[cfe-dev] Cross Translational Unit Analysis in Clang Static Analyzer

Anna Zaks via cfe-dev cfe-dev at lists.llvm.org
Fri Apr 7 15:04:14 PDT 2017


Hi Daniel,

Thank you for sending the patch! While I think that doing whole project analysis via “inlining” is not a scalable solution, this prototype could be useful for the community to experiment with. It can also serve as a basis for other two-stage analyses, where we collect some data about functions in the first pass and use it in the second pass.

A side benefit is that this direction exercises the ASTImporter and would benefit other uses of it such as lldb.

I am sure there will be a few comments about the patch itself and it’s important to have the workflow integrated into scan-build, which is our user facing tool.

For those interested in the topic, I recommend watching Gabor’s talk at LLVM Euro 2017 once the video is available:
http://llvm.org/devmtg/2017-03//2017/02/20/accepted-sessions.html#7

Thank you!
Anna
> On Mar 31, 2017, at 8:28 AM, Dániel Krupp via cfe-dev <cfe-dev at lists.llvm.org> wrote:
> 
> Hi All,
>  
> at the EuroLLVM’17 conference we presented our results about a new analysis mode in clang static analyzer: Cross Translational Unit analysis.
> See patch https://reviews.llvm.org/D30691
> which is based on the work of A. Sidorin et al. http://lists.llvm.org/pipermail/cfe-dev/2015-October/045730.html, but without function summaries and updated to the newest Clang.
>  
> The CTU mode allows the analyzer to “inline” function calls that are defined in another TU than the one currently analyzed.
> So it makes it possible to find bugs that span multiple source files.
> Without this patch the static analyzer engine, when it meets an external function call,
> cannot reason about the return value of the function (unknown), and the pointed-to values and references passed to the function as parameters are invalidated.
>  
> You can find a full patched clang 4.0 (use it with llvm commit 01609a325b5f85d88e3ab5c7d470409092436cb2)
> https://github.com/dkrupp/clang/tree/ctu-master
>  
> We have run the analysis on some reasonably-sized (ffmpeg, curl, vim, openssl, postgresql) open source C projects and found many additional true positive reports compared to the traditional single TU mode in all projects.
> This indicates that this feature would give many new results on any project.
>  
> We measured the heap usage, the analysis time and the number of new findings.
> You can find the detailed comparison results here:
> http://cc.elte.hu/clang-ctu/
> In summary, the number of reported bugs is ~1.5-5x the original single TU analysis, at the cost of 1.5-5x higher analysis time and 1.5-5x max heap usage (roughly in proportion to the increase in the number of reported faults).
>  
> The design concept is described briefly in this document: http://cc.elte.hu/clang-ctu/eurollvm17/abstract.pdf
>  
> If you would like to try this analysis mode on your project, please find the description of the 2 new additional analyzer scripts here:
> https://github.com/dkrupp/clang/blob/ctu-master/tools/xtu-build-new/readme.md
>  
> We would be happy to hear your opinion and experiences with this feature and would appreciate your help in reviewing the patch.
>  
> Thanks & Regards,
> Daniel
>  
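The two limitations Daniel describes (an external call's return value is unknown, and the pointees of arguments passed to it are invalidated) are easiest to see with a concrete cross-TU defect. The following is an added illustration written for this thread, not code from the D30691 patch or the dkrupp/clang tree; the file names, function names and table contents are constructed for the example. Both halves are placed in one file so it compiles stand-alone, but the comments mark which part is meant to live in a separate translation unit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* --- "TU B": imagine this lives in table.c ----------------------------- */

/* Returns a pointer to the first element equal to key, or NULL if absent.
 * The NULL-returning path is only visible to an analyzer that can see
 * this body, which in single-TU mode it cannot. */
int *find_entry(int *table, size_t n, int key) {
    for (size_t i = 0; i < n; i++)
        if (table[i] == key)
            return &table[i];
    return NULL;
}

/* Stores strlen(s) in *out and returns 0; returns -1 and leaves *out
 * untouched when s is NULL. */
int get_length(const char *s, int *out) {
    if (s == NULL)
        return -1;
    *out = (int)strlen(s);
    return 0;
}

/* --- "TU A": imagine this lives in main.c ------------------------------ */

/* Defect 1: dereferences the result without a NULL check. With only TU A
 * in view, find_entry is an opaque external call whose return value is
 * "unknown", so no NULL-dereference warning can be justified. With the
 * callee inlined across TUs, the analyzer can follow the "key absent"
 * path and report the dereference of NULL. */
int entry_value_unchecked(int *table, size_t n, int key) {
    int *p = find_entry(table, n, key);
    return *p;
}

/* Hardened form: handles the NULL path explicitly. */
int entry_value_checked(int *table, size_t n, int key) {
    int *p = find_entry(table, n, key);
    return p ? *p : -1;
}

/* Defect 2: reads an out-parameter the callee only conditionally writes.
 * In single-TU mode the analyzer must assume the external call wrote
 * *len (the pointee is invalidated), so the read looks initialised.
 * With the callee visible it can see the early-return path on which
 * len is never written. */
int length_unchecked(const char *s) {
    int len;
    get_length(s, &len);
    return len;
}

/* Hardened form: trusts the out-parameter only after checking status. */
int length_or_zero(const char *s) {
    int len = 0;
    if (get_length(s, &len) != 0)
        return 0;
    return len;
}

int main(void) {
    int table[] = {10, 20, 30};
    printf("%d\n", entry_value_checked(table, 3, 20)); /* 20 */
    printf("%d\n", entry_value_checked(table, 3, 99)); /* -1 */
    printf("%d\n", length_or_zero("ctu"));             /* 3 */
    printf("%d\n", length_or_zero(NULL));              /* 0 */
    return 0;
}
```

Only the checked variants are exercised in main; the unchecked ones exist to show the shape of a defect that depends on the body of a function defined elsewhere, which is exactly the class of finding the CTU mode is meant to surface and the single-TU engine has to stay silent on.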