Lower Bounds Inference (#718)

This pull requests extends array bounds inference to support inferring lower
bounds for array pointers and inserting using Checked C range bounds.

For example:

    char simple_lower_bound(int *a, int l) {
      int *b = a;
      while (b - a < l && *b != 42)
        b++;
      return b - a < l;
    }

3C can now infer bounds for b even though a standard count bound would be
invalidated by the increment b++.

    char simple_lower_bound(_Array_ptr<int> a : count(l), int l) {
      _Array_ptr<int> b : bounds(a, a + l) = a;
      while (b - a < l && *b != 42)
        b++;
      return b - a < l;
    }

The inference is also able to automatically fatten pointers by generating lower
bounds where none exists in the source code. 

Co-authored-by: Matt McCutchen (Correct Computation) <[email protected]>

Author: john-h-kastner

clang/include/clang/3C/ABounds.h

@@ -32,17 +32,26 @@ class ABounds {
     CountPlusOneBoundKind,
     // Bounds that represent number of bytes.
     ByteBoundKind,
-    // Bounds that represent range.
-    RangeBoundKind,
   };
   BoundsKind getKind() const { return Kind; }
 
 protected:
+  ABounds(BoundsKind K, BoundsKey L, BoundsKey B) : Kind(K), LengthKey(L),
+                                                    LowerBoundKey(B) {}
+  ABounds(BoundsKind K, BoundsKey L) : ABounds(K, L, 0) {}
+
   BoundsKind Kind;
 
-protected:
-  ABounds(BoundsKind K) : Kind(K) {}
-  void addBoundsUsedKey(BoundsKey);
+  // Bounds key representing the length of the bounds from the base pointer of
+  // the range. The exact interpretation of this field varies by subclass.
+  BoundsKey LengthKey;
+
+  // The base pointer representing the start of the range of the bounds. If this
+  // is not equal to 0, then this ABounds has a specific lower bound that should
+  // be used when emitting array pointer bounds. Otherwise, if it is 0, then the
+  // lower bound should implicitly be the pointer the bound is applied to.
+  BoundsKey LowerBoundKey;
+
   // Get the variable name of the the given bounds key that corresponds
   // to the given declaration.
   static std::string getBoundsKeyStr(BoundsKey, AVarBoundsInfo *,
@@ -51,50 +60,69 @@ class ABounds {
 public:
   virtual ~ABounds() {}
 
-  virtual std::string mkString(AVarBoundsInfo *, clang::Decl *D = nullptr) = 0;
+  // Make a string representation of this array bound. If the array has a
+  // defined lower bound pointer that is not the same as the pointer for which
+  // the bound string is being generated (passed as parameter BK), then a range
+  // bound is generated using that lower bound. Otherwise, a standard count
+  // bound is generated.
+  std::string
+  mkString(AVarBoundsInfo *ABI, clang::Decl *D = nullptr, BoundsKey BK = 0);
+
+  // Make a string representation of this array bound always generating explicit
+  // lower bounds in range bounds expressions.
+  virtual std::string
+  mkStringWithLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) = 0;
+
+  // Make a string representation of this array bound ignoring any lower bound
+  // information. A standard count bound is always generated.
+  virtual std::string
+  mkStringWithoutLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) = 0;
+
   virtual bool areSame(ABounds *, AVarBoundsInfo *) = 0;
-  virtual BoundsKey getBKey() = 0;
   virtual ABounds *makeCopy(BoundsKey NK) = 0;
 
-  // Set that maintains all the bound keys that are used inin
-  // TODO: Is this still needed?
-  static std::set<BoundsKey> KeysUsedInBounds;
-  static bool isKeyUsedInBounds(BoundsKey ToCheck);
+  BoundsKey getLengthKey() const { return LengthKey; }
+  BoundsKey getLowerBoundKey() const { return LowerBoundKey; }
+  void setLowerBoundKey(BoundsKey LB) { LowerBoundKey = LB; }
 
   static ABounds *getBoundsInfo(AVarBoundsInfo *AVBInfo, BoundsExpr *BExpr,
                                 const ASTContext &C);
 };
 
 class CountBound : public ABounds {
 public:
-  CountBound(BoundsKey Var) : ABounds(CountBoundKind), CountVar(Var) {
-    addBoundsUsedKey(Var);
-  }
+  CountBound(BoundsKey L, BoundsKey B) : ABounds(CountBoundKind, L, B) {}
+  CountBound(BoundsKey L) : ABounds(CountBoundKind, L) {}
 
