#
01ccf7b3 |
| 06-Jan-2023 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
Revert "Revert "[clang][dataflow] Only model struct fields that are used in the function being analyzed.""
This reverts commit 2b1a517a92bfdfa3b692a660e19a2bb22513a567. It's a fix forward with two memory errors fixed, one of which was the cause of the build breakage in the buildbots.
Original message:
Previously, the model for structs modeled all fields in a struct when `createValue` was called for that type. This patch adds a prepass on the function under analysis to discover the fields referenced in the scope and then limits modeling to only those fields. This reduces wasted memory usage (modeling unused fields) which can be important for programs that use large structs.
Note: This patch obviates the need for https://reviews.llvm.org/D123032.
|
#
2b1a517a |
| 06-Jan-2023 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
Revert "[clang][dataflow] Only model struct fields that are used in the function being analyzed."
This reverts commit 5e8f597c2fedc740b71f07dfdb1ef3c2d348b193. It caused msan and ubsan breakages.
|
#
5e8f597c |
| 27-Dec-2022 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
[clang][dataflow] Only model struct fields that are used in the function being analyzed.
Previously, the model for structs modeled all fields in a struct when `createValue` was called for that type. This patch adds a prepass on the function under analysis to discover the fields referenced in the scope and then limits modeling to only those fields. This reduces wasted memory usage (modeling unused fields) which can be important for programs that use large structs.
Note: This patch obviates the need for https://reviews.llvm.org/D123032.
Differential Revision: https://reviews.llvm.org/D140694
|
#
d862f662 |
| 30-Dec-2022 |
Dani Ferreira Franco Moura <danimoura@google.com> |
[clang][dataflow] Treat unions as structs.
This is a straightforward way to handle unions in dataflow analysis. Without this change, nullability verification crashes on files that contain unions.
Reviewed By: gribozavr2, ymandel
Differential Revision: https://reviews.llvm.org/D140696
|
#
38404df9 |
| 20-Dec-2022 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
[clang][dataflow] Fix bug in handling of `return` statements.
The handling of return statements, added in support of context-sensitive analysis, has a bug relating to functions that return reference types. Specifically, interpretation of such functions can result in a crash from a bad cast. This patch fixes the bug and guards all of that code with the context-sensitive option, since there's no reason to execute at all when context-sensitive analysis is off.
Differential Revision: https://reviews.llvm.org/D140430
|
#
ef463545 |
| 07-Dec-2022 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
[clang][dataflow] Add support for structured bindings of tuple-like types.
This patch adds interpretation of binding declarations resulting from a structured binding (`DecompositionDecl`) to a tuple-like type. Currently, the framework only supports binding to a struct.
Fixes issue #57252.
Differential Revision: https://reviews.llvm.org/D139544
|
#
a41fbb1f |
| 03-Dec-2022 |
Kazu Hirata <kazu@google.com> |
[clang/unittests] Use std::nullopt instead of None (NFC)
This patch mechanically replaces None with std::nullopt where the compiler would warn if None were deprecated. The intent is to reduce the amount of manual work required in migrating from Optional to std::optional.
This is part of an effort to migrate from llvm::Optional to std::optional:
https://discourse.llvm.org/t/deprecating-llvm-optional-x-hasvalue-getvalue-getvalueor/63716
|
Revision tags: llvmorg-15.0.6, llvmorg-15.0.5 |
|
#
84dd12b2 |
| 03-Nov-2022 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
[clang][dataflow] Add widening API and implement it for built-in boolean model.
* Adds API support for widening of lattice elements and environments,
* Updates the algorithm to apply widening where appropriate,
* Implements widening for boolean values.
In the process, moves the unsoundness of comparison from the default implementation of `Environment::ValueModel::compare` to model-specific handling inside `DataflowEnvironment::equivalentTo`. This change is intended to clarify the source and location of unsoundness.
This patch is a replacement for, and was based substantially on, https://reviews.llvm.org/D131645.
Differential Revision: https://reviews.llvm.org/D137948
|
Revision tags: llvmorg-15.0.4, llvmorg-15.0.3, working, llvmorg-15.0.2 |
|
#
0b12efc7 |
| 22-Sep-2022 |
Yitzhak Mandelbaum <yitzhakm@google.com> |
[clang][dataflow] Add support for nested method calls.
Extend the context-sensitive analysis to handle a call to a method (of the same class) from within a method. That is, a member-call expression through `this`.
Differential Revision: https://reviews.llvm.org/D134432
|
Revision tags: llvmorg-15.0.1 |
|
#
9cbdef61 |
| 16-Sep-2022 |
Wei Yi Tee <wyt@google.com> |
[clang][dataflow] Replace usage of the deprecated overload of `checkDataflow`.
