1 //===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines BugReporter, a utility class for generating 10 // PathDiagnostics. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 15 #include "clang/AST/Decl.h" 16 #include "clang/AST/DeclBase.h" 17 #include "clang/AST/DeclObjC.h" 18 #include "clang/AST/Expr.h" 19 #include "clang/AST/ExprCXX.h" 20 #include "clang/AST/ParentMap.h" 21 #include "clang/AST/Stmt.h" 22 #include "clang/AST/StmtCXX.h" 23 #include "clang/AST/StmtObjC.h" 24 #include "clang/Analysis/AnalysisDeclContext.h" 25 #include "clang/Analysis/CFG.h" 26 #include "clang/Analysis/CFGStmtMap.h" 27 #include "clang/Analysis/PathDiagnostic.h" 28 #include "clang/Analysis/ProgramPoint.h" 29 #include "clang/Basic/LLVM.h" 30 #include "clang/Basic/SourceLocation.h" 31 #include "clang/Basic/SourceManager.h" 32 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 33 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 34 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 35 #include "clang/StaticAnalyzer/Core/Checker.h" 36 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 37 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 38 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 43 #include "clang/StaticAnalyzer/Frontend/CheckerRegistry.h" 44 #include "llvm/ADT/ArrayRef.h" 45 #include "llvm/ADT/DenseMap.h" 46 #include "llvm/ADT/DenseSet.h" 47 #include "llvm/ADT/FoldingSet.h" 48 #include "llvm/ADT/None.h" 49 #include "llvm/ADT/Optional.h" 50 #include "llvm/ADT/STLExtras.h" 51 #include "llvm/ADT/SmallPtrSet.h" 52 #include "llvm/ADT/SmallString.h" 53 #include "llvm/ADT/SmallVector.h" 54 #include "llvm/ADT/Statistic.h" 55 #include "llvm/ADT/StringExtras.h" 56 #include "llvm/ADT/StringRef.h" 57 #include "llvm/ADT/iterator_range.h" 58 #include "llvm/Support/Casting.h" 59 #include "llvm/Support/Compiler.h" 60 #include "llvm/Support/ErrorHandling.h" 61 #include "llvm/Support/MemoryBuffer.h" 62 #include "llvm/Support/raw_ostream.h" 63 #include <algorithm> 64 #include <cassert> 65 #include <cstddef> 66 #include <iterator> 67 #include <memory> 68 #include <queue> 69 #include <string> 70 #include <tuple> 71 #include <utility> 72 #include <vector> 73 74 using namespace clang; 75 using namespace ento; 76 using namespace llvm; 77 78 #define DEBUG_TYPE "BugReporter" 79 80 STATISTIC(MaxBugClassSize, 81 "The maximum number of bug reports in the same equivalence class"); 82 STATISTIC(MaxValidBugClassSize, 83 "The maximum number of bug reports in the same equivalence class " 84 "where at least one report is valid (not suppressed)"); 85 86 BugReporterVisitor::~BugReporterVisitor() = default; 87 88 void BugReporterContext::anchor() {} 89 90 //===----------------------------------------------------------------------===// 91 // PathDiagnosticBuilder and its associated routines and helper objects. 92 //===----------------------------------------------------------------------===// 93 94 namespace { 95 96 /// A (CallPiece, node assiciated with its CallEnter) pair. 97 using CallWithEntry = 98 std::pair<PathDiagnosticCallPiece *, const ExplodedNode *>; 99 using CallWithEntryStack = SmallVector<CallWithEntry, 6>; 100 101 /// Map from each node to the diagnostic pieces visitors emit for them. 102 using VisitorsDiagnosticsTy = 103 llvm::DenseMap<const ExplodedNode *, std::vector<PathDiagnosticPieceRef>>; 104 105 /// A map from PathDiagnosticPiece to the LocationContext of the inlined 106 /// function call it represents. 107 using LocationContextMap = 108 llvm::DenseMap<const PathPieces *, const LocationContext *>; 109 110 /// A helper class that contains everything needed to construct a 111 /// PathDiagnostic object. It does no much more then providing convenient 112 /// getters and some well placed asserts for extra security. 113 class PathDiagnosticConstruct { 114 /// The consumer we're constructing the bug report for. 115 const PathDiagnosticConsumer *Consumer; 116 /// Our current position in the bug path, which is owned by 117 /// PathDiagnosticBuilder. 118 const ExplodedNode *CurrentNode; 119 /// A mapping from parts of the bug path (for example, a function call, which 120 /// would span backwards from a CallExit to a CallEnter with the nodes in 121 /// between them) with the location contexts it is associated with. 122 LocationContextMap LCM; 123 const SourceManager &SM; 124 125 public: 126 /// We keep stack of calls to functions as we're ascending the bug path. 127 /// TODO: PathDiagnostic has a stack doing the same thing, shouldn't we use 128 /// that instead? 129 CallWithEntryStack CallStack; 130 /// The bug report we're constructing. For ease of use, this field is kept 131 /// public, though some "shortcut" getters are provided for commonly used 132 /// methods of PathDiagnostic. 133 std::unique_ptr<PathDiagnostic> PD; 134 135 public: 136 PathDiagnosticConstruct(const PathDiagnosticConsumer *PDC, 137 const ExplodedNode *ErrorNode, 138 const PathSensitiveBugReport *R); 139 140 /// \returns the location context associated with the current position in the 141 /// bug path. 142 const LocationContext *getCurrLocationContext() const { 143 assert(CurrentNode && "Already reached the root!"); 144 return CurrentNode->getLocationContext(); 145 } 146 147 /// Same as getCurrLocationContext (they should always return the same 148 /// location context), but works after reaching the root of the bug path as 149 /// well. 150 const LocationContext *getLocationContextForActivePath() const { 151 return LCM.find(&PD->getActivePath())->getSecond(); 152 } 153 154 const ExplodedNode *getCurrentNode() const { return CurrentNode; } 155 156 /// Steps the current node to its predecessor. 157 /// \returns whether we reached the root of the bug path. 158 bool ascendToPrevNode() { 159 CurrentNode = CurrentNode->getFirstPred(); 160 return static_cast<bool>(CurrentNode); 161 } 162 163 const ParentMap &getParentMap() const { 164 return getCurrLocationContext()->getParentMap(); 165 } 166 167 const SourceManager &getSourceManager() const { return SM; } 168 169 const Stmt *getParent(const Stmt *S) const { 170 return getParentMap().getParent(S); 171 } 172 173 void updateLocCtxMap(const PathPieces *Path, const LocationContext *LC) { 174 assert(Path && LC); 175 LCM[Path] = LC; 176 } 177 178 const LocationContext *getLocationContextFor(const PathPieces *Path) const { 179 assert(LCM.count(Path) && 180 "Failed to find the context associated with these pieces!"); 181 return LCM.find(Path)->getSecond(); 182 } 183 184 bool isInLocCtxMap(const PathPieces *Path) const { return LCM.count(Path); } 185 186 PathPieces &getActivePath() { return PD->getActivePath(); } 187 PathPieces &getMutablePieces() { return PD->getMutablePieces(); } 188 189 bool shouldAddPathEdges() const { return Consumer->shouldAddPathEdges(); } 190 bool shouldGenerateDiagnostics() const { 191 return Consumer->shouldGenerateDiagnostics(); 192 } 193 bool supportsLogicalOpControlFlow() const { 194 return Consumer->supportsLogicalOpControlFlow(); 195 } 196 }; 197 198 /// Contains every contextual information needed for constructing a 199 /// PathDiagnostic object for a given bug report. This class and its fields are 200 /// immutable, and passes a BugReportConstruct object around during the 201 /// construction. 202 class PathDiagnosticBuilder : public BugReporterContext { 203 /// A linear path from the error node to the root. 204 std::unique_ptr<const ExplodedGraph> BugPath; 205 /// The bug report we're describing. Visitors create their diagnostics with 206 /// them being the last entities being able to modify it (for example, 207 /// changing interestingness here would cause inconsistencies as to how this 208 /// file and visitors construct diagnostics), hence its const. 209 const PathSensitiveBugReport *R; 210 /// The leaf of the bug path. This isn't the same as the bug reports error 211 /// node, which refers to the *original* graph, not the bug path. 212 const ExplodedNode *const ErrorNode; 213 /// The diagnostic pieces visitors emitted, which is expected to be collected 214 /// by the time this builder is constructed. 215 std::unique_ptr<const VisitorsDiagnosticsTy> VisitorsDiagnostics; 216 217 public: 218 /// Find a non-invalidated report for a given equivalence class, and returns 219 /// a PathDiagnosticBuilder able to construct bug reports for different 220 /// consumers. Returns None if no valid report is found. 221 static Optional<PathDiagnosticBuilder> 222 findValidReport(ArrayRef<PathSensitiveBugReport *> &bugReports, 223 PathSensitiveBugReporter &Reporter); 224 225 PathDiagnosticBuilder( 226 BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath, 227 PathSensitiveBugReport *r, const ExplodedNode *ErrorNode, 228 std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics); 229 230 /// This function is responsible for generating diagnostic pieces that are 231 /// *not* provided by bug report visitors. 232 /// These diagnostics may differ depending on the consumer's settings, 233 /// and are therefore constructed separately for each consumer. 234 /// 235 /// There are two path diagnostics generation modes: with adding edges (used 236 /// for plists) and without (used for HTML and text). When edges are added, 237 /// the path is modified to insert artificially generated edges. 238 /// Otherwise, more detailed diagnostics is emitted for block edges, 239 /// explaining the transitions in words. 240 std::unique_ptr<PathDiagnostic> 241 generate(const PathDiagnosticConsumer *PDC) const; 242 243 private: 244 void updateStackPiecesWithMessage(PathDiagnosticPieceRef P, 245 const CallWithEntryStack &CallStack) const; 246 void generatePathDiagnosticsForNode(PathDiagnosticConstruct &C, 247 PathDiagnosticLocation &PrevLoc) const; 248 249 void generateMinimalDiagForBlockEdge(PathDiagnosticConstruct &C, 250 BlockEdge BE) const; 251 252 PathDiagnosticPieceRef 253 generateDiagForGotoOP(const PathDiagnosticConstruct &C, const Stmt *S, 254 PathDiagnosticLocation &Start) const; 255 256 PathDiagnosticPieceRef 257 generateDiagForSwitchOP(const PathDiagnosticConstruct &C, const CFGBlock *Dst, 258 PathDiagnosticLocation &Start) const; 259 260 PathDiagnosticPieceRef 261 generateDiagForBinaryOP(const PathDiagnosticConstruct &C, const Stmt *T, 262 const CFGBlock *Src, const CFGBlock *DstC) const; 263 264 PathDiagnosticLocation 265 ExecutionContinues(const PathDiagnosticConstruct &C) const; 266 267 PathDiagnosticLocation 268 ExecutionContinues(llvm::raw_string_ostream &os, 269 const PathDiagnosticConstruct &C) const; 270 271 const PathSensitiveBugReport *getBugReport() const { return R; } 272 }; 273 274 } // namespace 275 276 //===----------------------------------------------------------------------===// 277 // Base implementation of stack hint generators. 278 //===----------------------------------------------------------------------===// 279 280 StackHintGenerator::~StackHintGenerator() = default; 281 282 std::string StackHintGeneratorForSymbol::getMessage(const ExplodedNode *N){ 283 if (!N) 284 return getMessageForSymbolNotFound(); 285 286 ProgramPoint P = N->getLocation(); 287 CallExitEnd CExit = P.castAs<CallExitEnd>(); 288 289 // FIXME: Use CallEvent to abstract this over all calls. 290 const Stmt *CallSite = CExit.getCalleeContext()->getCallSite(); 291 const auto *CE = dyn_cast_or_null<CallExpr>(CallSite); 292 if (!CE) 293 return {}; 294 295 // Check if one of the parameters are set to the interesting symbol. 296 unsigned ArgIndex = 0; 297 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 298 E = CE->arg_end(); I != E; ++I, ++ArgIndex){ 299 SVal SV = N->getSVal(*I); 300 301 // Check if the variable corresponding to the symbol is passed by value. 302 SymbolRef AS = SV.getAsLocSymbol(); 303 if (AS == Sym) { 304 return getMessageForArg(*I, ArgIndex); 305 } 306 307 // Check if the parameter is a pointer to the symbol. 308 if (Optional<loc::MemRegionVal> Reg = SV.getAs<loc::MemRegionVal>()) { 309 // Do not attempt to dereference void*. 310 if ((*I)->getType()->isVoidPointerType()) 311 continue; 312 SVal PSV = N->getState()->getSVal(Reg->getRegion()); 313 SymbolRef AS = PSV.getAsLocSymbol(); 314 if (AS == Sym) { 315 return getMessageForArg(*I, ArgIndex); 316 } 317 } 318 } 319 320 // Check if we are returning the interesting symbol. 321 SVal SV = N->getSVal(CE); 322 SymbolRef RetSym = SV.getAsLocSymbol(); 323 if (RetSym == Sym) { 324 return getMessageForReturn(CE); 325 } 326 327 return getMessageForSymbolNotFound(); 328 } 329 330 std::string StackHintGeneratorForSymbol::getMessageForArg(const Expr *ArgE, 331 unsigned ArgIndex) { 332 // Printed parameters start at 1, not 0. 333 ++ArgIndex; 334 335 return (llvm::Twine(Msg) + " via " + std::to_string(ArgIndex) + 336 llvm::getOrdinalSuffix(ArgIndex) + " parameter").str(); 337 } 338 339 //===----------------------------------------------------------------------===// 340 // Diagnostic cleanup. 341 //===----------------------------------------------------------------------===// 342 343 static PathDiagnosticEventPiece * 344 eventsDescribeSameCondition(PathDiagnosticEventPiece *X, 345 PathDiagnosticEventPiece *Y) { 346 // Prefer diagnostics that come from ConditionBRVisitor over 347 // those that came from TrackConstraintBRVisitor, 348 // unless the one from ConditionBRVisitor is 349 // its generic fallback diagnostic. 