From: George Karpenkov Date: Mon, 12 Feb 2018 22:39:57 +0000 (+0000) Subject: [analyzer] Exploration strategy prioritizing unexplored coverage first X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=59ea7a594e1c2d408eb61349cade57e7b8b28dd0;p=clang [analyzer] Exploration strategy prioritizing unexplored coverage first See reviews.llvm.org/M1 for evaluation, and lists.llvm.org/pipermail/cfe-dev/2018-January/056718.html for discussion. Differential Revision: https://reviews.llvm.org/D42775 git-svn-id: https://llvm.org/svn/llvm-project/cfe/trunk@324956 91177308-0d34-0410-b5e6-96231b3b80d8 --- diff --git a/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h b/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h index 9968797d53..bf119f6a8c 100644 --- a/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h +++ b/include/clang/StaticAnalyzer/Core/AnalyzerOptions.h @@ -191,6 +191,7 @@ public: enum class ExplorationStrategyKind { DFS, BFS, + UnexploredFirst, BFSBlockDFSContents, NotSet }; diff --git a/include/clang/StaticAnalyzer/Core/PathSensitive/WorkList.h b/include/clang/StaticAnalyzer/Core/PathSensitive/WorkList.h index a8ccb7c3f0..cc2b6af02e 100644 --- a/include/clang/StaticAnalyzer/Core/PathSensitive/WorkList.h +++ b/include/clang/StaticAnalyzer/Core/PathSensitive/WorkList.h @@ -83,6 +83,7 @@ public: static std::unique_ptr makeDFS(); static std::unique_ptr makeBFS(); static std::unique_ptr makeBFSBlockDFSContents(); + static std::unique_ptr makeUnexploredFirst(); }; } // end GR namespace diff --git a/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp b/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp index 0f07c54e39..aa3c2953d8 100644 --- a/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp +++ b/lib/StaticAnalyzer/Core/AnalyzerOptions.cpp @@ -58,22 +58,25 @@ AnalyzerOptions::UserModeKind AnalyzerOptions::getUserMode() { AnalyzerOptions::ExplorationStrategyKind AnalyzerOptions::getExplorationStrategy() { if (ExplorationStrategy == ExplorationStrategyKind::NotSet) { - StringRef StratStr = Config.insert( - std::make_pair("exploration_strategy", "dfs")).first->second; - ExplorationStrategy = llvm::StringSwitch(StratStr) - .Case("dfs", ExplorationStrategyKind::DFS) - .Case("bfs", ExplorationStrategyKind::BFS) - .Case("bfs_block_dfs_contents", ExplorationStrategyKind::BFSBlockDFSContents) - .Default(ExplorationStrategyKind::NotSet); - assert(ExplorationStrategy != ExplorationStrategyKind::NotSet - && "User mode is invalid."); + StringRef StratStr = + Config + .insert(std::make_pair("exploration_strategy", "dfs")) + .first->second; + ExplorationStrategy = + llvm::StringSwitch(StratStr) + .Case("dfs", ExplorationStrategyKind::DFS) + .Case("bfs", ExplorationStrategyKind::BFS) + .Case("unexplored_first", + ExplorationStrategyKind::UnexploredFirst) + .Case("bfs_block_dfs_contents", + ExplorationStrategyKind::BFSBlockDFSContents) + .Default(ExplorationStrategyKind::NotSet); + assert(ExplorationStrategy != ExplorationStrategyKind::NotSet && + "User mode is invalid."); } return ExplorationStrategy; - } - - IPAKind AnalyzerOptions::getIPAMode() { if (IPAMode == IPAK_NotSet) { diff --git a/lib/StaticAnalyzer/Core/CoreEngine.cpp b/lib/StaticAnalyzer/Core/CoreEngine.cpp index 115b5a1c29..4b57419fd8 100644 --- a/lib/StaticAnalyzer/Core/CoreEngine.cpp +++ b/lib/StaticAnalyzer/Core/CoreEngine.cpp @@ -19,6 +19,7 @@ #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" #include "llvm/ADT/Statistic.h" +#include "llvm/ADT/DenseSet.h" #include "llvm/Support/Casting.h" using namespace clang; @@ -33,6 +34,9 @@ STATISTIC(NumReachedMaxSteps, STATISTIC(NumPathsExplored, "The # of paths explored by the analyzer."); +STATISTIC(MaxQueueSize, "Maximum size of the worklist"); +STATISTIC(MaxReachableSize, "Maximum size of auxiliary worklist set"); + //===----------------------------------------------------------------------===// // Worklist