodeGenMangling.cpp - Get mangled names from the CodeGenModule -----==//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// CodeGenMangling provides name mangling that depends on the target set for
// the given CodeGen.
//===----------------------------------------------------------------------===//
#include "clang/CodeGen/CodeGenMangling.h"
#include "CodeGenModule.h"
using namespace llvm;
namespace clang {
namespace CodeGen {
StringRef getMangledName(CodeGenModule &CGM, GlobalDecl GD) {
return CGM.getMangledName(GD);
}
} // namespace CodeGen
} // namespace clang

clang/lib/StaticAnalyzer/Core/CMakeLists.txt

Show All 25 Linesadd_clang_library(clangStaticAnalyzerCore
ExplodedGraph.cpp ExplodedGraph.cpp
ExprEngine.cpp ExprEngine.cpp
ExprEngineC.cpp ExprEngineC.cpp
ExprEngineCXX.cpp ExprEngineCXX.cpp
ExprEngineCallAndReturn.cpp ExprEngineCallAndReturn.cpp
ExprEngineObjC.cpp ExprEngineObjC.cpp
FunctionSummary.cpp FunctionSummary.cpp
HTMLDiagnostics.cpp HTMLDiagnostics.cpp
IRContext.cpp
IssueHash.cpp IssueHash.cpp
LoopUnrolling.cpp LoopUnrolling.cpp
LoopWidening.cpp LoopWidening.cpp
MemRegion.cpp MemRegion.cpp
PlistDiagnostics.cpp PlistDiagnostics.cpp
ProgramState.cpp ProgramState.cpp
RangeConstraintManager.cpp RangeConstraintManager.cpp
RangedConstraintManager.cpp RangedConstraintManager.cpp
RegionStore.cpp RegionStore.cpp
SarifDiagnostics.cpp SarifDiagnostics.cpp
SimpleConstraintManager.cpp SimpleConstraintManager.cpp
SimpleSValBuilder.cpp SimpleSValBuilder.cpp
SMTConstraintManager.cpp SMTConstraintManager.cpp
Store.cpp Store.cpp
SValBuilder.cpp SValBuilder.cpp
SVals.cpp SVals.cpp
SymbolManager.cpp SymbolManager.cpp
TextDiagnostics.cpp TextDiagnostics.cpp
WorkList.cpp WorkList.cpp
LINK_LIBS LINK_LIBS
LLVMAnalysis
LLVMCore
LLVMipo
LLVMPasses
clangAST clangAST
clangASTMatchers clangASTMatchers
clangAnalysis clangAnalysis
clangBasic clangBasic
clangCodeGen
clangCrossTU clangCrossTU
clangFrontend clangFrontend
clangLex clangLex
clangRewrite clangRewrite
clangToolingCore clangToolingCore
DEPENDS DEPENDS
omp_gen omp_gen
) )

clang/lib/StaticAnalyzer/Core/ExprEngine.cpp

Show First 20 LinesShow All 194 Lines▼ Show 20 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// Engine construction and deletion. // Engine construction and deletion.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
static const char* TagProviderName = "ExprEngine"; static const char* TagProviderName = "ExprEngine";
ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU, ExprEngine::ExprEngine(cross_tu::CrossTranslationUnitContext &CTU,
AnalysisManager &mgr, IRContext &IRCtx, AnalysisManager &mgr,
SetOfConstDecls *VisitedCalleesIn, SetOfConstDecls *VisitedCalleesIn,
FunctionSummariesTy *FS, FunctionSummariesTy *FS, InliningModes HowToInlineIn)
InliningModes HowToInlineIn) : CTU(CTU), IRCtx(IRCtx), AMgr(mgr),
: CTU(CTU), AMgr(mgr),
AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()), AnalysisDeclContexts(mgr.getAnalysisDeclContextManager()),
Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()), Engine(*this, FS, mgr.getAnalyzerOptions()), G(Engine.getGraph()),
StateMgr(getContext(), mgr.getStoreManagerCreator(), StateMgr(getContext(), mgr.getStoreManagerCreator(),
mgr.getConstraintManagerCreator(), G.getAllocator(), mgr.getConstraintManagerCreator(), G.getAllocator(), this),
this), SymMgr(StateMgr.getSymbolManager()), MRMgr(StateMgr.getRegionManager()),
SymMgr(StateMgr.getSymbolManager()), svalBuilder(StateMgr.getSValBuilder()), ObjCNoRet(mgr.getASTContext()),
MRMgr(StateMgr.getRegionManager()), BR(mgr, *this), VisitedCallees(VisitedCalleesIn),
svalBuilder(StateMgr.getSValBuilder()), HowToInline(HowToInlineIn) {
ObjCNoRet(mgr.getASTContext()),
BR(mgr, *this),
VisitedCallees(VisitedCalleesIn),
HowToInline(HowToInlineIn)
{
unsigned TrimInterval = mgr.options.GraphTrimInterval; unsigned TrimInterval = mgr.options.GraphTrimInterval;
if (TrimInterval != 0) { if (TrimInterval != 0) {
// Enable eager node reclamation when constructing the ExplodedGraph. // Enable eager node reclamation when constructing the ExplodedGraph.
G.enableNodeReclamation(TrimInterval); G.enableNodeReclamation(TrimInterval);
} }
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
▲ Show 20 LinesShow All 3,000 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/ExprEngineCallAndReturn.cpp

