Control dependency computation fix

[danpoe]

Fixes a bug in the control dependency computation of the dependency graph (see regression test goto-instrument/dependence-graph4)

[hannes-steffenhagen-diffblue]

Can you explain in more detail what you are doing here? What bug are you fixing here? Also, this seems to be a fairly significant change in the code - is this also a significant change in behavior, or did you combine your bug fix with a refactoring?

[danpoe]

The PR does three things:

(1)

It fixes a bug in the control dependency computation. Previously in transform() only the control dependencies in the set control_deps (plus gotos and assumes at the from location) were considered candidates for the control dependencies at the to location. With this scheme however one misses control dependencies when there are nested if statements.

We use the following definition of control dependencies: A node N is control dependent on a node M iff N postdominates one but not all of M's CFG successors.

Consider the following example:

 1 void main(void)
 2 {
 3   if (a)
 4   {
 5     if (b)
 6       c=0; // no cd on if(a)
 7     else
 8       c=1; // no cd on if(a)
 9
10     d = 1; // cd on if(a)
11   }
12 }

Lines 6 and 8 do not have a control dependency on line 3, line 10 does have a control dependency on line 3. However, the previous implementation missed the latter dependency. The reason is that when computing the control dependencies at a node (e.g., line 10), only the control dependencies at the CFG predecessors (in this case lines 6 and 8) were considered candidates for the control dependencies.

This PR introduces a new set control_dep_candidates in addition to control_deps, which contains all control statements encountered so far.

(2)

It fixes an issue where merge() did not return true in a case where it should. The dependency graph has special handling for function entry edges (in transform()) where it merges the current state into the state of the return location before entering the function. This may change the abstract state at the return location. When later the function exit edge is handled, the merge() into the return location may not change the state, thus merge() may not return true, and thus the return location may not be inserted into the worklist of the fixpoint computation when it should.

This PR introduces a flag has_changed that records whether the abstract state has changed on the handling of the function entry edge. On the function return edge later, merge() checks the flag to know whether it needs to return true.

(3)

It simplifies the merging of the abstract states.

[thk123]

It would be helpful to have these as separate commits (or even PRs) to make it easier to review.

For 3), does this PR help to address that/make it worse: #1843 In any case, could you have use goto_programt::get_function_id

[thk123]

I don't fully understand the definition of the control dependency so going to pause reviewing. How come in your example line 6 doesn't have control dependency on line 3? My reading of your definition led me to,

3 -> 5 -> 6 -> 10 (postdominates one)
3 -> 5 -> 7 -> 8 -> 10 (doesn't postdominate them all)

[thk123]

What's with the dash at the end?

[danpoe]

--text takes an argument which is the file to print to, - means print to stdout.

[thk123]

I've not looked a the output of --dependence-graph, but what does the presence of this line signify? Should you be checking t=1 is not present?

Consider converting this to a unit test so you can be more precise.

[danpoe]

It checks that there is a control dependency (the previous version wrongly reported no control dependency). It does however not check that the control dependency is to the correct instruction. This seems not to be possible easily in regression tests as control dependencies are reported as location numbers which are not stable across different systems.

I'll add a unit test for this.

[thk123]

has_changed already includes the case that has_values.is_false()? I this is just has_changed && data_deps.empty()

[thk123]

To reduce the cognitive load, it would be great if all deps could be renamed to dependencies

[thk123]

Perhaps n could be original_control_deps_size

[thk123]

And this n could be original_control_dep_candidate_size

[thk123]

PRECONDITION probably makes more sense here

[thk123]

const goto_programt::const_targett next=std::next(from);

[thk123]

Why is this assert no longer required?

[martin-cs]

Is this assertion no longer true?

[martin-cs]

Didn't we just remove this method?

[danpoe]

Indeed 5df3fca removes this method. It seems that since by f443b18 cbmc does not do partial inlining anymore, the function field of an instruction is now guaranteed to contain the id of the function it is in. I'll remove the method again.

(In goto-instrument there are still a few cases where the function field is not adjusted when the inliner is called explicitely, but we can fix this in the future.)

[martin-cs]

I'm tempted to be lazy and say +1 "what @thk123" said. Separate commits would be great. The brilliant explanations here : #1858 (comment) as commit messages would be even better.

[danpoe]

@thk123 Line 6 does not have a control dependency on line 3 as it does not postdominate a CFG successor of line 3 (i.e., postdominates_one is false). The two CFG successors of line 3 are line 5 and line 11. Starting from line 5, line 6 does not occur on all paths to the exit point. Similarly, starting from line 11, line 6 also does not occur on all paths to the exit point. Thus, line 6 does not postdominate a CFG successor of line 3.

