1//===-- DataflowAnalysisContext.cpp -----------------------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file defines a DataflowAnalysisContext class that owns objects that
10// encompass the state of a program and stores context that is used during
11// dataflow analysis.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/Analysis/FlowSensitive/DataflowAnalysisContext.h"
16#include "clang/AST/Type.h"
17#include "clang/Analysis/FlowSensitive/ASTOps.h"
18#include "clang/Analysis/FlowSensitive/Formula.h"
19#include "clang/Analysis/FlowSensitive/Logger.h"
20#include "clang/Analysis/FlowSensitive/SimplifyConstraints.h"
21#include "clang/Analysis/FlowSensitive/Value.h"
22#include "clang/Basic/LLVM.h"
23#include "llvm/ADT/DenseSet.h"
24#include "llvm/ADT/SetOperations.h"
25#include "llvm/ADT/SetVector.h"
26#include "llvm/Support/CommandLine.h"
27#include "llvm/Support/Debug.h"
28#include "llvm/Support/FileSystem.h"
29#include "llvm/Support/Path.h"
30#include "llvm/Support/raw_ostream.h"
31#include <cassert>
32#include <memory>
33#include <stack>
34#include <string>
35#include <utility>
36#include <vector>
37
38static llvm::cl::opt<std::string> DataflowLog(
39 "dataflow-log", llvm::cl::Hidden, llvm::cl::ValueOptional,
40 llvm::cl::desc("Emit log of dataflow analysis. With no arg, writes textual "
41 "log to stderr. With an arg, writes HTML logs under the "
42 "specified directory (one per analyzed function)."));
43
44namespace clang {
45namespace dataflow {
46
47FieldSet DataflowAnalysisContext::computeModeledFields(QualType Type) {
48 // During context-sensitive analysis, a struct may be allocated in one
49 // function, but its field accessed in a function lower in the stack than
50 // the allocation. Since we only collect fields used in the function where
51 // the allocation occurs, we can't apply that filter when performing
52 // context-sensitive analysis. But, this only applies to storage locations,
53 // since field access it not allowed to fail. In contrast, field *values*
54 // don't need this allowance, since the API allows for uninitialized fields.
55 if (Opts.ContextSensitiveOpts)
56 return getObjectFields(Type);
57
58 return llvm::set_intersection(S1: getObjectFields(Type), S2: ModeledFields);
59}
60
61const FieldSet &DataflowAnalysisContext::getModeledFields(QualType Type) {
62 QualType CanonicalType = Type.getCanonicalType().getUnqualifiedType();
63 std::unique_ptr<FieldSet> &Fields = CachedModeledFields[CanonicalType];
64 if (Fields == nullptr)
65 Fields = std::make_unique<FieldSet>(args: computeModeledFields(Type: CanonicalType));
66 return *Fields;
67}
68
69void DataflowAnalysisContext::addModeledFields(const FieldSet &Fields) {
70 ModeledFields.set_union(Fields);
71 CachedModeledFields.clear();
72}
73
74StorageLocation &DataflowAnalysisContext::createStorageLocation(QualType Type) {
75 if (!Type.isNull() && Type->isRecordType()) {
76 llvm::DenseMap<const ValueDecl *, StorageLocation *> FieldLocs;
77 for (const FieldDecl *Field : getModeledFields(Type))
78 if (Field->getType()->isReferenceType())
79 FieldLocs.insert(KV: {Field, nullptr});
80 else
81 FieldLocs.insert(KV: {Field, &createStorageLocation(
82 Type: Field->getType().getNonReferenceType())});
83
84 RecordStorageLocation::SyntheticFieldMap SyntheticFields;
85 for (const auto &Entry : getSyntheticFields(Type))
86 SyntheticFields.insert(
87 KV: {Entry.getKey(),
88 &createStorageLocation(Type: Entry.getValue().getNonReferenceType())});
89
90 return createRecordStorageLocation(Type, FieldLocs: std::move(FieldLocs),
91 SyntheticFields: std::move(SyntheticFields));
92 }
93 return arena().create<ScalarStorageLocation>(args&: Type);
94}
95
96// Returns the keys for a given `StringMap`.
