[analyzer] Limit Store by region-store-binding-limit (llvm#127602)

In our test pool, the max entry point RT was improved by this change:
1'181 seconds (~19.7 minutes) -> 94 seconds (1.6 minutes)

BTW, the 1.6 minutes is still really bad. But a few orders of magnitude
better than it was before.

This was the most servere RT edge-case as you can see from the numbers.
There are are more known RT bottlenecks, such as:

- Large environment sizes, and `removeDead`. See more about the failed
attempt on improving it at:
https://discourse.llvm.org/t/unsuccessful-attempts-to-fix-a-slow-analysis-case-related-to-removedead-and-environment-size/84650

- Large chunk of time could be spend inside `assume`, to reach a fixed
point. This is something we want to look into a bit later if we have
time.

We have 3'075'607 entry points in our test set.
About 393'352 entry points ran longer than 1 second when measured.

To give a sense of the distribution, if we ignore the slowest 500 entry
points, then the maximum entry point runs for about 14 seconds. These
500 slow entry points are in 332 translation units.

By this patch, out of the slowest 500 entry points, 72 entry points were
improved by at least 10x after this change.

We measured no RT regression on the "usual" entry points.


![slow-entrypoints-before-and-after-bind-limit](https://github.com/user-attachments/assets/44425a76-f1cb-449c-bc3e-f44beb8c5dc7)
(The dashed lines represent the maximum of their RT)

CPP-6092

Author: balazs-benics-sonarsource

clang/include/clang/StaticAnalyzer/Core/AnalyzerOptions.def

@@ -483,6 +483,14 @@ ANALYZER_OPTION(
     "behavior, set the option to 0.",
     5)
 
+ANALYZER_OPTION(
+    unsigned, RegionStoreMaxBindingFanOut, "region-store-max-binding-fanout",
+    "This option limits how many sub-bindings a single binding operation can "
+    "scatter into. For example, binding an array would scatter into binding "
+    "each individual element. Setting this to zero means unlimited, but then "
+    "modelling large array initializers may take proportional time to their "
+    "size.", 128)
+
 //===----------------------------------------------------------------------===//
 // String analyzer options.
 //===----------------------------------------------------------------------===//

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h

@@ -659,13 +659,13 @@ class ExprEngine {
                               SVal Loc, SVal Val,
                               const LocationContext *LCtx);
 
+public:
   /// A simple wrapper when you only need to notify checkers of pointer-escape
   /// of some values.
   ProgramStateRef escapeValues(ProgramStateRef State, ArrayRef<SVal> Vs,
                                PointerEscapeKind K,
                                const CallEvent *Call = nullptr) const;
 
-public:
   // FIXME: 'tag' should be removed, and a LocationContext should be used
   // instead.
   // FIXME: Comment on the meaning of the arguments, when 'St' may not

clang/include/clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h

@@ -126,6 +126,7 @@ class ProgramState : public llvm::FoldingSetNode {
   /// makeWithStore - Return a ProgramState with the same values as the current
   ///  state with the exception of using the specified Store.
   ProgramStateRef makeWithStore(const StoreRef &store) const;
+  ProgramStateRef makeWithStore(const BindResult &BindRes) const;
 
   void setStore(const StoreRef &storeRef);
 

clang/include/clang/StaticAnalyzer/Core/PathSensitive/Store.h

@@ -50,6 +50,14 @@ class SymbolReaper;
 
 using InvalidatedSymbols = llvm::DenseSet<SymbolRef>;
 
+struct BindResult {
+  StoreRef ResultingStore;
+
+  // If during the bind operation we exhaust the allowed binding budget, we set
+  // this to the beginning of the escaped part of the region.
+  llvm::SmallVector<SVal, 0> FailedToBindValues;
+};
+
 class StoreManager {
 protected:
   SValBuilder &svalBuilder;
@@ -105,17 +113,17 @@ class StoreManager {
   /// \return A StoreRef object that contains the same
   ///   bindings as \c store with the addition of having the value specified
   ///   by \c val bound to the location given for \c loc.
-  virtual StoreRef Bind(Store store, Loc loc, SVal val) = 0;
+  virtual BindResult Bind(Store store, Loc loc, SVal val) = 0;
 
   /// Return a store with the specified value bound to all sub-regions of the
   /// region. The region must not have previous bindings. If you need to
   /// invalidate existing bindings, consider invalidateRegions().
-  virtual StoreRef BindDefaultInitial(Store store, const MemRegion *R,
-                                      SVal V) = 0;
+  virtual BindResult BindDefaultInitial(Store store, const MemRegion *R,
+                                        SVal V) = 0;
 
   /// Return a store with in which all values within the given region are
   /// reset to zero. This method is allowed to overwrite previous bindings.
-  virtual StoreRef BindDefaultZero(Store store, const MemRegion *R) = 0;
+  virtual BindResult BindDefaultZero(Store store, const MemRegion *R) = 0;
 