Show All 11 Lines
#include "PrettyStackTraceLocationContext.h" #include "PrettyStackTraceLocationContext.h"
#include "clang/AST/CXXInheritance.h" #include "clang/AST/CXXInheritance.h"
#include "clang/AST/Decl.h" #include "clang/AST/Decl.h"
#include "clang/AST/DeclCXX.h" #include "clang/AST/DeclCXX.h"
#include "clang/Analysis/Analyses/LiveVariables.h" #include "clang/Analysis/Analyses/LiveVariables.h"
#include "clang/Analysis/ConstructionContext.h" #include "clang/Analysis/ConstructionContext.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/IRContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h" #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/SmallSet.h" #include "llvm/ADT/SmallSet.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/IR/Function.h"
#include "llvm/Support/Casting.h" #include "llvm/Support/Casting.h"
#include "llvm/Support/Compiler.h" #include "llvm/Support/Compiler.h"
#include "llvm/Support/SaveAndRestore.h" #include "llvm/Support/SaveAndRestore.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
#define DEBUG_TYPE "ExprEngine" #define DEBUG_TYPE "ExprEngine"
▲ Show 20 LinesShow All 670 Lines▼ Show 20 LinesProgramStateRef ExprEngine::bindReturnValue(const CallEvent &Call,
} }
return State->BindExpr(E, LCtx, R); return State->BindExpr(E, LCtx, R);
} }
// Conservatively evaluate call by invalidating regions and binding // Conservatively evaluate call by invalidating regions and binding
// a conjured return value. // a conjured return value.
void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr, void ExprEngine::conservativeEvalCall(const CallEvent &Call, NodeBuilder &Bldr,
ExplodedNode *Pred, ProgramStateRef State) { ExplodedNode *Pred, ProgramStateRef State) {
// Query the LLVM IR whether this function is pure.
// This is false, if the IR for the function is not available.
const bool IsPure = [this](const CallEvent &Call) {
if (const Decl *D = Call.getRuntimeDefinition().getDecl())
if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(D))
if (FD->getDefinition())
if (auto *F = getIRContext()->getFunction(FD))
// Pure function.
if (F->getAttributes().hasFnAttribute(llvm::Attribute::ReadNone) ||
NoQUnsubmitted
Done
ReplyInline Actions

Before i forget: you still need to conjure the return value.

NoQ: Before i forget: you still need to conjure the return value.
martongAuthorUnsubmitted
Done
ReplyInline Actions

Good catch, thanks!

martong: Good catch, thanks!
F->getAttributes().hasFnAttribute(llvm::Attribute::ReadOnly))
return true;
return false;
}(Call);
if (!IsPure)
State = Call.invalidateRegions(currBldrCtx->blockCount(), State); State = Call.invalidateRegions(currBldrCtx->blockCount(), State);
State = bindReturnValue(Call, Pred->getLocationContext(), State); State = bindReturnValue(Call, Pred->getLocationContext(), State);
// And make the result node. // And make the result node.
Bldr.generateNode(Call.getProgramPoint(), State, Pred); Bldr.generateNode(Call.getProgramPoint(), State, Pred);
} }
ExprEngine::CallInlinePolicy ExprEngine::CallInlinePolicy
ExprEngine::mayInlineCallKind(const CallEvent &Call, const ExplodedNode *Pred, ExprEngine::mayInlineCallKind(const CallEvent &Call, const ExplodedNode *Pred,
▲ Show 20 LinesShow All 429 LinesShow Last 20 Lines

clang/lib/StaticAnalyzer/Core/IRContext.cpp

  • This file was added.
//===-------------- IRContext.cpp -----------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Core/IRContext.h"
#include "clang/CodeGen/CodeGenMangling.h"
#include "clang/CodeGen/ModuleBuilder.h"
#include "llvm/IR/Module.h"
#include "llvm/IR/PassManager.h"
#include "llvm/Passes/PassBuilder.h"
#include "llvm/Transforms/IPO/FunctionAttrs.h"
using namespace llvm;
using namespace clang;
using namespace ento;
void IRContext::runPipeline() {
if (CodeGen == nullptr)
return;
// TargetMachine is not set, so we will not do optimizations based on
// target-aware cost modeling of IR contructs. Still, a default
// TargetIRAnalysis is registerd in registerFunctionAnalyses. That will use
// the module's datalayout to construct a baseline conservative result.
PassBuilder PB;
// FIXME make this an option.
constexpr const bool Debug = false;
LoopAnalysisManager LAM(Debug);
FunctionAnalysisManager FAM(Debug);
CGSCCAnalysisManager CGAM(Debug);
ModuleAnalysisManager MAM(Debug);
// Register the AA manager first so that our version is the one used.
FAM.registerPass([&] { return PB.buildDefaultAAPipeline(); });
auto *M = CodeGen->GetModule();
// Register the target library analysis directly and give it a customized
// preset TLI.
Triple TargetTriple(M->getTargetTriple());
std::unique_ptr<TargetLibraryInfoImpl> TLII(
new TargetLibraryInfoImpl(TargetTriple));
FAM.registerPass([&] { return TargetLibraryAnalysis(*TLII); });
// Register all the basic analyses with the managers.
PB.registerModuleAnalyses(MAM);
PB.registerCGSCCAnalyses(CGAM);
PB.registerFunctionAnalyses(FAM);
PB.registerLoopAnalyses(LAM);
PB.crossRegisterProxies(LAM, FAM, CGAM, MAM);
ModulePassManager MPM(Debug);
MPM.addPass(RequireAnalysisPass<GlobalsAA, llvm::Module>());
// Deduce any function attributes based in the current code.
MPM.addPass(createModuleToPostOrderCGSCCPassAdaptor(
Lint: Pre-merge checks
Inline Actions