97// Can't use `StringSet` as the return type as it doesn't support `operator==`.
98template <typename T>
99static llvm::DenseSet<llvm::StringRef> getKeys(const llvm::StringMap<T> &Map) {
100 return llvm::DenseSet<llvm::StringRef>(llvm::from_range, Map.keys());
101}
102
103RecordStorageLocation &DataflowAnalysisContext::createRecordStorageLocation(
104 QualType Type, RecordStorageLocation::FieldToLoc FieldLocs,
105 RecordStorageLocation::SyntheticFieldMap SyntheticFields) {
106 assert(Type->isRecordType());
107 assert(containsSameFields(getModeledFields(Type), FieldLocs));
108 assert(getKeys(getSyntheticFields(Type)) == getKeys(SyntheticFields));
109
110 RecordStorageLocationCreated = true;
111 return arena().create<RecordStorageLocation>(args&: Type, args: std::move(FieldLocs),
112 args: std::move(SyntheticFields));
113}
114
115StorageLocation &
116DataflowAnalysisContext::getStableStorageLocation(const ValueDecl &D) {
117 if (auto *Loc = DeclToLoc.lookup(Val: &D))
118 return *Loc;
119 auto &Loc = createStorageLocation(Type: D.getType().getNonReferenceType());
120 DeclToLoc[&D] = &Loc;
121 return Loc;
122}
123
124StorageLocation &
125DataflowAnalysisContext::getStableStorageLocation(const Expr &E) {
126 const Expr &CanonE = ignoreCFGOmittedNodes(E);
127
128 if (auto *Loc = ExprToLoc.lookup(Val: &CanonE))
129 return *Loc;
130 auto &Loc = createStorageLocation(Type: CanonE.getType());
131 ExprToLoc[&CanonE] = &Loc;
132 return Loc;
133}
134
135PointerValue &
136DataflowAnalysisContext::getOrCreateNullPointerValue(QualType PointeeType) {
137 auto CanonicalPointeeType =
138 PointeeType.isNull() ? PointeeType : PointeeType.getCanonicalType();
139 auto Res = NullPointerVals.try_emplace(Key: CanonicalPointeeType, Args: nullptr);
140 if (Res.second) {
141 auto &PointeeLoc = createStorageLocation(Type: CanonicalPointeeType);
142 Res.first->second = &arena().create<PointerValue>(args&: PointeeLoc);
143 }
144 return *Res.first->second;
145}
146
147void DataflowAnalysisContext::addInvariant(const Formula &Constraint) {
148 if (Invariant == nullptr)
149 Invariant = &Constraint;
150 else
151 Invariant = &arena().makeAnd(LHS: *Invariant, RHS: Constraint);
152}
153
154void DataflowAnalysisContext::addFlowConditionConstraint(
155 Atom Token, const Formula &Constraint) {
156 auto Res = FlowConditionConstraints.try_emplace(Key: Token, Args: &Constraint);
157 if (!Res.second) {
158 Res.first->second =
159 &arena().makeAnd(LHS: *Res.first->second, RHS: Constraint);
160 }
161}
162
163Atom DataflowAnalysisContext::forkFlowCondition(Atom Token) {
164 Atom ForkToken = arena().makeFlowConditionToken();
165 FlowConditionDeps[ForkToken].insert(V: Token);
166 addFlowConditionConstraint(Token: ForkToken, Constraint: arena().makeAtomRef(A: Token));
167 return ForkToken;
168}
169
170Atom
171DataflowAnalysisContext::joinFlowConditions(Atom FirstToken,
172 Atom SecondToken) {
173 Atom Token = arena().makeFlowConditionToken();
174 auto &TokenDeps = FlowConditionDeps[Token];
175 TokenDeps.insert(V: FirstToken);
176 TokenDeps.insert(V: SecondToken);
177 addFlowConditionConstraint(Token,
178 Constraint: arena().makeOr(LHS: arena().makeAtomRef(A: FirstToken),
179 RHS: arena().makeAtomRef(A: SecondToken)));
180 return Token;
181}
182
183Solver::Result DataflowAnalysisContext::querySolver(
184 llvm::SetVector<const Formula *> Constraints) {
185 return S.solve(Vals: Constraints.getArrayRef());
186}
187
188bool DataflowAnalysisContext::flowConditionImplies(Atom Token,
189 const Formula &F) {
190 if (F.isLiteral(b: true))
191 return true;
192
193 // Returns true if and only if truth assignment of the flow condition implies
194 // that `F` is also true. We prove whether or not this property holds by
195 // reducing the problem to satisfiability checking. In other words, we attempt
196 // to show that assuming `F` is false makes the constraints induced by the
197 // flow condition unsatisfiable.
