blob: 01e73cec7ff0be4aa32219cc12218ec6581bb77d [file] [log] [blame]
Jordan Rose0564c752012-08-17 02:11:35 +00001Inlining
2========
3
Jordan Rose219c9d02012-08-31 17:06:49 +00004There are several options that control which calls the analyzer will consider for
Anna Zaks70aa5312013-01-30 19:12:26 +00005inlining. The major one is -analyzer-config ipa:
Jordan Rose219c9d02012-08-31 17:06:49 +00006
Anna Zaks70aa5312013-01-30 19:12:26 +00007 -analyzer-config ipa=none - All inlining is disabled. This is the only mode
8 available in LLVM 3.1 and earlier and in Xcode 4.3 and earlier.
Ted Kremenek98b771e2012-08-22 01:20:05 +00009
Anna Zaks70aa5312013-01-30 19:12:26 +000010 -analyzer-config ipa=basic-inlining - Turns on inlining for C functions, C++
11 static member functions, and blocks -- essentially, the calls that behave
12 like simple C function calls. This is essentially the mode used in
13 Xcode 4.4.
Ted Kremenek98b771e2012-08-22 01:20:05 +000014
Anna Zaks70aa5312013-01-30 19:12:26 +000015 -analyzer-config ipa=inlining - Turns on inlining when we can confidently find
16 the function/method body corresponding to the call. (C functions, static
Ted Kremenek98b771e2012-08-22 01:20:05 +000017 functions, devirtualized C++ methods, Objective-C class methods, Objective-C
18 instance methods when ExprEngine is confident about the dynamic type of the
19 instance).
20
Anna Zaks70aa5312013-01-30 19:12:26 +000021 -analyzer-config ipa=dynamic - Inline instance methods for which the type is
Ted Kremenek98b771e2012-08-22 01:20:05 +000022 determined at runtime and we are not 100% sure that our type info is
23 correct. For virtual calls, inline the most plausible definition.
24
Anna Zaks70aa5312013-01-30 19:12:26 +000025 -analyzer-config ipa=dynamic-bifurcate - Same as -analyzer-config ipa=dynamic,
26 but the path is split. We inline on one branch and do not inline on the
27 other. This mode does not drop the coverage in cases when the parent class
28 has code that is only exercised when some of its methods are overridden.
Jordan Rose0564c752012-08-17 02:11:35 +000029
Anna Zaks70aa5312013-01-30 19:12:26 +000030Currently, -analyzer-config ipa=dynamic-bifurcate is the default mode.
Jordan Rose0564c752012-08-17 02:11:35 +000031
Anna Zaks70aa5312013-01-30 19:12:26 +000032While -analyzer-config ipa determines in general how aggressively the analyzer
33will try to inline functions, several additional options control which types of
34functions can inlined, in an all-or-nothing way. These options use the
35analyzer's configuration table, so they are all specified as follows:
Jordan Rose219c9d02012-08-31 17:06:49 +000036
Jordan Rosec6fcbf02012-09-10 21:54:24 +000037 -analyzer-config OPTION=VALUE
Jordan Rose219c9d02012-08-31 17:06:49 +000038
Jordan Rosec6fcbf02012-09-10 21:54:24 +000039### c++-inlining ###
40
41This option controls which C++ member functions may be inlined.
42
43 -analyzer-config c++-inlining=[none | methods | constructors | destructors]
Jordan Rose219c9d02012-08-31 17:06:49 +000044
45Each of these modes implies that all the previous member function kinds will be
46inlined as well; it doesn't make sense to inline destructors without inlining
47constructors, for example.
48
Jordan Rose2de3daa2013-04-04 23:10:29 +000049The default c++-inlining mode is 'destructors', meaning that all member
50functions with visible definitions will be considered for inlining. In some
51cases the analyzer may still choose not to inline the function.
52
53Note that under 'constructors', constructors for types with non-trivial
54destructors will not be inlined. Additionally, no C++ member functions will be
55inlined under -analyzer-config ipa=none or -analyzer-config ipa=basic-inlining,
56regardless of the setting of the c++-inlining mode.
