[clang] skip initialisation of large compound values

Summary: It's easy to create large arrays in code, eg `int x[1UL << 16];`, but these can generate huge nodes in SIL because zero-initialization is translated by zero-ing structures element by element. Introduce a builtin to use instead. Keep the naive method for small structures (with a configurable limit on "small"). Reviewed By: dulmarod Differential Revision: D20836836 fbshipit-source-id: 6bf5410f8
5 years ago · 66ed16fd27
parent 271946a178
commit 66ed16fd27
12 changed files with 179 additions and 52 deletions
--- a/infer/man/man1/infer-analyze.txt
+++ b/infer/man/man1/infer-analyze.txt
@ -371,6 +371,11 @@ CLANG OPTIONS
           Override sources in all cxx annotation reachability specs with the
           given sources spec

+       --clang-compound-literal-init-limit int
+           Limit after which initialization of compound types (structs and
+           arrays) is not done element by element but using a builtin
+           function that each analysis has to model.
+
       --cxx-scope-guards json
           Specify scope guard classes that can be read only by destructors
           without being reported as dead stores.
--- a/infer/man/man1/infer-capture.txt
+++ b/infer/man/man1/infer-capture.txt
@ -218,6 +218,11 @@ CLANG OPTIONS
       --clang-blacklisted-flags-with-arg +string
           Clang flags (taking args) to filter out

+       --clang-compound-literal-init-limit int
+           Limit after which initialization of compound types (structs and
+           arrays) is not done element by element but using a builtin
+           function that each analysis has to model.
+
       --compilation-database +path
           File that contain compilation commands (can be specified multiple
           times)
--- a/infer/man/man1/infer-full.txt
+++ b/infer/man/man1/infer-full.txt
@ -220,6 +220,11 @@ OPTIONS
       --clang-blacklisted-flags-with-arg +string
           Clang flags (taking args) to filter out           See also infer-capture(1).

+       --clang-compound-literal-init-limit int
+           Limit after which initialization of compound types (structs and
+           arrays) is not done element by element but using a builtin
+           function that each analysis has to model.           See also infer-analyze(1) and infer-capture(1).
+
       --class-loads
           Activates: Java class loading analysis (Conversely:
           --no-class-loads)           See also infer-analyze(1).
--- a/infer/man/man1/infer.txt
+++ b/infer/man/man1/infer.txt
@ -220,6 +220,11 @@ OPTIONS
       --clang-blacklisted-flags-with-arg +string
           Clang flags (taking args) to filter out           See also infer-capture(1).

+       --clang-compound-literal-init-limit int
+           Limit after which initialization of compound types (structs and
+           arrays) is not done element by element but using a builtin
+           function that each analysis has to model.           See also infer-analyze(1) and infer-capture(1).
+
       --class-loads
           Activates: Java class loading analysis (Conversely:
           --no-class-loads)           See also infer-analyze(1).
--- a/infer/src/IR/BUILTINS.ml
+++ b/infer/src/IR/BUILTINS.ml
@ -135,4 +135,6 @@ module type S = sig
  val vwscanf : t

  val wscanf : t
+
+  val zero_initialization : t
 end
--- a/infer/src/IR/BuiltinDecl.ml
+++ b/infer/src/IR/BuiltinDecl.ml
@ -174,3 +174,5 @@ let vswscanf = create_procname "vswscanf"
 let vwscanf = create_procname "vwscanf"

 let wscanf = create_procname "wscanf"
+
+let zero_initialization = create_procname "__infer_zero_initialization"
--- a/infer/src/base/Config.ml
+++ b/infer/src/base/Config.ml
@ -851,6 +851,13 @@ and clang_biniou_file =
    ~meta:"file" "Specify a file containing the AST of the program, in biniou format"


+and clang_compound_literal_init_limit =
+  CLOpt.mk_int ~default:5 ~long:"clang-compound-literal-init-limit"
+    ~in_help:InferCommand.[(Analyze, manual_clang); (Capture, manual_clang)]
+    "Limit after which initialization of compound types (structs and arrays) is not done element \
+     by element but using a builtin function that each analysis has to model."
+
+
 and clang_extra_flags =
  CLOpt.mk_string_list ~long:"Xclang"
    ~in_help:InferCommand.[(Capture, manual_clang)]
@ -2637,6 +2644,8 @@ and checkers = List.map !all_checkers ~f:(fun (checker, _, var) -> (checker, !va