classes for exploration of reachable states. //===----------------------------------------------------------------------===// @@ -128,6 +132,64 @@ std::unique_ptr WorkList::makeBFSBlockDFSContents() { return llvm::make_unique(); } +class UnexploredFirstStack : public WorkList { + + /// Stack of nodes known to have statements we have not traversed yet. + SmallVector StackUnexplored; + + /// Stack of all other nodes. + SmallVector StackOthers; + + typedef unsigned BlockID; + typedef std::pair LocIdentifier; + llvm::DenseSet Reachable; + +public: + bool hasWork() const override { + return !(StackUnexplored.empty() && StackOthers.empty()); + } + + void enqueue(const WorkListUnit &U) override { + const ExplodedNode *N = U.getNode(); + auto BE = N->getLocation().getAs(); + + if (!BE) { + + // Assume the choice of the order of the preceeding block entrance was + // correct. + StackUnexplored.push_back(U); + } else { + LocIdentifier LocId = std::make_pair( + BE->getBlock()->getBlockID(), N->getStackFrame()); + auto InsertInfo = Reachable.insert(LocId); + + if (InsertInfo.second) { + StackUnexplored.push_back(U); + } else { + StackOthers.push_back(U); + } + } + MaxReachableSize.updateMax(Reachable.size()); + MaxQueueSize.updateMax(StackUnexplored.size() + StackOthers.size()); + } + + WorkListUnit dequeue() override { + if (!StackUnexplored.empty()) { + WorkListUnit &U = StackUnexplored.back(); + StackUnexplored.pop_back(); + return U; + } else { + WorkListUnit &U = StackOthers.back(); + StackOthers.pop_back(); + return U; + } + } +}; + +std::unique_ptr WorkList::makeUnexploredFirst() { + return llvm::make_unique(); +} + //===----------------------------------------------------------------------===// // Core analysis engine. //===----------------------------------------------------------------------===// @@ -140,6 +202,8 @@ static std::unique_ptr generateWorkList(AnalyzerOptions &Opts) { return WorkList::makeBFS(); case AnalyzerOptions::ExplorationStrategyKind::BFSBlockDFSContents: return WorkList::makeBFSBlockDFSContents(); + case AnalyzerOptions::ExplorationStrategyKind::UnexploredFirst: + return WorkList::makeUnexploredFirst(); default: llvm_unreachable("Unexpected case"); } diff --git a/test/Analysis/exploration_order/prefer_unexplored.cc b/test/Analysis/exploration_order/prefer_unexplored.cc new file mode 100644 index 0000000000..e9f25edf45 --- /dev/null +++ b/test/Analysis/exploration_order/prefer_unexplored.cc @@ -0,0 +1,39 @@ +// RUN: %clang_analyze_cc1 -w -analyzer-checker=core -analyzer-config exploration_strategy=unexplored_first -analyzer-output=text -verify %s | FileCheck %s + +extern int coin(); + +int foo() { + int *x = 0; // expected-note {{'x' initialized to a null pointer value}} + while (coin()) { // expected-note{{Loop condition is true}} + if (coin()) // expected-note {{Taking true branch}} + return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} + // expected-note@-1{{Dereference of null pointer (loaded from variable 'x')}} + } + return 0; +} + +void bar() { + while(coin()) // expected-note{{Loop condition is true}} + if (coin()) // expected-note {{Assuming the condition is true}} + foo(); // expected-note{{Calling 'foo'}} +} + +int foo2() { + int *x = 0; // expected-note {{'x' initialized to a null pointer value}} + while (coin()) { // expected-note{{Loop condition is true}} + if (coin()) // expected-note {{Taking false branch}} + return false; + else + return *x; // expected-warning{{Dereference of null pointer (loaded from variable 'x')}} + // expected-note@-1{{Dereference of null pointer (loaded from variable 'x')}} + } + return 0; +} + +void bar2() { + while(coin()) // expected-note{{Loop condition is true}} + if (coin()) // expected-note {{Assuming the condition is false}} + return false; + else + foo(); // expected-note{{Calling 'foo'}} +}