-  ~CountBound() override {}
+  std::string
+  mkStringWithLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) override;
+  std::string
+  mkStringWithoutLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) override;
 
-  std::string mkString(AVarBoundsInfo *ABI, clang::Decl *D = nullptr) override;
   bool areSame(ABounds *O, AVarBoundsInfo *ABI) override;
-  BoundsKey getBKey() override;
+
   ABounds *makeCopy(BoundsKey NK) override;
 
   static bool classof(const ABounds *S) {
     return S->getKind() == CountBoundKind;
   }
-
-  BoundsKey getCountVar() { return CountVar; }
-
-protected:
-  BoundsKey CountVar;
 };
 
 class CountPlusOneBound : public CountBound {
 public:
-  CountPlusOneBound(BoundsKey Var) : CountBound(Var) {
+  CountPlusOneBound(BoundsKey L, BoundsKey B) : CountBound(L, B) {
     this->Kind = CountPlusOneBoundKind;
   }
 
-  std::string mkString(AVarBoundsInfo *ABI, clang::Decl *D = nullptr) override;
+  CountPlusOneBound(BoundsKey L) : CountBound(L) {
+    this->Kind = CountPlusOneBoundKind;
+  }
+
+  std::string
+  mkStringWithLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) override;
+  std::string
+  mkStringWithoutLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) override;
+
   bool areSame(ABounds *O, AVarBoundsInfo *ABI) override;
 
   static bool classof(const ABounds *S) {
@@ -104,54 +132,20 @@ class CountPlusOneBound : public CountBound {
 
 class ByteBound : public ABounds {
 public:
-  ByteBound(BoundsKey Var) : ABounds(ByteBoundKind), ByteVar(Var) {
-    addBoundsUsedKey(Var);
-  }
+  ByteBound(BoundsKey L, BoundsKey B) : ABounds(ByteBoundKind, L, B) {}
+  ByteBound(BoundsKey L) : ABounds(ByteBoundKind, L) {}
 
-  ~ByteBound() override {}
+  std::string
+  mkStringWithLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) override;
+  std::string
+  mkStringWithoutLowerBound(AVarBoundsInfo *ABI, clang::Decl *D) override;
 
-  std::string mkString(AVarBoundsInfo *ABI, clang::Decl *D = nullptr) override;
   bool areSame(ABounds *O, AVarBoundsInfo *ABI) override;
-  BoundsKey getBKey() override;
   ABounds *makeCopy(BoundsKey NK) override;
 
   static bool classof(const ABounds *S) {
     return S->getKind() == ByteBoundKind;
   }
-  BoundsKey getByteVar() { return ByteVar; }
-
-private:
-  BoundsKey ByteVar;
 };
 
-class RangeBound : public ABounds {
-public:
-  RangeBound(BoundsKey L, BoundsKey R) : ABounds(RangeBoundKind), LB(L), UB(R) {
-    addBoundsUsedKey(L);
-    addBoundsUsedKey(R);
-  }
-
-  ~RangeBound() override {}
-
-  std::string mkString(AVarBoundsInfo *ABI, clang::Decl *D = nullptr) override;
-  bool areSame(ABounds *O, AVarBoundsInfo *ABI) override;
-
-  BoundsKey getBKey() override {
-    assert(false && "Not implemented.");
-    return 0;
-  }
-
-  ABounds *makeCopy(BoundsKey NK) override {
-    assert(false && "Not Implemented");
-    return nullptr;
-  }
-
-  static bool classof(const ABounds *S) {
-    return S->getKind() == RangeBoundKind;
-  }
-
-private:
-  BoundsKey LB;
-  BoundsKey UB;
-};
 #endif // LLVM_CLANG_3C_ABOUNDS_H

clang/include/clang/3C/AVarBoundsInfo.h

@@ -148,7 +148,7 @@ class AvarBoundsInference {
   // BoundsKey that failed the flow inference.
   std::set<BoundsKey> BKsFailedFlowInference;
 
-  static ABounds *getPreferredBound(const BndsKindMap &BKindMap);
+  ABounds *getPreferredBound(BoundsKey BK);
 };
 
 // Class that maintains information about potential bounds for
@@ -181,7 +181,8 @@ class AVarBoundsInfo {
 public:
   AVarBoundsInfo()
       : ProgVarGraph(this), CtxSensProgVarGraph(this),
-        RevCtxSensProgVarGraph(this), CSBKeyHandler(this) {
+        RevCtxSensProgVarGraph(this), CSBKeyHandler(this),
+        LowerBoundGraph(this) {
     BCount = 1;
     PVarInfo.clear();
     InProgramArrPtrBoundsKeys.clear();
@@ -231,11 +232,9 @@ class AVarBoundsInfo {
 