clang-format: please reformat the code

-  MPM.addPass(createModuleToPostOrderCGSCCPassAdaptor(
-              PostOrderFunctionAttrsPass()));
+  MPM.addPass(
+      createModuleToPostOrderCGSCCPassAdaptor(PostOrderFunctionAttrsPass()));
Lint: Pre-merge checks: clang-format: please reformat the code ``` - MPM.addPass…
PostOrderFunctionAttrsPass()));
MPM.run(*M, MAM);
}
llvm::Function *IRContext::getFunction(GlobalDecl GD) {
if (CodeGen == nullptr)
return nullptr;
CodeGen::CodeGenModule &CGM = CodeGen->CGM();
StringRef Name = getMangledName(CGM, GD);
auto *M = CodeGen->GetModule();
// There are functions which are not generated. E.g. not used operator=, etc.
return M->getFunction(Name);
}
llvm::Function *IRContext::getFunction(const FunctionDecl *FD) {
if (CodeGen == nullptr)
return nullptr;
// We use the complete versions of the constructors and desctructors.
// Use the other overload of getFunction to get the base object ctor/dtor.
GlobalDecl GD;
if (const auto *CD = dyn_cast<CXXConstructorDecl>(FD))
GD = GlobalDecl(CD, Ctor_Complete);
else if (const auto *DD = dyn_cast<CXXDestructorDecl>(FD))
GD = GlobalDecl(DD, Dtor_Complete);
else if (FD->hasAttr<CUDAGlobalAttr>())
GD = GlobalDecl(FD, KernelReferenceKind::Kernel);
else
GD = GlobalDecl(FD);
return getFunction(GD);
}

clang/lib/StaticAnalyzer/Frontend/AnalysisConsumer.cpp

Show All 24 Lines
#include "clang/CrossTU/CrossTranslationUnit.h" #include "clang/CrossTU/CrossTranslationUnit.h"
#include "clang/Frontend/CompilerInstance.h" #include "clang/Frontend/CompilerInstance.h"
#include "clang/Lex/Preprocessor.h" #include "clang/Lex/Preprocessor.h"
#include "clang/Rewrite/Core/Rewriter.h" #include "clang/Rewrite/Core/Rewriter.h"
#include "clang/StaticAnalyzer/Checkers/LocalCheckers.h" #include "clang/StaticAnalyzer/Checkers/LocalCheckers.h"
#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/CheckerManager.h" #include "clang/StaticAnalyzer/Core/CheckerManager.h"
#include "clang/StaticAnalyzer/Core/IRContext.h"
#include "clang/StaticAnalyzer/Core/PathDiagnosticConsumers.h" #include "clang/StaticAnalyzer/Core/PathDiagnosticConsumers.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "llvm/ADT/PostOrderIterator.h" #include "llvm/ADT/PostOrderIterator.h"
#include "llvm/ADT/Statistic.h" #include "llvm/ADT/Statistic.h"
#include "llvm/Support/FileSystem.h" #include "llvm/Support/FileSystem.h"
#include "llvm/Support/Path.h" #include "llvm/Support/Path.h"
#include "llvm/Support/Program.h" #include "llvm/Support/Program.h"
▲ Show 20 LinesShow All 44 Lines▼ Show 20 Lines
public: public:
ASTContext *Ctx; ASTContext *Ctx;
Preprocessor &PP; Preprocessor &PP;
const std::string OutDir; const std::string OutDir;
AnalyzerOptionsRef Opts; AnalyzerOptionsRef Opts;
ArrayRef<std::string> Plugins; ArrayRef<std::string> Plugins;
CodeInjector *Injector; CodeInjector *Injector;
cross_tu::CrossTranslationUnitContext CTU; cross_tu::CrossTranslationUnitContext CTU;
IRContext IRCtx;
/// Stores the declarations from the local translation unit. /// Stores the declarations from the local translation unit.
/// Note, we pre-compute the local declarations at parse time as an /// Note, we pre-compute the local declarations at parse time as an
/// optimization to make sure we do not deserialize everything from disk. /// optimization to make sure we do not deserialize everything from disk.
/// The local declaration to all declarations ratio might be very small when /// The local declaration to all declarations ratio might be very small when
/// working with a PCH file. /// working with a PCH file.
SetOfDecls LocalTUDecls; SetOfDecls LocalTUDecls;
Show All 16 Linespublic:
/// translation unit. /// translation unit.
FunctionSummariesTy FunctionSummaries; FunctionSummariesTy FunctionSummaries;
AnalysisConsumer(CompilerInstance &CI, const std::string &outdir, AnalysisConsumer(CompilerInstance &CI, const std::string &outdir,
AnalyzerOptionsRef opts, ArrayRef<std::string> plugins, AnalyzerOptionsRef opts, ArrayRef<std::string> plugins,
CodeInjector *injector) CodeInjector *injector)
: RecVisitorMode(0), RecVisitorBR(nullptr), Ctx(nullptr), : RecVisitorMode(0), RecVisitorBR(nullptr), Ctx(nullptr),
PP(CI.getPreprocessor()), OutDir(outdir), Opts(std::move(opts)), PP(CI.getPreprocessor()), OutDir(outdir), Opts(std::move(opts)),
Plugins(plugins), Injector(injector), CTU(CI) { Plugins(plugins), Injector(injector), CTU(CI), IRCtx(CG) {
whisperityUnsubmitted
Done
ReplyInline Actions

