1 //===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines BugReporter, a utility class for generating 11 // PathDiagnostics. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16 #include "clang/AST/Decl.h" 17 #include "clang/AST/DeclBase.h" 18 #include "clang/AST/DeclObjC.h" 19 #include "clang/AST/Expr.h" 20 #include "clang/AST/ExprCXX.h" 21 #include "clang/AST/ParentMap.h" 22 #include "clang/AST/Stmt.h" 23 #include "clang/AST/StmtCXX.h" 24 #include "clang/AST/StmtObjC.h" 25 #include "clang/Analysis/AnalysisDeclContext.h" 26 #include "clang/Analysis/CFG.h" 27 #include "clang/Analysis/CFGStmtMap.h" 28 #include "clang/Analysis/ProgramPoint.h" 29 #include "clang/Basic/LLVM.h" 30 #include "clang/Basic/SourceLocation.h" 31 #include "clang/Basic/SourceManager.h" 32 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 33 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 34 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 35 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 36 #include "clang/StaticAnalyzer/Core/Checker.h" 37 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 38 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 43 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 44 #include "llvm/ADT/ArrayRef.h" 45 #include "llvm/ADT/DenseMap.h" 46 #include "llvm/ADT/DenseSet.h" 47 #include "llvm/ADT/FoldingSet.h" 48 #include "llvm/ADT/None.h" 49 #include "llvm/ADT/Optional.h" 50 #include "llvm/ADT/STLExtras.h" 51 #include "llvm/ADT/SmallPtrSet.h" 52 #include "llvm/ADT/SmallString.h" 53 #include "llvm/ADT/SmallVector.h" 54 #include "llvm/ADT/Statistic.h" 55 #include "llvm/ADT/StringRef.h" 56 #include "llvm/ADT/iterator_range.h" 57 #include "llvm/Support/Casting.h" 58 #include "llvm/Support/Compiler.h" 59 #include "llvm/Support/ErrorHandling.h" 60 #include "llvm/Support/MemoryBuffer.h" 61 #include "llvm/Support/raw_ostream.h" 62 #include <algorithm> 63 #include <cassert> 64 #include <cstddef> 65 #include <iterator> 66 #include <memory> 67 #include <queue> 68 #include <string> 69 #include <tuple> 70 #include <utility> 71 #include <vector> 72 73 using namespace clang; 74 using namespace ento; 75 76 #define DEBUG_TYPE "BugReporter" 77 78 STATISTIC(MaxBugClassSize, 79 "The maximum number of bug reports in the same equivalence class"); 80 STATISTIC(MaxValidBugClassSize, 81 "The maximum number of bug reports in the same equivalence class " 82 "where at least one report is valid (not suppressed)"); 83 84 BugReporterVisitor::~BugReporterVisitor() = default; 85 86 void BugReporterContext::anchor() {} 87 88 //===----------------------------------------------------------------------===// 89 // Helper routines for walking the ExplodedGraph and fetching statements. 90 //===----------------------------------------------------------------------===// 91 92 static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 93 for (N = N->getFirstPred(); N; N = N->getFirstPred()) 94 if (const Stmt *S = PathDiagnosticLocation::getStmt(N)) 95 return S; 96 97 return nullptr; 98 } 99 100 static inline const Stmt* 101 GetCurrentOrPreviousStmt(const ExplodedNode *N) { 102 if (const Stmt *S = PathDiagnosticLocation::getStmt(N)) 103 return S; 104 105 return GetPreviousStmt(N); 106 } 107 108 //===----------------------------------------------------------------------===// 109 // Diagnostic cleanup. 110 //===----------------------------------------------------------------------===// 111 112 static PathDiagnosticEventPiece * 113 eventsDescribeSameCondition(PathDiagnosticEventPiece *X, 114 PathDiagnosticEventPiece *Y) { 115 // Prefer diagnostics that come from ConditionBRVisitor over 116 // those that came from TrackConstraintBRVisitor, 117 // unless the one from ConditionBRVisitor is 118 // its generic fallback diagnostic. 119 const void *tagPreferred = ConditionBRVisitor::getTag(); 120 const void *tagLesser = TrackConstraintBRVisitor::getTag(); 121 122 if (X->getLocation() != Y->getLocation()) 123 return nullptr; 124 125 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser) 126 return ConditionBRVisitor::isPieceMessageGeneric(X) ? Y : X; 127 128 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser) 129 return ConditionBRVisitor::isPieceMessageGeneric(Y) ? X : Y; 130 131 return nullptr; 132 } 133 134 /// An optimization pass over PathPieces that removes redundant diagnostics 135 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both 136 /// BugReporterVisitors use different methods to generate diagnostics, with 137 /// one capable of emitting diagnostics in some cases but not in others. This 138 /// can lead to redundant diagnostic pieces at the same point in a path. 139 static void removeRedundantMsgs(PathPieces &path) { 140 unsigned N = path.size(); 141 if (N < 2) 142 return; 143 // NOTE: this loop intentionally is not using an iterator. Instead, we 144 // are streaming the path and modifying it in place. This is done by 145 // grabbing the front, processing it, and if we decide to keep it append 146 // it to the end of the path. The entire path is processed in this way. 147 for (unsigned i = 0; i < N; ++i) { 148 auto piece = std::move(path.front()); 149 path.pop_front(); 150 151 switch (piece->getKind()) { 152 case PathDiagnosticPiece::Call: 153 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(*piece).path); 154 break; 155 case PathDiagnosticPiece::Macro: 156 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(*piece).subPieces); 157 break; 158 case PathDiagnosticPiece::ControlFlow: 159 break; 160 case PathDiagnosticPiece::Event: { 161 if (i == N-1) 162 break; 163 164 if (auto *nextEvent = 165 dyn_cast<PathDiagnosticEventPiece>(path.front().get())) { 166 auto *event = cast<PathDiagnosticEventPiece>(piece.get()); 167 // Check to see if we should keep one of the two pieces. If we 168 // come up with a preference, record which piece to keep, and consume 169 // another piece from the path. 170 if (auto *pieceToKeep = 171 eventsDescribeSameCondition(event, nextEvent)) { 172 piece = std::move(pieceToKeep == event ? piece : path.front()); 173 path.pop_front(); 174 ++i; 175 } 176 } 177 break; 178 } 179 case PathDiagnosticPiece::Note: 180 break; 181 } 182 path.push_back(std::move(piece)); 183 } 184 } 185 186 /// A map from PathDiagnosticPiece to the LocationContext of the inlined 187 /// function call it represents. 188 using LocationContextMap = 189 llvm::DenseMap<const PathPieces *, const LocationContext *>; 190 191 /// Recursively scan through a path and prune out calls and macros pieces 192 /// that aren't needed. Return true if afterwards the path contains 193 /// "interesting stuff" which means it shouldn't be pruned from the parent path. 194 static bool removeUnneededCalls(PathPieces &pieces, BugReport *R, 195 LocationContextMap &LCM) { 196 bool containsSomethingInteresting = false; 197 const unsigned N = pieces.size(); 198 199 for (unsigned i = 0 ; i < N ; ++i) { 200 // Remove the front piece from the path. If it is still something we 201 // want to keep once we are done, we will push it back on the end. 202 auto piece = std::move(pieces.front()); 203 pieces.pop_front(); 204 205 switch (piece->getKind()) { 206 case PathDiagnosticPiece::Call: { 207 auto &call = cast<PathDiagnosticCallPiece>(*piece); 208 // Check if the location context is interesting. 209 assert(LCM.count(&call.path)); 210 if (R->isInteresting(LCM[&call.path])) { 211 containsSomethingInteresting = true; 212 break; 213 } 214 215 if (!removeUnneededCalls(call.path, R, LCM)) 216 continue; 217 218 containsSomethingInteresting = true; 219 break; 220 } 221 case PathDiagnosticPiece::Macro: { 222 auto ¯o = cast<PathDiagnosticMacroPiece>(*piece); 223 if (!removeUnneededCalls(macro.subPieces, R, LCM)) 224 continue; 225 containsSomethingInteresting = true; 226 break; 227 } 228 case PathDiagnosticPiece::Event: { 229 auto &event = cast<PathDiagnosticEventPiece>(*piece); 230 231 // We never throw away an event, but we do throw it away wholesale 232 // as part of a path if we throw the entire path away. 233 containsSomethingInteresting |= !event.isPrunable(); 234 break; 235 } 236 case PathDiagnosticPiece::ControlFlow: 237 break; 238 239 case PathDiagnosticPiece::Note: 240 break; 241 } 242 243 pieces.push_back(std::move(piece)); 244 } 245 246 return containsSomethingInteresting; 247 } 248 249 /// Returns true if the given decl has been implicitly given a body, either by 250 /// the analyzer or by the compiler proper. 251 static bool hasImplicitBody(const Decl *D) { 252 assert(D); 253 return D->isImplicit() || !D->hasBody(); 254 } 255 256 /// Recursively scan through a path and make sure that all call pieces have 257 /// valid locations. 258 static void 259 adjustCallLocations(PathPieces &Pieces, 260 PathDiagnosticLocation *LastCallLocation = nullptr) { 261 for (const auto &I : Pieces) { 262 auto *Call = dyn_cast<PathDiagnosticCallPiece>(I.get()); 263 264 if (!Call) 265 continue; 266 267 if (LastCallLocation) { 268 bool CallerIsImplicit = hasImplicitBody(Call->getCaller()); 269 if (CallerIsImplicit || !Call->callEnter.asLocation().isValid()) 270 Call->callEnter = *LastCallLocation; 271 if (CallerIsImplicit || !Call->callReturn.asLocation().isValid()) 272 Call->callReturn = *LastCallLocation; 273 } 274 275 // Recursively clean out the subclass. Keep this call around if 276 // it contains any informative diagnostics. 277 PathDiagnosticLocation *ThisCallLocation; 278 if (Call->callEnterWithin.asLocation().isValid() && 279 !hasImplicitBody(Call->getCallee())) 280 ThisCallLocation = &Call->callEnterWithin; 281 else 282 ThisCallLocation = &Call->callEnter; 283 284 assert(ThisCallLocation && "Outermost call has an invalid location"); 285 adjustCallLocations(Call->path, ThisCallLocation); 286 } 287 } 288 289 /// Remove edges in and out of C++ default initializer expressions. These are 290 /// for fields that have in-class initializers, as opposed to being initialized 291 /// explicitly in a constructor or braced list. 292 static void removeEdgesToDefaultInitializers(PathPieces &Pieces) { 293 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 294 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 295 removeEdgesToDefaultInitializers(C->path); 296 297 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 298 removeEdgesToDefaultInitializers(M->subPieces); 299 300 if (auto *CF = dyn_cast<PathDiagnosticControlFlowPiece>(I->get())) { 301 const Stmt *Start = CF->getStartLocation().asStmt(); 302 const Stmt *End = CF->getEndLocation().asStmt(); 303 if (Start && isa<CXXDefaultInitExpr>(Start)) { 304 I = Pieces.erase(I); 305 continue; 306 } else if (End && isa<CXXDefaultInitExpr>(End)) { 307 PathPieces::iterator Next = std::next(I); 308 if (Next != E) { 309 if (auto *NextCF = 310 dyn_cast<PathDiagnosticControlFlowPiece>(Next->get())) { 311 NextCF->setStartLocation(CF->getStartLocation()); 312 } 313 } 314 I = Pieces.erase(I); 315 continue; 316 } 317 } 318 319 I++; 320 } 321 } 322 323 /// Remove all pieces with invalid locations as these cannot be serialized. 324 /// We might have pieces with invalid locations as a result of inlining Body 325 /// Farm generated functions. 326 static void removePiecesWithInvalidLocations(PathPieces &Pieces) { 327 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 328 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 329 removePiecesWithInvalidLocations(C->path); 330 331 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 332 removePiecesWithInvalidLocations(M->subPieces); 333 334 if (!(*I)->getLocation().isValid() || 335 !(*I)->getLocation().asLocation().isValid()) { 336 I = Pieces.erase(I); 337 continue; 338 } 339 I++; 340 } 341 } 342 343 //===----------------------------------------------------------------------===// 344 // PathDiagnosticBuilder and its associated routines and helper objects. 345 //===----------------------------------------------------------------------===// 346 347 namespace { 348 349 class NodeMapClosure : public BugReport::NodeResolver { 350 InterExplodedGraphMap &M; 351 352 public: 353 NodeMapClosure(InterExplodedGraphMap &m) : M(m) {} 354 355 const ExplodedNode *getOriginalNode(const ExplodedNode *N) override { 356 return M.lookup(N); 357 } 358 }; 359 360 class PathDiagnosticBuilder : public BugReporterContext { 361 BugReport *R; 362 PathDiagnosticConsumer *PDC; 363 NodeMapClosure NMC; 364 365 public: 366 const LocationContext *LC; 367 368 PathDiagnosticBuilder(GRBugReporter &br, 369 BugReport *r, InterExplodedGraphMap &Backmap, 370 PathDiagnosticConsumer *pdc) 371 : BugReporterContext(br), R(r), PDC(pdc), NMC(Backmap), 372 LC(r->getErrorNode()->getLocationContext()) {} 373 374 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 375 376 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 377 const ExplodedNode *N); 378 379 BugReport *getBugReport() { return R; } 380 381 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 382 383 ParentMap& getParentMap() { return LC->getParentMap(); } 384 385 const Stmt *getParent(const Stmt *S) { 386 return getParentMap().getParent(S); 387 } 388 389 NodeMapClosure& getNodeResolver() override { return NMC; } 390 391 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 392 393 PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const { 394 return PDC ? PDC->getGenerationScheme() : PathDiagnosticConsumer::Extensive; 395 } 396 397 bool supportsLogicalOpControlFlow() const { 398 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 399 } 400 }; 401 402 } // namespace 403 404 PathDiagnosticLocation 405 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 406 if (const Stmt *S = PathDiagnosticLocation::getNextStmt(N)) 407 return PathDiagnosticLocation(S, getSourceManager(), LC); 408 409 return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(), 410 getSourceManager()); 411 } 412 413 PathDiagnosticLocation 414 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 415 const ExplodedNode *N) { 416 // Slow, but probably doesn't matter. 417 if (os.str().empty()) 418 os << ' '; 419 420 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 421 422 if (Loc.asStmt()) 423 os << "Execution continues on line " 424 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 425 << '.'; 426 else { 427 os << "Execution jumps to the end of the "; 428 const Decl *D = N->getLocationContext()->getDecl(); 429 if (isa<ObjCMethodDecl>(D)) 430 os << "method"; 431 else if (isa<FunctionDecl>(D)) 432 os << "function"; 433 else { 434 assert(isa<BlockDecl>(D)); 435 os << "anonymous block"; 436 } 437 os << '.'; 438 } 439 440 return Loc; 441 } 442 443 static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) { 444 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 445 return PM.getParentIgnoreParens(S); 446 447 const Stmt *Parent = PM.getParentIgnoreParens(S); 448 if (!Parent) 449 return nullptr; 450 451 switch (Parent->getStmtClass()) { 452 case Stmt::ForStmtClass: 453 case Stmt::DoStmtClass: 454 case Stmt::WhileStmtClass: 455 case Stmt::ObjCForCollectionStmtClass: 456 case Stmt::CXXForRangeStmtClass: 457 return Parent; 458 default: 459 break; 460 } 461 462 return nullptr; 463 } 464 465 static PathDiagnosticLocation 466 getEnclosingStmtLocation(const Stmt *S, SourceManager &SMgr, const ParentMap &P, 467 const LocationContext *LC, bool allowNestedContexts) { 468 if (!S) 469 return {}; 470 471 while (const Stmt *Parent = getEnclosingParent(S, P)) { 472 switch (Parent->getStmtClass()) { 473 case Stmt::BinaryOperatorClass: { 474 const auto *B = cast<BinaryOperator>(Parent); 475 if (B->isLogicalOp()) 476 return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC); 477 break; 478 } 479 case Stmt::CompoundStmtClass: 480 case Stmt::StmtExprClass: 481 return PathDiagnosticLocation(S, SMgr, LC); 482 case Stmt::ChooseExprClass: 483 // Similar to '?' if we are referring to condition, just have the edge 484 // point to the entire choose expression. 