[danpoe]

I'll split the PR up into several commits.

[smowton]

Main problem here: this absolutely cries out for a reasonably-thorough batch of test cases, since this is the 3rd slicer correctness fix to be PR'd in the last 6 months.

[smowton]

Explain why when our own data deps are non-empty, we don't use src's data deps at all?

[danpoe]

We wouldn't actually need a fixpoint computation for the data dependency analysis as it merely uses the result of the prior reaching definitions analysis to compute the data dependencies at each location. For this we need to inspect each location only once. Thus if the set data_deps is non-empty it means we have handled that location already.

That's one reason why it may be good to split up the data dependency and control dependency analysis (see issue #1859), and then implement the data dependency analysis without ait by simply iterating over all instructions.

[smowton]

"all existing control dependencies on nodes" is less clear than the original phrasing I think. How about "all nodes X such that N is control-dependent on X"

[danpoe]

I just realized that this comment is not accurate anymore in the fixed version. Now we consider all control statements in the current function from which there is a path to the current statement (i.e., to) as potential sources of control dependency edges. I'll add a comment to explain this.

[smowton]

I think this bit is just cleanup for clarity and not a substantial change? If so, if not already, move it into a different commit than the substantial change.

[danpoe]

The set control_dep_candidates was introduced in the fix so this is new code.

[smowton]

It seems a shame to degrade the previous more-efficient algorithm that makes a single walk over the target set into this one that makes |other_control_deps| searches from the root. If it bothers you that the old algorithm is less clear, how about factoring it into a util called union_ordered_range or something?

[danpoe]

Indeed. I assumed that it would implement the same algorithm if both ranges are sorted but it's not the case. I'll add a union_ordered_range utility function.

[danpoe]

@smowton I'll add some more dependence graph tests.

[danpoe]

@smowton, @thk123, @martin-cs: CI is passing and I've addressed all the comments. I think this is now ready to be merged.

[thk123]

Changes and commits look good.
Some requests for docs
I am not familiar enough with this to work out if the tests are correct - though it would be easier to check them if there was a comment at the bottom of the desc decoding the regex to see what is expected

[thk123]

Document please

[thk123]

In particular any requirements on what C can be (e.g. iterable, ordered?)

[thk123]

It would be good to document here what the difference between a control dependency and a control dependency candidate is

[thk123]

Expand cd (and possibly call it control_dep_candidate since it is a candidate not a control dependency(?? - I don't really know the difference)

[thk123]

The wording for this invariant is a little confusing - do you mean cfg should have an entry for every location?

[thk123]

Nit: this commit message (Fix issue where merge() did not return true in the dependence graph w) isn't rendering correctly so I suggest the title is too long. Suggest making the short text:

Make dependency graph merge() return true when abstract state changes

I think that is short enough

[thk123]

Suggest something like the above comment goes into the code as this is entirely non-obvious!

It also might be clear to do:

if(changed)
{
  // ...
  // comment explaining why not if data_deps in non-empty
  if(!data_deps.empty())
  {
    data_deps = src.data_deps;
  }
}

[danpoe]

@thk123 By adding a comment to the desc file which decodes the regex, do you mean adding an example (possibly with some placeholders for e.g. location numbers) for the portion of the output that the regex is designed to match?

[thk123]

Comments can be added after two sets of -- (sorry if you already knew that). Then my suggested comment would be:

CORE
main.c
--dependence-graph --show
activate-multi-line-match
EXIT=0
SIGNAL=0
// First assignment has a control dependency on the if
\/\/ ([0-9]+).*\n.*IF.*i < 10.*THEN(.*\n)*Control dependencies: \1\n(.*\n){2,3}.*a = 1
// Second assignment has a control dependency on the if
\/\/ ([0-9]+).*\n.*IF.*i < 10.*THEN(.*\n)*Control dependencies: \1\n(.*\n){2,3}.*a = 2
--
^warning: ignoring
--
Matches:
// IF i < 10 THEN
// Control dependencies: 1
// a = 1
and
// IF i < 10 THEN 
// Control dependencies: 1
// a = 2

Assuming of course I've decoded your regex to approx right thing

[thk123]

Someone with a good understanding of control dependencies should check the tests!