350 const void *tagPreferred = ConditionBRVisitor::getTag(); 351 const void *tagLesser = TrackConstraintBRVisitor::getTag(); 352 353 if (X->getLocation() != Y->getLocation()) 354 return nullptr; 355 356 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser) 357 return ConditionBRVisitor::isPieceMessageGeneric(X) ? Y : X; 358 359 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser) 360 return ConditionBRVisitor::isPieceMessageGeneric(Y) ? X : Y; 361 362 return nullptr; 363 } 364 365 /// An optimization pass over PathPieces that removes redundant diagnostics 366 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both 367 /// BugReporterVisitors use different methods to generate diagnostics, with 368 /// one capable of emitting diagnostics in some cases but not in others. This 369 /// can lead to redundant diagnostic pieces at the same point in a path. 370 static void removeRedundantMsgs(PathPieces &path) { 371 unsigned N = path.size(); 372 if (N < 2) 373 return; 374 // NOTE: this loop intentionally is not using an iterator. Instead, we 375 // are streaming the path and modifying it in place. This is done by 376 // grabbing the front, processing it, and if we decide to keep it append 377 // it to the end of the path. The entire path is processed in this way. 378 for (unsigned i = 0; i < N; ++i) { 379 auto piece = std::move(path.front()); 380 path.pop_front(); 381 382 switch (piece->getKind()) { 383 case PathDiagnosticPiece::Call: 384 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(*piece).path); 385 break; 386 case PathDiagnosticPiece::Macro: 387 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(*piece).subPieces); 388 break; 389 case PathDiagnosticPiece::Event: { 390 if (i == N-1) 391 break; 392 393 if (auto *nextEvent = 394 dyn_cast<PathDiagnosticEventPiece>(path.front().get())) { 395 auto *event = cast<PathDiagnosticEventPiece>(piece.get()); 396 // Check to see if we should keep one of the two pieces. If we 397 // come up with a preference, record which piece to keep, and consume 398 // another piece from the path. 399 if (auto *pieceToKeep = 400 eventsDescribeSameCondition(event, nextEvent)) { 401 piece = std::move(pieceToKeep == event ? piece : path.front()); 402 path.pop_front(); 403 ++i; 404 } 405 } 406 break; 407 } 408 case PathDiagnosticPiece::ControlFlow: 409 case PathDiagnosticPiece::Note: 410 case PathDiagnosticPiece::PopUp: 411 break; 412 } 413 path.push_back(std::move(piece)); 414 } 415 } 416 417 /// Recursively scan through a path and prune out calls and macros pieces 418 /// that aren't needed. Return true if afterwards the path contains 419 /// "interesting stuff" which means it shouldn't be pruned from the parent path. 420 static bool removeUnneededCalls(const PathDiagnosticConstruct &C, 421 PathPieces &pieces, 422 const PathSensitiveBugReport *R, 423 bool IsInteresting = false) { 424 bool containsSomethingInteresting = IsInteresting; 425 const unsigned N = pieces.size(); 426 427 for (unsigned i = 0 ; i < N ; ++i) { 428 // Remove the front piece from the path. If it is still something we 429 // want to keep once we are done, we will push it back on the end. 430 auto piece = std::move(pieces.front()); 431 pieces.pop_front(); 432 433 switch (piece->getKind()) { 434 case PathDiagnosticPiece::Call: { 435 auto &call = cast<PathDiagnosticCallPiece>(*piece); 436 // Check if the location context is interesting. 437 if (!removeUnneededCalls( 438 C, call.path, R, 439 R->isInteresting(C.getLocationContextFor(&call.path)))) 440 continue; 441 442 containsSomethingInteresting = true; 443 break; 444 } 445 case PathDiagnosticPiece::Macro: { 446 auto ¯o = cast<PathDiagnosticMacroPiece>(*piece); 447 if (!removeUnneededCalls(C, macro.subPieces, R, IsInteresting)) 448 continue; 449 containsSomethingInteresting = true; 450 break; 451 } 452 case PathDiagnosticPiece::Event: { 453 auto &event = cast<PathDiagnosticEventPiece>(*piece); 454 455 // We never throw away an event, but we do throw it away wholesale 456 // as part of a path if we throw the entire path away. 457 containsSomethingInteresting |= !event.isPrunable(); 458 break; 459 } 460 case PathDiagnosticPiece::ControlFlow: 461 case PathDiagnosticPiece::Note: 462 case PathDiagnosticPiece::PopUp: 463 break; 464 } 465 466 pieces.push_back(std::move(piece)); 467 } 468 469 return containsSomethingInteresting; 470 } 471 472 /// Same logic as above to remove extra pieces. 473 static void removePopUpNotes(PathPieces &Path) { 474 for (unsigned int i = 0; i < Path.size(); ++i) { 475 auto Piece = std::move(Path.front()); 476 Path.pop_front(); 477 if (!isa<PathDiagnosticPopUpPiece>(*Piece)) 478 Path.push_back(std::move(Piece)); 479 } 480 } 481 482 /// Returns true if the given decl has been implicitly given a body, either by 483 /// the analyzer or by the compiler proper. 484 static bool hasImplicitBody(const Decl *D) { 485 assert(D); 486 return D->isImplicit() || !D->hasBody(); 487 } 488 489 /// Recursively scan through a path and make sure that all call pieces have 490 /// valid locations. 491 static void 492 adjustCallLocations(PathPieces &Pieces, 493 PathDiagnosticLocation *LastCallLocation = nullptr) { 494 for (const auto &I : Pieces) { 495 auto *Call = dyn_cast<PathDiagnosticCallPiece>(I.get()); 496 497 if (!Call) 498 continue; 499 500 if (LastCallLocation) { 501 bool CallerIsImplicit = hasImplicitBody(Call->getCaller()); 502 if (CallerIsImplicit || !Call->callEnter.asLocation().isValid()) 503 Call->callEnter = *LastCallLocation; 504 if (CallerIsImplicit || !Call->callReturn.asLocation().isValid()) 505 Call->callReturn = *LastCallLocation; 506 } 507 508 // Recursively clean out the subclass. Keep this call around if 509 // it contains any informative diagnostics. 510 PathDiagnosticLocation *ThisCallLocation; 511 if (Call->callEnterWithin.asLocation().isValid() && 512 !hasImplicitBody(Call->getCallee())) 513 ThisCallLocation = &Call->callEnterWithin; 514 else 515 ThisCallLocation = &Call->callEnter; 516 517 assert(ThisCallLocation && "Outermost call has an invalid location"); 518 adjustCallLocations(Call->path, ThisCallLocation); 519 } 520 } 521 522 /// Remove edges in and out of C++ default initializer expressions. These are 523 /// for fields that have in-class initializers, as opposed to being initialized 524 /// explicitly in a constructor or braced list. 525 static void removeEdgesToDefaultInitializers(PathPieces &Pieces) { 526 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 527 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 528 removeEdgesToDefaultInitializers(C->path); 529 530 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 531 removeEdgesToDefaultInitializers(M->subPieces); 532 533 if (auto *CF = dyn_cast<PathDiagnosticControlFlowPiece>(I->get())) { 534 const Stmt *Start = CF->getStartLocation().asStmt(); 535 const Stmt *End = CF->getEndLocation().asStmt(); 536 if (Start && isa<CXXDefaultInitExpr>(Start)) { 537 I = Pieces.erase(I); 538 continue; 539 } else if (End && isa<CXXDefaultInitExpr>(End)) { 540 PathPieces::iterator Next = std::next(I); 541 if (Next != E) { 542 if (auto *NextCF = 543 dyn_cast<PathDiagnosticControlFlowPiece>(Next->get())) { 544 NextCF->setStartLocation(CF->getStartLocation()); 545 } 546 } 547 I = Pieces.erase(I); 548 continue; 549 } 550 } 551 552 I++; 553 } 554 } 555 556 /// Remove all pieces with invalid locations as these cannot be serialized. 557 /// We might have pieces with invalid locations as a result of inlining Body 558 /// Farm generated functions. 559 static void removePiecesWithInvalidLocations(PathPieces &Pieces) { 560 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 561 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 562 removePiecesWithInvalidLocations(C->path); 563 564 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 565 removePiecesWithInvalidLocations(M->subPieces); 566 567 if (!(*I)->getLocation().isValid() || 568 !(*I)->getLocation().asLocation().isValid()) { 569 I = Pieces.erase(I); 570 continue; 571 } 572 I++; 573 } 574 } 575 576 PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues( 577 const PathDiagnosticConstruct &C) const { 578 if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics()) 579 return PathDiagnosticLocation(S, getSourceManager(), 580 C.getCurrLocationContext()); 581 582 return PathDiagnosticLocation::createDeclEnd(C.getCurrLocationContext(), 583 getSourceManager()); 584 } 585 586 PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues( 587 llvm::raw_string_ostream &os, const PathDiagnosticConstruct &C) const { 588 // Slow, but probably doesn't matter. 589 if (os.str().empty()) 590 os << ' '; 591 592 const PathDiagnosticLocation &Loc = ExecutionContinues(C); 593 594 if (Loc.asStmt()) 595 os << "Execution continues on line " 596 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 597 << '.'; 598 else { 599 os << "Execution jumps to the end of the "; 600 const Decl *D = C.getCurrLocationContext()->getDecl(); 601 if (isa<ObjCMethodDecl>(D)) 602 os << "method"; 603 else if (isa<FunctionDecl>(D)) 604 os << "function"; 605 else { 606 assert(isa<BlockDecl>(D)); 607 os << "anonymous block"; 608 } 609 os << '.'; 610 } 611 612 return Loc; 613 } 614 615 static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) { 616 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 617 return PM.getParentIgnoreParens(S); 618 619 const Stmt *Parent = PM.getParentIgnoreParens(S); 620 if (!Parent) 621 return nullptr; 622 623 switch (Parent->getStmtClass()) { 624 case Stmt::ForStmtClass: 625 case Stmt::DoStmtClass: 626 case Stmt::WhileStmtClass: 627 case Stmt::ObjCForCollectionStmtClass: 628 case Stmt::CXXForRangeStmtClass: 629 return Parent; 630 default: 631 break; 632 } 633 634 return nullptr; 635 } 636 637 static PathDiagnosticLocation 638 getEnclosingStmtLocation(const Stmt *S, const LocationContext *LC, 639 bool allowNestedContexts = false) { 640 if (!S) 641 return {}; 642 643 const SourceManager &SMgr = LC->getDecl()->getASTContext().getSourceManager(); 644 645 while (const Stmt *Parent = getEnclosingParent(S, LC->getParentMap())) { 646 switch (Parent->getStmtClass()) { 647 case Stmt::BinaryOperatorClass: { 648 const auto *B = cast<BinaryOperator>(Parent); 649 if (B->isLogicalOp()) 650 return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC); 651 break; 652 } 653 case Stmt::CompoundStmtClass: 654 case Stmt::StmtExprClass: 655 return PathDiagnosticLocation(S, SMgr, LC); 656 case Stmt::ChooseExprClass: 657 // Similar to '?' if we are referring to condition, just have the edge 658 // point to the entire choose expression. 659 if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S) 660 return PathDiagnosticLocation(Parent, SMgr, LC); 661 else 662 return PathDiagnosticLocation(S, SMgr, LC); 663 case Stmt::BinaryConditionalOperatorClass: 664 case Stmt::ConditionalOperatorClass: 665 // For '?', if we are referring to condition, just have the edge point 666 // to the entire '?' expression. 667 if (allowNestedContexts || 668 cast<AbstractConditionalOperator>(Parent)->getCond() == S) 669 return PathDiagnosticLocation(Parent, SMgr, LC); 670 else 671 return PathDiagnosticLocation(S, SMgr, LC); 672 case Stmt::CXXForRangeStmtClass: 673 if (cast<CXXForRangeStmt>(Parent)->getBody() == S) 674 return PathDiagnosticLocation(S, SMgr, LC); 675 break; 676 case Stmt::DoStmtClass: 677 return PathDiagnosticLocation(S, SMgr, LC); 678 case Stmt::ForStmtClass: 679 if (cast<ForStmt>(Parent)->getBody() == S) 680 return PathDiagnosticLocation(S, SMgr, LC); 681 break; 682 case Stmt::IfStmtClass: 683 if (cast<IfStmt>(Parent)->getCond() != S) 684 return PathDiagnosticLocation(S, SMgr, LC); 685 break; 686 case Stmt::ObjCForCollectionStmtClass: 687 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 688 return PathDiagnosticLocation(S, SMgr, LC); 689 break; 690 case Stmt::WhileStmtClass: 691 if (cast<WhileStmt>(Parent)->getCond() != S) 692 return PathDiagnosticLocation(S, SMgr, LC); 693 break; 694 default: 695 break; 696 } 697 698 S = Parent; 699 } 700 701 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 702 703 return PathDiagnosticLocation(S, SMgr, LC); 704 } 705 706 //===----------------------------------------------------------------------===// 707 // "Minimal" path diagnostic generation algorithm. 708 //===----------------------------------------------------------------------===// 709 710 /// If the piece contains a special message, add it to all the call pieces on 711 /// the active stack. For example, my_malloc allocated memory, so MallocChecker 712 /// will construct an event at the call to malloc(), and add a stack hint that 713 /// an allocated memory was returned. We'll use this hint to construct a message 714 /// when returning from the call to my_malloc 715 /// 716 /// void *my_malloc() { return malloc(sizeof(int)); } 717 /// void fishy() { 718 /// void *ptr = my_malloc(); // returned allocated memory 719 /// } // leak 720 void PathDiagnosticBuilder::updateStackPiecesWithMessage( 721 PathDiagnosticPieceRef P, const CallWithEntryStack &CallStack) const { 722 if (R->hasCallStackHint(P)) 723 for (const auto &I : CallStack) { 724 PathDiagnosticCallPiece *CP = I.first; 725 const ExplodedNode *N = I.second; 726 std::string stackMsg = R->getCallStackMessage(P, N); 727 728 // The last message on the path to final bug is the most important 729 // one. Since we traverse the path backwards, do not add the message 730 // if one has been previously added. 731 if (!CP->hasCallStackMessage()) 732 CP->setCallStackMessage(stackMsg); 733 } 734 } 735 736 static void CompactMacroExpandedPieces(PathPieces &path, 737 const SourceManager& SM); 738 739 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForSwitchOP( 740 const PathDiagnosticConstruct &C, const CFGBlock *Dst, 741 PathDiagnosticLocation &Start) const { 742 743 const SourceManager &SM = getSourceManager(); 744 // Figure out what case arm we took. 745 std::string sbuf; 746 llvm::raw_string_ostream os(sbuf); 747 PathDiagnosticLocation End; 748 749 if (const Stmt *S = Dst->getLabel()) { 750 End = PathDiagnosticLocation(S, SM, C.getCurrLocationContext()); 751 752 switch (S->getStmtClass()) { 753 default: 754 os << "No cases match in the switch statement. " 755 "Control jumps to line " 756 << End.asLocation().getExpansionLineNumber(); 757 break; 758 case Stmt::DefaultStmtClass: 759 os << "Control jumps to the 'default' case at line " 760 << End.asLocation().getExpansionLineNumber(); 761 break; 762 763 case Stmt::CaseStmtClass: { 764 os << "Control jumps to 'case "; 765 const auto *Case = cast<CaseStmt>(S); 766 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 767 768 // Determine if it is an enum. 769 bool GetRawInt = true; 770 771 if (const auto *DR = dyn_cast<DeclRefExpr>(LHS)) { 772 // FIXME: Maybe this should be an assertion. Are there cases 773 // were it is not an EnumConstantDecl? 