198 llvm::SetVector<const Formula *> Constraints;
199 Constraints.insert(X: &arena().makeAtomRef(A: Token));
200 Constraints.insert(X: &arena().makeNot(Val: F));
201 addTransitiveFlowConditionConstraints(Token, Out&: Constraints);
202 return isUnsatisfiable(Constraints: std::move(Constraints));
203}
204
205bool DataflowAnalysisContext::flowConditionAllows(Atom Token,
206 const Formula &F) {
207 if (F.isLiteral(b: false))
208 return false;
209
210 llvm::SetVector<const Formula *> Constraints;
211 Constraints.insert(X: &arena().makeAtomRef(A: Token));
212 Constraints.insert(X: &F);
213 addTransitiveFlowConditionConstraints(Token, Out&: Constraints);
214 return isSatisfiable(Constraints: std::move(Constraints));
215}
216
217bool DataflowAnalysisContext::equivalentFormulas(const Formula &Val1,
218 const Formula &Val2) {
219 llvm::SetVector<const Formula *> Constraints;
220 Constraints.insert(X: &arena().makeNot(Val: arena().makeEquals(LHS: Val1, RHS: Val2)));
221 return isUnsatisfiable(Constraints: std::move(Constraints));
222}
223
224llvm::DenseSet<Atom> DataflowAnalysisContext::collectDependencies(
225 llvm::DenseSet<Atom> Tokens) const {
226 // Use a worklist algorithm, with `Remaining` holding the worklist and
227 // `Tokens` tracking which atoms have already been added to the worklist.
228 std::vector<Atom> Remaining(Tokens.begin(), Tokens.end());
229 while (!Remaining.empty()) {
230 Atom CurrentToken = Remaining.back();
231 Remaining.pop_back();
232 if (auto DepsIt = FlowConditionDeps.find(Val: CurrentToken);
233 DepsIt != FlowConditionDeps.end())
234 for (Atom A : DepsIt->second)
235 if (Tokens.insert(V: A).second)
236 Remaining.push_back(x: A);
237 }
238
239 return Tokens;
240}
241
242void DataflowAnalysisContext::addTransitiveFlowConditionConstraints(
243 Atom Token, llvm::SetVector<const Formula *> &Constraints) {
244 llvm::DenseSet<Atom> AddedTokens;
245 std::vector<Atom> Remaining = {Token};
246
247 if (Invariant)
248 Constraints.insert(X: Invariant);
249 // Define all the flow conditions that might be referenced in constraints.
250 while (!Remaining.empty()) {
251 auto Token = Remaining.back();
252 Remaining.pop_back();
253 if (!AddedTokens.insert(V: Token).second)
254 continue;
255
256 auto ConstraintsIt = FlowConditionConstraints.find(Val: Token);
257 if (ConstraintsIt == FlowConditionConstraints.end()) {
258 // The flow condition is unconstrained. Just add the atom directly, which
259 // is equivalent to asserting it is true.