 and clang_biniou_file = !clang_biniou_file

+and clang_compound_literal_init_limit = !clang_compound_literal_init_limit
+
 and clang_extra_flags = !clang_extra_flags

 and clang_blacklisted_flags = !clang_blacklisted_flags
--- a/infer/src/base/Config.mli
+++ b/infer/src/base/Config.mli
@ -260,6 +260,8 @@ val check_version : string option

 val clang_biniou_file : string option

+val clang_compound_literal_init_limit : int
+
 val clang_extra_flags : string list

 val clang_blacklisted_flags : string list
--- a/infer/src/biabduction/BuiltinDefn.ml
+++ b/infer/src/biabduction/BuiltinDefn.ml
@ -1006,6 +1006,8 @@ let vwscanf = Builtin.register BuiltinDecl.vwscanf (execute_scan_function 1)

 let wscanf = Builtin.register BuiltinDecl.wscanf (execute_scan_function 1)

+let zero_initialization = Builtin.register BuiltinDecl.zero_initialization execute_skip
+
 (* Function exists to load module and guarantee that the side-effects of Builtin.register
   calls have been done. *)
 let init () = ()
--- a/infer/src/clang/cTrans.ml
+++ b/infer/src/clang/cTrans.ml
@ -387,57 +387,6 @@ module CTrans_funct (F : CModule_type.CFrontend) : CModule_type.CTranslation = s
    mk_trans_result (zero, typ) empty_control


-  (** Create instructions to initialize record with zeroes. It needs to traverse whole type
-      structure, to assign 0 values to all transitive fields because of AST construction in C
-      translation *)
-  let implicitValueInitExpr_trans trans_state stmt_info =
-    match trans_state.var_exp_typ with
-    | Some var_exp_typ ->
-        (* This node will always be child of InitListExpr, claiming priority will always fail *)
-        let tenv = trans_state.context.CContext.tenv in
-        let sil_loc =
-          CLocation.location_of_stmt_info
-            trans_state.context.CContext.translation_unit_context.source_file stmt_info
-        in
-        (* Traverse structure of a type and initialize int/float/ptr fields with zero *)
-        let rec fill_typ_with_zero ((exp, typ) as exp_typ) =
-          match typ.Typ.desc with
-          | Tstruct tn ->
-              let field_exp_typs =
-                match Tenv.lookup tenv tn with
-                | Some {fields} ->
-                    List.map fields ~f:(fun (fieldname, fieldtype, _) ->
-                        (Exp.Lfield (exp, fieldname, typ), fieldtype) )
-                | None ->
-                    assert false
-              in
-              List.map field_exp_typs ~f:(fun exp_typ -> (fill_typ_with_zero exp_typ).control)
-              |> collect_controls trans_state.context.procdesc
-              |> mk_trans_result exp_typ
-          | Tarray {elt= field_typ; length= Some n} ->
-              let size = IntLit.to_int_exn n in
-              let indices = CGeneral_utils.list_range 0 (size - 1) in
-              List.map indices ~f:(fun i ->
-                  let idx_exp = Exp.Const (Const.Cint (IntLit.of_int i)) in
-                  let field_exp = Exp.Lindex (exp, idx_exp) in
-                  (fill_typ_with_zero (field_exp, field_typ)).control )
-              |> collect_controls trans_state.context.procdesc
-              |> mk_trans_result exp_typ
-          | Tint _ | Tfloat _ | Tptr _ ->
-              let zero_exp = Exp.zero_of_type_exn typ in
-              let instrs = [Sil.Store {e1= exp; root_typ= typ; typ; e2= zero_exp; loc= sil_loc}] in
-              mk_trans_result (exp, typ) {empty_control with instrs}
-          | Tfun | Tvoid | Tarray _ | TVar _ ->
-              CFrontend_errors.unimplemented __POS__ stmt_info.Clang_ast_t.si_source_range
-                "fill_typ_with_zero on type %a" (Typ.pp Pp.text) typ
-        in
-        let res_trans = fill_typ_with_zero var_exp_typ in
-        {res_trans with control= {res_trans.control with initd_exps= [fst var_exp_typ]}}
-    | None ->
-        CFrontend_errors.unimplemented __POS__ stmt_info.Clang_ast_t.si_source_range
-          "Retrieving var from non-InitListExpr parent"
-
-
  let no_op_trans succ_nodes =
    mk_trans_result (mk_fresh_void_exp_typ ()) {empty_control with root_nodes= succ_nodes}