774 const auto *D = dyn_cast<EnumConstantDecl>(DR->getDecl()); 775 776 if (D) { 777 GetRawInt = false; 778 os << *D; 779 } 780 } 781 782 if (GetRawInt) 783 os << LHS->EvaluateKnownConstInt(getASTContext()); 784 785 os << ":' at line " << End.asLocation().getExpansionLineNumber(); 786 break; 787 } 788 } 789 } else { 790 os << "'Default' branch taken. "; 791 End = ExecutionContinues(os, C); 792 } 793 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 794 os.str()); 795 } 796 797 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForGotoOP( 798 const PathDiagnosticConstruct &C, const Stmt *S, 799 PathDiagnosticLocation &Start) const { 800 std::string sbuf; 801 llvm::raw_string_ostream os(sbuf); 802 const PathDiagnosticLocation &End = 803 getEnclosingStmtLocation(S, C.getCurrLocationContext()); 804 os << "Control jumps to line " << End.asLocation().getExpansionLineNumber(); 805 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str()); 806 } 807 808 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForBinaryOP( 809 const PathDiagnosticConstruct &C, const Stmt *T, const CFGBlock *Src, 810 const CFGBlock *Dst) const { 811 812 const SourceManager &SM = getSourceManager(); 813 814 const auto *B = cast<BinaryOperator>(T); 815 std::string sbuf; 816 llvm::raw_string_ostream os(sbuf); 817 os << "Left side of '"; 818 PathDiagnosticLocation Start, End; 819 820 if (B->getOpcode() == BO_LAnd) { 821 os << "&&" 822 << "' is "; 823 824 if (*(Src->succ_begin() + 1) == Dst) { 825 os << "false"; 826 End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 827 Start = 828 PathDiagnosticLocation::createOperatorLoc(B, SM); 829 } else { 830 os << "true"; 831 Start = 832 PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 833 End = ExecutionContinues(C); 834 } 835 } else { 836 assert(B->getOpcode() == BO_LOr); 837 os << "||" 838 << "' is "; 839 840 if (*(Src->succ_begin() + 1) == Dst) { 841 os << "false"; 842 Start = 843 PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 844 End = ExecutionContinues(C); 845 } else { 846 os << "true"; 847 End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 848 Start = 849 PathDiagnosticLocation::createOperatorLoc(B, SM); 850 } 851 } 852 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 853 os.str()); 854 } 855 856 void PathDiagnosticBuilder::generateMinimalDiagForBlockEdge( 857 PathDiagnosticConstruct &C, BlockEdge BE) const { 858 const SourceManager &SM = getSourceManager(); 859 const LocationContext *LC = C.getCurrLocationContext(); 860 const CFGBlock *Src = BE.getSrc(); 861 const CFGBlock *Dst = BE.getDst(); 862 const Stmt *T = Src->getTerminatorStmt(); 863 if (!T) 864 return; 865 866 auto Start = PathDiagnosticLocation::createBegin(T, SM, LC); 867 switch (T->getStmtClass()) { 868 default: 869 break; 870 871 case Stmt::GotoStmtClass: 872 case Stmt::IndirectGotoStmtClass: { 873 if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics()) 874 C.getActivePath().push_front(generateDiagForGotoOP(C, S, Start)); 875 break; 876 } 877 878 case Stmt::SwitchStmtClass: { 879 C.getActivePath().push_front(generateDiagForSwitchOP(C, Dst, Start)); 880 break; 881 } 882 883 case Stmt::BreakStmtClass: 884 case Stmt::ContinueStmtClass: { 885 std::string sbuf; 886 llvm::raw_string_ostream os(sbuf); 887 PathDiagnosticLocation End = ExecutionContinues(os, C); 888 C.getActivePath().push_front( 889 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 890 break; 891 } 892 893 // Determine control-flow for ternary '?'. 894 case Stmt::BinaryConditionalOperatorClass: 895 case Stmt::ConditionalOperatorClass: { 896 std::string sbuf; 897 llvm::raw_string_ostream os(sbuf); 898 os << "'?' condition is "; 899 900 if (*(Src->succ_begin() + 1) == Dst) 901 os << "false"; 902 else 903 os << "true"; 904 905 PathDiagnosticLocation End = ExecutionContinues(C); 906 907 if (const Stmt *S = End.asStmt()) 908 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 909 910 C.getActivePath().push_front( 911 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 912 break; 913 } 914 915 // Determine control-flow for short-circuited '&&' and '||'. 916 case Stmt::BinaryOperatorClass: { 917 if (!C.supportsLogicalOpControlFlow()) 918 break; 919 920 C.getActivePath().push_front(generateDiagForBinaryOP(C, T, Src, Dst)); 921 break; 922 } 923 924 case Stmt::DoStmtClass: 925 if (*(Src->succ_begin()) == Dst) { 926 std::string sbuf; 927 llvm::raw_string_ostream os(sbuf); 928 929 os << "Loop condition is true. "; 930 PathDiagnosticLocation End = ExecutionContinues(os, C); 931 932 if (const Stmt *S = End.asStmt()) 933 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 934 935 C.getActivePath().push_front( 936 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 937 os.str())); 938 } else { 939 PathDiagnosticLocation End = ExecutionContinues(C); 940 941 if (const Stmt *S = End.asStmt()) 942 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 943 944 C.getActivePath().push_front( 945 std::make_shared<PathDiagnosticControlFlowPiece>( 946 Start, End, "Loop condition is false. Exiting loop")); 947 } 948 break; 949 950 case Stmt::WhileStmtClass: 951 case Stmt::ForStmtClass: 952 if (*(Src->succ_begin() + 1) == Dst) { 953 std::string sbuf; 954 llvm::raw_string_ostream os(sbuf); 955 956 os << "Loop condition is false. "; 957 PathDiagnosticLocation End = ExecutionContinues(os, C); 958 if (const Stmt *S = End.asStmt()) 959 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 960 961 C.getActivePath().push_front( 962 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 963 os.str())); 964 } else { 965 PathDiagnosticLocation End = ExecutionContinues(C); 966 if (const Stmt *S = End.asStmt()) 967 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 968 969 C.getActivePath().push_front( 970 std::make_shared<PathDiagnosticControlFlowPiece>( 971 Start, End, "Loop condition is true. Entering loop body")); 972 } 973 974 break; 975 976 case Stmt::IfStmtClass: { 977 PathDiagnosticLocation End = ExecutionContinues(C); 978 979 if (const Stmt *S = End.asStmt()) 980 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 981 982 if (*(Src->succ_begin() + 1) == Dst) 983 C.getActivePath().push_front( 984 std::make_shared<PathDiagnosticControlFlowPiece>( 985 Start, End, "Taking false branch")); 986 else 987 C.getActivePath().push_front( 988 std::make_shared<PathDiagnosticControlFlowPiece>( 989 Start, End, "Taking true branch")); 990 991 break; 992 } 993 } 994 } 995 996 //===----------------------------------------------------------------------===// 997 // Functions for determining if a loop was executed 0 times. 998 //===----------------------------------------------------------------------===// 999 1000 static bool isLoop(const Stmt *Term) { 1001 switch (Term->getStmtClass()) { 1002 case Stmt::ForStmtClass: 1003 case Stmt::WhileStmtClass: 1004 case Stmt::ObjCForCollectionStmtClass: 1005 case Stmt::CXXForRangeStmtClass: 1006 return true; 1007 default: 1008 // Note that we intentionally do not include do..while here. 1009 return false; 1010 } 1011 } 1012 1013 static bool isJumpToFalseBranch(const BlockEdge *BE) { 1014 const CFGBlock *Src = BE->getSrc(); 1015 assert(Src->succ_size() == 2); 1016 return (*(Src->succ_begin()+1) == BE->getDst()); 1017 } 1018 1019 static bool isContainedByStmt(const ParentMap &PM, const Stmt *S, 1020 const Stmt *SubS) { 1021 while (SubS) { 1022 if (SubS == S) 1023 return true; 1024 SubS = PM.getParent(SubS); 1025 } 1026 return false; 1027 } 1028 1029 static const Stmt *getStmtBeforeCond(const ParentMap &PM, const Stmt *Term, 1030 const ExplodedNode *N) { 1031 while (N) { 1032 Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>(); 1033 if (SP) { 1034 const Stmt *S = SP->getStmt(); 1035 if (!isContainedByStmt(PM, Term, S)) 1036 return S; 1037 } 1038 N = N->getFirstPred(); 1039 } 1040 return nullptr; 1041 } 1042 1043 static bool isInLoopBody(const ParentMap &PM, const Stmt *S, const Stmt *Term) { 1044 const Stmt *LoopBody = nullptr; 1045 switch (Term->getStmtClass()) { 1046 case Stmt::CXXForRangeStmtClass: { 1047 const auto *FR = cast<CXXForRangeStmt>(Term); 1048 if (isContainedByStmt(PM, FR->getInc(), S)) 1049 return true; 1050 if (isContainedByStmt(PM, FR->getLoopVarStmt(), S)) 1051 return true; 1052 LoopBody = FR->getBody(); 1053 break; 1054 } 1055 case Stmt::ForStmtClass: { 1056 const auto *FS = cast<ForStmt>(Term); 1057 if (isContainedByStmt(PM, FS->getInc(), S)) 1058 return true; 1059 LoopBody = FS->getBody(); 1060 break; 1061 } 1062 case Stmt::ObjCForCollectionStmtClass: { 1063 const auto *FC = cast<ObjCForCollectionStmt>(Term); 1064 LoopBody = FC->getBody(); 1065 break; 1066 } 1067 case Stmt::WhileStmtClass: 1068 LoopBody = cast<WhileStmt>(Term)->getBody(); 1069 break; 1070 default: 1071 return false; 1072 } 1073 return isContainedByStmt(PM, LoopBody, S); 1074 } 1075 1076 /// Adds a sanitized control-flow diagnostic edge to a path. 1077 static void addEdgeToPath(PathPieces &path, 1078 PathDiagnosticLocation &PrevLoc, 1079 PathDiagnosticLocation NewLoc) { 1080 if (!NewLoc.isValid()) 1081 return; 1082 1083 SourceLocation NewLocL = NewLoc.asLocation(); 1084 if (NewLocL.isInvalid()) 1085 return; 1086 1087 if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) { 1088 PrevLoc = NewLoc; 1089 return; 1090 } 1091 1092 // Ignore self-edges, which occur when there are multiple nodes at the same 1093 // statement. 1094 if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt()) 1095 return; 1096 1097 path.push_front( 1098 std::make_shared<PathDiagnosticControlFlowPiece>(NewLoc, PrevLoc)); 1099 PrevLoc = NewLoc; 1100 } 1101 1102 /// A customized wrapper for CFGBlock::getTerminatorCondition() 1103 /// which returns the element for ObjCForCollectionStmts. 1104 static const Stmt *getTerminatorCondition(const CFGBlock *B) { 1105 const Stmt *S = B->getTerminatorCondition(); 1106 if (const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(S)) 1107 return FS->getElement(); 1108 return S; 1109 } 1110 1111 constexpr llvm::StringLiteral StrEnteringLoop = "Entering loop body"; 1112 constexpr llvm::StringLiteral StrLoopBodyZero = "Loop body executed 0 times"; 1113 constexpr llvm::StringLiteral StrLoopRangeEmpty = 1114 "Loop body skipped when range is empty"; 1115 constexpr llvm::StringLiteral StrLoopCollectionEmpty = 1116 "Loop body skipped when collection is empty"; 1117 1118 static std::unique_ptr<FilesToLineNumsMap> 1119 findExecutedLines(const SourceManager &SM, const ExplodedNode *N); 1120 1121 void PathDiagnosticBuilder::generatePathDiagnosticsForNode( 1122 PathDiagnosticConstruct &C, PathDiagnosticLocation &PrevLoc) const { 1123 ProgramPoint P = C.getCurrentNode()->getLocation(); 1124 const SourceManager &SM = getSourceManager(); 1125 1126 // Have we encountered an entrance to a call? It may be 1127 // the case that we have not encountered a matching 1128 // call exit before this point. This means that the path 1129 // terminated within the call itself. 1130 if (auto CE = P.getAs<CallEnter>()) { 1131 1132 if (C.shouldAddPathEdges()) { 1133 // Add an edge to the start of the function. 1134 const StackFrameContext *CalleeLC = CE->getCalleeContext(); 1135 const Decl *D = CalleeLC->getDecl(); 1136 // Add the edge only when the callee has body. We jump to the beginning 1137 // of the *declaration*, however we expect it to be followed by the 1138 // body. This isn't the case for autosynthesized property accessors in 1139 // Objective-C. No need for a similar extra check for CallExit points 1140 // because the exit edge comes from a statement (i.e. return), 1141 // not from declaration. 1142 if (D->hasBody()) 1143 addEdgeToPath(C.getActivePath(), PrevLoc, 1144 PathDiagnosticLocation::createBegin(D, SM)); 1145 } 1146 1147 // Did we visit an entire call? 1148 bool VisitedEntireCall = C.PD->isWithinCall(); 1149 C.PD->popActivePath(); 1150 1151 PathDiagnosticCallPiece *Call; 1152 if (VisitedEntireCall) { 1153 Call = cast<PathDiagnosticCallPiece>(C.getActivePath().front().get()); 1154 } else { 1155 // The path terminated within a nested location context, create a new 1156 // call piece to encapsulate the rest of the path pieces. 1157 const Decl *Caller = CE->getLocationContext()->getDecl(); 1158 Call = PathDiagnosticCallPiece::construct(C.getActivePath(), Caller); 1159 assert(C.getActivePath().size() == 1 && 1160 C.getActivePath().front().get() == Call); 1161 1162 // Since we just transferred the path over to the call piece, reset the 1163 // mapping of the active path to the current location context. 1164 assert(C.isInLocCtxMap(&C.getActivePath()) && 1165 "When we ascend to a previously unvisited call, the active path's " 1166 "address shouldn't change, but rather should be compacted into " 1167 "a single CallEvent!"); 1168 C.updateLocCtxMap(&C.getActivePath(), C.getCurrLocationContext()); 1169 1170 // Record the location context mapping for the path within the call. 1171 assert(!C.isInLocCtxMap(&Call->path) && 1172 "When we ascend to a previously unvisited call, this must be the " 1173 "first time we encounter the caller context!"); 1174 C.updateLocCtxMap(&Call->path, CE->getCalleeContext()); 1175 } 1176 Call->setCallee(*CE, SM); 1177 1178 // Update the previous location in the active path. 1179 PrevLoc = Call->getLocation(); 1180 1181 if (!C.CallStack.empty()) { 1182 assert(C.CallStack.back().first == Call); 1183 C.CallStack.pop_back(); 1184 } 1185 return; 1186 } 1187 1188 assert(C.getCurrLocationContext() == C.getLocationContextForActivePath() && 1189 "The current position in the bug path is out of sync with the " 1190 "location context associated with the active path!"); 1191 1192 // Have we encountered an exit from a function call? 1193 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1194 1195 // We are descending into a call (backwards). Construct 1196 // a new call piece to contain the path pieces for that call. 1197 auto Call = PathDiagnosticCallPiece::construct(*CE, SM); 1198 // Record the mapping from call piece to LocationContext. 1199 assert(!C.isInLocCtxMap(&Call->path) && 1200 "We just entered a call, this must've been the first time we " 1201 "encounter its context!"); 1202 C.updateLocCtxMap(&Call->path, CE->getCalleeContext()); 1203 1204 if (C.shouldAddPathEdges()) { 1205 // Add the edge to the return site. 1206 addEdgeToPath(C.getActivePath(), PrevLoc, Call->callReturn); 1207 PrevLoc.invalidate(); 1208 } 1209 1210 auto *P = Call.get(); 1211 C.getActivePath().push_front(std::move(Call)); 1212 1213 // Make the contents of the call the active path for now. 1214 C.PD->pushActivePath(&P->path); 1215 C.CallStack.push_back(CallWithEntry(P, C.getCurrentNode())); 1216 return; 1217 } 1218 1219 if (auto PS = P.getAs<PostStmt>()) { 1220 if (!C.shouldAddPathEdges()) 1221 return; 1222 1223 // Add an edge. If this is an ObjCForCollectionStmt do 1224 // not add an edge here as it appears in the CFG both 1225 // as a terminator and as a terminator condition. 1226 if (!isa<ObjCForCollectionStmt>(PS->getStmt())) { 1227 PathDiagnosticLocation L = 1228 PathDiagnosticLocation(PS->getStmt(), SM, C.getCurrLocationContext()); 1229 addEdgeToPath(C.getActivePath(), PrevLoc, L); 1230 } 1231 1232 } else if (auto BE = P.getAs<BlockEdge>()) { 1233 1234 if (!C.shouldAddPathEdges()) { 1235 generateMinimalDiagForBlockEdge(C, *BE); 1236 return; 1237 } 1238 1239 // Are we jumping to the head of a loop? Add a special diagnostic. 