[cfe-dev] [RFC] Adding lifetime analysis to clang
George Karpenkov via cfe-dev
cfe-dev at lists.llvm.org
Mon Mar 4 10:08:42 PST 2019
> I do not agree. LLVM has good coverage and tests are regularly run with
sanitizers on.
I'm not entirely convinced: coverage is only line-based and does not cover
all executions,
and e.g. fuzzers still regularly find new bugs.
But in any case it should be easy to find other projects which have more
true positives, right?
On Fri, Mar 1, 2019 at 5:03 AM Manuel Klimek <klimek at google.com> wrote:
>
>
> On Fri, Mar 1, 2019 at 1:49 PM Gábor Horváth <xazax.hun at gmail.com> wrote:
>
>>
>>
>> On Fri, 1 Mar 2019 at 12:54, Manuel Klimek <klimek at google.com> wrote:
>>
>>> (correcting dmitri's email address)
>>>
>>> On Fri, Mar 1, 2019 at 12:24 PM Gábor Horváth <xazax.hun at gmail.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Fri, 1 Mar 2019 at 12:13, Manuel Klimek <klimek at google.com> wrote:
>>>>
>>>>> On Fri, Mar 1, 2019 at 12:10 PM Manuel Klimek <klimek at google.com>
>>>>> wrote:
>>>>>
>>>>>> -apple George + google George to prevent bounces :)
>>>>>>
>>>>>> On Fri, Mar 1, 2019 at 12:06 PM Manuel Klimek <klimek at google.com>
>>>>>> wrote:
>>>>>>
>>>>>>> On Fri, Mar 1, 2019 at 11:51 AM Gábor Horváth <xazax.hun at gmail.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi Manuel,
>>>>>>>>
>>>>>>>> On Fri, 30 Nov 2018 at 12:04, Manuel Klimek <klimek at google.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Fri, Nov 30, 2018 at 12:00 PM Gábor Horváth <
>>>>>>>>> xazax.hun at gmail.com> wrote:
>>>>>>>>>
>>>>>>>>>> Unfortunately, we do not have real world experience on a large
>>>>>>>>>> codebase for the following reasons:
>>>>>>>>>> * The implementation we have does not support annotations yet,
>>>>>>>>>> and large projects are likely to contain exceptions to the default rules
>>>>>>>>>> (even if only a few)
>>>>>>>>>> * The analysis has an expected coding style, e.g. it does not
>>>>>>>>>> reason about arithmetic on raw pointers
>>>>>>>>>>
>>>>>>>>>> We did run it on some projects like LLVM and there were a lot of
>>>>>>>>>> noise mainly due to the unsupported language features like pointer
>>>>>>>>>> arithmetic.
>>>>>>>>>> The rest of the false positives were mostly due to the basic
>>>>>>>>>> assumption of the analysis that every path is feasible.
>>>>>>>>>> We did find some true positives with a similar analysis looking
>>>>>>>>>> for use after moves in LLVM. Those true positives were redundant
>>>>>>>>>> std::forward calls that are not going to cause any runtime error but still
>>>>>>>>>> removing them would make the code cleaner and less likely to misbehave in
>>>>>>>>>> the future. See:
>>>>>>>>>> https://github.com/llvm-mirror/llvm/blob/master/include/llvm/Support/Error.h#L894
>>>>>>>>>> (The same arguments forwarded multiple times in a loop. Since the callee
>>>>>>>>>> never actually moves the arguments we will not end up using a moved from
>>>>>>>>>> object. But if we never move the argument, why would we use std::forward in
>>>>>>>>>> the first place?)
>>>>>>>>>>
>>>>>>>>>> But even if the cfg-based lifetime analysis end up being a coding
>>>>>>>>>> style specific check, the rest of the (cfg-less) clang warnings would
>>>>>>>>>> become much more powerful after type categories are upstreamed. They could
>>>>>>>>>> catch a lot of errors without having any false positives by default. Thus,
>>>>>>>>>> I do see the value going forward, even if we do not have much real world
>>>>>>>>>> experience yet.
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Could you run the restricted checks on llvm?
>>>>>>>>>
>>>>>>>>
>>>>>>>> Sorry for the delay, but finally I found some time to actually
>>>>>>>> implement the CFG-less checks and run them on LLVM. The quick prototype is
>>>>>>>> available here:
>>>>>>>> https://github.com/mgehre/clang/commits/lifetime-warning-typecategories
>>>>>>>> Literally, all of the false positives I encountered after running
>>>>>>>> on LLVM and Clang were due to llvm::ValueHandleBase being miscategorized as
>>>>>>>> an owner (because of its user-defined destructor).