   // Add Assignments between variables. These methods will add edges between
   // corresponding BoundsKeys
-  bool addAssignment(clang::Decl *L, clang::Decl *R);
-  bool addAssignment(clang::DeclRefExpr *L, clang::DeclRefExpr *R);
   bool addAssignment(BoundsKey L, BoundsKey R);
-  bool handlePointerAssignment(clang::Stmt *St, clang::Expr *L, clang::Expr *R,
-                               ASTContext *C, ConstraintResolver *CR);
+  bool handlePointerAssignment(clang::Expr *L, clang::Expr *R, ASTContext *C,
+                               ConstraintResolver *CR);
   bool handleAssignment(clang::Expr *L, const CVarSet &LCVars,
                         const std::set<BoundsKey> &CSLKeys, clang::Expr *R,
                         const CVarSet &RCVars,
@@ -252,11 +251,40 @@ class AVarBoundsInfo {
   // for pointers that has pointer arithmetic performed on them.
   void recordArithmeticOperation(clang::Expr *E, ConstraintResolver *CR);
 
-  // Check if the given bounds key has a pointer arithmetic done on it.
-  bool hasPointerArithmetic(BoundsKey BK);
+  // Check if the given bounds key will need to be duplicated during rewriting
+  // to generate a fresh lower bound. This happens when a pointer is not a valid
+  // lower bounds due to pointer arithmetic, and lower bounds inference fails to
+  // find a consistent lower bound among existing pointers in the source code.
+  bool needsFreshLowerBound(BoundsKey BK);
+  bool needsFreshLowerBound(ConstraintVariable *CV);
+
+  // Return true when a lower bound could be inferred for the array pointer
+  // corresponding to `BK`. This is the case either when `BK` was not
+  // invalidated as lower bound by pointer arithmetic meaning it is it's own
+  // lower bound, or when `BK` was invalidated, but a valid lower bound could be
+  // inferred.
+  bool hasLowerBound(BoundsKey BK);
+
+  // Record that a pointer cannot be rewritten to use range bounds. This might
+  // be due to 3C rewriting limitations (assignments appearing inside macros),
+  // or it might be a Checked C limitation (the current style of range bounds
+  // can't properly initialized on global variables without error).
+  void markIneligibleForFreshLowerBound(BoundsKey BK);
 
   // Get the ProgramVar for the provided VarKey.
-  ProgramVar *getProgramVar(BoundsKey VK);
+  // This method can return `nullptr` if there is no corresponding ProgramVar.
+  // It's not obvious when a BoundsKey can be expected to have a ProgramVar, so
+  // callers should typically check for null.
+  ProgramVar *getProgramVar(BoundsKey VK) const;
+
+  // Get the Scope of the provided BoundsKey.
+  // This method returns nullptr if `getProgramVar(BK)` would return nullptr.
+  const ProgramVarScope *getProgramVarScope(BoundsKey BK) const;
+
+  // Return true when BoundsKey `To` can be accessed from the scope of `from`.
+  // Note that this returns false if either BoundsKey cannot be mapped to a
+  // ProgramVar (and therefore can't be mapped to a scope).
+  bool isInAccessibleScope(BoundsKey From, BoundsKey To);
 
   // Propagate the array bounds information for all array ptrs.
   void performFlowAnalysis(ProgramInfo *PI);
@@ -294,6 +322,13 @@ class AVarBoundsInfo {
 
   void addConstantArrayBounds(ProgramInfo &I);
 