1240 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1241 PathDiagnosticLocation L(Loop, SM, C.getCurrLocationContext()); 1242 const Stmt *Body = nullptr; 1243 1244 if (const auto *FS = dyn_cast<ForStmt>(Loop)) 1245 Body = FS->getBody(); 1246 else if (const auto *WS = dyn_cast<WhileStmt>(Loop)) 1247 Body = WS->getBody(); 1248 else if (const auto *OFS = dyn_cast<ObjCForCollectionStmt>(Loop)) { 1249 Body = OFS->getBody(); 1250 } else if (const auto *FRS = dyn_cast<CXXForRangeStmt>(Loop)) { 1251 Body = FRS->getBody(); 1252 } 1253 // do-while statements are explicitly excluded here 1254 1255 auto p = std::make_shared<PathDiagnosticEventPiece>( 1256 L, "Looping back to the head " 1257 "of the loop"); 1258 p->setPrunable(true); 1259 1260 addEdgeToPath(C.getActivePath(), PrevLoc, p->getLocation()); 1261 C.getActivePath().push_front(std::move(p)); 1262 1263 if (const auto *CS = dyn_cast_or_null<CompoundStmt>(Body)) { 1264 addEdgeToPath(C.getActivePath(), PrevLoc, 1265 PathDiagnosticLocation::createEndBrace(CS, SM)); 1266 } 1267 } 1268 1269 const CFGBlock *BSrc = BE->getSrc(); 1270 const ParentMap &PM = C.getParentMap(); 1271 1272 if (const Stmt *Term = BSrc->getTerminatorStmt()) { 1273 // Are we jumping past the loop body without ever executing the 1274 // loop (because the condition was false)? 1275 if (isLoop(Term)) { 1276 const Stmt *TermCond = getTerminatorCondition(BSrc); 1277 bool IsInLoopBody = isInLoopBody( 1278 PM, getStmtBeforeCond(PM, TermCond, C.getCurrentNode()), Term); 1279 1280 StringRef str; 1281 1282 if (isJumpToFalseBranch(&*BE)) { 1283 if (!IsInLoopBody) { 1284 if (isa<ObjCForCollectionStmt>(Term)) { 1285 str = StrLoopCollectionEmpty; 1286 } else if (isa<CXXForRangeStmt>(Term)) { 1287 str = StrLoopRangeEmpty; 1288 } else { 1289 str = StrLoopBodyZero; 1290 } 1291 } 1292 } else { 1293 str = StrEnteringLoop; 1294 } 1295 1296 if (!str.empty()) { 1297 PathDiagnosticLocation L(TermCond ? TermCond : Term, SM, 1298 C.getCurrLocationContext()); 1299 auto PE = std::make_shared<PathDiagnosticEventPiece>(L, str); 1300 PE->setPrunable(true); 1301 addEdgeToPath(C.getActivePath(), PrevLoc, PE->getLocation()); 1302 C.getActivePath().push_front(std::move(PE)); 1303 } 1304 } else if (isa<BreakStmt>(Term) || isa<ContinueStmt>(Term) || 1305 isa<GotoStmt>(Term)) { 1306 PathDiagnosticLocation L(Term, SM, C.getCurrLocationContext()); 1307 addEdgeToPath(C.getActivePath(), PrevLoc, L); 1308 } 1309 } 1310 } 1311 } 1312 1313 static std::unique_ptr<PathDiagnostic> 1314 generateDiagnosticForBasicReport(const BasicBugReport *R) { 1315 const BugType &BT = R->getBugType(); 1316 return std::make_unique<PathDiagnostic>( 1317 BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(), 1318 R->getDescription(), R->getShortDescription(/*UseFallback=*/false), 1319 BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(), 1320 std::make_unique<FilesToLineNumsMap>()); 1321 } 1322 1323 static std::unique_ptr<PathDiagnostic> 1324 generateEmptyDiagnosticForReport(const PathSensitiveBugReport *R, 1325 const SourceManager &SM) { 1326 const BugType &BT = R->getBugType(); 1327 return std::make_unique<PathDiagnostic>( 1328 BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(), 1329 R->getDescription(), R->getShortDescription(/*UseFallback=*/false), 1330 BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(), 1331 findExecutedLines(SM, R->getErrorNode())); 1332 } 1333 1334 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) { 1335 if (!S) 1336 return nullptr; 1337 1338 while (true) { 1339 S = PM.getParentIgnoreParens(S); 1340 1341 if (!S) 1342 break; 1343 1344 if (isa<FullExpr>(S) || 1345 isa<CXXBindTemporaryExpr>(S) || 1346 isa<SubstNonTypeTemplateParmExpr>(S)) 1347 continue; 1348 1349 break; 1350 } 1351 1352 return S; 1353 } 1354 1355 static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) { 1356 switch (S->getStmtClass()) { 1357 case Stmt::BinaryOperatorClass: { 1358 const auto *BO = cast<BinaryOperator>(S); 1359 if (!BO->isLogicalOp()) 1360 return false; 1361 return BO->getLHS() == Cond || BO->getRHS() == Cond; 1362 } 1363 case Stmt::IfStmtClass: 1364 return cast<IfStmt>(S)->getCond() == Cond; 1365 case Stmt::ForStmtClass: 1366 return cast<ForStmt>(S)->getCond() == Cond; 1367 case Stmt::WhileStmtClass: 1368 return cast<WhileStmt>(S)->getCond() == Cond; 1369 case Stmt::DoStmtClass: 1370 return cast<DoStmt>(S)->getCond() == Cond; 1371 case Stmt::ChooseExprClass: 1372 return cast<ChooseExpr>(S)->getCond() == Cond; 1373 case Stmt::IndirectGotoStmtClass: 1374 return cast<IndirectGotoStmt>(S)->getTarget() == Cond; 1375 case Stmt::SwitchStmtClass: 1376 return cast<SwitchStmt>(S)->getCond() == Cond; 1377 case Stmt::BinaryConditionalOperatorClass: 1378 return cast<BinaryConditionalOperator>(S)->getCond() == Cond; 1379 case Stmt::ConditionalOperatorClass: { 1380 const auto *CO = cast<ConditionalOperator>(S); 1381 return CO->getCond() == Cond || 1382 CO->getLHS() == Cond || 1383 CO->getRHS() == Cond; 1384 } 1385 case Stmt::ObjCForCollectionStmtClass: 1386 return cast<ObjCForCollectionStmt>(S)->getElement() == Cond; 1387 case Stmt::CXXForRangeStmtClass: { 1388 const auto *FRS = cast<CXXForRangeStmt>(S); 1389 return FRS->getCond() == Cond || FRS->getRangeInit() == Cond; 1390 } 1391 default: 1392 return false; 1393 } 1394 } 1395 1396 static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) { 1397 if (const auto *FS = dyn_cast<ForStmt>(FL)) 1398 return FS->getInc() == S || FS->getInit() == S; 1399 if (const auto *FRS = dyn_cast<CXXForRangeStmt>(FL)) 1400 return FRS->getInc() == S || FRS->getRangeStmt() == S || 1401 FRS->getLoopVarStmt() || FRS->getRangeInit() == S; 1402 return false; 1403 } 1404 1405 using OptimizedCallsSet = llvm::DenseSet<const PathDiagnosticCallPiece *>; 1406 1407 /// Adds synthetic edges from top-level statements to their subexpressions. 1408 /// 1409 /// This avoids a "swoosh" effect, where an edge from a top-level statement A 1410 /// points to a sub-expression B.1 that's not at the start of B. In these cases, 1411 /// we'd like to see an edge from A to B, then another one from B to B.1. 1412 static void addContextEdges(PathPieces &pieces, const LocationContext *LC) { 1413 const ParentMap &PM = LC->getParentMap(); 1414 PathPieces::iterator Prev = pieces.end(); 1415 for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E; 1416 Prev = I, ++I) { 1417 auto *Piece = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1418 1419 if (!Piece) 1420 continue; 1421 1422 PathDiagnosticLocation SrcLoc = Piece->getStartLocation(); 1423 SmallVector<PathDiagnosticLocation, 4> SrcContexts; 1424 1425 PathDiagnosticLocation NextSrcContext = SrcLoc; 1426 const Stmt *InnerStmt = nullptr; 1427 while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) { 1428 SrcContexts.push_back(NextSrcContext); 1429 InnerStmt = NextSrcContext.asStmt(); 1430 NextSrcContext = getEnclosingStmtLocation(InnerStmt, LC, 1431 /*allowNested=*/true); 1432 } 1433 1434 // Repeatedly split the edge as necessary. 1435 // This is important for nested logical expressions (||, &&, ?:) where we 1436 // want to show all the levels of context. 1437 while (true) { 1438 const Stmt *Dst = Piece->getEndLocation().getStmtOrNull(); 1439 1440 // We are looking at an edge. Is the destination within a larger 1441 // expression? 1442 PathDiagnosticLocation DstContext = 1443 getEnclosingStmtLocation(Dst, LC, /*allowNested=*/true); 1444 if (!DstContext.isValid() || DstContext.asStmt() == Dst) 1445 break; 1446 1447 // If the source is in the same context, we're already good. 1448 if (llvm::find(SrcContexts, DstContext) != SrcContexts.end()) 1449 break; 1450 1451 // Update the subexpression node to point to the context edge. 1452 Piece->setStartLocation(DstContext); 1453 1454 // Try to extend the previous edge if it's at the same level as the source 1455 // context. 1456 if (Prev != E) { 1457 auto *PrevPiece = dyn_cast<PathDiagnosticControlFlowPiece>(Prev->get()); 1458 1459 if (PrevPiece) { 1460 if (const Stmt *PrevSrc = 1461 PrevPiece->getStartLocation().getStmtOrNull()) { 1462 const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM); 1463 if (PrevSrcParent == 1464 getStmtParent(DstContext.getStmtOrNull(), PM)) { 1465 PrevPiece->setEndLocation(DstContext); 1466 break; 1467 } 1468 } 1469 } 1470 } 1471 1472 // Otherwise, split the current edge into a context edge and a 1473 // subexpression edge. Note that the context statement may itself have 1474 // context. 1475 auto P = 1476 std::make_shared<PathDiagnosticControlFlowPiece>(SrcLoc, DstContext); 1477 Piece = P.get(); 1478 I = pieces.insert(I, std::move(P)); 1479 } 1480 } 1481 } 1482 1483 /// Move edges from a branch condition to a branch target 1484 /// when the condition is simple. 1485 /// 1486 /// This restructures some of the work of addContextEdges. That function 1487 /// creates edges this may destroy, but they work together to create a more 1488 /// aesthetically set of edges around branches. After the call to 1489 /// addContextEdges, we may have (1) an edge to the branch, (2) an edge from 1490 /// the branch to the branch condition, and (3) an edge from the branch 1491 /// condition to the branch target. We keep (1), but may wish to remove (2) 1492 /// and move the source of (3) to the branch if the branch condition is simple. 1493 static void simplifySimpleBranches(PathPieces &pieces) { 1494 for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) { 1495 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1496 1497 if (!PieceI) 1498 continue; 1499 1500 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1501 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1502 1503 if (!s1Start || !s1End) 1504 continue; 1505 1506 PathPieces::iterator NextI = I; ++NextI; 1507 if (NextI == E) 1508 break; 1509 1510 PathDiagnosticControlFlowPiece *PieceNextI = nullptr; 1511 1512 while (true) { 1513 if (NextI == E) 1514 break; 1515 1516 const auto *EV = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 1517 if (EV) { 1518 StringRef S = EV->getString(); 1519 if (S == StrEnteringLoop || S == StrLoopBodyZero || 1520 S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) { 1521 ++NextI; 1522 continue; 1523 } 1524 break; 1525 } 1526 1527 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1528 break; 1529 } 1530 1531 if (!PieceNextI) 1532 continue; 1533 1534 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1535 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1536 1537 if (!s2Start || !s2End || s1End != s2Start) 1538 continue; 1539 1540 // We only perform this transformation for specific branch kinds. 1541 // We don't want to do this for do..while, for example. 1542 if (!(isa<ForStmt>(s1Start) || isa<WhileStmt>(s1Start) || 1543 isa<IfStmt>(s1Start) || isa<ObjCForCollectionStmt>(s1Start) || 1544 isa<CXXForRangeStmt>(s1Start))) 1545 continue; 1546 1547 // Is s1End the branch condition? 1548 if (!isConditionForTerminator(s1Start, s1End)) 1549 continue; 1550 1551 // Perform the hoisting by eliminating (2) and changing the start 1552 // location of (3). 1553 PieceNextI->setStartLocation(PieceI->getStartLocation()); 1554 I = pieces.erase(I); 1555 } 1556 } 1557 1558 /// Returns the number of bytes in the given (character-based) SourceRange. 1559 /// 1560 /// If the locations in the range are not on the same line, returns None. 1561 /// 1562 /// Note that this does not do a precise user-visible character or column count. 1563 static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM, 1564 SourceRange Range) { 1565 SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()), 1566 SM.getExpansionRange(Range.getEnd()).getEnd()); 1567 1568 FileID FID = SM.getFileID(ExpansionRange.getBegin()); 1569 if (FID != SM.getFileID(ExpansionRange.getEnd())) 1570 return None; 1571 1572 bool Invalid; 1573 const llvm::MemoryBuffer *Buffer = SM.getBuffer(FID, &Invalid); 1574 if (Invalid) 1575 return None; 1576 1577 unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin()); 1578 unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd()); 1579 StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset); 1580 1581 // We're searching the raw bytes of the buffer here, which might include 1582 // escaped newlines and such. That's okay; we're trying to decide whether the 1583 // SourceRange is covering a large or small amount of space in the user's 1584 // editor. 1585 if (Snippet.find_first_of("\r\n") != StringRef::npos) 1586 return None; 1587 1588 // This isn't Unicode-aware, but it doesn't need to be. 1589 return Snippet.size(); 1590 } 1591 1592 /// \sa getLengthOnSingleLine(SourceManager, SourceRange) 1593 static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM, 1594 const Stmt *S) { 1595 return getLengthOnSingleLine(SM, S->getSourceRange()); 1596 } 1597 1598 /// Eliminate two-edge cycles created by addContextEdges(). 1599 /// 1600 /// Once all the context edges are in place, there are plenty of cases where 1601 /// there's a single edge from a top-level statement to a subexpression, 1602 /// followed by a single path note, and then a reverse edge to get back out to 1603 /// the top level. If the statement is simple enough, the subexpression edges 1604 /// just add noise and make it harder to understand what's going on. 1605 /// 1606 /// This function only removes edges in pairs, because removing only one edge 1607 /// might leave other edges dangling. 1608 /// 1609 /// This will not remove edges in more complicated situations: 1610 /// - if there is more than one "hop" leading to or from a subexpression. 1611 /// - if there is an inlined call between the edges instead of a single event. 1612 /// - if the whole statement is large enough that having subexpression arrows 1613 /// might be helpful. 1614 static void removeContextCycles(PathPieces &Path, const SourceManager &SM) { 1615 for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) { 1616 // Pattern match the current piece and its successor. 1617 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1618 1619 if (!PieceI) { 1620 ++I; 1621 continue; 1622 } 1623 1624 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1625 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1626 1627 PathPieces::iterator NextI = I; ++NextI; 1628 if (NextI == E) 1629 break; 1630 1631 const auto *PieceNextI = 1632 dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1633 1634 if (!PieceNextI) { 1635 if (isa<PathDiagnosticEventPiece>(NextI->get())) { 1636 ++NextI; 1637 if (NextI == E) 1638 break; 1639 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1640 } 1641 1642 if (!PieceNextI) { 1643 ++I; 1644 continue; 1645 } 1646 } 1647 1648 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1649 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1650 1651 if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) { 1652 const size_t MAX_SHORT_LINE_LENGTH = 80; 1653 Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start); 1654 if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) { 1655 Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start); 1656 if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) { 1657 Path.erase(I); 1658 I = Path.erase(NextI); 1659 continue; 1660 } 1661 } 1662 } 1663 1664 ++I; 1665 } 1666 } 1667 1668 /// Return true if X is contained by Y. 1669 static bool lexicalContains(const ParentMap &PM, const Stmt *X, const Stmt *Y) { 1670 while (X) { 1671 if (X == Y) 1672 return true; 1673 X = PM.getParent(X); 1674 } 1675 return false; 1676 } 1677 1678 // Remove short edges on the same line less than 3 columns in difference. 