>>>>>>>> So annotating this class would render the LLVM codebase clean of
>>>>>>>> these new lifetime errors. Do you think this is a strong enough evidence to
>>>>>>>> start upstreaming the type categories or do you think we should do
>>>>>>>> additional measurements?
>>>>>>>>
>>>>>>>
>>>>>>> I'd like to get Richard's opinion on this.
>>>>>>>
>>>>>>
>>>>> So just to make sure I understand correctly:
>>>>> The result is that in LLVM we have:
>>>>> - 1 false positive root cause (causing X false positives)
>>>>> - 0 true positives
>>>>> ?
>>>>>
>>>>>
>>>>
>>>> Correct.
>>>>
>>>
>>> Unfortunately that doesn't sound like a really strong argument in favor
>>> - if you have something that works cleanly against clang trunk I can try to
>>> find somebody willing to try it on a bit of our internal codebase, but I
>>> can't promise anything.
>>>
>>> Basically what I'd be looking for is some evidence that the false
>>> positive ratio is not too high, and for that we'd need at least a codebase
>>> containing true positives.
>>>
>>
>> I do not agree.
>>
>
> Sorry if what I said came over stronger than I intended it to - with "not
> a strong argument in favor" I didn't mean that it's an argument against,
> just that it doesn't seem like overwhelming data for.
>
>
>> LLVM has good coverage and tests are regularly run with sanitizers on.
>> Thus, I would except most of the lifetime related issues being caught by
>> dynamic analysis in our case. I do remember, however, such problems to slip
>> through the reviews and break the build bots occasionally.
>>
>
> Would be interesting to have some evidence / examples for this that this
> check would have caught - I definitely agree that lifetime issues fall
> through the cracks, the question is whether those actually lead to true
> positives, or slip through the simple check.
>
>
>> I think, the value of those warnings are to catch those errors early,
>> saving time for the developers. So even though if it is unlikely to find
>> true positives in sanitizer clean builds for certain projects I still see
>> the value. Note that, this is true for most of the similar warnings in
>> clang. LLVM (and probably most other projects) is clean of
>> -Wreturn-stack-address, still we do not question whether that warning is
>> useful.
>>
>
> Agreed. I'm really mainly looking for evidence for the decision. I'm not
> saying that evidence doesn't exist, but that we have to make sure to find
> it.
>
>
>>
>>
>>
>>>
>>>
>>>>
>>>>
>>>>>
>>>>>>>
>>>>>>>> I also plan to look up some lifetime fixes/reverts in the commit
>>>>>>>> history to check if some of those problems would have been caught by these
>>>>>>>> warnings. I will share the results in a EuroLLVM technical talk.
>>>>>>>>
>>>>>>>> P.S.:
>>>>>>>> Does anybody have a good idea how to get a list of buildbot
>>>>>>>> breaking commits where the reason was lifetime related (other than grepping
>>>>>>>> git history)?
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Gábor
>>>>>>>>
>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> Regards,
>>>>>>>>>> Gabor
>>>>>>>>>>
>>>>>>>>>> On Thu, 29 Nov 2018 at 20:58, George Karpenkov <
>>>>>>>>>> ekarpenkov at apple.com> wrote:
>>>>>>>>>>
>>>>>>>>>>> Thanks, the idea looks great!
>>>>>>>>>>>
>>>>>>>>>>> The heuristic described in a talk on matching returned and
>>>>>>>>>>> accepted references looked fragile to me initially,
>>>>>>>>>>> but after a bit of time I could not find obvious and common
>>>>>>>>>>> counterexamples which would confuse it.
>>>>>>>>>>>
>>>>>>>>>>> Has the evaluation been done on any large project? E.g. LLVM
>>>>>>>>>>> itself, Chrome, Webkit, or any other large C++ codebase?
>>>>>>>>>>> What is the false positive rate? What is the annotation burden
>>>>>>>>>>> to suppress those?
>>>>>>>>>>> How many useful bugs were found?
>>>>>>>>>>>
>>>>>>>>>>> I’m also very happy that more dataflow analyses are being
>>>>>>>>>>> implemented in Clang,
>>>>>>>>>>> and I could help with reviews (though obviously I’m not the code
>>>>>>>>>>> owner for most of the components).
>>>>>>>>>>>
>>>>>>>>>>> On Nov 29, 2018, at 8:02 AM, Gábor Horváth via cfe-dev <
>>>>>>>>>>> cfe-dev at lists.llvm.org> wrote:
>>>>>>>>>>>
>>>>>>>>>>> Hi!
>>>>>>>>>>>
>>>>>>>>>>> This is a proposal to implement Lifetime Analysis [1] defined by
>>>>>>>>>>> Herb Sutter in Clang.