Jordan Rose219c9d02012-08-31 17:06:49 +000057
Jordan Rosec6fcbf02012-09-10 21:54:24 +000058### c++-template-inlining ###
59
60This option controls whether C++ templated functions may be inlined.
61
62 -analyzer-config c++-template-inlining=[true | false]
63
64Currently, template functions are considered for inlining by default.
65
66The motivation behind this option is that very generic code can be a source
67of false positives, either by considering paths that the caller considers
68impossible (by some unstated precondition), or by inlining some but not all
69of a deep implementation of a function.
70
71### c++-stdlib-inlining ###
72
73This option controls whether functions from the C++ standard library, including
74methods of the container classes in the Standard Template Library, should be
75considered for inlining.
76
77 -analyzer-config c++-template-inlining=[true | false]
78
Jordan Rose2de3daa2013-04-04 23:10:29 +000079Currently, C++ standard library functions are considered for inlining by
80default.
Jordan Rosec6fcbf02012-09-10 21:54:24 +000081
82The standard library functions and the STL in particular are used ubiquitously
83enough that our tolerance for false positives is even lower here. A false
84positive due to poor modeling of the STL leads to a poor user experience, since
85most users would not be comfortable adding assertions to system headers in order
86to silence analyzer warnings.
87
Jordan Rose2de3daa2013-04-04 23:10:29 +000088### c++-container-inlining ###
89
90This option controls whether constructors and destructors of "container" types
91should be considered for inlining.
92
93 -analyzer-config c++-container-inlining=[true | false]
94
95Currently, these constructors and destructors are NOT considered for inlining
96by default.
97
98The current implementation of this setting checks whether a type has a member
99named 'iterator' or a member named 'begin'; these names are idiomatic in C++,
100with the latter specified in the C++11 standard. The analyzer currently does a
101fairly poor job of modeling certain data structure invariants of container-like
102objects. For example, these three expressions should be equivalent:
103
104 std::distance(c.begin(), c.end()) == 0
105 c.begin() == c.end()
106 c.empty())
107
108Many of these issues are avoided if containers always have unknown, symbolic
109state, which is what happens when their constructors are treated as opaque.
110In the future, we may decide specific containers are "safe" to model through
111inlining, or choose to model them directly using checkers instead.
112
Jordan Rose219c9d02012-08-31 17:06:49 +0000113
Jordan Rose0564c752012-08-17 02:11:35 +0000114Basics of Implementation
115-----------------------
116
Ted Kremenek98b771e2012-08-22 01:20:05 +0000117The low-level mechanism of inlining a function is handled in
118ExprEngine::inlineCall and ExprEngine::processCallExit.
Jordan Rose0564c752012-08-17 02:11:35 +0000119
Ted Kremenek98b771e2012-08-22 01:20:05 +0000120If the conditions are right for inlining, a CallEnter node is created and added
121to the analysis work list. The CallEnter node marks the change to a new
122LocationContext representing the called function, and its state includes the
123contents of the new stack frame. When the CallEnter node is actually processed,
124its single successor will be a edge to the first CFG block in the function.
125
126Exiting an inlined function is a bit more work, fortunately broken up into
127reasonable steps:
128
1291. The CoreEngine realizes we're at the end of an inlined call and generates a
130 CallExitBegin node.
131
1322. ExprEngine takes over (in processCallExit) and finds the return value of the
133 function, if it has one. This is bound to the expression that triggered the
134 call. (In the case of calls without origin expressions, such as destructors,
135 this step is skipped.)
136
1373. Dead symbols and bindings are cleaned out from the state, including any local
138 bindings.
139
1404. A CallExitEnd node is generated, which marks the transition back to the
141 caller's LocationContext.
142
1435. Custom post-call checks are processed and the final nodes are pushed back
144 onto the work list, so that evaluation of the caller can continue.
Jordan Rose0564c752012-08-17 02:11:35 +0000145
146Retry Without Inlining
Ted Kremenek98b771e2012-08-22 01:20:05 +0000147----------------------
148
Jordan Rose40dd4d92012-08-22 17:13:27 +0000149In some cases, we would like to retry analysis without inlining a particular
Ted Kremenek98b771e2012-08-22 01:20:05 +0000150call.