260 Constraints.insert(X: &arena().makeAtomRef(A: Token));
261 } else {
262 // Bind flow condition token via `iff` to its set of constraints:
263 // FC <=> (C1 ^ C2 ^ ...), where Ci are constraints
264 Constraints.insert(X: &arena().makeEquals(LHS: arena().makeAtomRef(A: Token),
265 RHS: *ConstraintsIt->second));
266 }
267
268 if (auto DepsIt = FlowConditionDeps.find(Val: Token);
269 DepsIt != FlowConditionDeps.end())
270 for (Atom A : DepsIt->second)
271 Remaining.push_back(x: A);
272 }
273}
274
275static void getReferencedAtoms(const Formula &F,
276 llvm::DenseSet<dataflow::Atom> &Refs) {
277 // Avoid recursion to avoid stack overflows from very large formulas.
278 // The shape of the tree structure for very large formulas is such that there
279 // are at most 2 children from any node, but there may be many generations.
280 std::stack<const Formula *> WorkList;
281 WorkList.push(x: &F);
282
283 while (!WorkList.empty()) {
284 const Formula *Current = WorkList.top();
285 WorkList.pop();
286 switch (Current->kind()) {
287 case Formula::AtomRef:
288 Refs.insert(V: Current->getAtom());
289 break;
290 case Formula::Literal:
291 break;
292 case Formula::Not:
293 WorkList.push(x: Current->operands()[0]);
294 break;
295 case Formula::And:
296 case Formula::Or:
297 case Formula::Implies:
298 case Formula::Equal:
299 ArrayRef<const Formula *> Operands = Current->operands();
300 WorkList.push(x: Operands[0]);
301 WorkList.push(x: Operands[1]);
302 break;
303 }
304 }
305}
306
307SimpleLogicalContext DataflowAnalysisContext::exportLogicalContext(
308 llvm::DenseSet<dataflow::Atom> TargetTokens) const {
309 SimpleLogicalContext LC;
310
311 // Copy `Invariant` even if it is null, to initialize the field.
312 LC.Invariant = Invariant;
313 if (Invariant != nullptr)
314 getReferencedAtoms(F: *Invariant, Refs&: TargetTokens);
315
316 llvm::DenseSet<dataflow::Atom> Dependencies =
317 collectDependencies(Tokens: std::move(TargetTokens));
318
319 for (dataflow::Atom Token : Dependencies) {
320 // Only process the token if it is constrained. Unconstrained tokens don't
321 // have dependencies.
322 const Formula *Constraints = FlowConditionConstraints.lookup(Val: Token);
323 if (Constraints == nullptr)
324 continue;
325 LC.TokenDefs[Token] = Constraints;
326
327 if (auto DepsIt = FlowConditionDeps.find(Val: Token);
328 DepsIt != FlowConditionDeps.end())
329 LC.TokenDeps[Token] = DepsIt->second;
330 }
331
332 return LC;
333}
334
335void DataflowAnalysisContext::initLogicalContext(SimpleLogicalContext LC) {
336 Invariant = LC.Invariant;
337 FlowConditionConstraints = std::move(LC.TokenDefs);
338 // TODO: The dependencies in `LC.TokenDeps` can be reconstructed from
339 // `LC.TokenDefs`. Give the caller the option to reconstruct, rather than
340 // providing them directly, to save caller space (memory/disk).