>>>>>>>>>>> Summary from the paper:
>>>>>>>>>>> “This analysis shows how to efficiently diagnose many common
>>>>>>>>>>> cases of dangling (use-after-free) in C++ code, using only local analysis
>>>>>>>>>>> to report them as deterministic readable errors at compile time. The
>>>>>>>>>>> approach is to identify variables that are of generalized “Owner” types
>>>>>>>>>>> (e.g., smart pointers, containers, string) and “Pointer” types (e.g., int*,
>>>>>>>>>>> string_view, span, iterators, and ranges), and then use a local simple
>>>>>>>>>>> acyclic control flow graph (ACFG) analysis to track what each Pointer
>>>>>>>>>>> points to and identify when modifying an Owner invalidates a Pointer. The
>>>>>>>>>>> analysis leverages C++’s existing strong notions of scopes, object
>>>>>>>>>>> lifetimes, and const that carry rich information already available in
>>>>>>>>>>> reasonably modern C++ source code. Interestingly, it appears that with
>>>>>>>>>>> minor extension this analysis can also detect uses of local moved-from
>>>>>>>>>>> variables (use-after-move), which are a form of dangling.”
>>>>>>>>>>> More details can be found in the paper [1] or in the CppCon
>>>>>>>>>>> keynote [3].
>>>>>>>>>>>
>>>>>>>>>>> Matthias Gehre and myself had been working on a prototype in
>>>>>>>>>>> Clang [2]. The changes are rather large, so we are planning to take an
>>>>>>>>>>> incremental approach to upstreaming the features should the community want
>>>>>>>>>>> to see this upstream.
>>>>>>>>>>>
>>>>>>>>>>> *Plans for upstreaming*
>>>>>>>>>>>
>>>>>>>>>>> 1. Upstream Type Categorization
>>>>>>>>>>>
>>>>>>>>>>> Clang already performs statement-local lifetime analyses that
>>>>>>>>>>> would benefit from type categorization even before adding any other
>>>>>>>>>>> analysis.
>>>>>>>>>>>
>>>>>>>>>>> This includes annotating types as Owners and Pointers, and
>>>>>>>>>>> automatically inferring Owner or Point without annotation to minimize
>>>>>>>>>>> annotation burden.
>>>>>>>>>>>
>>>>>>>>>>> Consider the following code example:
>>>>>>>>>>>
>>>>>>>>>>> std::reference_wrapper<const int> get_data() {
>>>>>>>>>>> const int i = 3;
>>>>>>>>>>> return {i};
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> Unfortunately, today compilers do not warn on this case of
>>>>>>>>>>> returning a dangling reference. They do warn if we return a raw pointer or
>>>>>>>>>>> reference, but the compiler does not know that std::reference_wrapper also
>>>>>>>>>>> is a non-owning indirection. In the Lifetime analysis, this is diagnosed
>>>>>>>>>>> because std::reference_wrapper is recognized as a Pointer type.
>>>>>>>>>>>
>>>>>>>>>>> As a first step we would upstream the type categorization part
>>>>>>>>>>> of the analysis and make some clang warnings optionally use it. We would
>>>>>>>>>>> also upstream a set of annotations to give the users a way to fix potential
>>>>>>>>>>> false positives due to miscategorization. (This should be very rare
>>>>>>>>>>> according to our experience so far). By default, we could constrain the
>>>>>>>>>>> categorization for std types, whose semantics are known.
>>>>>>>>>>>
>>>>>>>>>>> 2. Extensions of existing CFG-less analyses
>>>>>>>>>>>
>>>>>>>>>>> 2a. Initialization from temporaries
>>>>>>>>>>> The goal is to detect Pointers that dangle on initialization,
>>>>>>>>>>> such as
>>>>>>>>>>> std::string_view sv = “test”s;
>>>>>>>>>>> By restricting the analysis to single statements, it has a low
>>>>>>>>>>> false-positive rate and can be done without building a CFG (i.e. faster).
>>>>>>>>>>>
>>>>>>>>>>> 2b. Return of locals
>>>>>>>>>>> The goal is to detect returning Pointers to local variables, e.g.
>>>>>>>>>>> std::reference_wrapper<const int> get_data() {
>>>>>>>>>>> const int i = 3;
>>>>>>>>>>> return {i};
>>>>>>>>>>> }
>>>>>>>>>>> Similar to 2a also restricted to single statement.