151
Jordan Rose40dd4d92012-08-22 17:13:27 +0000152Currently, we use this technique to recover coverage in case we stop
Ted Kremenek98b771e2012-08-22 01:20:05 +0000153analyzing a path due to exceeding the maximum block count inside an inlined
154function.
155
156When this situation is detected, we walk up the path to find the first node
157before inlining was started and enqueue it on the WorkList with a special
158ReplayWithoutInlining bit added to it (ExprEngine::replayWithoutInlining). The
159path is then re-analyzed from that point without inlining that particular call.
160
161Deciding When to Inline
Jordan Rose0564c752012-08-17 02:11:35 +0000162-----------------------
163
Ted Kremenek98b771e2012-08-22 01:20:05 +0000164In general, the analyzer attempts to inline as much as possible, since it
165provides a better summary of what actually happens in the program. There are
166some cases, however, where the analyzer chooses not to inline:
Jordan Rose0564c752012-08-17 02:11:35 +0000167
Ted Kremenek98b771e2012-08-22 01:20:05 +0000168- If there is no definition available for the called function or method. In
169 this case, there is no opportunity to inline.
170
Jordan Rose40dd4d92012-08-22 17:13:27 +0000171- If the CFG cannot be constructed for a called function, or the liveness
Ted Kremenek98b771e2012-08-22 01:20:05 +0000172 cannot be computed. These are prerequisites for analyzing a function body,
173 with or without inlining.
174
175- If the LocationContext chain for a given ExplodedNode reaches a maximum cutoff
176 depth. This prevents unbounded analysis due to infinite recursion, but also
177 serves as a useful cutoff for performance reasons.
178
179- If the function is variadic. This is not a hard limitation, but an engineering
180 limitation.
181
182 Tracked by: <rdar://problem/12147064> Support inlining of variadic functions
183
Jordan Rose40dd4d92012-08-22 17:13:27 +0000184- In C++, constructors are not inlined unless the destructor call will be
185 processed by the ExprEngine. Thus, if the CFG was built without nodes for
186 implicit destructors, or if the destructors for the given object are not
Jordan Rose39fbb022012-08-27 18:39:16 +0000187 represented in the CFG, the constructor will not be inlined. (As an exception,
188 constructors for objects with trivial constructors can still be inlined.)
Jordan Rose40dd4d92012-08-22 17:13:27 +0000189 See "C++ Caveats" below.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000190
Jordan Rose39fbb022012-08-27 18:39:16 +0000191- In C++, ExprEngine does not inline custom implementations of operator 'new'
Jordan Rose561919e2012-08-27 18:39:22 +0000192 or operator 'delete', nor does it inline the constructors and destructors
193 associated with these. See "C++ Caveats" below.
Jordan Rose39fbb022012-08-27 18:39:16 +0000194
Ted Kremenek98b771e2012-08-22 01:20:05 +0000195- Calls resulting in "dynamic dispatch" are specially handled. See more below.
196
Jordan Rose40dd4d92012-08-22 17:13:27 +0000197- The FunctionSummaries map stores additional information about declarations,
198 some of which is collected at runtime based on previous analyses.
199 We do not inline functions which were not profitable to inline in a different
200 context (for example, if the maximum block count was exceeded; see
201 "Retry Without Inlining").
Jordan Rose0564c752012-08-17 02:11:35 +0000202
203
Ted Kremenek98b771e2012-08-22 01:20:05 +0000204Dynamic Calls and Devirtualization
Jordan Rose0564c752012-08-17 02:11:35 +0000205----------------------------------
Jordan Rose0564c752012-08-17 02:11:35 +0000206
Ted Kremenek98b771e2012-08-22 01:20:05 +0000207"Dynamic" calls are those that are resolved at runtime, such as C++ virtual
208method calls and Objective-C message sends. Due to the path-sensitive nature of
Jordan Rose40dd4d92012-08-22 17:13:27 +0000209the analysis, the analyzer may be able to reason about the dynamic type of the
Ted Kremenek98b771e2012-08-22 01:20:05 +0000210object whose method is being called and thus "devirtualize" the call.