   /// Create a new store with the specified binding removed.
   /// \param ST the original store, that is the basis for the new store.
@@ -240,9 +248,8 @@ class StoreManager {
 
   /// enterStackFrame - Let the StoreManager to do something when execution
   /// engine is about to execute into a callee.
-  StoreRef enterStackFrame(Store store,
-                           const CallEvent &Call,
-                           const StackFrameContext *CalleeCtx);
+  BindResult enterStackFrame(Store store, const CallEvent &Call,
+                             const StackFrameContext *CalleeCtx);
 
   /// Finds the transitive closure of symbols within the given region.
   ///

clang/lib/StaticAnalyzer/Core/ProgramState.cpp

@@ -116,32 +116,33 @@ ProgramStateRef ProgramState::bindLoc(Loc LV,
                                       const LocationContext *LCtx,
                                       bool notifyChanges) const {
   ProgramStateManager &Mgr = getStateManager();
-  ProgramStateRef newState = makeWithStore(Mgr.StoreMgr->Bind(getStore(),
-                                                             LV, V));
+  ExprEngine &Eng = Mgr.getOwningEngine();
+  ProgramStateRef State = makeWithStore(Mgr.StoreMgr->Bind(getStore(), LV, V));
   const MemRegion *MR = LV.getAsRegion();
+
   if (MR && notifyChanges)
-    return Mgr.getOwningEngine().processRegionChange(newState, MR, LCtx);
+    return Eng.processRegionChange(State, MR, LCtx);
 
-  return newState;
+  return State;
 }
 
 ProgramStateRef
 ProgramState::bindDefaultInitial(SVal loc, SVal V,
                                  const LocationContext *LCtx) const {
   ProgramStateManager &Mgr = getStateManager();
   const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
-  const StoreRef &newStore = Mgr.StoreMgr->BindDefaultInitial(getStore(), R, V);
-  ProgramStateRef new_state = makeWithStore(newStore);
-  return Mgr.getOwningEngine().processRegionChange(new_state, R, LCtx);
+  BindResult BindRes = Mgr.StoreMgr->BindDefaultInitial(getStore(), R, V);
+  ProgramStateRef State = makeWithStore(BindRes);
+  return Mgr.getOwningEngine().processRegionChange(State, R, LCtx);
 }
 
 ProgramStateRef
 ProgramState::bindDefaultZero(SVal loc, const LocationContext *LCtx) const {
   ProgramStateManager &Mgr = getStateManager();
   const MemRegion *R = loc.castAs<loc::MemRegionVal>().getRegion();
-  const StoreRef &newStore = Mgr.StoreMgr->BindDefaultZero(getStore(), R);
-  ProgramStateRef new_state = makeWithStore(newStore);
-  return Mgr.getOwningEngine().processRegionChange(new_state, R, LCtx);
+  BindResult BindRes = Mgr.StoreMgr->BindDefaultZero(getStore(), R);
+  ProgramStateRef State = makeWithStore(BindRes);
+  return Mgr.getOwningEngine().processRegionChange(State, R, LCtx);
 }
 
 typedef ArrayRef<const MemRegion *> RegionList;
@@ -232,9 +233,8 @@ SVal ProgramState::wrapSymbolicRegion(SVal Val) const {
 ProgramStateRef
 ProgramState::enterStackFrame(const CallEvent &Call,
                               const StackFrameContext *CalleeCtx) const {
-  const StoreRef &NewStore =
-    getStateManager().StoreMgr->enterStackFrame(getStore(), Call, CalleeCtx);
-  return makeWithStore(NewStore);
+  return makeWithStore(
+      getStateManager().StoreMgr->enterStackFrame(getStore(), Call, CalleeCtx));
 }
 
 SVal ProgramState::getSelfSVal(const LocationContext *LCtx) const {
@@ -437,6 +437,18 @@ ProgramStateRef ProgramState::makeWithStore(const StoreRef &store) const {
   return getStateManager().getPersistentState(NewSt);
 }
 
+ProgramStateRef ProgramState::makeWithStore(const BindResult &BindRes) const {
+  ExprEngine &Eng = getStateManager().getOwningEngine();
+  ProgramStateRef State = makeWithStore(BindRes.ResultingStore);
+
+  // We must always notify the checkers for failing binds because otherwise they
+  // may keep stale traits for these symbols.
+  // Eg., Malloc checker may report leaks if we failed to bind that symbol.
+  if (BindRes.FailedToBindValues.empty())
+    return State;
+  return Eng.escapeValues(State, BindRes.FailedToBindValues, PSK_EscapeOnBind);
+}
+
 ProgramStateRef ProgramState::cloneAsPosteriorlyOverconstrained() const {
   ProgramState NewSt(*this);
   NewSt.PosteriorlyOverconstrained = true;