485 if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S) 486 return PathDiagnosticLocation(Parent, SMgr, LC); 487 else 488 return PathDiagnosticLocation(S, SMgr, LC); 489 case Stmt::BinaryConditionalOperatorClass: 490 case Stmt::ConditionalOperatorClass: 491 // For '?', if we are referring to condition, just have the edge point 492 // to the entire '?' expression. 493 if (allowNestedContexts || 494 cast<AbstractConditionalOperator>(Parent)->getCond() == S) 495 return PathDiagnosticLocation(Parent, SMgr, LC); 496 else 497 return PathDiagnosticLocation(S, SMgr, LC); 498 case Stmt::CXXForRangeStmtClass: 499 if (cast<CXXForRangeStmt>(Parent)->getBody() == S) 500 return PathDiagnosticLocation(S, SMgr, LC); 501 break; 502 case Stmt::DoStmtClass: 503 return PathDiagnosticLocation(S, SMgr, LC); 504 case Stmt::ForStmtClass: 505 if (cast<ForStmt>(Parent)->getBody() == S) 506 return PathDiagnosticLocation(S, SMgr, LC); 507 break; 508 case Stmt::IfStmtClass: 509 if (cast<IfStmt>(Parent)->getCond() != S) 510 return PathDiagnosticLocation(S, SMgr, LC); 511 break; 512 case Stmt::ObjCForCollectionStmtClass: 513 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 514 return PathDiagnosticLocation(S, SMgr, LC); 515 break; 516 case Stmt::WhileStmtClass: 517 if (cast<WhileStmt>(Parent)->getCond() != S) 518 return PathDiagnosticLocation(S, SMgr, LC); 519 break; 520 default: 521 break; 522 } 523 524 S = Parent; 525 } 526 527 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 528 529 return PathDiagnosticLocation(S, SMgr, LC); 530 } 531 532 PathDiagnosticLocation 533 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 534 assert(S && "Null Stmt passed to getEnclosingStmtLocation"); 535 return ::getEnclosingStmtLocation(S, getSourceManager(), getParentMap(), LC, 536 /*allowNestedContexts=*/false); 537 } 538 539 //===----------------------------------------------------------------------===// 540 // "Visitors only" path diagnostic generation algorithm. 541 //===----------------------------------------------------------------------===// 542 static bool GenerateVisitorsOnlyPathDiagnostic( 543 PathDiagnostic &PD, PathDiagnosticBuilder &PDB, const ExplodedNode *N, 544 ArrayRef<std::unique_ptr<BugReporterVisitor>> visitors) { 545 // All path generation skips the very first node (the error node). 546 // This is because there is special handling for the end-of-path note. 547 N = N->getFirstPred(); 548 if (!N) 549 return true; 550 551 BugReport *R = PDB.getBugReport(); 552 while (const ExplodedNode *Pred = N->getFirstPred()) { 553 for (auto &V : visitors) 554 // Visit all the node pairs, but throw the path pieces away. 555 V->VisitNode(N, Pred, PDB, *R); 556 557 N = Pred; 558 } 559 560 return R->isValid(); 561 } 562 563 //===----------------------------------------------------------------------===// 564 // "Minimal" path diagnostic generation algorithm. 565 //===----------------------------------------------------------------------===// 566 using StackDiagPair = 567 std::pair<PathDiagnosticCallPiece *, const ExplodedNode *>; 568 using StackDiagVector = SmallVector<StackDiagPair, 6>; 569 570 static void updateStackPiecesWithMessage(PathDiagnosticPiece &P, 571 StackDiagVector &CallStack) { 572 // If the piece contains a special message, add it to all the call 573 // pieces on the active stack. 574 if (auto *ep = dyn_cast<PathDiagnosticEventPiece>(&P)) { 575 if (ep->hasCallStackHint()) 576 for (const auto &I : CallStack) { 577 PathDiagnosticCallPiece *CP = I.first; 578 const ExplodedNode *N = I.second; 579 std::string stackMsg = ep->getCallStackMessage(N); 580 581 // The last message on the path to final bug is the most important 582 // one. Since we traverse the path backwards, do not add the message 583 // if one has been previously added. 584 if (!CP->hasCallStackMessage()) 585 CP->setCallStackMessage(stackMsg); 586 } 587 } 588 } 589 590 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM); 591 592 /// Add path diagnostic for statement associated with node \p N 593 /// to diagnostics \p PD. 594 /// Precondition: location associated with \p N is a \c BlockEdge. 595 static void generateMinimalDiagnosticsForBlockEdge(const ExplodedNode *N, 596 PathDiagnosticBuilder &PDB, 597 PathDiagnostic &PD) { 598 const LocationContext *LC = N->getLocationContext(); 599 SourceManager& SMgr = PDB.getSourceManager(); 600 BlockEdge BE = N->getLocation().castAs<BlockEdge>(); 601 const CFGBlock *Src = BE.getSrc(); 602 const CFGBlock *Dst = BE.getDst(); 603 const Stmt *T = Src->getTerminator(); 604 if (!T) 605 return; 606 607 auto Start = PathDiagnosticLocation::createBegin(T, SMgr, LC); 608 switch (T->getStmtClass()) { 609 default: 610 break; 611 612 case Stmt::GotoStmtClass: 613 case Stmt::IndirectGotoStmtClass: { 614 const Stmt *S = PathDiagnosticLocation::getNextStmt(N); 615 616 if (!S) 617 break; 618 619 std::string sbuf; 620 llvm::raw_string_ostream os(sbuf); 621 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 622 623 os << "Control jumps to line " << End.asLocation().getExpansionLineNumber(); 624 PD.getActivePath().push_front( 625 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 626 break; 627 } 628 629 case Stmt::SwitchStmtClass: { 630 // Figure out what case arm we took. 631 std::string sbuf; 632 llvm::raw_string_ostream os(sbuf); 633 634 if (const Stmt *S = Dst->getLabel()) { 635 PathDiagnosticLocation End(S, SMgr, LC); 636 637 switch (S->getStmtClass()) { 638 default: 639 os << "No cases match in the switch statement. " 640 "Control jumps to line " 641 << End.asLocation().getExpansionLineNumber(); 642 break; 643 case Stmt::DefaultStmtClass: 644 os << "Control jumps to the 'default' case at line " 645 << End.asLocation().getExpansionLineNumber(); 646 break; 647 648 case Stmt::CaseStmtClass: { 649 os << "Control jumps to 'case "; 650 const auto *Case = cast<CaseStmt>(S); 651 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 652 653 // Determine if it is an enum. 654 bool GetRawInt = true; 655 656 if (const auto *DR = dyn_cast<DeclRefExpr>(LHS)) { 657 // FIXME: Maybe this should be an assertion. Are there cases 658 // were it is not an EnumConstantDecl? 659 const auto *D = dyn_cast<EnumConstantDecl>(DR->getDecl()); 660 661 if (D) { 662 GetRawInt = false; 663 os << *D; 664 } 665 } 666 667 if (GetRawInt) 668 os << LHS->EvaluateKnownConstInt(PDB.getASTContext()); 669 670 os << ":' at line " << End.asLocation().getExpansionLineNumber(); 671 break; 672 } 673 } 674 PD.getActivePath().push_front( 675 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 676 os.str())); 677 } else { 678 os << "'Default' branch taken. "; 679 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 680 PD.getActivePath().push_front( 681 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 682 os.str())); 683 } 684 685 break; 686 } 687 688 case Stmt::BreakStmtClass: 689 case Stmt::ContinueStmtClass: { 690 std::string sbuf; 691 llvm::raw_string_ostream os(sbuf); 692 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 693 PD.getActivePath().push_front( 694 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 695 break; 696 } 697 698 // Determine control-flow for ternary '?'. 699 case Stmt::BinaryConditionalOperatorClass: 700 case Stmt::ConditionalOperatorClass: { 701 std::string sbuf; 702 llvm::raw_string_ostream os(sbuf); 703 os << "'?' condition is "; 704 705 if (*(Src->succ_begin() + 1) == Dst) 706 os << "false"; 707 else 708 os << "true"; 709 710 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 711 712 if (const Stmt *S = End.asStmt()) 713 End = PDB.getEnclosingStmtLocation(S); 714 715 PD.getActivePath().push_front( 716 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 717 break; 718 } 719 720 // Determine control-flow for short-circuited '&&' and '||'. 721 case Stmt::BinaryOperatorClass: { 722 if (!PDB.supportsLogicalOpControlFlow()) 723 break; 724 725 const auto *B = cast<BinaryOperator>(T); 726 std::string sbuf; 727 llvm::raw_string_ostream os(sbuf); 728 os << "Left side of '"; 729 730 if (B->getOpcode() == BO_LAnd) { 731 os << "&&" 732 << "' is "; 733 734 if (*(Src->succ_begin() + 1) == Dst) { 735 os << "false"; 736 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 737 PathDiagnosticLocation Start = 738 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 739 PD.getActivePath().push_front( 740 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 741 os.str())); 742 } else { 743 os << "true"; 744 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 745 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 746 PD.getActivePath().push_front( 747 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 748 os.str())); 749 } 750 } else { 751 assert(B->getOpcode() == BO_LOr); 752 os << "||" 753 << "' is "; 754 755 if (*(Src->succ_begin() + 1) == Dst) { 756 os << "false"; 757 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 758 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 759 PD.getActivePath().push_front( 760 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 761 os.str())); 762 } else { 763 os << "true"; 764 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 765 PathDiagnosticLocation Start = 766 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 767 PD.getActivePath().push_front( 768 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 769 os.str())); 770 } 771 } 772 773 break; 774 } 775 776 case Stmt::DoStmtClass: 777 if (*(Src->succ_begin()) == Dst) { 778 std::string sbuf; 779 llvm::raw_string_ostream os(sbuf); 780 781 os << "Loop condition is true. "; 782 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 783 784 if (const Stmt *S = End.asStmt()) 785 End = PDB.getEnclosingStmtLocation(S); 786 787 PD.getActivePath().push_front( 788 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 789 os.str())); 790 } else { 791 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 792 793 if (const Stmt *S = End.asStmt()) 794 End = PDB.getEnclosingStmtLocation(S); 795 796 PD.getActivePath().push_front( 797 std::make_shared<PathDiagnosticControlFlowPiece>( 798 Start, End, "Loop condition is false. Exiting loop")); 799 } 800 break; 801 802 case Stmt::WhileStmtClass: 803 case Stmt::ForStmtClass: 804 if (*(Src->succ_begin() + 1) == Dst) { 805 std::string sbuf; 806 llvm::raw_string_ostream os(sbuf); 807 808 os << "Loop condition is false. "; 809 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 810 if (const Stmt *S = End.asStmt()) 811 End = PDB.getEnclosingStmtLocation(S); 812 813 PD.getActivePath().push_front( 814 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 815 os.str())); 816 } else { 817 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 818 if (const Stmt *S = End.asStmt()) 819 End = PDB.getEnclosingStmtLocation(S); 820 821 PD.getActivePath().push_front( 822 std::make_shared<PathDiagnosticControlFlowPiece>( 823 Start, End, "Loop condition is true. Entering loop body")); 824 } 825 826 break; 827 828 case Stmt::IfStmtClass: { 829 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 830 831 if (const Stmt *S = End.asStmt()) 832 End = PDB.getEnclosingStmtLocation(S); 833 834 if (*(Src->succ_begin() + 1) == Dst) 835 PD.getActivePath().push_front( 836 std::make_shared<PathDiagnosticControlFlowPiece>( 837 Start, End, "Taking false branch")); 838 else 839 PD.getActivePath().push_front( 840 std::make_shared<PathDiagnosticControlFlowPiece>( 841 Start, End, "Taking true branch")); 842 843 break; 844 } 845 } 846 } 847 848 /// Generate minimal diagnostics for node \p N, and write it into path 849 /// diagnostics \p PD. 850 void generateMinimalDiagnosticsForNode(const ExplodedNode *N, 851 PathDiagnosticBuilder &PDB, 852 PathDiagnostic &PD, 853 LocationContextMap &LCM, 854 StackDiagVector &CallStack) { 855 SourceManager &SMgr = PDB.getSourceManager(); 856 ProgramPoint P = N->getLocation(); 857 858 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 859 auto C = PathDiagnosticCallPiece::construct(N, *CE, SMgr); 860 // Record the mapping from call piece to LocationContext. 861 LCM[&C->path] = CE->getCalleeContext(); 862 auto *P = C.get(); 863 PD.getActivePath().push_front(std::move(C)); 864 PD.pushActivePath(&P->path); 865 CallStack.push_back(StackDiagPair(P, N)); 866 } else if (Optional<CallEnter> CE = P.getAs<CallEnter>()) { 867 // Flush all locations, and pop the active path. 868 bool VisitedEntireCall = PD.isWithinCall(); 869 PD.popActivePath(); 870 871 // Either we just added a bunch of stuff to the top-level path, or 872 // we have a previous CallExitEnd. If the former, it means that the 873 // path terminated within a function call. We must then take the 874 // current contents of the active path and place it within 875 // a new PathDiagnosticCallPiece. 876 PathDiagnosticCallPiece *C; 877 if (VisitedEntireCall) { 878 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front().get()); 879 } else { 880 const Decl *Caller = CE->getLocationContext()->getDecl(); 881 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 882 // Record the mapping from call piece to LocationContext. 883 LCM[&C->path] = CE->getCalleeContext(); 884 } 885 886 C->setCallee(*CE, SMgr); 887 if (!CallStack.empty()) { 888 assert(CallStack.back().first == C); 889 CallStack.pop_back(); 890 } 891 } else if (P.getKind() == ProgramPoint::BlockEdgeKind) { 892 generateMinimalDiagnosticsForBlockEdge(N, PDB, PD); 893 } 894 } 895 896 static bool GenerateMinimalPathDiagnostic( 897 PathDiagnostic &PD, PathDiagnosticBuilder &PDB, const ExplodedNode *N, 898 LocationContextMap &LCM, 899 ArrayRef<std::unique_ptr<BugReporterVisitor>> visitors) { 900 const ExplodedNode *NextNode = N->pred_empty() 901 ? nullptr : *(N->pred_begin()); 902 StackDiagVector CallStack; 903 904 while (NextNode) { 905 N = NextNode; 906 PDB.LC = N->getLocationContext(); 907 NextNode = N->getFirstPred(); 908 909 generateMinimalDiagnosticsForNode(N, PDB, PD, LCM, CallStack); 910 911 if (NextNode) { 912 // Add diagnostic pieces from custom visitors. 913 BugReport *R = PDB.getBugReport(); 914 llvm::FoldingSet<PathDiagnosticPiece> DeduplicationSet; 915 for (auto &V : visitors) { 916 if (auto p = V->VisitNode(N, NextNode, PDB, *R)) { 917 if (DeduplicationSet.GetOrInsertNode(p.get()) != p.get()) 918 continue; 919 920 updateStackPiecesWithMessage(*p, CallStack); 921 PD.getActivePath().push_front(std::move(p)); 922 } 923 } 924 } 925 } 926 927 if (!PDB.getBugReport()->isValid()) 928 return false; 929 930 // After constructing the full PathDiagnostic, do a pass over it to compact 931 // PathDiagnosticPieces that occur within a macro. 932 CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager()); 933 return true; 934 } 935 936 //===----------------------------------------------------------------------===// 937 // "Extensive" PathDiagnostic generation. 938 //===----------------------------------------------------------------------===// 939 940 static bool IsControlFlowExpr(const Stmt *S) { 941 const auto *E = dyn_cast<Expr>(S); 942 943 if (!E) 944 return false; 945 946 E = E->IgnoreParenCasts(); 947 948 if (isa<AbstractConditionalOperator>(E)) 949 return true; 950 951 if (const auto *B = dyn_cast<BinaryOperator>(E)) 952 if (B->isLogicalOp()) 953 return true; 954 955 return false; 956 } 957 958 namespace { 959 960 class ContextLocation : public PathDiagnosticLocation { 961 bool IsDead; 962 963 public: 964 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 965 : PathDiagnosticLocation(L), IsDead(isdead) {} 966 967 void markDead() { IsDead = true; } 968 bool isDead() const { return IsDead; } 969 }; 970 971 } // namespace 972 973 static PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 974 const LocationContext *LC, 975 bool firstCharOnly = false) { 976 if (const Stmt *S = L.asStmt()) { 977 const Stmt *Original = S; 978 while (true) { 979 // Adjust the location for some expressions that are best referenced 980 // by one of their subexpressions. 