Where's this CG defined?

whisperity: Where's this `CG` defined?
martongAuthorUnsubmitted
Done
ReplyInline Actions

In AnalysisConsumer.h. And set in FrontendActions.cpp AConsumer->setCodeGen(CGConsumer.get());

martong: In `AnalysisConsumer.h`. And set in `FrontendActions.cpp` `AConsumer->setCodeGen(CGConsumer.get…
DigestAnalyzerOptions(); DigestAnalyzerOptions();
if (Opts->PrintStats || Opts->ShouldSerializeStats) { if (Opts->PrintStats || Opts->ShouldSerializeStats) {
AnalyzerTimers = std::make_unique<llvm::TimerGroup>( AnalyzerTimers = std::make_unique<llvm::TimerGroup>(
"analyzer", "Analyzer timers"); "analyzer", "Analyzer timers");
SyntaxCheckTimer = std::make_unique<llvm::Timer>( SyntaxCheckTimer = std::make_unique<llvm::Timer>(
"syntaxchecks", "Syntax-based analysis time", *AnalyzerTimers); "syntaxchecks", "Syntax-based analysis time", *AnalyzerTimers);
ExprEngineTimer = std::make_unique<llvm::Timer>( ExprEngineTimer = std::make_unique<llvm::Timer>(
"exprengine", "Path exploration time", *AnalyzerTimers); "exprengine", "Path exploration time", *AnalyzerTimers);
▲ Show 20 LinesShow All 402 Lines▼ Show 20 Lines if (isBisonFile(C)) {
reportAnalyzerProgress("Skipping bison-generated file\n"); reportAnalyzerProgress("Skipping bison-generated file\n");
} else if (Opts->DisableAllCheckers) { } else if (Opts->DisableAllCheckers) {
// Don't analyze if the user explicitly asked for no checks to be performed // Don't analyze if the user explicitly asked for no checks to be performed
// on this file. // on this file.
reportAnalyzerProgress("All checks are disabled using a supplied option\n"); reportAnalyzerProgress("All checks are disabled using a supplied option\n");
} else { } else {
// Otherwise, just run the analysis. // Otherwise, just run the analysis.
IRCtx.runPipeline();
runAnalysisOnTranslationUnit(C); runAnalysisOnTranslationUnit(C);
} }
// Count how many basic blocks we have not covered. // Count how many basic blocks we have not covered.
NumBlocksInAnalyzedFunctions = FunctionSummaries.getTotalNumBasicBlocks(); NumBlocksInAnalyzedFunctions = FunctionSummaries.getTotalNumBasicBlocks();
NumVisitedBlocksInAnalyzedFunctions = NumVisitedBlocksInAnalyzedFunctions =
FunctionSummaries.getTotalNumVisitedBasicBlocks(); FunctionSummaries.getTotalNumVisitedBasicBlocks();
if (NumBlocksInAnalyzedFunctions > 0) if (NumBlocksInAnalyzedFunctions > 0)
▲ Show 20 LinesShow All 136 Lines▼ Show 20 Linesvoid AnalysisConsumer::RunPathSensitiveChecks(Decl *D,
// FIXME: Inter-procedural analysis will need to handle invalid CFGs. // FIXME: Inter-procedural analysis will need to handle invalid CFGs.
if (!Mgr->getCFG(D)) if (!Mgr->getCFG(D))
return; return;
// See if the LiveVariables analysis scales. // See if the LiveVariables analysis scales.
if (!Mgr->getAnalysisDeclContext(D)->getAnalysis<RelaxedLiveVariables>()) if (!Mgr->getAnalysisDeclContext(D)->getAnalysis<RelaxedLiveVariables>())
return; return;
ExprEngine Eng(CTU, *Mgr, VisitedCallees, &FunctionSummaries, IMode); ExprEngine Eng(CTU, IRCtx, *Mgr, VisitedCallees, &FunctionSummaries, IMode);
// Execute the worklist algorithm. // Execute the worklist algorithm.
if (ExprEngineTimer) if (ExprEngineTimer)
ExprEngineTimer->startTimer(); ExprEngineTimer->startTimer();
Eng.ExecuteWorkList(Mgr->getAnalysisDeclContextManager().getStackFrame(D), Eng.ExecuteWorkList(Mgr->getAnalysisDeclContextManager().getStackFrame(D),
Mgr->options.MaxNodesPerTopLevelFunction); Mgr->options.MaxNodesPerTopLevelFunction);
if (ExprEngineTimer) if (ExprEngineTimer)
ExprEngineTimer->stopTimer(); ExprEngineTimer->stopTimer();
Show All 33 Lines