>>>>>>>>>>>
>>>>>>>>>>> 2c. Member pointer that dangles once construction is complete
>>>>>>>>>>> struct X {
>>>>>>>>>>> std::string_view sv;
>>>>>>>>>>> X() : sv("test"s) {} // warning: string_view member bound to
>>>>>>>>>>> string temporary whose lifetime ends within the constructor
>>>>>>>>>>> };
>>>>>>>>>>>
>>>>>>>>>>> 2d. New of a Pointer that dangles after the end of the
>>>>>>>>>>> full-expression
>>>>>>>>>>> new string_view("test"s) // warning: dynamically-allocated
>>>>>>>>>>> string_view refers to string whose lifetime ends at the end of the
>>>>>>>>>>> full-expression
>>>>>>>>>>>
>>>>>>>>>>> 3. Intra-function analysis across basic blocks, excluding
>>>>>>>>>>> function call expressions
>>>>>>>>>>> Propagate point-to sets of Pointers across branches/loops
>>>>>>>>>>> intra-function, e.g. analysing
>>>>>>>>>>>
>>>>>>>>>>> int* p = &i;
>>>>>>>>>>> if(condition)
>>>>>>>>>>> p = nullptr;
>>>>>>>>>>> *p; // ERROR: p is possibly null
>>>>>>>>>>>
>>>>>>>>>>> We have some CFG patches and some code traversing the CFG and
>>>>>>>>>>> propagating the analysis state. With the type categories already in place,
>>>>>>>>>>> this patch should be smaller. We could split these patches further by
>>>>>>>>>>> implementing null tracking in a separate patch.
>>>>>>>>>>>
>>>>>>>>>>> 4. Function calls
>>>>>>>>>>>
>>>>>>>>>>> auto find(const string& needle, const string& haystack) ->
>>>>>>>>>>> string_view [[gsl::lifetime(haystack)]];
>>>>>>>>>>>
>>>>>>>>>>> string_view sv = find(“needle”, haystack);
>>>>>>>>>>> sv[0]; // OK
>>>>>>>>>>> string_view sv = find(needle, “temporaryhaystack”);
>>>>>>>>>>> sv[0]; // ERROR: sv is dangling
>>>>>>>>>>>
>>>>>>>>>>> This includes the following subparts.
>>>>>>>>>>>
>>>>>>>>>>> 4a. Precondition checks
>>>>>>>>>>> Check that the psets of the arguments are valid at call site
>>>>>>>>>>> according to the lifetime annotations of the callee.
>>>>>>>>>>>
>>>>>>>>>>> 4b. Postcondition checks
>>>>>>>>>>> Check that the psets returned from a function adhere to its
>>>>>>>>>>> advertised return/output psets.
>>>>>>>>>>> Rigorous checking of not just the function arguments but also
>>>>>>>>>>> the returned values is crucial part of the analysis.
>>>>>>>>>>>
>>>>>>>>>>> 4c. Lifetimes annotations
>>>>>>>>>>>
>>>>>>>>>>> The analysis gets pretty usable at this point. Most of the time
>>>>>>>>>>> the user does not need any annotations, but it is crucial to have them
>>>>>>>>>>> before a project can adapt it. For example, the user will occasionally want
>>>>>>>>>>> to explicitly state that a member function is “const as far as Lifetime is
>>>>>>>>>>> concerned” even though the function itself is not actually declared const
>>>>>>>>>>> (e.g., vector::operator[] does not invalidate any Pointers, such as
>>>>>>>>>>> iterators or raw pointers).
>>>>>>>>>>>
>>>>>>>>>>> 5. Implementing use after move analysis and exception support
>>>>>>>>>>>
>>>>>>>>>>> These parts are not implemented yet in our prototype, but they
>>>>>>>>>>> will be useful additions for the analysis.
>>>>>>>>>>>
>>>>>>>>>>> *Questions*
>>>>>>>>>>>
>>>>>>>>>>> Does that make sense? What is the criteria for this work to be
>>>>>>>>>>> upstreamed? Who is willing to participate in reviewing the patches?
>>>>>>>>>>>
>>>>>>>>>>> Thanks in advance,
>>>>>>>>>>> Gabor, Matthias, and Herb
>>>>>>>>>>>
>>>>>>>>>>> [1]
>>>>>>>>>>> https://github.com/isocpp/CppCoreGuidelines/blob/master/docs/Lifetime.pdf
>>>>>>>>>>> [2] https://github.com/mgehre/clang
>>>>>>>>>>> [3] https://www.youtube.com/watch?v=80BZxujhY38
>>>>>>>>>>> [4] https://godbolt.org/z/90puuu
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> cfe-dev mailing list
>>>>>>>>>>> cfe-dev at lists.llvm.org
>>>>>>>>>>> http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-dev
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/cfe-dev/attachments/20190304/a70332f3/attachment.html>
More information about the cfe-dev
mailing list