981 switch (S->getStmtClass()) { 982 default: 983 break; 984 case Stmt::ParenExprClass: 985 case Stmt::GenericSelectionExprClass: 986 S = cast<Expr>(S)->IgnoreParens(); 987 firstCharOnly = true; 988 continue; 989 case Stmt::BinaryConditionalOperatorClass: 990 case Stmt::ConditionalOperatorClass: 991 S = cast<AbstractConditionalOperator>(S)->getCond(); 992 firstCharOnly = true; 993 continue; 994 case Stmt::ChooseExprClass: 995 S = cast<ChooseExpr>(S)->getCond(); 996 firstCharOnly = true; 997 continue; 998 case Stmt::BinaryOperatorClass: 999 S = cast<BinaryOperator>(S)->getLHS(); 1000 firstCharOnly = true; 1001 continue; 1002 } 1003 break; 1004 } 1005 1006 if (S != Original) 1007 L = PathDiagnosticLocation(S, L.getManager(), LC); 1008 } 1009 1010 if (firstCharOnly) 1011 L = PathDiagnosticLocation::createSingleLocation(L); 1012 1013 return L; 1014 } 1015 1016 namespace { 1017 1018 class EdgeBuilder { 1019 std::vector<ContextLocation> CLocs; 1020 1021 using iterator = std::vector<ContextLocation>::iterator; 1022 1023 PathDiagnostic &PD; 1024 PathDiagnosticBuilder &PDB; 1025 PathDiagnosticLocation PrevLoc; 1026 1027 bool IsConsumedExpr(const PathDiagnosticLocation &L); 1028 1029 bool containsLocation(const PathDiagnosticLocation &Container, 1030 const PathDiagnosticLocation &Containee); 1031 1032 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 1033 1034 void popLocation() { 1035 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 1036 // For contexts, we only one the first character as the range. 1037 rawAddEdge(cleanUpLocation(CLocs.back(), PDB.LC, true)); 1038 } 1039 CLocs.pop_back(); 1040 } 1041 1042 public: 1043 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 1044 : PD(pd), PDB(pdb) { 1045 // If the PathDiagnostic already has pieces, add the enclosing statement 1046 // of the first piece as a context as well. 1047 if (!PD.path.empty()) { 1048 PrevLoc = (*PD.path.begin())->getLocation(); 1049 1050 if (const Stmt *S = PrevLoc.asStmt()) 1051 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1052 } 1053 } 1054 1055 ~EdgeBuilder() { 1056 while (!CLocs.empty()) popLocation(); 1057 1058 // Finally, add an initial edge from the start location of the first 1059 // statement (if it doesn't already exist). 1060 PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin( 1061 PDB.LC, 1062 PDB.getSourceManager()); 1063 if (L.isValid()) 1064 rawAddEdge(L); 1065 } 1066 1067 void flushLocations() { 1068 while (!CLocs.empty()) 1069 popLocation(); 1070 PrevLoc = PathDiagnosticLocation(); 1071 } 1072 1073 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false, 1074 bool IsPostJump = false); 1075 1076 void rawAddEdge(PathDiagnosticLocation NewLoc); 1077 1078 void addContext(const Stmt *S); 1079 void addContext(const PathDiagnosticLocation &L); 1080 void addExtendedContext(const Stmt *S); 1081 }; 1082 1083 } // namespace 1084 1085 PathDiagnosticLocation 1086 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 1087 if (const Stmt *S = L.asStmt()) { 1088 if (IsControlFlowExpr(S)) 1089 return L; 1090 1091 return PDB.getEnclosingStmtLocation(S); 1092 } 1093 1094 return L; 1095 } 1096 1097 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 1098 const PathDiagnosticLocation &Containee) { 1099 if (Container == Containee) 1100 return true; 1101 1102 if (Container.asDecl()) 1103 return true; 1104 1105 if (const Stmt *S = Containee.asStmt()) 1106 if (const Stmt *ContainerS = Container.asStmt()) { 1107 while (S) { 1108 if (S == ContainerS) 1109 return true; 1110 S = PDB.getParent(S); 1111 } 1112 return false; 1113 } 1114 1115 // Less accurate: compare using source ranges. 1116 SourceRange ContainerR = Container.asRange(); 1117 SourceRange ContaineeR = Containee.asRange(); 1118 1119 SourceManager &SM = PDB.getSourceManager(); 1120 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 1121 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 1122 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 1123 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 1124 1125 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 1126 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 1127 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 1128 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 1129 1130 assert(ContainerBegLine <= ContainerEndLine); 1131 assert(ContaineeBegLine <= ContaineeEndLine); 1132 1133 return (ContainerBegLine <= ContaineeBegLine && 1134 ContainerEndLine >= ContaineeEndLine && 1135 (ContainerBegLine != ContaineeBegLine || 1136 SM.getExpansionColumnNumber(ContainerRBeg) <= 1137 SM.getExpansionColumnNumber(ContaineeRBeg)) && 1138 (ContainerEndLine != ContaineeEndLine || 1139 SM.getExpansionColumnNumber(ContainerREnd) >= 1140 SM.getExpansionColumnNumber(ContaineeREnd))); 1141 } 1142 1143 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 1144 if (!PrevLoc.isValid()) { 1145 PrevLoc = NewLoc; 1146 return; 1147 } 1148 1149 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc, PDB.LC); 1150 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc, PDB.LC); 1151 1152 if (PrevLocClean.asLocation().isInvalid()) { 1153 PrevLoc = NewLoc; 1154 return; 1155 } 1156 1157 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1158 return; 1159 1160 // FIXME: Ignore intra-macro edges for now. 1161 if (NewLocClean.asLocation().getExpansionLoc() == 1162 PrevLocClean.asLocation().getExpansionLoc()) 1163 return; 1164 1165 PD.getActivePath().push_front( 1166 std::make_shared<PathDiagnosticControlFlowPiece>(NewLocClean, 1167 PrevLocClean)); 1168 PrevLoc = NewLoc; 1169 } 1170 1171 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd, 1172 bool IsPostJump) { 1173 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1174 return; 1175 1176 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1177 1178 while (!CLocs.empty()) { 1179 ContextLocation &TopContextLoc = CLocs.back(); 1180 1181 // Is the top location context the same as the one for the new location? 1182 if (TopContextLoc == CLoc) { 1183 if (alwaysAdd) { 1184 if (IsConsumedExpr(TopContextLoc)) 1185 TopContextLoc.markDead(); 1186 1187 rawAddEdge(NewLoc); 1188 } 1189 1190 if (IsPostJump) 1191 TopContextLoc.markDead(); 1192 return; 1193 } 1194 1195 if (containsLocation(TopContextLoc, CLoc)) { 1196 if (alwaysAdd) { 1197 rawAddEdge(NewLoc); 1198 1199 if (IsConsumedExpr(CLoc)) { 1200 CLocs.push_back(ContextLocation(CLoc, /*IsDead=*/true)); 1201 return; 1202 } 1203 } 1204 1205 CLocs.push_back(ContextLocation(CLoc, /*IsDead=*/IsPostJump)); 1206 return; 1207 } 1208 1209 // Context does not contain the location. Flush it. 1210 popLocation(); 1211 } 1212 1213 // If we reach here, there is no enclosing context. Just add the edge. 1214 rawAddEdge(NewLoc); 1215 } 1216 1217 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1218 if (const auto *X = dyn_cast_or_null<Expr>(L.asStmt())) 1219 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1220 1221 return false; 1222 } 1223 1224 void EdgeBuilder::addExtendedContext(const Stmt *S) { 1225 if (!S) 1226 return; 1227 1228 const Stmt *Parent = PDB.getParent(S); 1229 while (Parent) { 1230 if (isa<CompoundStmt>(Parent)) 1231 Parent = PDB.getParent(Parent); 1232 else 1233 break; 1234 } 1235 1236 if (Parent) { 1237 switch (Parent->getStmtClass()) { 1238 case Stmt::DoStmtClass: 1239 case Stmt::ObjCAtSynchronizedStmtClass: 1240 addContext(Parent); 1241 break; 1242 default: 1243 break; 1244 } 1245 } 1246 1247 addContext(S); 1248 } 1249 1250 void EdgeBuilder::addContext(const Stmt *S) { 1251 if (!S) 1252 return; 1253 1254 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.LC); 1255 addContext(L); 1256 } 1257 1258 void EdgeBuilder::addContext(const PathDiagnosticLocation &L) { 1259 while (!CLocs.empty()) { 1260 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1261 1262 // Is the top location context the same as the one for the new location? 1263 if (TopContextLoc == L) 1264 return; 1265 1266 if (containsLocation(TopContextLoc, L)) { 1267 CLocs.push_back(L); 1268 return; 1269 } 1270 1271 // Context does not contain the location. Flush it. 1272 popLocation(); 1273 } 1274 1275 CLocs.push_back(L); 1276 } 1277 1278 // Cone-of-influence: support the reverse propagation of "interesting" symbols 1279 // and values by tracing interesting calculations backwards through evaluated 1280 // expressions along a path. This is probably overly complicated, but the idea 1281 // is that if an expression computed an "interesting" value, the child 1282 // expressions are are also likely to be "interesting" as well (which then 1283 // propagates to the values they in turn compute). This reverse propagation 1284 // is needed to track interesting correlations across function call boundaries, 1285 // where formal arguments bind to actual arguments, etc. This is also needed 1286 // because the constraint solver sometimes simplifies certain symbolic values 1287 // into constants when appropriate, and this complicates reasoning about 1288 // interesting values. 1289 using InterestingExprs = llvm::DenseSet<const Expr *>; 1290 1291 static void reversePropagateIntererstingSymbols(BugReport &R, 1292 InterestingExprs &IE, 1293 const ProgramState *State, 1294 const Expr *Ex, 1295 const LocationContext *LCtx) { 1296 SVal V = State->getSVal(Ex, LCtx); 1297 if (!(R.isInteresting(V) || IE.count(Ex))) 1298 return; 1299 1300 switch (Ex->getStmtClass()) { 1301 default: 1302 if (!isa<CastExpr>(Ex)) 1303 break; 1304 // Fall through. 1305 case Stmt::BinaryOperatorClass: 1306 case Stmt::UnaryOperatorClass: { 1307 for (const Stmt *SubStmt : Ex->children()) { 1308 if (const auto *child = dyn_cast_or_null<Expr>(SubStmt)) { 1309 IE.insert(child); 1310 SVal ChildV = State->getSVal(child, LCtx); 1311 R.markInteresting(ChildV); 1312 } 1313 } 1314 break; 1315 } 1316 } 1317 1318 R.markInteresting(V); 1319 } 1320 1321 static void reversePropagateInterestingSymbols(BugReport &R, 1322 InterestingExprs &IE, 1323 const ProgramState *State, 1324 const LocationContext *CalleeCtx, 1325 const LocationContext *CallerCtx) 1326 { 1327 // FIXME: Handle non-CallExpr-based CallEvents. 1328 const StackFrameContext *Callee = CalleeCtx->getCurrentStackFrame(); 1329 const Stmt *CallSite = Callee->getCallSite(); 1330 if (const auto *CE = dyn_cast_or_null<CallExpr>(CallSite)) { 1331 if (const auto *FD = dyn_cast<FunctionDecl>(CalleeCtx->getDecl())) { 1332 FunctionDecl::param_const_iterator PI = FD->param_begin(), 1333 PE = FD->param_end(); 1334 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end(); 1335 for (; AI != AE && PI != PE; ++AI, ++PI) { 1336 if (const Expr *ArgE = *AI) { 1337 if (const ParmVarDecl *PD = *PI) { 1338 Loc LV = State->getLValue(PD, CalleeCtx); 1339 if (R.isInteresting(LV) || R.isInteresting(State->getRawSVal(LV))) 1340 IE.insert(ArgE); 1341 } 1342 } 1343 } 1344 } 1345 } 1346 } 1347 1348 //===----------------------------------------------------------------------===// 1349 // Functions for determining if a loop was executed 0 times. 1350 //===----------------------------------------------------------------------===// 1351 1352 static bool isLoop(const Stmt *Term) { 1353 switch (Term->getStmtClass()) { 1354 case Stmt::ForStmtClass: 1355 case Stmt::WhileStmtClass: 1356 case Stmt::ObjCForCollectionStmtClass: 1357 case Stmt::CXXForRangeStmtClass: 1358 return true; 1359 default: 1360 // Note that we intentionally do not include do..while here. 1361 return false; 1362 } 1363 } 1364 1365 static bool isJumpToFalseBranch(const BlockEdge *BE) { 1366 const CFGBlock *Src = BE->getSrc(); 1367 assert(Src->succ_size() == 2); 1368 return (*(Src->succ_begin()+1) == BE->getDst()); 1369 } 1370 1371 /// Return true if the terminator is a loop and the destination is the 1372 /// false branch. 1373 static bool isLoopJumpPastBody(const Stmt *Term, const BlockEdge *BE) { 1374 if (!isLoop(Term)) 1375 return false; 1376 1377 // Did we take the false branch? 1378 return isJumpToFalseBranch(BE); 1379 } 1380 1381 static bool isContainedByStmt(ParentMap &PM, const Stmt *S, const Stmt *SubS) { 1382 while (SubS) { 1383 if (SubS == S) 1384 return true; 1385 SubS = PM.getParent(SubS); 1386 } 1387 return false; 1388 } 1389 1390 static const Stmt *getStmtBeforeCond(ParentMap &PM, const Stmt *Term, 1391 const ExplodedNode *N) { 1392 while (N) { 1393 Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>(); 1394 if (SP) { 1395 const Stmt *S = SP->getStmt(); 1396 if (!isContainedByStmt(PM, Term, S)) 1397 return S; 1398 } 1399 N = N->getFirstPred(); 1400 } 1401 return nullptr; 1402 } 1403 1404 static bool isInLoopBody(ParentMap &PM, const Stmt *S, const Stmt *Term) { 1405 const Stmt *LoopBody = nullptr; 1406 switch (Term->getStmtClass()) { 1407 case Stmt::CXXForRangeStmtClass: { 1408 const auto *FR = cast<CXXForRangeStmt>(Term); 1409 if (isContainedByStmt(PM, FR->getInc(), S)) 1410 return true; 1411 if (isContainedByStmt(PM, FR->getLoopVarStmt(), S)) 1412 return true; 1413 LoopBody = FR->getBody(); 1414 break; 1415 } 1416 case Stmt::ForStmtClass: { 1417 const auto *FS = cast<ForStmt>(Term); 1418 if (isContainedByStmt(PM, FS->getInc(), S)) 1419 return true; 1420 LoopBody = FS->getBody(); 1421 break; 1422 } 1423 case Stmt::ObjCForCollectionStmtClass: { 1424 const auto *FC = cast<ObjCForCollectionStmt>(Term); 1425 LoopBody = FC->getBody(); 1426 break; 1427 } 1428 case Stmt::WhileStmtClass: 1429 LoopBody = cast<WhileStmt>(Term)->getBody(); 1430 break; 1431 default: 1432 return false; 1433 } 1434 return isContainedByStmt(PM, LoopBody, S); 1435 } 1436 1437 /// Generate extensive diagnostics for statement associated with node \p N, 1438 /// and write it into \p PD. 1439 static void generateExtensiveDiagnosticsForNode( 1440 const ExplodedNode *N, 1441 PathDiagnosticBuilder &PDB, 1442 LocationContextMap &LCM, 1443 EdgeBuilder &EB, 1444 StackDiagVector &CallStack, 1445 PathDiagnostic &PD, 1446 InterestingExprs &IE) { 1447 const ExplodedNode *NextNode = N->getFirstPred(); 1448 ProgramPoint P = N->getLocation(); 1449 const SourceManager& SM = PDB.getSourceManager(); 1450 1451 if (Optional<PostStmt> PS = P.getAs<PostStmt>()) { 1452 if (const Expr *Ex = PS->getStmtAs<Expr>()) 1453 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1454 N->getState().get(), Ex, 1455 N->getLocationContext()); 1456 return; 1457 } else if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1458 const Stmt *S = CE->getCalleeContext()->getCallSite(); 1459 if (const auto *Ex = dyn_cast_or_null<Expr>(S)) { 1460 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1461 N->getState().get(), Ex, 1462 N->getLocationContext()); 1463 } 1464 1465 auto C = PathDiagnosticCallPiece::construct(N, *CE, SM); 1466 LCM[&C->path] = CE->getCalleeContext(); 1467 1468 EB.addEdge(C->callReturn, /*AlwaysAdd=*/true, /*IsPostJump=*/true); 1469 EB.flushLocations(); 1470 1471 auto *P = C.get(); 1472 PD.getActivePath().push_front(std::move(C)); 1473 PD.pushActivePath(&P->path); 1474 CallStack.push_back(StackDiagPair(P, N)); 1475 return; 1476 } else if (Optional<CallEnter> CE = P.getAs<CallEnter>()) { 1477 // Pop the call hierarchy if we are done walking the contents 1478 // of a function call. 1479 1480 // Add an edge to the start of the function. 1481 const Decl *D = CE->getCalleeContext()->getDecl(); 1482 PathDiagnosticLocation pos = 1483 PathDiagnosticLocation::createBegin(D, SM); 1484 EB.addEdge(pos); 1485 1486 // Flush all locations, and pop the active path. 1487 bool VisitedEntireCall = PD.isWithinCall(); 1488 EB.flushLocations(); 1489 PD.popActivePath(); 1490 PDB.LC = N->getLocationContext(); 1491 1492 // Either we just added a bunch of stuff to the top-level path, or 1493 // we have a previous CallExitEnd. If the former, it means that the 1494 // path terminated within a function call. We must then take the 1495 // current contents of the active path and place it within 1496 // a new PathDiagnosticCallPiece. 