clang/lib/StaticAnalyzer/Frontend/CMakeLists.txt

include_directories( ${CMAKE_CURRENT_BINARY_DIR}/../Checkers ) include_directories( ${CMAKE_CURRENT_BINARY_DIR}/../Checkers )
set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
Support Support
) )
add_clang_library(clangStaticAnalyzerFrontend add_clang_library(clangStaticAnalyzerFrontend
AnalysisConsumer.cpp AnalysisConsumer.cpp
AnalyzerHelpFlags.cpp AnalyzerHelpFlags.cpp
CheckerRegistry.cpp CheckerRegistry.cpp
CreateCheckerManager.cpp CreateCheckerManager.cpp
FrontendActions.cpp FrontendActions.cpp
ModelConsumer.cpp ModelConsumer.cpp
ModelInjector.cpp ModelInjector.cpp
LINK_LIBS LINK_LIBS
LLVMCore
clangAST clangAST
clangASTMatchers clangASTMatchers
clangAnalysis clangAnalysis
clangBasic clangBasic
clangCodeGen
clangCrossTU clangCrossTU
clangFrontend clangFrontend
clangLex clangLex
clangStaticAnalyzerCheckers clangStaticAnalyzerCheckers
clangStaticAnalyzerCore clangStaticAnalyzerCore
DEPENDS DEPENDS
omp_gen omp_gen
) )

clang/lib/StaticAnalyzer/Frontend/FrontendActions.cpp

//===--- FrontendActions.cpp ----------------------------------------------===// //===--- FrontendActions.cpp ----------------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "clang/StaticAnalyzer/Frontend/FrontendActions.h" #include "clang/StaticAnalyzer/Frontend/FrontendActions.h"
#include "clang/Frontend/MultiplexConsumer.h"
#include "clang/StaticAnalyzer/Frontend/AnalysisConsumer.h" #include "clang/StaticAnalyzer/Frontend/AnalysisConsumer.h"
#include "clang/StaticAnalyzer/Frontend/ModelConsumer.h" #include "clang/StaticAnalyzer/Frontend/ModelConsumer.h"
#include "clang/CodeGen/ModuleBuilder.h"
#include "clang/Frontend/CompilerInstance.h"
#include "llvm/IR/LLVMContext.h"
using namespace clang; using namespace clang;
using namespace ento; using namespace ento;
std::unique_ptr<CodeGenerator>
clang::ento::BuildCodeGen(CompilerInstance &CI, llvm::LLVMContext &LLVMCtx,
DiagnosticsEngine &CodeGenDiags) {
StringRef ModuleName("csa_module");
// Set all CodeGen options to the default.
CodeGenOptions CGO = CodeGenOptions();
// Set the optimization level, so CodeGenFunciton would emit lifetime
// markers which are used by some LLVM analysis (e.g. AliasAnalysis).
CGO.OptimizationLevel = 2; // -O2
martongAuthorUnsubmitted
Done
ReplyInline Actions

TODO overwrite ALL optimization related config.

Artem:

we should not be taking -O flags into account at all, but pick some default -O2 regardless of flags; and ideally all flags should be ignored by default, to ensure experience as consistent as possible.

martong: TODO overwrite ALL optimization related config. Artem: > we should not be taking -O flags into…
xazax.hunUnsubmitted
Done
ReplyInline Actions

Additional bit of info from the mailing list: relying on the set of optimizations from O2 might not suffice as it might contain passes with bad side effects. One example is removing a static function that was inlined to all of the call sites which would make us unable to query the analysis results for that function. Overall, we might not want to make the analysis dependent on inlining heuristics. (Or we might not care. This is up for discussion.)

xazax.hun: Additional bit of info from the mailing list: relying on the set of optimizations from O2 might…
martongAuthorUnsubmitted
Done
ReplyInline Actions

CodeGenOptions CGO = CodeGenOptions(); will create an options object with all value set to the default.

martong: `CodeGenOptions CGO = CodeGenOptions(); ` will create an options object with all value set to…
return std::unique_ptr<CodeGenerator>(
CreateLLVMCodeGen(CodeGenDiags, ModuleName, CI.getHeaderSearchOpts(),
CI.getPreprocessorOpts(), CGO, LLVMCtx));
}
AnalysisAction::~AnalysisAction() {}
std::unique_ptr<ASTConsumer> std::unique_ptr<ASTConsumer>
AnalysisAction::CreateASTConsumer(CompilerInstance &CI, StringRef InFile) { AnalysisAction::CreateASTConsumer(CompilerInstance &CI, StringRef InFile) {
return CreateAnalysisConsumer(CI); std::vector<std::unique_ptr<ASTConsumer>> ASTConsumers;
auto AConsumer = CreateAnalysisConsumer(CI);
AnalyzerOptionsRef Opts = CI.getAnalyzerOpts();
if (Opts->GenerateLLVMIR) {
DiagnosticsEngine &SADiagEng = CI.getDiagnostics();
// Supress diagnostics during CodeGen.
CodeGenDiags = std::make_unique<DiagnosticsEngine>(
SADiagEng.getDiagnosticIDs(), &SADiagEng.getDiagnosticOptions(),
SADiagEng.getClient(), /*ShouldOwnClient=*/false);
CodeGenDiags->setSuppressAllDiagnostics(true);
LLVMCtx = std::make_shared<llvm::LLVMContext>();
auto CGConsumer = BuildCodeGen(CI, *LLVMCtx, *CodeGenDiags);
AConsumer->setCodeGen(CGConsumer.get());
ASTConsumers.push_back(std::move(CGConsumer));
}
whisperityUnsubmitted
Done
ReplyInline Actions

Isn't there a lifetime issue here? LLVMCtx is given as a raw reference to the BuildCodeGen and the shared pointer leaves scope at the end of the branch.

whisperity: Isn't there a lifetime issue here? `LLVMCtx` is given as a raw reference to the `BuildCodeGen`…
martongAuthorUnsubmitted
Done
ReplyInline Actions

Nope, LLVMCtx is a member of AnalysisAction.