1679 static void removePunyEdges(PathPieces &path, const SourceManager &SM, 1680 const ParentMap &PM) { 1681 bool erased = false; 1682 1683 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; 1684 erased ? I : ++I) { 1685 erased = false; 1686 1687 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1688 1689 if (!PieceI) 1690 continue; 1691 1692 const Stmt *start = PieceI->getStartLocation().getStmtOrNull(); 1693 const Stmt *end = PieceI->getEndLocation().getStmtOrNull(); 1694 1695 if (!start || !end) 1696 continue; 1697 1698 const Stmt *endParent = PM.getParent(end); 1699 if (!endParent) 1700 continue; 1701 1702 if (isConditionForTerminator(end, endParent)) 1703 continue; 1704 1705 SourceLocation FirstLoc = start->getBeginLoc(); 1706 SourceLocation SecondLoc = end->getBeginLoc(); 1707 1708 if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc)) 1709 continue; 1710 if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc)) 1711 std::swap(SecondLoc, FirstLoc); 1712 1713 SourceRange EdgeRange(FirstLoc, SecondLoc); 1714 Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange); 1715 1716 // If the statements are on different lines, continue. 1717 if (!ByteWidth) 1718 continue; 1719 1720 const size_t MAX_PUNY_EDGE_LENGTH = 2; 1721 if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) { 1722 // FIXME: There are enough /bytes/ between the endpoints of the edge, but 1723 // there might not be enough /columns/. A proper user-visible column count 1724 // is probably too expensive, though. 1725 I = path.erase(I); 1726 erased = true; 1727 continue; 1728 } 1729 } 1730 } 1731 1732 static void removeIdenticalEvents(PathPieces &path) { 1733 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) { 1734 const auto *PieceI = dyn_cast<PathDiagnosticEventPiece>(I->get()); 1735 1736 if (!PieceI) 1737 continue; 1738 1739 PathPieces::iterator NextI = I; ++NextI; 1740 if (NextI == E) 1741 return; 1742 1743 const auto *PieceNextI = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 1744 1745 if (!PieceNextI) 1746 continue; 1747 1748 // Erase the second piece if it has the same exact message text. 1749 if (PieceI->getString() == PieceNextI->getString()) { 1750 path.erase(NextI); 1751 } 1752 } 1753 } 1754 1755 static bool optimizeEdges(const PathDiagnosticConstruct &C, PathPieces &path, 1756 OptimizedCallsSet &OCS) { 1757 bool hasChanges = false; 1758 const LocationContext *LC = C.getLocationContextFor(&path); 1759 assert(LC); 1760 const ParentMap &PM = LC->getParentMap(); 1761 const SourceManager &SM = C.getSourceManager(); 1762 1763 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) { 1764 // Optimize subpaths. 1765 if (auto *CallI = dyn_cast<PathDiagnosticCallPiece>(I->get())) { 1766 // Record the fact that a call has been optimized so we only do the 1767 // effort once. 1768 if (!OCS.count(CallI)) { 1769 while (optimizeEdges(C, CallI->path, OCS)) { 1770 } 1771 OCS.insert(CallI); 1772 } 1773 ++I; 1774 continue; 1775 } 1776 1777 // Pattern match the current piece and its successor. 1778 auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1779 1780 if (!PieceI) { 1781 ++I; 1782 continue; 1783 } 1784 1785 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1786 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1787 const Stmt *level1 = getStmtParent(s1Start, PM); 1788 const Stmt *level2 = getStmtParent(s1End, PM); 1789 1790 PathPieces::iterator NextI = I; ++NextI; 1791 if (NextI == E) 1792 break; 1793 1794 const auto *PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1795 1796 if (!PieceNextI) { 1797 ++I; 1798 continue; 1799 } 1800 1801 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1802 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1803 const Stmt *level3 = getStmtParent(s2Start, PM); 1804 const Stmt *level4 = getStmtParent(s2End, PM); 1805 1806 // Rule I. 1807 // 1808 // If we have two consecutive control edges whose end/begin locations 1809 // are at the same level (e.g. statements or top-level expressions within 1810 // a compound statement, or siblings share a single ancestor expression), 1811 // then merge them if they have no interesting intermediate event. 1812 // 1813 // For example: 1814 // 1815 // (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common 1816 // parent is '1'. Here 'x.y.z' represents the hierarchy of statements. 1817 // 1818 // NOTE: this will be limited later in cases where we add barriers 1819 // to prevent this optimization. 1820 if (level1 && level1 == level2 && level1 == level3 && level1 == level4) { 1821 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1822 path.erase(NextI); 1823 hasChanges = true; 1824 continue; 1825 } 1826 1827 // Rule II. 1828 // 1829 // Eliminate edges between subexpressions and parent expressions 1830 // when the subexpression is consumed. 1831 // 1832 // NOTE: this will be limited later in cases where we add barriers 1833 // to prevent this optimization. 1834 if (s1End && s1End == s2Start && level2) { 1835 bool removeEdge = false; 1836 // Remove edges into the increment or initialization of a 1837 // loop that have no interleaving event. This means that 1838 // they aren't interesting. 1839 if (isIncrementOrInitInForLoop(s1End, level2)) 1840 removeEdge = true; 1841 // Next only consider edges that are not anchored on 1842 // the condition of a terminator. This are intermediate edges 1843 // that we might want to trim. 1844 else if (!isConditionForTerminator(level2, s1End)) { 1845 // Trim edges on expressions that are consumed by 1846 // the parent expression. 1847 if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) { 1848 removeEdge = true; 1849 } 1850 // Trim edges where a lexical containment doesn't exist. 1851 // For example: 1852 // 1853 // X -> Y -> Z 1854 // 1855 // If 'Z' lexically contains Y (it is an ancestor) and 1856 // 'X' does not lexically contain Y (it is a descendant OR 1857 // it has no lexical relationship at all) then trim. 1858 // 1859 // This can eliminate edges where we dive into a subexpression 1860 // and then pop back out, etc. 1861 else if (s1Start && s2End && 1862 lexicalContains(PM, s2Start, s2End) && 1863 !lexicalContains(PM, s1End, s1Start)) { 1864 removeEdge = true; 1865 } 1866 // Trim edges from a subexpression back to the top level if the 1867 // subexpression is on a different line. 1868 // 1869 // A.1 -> A -> B 1870 // becomes 1871 // A.1 -> B 1872 // 1873 // These edges just look ugly and don't usually add anything. 1874 else if (s1Start && s2End && 1875 lexicalContains(PM, s1Start, s1End)) { 1876 SourceRange EdgeRange(PieceI->getEndLocation().asLocation(), 1877 PieceI->getStartLocation().asLocation()); 1878 if (!getLengthOnSingleLine(SM, EdgeRange).hasValue()) 1879 removeEdge = true; 1880 } 1881 } 1882 1883 if (removeEdge) { 1884 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1885 path.erase(NextI); 1886 hasChanges = true; 1887 continue; 1888 } 1889 } 1890 1891 // Optimize edges for ObjC fast-enumeration loops. 1892 // 1893 // (X -> collection) -> (collection -> element) 1894 // 1895 // becomes: 1896 // 1897 // (X -> element) 1898 if (s1End == s2Start) { 1899 const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(level3); 1900 if (FS && FS->getCollection()->IgnoreParens() == s2Start && 1901 s2End == FS->getElement()) { 1902 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1903 path.erase(NextI); 1904 hasChanges = true; 1905 continue; 1906 } 1907 } 1908 1909 // No changes at this index? Move to the next one. 1910 ++I; 1911 } 1912 1913 if (!hasChanges) { 1914 // Adjust edges into subexpressions to make them more uniform 1915 // and aesthetically pleasing. 1916 addContextEdges(path, LC); 1917 // Remove "cyclical" edges that include one or more context edges. 1918 removeContextCycles(path, SM); 1919 // Hoist edges originating from branch conditions to branches 1920 // for simple branches. 1921 simplifySimpleBranches(path); 1922 // Remove any puny edges left over after primary optimization pass. 1923 removePunyEdges(path, SM, PM); 1924 // Remove identical events. 1925 removeIdenticalEvents(path); 1926 } 1927 1928 return hasChanges; 1929 } 1930 1931 /// Drop the very first edge in a path, which should be a function entry edge. 1932 /// 1933 /// If the first edge is not a function entry edge (say, because the first 1934 /// statement had an invalid source location), this function does nothing. 1935 // FIXME: We should just generate invalid edges anyway and have the optimizer 1936 // deal with them. 1937 static void dropFunctionEntryEdge(const PathDiagnosticConstruct &C, 1938 PathPieces &Path) { 1939 const auto *FirstEdge = 1940 dyn_cast<PathDiagnosticControlFlowPiece>(Path.front().get()); 1941 if (!FirstEdge) 1942 return; 1943 1944 const Decl *D = C.getLocationContextFor(&Path)->getDecl(); 1945 PathDiagnosticLocation EntryLoc = 1946 PathDiagnosticLocation::createBegin(D, C.getSourceManager()); 1947 if (FirstEdge->getStartLocation() != EntryLoc) 1948 return; 1949 1950 Path.pop_front(); 1951 } 1952 1953 /// Populate executes lines with lines containing at least one diagnostics. 1954 static void updateExecutedLinesWithDiagnosticPieces(PathDiagnostic &PD) { 1955 1956 PathPieces path = PD.path.flatten(/*ShouldFlattenMacros=*/true); 1957 FilesToLineNumsMap &ExecutedLines = PD.getExecutedLines(); 1958 1959 for (const auto &P : path) { 1960 FullSourceLoc Loc = P->getLocation().asLocation().getExpansionLoc(); 1961 FileID FID = Loc.getFileID(); 1962 unsigned LineNo = Loc.getLineNumber(); 1963 assert(FID.isValid()); 1964 ExecutedLines[FID].insert(LineNo); 1965 } 1966 } 1967 1968 PathDiagnosticConstruct::PathDiagnosticConstruct( 1969 const PathDiagnosticConsumer *PDC, const ExplodedNode *ErrorNode, 1970 const PathSensitiveBugReport *R) 1971 : Consumer(PDC), CurrentNode(ErrorNode), 1972 SM(CurrentNode->getCodeDecl().getASTContext().getSourceManager()), 1973 PD(generateEmptyDiagnosticForReport(R, getSourceManager())) { 1974 LCM[&PD->getActivePath()] = ErrorNode->getLocationContext(); 1975 } 1976 1977 PathDiagnosticBuilder::PathDiagnosticBuilder( 1978 BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath, 1979 PathSensitiveBugReport *r, const ExplodedNode *ErrorNode, 1980 std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics) 1981 : BugReporterContext(BRC), BugPath(std::move(BugPath)), R(r), 1982 ErrorNode(ErrorNode), 1983 VisitorsDiagnostics(std::move(VisitorsDiagnostics)) {} 1984 1985 std::unique_ptr<PathDiagnostic> 1986 PathDiagnosticBuilder::generate(const PathDiagnosticConsumer *PDC) const { 1987 PathDiagnosticConstruct Construct(PDC, ErrorNode, R); 1988 1989 const SourceManager &SM = getSourceManager(); 1990 const AnalyzerOptions &Opts = getAnalyzerOptions(); 1991 StringRef ErrorTag = ErrorNode->getLocation().getTag()->getTagDescription(); 1992 1993 // See whether we need to silence the checker/package. 1994 // FIXME: This will not work if the report was emitted with an incorrect tag. 1995 for (const std::string &CheckerOrPackage : Opts.SilencedCheckersAndPackages) { 1996 if (ErrorTag.startswith(CheckerOrPackage)) 1997 return nullptr; 1998 } 1999 2000 if (!PDC->shouldGenerateDiagnostics()) 2001 return generateEmptyDiagnosticForReport(R, getSourceManager()); 2002 2003 // Construct the final (warning) event for the bug report. 2004 auto EndNotes = VisitorsDiagnostics->find(ErrorNode); 2005 PathDiagnosticPieceRef LastPiece; 2006 if (EndNotes != VisitorsDiagnostics->end()) { 2007 assert(!EndNotes->second.empty()); 2008 LastPiece = EndNotes->second[0]; 2009 } else { 2010 LastPiece = BugReporterVisitor::getDefaultEndPath(*this, ErrorNode, 2011 *getBugReport()); 2012 } 2013 Construct.PD->setEndOfPath(LastPiece); 2014 2015 PathDiagnosticLocation PrevLoc = Construct.PD->getLocation(); 2016 // From the error node to the root, ascend the bug path and construct the bug 2017 // report. 2018 while (Construct.ascendToPrevNode()) { 2019 generatePathDiagnosticsForNode(Construct, PrevLoc); 2020 2021 auto VisitorNotes = VisitorsDiagnostics->find(Construct.getCurrentNode()); 2022 if (VisitorNotes == VisitorsDiagnostics->end()) 2023 continue; 2024 2025 // This is a workaround due to inability to put shared PathDiagnosticPiece 2026 // into a FoldingSet. 2027 std::set<llvm::FoldingSetNodeID> DeduplicationSet; 2028 2029 // Add pieces from custom visitors. 2030 for (const PathDiagnosticPieceRef &Note : VisitorNotes->second) { 2031 llvm::FoldingSetNodeID ID; 2032 Note->Profile(ID); 2033 if (!DeduplicationSet.insert(ID).second) 2034 continue; 2035 2036 if (PDC->shouldAddPathEdges()) 2037 addEdgeToPath(Construct.getActivePath(), PrevLoc, Note->getLocation()); 2038 updateStackPiecesWithMessage(Note, Construct.CallStack); 2039 Construct.getActivePath().push_front(Note); 2040 } 2041 } 2042 2043 if (PDC->shouldAddPathEdges()) { 2044 // Add an edge to the start of the function. 2045 // We'll prune it out later, but it helps make diagnostics more uniform. 2046 const StackFrameContext *CalleeLC = 2047 Construct.getLocationContextForActivePath()->getStackFrame(); 2048 const Decl *D = CalleeLC->getDecl(); 2049 addEdgeToPath(Construct.getActivePath(), PrevLoc, 2050 PathDiagnosticLocation::createBegin(D, SM)); 2051 } 2052 2053 2054 // Finally, prune the diagnostic path of uninteresting stuff. 2055 if (!Construct.PD->path.empty()) { 2056 if (R->shouldPrunePath() && Opts.ShouldPrunePaths) { 2057 bool stillHasNotes = 2058 removeUnneededCalls(Construct, Construct.getMutablePieces(), R); 2059 assert(stillHasNotes); 2060 (void)stillHasNotes; 2061 } 2062 2063 // Remove pop-up notes if needed. 2064 if (!Opts.ShouldAddPopUpNotes) 2065 removePopUpNotes(Construct.getMutablePieces()); 2066 2067 // Redirect all call pieces to have valid locations. 