Jordan Rose0564c752012-08-17 02:11:35 +0000211
Ted Kremenek98b771e2012-08-22 01:20:05 +0000212This path-sensitive devirtualization occurs when the analyzer can determine what
213method would actually be called at runtime. This is possible when the type
Jordan Rose40dd4d92012-08-22 17:13:27 +0000214information is constrained enough for a simulated C++/Objective-C object that
215the analyzer can make such a decision.
Jordan Rose0564c752012-08-17 02:11:35 +0000216
Ted Kremenek98b771e2012-08-22 01:20:05 +0000217 == DynamicTypeInfo ==
Jordan Rose0564c752012-08-17 02:11:35 +0000218
Jordan Rose40dd4d92012-08-22 17:13:27 +0000219As the analyzer analyzes a path, it may accrue information to refine the
220knowledge about the type of an object. This can then be used to make better
221decisions about the target method of a call.
Jordan Rose0564c752012-08-17 02:11:35 +0000222
Ted Kremenek98b771e2012-08-22 01:20:05 +0000223Such type information is tracked as DynamicTypeInfo. This is path-sensitive
224data that is stored in ProgramState, which defines a mapping from MemRegions to
225an (optional) DynamicTypeInfo.
226
227If no DynamicTypeInfo has been explicitly set for a MemRegion, it will be lazily
228inferred from the region's type or associated symbol. Information from symbolic
229regions is weaker than from true typed regions.
230
231 EXAMPLE: A C++ object declared "A obj" is known to have the class 'A', but a
232 reference "A &ref" may dynamically be a subclass of 'A'.
233
234The DynamicTypePropagation checker gathers and propagates DynamicTypeInfo,
235updating it as information is observed along a path that can refine that type
236information for a region.
237
238 WARNING: Not all of the existing analyzer code has been retrofitted to use
239 DynamicTypeInfo, nor is it universally appropriate. In particular,
240 DynamicTypeInfo always applies to a region with all casts stripped
Jordan Rose40dd4d92012-08-22 17:13:27 +0000241 off, but sometimes the information provided by casts can be useful.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000242
243
Jordan Rose40dd4d92012-08-22 17:13:27 +0000244 == RuntimeDefinition ==
Ted Kremenek98b771e2012-08-22 01:20:05 +0000245
Jordan Rose40dd4d92012-08-22 17:13:27 +0000246The basis of devirtualization is CallEvent's getRuntimeDefinition() method,
247which returns a RuntimeDefinition object. When asked to provide a definition,
248the CallEvents for dynamic calls will use the DynamicTypeInfo in their
249ProgramState to attempt to devirtualize the call. In the case of no dynamic
250dispatch, or perfectly constrained devirtualization, the resulting
251RuntimeDefinition contains a Decl corresponding to the definition of the called
252function, and RuntimeDefinition::mayHaveOtherDefinitions will return FALSE.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000253
Jordan Rose40dd4d92012-08-22 17:13:27 +0000254In the case of dynamic dispatch where our information is not perfect, CallEvent
255can make a guess, but RuntimeDefinition::mayHaveOtherDefinitions will return
256TRUE. The RuntimeDefinition object will then also include a MemRegion
257corresponding to the object being called (i.e., the "receiver" in Objective-C
258parlance), which ExprEngine uses to decide whether or not the call should be
259inlined.
260
261 == Inlining Dynamic Calls ==
262
Anna Zaks70aa5312013-01-30 19:12:26 +0000263The -analyzer-config ipa option has five different modes: none, basic-inlining,
264inlining, dynamic, and dynamic-bifurcate. Under -analyzer-config ipa=dynamic,
265all dynamic calls are inlined, whether we are certain or not that this will
266actually be the definition used at runtime. Under -analyzer-config ipa=inlining,
267only "near-perfect" devirtualized calls are inlined*, and other dynamic calls
268are evaluated conservatively (as if no definition were available).