martong: Nope, `LLVMCtx` is a member of `AnalysisAction`.
ASTConsumers.push_back(std::move(AConsumer));
return std::make_unique<MultiplexConsumer>(std::move(ASTConsumers));
}
std::unique_ptr<AnalysisAction> CreateAnalysisAction() {
return std::make_unique<AnalysisAction>();
} }
ParseModelFileAction::ParseModelFileAction(llvm::StringMap<Stmt *> &Bodies) ParseModelFileAction::ParseModelFileAction(llvm::StringMap<Stmt *> &Bodies)
: Bodies(Bodies) {} : Bodies(Bodies) {}
std::unique_ptr<ASTConsumer> std::unique_ptr<ASTConsumer>
ParseModelFileAction::CreateASTConsumer(CompilerInstance &CI, ParseModelFileAction::CreateASTConsumer(CompilerInstance &CI,
StringRef InFile) { StringRef InFile) {
return std::make_unique<ModelConsumer>(Bodies); return std::make_unique<ModelConsumer>(Bodies);
} }

clang/test/Analysis/analyzer-config.c

Show First 20 LinesShow All 74 Lines▼ Show 20 Lines
// CHECK-NEXT: display-checker-name = true // CHECK-NEXT: display-checker-name = true
// CHECK-NEXT: display-ctu-progress = false // CHECK-NEXT: display-ctu-progress = false
// CHECK-NEXT: eagerly-assume = true // CHECK-NEXT: eagerly-assume = true
// CHECK-NEXT: elide-constructors = true // CHECK-NEXT: elide-constructors = true
// CHECK-NEXT: expand-macros = false // CHECK-NEXT: expand-macros = false
// CHECK-NEXT: experimental-enable-naive-ctu-analysis = false // CHECK-NEXT: experimental-enable-naive-ctu-analysis = false
// CHECK-NEXT: exploration_strategy = unexplored_first_queue // CHECK-NEXT: exploration_strategy = unexplored_first_queue
// CHECK-NEXT: faux-bodies = true // CHECK-NEXT: faux-bodies = true
// CHECK-NEXT: generate-llvm-ir = false
// CHECK-NEXT: graph-trim-interval = 1000 // CHECK-NEXT: graph-trim-interval = 1000
// CHECK-NEXT: inline-lambdas = true // CHECK-NEXT: inline-lambdas = true
// CHECK-NEXT: ipa = dynamic-bifurcate // CHECK-NEXT: ipa = dynamic-bifurcate
// CHECK-NEXT: ipa-always-inline-size = 3 // CHECK-NEXT: ipa-always-inline-size = 3
// CHECK-NEXT: max-inlinable-size = 100 // CHECK-NEXT: max-inlinable-size = 100
// CHECK-NEXT: max-nodes = 225000 // CHECK-NEXT: max-nodes = 225000
// CHECK-NEXT: max-symbol-complexity = 35 // CHECK-NEXT: max-symbol-complexity = 35
// CHECK-NEXT: max-times-inline-large = 32 // CHECK-NEXT: max-times-inline-large = 32
Show All 31 Lines

clang/test/Analysis/ctu-different-triples.cpp

// RUN: rm -rf %t && mkdir %t // RUN: rm -rf %t && mkdir %t
// RUN: mkdir -p %t/ctudir // RUN: mkdir -p %t/ctudir
// RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \ // RUN: %clang_cc1 -std=c++14 -triple x86_64-pc-linux-gnu \
// RUN: -emit-pch -o %t/ctudir/ctu-other.cpp.ast %S/Inputs/ctu-other.cpp // RUN: -emit-pch -o %t/ctudir/ctu-other.cpp.ast %S/Inputs/ctu-other.cpp
// RUN: cp %S/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt // RUN: cp %S/Inputs/ctu-other.cpp.externalDefMap.ast-dump.txt %t/ctudir/externalDefMap.txt
// RUN: %clang_analyze_cc1 -std=c++14 -triple powerpc64-montavista-linux-gnu \ // RUN: %clang_analyze_cc1 -std=c++14 -triple powerpc64-montavista-linux-gnu \
// RUN: -analyzer-checker=core,debug.ExprInspection \ // RUN: -analyzer-checker=core,debug.ExprInspection \
// RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \ // RUN: -analyzer-config experimental-enable-naive-ctu-analysis=true \
// RUN: -analyzer-config ctu-dir=%t/ctudir \ // RUN: -analyzer-config ctu-dir=%t/ctudir \
// RUN: -Werror=ctu \ // RUN: -Werror=ctu \
// RUN: -verify %s // RUN: -verify %s
// We expect an error in this file, but without a location. // We expect an error in this file, but without a location.
// expected-error-re@./ctu-different-triples.cpp:*{{imported AST from {{.*}} had been generated for a different target, current: powerpc64-montavista-linux-gnu, imported: x86_64-pc-linux-gnu}} // expected-error-re@./ctu-different-triples.cpp:*{{imported AST from {{.*}} had been generated for a different target, current: powerpc64-montavista-linux-gnu, imported: x86_64-pc-linux-gnu}}
// FIXME Why do we get the error twice?
// expected-error-re@./ctu-different-triples.cpp:*{{imported AST from {{.*}} had been generated for a different target, current: powerpc64-montavista-linux-gnu, imported: x86_64-pc-linux-gnu}}
int f(int); int f(int);
int main() { int main() {
return f(5); return f(5);
} }

clang/test/Analysis/ircontext.cpp

  • This file was added.
// RUN: %clang_analyze_cc1 %s \
// RUN: -analyzer-checker=core,debug.ExprInspection \
// RUN: -analyzer-config eagerly-assume=false \
// RUN: -analyzer-config ipa=none \
// RUN: -analyzer-config generate-llvm-ir=true \
// RUN: -triple i686-unknown-linux \
// RUN: -verify
void clang_analyzer_eval(int);
int g = 0;
static int foo(int *x) { return *x; }
void test() {
g = 3;
int l = 0;
foo(&l);
clang_analyzer_eval(g == 3); // expected-warning{{TRUE}}
}
whisperityUnsubmitted
Done
ReplyInline Actions