341 FlowConditionDeps = std::move(LC.TokenDeps);
342}
343
344static void printAtomList(const llvm::SmallVector<Atom> &Atoms,
345 llvm::raw_ostream &OS) {
346 OS << "(";
347 for (size_t i = 0; i < Atoms.size(); ++i) {
348 OS << Atoms[i];
349 if (i + 1 < Atoms.size())
350 OS << ", ";
351 }
352 OS << ")\n";
353}
354
355void DataflowAnalysisContext::dumpFlowCondition(Atom Token,
356 llvm::raw_ostream &OS) {
357 llvm::SetVector<const Formula *> Constraints;
358 Constraints.insert(X: &arena().makeAtomRef(A: Token));
359 addTransitiveFlowConditionConstraints(Token, Constraints);
360
361 OS << "Flow condition token: " << Token << "\n";
362 SimplifyConstraintsInfo Info;
363 llvm::SetVector<const Formula *> OriginalConstraints = Constraints;
364 simplifyConstraints(Constraints, arena&: arena(), Info: &Info);
365 if (!Constraints.empty()) {
366 OS << "Constraints:\n";
367 for (const auto *Constraint : Constraints) {
368 Constraint->print(OS);
369 OS << "\n";
370 }
371 }
372 if (!Info.TrueAtoms.empty()) {
373 OS << "True atoms: ";
374 printAtomList(Atoms: Info.TrueAtoms, OS);
375 }
376 if (!Info.FalseAtoms.empty()) {
377 OS << "False atoms: ";
378 printAtomList(Atoms: Info.FalseAtoms, OS);
379 }
380 if (!Info.EquivalentAtoms.empty()) {
381 OS << "Equivalent atoms:\n";
382 for (const llvm::SmallVector<Atom> &Class : Info.EquivalentAtoms)
383 printAtomList(Atoms: Class, OS);
384 }
385
386 OS << "\nFlow condition constraints before simplification:\n";
387 for (const auto *Constraint : OriginalConstraints) {
388 Constraint->print(OS);
389 OS << "\n";
390 }
391}
392
393const AdornedCFG *
394DataflowAnalysisContext::getAdornedCFG(const FunctionDecl *F) {
395 // Canonicalize the key:
396 F = F->getDefinition();
397 if (F == nullptr)
398 return nullptr;
399 auto It = FunctionContexts.find(Val: F);
400 if (It != FunctionContexts.end())
401 return &It->second;
402
403 if (F->doesThisDeclarationHaveABody()) {
404 auto ACFG = AdornedCFG::build(Func: *F);
405 // FIXME: Handle errors.
406 assert(ACFG);
407 auto Result = FunctionContexts.insert(KV: {F, std::move(*ACFG)});
408 return &Result.first->second;
409 }
410
411 return nullptr;
412}
413
414static std::unique_ptr<Logger> makeLoggerFromCommandLine() {
415 if (DataflowLog.empty())
416 return Logger::textual(llvm::errs());
417
418 llvm::StringRef Dir = DataflowLog;
419 if (auto EC = llvm::sys::fs::create_directories(path: Dir))
420 llvm::errs() << "Failed to create log dir: " << EC.message() << "\n";
421 // All analysis runs within a process will log to the same directory.
422 // Share a counter so they don't all overwrite each other's 0.html.
423 // (Don't share a logger, it's not threadsafe).
424 static std::atomic<unsigned> Counter = {0};
425 auto StreamFactory =
426 [Dir(Dir.str())]() mutable -> std::unique_ptr<llvm::raw_ostream> {
427 llvm::SmallString<256> File(Dir);
428 llvm::sys::path::append(path&: File,
429 a: std::to_string(val: Counter.fetch_add(i: 1)) + ".html");
430 std::error_code EC;
431 auto OS = std::make_unique<llvm::raw_fd_ostream>(args&: File, args&: EC);
432 if (EC) {
433 llvm::errs() << "Failed to create log " << File << ": " << EC.message()
434 << "\n";
435 return std::make_unique<llvm::raw_null_ostream>();
436 }
437 return OS;
438 };
439 return Logger::html(std::move(StreamFactory));
440}
441
442DataflowAnalysisContext::DataflowAnalysisContext(
443 Solver &S, std::unique_ptr<Solver> &&OwnedSolver, Options Opts)
444 : S(S), OwnedSolver(std::move(OwnedSolver)), A(std::make_unique<Arena>()),
445 Opts(Opts) {
446 // If the -dataflow-log command-line flag was set, synthesize a logger.
447 // This is ugly but provides a uniform method for ad-hoc debugging dataflow-
448 // based tools.
449 if (Opts.Log == nullptr) {
450 if (DataflowLog.getNumOccurrences() > 0) {
451 LogOwner = makeLoggerFromCommandLine();
452 this->Opts.Log = LogOwner.get();
453 // FIXME: if the flag is given a value, write an HTML log to a file.
454 } else {
455 this->Opts.Log = &Logger::null();
456 }
457 }
458}
459
460DataflowAnalysisContext::~DataflowAnalysisContext() = default;
461
462} // namespace dataflow
463} // namespace clang
464