Ted Kremenek98b771e2012-08-22 01:20:05 +0000269
270* Currently, no Objective-C messages are not inlined under
Anna Zaks70aa5312013-01-30 19:12:26 +0000271 -analyzer-config ipa=inlining, even if we are reasonably confident of the type
272 of the receiver. We plan to enable this once we have tested our heuristics
273 more thoroughly.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000274
Anna Zaks70aa5312013-01-30 19:12:26 +0000275The last option, -analyzer-config ipa=dynamic-bifurcate, behaves similarly to
Ted Kremenek98b771e2012-08-22 01:20:05 +0000276"dynamic", but performs a conservative invalidation in the general virtual case
277in *addition* to inlining. The details of this are discussed below.
Jordan Rose0564c752012-08-17 02:11:35 +0000278
Anna Zaks70aa5312013-01-30 19:12:26 +0000279As stated above, -analyzer-config ipa=basic-inlining does not inline any C++
280member functions or Objective-C method calls, even if they are non-virtual or
281can be safely devirtualized.
Jordan Rose40dd4d92012-08-22 17:13:27 +0000282
283
Jordan Rose0564c752012-08-17 02:11:35 +0000284Bifurcation
285-----------
Jordan Rose0564c752012-08-17 02:11:35 +0000286
Anna Zaks70aa5312013-01-30 19:12:26 +0000287ExprEngine::BifurcateCall implements the -analyzer-config ipa=dynamic-bifurcate
Ted Kremenek98b771e2012-08-22 01:20:05 +0000288mode.
Jordan Rose0564c752012-08-17 02:11:35 +0000289
Jordan Rose40dd4d92012-08-22 17:13:27 +0000290When a call is made on an object with imprecise dynamic type information
Anna Zaks545588f2012-08-22 05:38:38 +0000291(RuntimeDefinition::mayHaveOtherDefinitions() evaluates to TRUE), ExprEngine
Jordan Rose40dd4d92012-08-22 17:13:27 +0000292bifurcates the path and marks the object's region (retrieved from the
293RuntimeDefinition object) with a path-sensitive "mode" in the ProgramState.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000294
295Currently, there are 2 modes:
296
297 DynamicDispatchModeInlined - Models the case where the dynamic type information
Anna Zaks545588f2012-08-22 05:38:38 +0000298 of the receiver (MemoryRegion) is assumed to be perfectly constrained so
299 that a given definition of a method is expected to be the code actually
300 called. When this mode is set, ExprEngine uses the Decl from
301 RuntimeDefinition to inline any dynamically dispatched call sent to this
302 receiver because the function definition is considered to be fully resolved.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000303
304 DynamicDispatchModeConservative - Models the case where the dynamic type
Anna Zaks545588f2012-08-22 05:38:38 +0000305 information is assumed to be incorrect, for example, implies that the method
306 definition is overriden in a subclass. In such cases, ExprEngine does not
307 inline the methods sent to the receiver (MemoryRegion), even if a candidate
308 definition is available. This mode is conservative about simulating the
309 effects of a call.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000310
Anna Zaks545588f2012-08-22 05:38:38 +0000311Going forward along the symbolic execution path, ExprEngine consults the mode
312of the receiver's MemRegion to make decisions on whether the calls should be
313inlined or not, which ensures that there is at most one split per region.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000314
315At a high level, "bifurcation mode" allows for increased semantic coverage in
316cases where the parent method contains code which is only executed when the
317class is subclassed. The disadvantages of this mode are a (considerable?)
318performance hit and the possibility of false positives on the path where the
319conservative mode is used.
Jordan Rose0564c752012-08-17 02:11:35 +0000320
321Objective-C Message Heuristics
322------------------------------
Jordan Rose0564c752012-08-17 02:11:35 +0000323
Anna Zaks545588f2012-08-22 05:38:38 +0000324ExprEngine relies on a set of heuristics to partition the set of Objective-C
325method calls into those that require bifurcation and those that do not. Below
326are the cases when the DynamicTypeInfo of the object is considered precise
Ted Kremenek98b771e2012-08-22 01:20:05 +0000327(cannot be a subclass):
328
329 - If the object was created with +alloc or +new and initialized with an -init
330 method.