1497 PathDiagnosticCallPiece *C; 1498 if (VisitedEntireCall) { 1499 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front().get()); 1500 } else { 1501 const Decl *Caller = CE->getLocationContext()->getDecl(); 1502 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 1503 LCM[&C->path] = CE->getCalleeContext(); 1504 } 1505 1506 C->setCallee(*CE, SM); 1507 EB.addContext(C->getLocation()); 1508 1509 if (!CallStack.empty()) { 1510 assert(CallStack.back().first == C); 1511 CallStack.pop_back(); 1512 } 1513 return; 1514 } 1515 1516 // Note that is important that we update the LocationContext 1517 // after looking at CallExits. CallExit basically adds an 1518 // edge in the *caller*, so we don't want to update the LocationContext 1519 // too soon. 1520 PDB.LC = N->getLocationContext(); 1521 1522 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) { 1523 // Does this represent entering a call? If so, look at propagating 1524 // interesting symbols across call boundaries. 1525 if (NextNode) { 1526 const LocationContext *CallerCtx = NextNode->getLocationContext(); 1527 const LocationContext *CalleeCtx = PDB.LC; 1528 if (CallerCtx != CalleeCtx) { 1529 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 1530 N->getState().get(), 1531 CalleeCtx, CallerCtx); 1532 } 1533 } 1534 1535 // Are we jumping to the head of a loop? Add a special diagnostic. 1536 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1537 PathDiagnosticLocation L(Loop, SM, PDB.LC); 1538 const CompoundStmt *CS = nullptr; 1539 1540 if (const auto *FS = dyn_cast<ForStmt>(Loop)) 1541 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1542 else if (const auto *WS = dyn_cast<WhileStmt>(Loop)) 1543 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1544 1545 auto p = std::make_shared<PathDiagnosticEventPiece>( 1546 L, "Looping back to the head of the loop"); 1547 p->setPrunable(true); 1548 1549 EB.addEdge(p->getLocation(), true); 1550 PD.getActivePath().push_front(std::move(p)); 1551 1552 if (CS) { 1553 PathDiagnosticLocation BL = 1554 PathDiagnosticLocation::createEndBrace(CS, SM); 1555 EB.addEdge(BL); 1556 } 1557 } 1558 1559 const CFGBlock *BSrc = BE->getSrc(); 1560 ParentMap &PM = PDB.getParentMap(); 1561 1562 if (const Stmt *Term = BSrc->getTerminator()) { 1563 // Are we jumping past the loop body without ever executing the 1564 // loop (because the condition was false)? 1565 if (isLoopJumpPastBody(Term, &*BE) && 1566 !isInLoopBody(PM, 1567 getStmtBeforeCond(PM, 1568 BSrc->getTerminatorCondition(), 1569 N), 1570 Term)) { 1571 PathDiagnosticLocation L(Term, SM, PDB.LC); 1572 auto PE = std::make_shared<PathDiagnosticEventPiece>( 1573 L, "Loop body executed 0 times"); 1574 PE->setPrunable(true); 1575 1576 EB.addEdge(PE->getLocation(), true); 1577 PD.getActivePath().push_front(std::move(PE)); 1578 } 1579 1580 // In any case, add the terminator as the current statement 1581 // context for control edges. 1582 EB.addContext(Term); 1583 } 1584 } else if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) { 1585 Optional<CFGElement> First = BE->getFirstElement(); 1586 if (Optional<CFGStmt> S = First ? First->getAs<CFGStmt>() : None) { 1587 const Stmt *stmt = S->getStmt(); 1588 if (IsControlFlowExpr(stmt)) { 1589 // Add the proper context for '&&', '||', and '?'. 1590 EB.addContext(stmt); 1591 } 1592 else 1593 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1594 } 1595 } 1596 } 1597 1598 //===----------------------------------------------------------------------===// 1599 // Top-level logic for generating extensive path diagnostics. 1600 //===----------------------------------------------------------------------===// 1601 1602 static bool GenerateExtensivePathDiagnostic( 1603 PathDiagnostic &PD, PathDiagnosticBuilder &PDB, const ExplodedNode *N, 1604 LocationContextMap &LCM, 1605 ArrayRef<std::unique_ptr<BugReporterVisitor>> visitors) { 1606 EdgeBuilder EB(PD, PDB); 1607 StackDiagVector CallStack; 1608 1609 InterestingExprs IE; 1610 const ExplodedNode *NextNode = N->pred_empty() ? nullptr : *(N->pred_begin()); 1611 while (NextNode) { 1612 N = NextNode; 1613 NextNode = N->getFirstPred(); 1614 1615 generateExtensiveDiagnosticsForNode(N, PDB, LCM, EB, CallStack, PD, IE); 1616 1617 if (!NextNode) 1618 continue; 1619 1620 // Add pieces from custom visitors. 1621 BugReport *R = PDB.getBugReport(); 1622 llvm::FoldingSet<PathDiagnosticPiece> DeduplicationSet; 1623 for (auto &V : visitors) { 1624 if (auto p = V->VisitNode(N, NextNode, PDB, *R)) { 1625 if (DeduplicationSet.GetOrInsertNode(p.get()) != p.get()) 1626 continue; 1627 1628 const PathDiagnosticLocation &Loc = p->getLocation(); 1629 EB.addEdge(Loc, true); 1630 updateStackPiecesWithMessage(*p, CallStack); 1631 PD.getActivePath().push_front(std::move(p)); 1632 1633 if (const Stmt *S = Loc.asStmt()) 1634 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1635 } 1636 } 1637 } 1638 1639 return PDB.getBugReport()->isValid(); 1640 } 1641 1642 /// \brief Adds a sanitized control-flow diagnostic edge to a path. 1643 static void addEdgeToPath(PathPieces &path, 1644 PathDiagnosticLocation &PrevLoc, 1645 PathDiagnosticLocation NewLoc, 1646 const LocationContext *LC) { 1647 if (!NewLoc.isValid()) 1648 return; 1649 1650 SourceLocation NewLocL = NewLoc.asLocation(); 1651 if (NewLocL.isInvalid()) 1652 return; 1653 1654 if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) { 1655 PrevLoc = NewLoc; 1656 return; 1657 } 1658 1659 // Ignore self-edges, which occur when there are multiple nodes at the same 1660 // statement. 1661 if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt()) 1662 return; 1663 1664 path.push_front( 1665 std::make_shared<PathDiagnosticControlFlowPiece>(NewLoc, PrevLoc)); 1666 PrevLoc = NewLoc; 1667 } 1668 1669 /// A customized wrapper for CFGBlock::getTerminatorCondition() 1670 /// which returns the element for ObjCForCollectionStmts. 1671 static const Stmt *getTerminatorCondition(const CFGBlock *B) { 1672 const Stmt *S = B->getTerminatorCondition(); 1673 if (const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(S)) 1674 return FS->getElement(); 1675 return S; 1676 } 1677 1678 static const char StrEnteringLoop[] = "Entering loop body"; 1679 static const char StrLoopBodyZero[] = "Loop body executed 0 times"; 1680 static const char StrLoopRangeEmpty[] = 1681 "Loop body skipped when range is empty"; 1682 static const char StrLoopCollectionEmpty[] = 1683 "Loop body skipped when collection is empty"; 1684 1685 /// Generate alternate-extensive diagnostics for the node \p N, 1686 /// and write it into \p PD. 1687 static void generateAlternateExtensiveDiagnosticsForNode(const ExplodedNode *N, 1688 PathDiagnostic &PD, 1689 PathDiagnosticLocation &PrevLoc, 1690 PathDiagnosticBuilder &PDB, 1691 LocationContextMap &LCM, 1692 StackDiagVector &CallStack, 1693 InterestingExprs &IE) { 1694 const ExplodedNode *NextNode = N->getFirstPred(); 1695 ProgramPoint P = N->getLocation(); 1696 const SourceManager& SM = PDB.getSourceManager(); 1697 1698 // Have we encountered an entrance to a call? It may be 1699 // the case that we have not encountered a matching 1700 // call exit before this point. This means that the path 1701 // terminated within the call itself. 1702 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) { 1703 // Add an edge to the start of the function. 1704 const StackFrameContext *CalleeLC = CE->getCalleeContext(); 1705 const Decl *D = CalleeLC->getDecl(); 1706 // Add the edge only when the callee has body. We jump to the beginning 1707 // of the *declaration*, however we expect it to be followed by the 1708 // body. This isn't the case for autosynthesized property accessors in 1709 // Objective-C. No need for a similar extra check for CallExit points 1710 // because the exit edge comes from a statement (i.e. return), 1711 // not from declaration. 1712 if (D->hasBody()) 1713 addEdgeToPath(PD.getActivePath(), PrevLoc, 1714 PathDiagnosticLocation::createBegin(D, SM), CalleeLC); 1715 1716 // Did we visit an entire call? 1717 bool VisitedEntireCall = PD.isWithinCall(); 1718 PD.popActivePath(); 1719 1720 PathDiagnosticCallPiece *C; 1721 if (VisitedEntireCall) { 1722 PathDiagnosticPiece *P = PD.getActivePath().front().get(); 1723 C = cast<PathDiagnosticCallPiece>(P); 1724 } else { 1725 const Decl *Caller = CE->getLocationContext()->getDecl(); 1726 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 1727 1728 // Since we just transferred the path over to the call piece, 1729 // reset the mapping from active to location context. 1730 assert(PD.getActivePath().size() == 1 && 1731 PD.getActivePath().front().get() == C); 1732 LCM[&PD.getActivePath()] = nullptr; 1733 1734 // Record the location context mapping for the path within 1735 // the call. 1736 assert(LCM[&C->path] == nullptr || 1737 LCM[&C->path] == CE->getCalleeContext()); 1738 LCM[&C->path] = CE->getCalleeContext(); 1739 1740 // If this is the first item in the active path, record 1741 // the new mapping from active path to location context. 1742 const LocationContext *&NewLC = LCM[&PD.getActivePath()]; 1743 if (!NewLC) 1744 NewLC = N->getLocationContext(); 1745 1746 PDB.LC = NewLC; 1747 } 1748 C->setCallee(*CE, SM); 1749 1750 // Update the previous location in the active path. 1751 PrevLoc = C->getLocation(); 1752 1753 if (!CallStack.empty()) { 1754 assert(CallStack.back().first == C); 1755 CallStack.pop_back(); 1756 } 1757 return; 1758 } 1759 1760 // Query the location context here and the previous location 1761 // as processing CallEnter may change the active path. 1762 PDB.LC = N->getLocationContext(); 1763 1764 // Record the mapping from the active path to the location 1765 // context. 1766 assert(!LCM[&PD.getActivePath()] || 1767 LCM[&PD.getActivePath()] == PDB.LC); 1768 LCM[&PD.getActivePath()] = PDB.LC; 1769 1770 // Have we encountered an exit from a function call? 1771 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1772 const Stmt *S = CE->getCalleeContext()->getCallSite(); 1773 // Propagate the interesting symbols accordingly. 1774 if (const auto *Ex = dyn_cast_or_null<Expr>(S)) { 1775 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1776 N->getState().get(), Ex, 1777 N->getLocationContext()); 1778 } 1779 1780 // We are descending into a call (backwards). Construct 1781 // a new call piece to contain the path pieces for that call. 1782 auto C = PathDiagnosticCallPiece::construct(N, *CE, SM); 1783 1784 // Record the location context for this call piece. 1785 LCM[&C->path] = CE->getCalleeContext(); 1786 1787 // Add the edge to the return site. 1788 addEdgeToPath(PD.getActivePath(), PrevLoc, C->callReturn, PDB.LC); 1789 auto *P = C.get(); 1790 PD.getActivePath().push_front(std::move(C)); 1791 PrevLoc.invalidate(); 1792 1793 // Make the contents of the call the active path for now. 1794 PD.pushActivePath(&P->path); 1795 CallStack.push_back(StackDiagPair(P, N)); 1796 } else if (Optional<PostStmt> PS = P.getAs<PostStmt>()) { 1797 // For expressions, make sure we propagate the 1798 // interesting symbols correctly. 1799 if (const Expr *Ex = PS->getStmtAs<Expr>()) 1800 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1801 N->getState().get(), Ex, 1802 N->getLocationContext()); 1803 1804 // Add an edge. If this is an ObjCForCollectionStmt do 1805 // not add an edge here as it appears in the CFG both 1806 // as a terminator and as a terminator condition. 1807 if (!isa<ObjCForCollectionStmt>(PS->getStmt())) { 1808 PathDiagnosticLocation L = 1809 PathDiagnosticLocation(PS->getStmt(), SM, PDB.LC); 1810 addEdgeToPath(PD.getActivePath(), PrevLoc, L, PDB.LC); 1811 } 1812 } else if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) { 1813 // Does this represent entering a call? If so, look at propagating 1814 // interesting symbols across call boundaries. 1815 if (NextNode) { 1816 const LocationContext *CallerCtx = NextNode->getLocationContext(); 1817 const LocationContext *CalleeCtx = PDB.LC; 1818 if (CallerCtx != CalleeCtx) { 1819 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 1820 N->getState().get(), 1821 CalleeCtx, CallerCtx); 1822 } 1823 } 1824 1825 // Are we jumping to the head of a loop? Add a special diagnostic. 1826 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1827 PathDiagnosticLocation L(Loop, SM, PDB.LC); 1828 const Stmt *Body = nullptr; 1829 1830 if (const auto *FS = dyn_cast<ForStmt>(Loop)) 1831 Body = FS->getBody(); 1832 else if (const auto *WS = dyn_cast<WhileStmt>(Loop)) 1833 Body = WS->getBody(); 1834 else if (const auto *OFS = dyn_cast<ObjCForCollectionStmt>(Loop)) { 1835 Body = OFS->getBody(); 1836 } else if (const auto *FRS = dyn_cast<CXXForRangeStmt>(Loop)) { 1837 Body = FRS->getBody(); 1838 } 1839 // do-while statements are explicitly excluded here 1840 1841 auto p = std::make_shared<PathDiagnosticEventPiece>( 1842 L, "Looping back to the head " 1843 "of the loop"); 1844 p->setPrunable(true); 1845 1846 addEdgeToPath(PD.getActivePath(), PrevLoc, p->getLocation(), PDB.LC); 1847 PD.getActivePath().push_front(std::move(p)); 1848 1849 if (const auto *CS = dyn_cast_or_null<CompoundStmt>(Body)) { 1850 addEdgeToPath(PD.getActivePath(), PrevLoc, 1851 PathDiagnosticLocation::createEndBrace(CS, SM), 1852 PDB.LC); 1853 } 1854 } 1855 1856 const CFGBlock *BSrc = BE->getSrc(); 1857 ParentMap &PM = PDB.getParentMap(); 1858 1859 if (const Stmt *Term = BSrc->getTerminator()) { 1860 // Are we jumping past the loop body without ever executing the 1861 // loop (because the condition was false)? 1862 if (isLoop(Term)) { 1863 const Stmt *TermCond = getTerminatorCondition(BSrc); 1864 bool IsInLoopBody = 1865 isInLoopBody(PM, getStmtBeforeCond(PM, TermCond, N), Term); 1866 1867 const char *str = nullptr; 1868 1869 if (isJumpToFalseBranch(&*BE)) { 1870 if (!IsInLoopBody) { 1871 if (isa<ObjCForCollectionStmt>(Term)) { 1872 str = StrLoopCollectionEmpty; 1873 } else if (isa<CXXForRangeStmt>(Term)) { 1874 str = StrLoopRangeEmpty; 1875 } else { 1876 str = StrLoopBodyZero; 1877 } 1878 } 1879 } else { 1880 str = StrEnteringLoop; 1881 } 1882 1883 if (str) { 1884 PathDiagnosticLocation L(TermCond ? TermCond : Term, SM, PDB.LC); 1885 auto PE = std::make_shared<PathDiagnosticEventPiece>(L, str); 1886 PE->setPrunable(true); 1887 addEdgeToPath(PD.getActivePath(), PrevLoc, 1888 PE->getLocation(), PDB.LC); 1889 PD.getActivePath().push_front(std::move(PE)); 1890 } 1891 } else if (isa<BreakStmt>(Term) || isa<ContinueStmt>(Term) || 1892 isa<GotoStmt>(Term)) { 1893 PathDiagnosticLocation L(Term, SM, PDB.LC); 1894 addEdgeToPath(PD.getActivePath(), PrevLoc, L, PDB.LC); 1895 } 1896 } 1897 } 1898 } 1899 1900 static bool GenerateAlternateExtensivePathDiagnostic( 1901 PathDiagnostic &PD, PathDiagnosticBuilder &PDB, const ExplodedNode *N, 1902 LocationContextMap &LCM, 1903 ArrayRef<std::unique_ptr<BugReporterVisitor>> visitors) { 1904 BugReport *report = PDB.getBugReport(); 1905 const SourceManager& SM = PDB.getSourceManager(); 1906 StackDiagVector CallStack; 1907 InterestingExprs IE; 1908 1909 PathDiagnosticLocation PrevLoc = PD.getLocation(); 1910 1911 const ExplodedNode *NextNode = N->getFirstPred(); 1912 while (NextNode) { 1913 N = NextNode; 1914 NextNode = N->getFirstPred(); 1915 1916 generateAlternateExtensiveDiagnosticsForNode( 1917 N, PD, PrevLoc, PDB, LCM, CallStack, IE); 1918 1919 if (!NextNode) 1920 continue; 1921 1922 // Add pieces from custom visitors. 1923 llvm::FoldingSet<PathDiagnosticPiece> DeduplicationSet; 1924 for (auto &V : visitors) { 1925 if (auto p = V->VisitNode(N, NextNode, PDB, *report)) { 1926 if (DeduplicationSet.GetOrInsertNode(p.get()) != p.get()) 1927 continue; 1928 1929 addEdgeToPath(PD.getActivePath(), PrevLoc, p->getLocation(), PDB.LC); 1930 updateStackPiecesWithMessage(*p, CallStack); 1931 PD.getActivePath().push_front(std::move(p)); 1932 } 1933 } 1934 } 1935 1936 // Add an edge to the start of the function. 1937 // We'll prune it out later, but it helps make diagnostics more uniform. 