2068 adjustCallLocations(Construct.getMutablePieces()); 2069 removePiecesWithInvalidLocations(Construct.getMutablePieces()); 2070 2071 if (PDC->shouldAddPathEdges()) { 2072 2073 // Reduce the number of edges from a very conservative set 2074 // to an aesthetically pleasing subset that conveys the 2075 // necessary information. 2076 OptimizedCallsSet OCS; 2077 while (optimizeEdges(Construct, Construct.getMutablePieces(), OCS)) { 2078 } 2079 2080 // Drop the very first function-entry edge. It's not really necessary 2081 // for top-level functions. 2082 dropFunctionEntryEdge(Construct, Construct.getMutablePieces()); 2083 } 2084 2085 // Remove messages that are basically the same, and edges that may not 2086 // make sense. 2087 // We have to do this after edge optimization in the Extensive mode. 2088 removeRedundantMsgs(Construct.getMutablePieces()); 2089 removeEdgesToDefaultInitializers(Construct.getMutablePieces()); 2090 } 2091 2092 if (Opts.ShouldDisplayMacroExpansions) 2093 CompactMacroExpandedPieces(Construct.getMutablePieces(), SM); 2094 2095 return std::move(Construct.PD); 2096 } 2097 2098 //===----------------------------------------------------------------------===// 2099 // Methods for BugType and subclasses. 2100 //===----------------------------------------------------------------------===// 2101 2102 void BugType::anchor() {} 2103 2104 void BuiltinBug::anchor() {} 2105 2106 //===----------------------------------------------------------------------===// 2107 // Methods for BugReport and subclasses. 2108 //===----------------------------------------------------------------------===// 2109 2110 static bool isDependency(const CheckerRegistry &Registry, 2111 StringRef CheckerName) { 2112 for (const std::pair<StringRef, StringRef> &Pair : Registry.Dependencies) { 2113 if (Pair.second == CheckerName) 2114 return true; 2115 } 2116 return false; 2117 } 2118 2119 PathSensitiveBugReport::PathSensitiveBugReport( 2120 const BugType &bt, StringRef shortDesc, StringRef desc, 2121 const ExplodedNode *errorNode, PathDiagnosticLocation LocationToUnique, 2122 const Decl *DeclToUnique) 2123 : BugReport(Kind::PathSensitive, bt, shortDesc, desc), ErrorNode(errorNode), 2124 ErrorNodeRange(getStmt() ? getStmt()->getSourceRange() : SourceRange()), 2125 UniqueingLocation(LocationToUnique), UniqueingDecl(DeclToUnique) { 2126 assert(!isDependency(ErrorNode->getState() 2127 ->getAnalysisManager() 2128 .getCheckerManager() 2129 ->getCheckerRegistry(), 2130 bt.getCheckerName()) && 2131 "Some checkers depend on this one! We don't allow dependency " 2132 "checkers to emit warnings, because checkers should depend on " 2133 "*modeling*, not *diagnostics*."); 2134 } 2135 2136 void PathSensitiveBugReport::addVisitor( 2137 std::unique_ptr<BugReporterVisitor> visitor) { 2138 if (!visitor) 2139 return; 2140 2141 llvm::FoldingSetNodeID ID; 2142 visitor->Profile(ID); 2143 2144 void *InsertPos = nullptr; 2145 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 2146 return; 2147 } 2148 2149 Callbacks.push_back(std::move(visitor)); 2150 } 2151 2152 void PathSensitiveBugReport::clearVisitors() { 2153 Callbacks.clear(); 2154 } 2155 2156 const Decl *PathSensitiveBugReport::getDeclWithIssue() const { 2157 const ExplodedNode *N = getErrorNode(); 2158 if (!N) 2159 return nullptr; 2160 2161 const LocationContext *LC = N->getLocationContext(); 2162 return LC->getStackFrame()->getDecl(); 2163 } 2164 2165 void BasicBugReport::Profile(llvm::FoldingSetNodeID& hash) const { 2166 hash.AddInteger(static_cast<int>(getKind())); 2167 hash.AddPointer(&BT); 2168 hash.AddString(Description); 2169 assert(Location.isValid()); 2170 Location.Profile(hash); 2171 2172 for (SourceRange range : Ranges) { 2173 if (!range.isValid()) 2174 continue; 2175 hash.AddInteger(range.getBegin().getRawEncoding()); 2176 hash.AddInteger(range.getEnd().getRawEncoding()); 2177 } 2178 } 2179 2180 void PathSensitiveBugReport::Profile(llvm::FoldingSetNodeID &hash) const { 2181 hash.AddInteger(static_cast<int>(getKind())); 2182 hash.AddPointer(&BT); 2183 hash.AddString(Description); 2184 PathDiagnosticLocation UL = getUniqueingLocation(); 2185 if (UL.isValid()) { 2186 UL.Profile(hash); 2187 } else { 2188 // TODO: The statement may be null if the report was emitted before any 2189 // statements were executed. In particular, some checkers by design 2190 // occasionally emit their reports in empty functions (that have no 2191 // statements in their body). Do we profile correctly in this case? 2192 hash.AddPointer(ErrorNode->getCurrentOrPreviousStmtForDiagnostics()); 2193 } 2194 2195 for (SourceRange range : Ranges) { 2196 if (!range.isValid()) 2197 continue; 2198 hash.AddInteger(range.getBegin().getRawEncoding()); 2199 hash.AddInteger(range.getEnd().getRawEncoding()); 2200 } 2201 } 2202 2203 template <class T> 2204 static void insertToInterestingnessMap( 2205 llvm::DenseMap<T, bugreporter::TrackingKind> &InterestingnessMap, T Val, 2206 bugreporter::TrackingKind TKind) { 2207 auto Result = InterestingnessMap.insert({Val, TKind}); 2208 2209 if (Result.second) 2210 return; 2211 2212 // Even if this symbol/region was already marked as interesting as a 2213 // condition, if we later mark it as interesting again but with 2214 // thorough tracking, overwrite it. Entities marked with thorough 2215 // interestiness are the most important (or most interesting, if you will), 2216 // and we wouldn't like to downplay their importance. 2217 2218 switch (TKind) { 2219 case bugreporter::TrackingKind::Thorough: 2220 Result.first->getSecond() = bugreporter::TrackingKind::Thorough; 2221 return; 2222 case bugreporter::TrackingKind::Condition: 2223 return; 2224 } 2225 2226 llvm_unreachable( 2227 "BugReport::markInteresting currently can only handle 2 different " 2228 "tracking kinds! Please define what tracking kind should this entitiy" 2229 "have, if it was already marked as interesting with a different kind!"); 2230 } 2231 2232 void PathSensitiveBugReport::markInteresting(SymbolRef sym, 2233 bugreporter::TrackingKind TKind) { 2234 if (!sym) 2235 return; 2236 2237 insertToInterestingnessMap(InterestingSymbols, sym, TKind); 2238 2239 if (const auto *meta = dyn_cast<SymbolMetadata>(sym)) 2240 markInteresting(meta->getRegion(), TKind); 2241 } 2242 2243 void PathSensitiveBugReport::markInteresting(const MemRegion *R, 2244 bugreporter::TrackingKind TKind) { 2245 if (!R) 2246 return; 2247 2248 R = R->getBaseRegion(); 2249 insertToInterestingnessMap(InterestingRegions, R, TKind); 2250 2251 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2252 markInteresting(SR->getSymbol(), TKind); 2253 } 2254 2255 void PathSensitiveBugReport::markInteresting(SVal V, 2256 bugreporter::TrackingKind TKind) { 2257 markInteresting(V.getAsRegion(), TKind); 2258 markInteresting(V.getAsSymbol(), TKind); 2259 } 2260 2261 void PathSensitiveBugReport::markInteresting(const LocationContext *LC) { 2262 if (!LC) 2263 return; 2264 InterestingLocationContexts.insert(LC); 2265 } 2266 2267 Optional<bugreporter::TrackingKind> 2268 PathSensitiveBugReport::getInterestingnessKind(SVal V) const { 2269 auto RKind = getInterestingnessKind(V.getAsRegion()); 2270 auto SKind = getInterestingnessKind(V.getAsSymbol()); 2271 if (!RKind) 2272 return SKind; 2273 if (!SKind) 2274 return RKind; 2275 2276 // If either is marked with throrough tracking, return that, we wouldn't like 2277 // to downplay a note's importance by 'only' mentioning it as a condition. 2278 switch(*RKind) { 2279 case bugreporter::TrackingKind::Thorough: 2280 return RKind; 2281 case bugreporter::TrackingKind::Condition: 2282 return SKind; 2283 } 2284 2285 llvm_unreachable( 2286 "BugReport::getInterestingnessKind currently can only handle 2 different " 2287 "tracking kinds! Please define what tracking kind should we return here " 2288 "when the kind of getAsRegion() and getAsSymbol() is different!"); 2289 return None; 2290 } 2291 2292 Optional<bugreporter::TrackingKind> 2293 PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const { 2294 if (!sym) 2295 return None; 2296 // We don't currently consider metadata symbols to be interesting 2297 // even if we know their region is interesting. Is that correct behavior? 2298 auto It = InterestingSymbols.find(sym); 2299 if (It == InterestingSymbols.end()) 2300 return None; 2301 return It->getSecond(); 2302 } 2303 2304 Optional<bugreporter::TrackingKind> 2305 PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const { 2306 if (!R) 2307 return None; 2308 2309 R = R->getBaseRegion(); 2310 auto It = InterestingRegions.find(R); 2311 if (It != InterestingRegions.end()) 2312 return It->getSecond(); 2313 2314 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2315 return getInterestingnessKind(SR->getSymbol()); 2316 return None; 2317 } 2318 2319 bool PathSensitiveBugReport::isInteresting(SVal V) const { 2320 return getInterestingnessKind(V).hasValue(); 2321 } 2322 2323 bool PathSensitiveBugReport::isInteresting(SymbolRef sym) const { 2324 return getInterestingnessKind(sym).hasValue(); 2325 } 2326 2327 bool PathSensitiveBugReport::isInteresting(const MemRegion *R) const { 2328 return getInterestingnessKind(R).hasValue(); 2329 } 2330 2331 bool PathSensitiveBugReport::isInteresting(const LocationContext *LC) const { 2332 if (!LC) 2333 return false; 2334 return InterestingLocationContexts.count(LC); 2335 } 2336 2337 const Stmt *PathSensitiveBugReport::getStmt() const { 2338 if (!ErrorNode) 2339 return nullptr; 2340 2341 ProgramPoint ProgP = ErrorNode->getLocation(); 2342 const Stmt *S = nullptr; 2343 2344 if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) { 2345 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 2346 if (BE->getBlock() == &Exit) 2347 S = ErrorNode->getPreviousStmtForDiagnostics(); 2348 } 2349 if (!S) 2350 S = ErrorNode->getStmtForDiagnostics(); 2351 2352 return S; 2353 } 2354 2355 ArrayRef<SourceRange> 2356 PathSensitiveBugReport::getRanges() const { 2357 // If no custom ranges, add the range of the statement corresponding to 2358 // the error node. 2359 if (Ranges.empty() && isa_and_nonnull<Expr>(getStmt())) 2360 return ErrorNodeRange; 2361 2362 return Ranges; 2363 } 2364 2365 PathDiagnosticLocation 2366 PathSensitiveBugReport::getLocation() const { 2367 assert(ErrorNode && "Cannot create a location with a null node."); 2368 const Stmt *S = ErrorNode->getStmtForDiagnostics(); 2369 ProgramPoint P = ErrorNode->getLocation(); 2370 const LocationContext *LC = P.getLocationContext(); 2371 SourceManager &SM = 2372 ErrorNode->getState()->getStateManager().getContext().getSourceManager(); 2373 2374 if (!S) { 2375 // If this is an implicit call, return the implicit call point location. 2376 if (Optional<PreImplicitCall> PIE = P.getAs<PreImplicitCall>()) 2377 return PathDiagnosticLocation(PIE->getLocation(), SM); 2378 if (auto FE = P.getAs<FunctionExitPoint>()) { 2379 if (const ReturnStmt *RS = FE->getStmt()) 2380 return PathDiagnosticLocation::createBegin(RS, SM, LC); 2381 } 2382 S = ErrorNode->getNextStmtForDiagnostics(); 2383 } 2384 2385 if (S) { 2386 // For member expressions, return the location of the '.' or '->'. 2387 if (const auto *ME = dyn_cast<MemberExpr>(S)) 2388 return PathDiagnosticLocation::createMemberLoc(ME, SM); 2389 2390 // For binary operators, return the location of the operator. 2391 if (const auto *B = dyn_cast<BinaryOperator>(S)) 2392 return PathDiagnosticLocation::createOperatorLoc(B, SM); 2393 2394 if (P.getAs<PostStmtPurgeDeadSymbols>()) 2395 return PathDiagnosticLocation::createEnd(S, SM, LC); 2396 2397 if (S->getBeginLoc().isValid()) 2398 return PathDiagnosticLocation(S, SM, LC); 2399 2400 return PathDiagnosticLocation( 2401 PathDiagnosticLocation::getValidSourceLocation(S, LC), SM); 2402 } 2403 2404 return PathDiagnosticLocation::createDeclEnd(ErrorNode->getLocationContext(), 2405 SM); 2406 } 2407 2408 //===----------------------------------------------------------------------===// 2409 // Methods for BugReporter and subclasses. 2410 //===----------------------------------------------------------------------===// 2411 2412 const ExplodedGraph &PathSensitiveBugReporter::getGraph() const { 2413 return Eng.getGraph(); 2414 } 2415 2416 ProgramStateManager &PathSensitiveBugReporter::getStateManager() const { 2417 return Eng.getStateManager(); 2418 } 2419 2420 BugReporter::BugReporter(BugReporterData &d) : D(d) {} 2421 BugReporter::~BugReporter() { 2422 // Make sure reports are flushed. 2423 assert(StrBugTypes.empty() && 2424 "Destroying BugReporter before diagnostics are emitted!"); 2425 2426 // Free the bug reports we are tracking. 2427 for (const auto I : EQClassesVector) 2428 delete I; 2429 } 2430 2431 void BugReporter::FlushReports() { 2432 // We need to flush reports in deterministic order to ensure the order 2433 // of the reports is consistent between runs. 2434 for (const auto EQ : EQClassesVector) 2435 FlushReport(*EQ); 2436 2437 // BugReporter owns and deletes only BugTypes created implicitly through 2438 // EmitBasicReport. 2439 // FIXME: There are leaks from checkers that assume that the BugTypes they 2440 // create will be destroyed by the BugReporter. 2441 StrBugTypes.clear(); 2442 } 2443 2444 //===----------------------------------------------------------------------===// 2445 // PathDiagnostics generation. 2446 //===----------------------------------------------------------------------===// 2447 2448 namespace { 2449 2450 /// A wrapper around an ExplodedGraph that contains a single path from the root 2451 /// to the error node. 2452 class BugPathInfo { 2453 public: 2454 std::unique_ptr<ExplodedGraph> BugPath; 2455 PathSensitiveBugReport *Report; 2456 const ExplodedNode *ErrorNode; 2457 }; 2458 2459 /// A wrapper around an ExplodedGraph whose leafs are all error nodes. Can 2460 /// conveniently retrieve bug paths from a single error node to the root. 2461 class BugPathGetter { 2462 std::unique_ptr<ExplodedGraph> TrimmedGraph; 2463 2464 using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>; 2465 2466 /// Assign each node with its distance from the root. 2467 PriorityMapTy PriorityMap; 2468 2469 /// Since the getErrorNode() or BugReport refers to the original ExplodedGraph, 2470 /// we need to pair it to the error node of the constructed trimmed graph. 2471 using ReportNewNodePair = 2472 std::pair<PathSensitiveBugReport *, const ExplodedNode *>; 2473 SmallVector<ReportNewNodePair, 32> ReportNodes; 2474 2475 BugPathInfo CurrentBugPath; 2476 2477 /// A helper class for sorting ExplodedNodes by priority. 