What are we testing here? Without the ability to read the pureness of foo from the IR, the knowledge about g's value would be scrapped at the call? foo is defined in the current TU.

whisperity: What are we testing here? Without the ability to read the pureness of `foo` from the IR, the…
martongAuthorUnsubmitted
Done
ReplyInline Actions

We test here that with no-inlining (i.e. always doing conservative evaluation) we do not invalidate the state after a call to a pure function.

martong: We test here that with no-inlining (i.e. always doing conservative evaluation) we do not…

clang/unittests/StaticAnalyzer/CMakeLists.txt

set(LLVM_LINK_COMPONENTS set(LLVM_LINK_COMPONENTS
FrontendOpenMP FrontendOpenMP
Support Support
) )
add_clang_unittest(StaticAnalysisTests add_clang_unittest(StaticAnalysisTests
AnalyzerOptionsTest.cpp AnalyzerOptionsTest.cpp
CallDescriptionTest.cpp CallDescriptionTest.cpp
CallEventTest.cpp CallEventTest.cpp
FalsePositiveRefutationBRVisitorTest.cpp FalsePositiveRefutationBRVisitorTest.cpp
IRContextTest.cpp
ParamRegionTest.cpp ParamRegionTest.cpp
RangeSetTest.cpp RangeSetTest.cpp
RegisterCustomCheckersTest.cpp RegisterCustomCheckersTest.cpp
StoreTest.cpp StoreTest.cpp
SymbolReaperTest.cpp SymbolReaperTest.cpp
TestReturnValueUnderConstruction.cpp TestReturnValueUnderConstruction.cpp
) )
clang_target_link_libraries(StaticAnalysisTests clang_target_link_libraries(StaticAnalysisTests
PRIVATE PRIVATE
LLVMCore
clangBasic clangBasic
clangAnalysis clangAnalysis
clangAST clangAST
clangASTMatchers clangASTMatchers
clangCodeGen
clangCrossTU clangCrossTU
clangFrontend clangFrontend
clangSerialization clangSerialization
clangStaticAnalyzerCore clangStaticAnalyzerCore
clangStaticAnalyzerFrontend clangStaticAnalyzerFrontend
clangTooling clangTooling
) )

clang/unittests/StaticAnalyzer/IRContextTest.cpp

  • This file was added.
//===- unittests/StaticAnalyzer/IRContextTest.cpp -------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "Reusables.h"
#include "clang/ASTMatchers/ASTMatchers.h"
#include "clang/CodeGen/ModuleBuilder.h"
#include "clang/Frontend/MultiplexConsumer.h"
#include "clang/StaticAnalyzer/Core/IRContext.h"
#include "clang/StaticAnalyzer/Frontend/AnalysisConsumer.h"
#include "clang/StaticAnalyzer/Frontend/FrontendActions.h"
#include "clang/Tooling/Tooling.h"
#include "llvm/IR/LLVMContext.h"
#include "llvm/IR/Module.h"
#include "gtest/gtest.h"
namespace clang {
namespace ento {
namespace {
using namespace ast_matchers;
const auto TestCode = R"(
int foo(int *x) { return *x; }
static int bar(int *x) { return *x; }
int baz(int *x) { int l; return foo(&l); }
// Must have at least one CallExpr for static functions, otherwise
// CodeGen will not emit the definition.
void callerOfBar() { int l; bar(&l); }
)";
class IRContextTestConsumer : public ASTConsumer {
IRContext IRCtx;
CodeGenerator *CG = nullptr;
public:
IRContextTestConsumer() : IRCtx(CG) {}
void setCodeGen(CodeGenerator *Cg) { CG = Cg; }
void HandleTranslationUnit(ASTContext &Ctx) override {
IRCtx.runPipeline();
CG->GetModule()->dump();
TranslationUnitDecl *TU = Ctx.getTranslationUnitDecl();
const FunctionDecl *Foo =
findNode<FunctionDecl>(TU, functionDecl(hasName("foo")));
ASSERT_TRUE(Foo);
const FunctionDecl *Bar =
findNode<FunctionDecl>(TU, functionDecl(hasName("bar")));
ASSERT_TRUE(Bar);
const FunctionDecl *Baz =
findNode<FunctionDecl>(TU, functionDecl(hasName("baz")));
ASSERT_TRUE(Baz);
// We should be able to get the corresponding representation in IR.
llvm::Function *IRFoo = IRCtx.getFunction(Foo);
ASSERT_TRUE(IRFoo);
llvm::Function *IRBar = IRCtx.getFunction(Bar);
ASSERT_TRUE(IRBar);
llvm::Function *IRBaz = IRCtx.getFunction(Baz);
ASSERT_TRUE(IRBaz);
// "readonly" attribute should be set for all functions.
EXPECT_TRUE(
IRFoo->getAttributes().hasFnAttribute(llvm::Attribute::ReadOnly));
EXPECT_TRUE(
IRBar->getAttributes().hasFnAttribute(llvm::Attribute::ReadOnly));
EXPECT_TRUE(
IRBaz->getAttributes().hasFnAttribute(llvm::Attribute::ReadOnly));
}
};
class IRContextTestAction : public ASTFrontendAction {
std::shared_ptr<llvm::LLVMContext> LLVMCtx;
public:
std::unique_ptr<ASTConsumer> CreateASTConsumer(CompilerInstance &CI,
StringRef File) override {
std::vector<std::unique_ptr<ASTConsumer>> ASTConsumers;
LLVMCtx = std::make_shared<llvm::LLVMContext>();
auto CGConsumer = BuildCodeGen(CI, *LLVMCtx, CI.getDiagnostics());
auto TestConsumer = std::make_unique<IRContextTestConsumer>();
TestConsumer->setCodeGen(CGConsumer.get());
ASTConsumers.push_back(std::move(CGConsumer));
ASTConsumers.push_back(std::move(TestConsumer));
return std::make_unique<MultiplexConsumer>(std::move(ASTConsumers));
}
};
TEST(IRContext, TestReadOnly) {
EXPECT_TRUE(tooling::runToolOnCode(std::make_unique<IRContextTestAction>(),
TestCode));
}
} // namespace
} // namespace ento
} // namespace clang