1938 const StackFrameContext *CalleeLC = PDB.LC->getCurrentStackFrame(); 1939 const Decl *D = CalleeLC->getDecl(); 1940 addEdgeToPath(PD.getActivePath(), PrevLoc, 1941 PathDiagnosticLocation::createBegin(D, SM), 1942 CalleeLC); 1943 1944 return report->isValid(); 1945 } 1946 1947 static const Stmt *getLocStmt(PathDiagnosticLocation L) { 1948 if (!L.isValid()) 1949 return nullptr; 1950 return L.asStmt(); 1951 } 1952 1953 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) { 1954 if (!S) 1955 return nullptr; 1956 1957 while (true) { 1958 S = PM.getParentIgnoreParens(S); 1959 1960 if (!S) 1961 break; 1962 1963 if (isa<ExprWithCleanups>(S) || 1964 isa<CXXBindTemporaryExpr>(S) || 1965 isa<SubstNonTypeTemplateParmExpr>(S)) 1966 continue; 1967 1968 break; 1969 } 1970 1971 return S; 1972 } 1973 1974 static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) { 1975 switch (S->getStmtClass()) { 1976 case Stmt::BinaryOperatorClass: { 1977 const auto *BO = cast<BinaryOperator>(S); 1978 if (!BO->isLogicalOp()) 1979 return false; 1980 return BO->getLHS() == Cond || BO->getRHS() == Cond; 1981 } 1982 case Stmt::IfStmtClass: 1983 return cast<IfStmt>(S)->getCond() == Cond; 1984 case Stmt::ForStmtClass: 1985 return cast<ForStmt>(S)->getCond() == Cond; 1986 case Stmt::WhileStmtClass: 1987 return cast<WhileStmt>(S)->getCond() == Cond; 1988 case Stmt::DoStmtClass: 1989 return cast<DoStmt>(S)->getCond() == Cond; 1990 case Stmt::ChooseExprClass: 1991 return cast<ChooseExpr>(S)->getCond() == Cond; 1992 case Stmt::IndirectGotoStmtClass: 1993 return cast<IndirectGotoStmt>(S)->getTarget() == Cond; 1994 case Stmt::SwitchStmtClass: 1995 return cast<SwitchStmt>(S)->getCond() == Cond; 1996 case Stmt::BinaryConditionalOperatorClass: 1997 return cast<BinaryConditionalOperator>(S)->getCond() == Cond; 1998 case Stmt::ConditionalOperatorClass: { 1999 const auto *CO = cast<ConditionalOperator>(S); 2000 return CO->getCond() == Cond || 2001 CO->getLHS() == Cond || 2002 CO->getRHS() == Cond; 2003 } 2004 case Stmt::ObjCForCollectionStmtClass: 2005 return cast<ObjCForCollectionStmt>(S)->getElement() == Cond; 2006 case Stmt::CXXForRangeStmtClass: { 2007 const auto *FRS = cast<CXXForRangeStmt>(S); 2008 return FRS->getCond() == Cond || FRS->getRangeInit() == Cond; 2009 } 2010 default: 2011 return false; 2012 } 2013 } 2014 2015 static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) { 2016 if (const auto *FS = dyn_cast<ForStmt>(FL)) 2017 return FS->getInc() == S || FS->getInit() == S; 2018 if (const auto *FRS = dyn_cast<CXXForRangeStmt>(FL)) 2019 return FRS->getInc() == S || FRS->getRangeStmt() == S || 2020 FRS->getLoopVarStmt() || FRS->getRangeInit() == S; 2021 return false; 2022 } 2023 2024 using OptimizedCallsSet = llvm::DenseSet<const PathDiagnosticCallPiece *>; 2025 2026 /// Adds synthetic edges from top-level statements to their subexpressions. 2027 /// 2028 /// This avoids a "swoosh" effect, where an edge from a top-level statement A 2029 /// points to a sub-expression B.1 that's not at the start of B. In these cases, 2030 /// we'd like to see an edge from A to B, then another one from B to B.1. 2031 static void addContextEdges(PathPieces &pieces, SourceManager &SM, 2032 const ParentMap &PM, const LocationContext *LCtx) { 2033 PathPieces::iterator Prev = pieces.end(); 2034 for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E; 2035 Prev = I, ++I) { 2036 auto *Piece = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 2037 2038 if (!Piece) 2039 continue; 2040 2041 PathDiagnosticLocation SrcLoc = Piece->getStartLocation(); 2042 SmallVector<PathDiagnosticLocation, 4> SrcContexts; 2043 2044 PathDiagnosticLocation NextSrcContext = SrcLoc; 2045 const Stmt *InnerStmt = nullptr; 2046 while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) { 2047 SrcContexts.push_back(NextSrcContext); 2048 InnerStmt = NextSrcContext.asStmt(); 2049 NextSrcContext = getEnclosingStmtLocation(InnerStmt, SM, PM, LCtx, 2050 /*allowNested=*/true); 2051 } 2052 2053 // Repeatedly split the edge as necessary. 2054 // This is important for nested logical expressions (||, &&, ?:) where we 2055 // want to show all the levels of context. 2056 while (true) { 2057 const Stmt *Dst = getLocStmt(Piece->getEndLocation()); 2058 2059 // We are looking at an edge. Is the destination within a larger 2060 // expression? 2061 PathDiagnosticLocation DstContext = 2062 getEnclosingStmtLocation(Dst, SM, PM, LCtx, /*allowNested=*/true); 2063 if (!DstContext.isValid() || DstContext.asStmt() == Dst) 2064 break; 2065 2066 // If the source is in the same context, we're already good. 2067 if (std::find(SrcContexts.begin(), SrcContexts.end(), DstContext) != 2068 SrcContexts.end()) 2069 break; 2070 2071 // Update the subexpression node to point to the context edge. 2072 Piece->setStartLocation(DstContext); 2073 2074 // Try to extend the previous edge if it's at the same level as the source 2075 // context. 2076 if (Prev != E) { 2077 auto *PrevPiece = dyn_cast<PathDiagnosticControlFlowPiece>(Prev->get()); 2078 2079 if (PrevPiece) { 2080 if (const Stmt *PrevSrc = getLocStmt(PrevPiece->getStartLocation())) { 2081 const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM); 2082 if (PrevSrcParent == getStmtParent(getLocStmt(DstContext), PM)) { 2083 PrevPiece->setEndLocation(DstContext); 2084 break; 2085 } 2086 } 2087 } 2088 } 2089 2090 // Otherwise, split the current edge into a context edge and a 2091 // subexpression edge. Note that the context statement may itself have 2092 // context. 2093 auto P = 2094 std::make_shared<PathDiagnosticControlFlowPiece>(SrcLoc, DstContext); 2095 Piece = P.get(); 2096 I = pieces.insert(I, std::move(P)); 2097 } 2098 } 2099 } 2100 2101 /// \brief Move edges from a branch condition to a branch target 2102 /// when the condition is simple. 2103 /// 2104 /// This restructures some of the work of addContextEdges. That function 2105 /// creates edges this may destroy, but they work together to create a more 2106 /// aesthetically set of edges around branches. After the call to 2107 /// addContextEdges, we may have (1) an edge to the branch, (2) an edge from 2108 /// the branch to the branch condition, and (3) an edge from the branch 2109 /// condition to the branch target. We keep (1), but may wish to remove (2) 2110 /// and move the source of (3) to the branch if the branch condition is simple. 2111 static void simplifySimpleBranches(PathPieces &pieces) { 2112 for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) { 2113 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 2114 2115 if (!PieceI) 2116 continue; 2117 2118 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation()); 2119 const Stmt *s1End = getLocStmt(PieceI->getEndLocation()); 2120 2121 if (!s1Start || !s1End) 2122 continue; 2123 2124 PathPieces::iterator NextI = I; ++NextI; 2125 if (NextI == E) 2126 break; 2127 2128 PathDiagnosticControlFlowPiece *PieceNextI = nullptr; 2129 2130 while (true) { 2131 if (NextI == E) 2132 break; 2133 2134 const auto *EV = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 2135 if (EV) { 2136 StringRef S = EV->getString(); 2137 if (S == StrEnteringLoop || S == StrLoopBodyZero || 2138 S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) { 2139 ++NextI; 2140 continue; 2141 } 2142 break; 2143 } 2144 2145 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 2146 break; 2147 } 2148 2149 if (!PieceNextI) 2150 continue; 2151 2152 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation()); 2153 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation()); 2154 2155 if (!s2Start || !s2End || s1End != s2Start) 2156 continue; 2157 2158 // We only perform this transformation for specific branch kinds. 2159 // We don't want to do this for do..while, for example. 2160 if (!(isa<ForStmt>(s1Start) || isa<WhileStmt>(s1Start) || 2161 isa<IfStmt>(s1Start) || isa<ObjCForCollectionStmt>(s1Start) || 2162 isa<CXXForRangeStmt>(s1Start))) 2163 continue; 2164 2165 // Is s1End the branch condition? 2166 if (!isConditionForTerminator(s1Start, s1End)) 2167 continue; 2168 2169 // Perform the hoisting by eliminating (2) and changing the start 2170 // location of (3). 2171 PieceNextI->setStartLocation(PieceI->getStartLocation()); 2172 I = pieces.erase(I); 2173 } 2174 } 2175 2176 /// Returns the number of bytes in the given (character-based) SourceRange. 2177 /// 2178 /// If the locations in the range are not on the same line, returns None. 2179 /// 2180 /// Note that this does not do a precise user-visible character or column count. 2181 static Optional<size_t> getLengthOnSingleLine(SourceManager &SM, 2182 SourceRange Range) { 2183 SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()), 2184 SM.getExpansionRange(Range.getEnd()).second); 2185 2186 FileID FID = SM.getFileID(ExpansionRange.getBegin()); 2187 if (FID != SM.getFileID(ExpansionRange.getEnd())) 2188 return None; 2189 2190 bool Invalid; 2191 const llvm::MemoryBuffer *Buffer = SM.getBuffer(FID, &Invalid); 2192 if (Invalid) 2193 return None; 2194 2195 unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin()); 2196 unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd()); 2197 StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset); 2198 2199 // We're searching the raw bytes of the buffer here, which might include 2200 // escaped newlines and such. That's okay; we're trying to decide whether the 2201 // SourceRange is covering a large or small amount of space in the user's 2202 // editor. 2203 if (Snippet.find_first_of("\r\n") != StringRef::npos) 2204 return None; 2205 2206 // This isn't Unicode-aware, but it doesn't need to be. 2207 return Snippet.size(); 2208 } 2209 2210 /// \sa getLengthOnSingleLine(SourceManager, SourceRange) 2211 static Optional<size_t> getLengthOnSingleLine(SourceManager &SM, 2212 const Stmt *S) { 2213 return getLengthOnSingleLine(SM, S->getSourceRange()); 2214 } 2215 2216 /// Eliminate two-edge cycles created by addContextEdges(). 2217 /// 2218 /// Once all the context edges are in place, there are plenty of cases where 2219 /// there's a single edge from a top-level statement to a subexpression, 2220 /// followed by a single path note, and then a reverse edge to get back out to 2221 /// the top level. If the statement is simple enough, the subexpression edges 2222 /// just add noise and make it harder to understand what's going on. 2223 /// 2224 /// This function only removes edges in pairs, because removing only one edge 2225 /// might leave other edges dangling. 2226 /// 2227 /// This will not remove edges in more complicated situations: 2228 /// - if there is more than one "hop" leading to or from a subexpression. 2229 /// - if there is an inlined call between the edges instead of a single event. 2230 /// - if the whole statement is large enough that having subexpression arrows 2231 /// might be helpful. 2232 static void removeContextCycles(PathPieces &Path, SourceManager &SM, 2233 ParentMap &PM) { 2234 for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) { 2235 // Pattern match the current piece and its successor. 2236 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 2237 2238 if (!PieceI) { 2239 ++I; 2240 continue; 2241 } 2242 2243 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation()); 2244 const Stmt *s1End = getLocStmt(PieceI->getEndLocation()); 2245 2246 PathPieces::iterator NextI = I; ++NextI; 2247 if (NextI == E) 2248 break; 2249 2250 const auto *PieceNextI = 2251 dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 2252 2253 if (!PieceNextI) { 2254 if (isa<PathDiagnosticEventPiece>(NextI->get())) { 2255 ++NextI; 2256 if (NextI == E) 2257 break; 2258 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 2259 } 2260 2261 if (!PieceNextI) { 2262 ++I; 2263 continue; 2264 } 2265 } 2266 2267 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation()); 2268 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation()); 2269 2270 if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) { 2271 const size_t MAX_SHORT_LINE_LENGTH = 80; 2272 Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start); 2273 if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) { 2274 Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start); 2275 if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) { 2276 Path.erase(I); 2277 I = Path.erase(NextI); 2278 continue; 2279 } 2280 } 2281 } 2282 2283 ++I; 2284 } 2285 } 2286 2287 /// \brief Return true if X is contained by Y. 2288 static bool lexicalContains(ParentMap &PM, const Stmt *X, const Stmt *Y) { 2289 while (X) { 2290 if (X == Y) 2291 return true; 2292 X = PM.getParent(X); 2293 } 2294 return false; 2295 } 2296 2297 // Remove short edges on the same line less than 3 columns in difference. 2298 static void removePunyEdges(PathPieces &path, SourceManager &SM, 2299 ParentMap &PM) { 2300 bool erased = false; 2301 2302 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; 2303 erased ? I : ++I) { 2304 erased = false; 2305 2306 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 2307 2308 if (!PieceI) 2309 continue; 2310 2311 const Stmt *start = getLocStmt(PieceI->getStartLocation()); 2312 const Stmt *end = getLocStmt(PieceI->getEndLocation()); 2313 2314 if (!start || !end) 2315 continue; 2316 2317 const Stmt *endParent = PM.getParent(end); 2318 if (!endParent) 2319 continue; 2320 2321 if (isConditionForTerminator(end, endParent)) 2322 continue; 2323 2324 SourceLocation FirstLoc = start->getLocStart(); 2325 SourceLocation SecondLoc = end->getLocStart(); 2326 2327 if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc)) 2328 continue; 2329 if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc)) 2330 std::swap(SecondLoc, FirstLoc); 2331 2332 SourceRange EdgeRange(FirstLoc, SecondLoc); 2333 Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange); 2334 2335 // If the statements are on different lines, continue. 2336 if (!ByteWidth) 2337 continue; 2338 2339 const size_t MAX_PUNY_EDGE_LENGTH = 2; 2340 if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) { 2341 // FIXME: There are enough /bytes/ between the endpoints of the edge, but 2342 // there might not be enough /columns/. A proper user-visible column count 2343 // is probably too expensive, though. 2344 I = path.erase(I); 2345 erased = true; 2346 continue; 2347 } 2348 } 2349 } 2350 2351 static void removeIdenticalEvents(PathPieces &path) { 2352 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) { 2353 const auto *PieceI = dyn_cast<PathDiagnosticEventPiece>(I->get()); 2354 2355 if (!PieceI) 2356 continue; 2357 2358 PathPieces::iterator NextI = I; ++NextI; 2359 if (NextI == E) 2360 return; 2361 2362 const auto *PieceNextI = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 2363 2364 if (!PieceNextI) 2365 continue; 2366 2367 // Erase the second piece if it has the same exact message text. 2368 if (PieceI->getString() == PieceNextI->getString()) { 2369 path.erase(NextI); 2370 } 2371 } 2372 } 2373 2374 static bool optimizeEdges(PathPieces &path, SourceManager &SM, 2375 OptimizedCallsSet &OCS, 2376 LocationContextMap &LCM) { 2377 bool hasChanges = false; 2378 const LocationContext *LC = LCM[&path]; 2379 assert(LC); 2380 ParentMap &PM = LC->getParentMap(); 2381 2382 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) { 2383 // Optimize subpaths. 2384 if (auto *CallI = dyn_cast<PathDiagnosticCallPiece>(I->get())) { 2385 // Record the fact that a call has been optimized so we only do the 2386 // effort once. 2387 if (!OCS.count(CallI)) { 2388 while (optimizeEdges(CallI->path, SM, OCS, LCM)) {} 2389 OCS.insert(CallI); 2390 } 2391 ++I; 2392 continue; 2393 } 2394 2395 // Pattern match the current piece and its successor. 