331
332 - If the calls are property accesses using dot syntax. This is based on the
333 assumption that children rarely override properties, or do so in an
334 essentially compatible way.
335
336 - If the class interface is declared inside the main source file. In this case
337 it is unlikely that it will be subclassed.
338
339 - If the method is not declared outside of main source file, either by the
340 receiver's class or by any superclasses.
Jordan Rose0564c752012-08-17 02:11:35 +0000341
Jordan Rose40dd4d92012-08-22 17:13:27 +0000342C++ Caveats
Jordan Rose0564c752012-08-17 02:11:35 +0000343--------------------
Jordan Rose0564c752012-08-17 02:11:35 +0000344
Ted Kremenek98b771e2012-08-22 01:20:05 +0000345C++11 [class.cdtor]p4 describes how the vtable of an object is modified as it is
346being constructed or destructed; that is, the type of the object depends on
347which base constructors have been completed. This is tracked using
348DynamicTypeInfo in the DynamicTypePropagation checker.
Jordan Rose0564c752012-08-17 02:11:35 +0000349
Ted Kremenek98b771e2012-08-22 01:20:05 +0000350There are several limitations in the current implementation:
Jordan Rose0564c752012-08-17 02:11:35 +0000351
Jordan Rose40dd4d92012-08-22 17:13:27 +0000352- Temporaries are poorly modeled right now because we're not confident in the
353 placement of their destructors in the CFG. We currently won't inline their
Jordan Rose39fbb022012-08-27 18:39:16 +0000354 constructors unless the destructor is trivial, and don't process their
355 destructors at all, not even to invalidate the region.
Jordan Rose0564c752012-08-17 02:11:35 +0000356
Jordan Rose40dd4d92012-08-22 17:13:27 +0000357- 'new' is poorly modeled due to some nasty CFG/design issues. This is tracked
358 in PR12014. 'delete' is not modeled at all.
Ted Kremenek98b771e2012-08-22 01:20:05 +0000359
360- Arrays of objects are modeled very poorly right now. ExprEngine currently
Jordan Rose40dd4d92012-08-22 17:13:27 +0000361 only simulates the first constructor and first destructor. Because of this,
Ted Kremenek98b771e2012-08-22 01:20:05 +0000362 ExprEngine does not inline any constructors or destructors for arrays.
Jordan Rose0564c752012-08-17 02:11:35 +0000363
Jordan Rose40dd4d92012-08-22 17:13:27 +0000364
Jordan Rose0564c752012-08-17 02:11:35 +0000365CallEvent
Jordan Rose40dd4d92012-08-22 17:13:27 +0000366=========
Jordan Rose0564c752012-08-17 02:11:35 +0000367
Ted Kremenek98b771e2012-08-22 01:20:05 +0000368A CallEvent represents a specific call to a function, method, or other body of
369code. It is path-sensitive, containing both the current state (ProgramStateRef)
370and stack space (LocationContext), and provides uniform access to the argument
371values and return type of a call, no matter how the call is written in the
372source or what sort of code body is being invoked.
Jordan Rose0564c752012-08-17 02:11:35 +0000373
Ted Kremenek98b771e2012-08-22 01:20:05 +0000374 NOTE: For those familiar with Cocoa, CallEvent is roughly equivalent to
375 NSInvocation.
Jordan Rose0564c752012-08-17 02:11:35 +0000376
Ted Kremenek98b771e2012-08-22 01:20:05 +0000377CallEvent should be used whenever there is logic dealing with function calls
378that does not care how the call occurred.
Jordan Rose0564c752012-08-17 02:11:35 +0000379
Ted Kremenek98b771e2012-08-22 01:20:05 +0000380Examples include checking that arguments satisfy preconditions (such as
381__attribute__((nonnull))), and attempting to inline a call.
382
383CallEvents are reference-counted objects managed by a CallEventManager. While
384there is no inherent issue with persisting them (say, in a ProgramState's GDM),
385they are intended for short-lived use, and can be recreated from CFGElements or
Jordan Rose40dd4d92012-08-22 17:13:27 +0000386non-top-level StackFrameContexts fairly easily.