clang static analyzer中的数据结构及内存分配策略 - ImmutableMap & ImmutableSet篇

clang static analyzer中使用到的数据结构

注:这篇博客的初衷来源于[Analyzer] Attempting to speed up static analysis
clang static analyzer中使用到的数据结构大致有以下几种,ImmutableMapImmutableSetFoldingSetNodeSmallVectorStringRef以及ArrayRef,这几种数据结构也可以说是llvm和clang中的血与肉。


  • BitVector
  • DenseMap
  • DenseSet
  • ImmutableList
  • ImmutableMap
  • ImmutableSet
  • IntervalMap
  • IndexedMap
  • MapVector
  • PriorityQueue
  • SetVector
  • ScopedHashTable
  • SmallBitVector
  • SmallPtrSet
  • SmallSet
  • SmallString
  • SmallVector
  • SparseBitVector
  • SparseSet
  • StringMap
  • StringRef
  • StringSet
  • Triple,
  • TinyPtrVector
  • PackedVector
  • FoldingSet
  • UniqueVector
  • ValueMap


ImmutableMap最开始的commit message如下,Ted Kremenek借鉴了OCaml中Map的实现,OCaml中的Map就是Immutable的。

implemented on top of a functional AVL tree. The AVL balancing code
is inspired by the OCaml implementation of Map, which also uses a functional
AVL tree.

ImmutableMap这类具有immutable属性的数据结构通称为Persistent data structure,实现persistent有如下两种方式:

  • Fat node
  • Path copying

Fat node应该是TARJAN在文章《Planar Point Location Using Persistent Search Trees 》中首次提出来的,而path copying按照这篇文章中介绍的应该是多人同时独立想到的。fat node内存开销小,但是时间开销大,而path copying是内存开销大(非线性log(n),树高),时间开销小,关于两者的介绍,wiki给出的信息很详尽。

A more direct approach is to start with an ephemeral data structure for sorted sets or lists and make it persistent. This idea was pursued independently by Myers [27, 281, Krijnen and Meertens [al], Reps, Teitelbaum, and Demers [33], and Swart [36], who independently proposed essentially the same idea, which we shall call path copying.

The resulting data structure can be used to represent both persistent sorted sets and persistent lists with an O(log m) time bound per operation and an O(log m) space bound per update.

ImmutableMap实现persistent的方式是path copyingImmutableMap的核心是ImutAVLTreeImutAVLTree类似于其它的平衡二叉树,区别主要集中在前缀Imut上。


Since ProgramStates are likely to differ only slightly from each other, we use a functional data structure, ImmutableMap, that represents a mapping using a functional AVL tree. When you add a value to an ImmutableMap, you really just create a new ImmutableMap and the original stays intact. The trick is that ImmutableMaps share large amounts of their map representation (subtrees of the AVL tree) between each other, which represents a significant memory savings.


template <typename ImutInfo>
class ImutAVLTree {
// public Interface.

ImutAVLTree *getLeft() const { return left; }
ImutAVlTree *getRight() const { return right; }
unsigned getHeight() const { return height; }
const value_type& getValue() const { return value; }

/// find - Finds the subtree associated with the specified key value.
/// This method returns NULL if no matching subtree is found.
ImutAVLTree* find(key_type_ref K) {
  ImutAVLTree *T = this;
  while(T) {
    key_type_ref CurrentKey = ImutInfo::KeyOfValue(T->getValue());
    if (ImutInfo::isEual(K, CurrentKey))
      return T;
     else if (ImutInfo::isLess(K, CurrentKey))
       T = T->getLeft();
       T = T->getRight();
  return nullptr;

ImutAVLTree* getMaxElement() {
  ImutAVLTree *T = this;
  ImutAVLTree *Right = T->getRight();
  while(Right) { T = Right; Right = T->getRight(); }
  return T;