Updated files:
- `ChromiumCheckModelTest.cpp`.
- `MatchSwitchTest.cpp`.
- `MultiVarConstantPropagationTest.cpp`.
- `SingleVarConstantPropagationTest.cpp`.
- `TestingSupportTest.cpp`.
- `TransferTest.cpp`.
Reviewed By: gribozavr2, sgatev
Differential Revision: https://reviews.llvm.org/D133865
|
Revision tags: llvmorg-15.0.0 |
|
#
8dd14c42 |
| 01-Sep-2022 |
Wei Yi Tee <wyt@google.com> |
[clang][dataflow] Use `StringMap` for storing analysis states at annotated points instead of `vector<pair<string, StateT>>`.
Reviewed By: gribozavr2, sgatev, ymandel
Differential Revision: https://reviews.llvm.org/D132763
|
Revision tags: llvmorg-15.0.0-rc3 |
|
#
2efc8f8d |
| 15-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Add an option for context-sensitive depth
This patch adds a `Depth` field (default value 2) to `ContextSensitiveOptions`, allowing context-sensitive analysis of functions that call other functions. This also requires replacing the `DeclCtx` field on `Environment` with a `CallString` field that contains a vector of decl contexts, to ensure that the analysis doesn't try to analyze recursive or mutually recursive calls (which would result in a crash, due to the way we handle `StorageLocation`s).
Reviewed By: xazax.hun
Differential Revision: https://reviews.llvm.org/D131809
|
#
b3f1a6bf |
| 12-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Encode options using llvm::Optional
This patch restructures `DataflowAnalysisOptions` and `TransferOptions` to use `llvm::Optional`, in preparation for adding more sub-options to the `ContextSensitiveOptions` struct introduced here.
Reviewed By: sgatev, xazax.hun
Differential Revision: https://reviews.llvm.org/D131779
|
#
d09d4bd6 |
| 10-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Don't crash when caller args are missing storage locations
This patch modifies `Environment`'s `pushCall` method to pass over arguments that are missing storage locations, instead of crashing.
Reviewed By: gribozavr2
Differential Revision: https://reviews.llvm.org/D131600
|
#
eb91fd5c |
| 10-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Analyze constructor bodies
This patch adds the ability to context-sensitively analyze constructor bodies, by changing `pushCall` to allow both `CallExpr` and `CXXConstructExpr`, and extracting the main context-sensitive logic out of `VisitCallExpr` into a new `transferInlineCall` method which is now also called at the end of `VisitCXXConstructExpr`.
Reviewed By: ymandel, sgatev, xazax.hun
Differential Revision: https://reviews.llvm.org/D131438
|
#
75870650 |
| 10-Aug-2022 |
Evgenii Stepanov <eugenis@google.com> |
Revert "[clang][dataflow] Analyze constructor bodies"
https://lab.llvm.org/buildbot/#/builders/74/builds/12713
This reverts commit 000c8fef86abb7f056cbea2de99f21dca4b81bf8.
|
#
26089d4d |
| 10-Aug-2022 |
Evgenii Stepanov <eugenis@google.com> |
Revert "[clang][dataflow] Don't crash when caller args are missing storage locations"
https://lab.llvm.org/buildbot/#/builders/74/builds/12713
This reverts commit 43b298ea1282f29d448fc0f6ca971bc5fa698355.
|
#
43b298ea |
| 10-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Don't crash when caller args are missing storage locations
This patch modifies `Environment`'s `pushCall` method to pass over arguments that are missing storage locations, instead of crashing.
Reviewed By: gribozavr2
Differential Revision: https://reviews.llvm.org/D131600
|
#
000c8fef |
| 10-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Analyze constructor bodies
This patch adds the ability to context-sensitively analyze constructor bodies, by changing `pushCall` to allow both `CallExpr` and `CXXConstructExpr`, and extracting the main context-sensitive logic out of `VisitCallExpr` into a new `transferInlineCall` method which is now also called at the end of `VisitCXXConstructExpr`.
Reviewed By: ymandel, sgatev, xazax.hun
Differential Revision: https://reviews.llvm.org/D131438
|
Revision tags: llvmorg-15.0.0-rc2 |
|
#
8611a77e |
| 04-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Analyze method bodies
This patch adds the ability to context-sensitively analyze method bodies, by moving `ThisPointeeLoc` from `DataflowAnalysisContext` to `Environment`, and adding code in `pushCall` to set it.
