[cfe-dev] [analyzer] [GSoC 2019] Apply the Clang Static Analyzer to LLVM-based projects drafts

Artem Dergachev via cfe-dev cfe-dev at lists.llvm.org
Thu Apr 4 14:49:02 PDT 2019 

Before i jump into this: +Ravi because he was also actively expressing 
interest in this project :)

On 4/4/19 2:26 PM, Csaba Dabis wrote:
> Hey Clang developers!
>
> I would like to participate in Google Summer of Code this year. I am 
> in my fourth semester BSc student of Computer Science at Eotvos Lorand 
> University, Hungary. I have started to learn C++ parallel with Clang a 
> year and a half ago. Also that was the first time using Linux, Git, 
> VIM…. I love automation so this engine and tools based on Clang like 
> scan-build, CodeChecker, CodeCompass.
>
> I have picked the following project: 
> http://llvm.org/OpenProjects.html#analyze-llvm
> Here is the copy of the problems and their solutions from my 
> near-finished proposal:
>
> Goals
> Eliminate 90% of the false positive findings in LLVM by teaching C++ 
> to the Static Analyzer. Improve the existing debugging facilities so 
> it would be easier to investigate errors. Report and fix the 
> easy-to-fix true positives in LLVM. Report the difficult-to-fix true 
> positives in LLVM so other developers with better experience in that 
> certain area could solve those. Swift is another heavy project as an 
> example to see how an LLVM-related project reports are changing. 
> Measure the quality of the changes in Swift where no direct false 
> positive elimination happen. With these improvements let the LLVM and 
> related project contributors use the Static Analyzer sub-project 
> without any overhead in a continuous integration workflow.
>
> Overview of the debugging facilities
> The Clang Static Analyzer builds the exploded graph which consists of 
> program states as nodes. During the symbolic execution each node 
> represents everything what we know about the program at a certain 
> location.
>
> ExplodedGraph: We could investigate the graph with graphviz as an .SVN 
> file and using Google Chrome. The graph can be so enormous so that 
> Chrome crashes or even cannot load it. If you are able to load it, 
> there is too much information and it is very difficult to use. 
> Alternatively you could use LLDB debugger but because of the such a 
> complex background it is more difficult to gather information which 
> function causes the false positive.
>
> Debug checkers: debug.DumpCalls checker truly writes out every 
> function call, which is too much and too difficult to use. Expression 
> inspection checks[1] are useful for get a feeling what could go wrong 
> by writing out a certain program state, but it cannot be used to 
> compare states due to the graph structure.
>
> Proposed solutions for the debugging facilities
> ExplodedGraph: Create an .HTML frontend for the .SVG graph 
> representation. It could modify the full graph to only show 
> differences between states and it would recolour the current 
> representation for better readability.
>
> Debug checkers: Create an option for debug.DumpCalls checker to show 
> only a certain variable and if its value is unknown at the location of 
> an error, point out when it became unknown.
>
> Overview of the false positives
> My playground was the LLVM 8.0.0 bug-free release (20 March 2019). 
> With the basic scan-build command 828 bug reports found. Because of 
> our precise review system they are most likely false positive 
> findings, where the half is ‘Memory leak’ (229) and ‘Called C++ object 
> pointer is null’ (217) errors:
> - ‘Memory leak’: Half of the reports (118/229) appears in Error.h on 
> the same function call in different variations.
> - ‘Called C++ object pointer is null’: Third of the reports happen on 
> placement new operations.
>
> Proposed solutions for the false positives
> One could say creating more assertions could remove the errors and 
> document the code better. Let think about the opposite: removing every 
> assertion like ‘assert()’ and ‘LLVM_DEBUG()’[2] could show the 
> weakness of the Static Analyzer. We cannot force our users to double 
> or triple the number of assertions (even it would be very useful). 
> With that, and the new debug-facilities the door will be open to 
> mitigate the false positives.
>
> It is impossible to measure how long does it take to eliminate a false 
> positive. If we think about sets of false positives as the two most 
> common factor is already known, we could define more sets. We have to 
> start the work from the highest set. The workflow is the following: 
> pick the most common false positive, if it is necessary improve the 
> debugging facilities, mitigate the error, document that to LLVM 
> Bugzilla, inject assertions to problematic code, repeat.
>
> -------------
> [1] ExprInspection checks: 
> https://clang.llvm.org/docs/analyzer/developer-docs/DebugChecks.html#exprinspection-checks
> [2] LLVM_DEBUG(): 
> http://llvm.org/docs/ProgrammersManual.html#the-llvm-debug-macro-and-debug-option 
>
> -------------
>
> Any feedback would be really appreciated.
>
> Thanks you,
> Csaba.
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20190404/7e7efab6/attachment.html>

More information about the cfe-dev mailing list