2396 auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 2397 2398 if (!PieceI) { 2399 ++I; 2400 continue; 2401 } 2402 2403 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation()); 2404 const Stmt *s1End = getLocStmt(PieceI->getEndLocation()); 2405 const Stmt *level1 = getStmtParent(s1Start, PM); 2406 const Stmt *level2 = getStmtParent(s1End, PM); 2407 2408 PathPieces::iterator NextI = I; ++NextI; 2409 if (NextI == E) 2410 break; 2411 2412 const auto *PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 2413 2414 if (!PieceNextI) { 2415 ++I; 2416 continue; 2417 } 2418 2419 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation()); 2420 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation()); 2421 const Stmt *level3 = getStmtParent(s2Start, PM); 2422 const Stmt *level4 = getStmtParent(s2End, PM); 2423 2424 // Rule I. 2425 // 2426 // If we have two consecutive control edges whose end/begin locations 2427 // are at the same level (e.g. statements or top-level expressions within 2428 // a compound statement, or siblings share a single ancestor expression), 2429 // then merge them if they have no interesting intermediate event. 2430 // 2431 // For example: 2432 // 2433 // (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common 2434 // parent is '1'. Here 'x.y.z' represents the hierarchy of statements. 2435 // 2436 // NOTE: this will be limited later in cases where we add barriers 2437 // to prevent this optimization. 2438 if (level1 && level1 == level2 && level1 == level3 && level1 == level4) { 2439 PieceI->setEndLocation(PieceNextI->getEndLocation()); 2440 path.erase(NextI); 2441 hasChanges = true; 2442 continue; 2443 } 2444 2445 // Rule II. 2446 // 2447 // Eliminate edges between subexpressions and parent expressions 2448 // when the subexpression is consumed. 2449 // 2450 // NOTE: this will be limited later in cases where we add barriers 2451 // to prevent this optimization. 2452 if (s1End && s1End == s2Start && level2) { 2453 bool removeEdge = false; 2454 // Remove edges into the increment or initialization of a 2455 // loop that have no interleaving event. This means that 2456 // they aren't interesting. 2457 if (isIncrementOrInitInForLoop(s1End, level2)) 2458 removeEdge = true; 2459 // Next only consider edges that are not anchored on 2460 // the condition of a terminator. This are intermediate edges 2461 // that we might want to trim. 2462 else if (!isConditionForTerminator(level2, s1End)) { 2463 // Trim edges on expressions that are consumed by 2464 // the parent expression. 2465 if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) { 2466 removeEdge = true; 2467 } 2468 // Trim edges where a lexical containment doesn't exist. 2469 // For example: 2470 // 2471 // X -> Y -> Z 2472 // 2473 // If 'Z' lexically contains Y (it is an ancestor) and 2474 // 'X' does not lexically contain Y (it is a descendant OR 2475 // it has no lexical relationship at all) then trim. 2476 // 2477 // This can eliminate edges where we dive into a subexpression 2478 // and then pop back out, etc. 2479 else if (s1Start && s2End && 2480 lexicalContains(PM, s2Start, s2End) && 2481 !lexicalContains(PM, s1End, s1Start)) { 2482 removeEdge = true; 2483 } 2484 // Trim edges from a subexpression back to the top level if the 2485 // subexpression is on a different line. 2486 // 2487 // A.1 -> A -> B 2488 // becomes 2489 // A.1 -> B 2490 // 2491 // These edges just look ugly and don't usually add anything. 2492 else if (s1Start && s2End && 2493 lexicalContains(PM, s1Start, s1End)) { 2494 SourceRange EdgeRange(PieceI->getEndLocation().asLocation(), 2495 PieceI->getStartLocation().asLocation()); 2496 if (!getLengthOnSingleLine(SM, EdgeRange).hasValue()) 2497 removeEdge = true; 2498 } 2499 } 2500 2501 if (removeEdge) { 2502 PieceI->setEndLocation(PieceNextI->getEndLocation()); 2503 path.erase(NextI); 2504 hasChanges = true; 2505 continue; 2506 } 2507 } 2508 2509 // Optimize edges for ObjC fast-enumeration loops. 2510 // 2511 // (X -> collection) -> (collection -> element) 2512 // 2513 // becomes: 2514 // 2515 // (X -> element) 2516 if (s1End == s2Start) { 2517 const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(level3); 2518 if (FS && FS->getCollection()->IgnoreParens() == s2Start && 2519 s2End == FS->getElement()) { 2520 PieceI->setEndLocation(PieceNextI->getEndLocation()); 2521 path.erase(NextI); 2522 hasChanges = true; 2523 continue; 2524 } 2525 } 2526 2527 // No changes at this index? Move to the next one. 2528 ++I; 2529 } 2530 2531 if (!hasChanges) { 2532 // Adjust edges into subexpressions to make them more uniform 2533 // and aesthetically pleasing. 2534 addContextEdges(path, SM, PM, LC); 2535 // Remove "cyclical" edges that include one or more context edges. 2536 removeContextCycles(path, SM, PM); 2537 // Hoist edges originating from branch conditions to branches 2538 // for simple branches. 2539 simplifySimpleBranches(path); 2540 // Remove any puny edges left over after primary optimization pass. 2541 removePunyEdges(path, SM, PM); 2542 // Remove identical events. 2543 removeIdenticalEvents(path); 2544 } 2545 2546 return hasChanges; 2547 } 2548 2549 /// Drop the very first edge in a path, which should be a function entry edge. 2550 /// 2551 /// If the first edge is not a function entry edge (say, because the first 2552 /// statement had an invalid source location), this function does nothing. 2553 // FIXME: We should just generate invalid edges anyway and have the optimizer 2554 // deal with them. 2555 static void dropFunctionEntryEdge(PathPieces &Path, LocationContextMap &LCM, 2556 SourceManager &SM) { 2557 const auto *FirstEdge = 2558 dyn_cast<PathDiagnosticControlFlowPiece>(Path.front().get()); 2559 if (!FirstEdge) 2560 return; 2561 2562 const Decl *D = LCM[&Path]->getDecl(); 2563 PathDiagnosticLocation EntryLoc = PathDiagnosticLocation::createBegin(D, SM); 2564 if (FirstEdge->getStartLocation() != EntryLoc) 2565 return; 2566 2567 Path.pop_front(); 2568 } 2569 2570 //===----------------------------------------------------------------------===// 2571 // Methods for BugType and subclasses. 2572 //===----------------------------------------------------------------------===// 2573 2574 void BugType::anchor() {} 2575 2576 void BugType::FlushReports(BugReporter &BR) {} 2577 2578 void BuiltinBug::anchor() {} 2579 2580 //===----------------------------------------------------------------------===// 2581 // Methods for BugReport and subclasses. 2582 //===----------------------------------------------------------------------===// 2583 2584 void BugReport::NodeResolver::anchor() {} 2585 2586 void BugReport::addVisitor(std::unique_ptr<BugReporterVisitor> visitor) { 2587 if (!visitor) 2588 return; 2589 2590 llvm::FoldingSetNodeID ID; 2591 visitor->Profile(ID); 2592 void *InsertPos; 2593 2594 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) 2595 return; 2596 2597 CallbacksSet.InsertNode(visitor.get(), InsertPos); 2598 Callbacks.push_back(std::move(visitor)); 2599 ++ConfigurationChangeToken; 2600 } 2601 2602 BugReport::~BugReport() { 2603 while (!interestingSymbols.empty()) { 2604 popInterestingSymbolsAndRegions(); 2605 } 2606 } 2607 2608 const Decl *BugReport::getDeclWithIssue() const { 2609 if (DeclWithIssue) 2610 return DeclWithIssue; 2611 2612 const ExplodedNode *N = getErrorNode(); 2613 if (!N) 2614 return nullptr; 2615 2616 const LocationContext *LC = N->getLocationContext(); 2617 return LC->getCurrentStackFrame()->getDecl(); 2618 } 2619 2620 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 2621 hash.AddPointer(&BT); 2622 hash.AddString(Description); 2623 PathDiagnosticLocation UL = getUniqueingLocation(); 2624 if (UL.isValid()) { 2625 UL.Profile(hash); 2626 } else if (Location.isValid()) { 2627 Location.Profile(hash); 2628 } else { 2629 assert(ErrorNode); 2630 hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode)); 2631 } 2632 2633 for (SourceRange range : Ranges) { 2634 if (!range.isValid()) 2635 continue; 2636 hash.AddInteger(range.getBegin().getRawEncoding()); 2637 hash.AddInteger(range.getEnd().getRawEncoding()); 2638 } 2639 } 2640 2641 void BugReport::markInteresting(SymbolRef sym) { 2642 if (!sym) 2643 return; 2644 2645 // If the symbol wasn't already in our set, note a configuration change. 2646 if (getInterestingSymbols().insert(sym).second) 2647 ++ConfigurationChangeToken; 2648 2649 if (const auto *meta = dyn_cast<SymbolMetadata>(sym)) 2650 getInterestingRegions().insert(meta->getRegion()); 2651 } 2652 2653 void BugReport::markInteresting(const MemRegion *R) { 2654 if (!R) 2655 return; 2656 2657 // If the base region wasn't already in our set, note a configuration change. 2658 R = R->getBaseRegion(); 2659 if (getInterestingRegions().insert(R).second) 2660 ++ConfigurationChangeToken; 2661 2662 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2663 getInterestingSymbols().insert(SR->getSymbol()); 2664 } 2665 2666 void BugReport::markInteresting(SVal V) { 2667 markInteresting(V.getAsRegion()); 2668 markInteresting(V.getAsSymbol()); 2669 } 2670 2671 void BugReport::markInteresting(const LocationContext *LC) { 2672 if (!LC) 2673 return; 2674 InterestingLocationContexts.insert(LC); 2675 } 2676 2677 bool BugReport::isInteresting(SVal V) { 2678 return isInteresting(V.getAsRegion()) || isInteresting(V.getAsSymbol()); 2679 } 2680 2681 bool BugReport::isInteresting(SymbolRef sym) { 2682 if (!sym) 2683 return false; 2684 // We don't currently consider metadata symbols to be interesting 2685 // even if we know their region is interesting. Is that correct behavior? 2686 return getInterestingSymbols().count(sym); 2687 } 2688 2689 bool BugReport::isInteresting(const MemRegion *R) { 2690 if (!R) 2691 return false; 2692 R = R->getBaseRegion(); 2693 bool b = getInterestingRegions().count(R); 2694 if (b) 2695 return true; 2696 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2697 return getInterestingSymbols().count(SR->getSymbol()); 2698 return false; 2699 } 2700 2701 bool BugReport::isInteresting(const LocationContext *LC) { 2702 if (!LC) 2703 return false; 2704 return InterestingLocationContexts.count(LC); 2705 } 2706 2707 void BugReport::lazyInitializeInterestingSets() { 2708 if (interestingSymbols.empty()) { 2709 interestingSymbols.push_back(new Symbols()); 2710 interestingRegions.push_back(new Regions()); 2711 } 2712 } 2713 2714 BugReport::Symbols &BugReport::getInterestingSymbols() { 2715 lazyInitializeInterestingSets(); 2716 return *interestingSymbols.back(); 2717 } 2718 2719 BugReport::Regions &BugReport::getInterestingRegions() { 2720 lazyInitializeInterestingSets(); 2721 return *interestingRegions.back(); 2722 } 2723 2724 void BugReport::pushInterestingSymbolsAndRegions() { 2725 interestingSymbols.push_back(new Symbols(getInterestingSymbols())); 2726 interestingRegions.push_back(new Regions(getInterestingRegions())); 2727 } 2728 2729 void BugReport::popInterestingSymbolsAndRegions() { 2730 delete interestingSymbols.pop_back_val(); 2731 delete interestingRegions.pop_back_val(); 2732 } 2733 2734 const Stmt *BugReport::getStmt() const { 2735 if (!ErrorNode) 2736 return nullptr; 2737 2738 ProgramPoint ProgP = ErrorNode->getLocation(); 2739 const Stmt *S = nullptr; 2740 2741 if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) { 2742 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 2743 if (BE->getBlock() == &Exit) 2744 S = GetPreviousStmt(ErrorNode); 2745 } 2746 if (!S) 2747 S = PathDiagnosticLocation::getStmt(ErrorNode); 2748 2749 return S; 2750 } 2751 2752 llvm::iterator_range<BugReport::ranges_iterator> BugReport::getRanges() { 2753 // If no custom ranges, add the range of the statement corresponding to 2754 // the error node. 2755 if (Ranges.empty()) { 2756 if (const auto *E = dyn_cast_or_null<Expr>(getStmt())) 2757 addRange(E->getSourceRange()); 2758 else 2759 return llvm::make_range(ranges_iterator(), ranges_iterator()); 2760 } 2761 2762 // User-specified absence of range info. 2763 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 2764 return llvm::make_range(ranges_iterator(), ranges_iterator()); 2765 2766 return llvm::make_range(Ranges.begin(), Ranges.end()); 2767 } 2768 2769 PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const { 2770 if (ErrorNode) { 2771 assert(!Location.isValid() && 2772 "Either Location or ErrorNode should be specified but not both."); 2773 return PathDiagnosticLocation::createEndOfPath(ErrorNode, SM); 2774 } 2775 2776 assert(Location.isValid()); 2777 return Location; 2778 } 2779 2780 //===----------------------------------------------------------------------===// 2781 // Methods for BugReporter and subclasses. 2782 //===----------------------------------------------------------------------===// 2783 2784 BugReportEquivClass::~BugReportEquivClass() = default; 2785 2786 GRBugReporter::~GRBugReporter() = default; 2787 2788 BugReporterData::~BugReporterData() = default; 2789 2790 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 2791 2792 ProgramStateManager& 2793 GRBugReporter::getStateManager() { return Eng.getStateManager(); } 2794 2795 BugReporter::~BugReporter() { 2796 FlushReports(); 2797 2798 // Free the bug reports we are tracking. 2799 for (const auto I : EQClassesVector) 2800 delete I; 2801 } 2802 2803 void BugReporter::FlushReports() { 2804 if (BugTypes.isEmpty()) 2805 return; 2806 2807 // First flush the warnings for each BugType. This may end up creating new 2808 // warnings and new BugTypes. 2809 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 2810 // Turn NSErrorChecker into a proper checker and remove this. 2811 SmallVector<const BugType *, 16> bugTypes(BugTypes.begin(), BugTypes.end()); 2812 for (const auto I : bugTypes) 2813 const_cast<BugType*>(I)->FlushReports(*this); 2814 2815 // We need to flush reports in deterministic order to ensure the order 2816 // of the reports is consistent between runs. 2817 for (const auto EQ : EQClassesVector) 2818 FlushReport(*EQ); 2819 2820 // BugReporter owns and deletes only BugTypes created implicitly through 2821 // EmitBasicReport. 2822 // FIXME: There are leaks from checkers that assume that the BugTypes they 2823 // create will be destroyed by the BugReporter. 2824 llvm::DeleteContainerSeconds(StrBugTypes); 2825 2826 // Remove all references to the BugType objects. 2827 BugTypes = F.getEmptySet(); 2828 } 2829 2830 //===----------------------------------------------------------------------===// 2831 // PathDiagnostics generation. 2832 //===----------------------------------------------------------------------===// 2833 2834 namespace { 2835 2836 /// A wrapper around a report graph, which contains only a single path, and its 2837 /// node maps. 2838 class ReportGraph { 2839 public: 2840 InterExplodedGraphMap BackMap; 2841 std::unique_ptr<ExplodedGraph> Graph; 2842 const ExplodedNode *ErrorNode; 2843 size_t Index; 2844 }; 2845 2846 /// A wrapper around a trimmed graph and its node maps. 2847 class TrimmedGraph { 2848 InterExplodedGraphMap InverseMap; 2849 2850 using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>; 2851 2852 PriorityMapTy PriorityMap; 2853 2854 using NodeIndexPair = std::pair<const ExplodedNode *, size_t>; 2855 2856 SmallVector<NodeIndexPair, 32> ReportNodes; 2857 2858 std::unique_ptr<ExplodedGraph> G; 2859 2860 /// A helper class for sorting ExplodedNodes by priority. 2861 template <bool Descending> 2862 class PriorityCompare { 2863 const PriorityMapTy &PriorityMap; 2864 2865 public: 2866 PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {} 2867 2868 bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const { 2869 PriorityMapTy::const_iterator LI = PriorityMap.find(LHS); 2870 PriorityMapTy::const_iterator RI = PriorityMap.find(RHS); 2871 PriorityMapTy::const_iterator E = PriorityMap.end(); 2872 2873 if (LI == E) 2874 return Descending; 2875 if (RI == E) 2876 return !Descending; 2877 2878 return Descending ? LI->second > RI->second 2879 : LI->second < RI->second; 2880 } 2881 2882 bool operator()(const NodeIndexPair &LHS, const NodeIndexPair &RHS) const { 2883 return (*this)(LHS.first, RHS.first); 2884 } 2885 }; 2886 2887 public: 2888 TrimmedGraph(const ExplodedGraph *OriginalGraph, 2889 ArrayRef<const ExplodedNode *> Nodes); 2890 2891 bool popNextReportGraph(ReportGraph &GraphWrapper); 2892 }; 2893 2894 } // namespace 2895 2896 TrimmedGraph::TrimmedGraph(const ExplodedGraph *OriginalGraph, 2897 ArrayRef<const ExplodedNode *> Nodes) { 2898 // The trimmed graph is created in the body of the constructor to ensure 2899 // that the DenseMaps have been initialized already. 