+  // This is the main entry point to start lower bound inference. It populates
+  // the map LowerBounds and set NeedFreshLowerBounds with the result of the
+  // analysis. LowerBounds is accessed during the rest of bounds inference, so
+  // this method must be executed before performFlowAnalysis which handles the
+  // majority of the work for length inference.
+  void inferLowerBounds(ProgramInfo *PI);
+
 private:
   friend class AvarBoundsInference;
   friend class CtxSensitiveBoundsKeyHandler;
@@ -315,8 +350,17 @@ class AVarBoundsInfo {
   // Set that contains BoundsKeys of variables which have invalid bounds.
   std::set<BoundsKey> InvalidBounds;
   // These are the bounds key of the pointers that has arithmetic operations
-  // performed on them.
+  // performed on them. These pointers cannot have the standard `count(n)`
+  // bounds and instead must use range bounds with an explict lower bound
+  // e.g., `bounds(p, p + n)`.
   std::set<BoundsKey> ArrPointersWithArithmetic;
+
+  // Some pointers, however, cannot be automatically given range bounds. This
+  // includes global variables and structure fields. If a pointer is in both the
+  // above pointer arithmetic set and this set, then it cannot be assigned any
+  // bound.
+  std::set<BoundsKey> IneligibleForFreshLowerBound;
+
   // Set of BoundsKeys that correspond to pointers.
   std::set<BoundsKey> PointerBoundsKey;
   // Set of BoundsKey that correspond to array pointers.
@@ -342,6 +386,9 @@ class AVarBoundsInfo {
   // BiMap of function keys and BoundsKey for function return values.
   BiMap<std::tuple<std::string, std::string, bool>, BoundsKey> FuncDeclVarMap;
 
+  PVConstraint *
+  getConstraintVariable(const ProgramInfo *PI, BoundsKey BK) const;
+
   // Graph of all program variables.
   AVarGraph ProgVarGraph;
   // Graph that contains only edges from normal BoundsKey to
@@ -356,6 +403,31 @@ class AVarBoundsInfo {
   // Context-sensitive bounds key handler
   CtxSensitiveBoundsKeyHandler CSBKeyHandler;
 
+  // This graph is used of for determining which pointers are valid lower
+  // bounds, and so are eligible for use as their own lower bound (implicitly as
+  // a count bounds) or as the lower bound for another pointer in a range bound.
+  // It is also used to infer lower bounds for the pointers that are not
+  // eligible to be their own lower bound.
+  AVarGraph LowerBoundGraph;
+  // In the LowerBoundGraph the constant 0 is used to represent the global
+  // singleton invalid pointer.
+  const BoundsKey InvalidLowerBoundKey = 0;
+
+  // BoundsKeys that that cannot be used as a lower bound. These are used in an
+  // update such as `a = a + 1`, or are transitively assigned from such a
+  // pointer.
+  std::set<BoundsKey> InvalidLowerBounds;
+
+  // Mapping from pointers to their inferred lower bounds. A pointer maps to
+  // itself if it can use a simple count bound. Missing pointers have no valid
+  // lower bound, so no length should be inferred during bounds inference.
+  std::map<BoundsKey, BoundsKey> LowerBounds;
+
+  // Some variables have to valid lower bound in the original source code, but
+  // we are able to insert a temporary pointer variable to be the lower bound.
+  // Keep track of these for special handling during rewriting.
+  std::set<BoundsKey> NeedFreshLowerBounds;
+
   // BoundsKey helper function: These functions help in getting bounds key from
   // various artifacts.
   bool hasVarKey(PersistentSourceLoc &PSL);
@@ -389,6 +461,31 @@ class AVarBoundsInfo {
   void insertParamKey(ParamDeclType ParamDecl, BoundsKey NK);
 
   void dumpBounds();
+
+  // Compute which array pointers are not valid lower bounds. This includes any
+  // pointers directly updated in pointer arithmetic expression, as well as any
+  // pointers transitively assigned to from these pointers. This is computed
+  // using essentially the same algorithm as is used for solving the checked
+  // type constraint graph.
+  void computeInvalidLowerBounds(ProgramInfo *PI);
+
+  // During lower bound inference it may be necessary to generate temporary
+  // pointers to act as lower bounds for arrays that otherwise don't have a
+  // consistent lower bound. This method takes a bounds key for an array pointer
+  // and returns a fresh bounds key that can be used as the lower bound for the
+  // array bounds of that pointer.
+  BoundsKey getFreshLowerBound(BoundsKey Arr);
+
+  // Return true if the scope of the BoundsKey is one in which lower bounds
+  // can be inserted. BoundsKeys in context sensitive scope should not get lower
+  // bounds. The corresponding non-context-sensitive BoundsKey should instead.
+  bool scopeCanHaveLowerBound(BoundsKey BK);
+
+  // Check if a fresh lower bound can be be inserted by 3C for the pointer
+  // corresponding to the bounds key. When a pointer needs a fresh lower bound,
+  // it is possible that 3C will not support inserting the new declaration.
+  // No array bounds can be inferred for such pointers.
+  bool isEligibleForFreshLowerBound(BoundsKey BK);
 };
 
 #endif // LLVM_CLANG_3C_AVARBOUNDSINFO_H