2478 template <bool Descending> 2479 class PriorityCompare { 2480 const PriorityMapTy &PriorityMap; 2481 2482 public: 2483 PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {} 2484 2485 bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const { 2486 PriorityMapTy::const_iterator LI = PriorityMap.find(LHS); 2487 PriorityMapTy::const_iterator RI = PriorityMap.find(RHS); 2488 PriorityMapTy::const_iterator E = PriorityMap.end(); 2489 2490 if (LI == E) 2491 return Descending; 2492 if (RI == E) 2493 return !Descending; 2494 2495 return Descending ? LI->second > RI->second 2496 : LI->second < RI->second; 2497 } 2498 2499 bool operator()(const ReportNewNodePair &LHS, 2500 const ReportNewNodePair &RHS) const { 2501 return (*this)(LHS.second, RHS.second); 2502 } 2503 }; 2504 2505 public: 2506 BugPathGetter(const ExplodedGraph *OriginalGraph, 2507 ArrayRef<PathSensitiveBugReport *> &bugReports); 2508 2509 BugPathInfo *getNextBugPath(); 2510 }; 2511 2512 } // namespace 2513 2514 BugPathGetter::BugPathGetter(const ExplodedGraph *OriginalGraph, 2515 ArrayRef<PathSensitiveBugReport *> &bugReports) { 2516 SmallVector<const ExplodedNode *, 32> Nodes; 2517 for (const auto I : bugReports) { 2518 assert(I->isValid() && 2519 "We only allow BugReporterVisitors and BugReporter itself to " 2520 "invalidate reports!"); 2521 Nodes.emplace_back(I->getErrorNode()); 2522 } 2523 2524 // The trimmed graph is created in the body of the constructor to ensure 2525 // that the DenseMaps have been initialized already. 2526 InterExplodedGraphMap ForwardMap; 2527 TrimmedGraph = OriginalGraph->trim(Nodes, &ForwardMap); 2528 2529 // Find the (first) error node in the trimmed graph. We just need to consult 2530 // the node map which maps from nodes in the original graph to nodes 2531 // in the new graph. 2532 llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes; 2533 2534 for (PathSensitiveBugReport *Report : bugReports) { 2535 const ExplodedNode *NewNode = ForwardMap.lookup(Report->getErrorNode()); 2536 assert(NewNode && 2537 "Failed to construct a trimmed graph that contains this error " 2538 "node!"); 2539 ReportNodes.emplace_back(Report, NewNode); 2540 RemainingNodes.insert(NewNode); 2541 } 2542 2543 assert(!RemainingNodes.empty() && "No error node found in the trimmed graph"); 2544 2545 // Perform a forward BFS to find all the shortest paths. 2546 std::queue<const ExplodedNode *> WS; 2547 2548 assert(TrimmedGraph->num_roots() == 1); 2549 WS.push(*TrimmedGraph->roots_begin()); 2550 unsigned Priority = 0; 2551 2552 while (!WS.empty()) { 2553 const ExplodedNode *Node = WS.front(); 2554 WS.pop(); 2555 2556 PriorityMapTy::iterator PriorityEntry; 2557 bool IsNew; 2558 std::tie(PriorityEntry, IsNew) = PriorityMap.insert({Node, Priority}); 2559 ++Priority; 2560 2561 if (!IsNew) { 2562 assert(PriorityEntry->second <= Priority); 2563 continue; 2564 } 2565 2566 if (RemainingNodes.erase(Node)) 2567 if (RemainingNodes.empty()) 2568 break; 2569 2570 for (const ExplodedNode *Succ : Node->succs()) 2571 WS.push(Succ); 2572 } 2573 2574 // Sort the error paths from longest to shortest. 2575 llvm::sort(ReportNodes, PriorityCompare<true>(PriorityMap)); 2576 } 2577 2578 BugPathInfo *BugPathGetter::getNextBugPath() { 2579 if (ReportNodes.empty()) 2580 return nullptr; 2581 2582 const ExplodedNode *OrigN; 2583 std::tie(CurrentBugPath.Report, OrigN) = ReportNodes.pop_back_val(); 2584 assert(PriorityMap.find(OrigN) != PriorityMap.end() && 2585 "error node not accessible from root"); 2586 2587 // Create a new graph with a single path. This is the graph that will be 2588 // returned to the caller. 2589 auto GNew = std::make_unique<ExplodedGraph>(); 2590 2591 // Now walk from the error node up the BFS path, always taking the 2592 // predeccessor with the lowest number. 2593 ExplodedNode *Succ = nullptr; 2594 while (true) { 2595 // Create the equivalent node in the new graph with the same state 2596 // and location. 2597 ExplodedNode *NewN = GNew->createUncachedNode( 2598 OrigN->getLocation(), OrigN->getState(), 2599 OrigN->getID(), OrigN->isSink()); 2600 2601 // Link up the new node with the previous node. 2602 if (Succ) 2603 Succ->addPredecessor(NewN, *GNew); 2604 else 2605 CurrentBugPath.ErrorNode = NewN; 2606 2607 Succ = NewN; 2608 2609 // Are we at the final node? 2610 if (OrigN->pred_empty()) { 2611 GNew->addRoot(NewN); 2612 break; 2613 } 2614 2615 // Find the next predeccessor node. We choose the node that is marked 2616 // with the lowest BFS number. 2617 OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(), 2618 PriorityCompare<false>(PriorityMap)); 2619 } 2620 2621 CurrentBugPath.BugPath = std::move(GNew); 2622 2623 return &CurrentBugPath; 2624 } 2625 2626 /// CompactMacroExpandedPieces - This function postprocesses a PathDiagnostic 2627 /// object and collapses PathDiagosticPieces that are expanded by macros. 2628 static void CompactMacroExpandedPieces(PathPieces &path, 2629 const SourceManager& SM) { 2630 using MacroStackTy = std::vector< 2631 std::pair<std::shared_ptr<PathDiagnosticMacroPiece>, SourceLocation>>; 2632 2633 using PiecesTy = std::vector<PathDiagnosticPieceRef>; 2634 2635 MacroStackTy MacroStack; 2636 PiecesTy Pieces; 2637 2638 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 2639 I != E; ++I) { 2640 const auto &piece = *I; 2641 2642 // Recursively compact calls. 2643 if (auto *call = dyn_cast<PathDiagnosticCallPiece>(&*piece)) { 2644 CompactMacroExpandedPieces(call->path, SM); 2645 } 2646 2647 // Get the location of the PathDiagnosticPiece. 2648 const FullSourceLoc Loc = piece->getLocation().asLocation(); 2649 2650 // Determine the instantiation location, which is the location we group 2651 // related PathDiagnosticPieces. 2652 SourceLocation InstantiationLoc = Loc.isMacroID() ? 2653 SM.getExpansionLoc(Loc) : 2654 SourceLocation(); 2655 2656 if (Loc.isFileID()) { 2657 MacroStack.clear(); 2658 Pieces.push_back(piece); 2659 continue; 2660 } 2661 2662 assert(Loc.isMacroID()); 2663 2664 // Is the PathDiagnosticPiece within the same macro group? 2665 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 2666 MacroStack.back().first->subPieces.push_back(piece); 2667 continue; 2668 } 2669 2670 // We aren't in the same group. Are we descending into a new macro 2671 // or are part of an old one? 2672 std::shared_ptr<PathDiagnosticMacroPiece> MacroGroup; 2673 2674 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 2675 SM.getExpansionLoc(Loc) : 2676 SourceLocation(); 2677 2678 // Walk the entire macro stack. 2679 while (!MacroStack.empty()) { 2680 if (InstantiationLoc == MacroStack.back().second) { 2681 MacroGroup = MacroStack.back().first; 2682 break; 2683 } 2684 2685 if (ParentInstantiationLoc == MacroStack.back().second) { 2686 MacroGroup = MacroStack.back().first; 2687 break; 2688 } 2689 2690 MacroStack.pop_back(); 2691 } 2692 2693 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 2694 // Create a new macro group and add it to the stack. 2695 auto NewGroup = std::make_shared<PathDiagnosticMacroPiece>( 2696 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 2697 2698 if (MacroGroup) 2699 MacroGroup->subPieces.push_back(NewGroup); 2700 else { 2701 assert(InstantiationLoc.isFileID()); 2702 Pieces.push_back(NewGroup); 2703 } 2704 2705 MacroGroup = NewGroup; 2706 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 2707 } 2708 2709 // Finally, add the PathDiagnosticPiece to the group. 2710 MacroGroup->subPieces.push_back(piece); 2711 } 2712 2713 // Now take the pieces and construct a new PathDiagnostic. 2714 path.clear(); 2715 2716 path.insert(path.end(), Pieces.begin(), Pieces.end()); 2717 } 2718 2719 /// Generate notes from all visitors. 2720 /// Notes associated with {@code ErrorNode} are generated using 2721 /// {@code getEndPath}, and the rest are generated with {@code VisitNode}. 2722 static std::unique_ptr<VisitorsDiagnosticsTy> 2723 generateVisitorsDiagnostics(PathSensitiveBugReport *R, 2724 const ExplodedNode *ErrorNode, 2725 BugReporterContext &BRC) { 2726 std::unique_ptr<VisitorsDiagnosticsTy> Notes = 2727 std::make_unique<VisitorsDiagnosticsTy>(); 2728 PathSensitiveBugReport::VisitorList visitors; 2729 2730 // Run visitors on all nodes starting from the node *before* the last one. 2731 // The last node is reserved for notes generated with {@code getEndPath}. 2732 const ExplodedNode *NextNode = ErrorNode->getFirstPred(); 2733 while (NextNode) { 2734 2735 // At each iteration, move all visitors from report to visitor list. This is 2736 // important, because the Profile() functions of the visitors make sure that 2737 // a visitor isn't added multiple times for the same node, but it's fine 2738 // to add the a visitor with Profile() for different nodes (e.g. tracking 2739 // a region at different points of the symbolic execution). 2740 for (std::unique_ptr<BugReporterVisitor> &Visitor : R->visitors()) 2741 visitors.push_back(std::move(Visitor)); 2742 2743 R->clearVisitors(); 2744 2745 const ExplodedNode *Pred = NextNode->getFirstPred(); 2746 if (!Pred) { 2747 PathDiagnosticPieceRef LastPiece; 2748 for (auto &V : visitors) { 2749 V->finalizeVisitor(BRC, ErrorNode, *R); 2750 2751 if (auto Piece = V->getEndPath(BRC, ErrorNode, *R)) { 2752 assert(!LastPiece && 2753 "There can only be one final piece in a diagnostic."); 2754 assert(Piece->getKind() == PathDiagnosticPiece::Kind::Event && 2755 "The final piece must contain a message!"); 2756 LastPiece = std::move(Piece); 2757 (*Notes)[ErrorNode].push_back(LastPiece); 2758 } 2759 } 2760 break; 2761 } 2762 2763 for (auto &V : visitors) { 2764 auto P = V->VisitNode(NextNode, BRC, *R); 2765 if (P) 2766 (*Notes)[NextNode].push_back(std::move(P)); 2767 } 2768 2769 if (!R->isValid()) 2770 break; 2771 2772 NextNode = Pred; 2773 } 2774 2775 return Notes; 2776 } 2777 2778 Optional<PathDiagnosticBuilder> PathDiagnosticBuilder::findValidReport( 2779 ArrayRef<PathSensitiveBugReport *> &bugReports, 2780 PathSensitiveBugReporter &Reporter) { 2781 2782 BugPathGetter BugGraph(&Reporter.getGraph(), bugReports); 2783 2784 while (BugPathInfo *BugPath = BugGraph.getNextBugPath()) { 2785 // Find the BugReport with the original location. 2786 PathSensitiveBugReport *R = BugPath->Report; 2787 assert(R && "No original report found for sliced graph."); 2788 assert(R->isValid() && "Report selected by trimmed graph marked invalid."); 2789 const ExplodedNode *ErrorNode = BugPath->ErrorNode; 2790 2791 // Register refutation visitors first, if they mark the bug invalid no 2792 // further analysis is required 2793 R->addVisitor(std::make_unique<LikelyFalsePositiveSuppressionBRVisitor>()); 2794 2795 // Register additional node visitors. 2796 R->addVisitor(std::make_unique<NilReceiverBRVisitor>()); 2797 R->addVisitor(std::make_unique<ConditionBRVisitor>()); 2798 R->addVisitor(std::make_unique<TagVisitor>()); 2799 2800 BugReporterContext BRC(Reporter); 2801 2802 // Run all visitors on a given graph, once. 2803 std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes = 2804 generateVisitorsDiagnostics(R, ErrorNode, BRC); 2805 2806 if (R->isValid()) { 2807 if (Reporter.getAnalyzerOptions().ShouldCrosscheckWithZ3) { 2808 // If crosscheck is enabled, remove all visitors, add the refutation 2809 // visitor and check again 2810 R->clearVisitors(); 2811 R->addVisitor(std::make_unique<FalsePositiveRefutationBRVisitor>()); 2812 2813 // We don't overrite the notes inserted by other visitors because the 2814 // refutation manager does not add any new note to the path 2815 generateVisitorsDiagnostics(R, BugPath->ErrorNode, BRC); 2816 } 2817 2818 // Check if the bug is still valid 2819 if (R->isValid()) 2820 return PathDiagnosticBuilder( 2821 std::move(BRC), std::move(BugPath->BugPath), BugPath->Report, 2822 BugPath->ErrorNode, std::move(visitorNotes)); 2823 } 2824 } 2825 2826 return {}; 2827 } 2828 2829 std::unique_ptr<DiagnosticForConsumerMapTy> 2830 PathSensitiveBugReporter::generatePathDiagnostics( 2831 ArrayRef<PathDiagnosticConsumer *> consumers, 2832 ArrayRef<PathSensitiveBugReport *> &bugReports) { 2833 assert(!bugReports.empty()); 2834 2835 auto Out = std::make_unique<DiagnosticForConsumerMapTy>(); 2836 2837 Optional<PathDiagnosticBuilder> PDB = 2838 PathDiagnosticBuilder::findValidReport(bugReports, *this); 2839 2840 if (PDB) { 2841 for (PathDiagnosticConsumer *PC : consumers) { 2842 if (std::unique_ptr<PathDiagnostic> PD = PDB->generate(PC)) { 2843 (*Out)[PC] = std::move(PD); 2844 } 2845 } 2846 } 2847 2848 return Out; 2849 } 2850 2851 void BugReporter::emitReport(std::unique_ptr<BugReport> R) { 2852 bool ValidSourceLoc = R->getLocation().isValid(); 2853 assert(ValidSourceLoc); 2854 // If we mess up in a release build, we'd still prefer to just drop the bug 2855 // instead of trying to go on. 2856 if (!ValidSourceLoc) 2857 return; 2858 2859 // Compute the bug report's hash to determine its equivalence class. 2860 llvm::FoldingSetNodeID ID; 2861 R->Profile(ID); 2862 2863 // Lookup the equivance class. If there isn't one, create it. 2864 void *InsertPos; 2865 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 2866 2867 if (!EQ) { 2868 EQ = new BugReportEquivClass(std::move(R)); 2869 EQClasses.InsertNode(EQ, InsertPos); 2870 EQClassesVector.push_back(EQ); 2871 } else 2872 EQ->AddReport(std::move(R)); 2873 } 2874 2875 void PathSensitiveBugReporter::emitReport(std::unique_ptr<BugReport> R) { 2876 if (auto PR = dyn_cast<PathSensitiveBugReport>(R.get())) 2877 if (const ExplodedNode *E = PR->getErrorNode()) { 2878 // An error node must either be a sink or have a tag, otherwise 2879 // it could get reclaimed before the path diagnostic is created. 2880 assert((E->isSink() || E->getLocation().getTag()) && 2881 "Error node must either be a sink or have a tag"); 2882 2883 const AnalysisDeclContext *DeclCtx = 2884 E->getLocationContext()->getAnalysisDeclContext(); 2885 // The source of autosynthesized body can be handcrafted AST or a model 2886 // file. The locations from handcrafted ASTs have no valid source 2887 // locations and have to be discarded. Locations from model files should 2888 // be preserved for processing and reporting. 2889 if (DeclCtx->isBodyAutosynthesized() && 2890 !DeclCtx->isBodyAutosynthesizedFromModelFile()) 2891 return; 2892 } 2893 2894 BugReporter::emitReport(std::move(R)); 2895 } 2896 2897 //===----------------------------------------------------------------------===// 2898 // Emitting reports in equivalence classes. 