2900 InterExplodedGraphMap ForwardMap; 2901 G = OriginalGraph->trim(Nodes, &ForwardMap, &InverseMap); 2902 2903 // Find the (first) error node in the trimmed graph. We just need to consult 2904 // the node map which maps from nodes in the original graph to nodes 2905 // in the new graph. 2906 llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes; 2907 2908 for (unsigned i = 0, count = Nodes.size(); i < count; ++i) { 2909 if (const ExplodedNode *NewNode = ForwardMap.lookup(Nodes[i])) { 2910 ReportNodes.push_back(std::make_pair(NewNode, i)); 2911 RemainingNodes.insert(NewNode); 2912 } 2913 } 2914 2915 assert(!RemainingNodes.empty() && "No error node found in the trimmed graph"); 2916 2917 // Perform a forward BFS to find all the shortest paths. 2918 std::queue<const ExplodedNode *> WS; 2919 2920 assert(G->num_roots() == 1); 2921 WS.push(*G->roots_begin()); 2922 unsigned Priority = 0; 2923 2924 while (!WS.empty()) { 2925 const ExplodedNode *Node = WS.front(); 2926 WS.pop(); 2927 2928 PriorityMapTy::iterator PriorityEntry; 2929 bool IsNew; 2930 std::tie(PriorityEntry, IsNew) = 2931 PriorityMap.insert(std::make_pair(Node, Priority)); 2932 ++Priority; 2933 2934 if (!IsNew) { 2935 assert(PriorityEntry->second <= Priority); 2936 continue; 2937 } 2938 2939 if (RemainingNodes.erase(Node)) 2940 if (RemainingNodes.empty()) 2941 break; 2942 2943 for (ExplodedNode::const_pred_iterator I = Node->succ_begin(), 2944 E = Node->succ_end(); 2945 I != E; ++I) 2946 WS.push(*I); 2947 } 2948 2949 // Sort the error paths from longest to shortest. 2950 std::sort(ReportNodes.begin(), ReportNodes.end(), 2951 PriorityCompare<true>(PriorityMap)); 2952 } 2953 2954 bool TrimmedGraph::popNextReportGraph(ReportGraph &GraphWrapper) { 2955 if (ReportNodes.empty()) 2956 return false; 2957 2958 const ExplodedNode *OrigN; 2959 std::tie(OrigN, GraphWrapper.Index) = ReportNodes.pop_back_val(); 2960 assert(PriorityMap.find(OrigN) != PriorityMap.end() && 2961 "error node not accessible from root"); 2962 2963 // Create a new graph with a single path. This is the graph 2964 // that will be returned to the caller. 2965 auto GNew = llvm::make_unique<ExplodedGraph>(); 2966 GraphWrapper.BackMap.clear(); 2967 2968 // Now walk from the error node up the BFS path, always taking the 2969 // predeccessor with the lowest number. 2970 ExplodedNode *Succ = nullptr; 2971 while (true) { 2972 // Create the equivalent node in the new graph with the same state 2973 // and location. 2974 ExplodedNode *NewN = GNew->createUncachedNode(OrigN->getLocation(), OrigN->getState(), 2975 OrigN->isSink()); 2976 2977 // Store the mapping to the original node. 2978 InterExplodedGraphMap::const_iterator IMitr = InverseMap.find(OrigN); 2979 assert(IMitr != InverseMap.end() && "No mapping to original node."); 2980 GraphWrapper.BackMap[NewN] = IMitr->second; 2981 2982 // Link up the new node with the previous node. 2983 if (Succ) 2984 Succ->addPredecessor(NewN, *GNew); 2985 else 2986 GraphWrapper.ErrorNode = NewN; 2987 2988 Succ = NewN; 2989 2990 // Are we at the final node? 2991 if (OrigN->pred_empty()) { 2992 GNew->addRoot(NewN); 2993 break; 2994 } 2995 2996 // Find the next predeccessor node. We choose the node that is marked 2997 // with the lowest BFS number. 2998 OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(), 2999 PriorityCompare<false>(PriorityMap)); 3000 } 3001 3002 GraphWrapper.Graph = std::move(GNew); 3003 3004 return true; 3005 } 3006 3007 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 3008 /// and collapses PathDiagosticPieces that are expanded by macros. 3009 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) { 3010 using MacroStackTy = 3011 std::vector< 3012 std::pair<std::shared_ptr<PathDiagnosticMacroPiece>, SourceLocation>>; 3013 3014 using PiecesTy = std::vector<std::shared_ptr<PathDiagnosticPiece>>; 3015 3016 MacroStackTy MacroStack; 3017 PiecesTy Pieces; 3018 3019 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 3020 I != E; ++I) { 3021 const auto &piece = *I; 3022 3023 // Recursively compact calls. 3024 if (auto *call = dyn_cast<PathDiagnosticCallPiece>(&*piece)) { 3025 CompactPathDiagnostic(call->path, SM); 3026 } 3027 3028 // Get the location of the PathDiagnosticPiece. 3029 const FullSourceLoc Loc = piece->getLocation().asLocation(); 3030 3031 // Determine the instantiation location, which is the location we group 3032 // related PathDiagnosticPieces. 3033 SourceLocation InstantiationLoc = Loc.isMacroID() ? 3034 SM.getExpansionLoc(Loc) : 3035 SourceLocation(); 3036 3037 if (Loc.isFileID()) { 3038 MacroStack.clear(); 3039 Pieces.push_back(piece); 3040 continue; 3041 } 3042 3043 assert(Loc.isMacroID()); 3044 3045 // Is the PathDiagnosticPiece within the same macro group? 3046 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 3047 MacroStack.back().first->subPieces.push_back(piece); 3048 continue; 3049 } 3050 3051 // We aren't in the same group. Are we descending into a new macro 3052 // or are part of an old one? 3053 std::shared_ptr<PathDiagnosticMacroPiece> MacroGroup; 3054 3055 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 3056 SM.getExpansionLoc(Loc) : 3057 SourceLocation(); 3058 3059 // Walk the entire macro stack. 3060 while (!MacroStack.empty()) { 3061 if (InstantiationLoc == MacroStack.back().second) { 3062 MacroGroup = MacroStack.back().first; 3063 break; 3064 } 3065 3066 if (ParentInstantiationLoc == MacroStack.back().second) { 3067 MacroGroup = MacroStack.back().first; 3068 break; 3069 } 3070 3071 MacroStack.pop_back(); 3072 } 3073 3074 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 3075 // Create a new macro group and add it to the stack. 3076 auto NewGroup = std::make_shared<PathDiagnosticMacroPiece>( 3077 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 3078 3079 if (MacroGroup) 3080 MacroGroup->subPieces.push_back(NewGroup); 3081 else { 3082 assert(InstantiationLoc.isFileID()); 3083 Pieces.push_back(NewGroup); 3084 } 3085 3086 MacroGroup = NewGroup; 3087 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 3088 } 3089 3090 // Finally, add the PathDiagnosticPiece to the group. 3091 MacroGroup->subPieces.push_back(piece); 3092 } 3093 3094 // Now take the pieces and construct a new PathDiagnostic. 3095 path.clear(); 3096 3097 path.insert(path.end(), Pieces.begin(), Pieces.end()); 3098 } 3099 3100 bool GRBugReporter::generatePathDiagnostic(PathDiagnostic& PD, 3101 PathDiagnosticConsumer &PC, 3102 ArrayRef<BugReport *> &bugReports) { 3103 assert(!bugReports.empty()); 3104 3105 bool HasValid = false; 3106 bool HasInvalid = false; 3107 SmallVector<const ExplodedNode *, 32> errorNodes; 3108 for (const auto I : bugReports) { 3109 if (I->isValid()) { 3110 HasValid = true; 3111 errorNodes.push_back(I->getErrorNode()); 3112 } else { 3113 // Keep the errorNodes list in sync with the bugReports list. 3114 HasInvalid = true; 3115 errorNodes.push_back(nullptr); 3116 } 3117 } 3118 3119 // If all the reports have been marked invalid by a previous path generation, 3120 // we're done. 3121 if (!HasValid) 3122 return false; 3123 3124 using PathGenerationScheme = PathDiagnosticConsumer::PathGenerationScheme; 3125 3126 PathGenerationScheme ActiveScheme = PC.getGenerationScheme(); 3127 3128 if (ActiveScheme == PathDiagnosticConsumer::Extensive) { 3129 AnalyzerOptions &options = getAnalyzerOptions(); 3130 if (options.getBooleanOption("path-diagnostics-alternate", true)) { 3131 ActiveScheme = PathDiagnosticConsumer::AlternateExtensive; 3132 } 3133 } 3134 3135 TrimmedGraph TrimG(&getGraph(), errorNodes); 3136 ReportGraph ErrorGraph; 3137 3138 while (TrimG.popNextReportGraph(ErrorGraph)) { 3139 // Find the BugReport with the original location. 3140 assert(ErrorGraph.Index < bugReports.size()); 3141 BugReport *R = bugReports[ErrorGraph.Index]; 3142 assert(R && "No original report found for sliced graph."); 3143 assert(R->isValid() && "Report selected by trimmed graph marked invalid."); 3144 3145 // Start building the path diagnostic... 3146 PathDiagnosticBuilder PDB(*this, R, ErrorGraph.BackMap, &PC); 3147 const ExplodedNode *N = ErrorGraph.ErrorNode; 3148 3149 // Register additional node visitors. 3150 R->addVisitor(llvm::make_unique<NilReceiverBRVisitor>()); 3151 R->addVisitor(llvm::make_unique<ConditionBRVisitor>()); 3152 R->addVisitor(llvm::make_unique<LikelyFalsePositiveSuppressionBRVisitor>()); 3153 R->addVisitor(llvm::make_unique<CXXSelfAssignmentBRVisitor>()); 3154 3155 BugReport::VisitorList visitors; 3156 unsigned origReportConfigToken, finalReportConfigToken; 3157 LocationContextMap LCM; 3158 3159 // While generating diagnostics, it's possible the visitors will decide 3160 // new symbols and regions are interesting, or add other visitors based on 3161 // the information they find. If they do, we need to regenerate the path 3162 // based on our new report configuration. 3163 do { 3164 // Get a clean copy of all the visitors. 3165 for (BugReport::visitor_iterator I = R->visitor_begin(), 3166 E = R->visitor_end(); I != E; ++I) 3167 visitors.push_back((*I)->clone()); 3168 3169 // Clear out the active path from any previous work. 3170 PD.resetPath(); 3171 origReportConfigToken = R->getConfigurationChangeToken(); 3172 3173 // Generate the very last diagnostic piece - the piece is visible before 3174 // the trace is expanded. 3175 std::unique_ptr<PathDiagnosticPiece> LastPiece; 3176 for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end(); 3177 I != E; ++I) { 3178 if (std::unique_ptr<PathDiagnosticPiece> Piece = 3179 (*I)->getEndPath(PDB, N, *R)) { 3180 assert(!LastPiece && 3181 "There can only be one final piece in a diagnostic."); 3182 LastPiece = std::move(Piece); 3183 } 3184 } 3185 3186 if (ActiveScheme != PathDiagnosticConsumer::None) { 3187 if (!LastPiece) 3188 LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R); 3189 assert(LastPiece); 3190 PD.setEndOfPath(std::move(LastPiece)); 3191 } 3192 3193 // Make sure we get a clean location context map so we don't 3194 // hold onto old mappings. 3195 LCM.clear(); 3196 3197 switch (ActiveScheme) { 3198 case PathDiagnosticConsumer::AlternateExtensive: 3199 GenerateAlternateExtensivePathDiagnostic(PD, PDB, N, LCM, visitors); 3200 break; 3201 case PathDiagnosticConsumer::Extensive: 3202 GenerateExtensivePathDiagnostic(PD, PDB, N, LCM, visitors); 3203 break; 3204 case PathDiagnosticConsumer::Minimal: 3205 GenerateMinimalPathDiagnostic(PD, PDB, N, LCM, visitors); 3206 break; 3207 case PathDiagnosticConsumer::None: 3208 GenerateVisitorsOnlyPathDiagnostic(PD, PDB, N, visitors); 3209 break; 3210 } 3211 3212 // Clean up the visitors we used. 3213 visitors.clear(); 3214 3215 // Did anything change while generating this path? 3216 finalReportConfigToken = R->getConfigurationChangeToken(); 3217 } while (finalReportConfigToken != origReportConfigToken); 3218 3219 if (!R->isValid()) 3220 continue; 3221 3222 // Finally, prune the diagnostic path of uninteresting stuff. 3223 if (!PD.path.empty()) { 3224 if (R->shouldPrunePath() && getAnalyzerOptions().shouldPrunePaths()) { 3225 bool stillHasNotes = removeUnneededCalls(PD.getMutablePieces(), R, LCM); 3226 assert(stillHasNotes); 3227 (void)stillHasNotes; 3228 } 3229 3230 // Redirect all call pieces to have valid locations. 3231 adjustCallLocations(PD.getMutablePieces()); 3232 removePiecesWithInvalidLocations(PD.getMutablePieces()); 3233 3234 if (ActiveScheme == PathDiagnosticConsumer::AlternateExtensive) { 3235 SourceManager &SM = getSourceManager(); 3236 3237 // Reduce the number of edges from a very conservative set 3238 // to an aesthetically pleasing subset that conveys the 3239 // necessary information. 3240 OptimizedCallsSet OCS; 3241 while (optimizeEdges(PD.getMutablePieces(), SM, OCS, LCM)) {} 3242 3243 // Drop the very first function-entry edge. It's not really necessary 3244 // for top-level functions. 3245 dropFunctionEntryEdge(PD.getMutablePieces(), LCM, SM); 3246 } 3247 3248 // Remove messages that are basically the same, and edges that may not 3249 // make sense. 3250 // We have to do this after edge optimization in the Extensive mode. 3251 removeRedundantMsgs(PD.getMutablePieces()); 3252 removeEdgesToDefaultInitializers(PD.getMutablePieces()); 3253 } 3254 3255 // We found a report and didn't suppress it. 3256 return true; 3257 } 3258 3259 // We suppressed all the reports in this equivalence class. 3260 assert(!HasInvalid && "Inconsistent suppression"); 3261 (void)HasInvalid; 3262 return false; 3263 } 3264 3265 void BugReporter::Register(BugType *BT) { 3266 BugTypes = F.add(BugTypes, BT); 3267 } 3268 3269 void BugReporter::emitReport(std::unique_ptr<BugReport> R) { 3270 if (const ExplodedNode *E = R->getErrorNode()) { 3271 // An error node must either be a sink or have a tag, otherwise 3272 // it could get reclaimed before the path diagnostic is created. 3273 assert((E->isSink() || E->getLocation().getTag()) && 3274 "Error node must either be a sink or have a tag"); 3275 3276 const AnalysisDeclContext *DeclCtx = 3277 E->getLocationContext()->getAnalysisDeclContext(); 3278 // The source of autosynthesized body can be handcrafted AST or a model 3279 // file. The locations from handcrafted ASTs have no valid source locations 3280 // and have to be discarded. Locations from model files should be preserved 3281 // for processing and reporting. 3282 if (DeclCtx->isBodyAutosynthesized() && 3283 !DeclCtx->isBodyAutosynthesizedFromModelFile()) 3284 return; 3285 } 3286 3287 bool ValidSourceLoc = R->getLocation(getSourceManager()).isValid(); 3288 assert(ValidSourceLoc); 3289 // If we mess up in a release build, we'd still prefer to just drop the bug 3290 // instead of trying to go on. 3291 if (!ValidSourceLoc) 3292 return; 3293 3294 // Compute the bug report's hash to determine its equivalence class. 3295 llvm::FoldingSetNodeID ID; 3296 R->Profile(ID); 3297 3298 // Lookup the equivance class. If there isn't one, create it. 3299 BugType& BT = R->getBugType(); 3300 Register(&BT); 3301 void *InsertPos; 3302 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 3303 3304 if (!EQ) { 3305 EQ = new BugReportEquivClass(std::move(R)); 3306 EQClasses.InsertNode(EQ, InsertPos); 3307 EQClassesVector.push_back(EQ); 3308 } else 3309 EQ->AddReport(std::move(R)); 3310 } 3311 3312 //===----------------------------------------------------------------------===// 3313 // Emitting reports in equivalence classes. 3314 //===----------------------------------------------------------------------===// 3315 3316 namespace { 3317 3318 struct FRIEC_WLItem { 3319 const ExplodedNode *N; 3320 ExplodedNode::const_succ_iterator I, E; 3321 3322 FRIEC_WLItem(const ExplodedNode *n) 3323 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 3324 }; 3325 3326 } // namespace 3327 3328 static const CFGBlock *findBlockForNode(const ExplodedNode *N) { 3329 ProgramPoint P = N->getLocation(); 3330 if (auto BEP = P.getAs<BlockEntrance>()) 3331 return BEP->getBlock(); 3332 3333 // Find the node's current statement in the CFG. 3334 if (const Stmt *S = PathDiagnosticLocation::getStmt(N)) 3335 return N->getLocationContext()->getAnalysisDeclContext() 3336 ->getCFGStmtMap()->getBlock(S); 3337 3338 return nullptr; 3339 } 3340 3341 // Returns true if by simply looking at the block, we can be sure that it 3342 // results in a sink during analysis. This is useful to know when the analysis 3343 // was interrupted, and we try to figure out if it would sink eventually. 3344 // There may be many more reasons why a sink would appear during analysis 3345 // (eg. checkers may generate sinks arbitrarily), but here we only consider 3346 // sinks that would be obvious by looking at the CFG. 3347 static bool isImmediateSinkBlock(const CFGBlock *Blk) { 3348 if (Blk->hasNoReturnElement()) 3349 return true; 3350 3351 // FIXME: Throw-expressions are currently generating sinks during analysis: 3352 // they're not supported yet, and also often used for actually terminating 3353 // the program. So we should treat them as sinks in this analysis as well, 3354 // at least for now, but once we have better support for exceptions, 3355 // we'd need to carefully handle the case when the throw is being 3356 // immediately caught. 