/// containts - Returns true if this tree contains a subtree (node) that 
/// has an data element that matches the specified key. Complexity is 
/// logarithmic in the size of the tree.
bool contains(key_type_ref K) { return (bool) find(K); }



template <typename ImutInfo>
class ImutAVLFactory { public: TreeTy* add(TreeTy* T, value_type_ref V) { T = add_internal(V, T); markImmutable(T); recoverNodes(); return T; } /// add_internal - Creates a new tree that includes the specified /// data and the data from the original tree. If the original tree /// already containted the data item, the original tree is returned. TreeTy* add_internal(value_type_ref V, TreeTy* T) { if (isEmpty(T)) return createNode(T, V, T); assert(!T->isMutable()); key_type_ref K = ImutInfo::KeyOfValue(V); key_type_ref KCurrent = ImutInfo::KeyOfValue(getValue(T)); if (ImutInfo::isEqual(K, KCurrent)) return createNode(getLeft(T), V, getRight(T)); else if (ImutInfo::isLess(K, KCurrent)) return balanceTree(add_internal(V, getLeft(T)), getValue(T), getRight(T)); else return balanceTree(getLeft(T), getValue(T), add_internal(V, getRight(T))); } /// balanceTree - Used by add_internal and remove_internal to /// balance a newly created tree. TreeTy* balanceTree(TreeTy* L, value_type_ref V, TreeTy* R) { unsigned hl = getHeight(L); unsigned hr = getHeight(R); if (hl > hr + 2) { TreeTy* LL = getLeft(L); TreeTy* LR = getRight(L); if (getHeight(LL) >= getHeight(LR)) return createNode(LL, L, createNode(LR, V, R)); TreeTy *LRL = getLeft(LR); TreeTy *LRR = getRight(LR); return crateNode(createNode(LL, L, LRL), LR, createNode(LRR, V, R)); } if (hr > hl + 2) { TreeTy *RL = getLeft(R); TreeTy *RR = getRight(R); if (getHeight(RR) >= getHeight(RL)) return createNode(createNode(L, V, RL), R, RR); TreeTy *RLL = getLeft(RL); TreeTy *RLR = getRight(RL); return createNode(createNode(L, V, RLL), RL, createNode(RLR, R, RR)); } return createNode(L, V, R); } };

插入的过程也与普通的AVL Tree相似,区别在于穿插其中的createNode()ImutAVLTree的插入并不会修改原有的树,而是会创建一个新的ImutAVLTree,为了节省内存,新旧两棵树共享大部分数据,而createNode()就是用来创建支撑新插入值的辅助节点。这些辅助节点连带新插入的值,会构成一条从树根到新插入值的路径。后面我们通过示例可以看到这些辅助节点就是在寻找插入位置时,访问过的节点的拷贝节点。


  • 示例1,插入过程中存在左子树树高 > 右子树树高 + 2的情形,并且左左子树高 >= 左右子树
  • 示例2,插入过程中存在左子树树高 > 右子树树高 + 2的情形,并且左左子树高 < 左右子树


  • 辅助节点的创建,辅助节点的个数最大值是旧树中的最长路径(也就是树高)
  • 树不平衡的阈值,树不平衡的阈值是左右子树的树高相差大于2,也就是差值等于3时,需要调整。该阈值相较于普通的平衡树较高,较长的查询时间换来较少的调整次数。

