Static analysis with SAS: a test with G4 v10

Danilo Piparo PH-SFT

SFT Simulation Meeting 27-01-2014

• Static analysis can be helpful in automatically spotting thread-unsafe constructs
• The Static Analysis Suite is a free and open source, easy to use tool to put static analysis in place
  – Leveraging LLVM & Clang
• The test carried out with G4 10 tells us that:
  – We could profit from static analysis
  – We need some work to eliminate false positives when big projects are analysed

Disclaimer: This is work in progress, kicked off after a statement of John A. at the concurrency forum 2 weeks ago.

21/01/14 2

• Static analysis: “customisable warnings”
• Relies on a , takes place at compile time
  – By definition unable to intercept all runtime bugs
  – But a useful fence!
• Clang SA: emits special warnings. Enable the default checkers with “--analyze”
  – E.g.: Uninitialized argument value, Dead Initialization …
  – Scan-build: Perl script that automatically wraps calls to in order to run SA. Produces HTML output. Useful but not necessary.
• Possibility to create custom checkers
  – Using the Clang API to access the Abstract Syntax Tree, checkers are C++ classes acting on AST nodes; checkers compiled together into a shared lib make a static analysis plugin
• GCC also offers something similar, but it’s at an early stage. Not treated today

• Clang is free and open-source
• What the compiler can compile can be statically analysed (C++0y?)
• Shipped with quite many standard checkers
• Apple pushes for it in (not relevant per se, but puts some heat under the developers of the Clang SA)
• Needs some expertise with the Clang API to code custom checkers
• The rate is improving, but there are false positives
• For the moment the analysis is limited to the compilation unit (promise to do better via scan-build one day)

• Static Analysis Suite: a package to build a plugin for the Clang Static Analyzer
• Started from the work of Thomas Hauth and DP in CMS
• Taken over last summer in SFT by a SS: Filip Bartek
• Offers the “thread safety” checkers “of CMS”
  – Mutable
  – non-const static local
  – non-const static variable
  – const cast away
  – const_cast used
• … Plus a little more (e.g. performance).
• Presentation at the SFT group meeting: https://indico.cern.ch/conferenceDisplay.py?confId=267747 All details there!
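As an added example (not code from the slides, from SAS or from Geant4), here are the constructs these checkers flag, each next to a rewrite that makes the write explicit or removes it; every class and function name is invented for illustration:

```cpp
// Added example, not code from the slides, SAS or Geant4: the constructs the
// SAS thread-safety checkers flag, each next to a rewrite that makes the
// write explicit or removes it. All names here are invented.
#include <mutex>
#include <vector>

// --- non-const static local: one hidden counter shared by every caller.
int unsafeNextId() {
    static int next = 0;   // flagged (non-const static local): ++next races across threads
    return ++next;
}
// Rewrite: the state is an object the caller owns, and the update is serialised.
struct IdSource {
    std::mutex m;
    int next = 0;
    int nextId() { std::lock_guard<std::mutex> lock(m); return ++next; }
};

// --- mutable member: a const method that writes through 'mutable' is not read-only.
struct LazyExtent {
    mutable bool computed = false;   // flagged (mutable)
    mutable double radius = 0.0;
    double getRadius() const {       // two threads may both execute the write below
        if (!computed) { radius = 2.5; computed = true; }
        return radius;
    }
};
// Rewrite: compute in the constructor, so the const getter really is read-only.
struct Extent {
    explicit Extent(double r) : radius(r) {}
    double getRadius() const { return radius; }
private:
    const double radius;
};

// --- const_cast: casting away const turns a read-only contract into a hidden write.
void unsafeAppend(const std::vector<int>& v, int x) {
    const_cast<std::vector<int>&>(v).push_back(x);   // flagged (const cast away / const_cast used)
}
// Rewrite: the write is visible in the signature, so no caller is surprised.
void append(std::vector<int>& v, int x) { v.push_back(x); }

// Small driver: the rewritten id source used for a number of calls.
int idsAfter(int calls) {
    IdSource ids;
    int last = 0;
    for (int i = 0; i < calls; ++i) last = ids.nextId();
    return last;
}
```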

• Since this is a concern, SAS provides a way to get rid of them
• Another way would be to use C++11 generic attributes

mkdir SasTest
cd SasTest
git clone https://:@git.cern.ch/kerberos/sas
cd sas
cmake -D LLVM_DEV_DIR=/usr/lib/llvm-3.5/ .
make -j 5
export SAS_DIR=$(pwd)
cd ../
echo List all the checkers
clang -cc1 -load $SAS_DIR/lib/libSas.so -analyzer-checker-help
echo list the sas checkers
clang -cc1 -load $SAS_DIR/lib/libSas.so -analyzer-checker-help | grep sas
echo now, analyse an example: observe what scan-build does
wget https://dpiparo.web.cern.ch/dpiparo/StaticAnalysis/example.cpp
scan-build -load-plugin $SAS_DIR/lib/libSas.so -enable-checker sas.threadsafety -o myFirstSa g++-4.8 example.cpp -fsyntax-only

scan-build cmake ../geant4.10.00
scan-build -load-plugin=libSas.so -enable-checker sas.thre make -j 9
-> https://dpiparo.web.cern.ch/dpiparo/G410StaticAnalysis

G4 built and scanned, a web report created. Price: compilation time + analysis time (~2x compile time). Way to mitigate this: use , distcc (or both :-) )

Tcling::ReadRootMap

    cling::Transaction* T = 0;
    fInterpreter->declare(line.c_str(), &T);
    // Annotate all template params with default args to come from
    // a rootmap file, such that we avoid diagnostics about duplicate
    // default arguments.
    TmpltParamAnnotator TPA;
    TPA.TraverseDecl(T->getFirstDecl().getSingleDecl()); // <---- OUCH: if T==nullptr?

/root/core/meta/src/TCling.cxx:3390:12: warning: Null pointer passed as an argument to a 'nonnull' parameter
    int l = strlen(t);
            ^~~~~~~~~

root/core/meta/src/TCling.cxx:3999:7: warning: Value stored to 'ND' is never read
    ND = td;

Why keep it if it’s superfluous? If it’s not, why isn’t it read again?


What? This seems to be a false positive :-)

graphics_reps/include/G4VisExtent.hh

This is a sas checker: all mutable members trigger a warning.


processes/cuts/src/G4ProductionCutsTable.cc

Another sas checker…

externals/clhep/include/CLHEP/Random/RandomEngine.icc

Impossible to hide from the compiler…

A false positive :-)

processes/hadronic/models/lend/src/tpia_particle.cc

One may expect it to be const and therefore assume it is thread safe…

processes/hadronic/models/im_r_matrix/src/G4CollisionComposite.cc

• Write a checker in 24h: http://llvm.org/devmtg/2012-11/Zaks-Rose-Checker24Hours.pdf
• LLVM site: http://clang-analyzer.llvm.org/
• CERN expertise with Clang: B32 1st floor C corridor