3357 if (std::any_of(Blk->begin(), Blk->end(), [](const CFGElement &Elm) { 3358 if (Optional<CFGStmt> StmtElm = Elm.getAs<CFGStmt>()) 3359 if (isa<CXXThrowExpr>(StmtElm->getStmt())) 3360 return true; 3361 return false; 3362 })) 3363 return true; 3364 3365 return false; 3366 } 3367 3368 // Returns true if by looking at the CFG surrounding the node's program 3369 // point, we can be sure that any analysis starting from this point would 3370 // eventually end with a sink. We scan the child CFG blocks in a depth-first 3371 // manner and see if all paths eventually end up in an immediate sink block. 3372 static bool isInevitablySinking(const ExplodedNode *N) { 3373 const CFG &Cfg = N->getCFG(); 3374 3375 const CFGBlock *StartBlk = findBlockForNode(N); 3376 if (!StartBlk) 3377 return false; 3378 if (isImmediateSinkBlock(StartBlk)) 3379 return true; 3380 3381 llvm::SmallVector<const CFGBlock *, 32> DFSWorkList; 3382 llvm::SmallPtrSet<const CFGBlock *, 32> Visited; 3383 3384 DFSWorkList.push_back(StartBlk); 3385 while (!DFSWorkList.empty()) { 3386 const CFGBlock *Blk = DFSWorkList.back(); 3387 DFSWorkList.pop_back(); 3388 Visited.insert(Blk); 3389 3390 for (const auto &Succ : Blk->succs()) { 3391 if (const CFGBlock *SuccBlk = Succ.getReachableBlock()) { 3392 if (SuccBlk == &Cfg.getExit()) { 3393 // If at least one path reaches the CFG exit, it means that control is 3394 // returned to the caller. For now, say that we are not sure what 3395 // happens next. If necessary, this can be improved to analyze 3396 // the parent StackFrameContext's call site in a similar manner. 3397 return false; 3398 } 3399 3400 if (!isImmediateSinkBlock(SuccBlk) && !Visited.count(SuccBlk)) { 3401 // If the block has reachable child blocks that aren't no-return, 3402 // add them to the worklist. 3403 DFSWorkList.push_back(SuccBlk); 3404 } 3405 } 3406 } 3407 } 3408 3409 // Nothing reached the exit. It can only mean one thing: there's no return. 3410 return true; 3411 } 3412 3413 static BugReport * 3414 FindReportInEquivalenceClass(BugReportEquivClass& EQ, 3415 SmallVectorImpl<BugReport*> &bugReports) { 3416 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 3417 assert(I != E); 3418 BugType& BT = I->getBugType(); 3419 3420 // If we don't need to suppress any of the nodes because they are 3421 // post-dominated by a sink, simply add all the nodes in the equivalence class 3422 // to 'Nodes'. Any of the reports will serve as a "representative" report. 3423 if (!BT.isSuppressOnSink()) { 3424 BugReport *R = &*I; 3425 for (auto &I : EQ) { 3426 const ExplodedNode *N = I.getErrorNode(); 3427 if (N) { 3428 R = &I; 3429 bugReports.push_back(R); 3430 } 3431 } 3432 return R; 3433 } 3434 3435 // For bug reports that should be suppressed when all paths are post-dominated 3436 // by a sink node, iterate through the reports in the equivalence class 3437 // until we find one that isn't post-dominated (if one exists). We use a 3438 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 3439 // this as a recursive function, but we don't want to risk blowing out the 3440 // stack for very long paths. 3441 BugReport *exampleReport = nullptr; 3442 3443 for (; I != E; ++I) { 3444 const ExplodedNode *errorNode = I->getErrorNode(); 3445 3446 if (!errorNode) 3447 continue; 3448 if (errorNode->isSink()) { 3449 llvm_unreachable( 3450 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 3451 } 3452 // No successors? By definition this nodes isn't post-dominated by a sink. 3453 if (errorNode->succ_empty()) { 3454 bugReports.push_back(&*I); 3455 if (!exampleReport) 3456 exampleReport = &*I; 3457 continue; 3458 } 3459 3460 // See if we are in a no-return CFG block. If so, treat this similarly 3461 // to being post-dominated by a sink. This works better when the analysis 3462 // is incomplete and we have never reached the no-return function call(s) 3463 // that we'd inevitably bump into on this path. 3464 if (isInevitablySinking(errorNode)) 3465 continue; 3466 3467 // At this point we know that 'N' is not a sink and it has at least one 3468 // successor. Use a DFS worklist to find a non-sink end-of-path node. 3469 using WLItem = FRIEC_WLItem; 3470 using DFSWorkList = SmallVector<WLItem, 10>; 3471 3472 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 3473 3474 DFSWorkList WL; 3475 WL.push_back(errorNode); 3476 Visited[errorNode] = 1; 3477 3478 while (!WL.empty()) { 3479 WLItem &WI = WL.back(); 3480 assert(!WI.N->succ_empty()); 3481 3482 for (; WI.I != WI.E; ++WI.I) { 3483 const ExplodedNode *Succ = *WI.I; 3484 // End-of-path node? 3485 if (Succ->succ_empty()) { 3486 // If we found an end-of-path node that is not a sink. 3487 if (!Succ->isSink()) { 3488 bugReports.push_back(&*I); 3489 if (!exampleReport) 3490 exampleReport = &*I; 3491 WL.clear(); 3492 break; 3493 } 3494 // Found a sink? Continue on to the next successor. 3495 continue; 3496 } 3497 // Mark the successor as visited. If it hasn't been explored, 3498 // enqueue it to the DFS worklist. 3499 unsigned &mark = Visited[Succ]; 3500 if (!mark) { 3501 mark = 1; 3502 WL.push_back(Succ); 3503 break; 3504 } 3505 } 3506 3507 // The worklist may have been cleared at this point. First 3508 // check if it is empty before checking the last item. 3509 if (!WL.empty() && &WL.back() == &WI) 3510 WL.pop_back(); 3511 } 3512 } 3513 3514 // ExampleReport will be NULL if all the nodes in the equivalence class 3515 // were post-dominated by sinks. 3516 return exampleReport; 3517 } 3518 3519 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 3520 SmallVector<BugReport*, 10> bugReports; 3521 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 3522 if (exampleReport) { 3523 for (PathDiagnosticConsumer *PDC : getPathDiagnosticConsumers()) { 3524 FlushReport(exampleReport, *PDC, bugReports); 3525 } 3526 } 3527 } 3528 3529 /// Insert all lines participating in the function signature \p Signature 3530 /// into \p ExecutedLines. 3531 static void populateExecutedLinesWithFunctionSignature( 3532 const Decl *Signature, SourceManager &SM, 3533 std::unique_ptr<FilesToLineNumsMap> &ExecutedLines) { 3534 SourceRange SignatureSourceRange; 3535 const Stmt* Body = Signature->getBody(); 3536 if (const auto FD = dyn_cast<FunctionDecl>(Signature)) { 3537 SignatureSourceRange = FD->getSourceRange(); 3538 } else if (const auto OD = dyn_cast<ObjCMethodDecl>(Signature)) { 3539 SignatureSourceRange = OD->getSourceRange(); 3540 } else { 3541 return; 3542 } 3543 SourceLocation Start = SignatureSourceRange.getBegin(); 3544 SourceLocation End = Body ? Body->getSourceRange().getBegin() 3545 : SignatureSourceRange.getEnd(); 3546 unsigned StartLine = SM.getExpansionLineNumber(Start); 3547 unsigned EndLine = SM.getExpansionLineNumber(End); 3548 3549 FileID FID = SM.getFileID(SM.getExpansionLoc(Start)); 3550 for (unsigned Line = StartLine; Line <= EndLine; Line++) 3551 ExecutedLines->operator[](FID.getHashValue()).insert(Line); 3552 } 3553 3554 static void populateExecutedLinesWithStmt( 3555 const Stmt *S, SourceManager &SM, 3556 std::unique_ptr<FilesToLineNumsMap> &ExecutedLines) { 3557 SourceLocation Loc = S->getSourceRange().getBegin(); 3558 SourceLocation ExpansionLoc = SM.getExpansionLoc(Loc); 3559 FileID FID = SM.getFileID(ExpansionLoc); 3560 unsigned LineNo = SM.getExpansionLineNumber(ExpansionLoc); 3561 ExecutedLines->operator[](FID.getHashValue()).insert(LineNo); 3562 } 3563 3564 /// \return all executed lines including function signatures on the path 3565 /// starting from \p N. 3566 static std::unique_ptr<FilesToLineNumsMap> 3567 findExecutedLines(SourceManager &SM, const ExplodedNode *N) { 3568 auto ExecutedLines = llvm::make_unique<FilesToLineNumsMap>(); 3569 3570 while (N) { 3571 if (N->getFirstPred() == nullptr) { 3572 // First node: show signature of the entrance point. 3573 const Decl *D = N->getLocationContext()->getDecl(); 3574 populateExecutedLinesWithFunctionSignature(D, SM, ExecutedLines); 3575 } else if (auto CE = N->getLocationAs<CallEnter>()) { 3576 // Inlined function: show signature. 3577 const Decl* D = CE->getCalleeContext()->getDecl(); 3578 populateExecutedLinesWithFunctionSignature(D, SM, ExecutedLines); 3579 } else if (const Stmt *S = PathDiagnosticLocation::getStmt(N)) { 3580 populateExecutedLinesWithStmt(S, SM, ExecutedLines); 3581 3582 // Show extra context for some parent kinds. 3583 const Stmt *P = N->getParentMap().getParent(S); 3584 3585 // The path exploration can die before the node with the associated 3586 // return statement is generated, but we do want to show the whole 3587 // return. 3588 if (const auto *RS = dyn_cast_or_null<ReturnStmt>(P)) { 3589 populateExecutedLinesWithStmt(RS, SM, ExecutedLines); 3590 P = N->getParentMap().getParent(RS); 3591 } 3592 3593 if (P && (isa<SwitchCase>(P) || isa<LabelStmt>(P))) 3594 populateExecutedLinesWithStmt(P, SM, ExecutedLines); 3595 } 3596 3597 N = N->getFirstPred(); 3598 } 3599 return ExecutedLines; 3600 } 3601 3602 void BugReporter::FlushReport(BugReport *exampleReport, 3603 PathDiagnosticConsumer &PD, 3604 ArrayRef<BugReport*> bugReports) { 3605 // FIXME: Make sure we use the 'R' for the path that was actually used. 3606 // Probably doesn't make a difference in practice. 3607 BugType& BT = exampleReport->getBugType(); 3608 3609 auto D = llvm::make_unique<PathDiagnostic>( 3610 exampleReport->getBugType().getCheckName(), 3611 exampleReport->getDeclWithIssue(), exampleReport->getBugType().getName(), 3612 exampleReport->getDescription(), 3613 exampleReport->getShortDescription(/*Fallback=*/false), BT.getCategory(), 3614 exampleReport->getUniqueingLocation(), exampleReport->getUniqueingDecl(), 3615 findExecutedLines(getSourceManager(), exampleReport->getErrorNode())); 3616 3617 if (exampleReport->isPathSensitive()) { 3618 // Generate the full path diagnostic, using the generation scheme 3619 // specified by the PathDiagnosticConsumer. Note that we have to generate 3620 // path diagnostics even for consumers which do not support paths, because 3621 // the BugReporterVisitors may mark this bug as a false positive. 3622 assert(!bugReports.empty()); 3623 3624 MaxBugClassSize.updateMax(bugReports.size()); 3625 3626 if (!generatePathDiagnostic(*D.get(), PD, bugReports)) 3627 return; 3628 3629 MaxValidBugClassSize.updateMax(bugReports.size()); 3630 3631 // Examine the report and see if the last piece is in a header. Reset the 3632 // report location to the last piece in the main source file. 3633 AnalyzerOptions &Opts = getAnalyzerOptions(); 3634 if (Opts.shouldReportIssuesInMainSourceFile() && !Opts.AnalyzeAll) 3635 D->resetDiagnosticLocationToMainFile(); 3636 } 3637 3638 // If the path is empty, generate a single step path with the location 3639 // of the issue. 3640 if (D->path.empty()) { 3641 PathDiagnosticLocation L = exampleReport->getLocation(getSourceManager()); 3642 auto piece = llvm::make_unique<PathDiagnosticEventPiece>( 3643 L, exampleReport->getDescription()); 3644 for (SourceRange Range : exampleReport->getRanges()) 3645 piece->addRange(Range); 3646 D->setEndOfPath(std::move(piece)); 3647 } 3648 3649 PathPieces &Pieces = D->getMutablePieces(); 3650 if (getAnalyzerOptions().shouldDisplayNotesAsEvents()) { 3651 // For path diagnostic consumers that don't support extra notes, 3652 // we may optionally convert those to path notes. 3653 for (auto I = exampleReport->getNotes().rbegin(), 3654 E = exampleReport->getNotes().rend(); I != E; ++I) { 3655 PathDiagnosticNotePiece *Piece = I->get(); 3656 auto ConvertedPiece = std::make_shared<PathDiagnosticEventPiece>( 3657 Piece->getLocation(), Piece->getString()); 3658 for (const auto &R: Piece->getRanges()) 3659 ConvertedPiece->addRange(R); 3660 3661 Pieces.push_front(std::move(ConvertedPiece)); 3662 } 3663 } else { 3664 for (auto I = exampleReport->getNotes().rbegin(), 3665 E = exampleReport->getNotes().rend(); I != E; ++I) 3666 Pieces.push_front(*I); 3667 } 3668 3669 // Get the meta data. 3670 const BugReport::ExtraTextList &Meta = exampleReport->getExtraText(); 3671 for (const auto &i : Meta) 3672 D->addMeta(i); 3673 3674 PD.HandlePathDiagnostic(std::move(D)); 3675 } 3676 3677 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3678 const CheckerBase *Checker, 3679 StringRef Name, StringRef Category, 3680 StringRef Str, PathDiagnosticLocation Loc, 3681 ArrayRef<SourceRange> Ranges) { 3682 EmitBasicReport(DeclWithIssue, Checker->getCheckName(), Name, Category, Str, 3683 Loc, Ranges); 3684 } 3685 3686 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3687 CheckName CheckName, 3688 StringRef name, StringRef category, 3689 StringRef str, PathDiagnosticLocation Loc, 3690 ArrayRef<SourceRange> Ranges) { 3691 // 'BT' is owned by BugReporter. 3692 BugType *BT = getBugTypeForName(CheckName, name, category); 3693 auto R = llvm::make_unique<BugReport>(*BT, str, Loc); 3694 R->setDeclWithIssue(DeclWithIssue); 3695 for (ArrayRef<SourceRange>::iterator I = Ranges.begin(), E = Ranges.end(); 3696 I != E; ++I) 3697 R->addRange(*I); 3698 emitReport(std::move(R)); 3699 } 3700 3701 BugType *BugReporter::getBugTypeForName(CheckName CheckName, StringRef name, 3702 StringRef category) { 3703 SmallString<136> fullDesc; 3704 llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name 3705 << ":" << category; 3706 BugType *&BT = StrBugTypes[fullDesc]; 3707 if (!BT) 3708 BT = new BugType(CheckName, name, category); 3709 return BT; 3710 } 3711 3712 LLVM_DUMP_METHOD void PathPieces::dump() const { 3713 unsigned index = 0; 3714 for (PathPieces::const_iterator I = begin(), E = end(); I != E; ++I) { 3715 llvm::errs() << "[" << index++ << "] "; 3716 (*I)->dump(); 3717 llvm::errs() << "\n"; 3718 } 3719 } 3720 3721 LLVM_DUMP_METHOD void PathDiagnosticCallPiece::dump() const { 3722 llvm::errs() << "CALL\n--------------\n"; 3723 3724 if (const Stmt *SLoc = getLocStmt(getLocation())) 3725 SLoc->dump(); 3726 else if (const auto *ND = dyn_cast<NamedDecl>(getCallee())) 3727 llvm::errs() << *ND << "\n"; 3728 else 3729 getLocation().dump(); 3730 } 3731 3732 LLVM_DUMP_METHOD void PathDiagnosticEventPiece::dump() const { 3733 llvm::errs() << "EVENT\n--------------\n"; 3734 llvm::errs() << getString() << "\n"; 3735 llvm::errs() << " ---- at ----\n"; 3736 getLocation().dump(); 3737 } 3738 3739 LLVM_DUMP_METHOD void PathDiagnosticControlFlowPiece::dump() const { 3740 llvm::errs() << "CONTROL\n--------------\n"; 3741 getStartLocation().dump(); 3742 llvm::errs() << " ---- to ----\n"; 3743 getEndLocation().dump(); 3744 } 3745 3746 LLVM_DUMP_METHOD void PathDiagnosticMacroPiece::dump() const { 3747 llvm::errs() << "MACRO\n--------------\n"; 3748 // FIXME: Print which macro is being invoked. 3749 } 3750 3751 LLVM_DUMP_METHOD void PathDiagnosticNotePiece::dump() const { 3752 llvm::errs() << "NOTE\n--------------\n"; 3753 llvm::errs() << getString() << "\n"; 3754 llvm::errs() << " ---- at ----\n"; 3755 getLocation().dump(); 3756 } 3757 3758 LLVM_DUMP_METHOD void PathDiagnosticLocation::dump() const { 3759 if (!isValid()) { 3760 llvm::errs() << "<INVALID>\n"; 3761 return; 3762 } 3763 3764 switch (K) { 3765 case RangeK: 3766 // FIXME: actually print the range. 3767 llvm::errs() << "<range>\n"; 3768 break; 3769 case SingleLocK: 3770 asLocation().dump(); 3771 llvm::errs() << "\n"; 3772 break; 3773 case StmtK: 3774 if (S) 3775 S->dump(); 3776 else 3777 llvm::errs() << "<NULL STMT>\n"; 3778 break; 3779 case DeclK: 3780 if (const auto *ND = dyn_cast_or_null<NamedDecl>(D)) 3781 llvm::errs() << *ND << "\n"; 3782 else if (isa<BlockDecl>(D)) 3783 // FIXME: Make this nicer. 3784 llvm::errs() << "<block>\n"; 3785 else if (D) 3786 llvm::errs() << "<unknown decl>\n"; 3787 else 3788 llvm::errs() << "<NULL DECL>\n"; 3789 break; 3790 } 3791 } 3792