template <typename ImutInfo>
class ImutAVLFactory { public: /// remove_internal - Creates a new tree that includes all the data /// from the original tree except the specified data. If the specified /// data did not exist in the original tree, the original tree is /// returned. TreeTy* remove_internal(key_type_ref K, TreeTy* T) { if (isEmpty(T)) return T; key_type_ref KCurrent = ImutInfo::KeyOfValue(getValue(T)); if (ImutInfo::isEqual(K, KCurrent)) { return combineTrees(getLeft(T), getRight(T)); } else if (ImutInfo::isLess(K, KCurrent)) { return balanceTree(remove_internal(K, getLeft(T)), getValue(T), getRigth(T)); } else { return balanceTree(getLeft(T), getValue(T), remove_internal(K, getRight(T))); } } TreeTy* remove(TreeTy* T, key_type_ref V) { T = remove_internal(V, T); markImmutable(T); recoverNodes(); return T; } TreeTy* combineTrees(TreeTy* L, TreeTy* R) { if (isEmpty(L)) return R; if (isEmpty(R)) return L; TreeTy* OldNode; TreeTy* newRight = removeMinBinding(R, OldNode); return balanceTree(L, getValue(OldNode), newRight); } TreeTy* removeMinBinding(TreeTy* T, TreeTy*& Noderemoved) { if (isEmpty(getLeft(T))) { Noderemoved = T; return getRight(T); } return balanceTree(removeMinBinding(getLeft(T), Noderemoved), getValue(T), getRight(T)); } };

remove()相比于add()大概思路差不多,都是基于path copying的机制。只是由于删除一个节点,需要选择原树中的一个节点去“填充“该节点,所以remove()会有一个寻找“填充节点“的过程。“填充节点“是待删除节点右子树中的最小节点,这样填充以后,能够维持平衡树的特性。

~ImmutableMap() {
  if (Root) { Root->release(); }


void retain() { ++refCount; }
void release() {
  assert(refCount > 0);
  if (--refCount == 0)

void destroy() {
  if (left)
  else (right)

  if (IsCanonicalized) {
    if (next)
      next->prev = prev;
    if (prev)
      prev->next = next;
      factory->Cache[factory->maskCacheIndex(computeDigest())] = next;

  // We need to clear the mutability bit in case we are
  // destroying the node as part of a sweep in ImutAVLFactory::recoverNodes().
  IsMutable = false;


TreeTy* createNode(TreeTy* L, value_type_ref V, TreeTy* R) {
  BumpPtrAllocator& A = getAllocator();
  TreeTy* T;
  if (!freeNodes.empty()) {
    T = freeNodes.back();
  } else {
    T = (TreeTy*) A.Allocate<TreeTy>();
  new (T) TreeTy(this, L, R, V, incrementHeight(L, R));
  return T;



template <typename KeyT, typename ValT, 
          typename ValInfo = ImmutableValueInfo<KeyT, ValT>>
class ImmutableMap {
  using TreeTy = ImutAVLTree<ValInfo>;
  TreeTy* Root;
  /// Construct a map from a pointer to a tree root. In general one
  /// should use a Factory object to create maps instead of directly
  /// invoking the constructor, but there are cases where make this
  /// constructor public is useful.
  explicit ImmutableMap(const TreeTy *R) : Root(const_cast<TreeTy*>(R)) {
    if (Root) { Root->retain(); }

  ImmutableMap(const ImmutableMap &X) : Root(X.Root) {
    if (Root) { Root->retain(); }

  ~ImmutableMap() {
    if (Root) { Root->release(); }

  ImmutableMap &operator=(const ImmutableMap &X) {
    if (Root != X.Root) {
      if (X.Root) {X.Root->retain(); }
      if (Root) { Root->release(); }
      Root = X.Root;
    return *this;

  bool contains(key_type_ref K) const {
    return Root ? Root->contains(K) : false;

  bool operator==(const ImmutableMap &RHS) const {
    return Root && RHS.Root ? Root->isEqual(*RHS.Root) : Root == RHS.Root;

  bool operator!=(const ImmutableMap &RHS) const {
    return Root && RHS.Root ? Root->isNotEqual(*RHS.Root) : Root != RHS.Root;


getCanonicalTree() gets called when we unique the maps. This uniquing is critical for de-duplication of ProgramStates, but we don’t always need to de-duplicate ProgramStates unless we think there is a strong possibility we will want to merge two paths together. That said, recall I mentioned that saving memory was also important. We also want to de-duplicate ImmutableMaps, since they are used everywhere, for memory savings. - [Analyzer] Attempting to speed up static analysis


template <typename ImutInfo>
class ImutAVLFactory {
  using CacheTy = DenseMap<unsigned, TreeTy*>;

