[PATCH] D12358: [Analyzer] Handling constant bound loops

Sean Eveson via cfe-commits cfe-commits at lists.llvm.org
Thu Aug 27 08:57:04 PDT 2015 

seaneveson added a comment.

In http://reviews.llvm.org/D12358#233983, @zaks.anna wrote:

> This will leave us in a state that is wrong and will likely lead to false positives and inconsistencies, avoiding which is extremely important.


I accept that my current patch is not a comprehensive solution to the problem and that it may introduce false positives, however I do think it is an improvement, where it is preferable to have false positives over doing no analysis after the loop.

In http://reviews.llvm.org/D12358#234016, @krememek wrote:

> My recommendation is that we still unroll loops a couple times, getting full precision, and then employ a widening technique like the ones being discussed to allow the last loop iteration to act as the last one, but as a conservative over-approximation.


In the patch, constant bound loops are unrolled with the “max-loop” setting (default of 4), (i = 0, 1, 2, 99) rather than (i = 0, 1, 2, 3); as such, we analyze the same number of paths through the loop body.

In my experience, constant bound loops are normally used to make simple modifications to fixed length collections of data, I think the behaviour of the majority of these loops will be represented by the first and last iteration.

In http://reviews.llvm.org/D12358#234016, @krememek wrote:

> Another, more principled hack, would be to look at all DeclRefExprs within a loop and invalidate all memory in the cone-of-influence of those variables (i.e., values they point to, etc.), but that's it.


Could this be done easily with a visitor and the existing invalidate methods? In cases where the anaylzer is unsure which values might be modified by the loop, it could fall back to invalidating all the values in the state.

In http://reviews.llvm.org/D12358#234016, @krememek wrote:

> Then there is the problem of called functions within the loop, as they won't be analyzed. Those could interfere with the ability of a checker to do its job.
>
> My recommendation is that we still unroll loops a couple times, getting full precision, and then employ a widening technique like the ones being discussed to allow the last loop iteration to act as the last one, but as a conservative over-approximation.


Wouldn’t widening before the last iteration result in more paths being explored than additional unrolling? i.e. as a result of values in conditions being unknown.

Regards,

Sean Eveson
SN Systems - Sony Computer Entertainment Group


http://reviews.llvm.org/D12358

More information about the cfe-commits mailing list