[thk123]

The wording here looks the same, I suggest "cfg must have an entry for every location"

[danpoe]

Ah yes. I thought I'd change it once #2142 is resolved, but I'll rephrase it now with must.

[thk123]

There's only one IF i < 10 how come it appears here twice with both dependencies?

[danpoe]

That's because a = 1 and a = 2 appear in the then and else branches of this if. So the statements in both branches have a control dependency on the goto that decides which branch to take.

[thk123]

This explanation is great, though I was hoping to have both lines laid about explicitly

[thk123]

Why don't we care what has a dependency on a < 7?

[danpoe]

Ok, I've had a chat with @marek-trtik who worked on the slicer recently. He's up for double checking the control dependency regression tests.

[marek-trtik]

Half done, finish on Tuesday ...

[marek-trtik]

why checking only for a=2 and not also for a=1?

[danpoe]

Yes, I can add a check for a = 1 too.

[marek-trtik]

line 11

[danpoe]

The test regexes above actually ignore the line numbers and the comments currently just give examples of the kind of output that they would match. But I can change the line numbers in the output examples to match the tests.

[marek-trtik]

line 13

[marek-trtik]

line 14

[marek-trtik]

Would it be possible to check that neither 10 nor 12 have CD on 7?

[danpoe]

Yes, I'll add a check for that too.

[marek-trtik]

Why global vars and not automatic?

[danpoe]

There is no reason for this. The variables do not matter for control dependencies.

[marek-trtik]

The regression tests look good to me.

[marek-trtik]

Should not be here rather line 8 or 9?

[danpoe]

It seems that the source location assigned to the back edge of a loop is the source location of the loop head.

[marek-trtik]

line 8

[marek-trtik]

line 10

[marek-trtik]

We focus only on CD. So, this info seams to be redundant/misleading? Remove? What do you think?

[danpoe]

The dependency graph outputs both the control dependencies and the data dependencies. The regex above ignores the data dependencies actually. But the example here shows the typical output that the dependency graph produces and which would be matched by the above regex.

[smowton]

One nitpick, otherwise lgtm.

[smowton]

Suggest _union_inplace, since set_union would usually be a binary op that returns a new set.

[tautschnig]

1. I'd suggest inplace_set_union as that would be in keeping with the STL's inplace_merge.
2. Any ideas of how much faster this implementation is over:

std::size_t before = target.size();
decltype(target) tmp;
tmp.swap(target);
std::set_union(tmp.begin(), tmp.end(), source.begin(), source.end(), target.end());
return target.size() != before;

? Just curious.

[danpoe]

I just tried this, with std::set<std::size_t>'s, both sets being of equal size, and the sets containing random values. The runtimes (in microseconds) for the unions are as follows (union1 is the version in the PR). The leftmost column gives the sizes of the two sets being merged.

       union1     union2
100        39         75
  1K      368        698
 10K    3,358      6,704
100K   54,455    104,597
  1M  592,993  1,208,903

[tautschnig]

Thank you!! I suppose that memory allocation is the dominating factor, which of course has to be done from scratch when using std::set_union. So I'd still suggest to rename the function to some variation involving "inplace", and then this PR should just be merged?!

[tautschnig]

I am confused by the comment "With this scheme however one misses control dependencies when there are nested if statements." -- are you now computing the transitive closure?

[tautschnig]

1. I'd suggest inplace_set_union as that would be in keeping with the STL's inplace_merge.
2. Any ideas of how much faster this implementation is over:

std::size_t before = target.size();
decltype(target) tmp;
tmp.swap(target);
std::set_union(tmp.begin(), tmp.end(), source.begin(), source.end(), target.end());
return target.size() != before;

? Just curious.

[danpoe]

We're not computing transitive dependencies. It's just that the bug that this PR fixes appeared when there was an if statement (with both an if and an else branch) within another if statement. Then for the code that follows the inner if statement (and is contained within the outer if statement), we would not report a control dependency on the outer if condition (as shown in the example above).

[tautschnig]

[...] we would not report a control dependency on the outer if condition [...]

It's not clear to me whether that should be reported? The control dependency on the outer if is a transitive one, and would be found by looking at the control dependency of the inner if. But maybe I'm misunderstanding.

[danpoe]

In the example above, for line 10 currently no control dependency is reported (neither on line 3 nor on line 5). It's correct that it does not have a control dependency on line 5, but we need to report a control dependency on line 3. As no control dependency is currently reported for line 10, there's no dependency chain that we could follow to know that it depends on line 3.

[tautschnig]

Thanks a lot for the clarification!