@ -747,6 +696,86 @@ module CTrans_funct (F : CModule_type.CFrontend) : CModule_type.CTranslation = s
      {empty_control with root_nodes= [root_node']; leaf_nodes= trans_state.succ_nodes}


+  (** Create instructions to initialize record with zeroes. It needs to traverse whole type
+      structure, to assign 0 values to all transitive fields because of AST construction in C
+      translation *)
+  and implicitValueInitExpr_trans trans_state stmt_info =
+    match trans_state.var_exp_typ with
+    | None ->
+        CFrontend_errors.unimplemented __POS__ stmt_info.Clang_ast_t.si_source_range
+          "Retrieving var from non-InitListExpr parent"
+    | Some var_exp_typ ->
+        (* This node will always be child of InitListExpr, claiming priority will always fail *)
+        let tenv = trans_state.context.CContext.tenv in
+        let sil_loc =
+          CLocation.location_of_stmt_info
+            trans_state.context.CContext.translation_unit_context.source_file stmt_info
+        in
+        (* Traverse structure of a type and initialize int/float/ptr fields with zero *)
+        let rec fill_typ_with_zero ((exp, typ) as exp_typ) =
+          let init_with_builtin =
+            match typ.Typ.desc with
+            | Tstruct tn -> (
+              match Tenv.lookup tenv tn with
+              | Some {fields} ->
+                  List.length fields > Config.clang_compound_literal_init_limit
+              | None ->
+                  assert false )
+            | Tarray {length= Some n} ->
+                IntLit.gt n (IntLit.of_int Config.clang_compound_literal_init_limit)
+            | Tint _ | Tfloat _ | Tptr _ ->
+                false
+            | Tfun | Tvoid | Tarray _ | TVar _ ->
+                true
+          in
+          if init_with_builtin then
+            let ret_id = Ident.create_fresh Ident.knormal in
+            let call_instr =
+              Sil.Call
+                ( (ret_id, Typ.void)
+                , Const (Cfun BuiltinDecl.zero_initialization)
+                , [exp_typ]
+                , sil_loc
+                , CallFlags.default )
+            in
+            mk_trans_result exp_typ {empty_control with instrs= [call_instr]}
+          else
+            match typ.Typ.desc with
+            | Tstruct tn ->
+                let field_exp_typs =
+                  match Tenv.lookup tenv tn with
+                  | Some {fields} ->
+                      List.map fields ~f:(fun (fieldname, fieldtype, _) ->
+                          (Exp.Lfield (exp, fieldname, typ), fieldtype) )
+                  | None ->
+                      assert false
+                in
+                List.map field_exp_typs ~f:(fun exp_typ -> (fill_typ_with_zero exp_typ).control)
+                |> collect_controls trans_state.context.procdesc
+                |> mk_trans_result exp_typ
+            | Tarray {elt= field_typ; length= Some n} ->
+                let size = IntLit.to_int_exn n in
+                let indices = CGeneral_utils.list_range 0 (size - 1) in
+                List.map indices ~f:(fun i ->
+                    let idx_exp = Exp.Const (Const.Cint (IntLit.of_int i)) in
+                    let field_exp = Exp.Lindex (exp, idx_exp) in
+                    (fill_typ_with_zero (field_exp, field_typ)).control )
+                |> collect_controls trans_state.context.procdesc
+                |> mk_trans_result exp_typ
+            | Tint _ | Tfloat _ | Tptr _ ->
+                let zero_exp = Exp.zero_of_type_exn typ in
+                let instrs =
+                  [Sil.Store {e1= exp; root_typ= typ; typ; e2= zero_exp; loc= sil_loc}]
+                in
+                mk_trans_result (exp, typ) {empty_control with instrs}
+            | Tfun | Tvoid | Tarray _ | TVar _ ->
+                CFrontend_errors.unimplemented __POS__ stmt_info.Clang_ast_t.si_source_range
+                  "fill_typ_with_zero on type %a" (Typ.pp Pp.text) typ
+        in
+        let res_trans = fill_typ_with_zero var_exp_typ in
+        {res_trans with control= {res_trans.control with initd_exps= [fst var_exp_typ]}}
+
+
  and var_deref_trans trans_state stmt_info (decl_ref : Clang_ast_t.decl_ref) =
    let context = trans_state.context in