Reviewed By: ymandel, sgatev, xazax.hun
Differential Revision: https://reviews.llvm.org/D131170
|
#
0eaecbbc |
| 04-Aug-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Handle return statements
This patch adds a `ReturnLoc` field to the `Environment`, serving a similar purpose to the `ThisPointeeLoc` field in the `DataflowAnalysisContext`. It then uses that (along with a new `VisitReturnStmt` method in `TransferVisitor`) to handle non-`void`-returning functions in context-sensitive analysis.
Reviewed By: ymandel, sgatev
Differential Revision: https://reviews.llvm.org/D130600
|
Revision tags: llvmorg-15.0.0-rc1 |
|
#
a6ddc684 |
| 29-Jul-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Handle multiple context-sensitive calls to the same function
This patch enables context-sensitive analysis of multiple different calls to the same function (see the `ContextSensitiveSetBothTrueAndFalse` example in the `TransferTest` suite) by replacing the `Environment` copy-assignment with a call to the new `popCall` method, which `std::move`s some fields but specifically does not move `DeclToLoc` and `ExprToLoc` from the callee back to the caller.
To enable this, the `StorageLocation` for a given parameter needs to be stable across different calls to the same function, so this patch also improves the modeling of parameter initialization, using `ReferenceValue` when necessary (for arguments passed by reference).
This approach explicitly does not work for recursive calls, because we currently only plan to use this context-sensitive machinery to support specialized analysis models we write, not analysis of arbitrary callees.
Reviewed By: ymandel, xazax.hun
Differential Revision: https://reviews.llvm.org/D130726
|
Revision tags: llvmorg-16-init |
|
#
300fbf56 |
| 26-Jul-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Analyze calls to in-TU functions
This patch adds initial support for context-sensitive analysis of simple functions whose definition is available in the translation unit, guarded by the `ContextSensitive` flag in the new `TransferOptions` struct. When this option is true, the `VisitCallExpr` case in the builtin transfer function has a fallthrough case which checks for a direct callee with a body. In that case, it constructs a CFG from that callee body, uses the new `pushCall` method on the `Environment` to make an environment to analyze the callee, and then calls `runDataflowAnalysis` with a `NoopAnalysis` (disabling context-sensitive analysis on that sub-analysis, to avoid problems with recursion). After the sub-analysis completes, the `Environment` from its exit block is simply assigned back to the environment at the callsite.
The `pushCall` method (which currently only supports non-method functions with some restrictions) maps the `SourceLocation`s for all the parameters to the existing source locations for the corresponding arguments from the callsite.
This patch adds a few tests to check that this context-sensitive analysis works on simple functions. More sophisticated functionality will be added later; the most important next step is to explicitly model context in some fields of the `DataflowAnalysisContext` class, as mentioned in a `FIXME` comment in the `pushCall` implementation.
Reviewed By: ymandel, xazax.hun
Differential Revision: https://reviews.llvm.org/D130306
|
#
cc9aa157 |
| 26-Jul-2022 |
Sam Estep <sam@samestep.com> |
Revert "[clang][dataflow] Analyze calls to in-TU functions"
This reverts commit fa2b83d07ecab3b24b4c5ee2e7dc4b6bbc895317.
|
#
fa2b83d0 |
| 26-Jul-2022 |
Sam Estep <sam@samestep.com> |
[clang][dataflow] Analyze calls to in-TU functions
Depends On D130305
This patch adds initial support for context-sensitive analysis of simple functions whose definition is available in the translation unit, guarded by the `ContextSensitive` flag in the new `TransferOptions` struct. When this option is true, the `VisitCallExpr` case in the builtin transfer function has a fallthrough case which checks for a direct callee with a body. In that case, it constructs a CFG from that callee body, uses the new `pushCall` method on the `Environment` to make an environment to analyze the callee, and then calls `runDataflowAnalysis` with a `NoopAnalysis` (disabling context-sensitive analysis on that sub-analysis, to avoid problems with recursion). After the sub-analysis completes, the `Environment` from its exit block is simply assigned back to the environment at the callsite.
The `pushCall` method (which currently only supports non-method functions with some restrictions) first calls `initGlobalVars`, then maps the `SourceLocation`s for all the parameters to the existing source locations for the corresponding arguments from the callsite.
This patch adds a few tests to check that this context-sensitive analysis works on simple functions. More sophisticated functionality will be added later; the most important next step is to explicitly model context in some fields of the `DataflowAnalysisContext` class, as mentioned in a `TODO` comment in the `pushCall` implementation.
Reviewed By: ymandel, xazax.hun
Differential Revision: https://reviews.llvm.org/D130306
|