2899 //===----------------------------------------------------------------------===// 2900 2901 namespace { 2902 2903 struct FRIEC_WLItem { 2904 const ExplodedNode *N; 2905 ExplodedNode::const_succ_iterator I, E; 2906 2907 FRIEC_WLItem(const ExplodedNode *n) 2908 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 2909 }; 2910 2911 } // namespace 2912 2913 BugReport *PathSensitiveBugReporter::findReportInEquivalenceClass( 2914 BugReportEquivClass &EQ, SmallVectorImpl<BugReport *> &bugReports) { 2915 // If we don't need to suppress any of the nodes because they are 2916 // post-dominated by a sink, simply add all the nodes in the equivalence class 2917 // to 'Nodes'. Any of the reports will serve as a "representative" report. 2918 assert(EQ.getReports().size() > 0); 2919 const BugType& BT = EQ.getReports()[0]->getBugType(); 2920 if (!BT.isSuppressOnSink()) { 2921 BugReport *R = EQ.getReports()[0].get(); 2922 for (auto &J : EQ.getReports()) { 2923 if (auto *PR = dyn_cast<PathSensitiveBugReport>(J.get())) { 2924 R = PR; 2925 bugReports.push_back(PR); 2926 } 2927 } 2928 return R; 2929 } 2930 2931 // For bug reports that should be suppressed when all paths are post-dominated 2932 // by a sink node, iterate through the reports in the equivalence class 2933 // until we find one that isn't post-dominated (if one exists). We use a 2934 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 2935 // this as a recursive function, but we don't want to risk blowing out the 2936 // stack for very long paths. 2937 BugReport *exampleReport = nullptr; 2938 2939 for (const auto &I: EQ.getReports()) { 2940 auto *R = dyn_cast<PathSensitiveBugReport>(I.get()); 2941 if (!R) 2942 continue; 2943 2944 const ExplodedNode *errorNode = R->getErrorNode(); 2945 if (errorNode->isSink()) { 2946 llvm_unreachable( 2947 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 2948 } 2949 // No successors? By definition this nodes isn't post-dominated by a sink. 2950 if (errorNode->succ_empty()) { 2951 bugReports.push_back(R); 2952 if (!exampleReport) 2953 exampleReport = R; 2954 continue; 2955 } 2956 2957 // See if we are in a no-return CFG block. If so, treat this similarly 2958 // to being post-dominated by a sink. This works better when the analysis 2959 // is incomplete and we have never reached the no-return function call(s) 2960 // that we'd inevitably bump into on this path. 2961 if (const CFGBlock *ErrorB = errorNode->getCFGBlock()) 2962 if (ErrorB->isInevitablySinking()) 2963 continue; 2964 2965 // At this point we know that 'N' is not a sink and it has at least one 2966 // successor. Use a DFS worklist to find a non-sink end-of-path node. 2967 using WLItem = FRIEC_WLItem; 2968 using DFSWorkList = SmallVector<WLItem, 10>; 2969 2970 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 2971 2972 DFSWorkList WL; 2973 WL.push_back(errorNode); 2974 Visited[errorNode] = 1; 2975 2976 while (!WL.empty()) { 2977 WLItem &WI = WL.back(); 2978 assert(!WI.N->succ_empty()); 2979 2980 for (; WI.I != WI.E; ++WI.I) { 2981 const ExplodedNode *Succ = *WI.I; 2982 // End-of-path node? 2983 if (Succ->succ_empty()) { 2984 // If we found an end-of-path node that is not a sink. 2985 if (!Succ->isSink()) { 2986 bugReports.push_back(R); 2987 if (!exampleReport) 2988 exampleReport = R; 2989 WL.clear(); 2990 break; 2991 } 2992 // Found a sink? Continue on to the next successor. 2993 continue; 2994 } 2995 // Mark the successor as visited. If it hasn't been explored, 2996 // enqueue it to the DFS worklist. 2997 unsigned &mark = Visited[Succ]; 2998 if (!mark) { 2999 mark = 1; 3000 WL.push_back(Succ); 3001 break; 3002 } 3003 } 3004 3005 // The worklist may have been cleared at this point. First 3006 // check if it is empty before checking the last item. 3007 if (!WL.empty() && &WL.back() == &WI) 3008 WL.pop_back(); 3009 } 3010 } 3011 3012 // ExampleReport will be NULL if all the nodes in the equivalence class 3013 // were post-dominated by sinks. 3014 return exampleReport; 3015 } 3016 3017 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 3018 SmallVector<BugReport*, 10> bugReports; 3019 BugReport *report = findReportInEquivalenceClass(EQ, bugReports); 3020 if (!report) 3021 return; 3022 3023 ArrayRef<PathDiagnosticConsumer*> Consumers = getPathDiagnosticConsumers(); 3024 std::unique_ptr<DiagnosticForConsumerMapTy> Diagnostics = 3025 generateDiagnosticForConsumerMap(report, Consumers, bugReports); 3026 3027 for (auto &P : *Diagnostics) { 3028 PathDiagnosticConsumer *Consumer = P.first; 3029 std::unique_ptr<PathDiagnostic> &PD = P.second; 3030 3031 // If the path is empty, generate a single step path with the location 3032 // of the issue. 3033 if (PD->path.empty()) { 3034 PathDiagnosticLocation L = report->getLocation(); 3035 auto piece = std::make_unique<PathDiagnosticEventPiece>( 3036 L, report->getDescription()); 3037 for (SourceRange Range : report->getRanges()) 3038 piece->addRange(Range); 3039 PD->setEndOfPath(std::move(piece)); 3040 } 3041 3042 PathPieces &Pieces = PD->getMutablePieces(); 3043 if (getAnalyzerOptions().ShouldDisplayNotesAsEvents) { 3044 // For path diagnostic consumers that don't support extra notes, 3045 // we may optionally convert those to path notes. 3046 for (auto I = report->getNotes().rbegin(), 3047 E = report->getNotes().rend(); I != E; ++I) { 3048 PathDiagnosticNotePiece *Piece = I->get(); 3049 auto ConvertedPiece = std::make_shared<PathDiagnosticEventPiece>( 3050 Piece->getLocation(), Piece->getString()); 3051 for (const auto &R: Piece->getRanges()) 3052 ConvertedPiece->addRange(R); 3053 3054 Pieces.push_front(std::move(ConvertedPiece)); 3055 } 3056 } else { 3057 for (auto I = report->getNotes().rbegin(), 3058 E = report->getNotes().rend(); I != E; ++I) 3059 Pieces.push_front(*I); 3060 } 3061 3062 for (const auto &I : report->getFixits()) 3063 Pieces.back()->addFixit(I); 3064 3065 updateExecutedLinesWithDiagnosticPieces(*PD); 3066 Consumer->HandlePathDiagnostic(std::move(PD)); 3067 } 3068 } 3069 3070 /// Insert all lines participating in the function signature \p Signature 3071 /// into \p ExecutedLines. 3072 static void populateExecutedLinesWithFunctionSignature( 3073 const Decl *Signature, const SourceManager &SM, 3074 FilesToLineNumsMap &ExecutedLines) { 3075 SourceRange SignatureSourceRange; 3076 const Stmt* Body = Signature->getBody(); 3077 if (const auto FD = dyn_cast<FunctionDecl>(Signature)) { 3078 SignatureSourceRange = FD->getSourceRange(); 3079 } else if (const auto OD = dyn_cast<ObjCMethodDecl>(Signature)) { 3080 SignatureSourceRange = OD->getSourceRange(); 3081 } else { 3082 return; 3083 } 3084 SourceLocation Start = SignatureSourceRange.getBegin(); 3085 SourceLocation End = Body ? Body->getSourceRange().getBegin() 3086 : SignatureSourceRange.getEnd(); 3087 if (!Start.isValid() || !End.isValid()) 3088 return; 3089 unsigned StartLine = SM.getExpansionLineNumber(Start); 3090 unsigned EndLine = SM.getExpansionLineNumber(End); 3091 3092 FileID FID = SM.getFileID(SM.getExpansionLoc(Start)); 3093 for (unsigned Line = StartLine; Line <= EndLine; Line++) 3094 ExecutedLines[FID].insert(Line); 3095 } 3096 3097 static void populateExecutedLinesWithStmt( 3098 const Stmt *S, const SourceManager &SM, 3099 FilesToLineNumsMap &ExecutedLines) { 3100 SourceLocation Loc = S->getSourceRange().getBegin(); 3101 if (!Loc.isValid()) 3102 return; 3103 SourceLocation ExpansionLoc = SM.getExpansionLoc(Loc); 3104 FileID FID = SM.getFileID(ExpansionLoc); 3105 unsigned LineNo = SM.getExpansionLineNumber(ExpansionLoc); 3106 ExecutedLines[FID].insert(LineNo); 3107 } 3108 3109 /// \return all executed lines including function signatures on the path 3110 /// starting from \p N. 3111 static std::unique_ptr<FilesToLineNumsMap> 3112 findExecutedLines(const SourceManager &SM, const ExplodedNode *N) { 3113 auto ExecutedLines = std::make_unique<FilesToLineNumsMap>(); 3114 3115 while (N) { 3116 if (N->getFirstPred() == nullptr) { 3117 // First node: show signature of the entrance point. 3118 const Decl *D = N->getLocationContext()->getDecl(); 3119 populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines); 3120 } else if (auto CE = N->getLocationAs<CallEnter>()) { 3121 // Inlined function: show signature. 3122 const Decl* D = CE->getCalleeContext()->getDecl(); 3123 populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines); 3124 } else if (const Stmt *S = N->getStmtForDiagnostics()) { 3125 populateExecutedLinesWithStmt(S, SM, *ExecutedLines); 3126 3127 // Show extra context for some parent kinds. 3128 const Stmt *P = N->getParentMap().getParent(S); 3129 3130 // The path exploration can die before the node with the associated 3131 // return statement is generated, but we do want to show the whole 3132 // return. 3133 if (const auto *RS = dyn_cast_or_null<ReturnStmt>(P)) { 3134 populateExecutedLinesWithStmt(RS, SM, *ExecutedLines); 3135 P = N->getParentMap().getParent(RS); 3136 } 3137 3138 if (P && (isa<SwitchCase>(P) || isa<LabelStmt>(P))) 3139 populateExecutedLinesWithStmt(P, SM, *ExecutedLines); 3140 } 3141 3142 N = N->getFirstPred(); 3143 } 3144 return ExecutedLines; 3145 } 3146 3147 std::unique_ptr<DiagnosticForConsumerMapTy> 3148 BugReporter::generateDiagnosticForConsumerMap( 3149 BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers, 3150 ArrayRef<BugReport *> bugReports) { 3151 auto *basicReport = cast<BasicBugReport>(exampleReport); 3152 auto Out = std::make_unique<DiagnosticForConsumerMapTy>(); 3153 for (auto *Consumer : consumers) 3154 (*Out)[Consumer] = generateDiagnosticForBasicReport(basicReport); 3155 return Out; 3156 } 3157 3158 static PathDiagnosticCallPiece * 3159 getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP, 3160 const SourceManager &SMgr) { 3161 SourceLocation CallLoc = CP->callEnter.asLocation(); 3162 3163 // If the call is within a macro, don't do anything (for now). 3164 if (CallLoc.isMacroID()) 3165 return nullptr; 3166 3167 assert(AnalysisManager::isInCodeFile(CallLoc, SMgr) && 3168 "The call piece should not be in a header file."); 3169 3170 // Check if CP represents a path through a function outside of the main file. 3171 if (!AnalysisManager::isInCodeFile(CP->callEnterWithin.asLocation(), SMgr)) 3172 return CP; 3173 3174 const PathPieces &Path = CP->path; 3175 if (Path.empty()) 3176 return nullptr; 3177 3178 // Check if the last piece in the callee path is a call to a function outside 3179 // of the main file. 3180 if (auto *CPInner = dyn_cast<PathDiagnosticCallPiece>(Path.back().get())) 3181 return getFirstStackedCallToHeaderFile(CPInner, SMgr); 3182 3183 // Otherwise, the last piece is in the main file. 3184 return nullptr; 3185 } 3186 3187 static void resetDiagnosticLocationToMainFile(PathDiagnostic &PD) { 3188 if (PD.path.empty()) 3189 return; 3190 3191 PathDiagnosticPiece *LastP = PD.path.back().get(); 3192 assert(LastP); 3193 const SourceManager &SMgr = LastP->getLocation().getManager(); 3194 3195 // We only need to check if the report ends inside headers, if the last piece 3196 // is a call piece. 3197 if (auto *CP = dyn_cast<PathDiagnosticCallPiece>(LastP)) { 3198 CP = getFirstStackedCallToHeaderFile(CP, SMgr); 3199 if (CP) { 3200 // Mark the piece. 3201 CP->setAsLastInMainSourceFile(); 3202 3203 // Update the path diagnostic message. 3204 const auto *ND = dyn_cast<NamedDecl>(CP->getCallee()); 3205 if (ND) { 3206 SmallString<200> buf; 3207 llvm::raw_svector_ostream os(buf); 3208 os << " (within a call to '" << ND->getDeclName() << "')"; 3209 PD.appendToDesc(os.str()); 3210 } 3211 3212 // Reset the report containing declaration and location. 3213 PD.setDeclWithIssue(CP->getCaller()); 3214 PD.setLocation(CP->getLocation()); 3215 3216 return; 3217 } 3218 } 3219 } 3220 3221 3222 3223 std::unique_ptr<DiagnosticForConsumerMapTy> 3224 PathSensitiveBugReporter::generateDiagnosticForConsumerMap( 3225 BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers, 3226 ArrayRef<BugReport *> bugReports) { 3227 std::vector<BasicBugReport *> BasicBugReports; 3228 std::vector<PathSensitiveBugReport *> PathSensitiveBugReports; 3229 if (isa<BasicBugReport>(exampleReport)) 3230 return BugReporter::generateDiagnosticForConsumerMap(exampleReport, 3231 consumers, bugReports); 3232 3233 // Generate the full path sensitive diagnostic, using the generation scheme 3234 // specified by the PathDiagnosticConsumer. Note that we have to generate 3235 // path diagnostics even for consumers which do not support paths, because 3236 // the BugReporterVisitors may mark this bug as a false positive. 3237 assert(!bugReports.empty()); 3238 MaxBugClassSize.updateMax(bugReports.size()); 3239 3240 // Avoid copying the whole array because there may be a lot of reports. 3241 ArrayRef<PathSensitiveBugReport *> convertedArrayOfReports( 3242 reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.begin()), 3243 reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.end())); 3244 std::unique_ptr<DiagnosticForConsumerMapTy> Out = generatePathDiagnostics( 3245 consumers, convertedArrayOfReports); 3246 3247 if (Out->empty()) 3248 return Out; 3249 3250 MaxValidBugClassSize.updateMax(bugReports.size()); 3251 3252 // Examine the report and see if the last piece is in a header. Reset the 3253 // report location to the last piece in the main source file. 3254 const AnalyzerOptions &Opts = getAnalyzerOptions(); 3255 for (auto const &P : *Out) 3256 if (Opts.ShouldReportIssuesInMainSourceFile && !Opts.AnalyzeAll) 3257 resetDiagnosticLocationToMainFile(*P.second); 3258 3259 return Out; 3260 } 3261 3262 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3263 const CheckerBase *Checker, StringRef Name, 3264 StringRef Category, StringRef Str, 3265 PathDiagnosticLocation Loc, 3266 ArrayRef<SourceRange> Ranges, 3267 ArrayRef<FixItHint> Fixits) { 3268 EmitBasicReport(DeclWithIssue, Checker->getCheckerName(), Name, Category, Str, 3269 Loc, Ranges, Fixits); 3270 } 3271 3272 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3273 CheckerNameRef CheckName, 3274 StringRef name, StringRef category, 3275 StringRef str, PathDiagnosticLocation Loc, 3276 ArrayRef<SourceRange> Ranges, 3277 ArrayRef<FixItHint> Fixits) { 3278 // 'BT' is owned by BugReporter. 3279 BugType *BT = getBugTypeForName(CheckName, name, category); 3280 auto R = std::make_unique<BasicBugReport>(*BT, str, Loc); 3281 R->setDeclWithIssue(DeclWithIssue); 3282 for (const auto &SR : Ranges) 3283 R->addRange(SR); 3284 for (const auto &FH : Fixits) 3285 R->addFixItHint(FH); 3286 emitReport(std::move(R)); 3287 } 3288 3289 BugType *BugReporter::getBugTypeForName(CheckerNameRef CheckName, 3290 StringRef name, StringRef category) { 3291 SmallString<136> fullDesc; 3292 llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name 3293 << ":" << category; 3294 std::unique_ptr<BugType> &BT = StrBugTypes[fullDesc]; 3295 if (!BT) 3296 BT = std::make_unique<BugType>(CheckName, name, category); 3297 return BT.get(); 3298 } 3299