    let _, _, qual_type = CAst_utils.get_info_from_decl_ref decl_ref in
@ -2292,7 +2321,7 @@ module CTrans_funct (F : CModule_type.CFrontend) : CModule_type.CTranslation = s
      in
      let all_res_trans =
        match var_typ.Typ.desc with
-        | Typ.Tarray {elt} ->
+        | Tarray {elt} ->
            initListExpr_array_trans trans_state_pri init_stmt_info stmts var_exp elt
        | Tstruct _ ->
            initListExpr_struct_trans trans_state_pri init_stmt_info stmts var_exp var_typ
--- a/infer/tests/codetoanalyze/cpp/frontend/initialization/zero_init.cpp
+++ b/infer/tests/codetoanalyze/cpp/frontend/initialization/zero_init.cpp
@ -0,0 +1,25 @@
+/*
+ * Copyright (c) Facebook, Inc. and its affiliates.
+ *
+ * This source code is licensed under the MIT license found in the
+ * LICENSE file in the root directory of this source tree.
+ */
+
+namespace zero_init {
+
+struct X {
+  // ridiculously large array's initialization should not be translated index by
+  // index by the frontend
+  static constexpr unsigned int kMaxKeys = 1UL << 16;
+  void* keys_[kMaxKeys];
+  constexpr X() : keys_() {}
+};
+
+struct Y {
+  // this is small and can be translated index by index to save modelling burden
+  // in analyses
+  void* keys_[3];
+  constexpr Y() : keys_() {}
+};
+
+} // namespace zero_init
--- a/infer/tests/codetoanalyze/cpp/frontend/initialization/zero_init.cpp.dot
+++ b/infer/tests/codetoanalyze/cpp/frontend/initialization/zero_init.cpp.dot
@ -0,0 +1,36 @@
+/* @generated */
+digraph cfg {
+"kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_1" [label="1: Start __infer_globals_initializer_zero_init::X::kMaxKeys\nFormals: \nLocals:  \n  " color=yellow style=filled]
+	
+
+	 "kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_1" -> "kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_3" ;
+"kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_2" [label="2: Exit __infer_globals_initializer_zero_init::X::kMaxKeys \n  " color=yellow style=filled]
+	
+
+"kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_3" [label="3:  DeclStmt \n   VARIABLE_DECLARED(#GB<codetoanalyze/cpp/frontend/initialization/zero_init.cpp|const|ice>$zero_init::X::kMaxKeys:unsigned int const ); [line 13, column 3]\n  *&#GB<codetoanalyze/cpp/frontend/initialization/zero_init.cpp|const|ice>$zero_init::X::kMaxKeys:unsigned int const =(unsigned int const )(1 << 16) [line 13, column 3]\n " shape="box"]
+	
+
+	 "kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_3" -> "kMaxKeys#X#__infer_globals_initializer_zero_init.cd983beeff3879de64cad137bc5d5f8c_2" ;
+"X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_1" [label="1: Start zero_init::X::X\nFormals:  this:zero_init::X*\nLocals:  \n  " color=yellow style=filled]
+	
+
+	 "X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_1" -> "X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_3" ;
+"X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_2" [label="2: Exit zero_init::X::X \n  " color=yellow style=filled]
+	
+
+"X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_3" [label="3:  Constructor Init \n   n$1=*&this:zero_init::X* [line 15, column 19]\n  n$2=_fun___infer_zero_initialization(n$1.keys_:void*[65536*8]) [line 15, column 25]\n " shape="box"]
+	
+
+	 "X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_3" -> "X#X#zero_init#{277870330798338824|constexpr}.16c2d483086de887db705c1e51a1bf78_2" ;
+"Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_1" [label="1: Start zero_init::Y::Y\nFormals:  this:zero_init::Y*\nLocals:  \n  " color=yellow style=filled]
+	
+
+	 "Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_1" -> "Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_3" ;
+"Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_2" [label="2: Exit zero_init::Y::Y \n  " color=yellow style=filled]
+	
+
+"Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_3" [label="3:  Constructor Init \n   n$1=*&this:zero_init::Y* [line 22, column 19]\n  *n$1.keys_[0]:void*=null [line 22, column 25]\n  *n$1.keys_[1]:void*=null [line 22, column 25]\n  *n$1.keys_[2]:void*=null [line 22, column 25]\n " shape="box"]
+	
+
+	 "Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_3" -> "Y#Y#zero_init#{11751607535979846847|constexpr}.3d7bacd58f9f66a28604db198e91fa11_2" ;
+}