  CacheTy Cache;
  std::vector<TreeTy*> createNodes;
  std::vector<TreeTy*> freeNodes;


static uint32_t computeDigest(ImutAVLTree *L, ImutAVLTree *R, 
                              value_type_ref V) {
  if (L)
    digest += L->computeDigest();

  // Compute digest of stored data.
  FoldingSetNodeID ID;
  ImutInfo::Profile(ID, V);
  digest += ID.ComputeHash();

  if (R)
    digest += R->computeDigest();

  return digest;

uint32_t computeDigest() {
  // Check the lowest bit to determine if digest has actually been
  // pre-computed.
  if (hasCachedDigest())
    return digest;

  uint32_t X = computeDigest(getLeft(), getRight(), getValue());
  digest = X;
  return X;

了解了ImutAVLTree哈希值的计算与存储,下面就要通过获取哈希值来判断两棵树是否相同了。获取与指定ImmutableMap对象具有相同哈希值的方法是getCanonicalTree(),该方法的定义如下。该方法首先计算当前ImmutableMap的哈希值,然后通过该哈希值,获取对应的bucket(<哈希值, ImutAVLTree>由DenseMap组织),

  • 如果bucket的entry为空,说明没有相同的ImmutableMap存储,那么将当前ImmutableMap对象作为该bucket的entry,并将当前对象返回
  • 如果bucket的entry不为空,说明可能有相同的ImmutableMap,那么依次比较当前bucket中的Map是否相同

注:现在只知道这些候选Map是以单链表的形式组织起来的 :( ?
比较两颗树是否相同的方法是compareTreeWithSection(),该方法本质上依次比较两棵树的值是否相同(使用iterator的中序遍历),然后返回相同的树,同时如果当前查询的树的refCount为0,那么就删除该树,这一步是减小内存占用关键的一步。如果没有找到相同的树,则将该带当前树插入链表中的合适位置(bucket中的对象是以链表组织的 : (?)。


TreeTy *getCanonicalTree(TreeTy *TNew) {
  if (!TNew)
    return nullptr;

  if (TNew->IsCanonicalized)
    return TNew;

  // Search the hashtable for another tree with the same digest, and
  // if find a collision compare those trees by their contents.
  unsigned digest = TNew->computeDigest();
  TreeTy *&entry = Cache[maskCacheIndex(digest)];
  do {
    if (!entry)
    for (TreeTy *T = entry; T!= nullptr; T = T->next) {
      // Compare the Contents('T') with Contents('TNew')
      typename TreeTy::iterator TI = T->begin(), TE = T->end();
      if (!compareTreeWithSection(TNew, TI, TE))
      if (TI != TE)
        continue;  // T has more contents than TNew.
      // Trees did match! Return 'T'.
      if (TNew->refCount == 0)
      return T;
    entry->prev = TNew;
    TNew->next = entry;
  } while(false);
  entry = TNew;
  TNew->IsCanonicalized = true;
  return TNew;


至此关于ImmutableMap<>已经介绍完了,ImmutableMap<>在clang static analyzer中很重要的一个数据结构,可以说它是专门为clang static analyzer设计的。clang static analyzer将ImmutableMap<>应用在以下几种场景中:

  • ProgramState - Environment
  • ProgramState - GenericDataMap
  • ProgramState - RegionStore
  • ProgramState - TaintRegion
  • ProgramState - Constraints
  • RetainCountChecker

可以说ImmutableMap<>构成了ProgramState的血与肉,后面我们在介绍clang static analyzer的内存管理和分配时,还会介绍ImmutableMap<>在clang static analyzer中所扮演的重要的角色。