clang/unittests/StaticAnalyzer/Reusables.h

//===- unittests/StaticAnalyzer/Reusables.h -------------------------------===// //===- unittests/StaticAnalyzer/Reusables.h -------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifndef LLVM_CLANG_UNITTESTS_STATICANALYZER_REUSABLES_H #ifndef LLVM_CLANG_UNITTESTS_STATICANALYZER_REUSABLES_H
#define LLVM_CLANG_UNITTESTS_STATICANALYZER_REUSABLES_H #define LLVM_CLANG_UNITTESTS_STATICANALYZER_REUSABLES_H
#include "clang/ASTMatchers/ASTMatchFinder.h" #include "clang/ASTMatchers/ASTMatchFinder.h"
#include "clang/Frontend/CompilerInstance.h"
#include "clang/CrossTU/CrossTranslationUnit.h" #include "clang/CrossTU/CrossTranslationUnit.h"
#include "clang/Frontend/CompilerInstance.h"
#include "clang/StaticAnalyzer/Core/IRContext.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
namespace clang { namespace clang {
namespace ento { namespace ento {
// Find a node in the current AST that matches a matcher. // Find a node in the current AST that matches a matcher.
template <typename T, typename MatcherT> template <typename T, typename MatcherT>
const T *findNode(const Decl *Where, MatcherT What) { const T *findNode(const Decl *Where, MatcherT What) {
Show All 13 Linesconst T *findDeclByName(const Decl *Where, StringRef Name) {
using namespace ast_matchers; using namespace ast_matchers;
return findNode<T>(Where, namedDecl(hasName(Name))); return findNode<T>(Where, namedDecl(hasName(Name)));
} }
// A re-usable consumer that constructs ExprEngine out of CompilerInvocation. // A re-usable consumer that constructs ExprEngine out of CompilerInvocation.
class ExprEngineConsumer : public ASTConsumer { class ExprEngineConsumer : public ASTConsumer {
protected: protected:
CompilerInstance &C; CompilerInstance &C;
CodeGenerator *CG = nullptr;
private: private:
// We need to construct all of these in order to construct ExprEngine. // We need to construct all of these in order to construct ExprEngine.
CheckerManager ChkMgr; CheckerManager ChkMgr;
cross_tu::CrossTranslationUnitContext CTU; cross_tu::CrossTranslationUnitContext CTU;
IRContext IRCtx;
PathDiagnosticConsumers Consumers; PathDiagnosticConsumers Consumers;
AnalysisManager AMgr; AnalysisManager AMgr;
SetOfConstDecls VisitedCallees; SetOfConstDecls VisitedCallees;
FunctionSummariesTy FS; FunctionSummariesTy FS;
protected: protected:
ExprEngine Eng; ExprEngine Eng;
public: public:
ExprEngineConsumer(CompilerInstance &C) ExprEngineConsumer(CompilerInstance &C)
: C(C), : C(C),
ChkMgr(C.getASTContext(), *C.getAnalyzerOpts(), C.getPreprocessor()), ChkMgr(C.getASTContext(), *C.getAnalyzerOpts(), C.getPreprocessor()),
CTU(C), Consumers(), CTU(C), IRCtx(CG), Consumers(),
AMgr(C.getASTContext(), C.getPreprocessor(), Consumers, AMgr(C.getASTContext(), C.getPreprocessor(), Consumers,
CreateRegionStoreManager, CreateRangeConstraintManager, &ChkMgr, CreateRegionStoreManager, CreateRangeConstraintManager, &ChkMgr,
*C.getAnalyzerOpts()), *C.getAnalyzerOpts()),
VisitedCallees(), FS(), VisitedCallees(), FS(), Eng(CTU, IRCtx, AMgr, &VisitedCallees, &FS,
Eng(CTU, AMgr, &VisitedCallees, &FS, ExprEngine::Inline_Regular) {} ExprEngine::Inline_Regular) {}
}; };
} // namespace ento } // namespace ento
} // namespace clang } // namespace clang
#endif #endif