1 //===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines BugReporter, a utility class for generating 10 // PathDiagnostics. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 15 #include "clang/AST/Decl.h" 16 #include "clang/AST/DeclBase.h" 17 #include "clang/AST/DeclObjC.h" 18 #include "clang/AST/Expr.h" 19 #include "clang/AST/ExprCXX.h" 20 #include "clang/AST/ParentMap.h" 21 #include "clang/AST/Stmt.h" 22 #include "clang/AST/StmtCXX.h" 23 #include "clang/AST/StmtObjC.h" 24 #include "clang/Analysis/AnalysisDeclContext.h" 25 #include "clang/Analysis/CFG.h" 26 #include "clang/Analysis/CFGStmtMap.h" 27 #include "clang/Analysis/PathDiagnostic.h" 28 #include "clang/Analysis/ProgramPoint.h" 29 #include "clang/Basic/LLVM.h" 30 #include "clang/Basic/SourceLocation.h" 31 #include "clang/Basic/SourceManager.h" 32 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 33 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 34 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 35 #include "clang/StaticAnalyzer/Core/Checker.h" 36 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 37 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 38 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 43 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 44 #include "llvm/ADT/ArrayRef.h" 45 #include "llvm/ADT/DenseMap.h" 46 #include "llvm/ADT/DenseSet.h" 47 #include "llvm/ADT/FoldingSet.h" 48 #include "llvm/ADT/None.h" 49 #include "llvm/ADT/Optional.h" 50 #include "llvm/ADT/STLExtras.h" 51 #include "llvm/ADT/SmallPtrSet.h" 52 #include "llvm/ADT/SmallString.h" 53 #include "llvm/ADT/SmallVector.h" 54 #include "llvm/ADT/Statistic.h" 55 #include "llvm/ADT/StringExtras.h" 56 #include "llvm/ADT/StringRef.h" 57 #include "llvm/ADT/iterator_range.h" 58 #include "llvm/Support/Casting.h" 59 #include "llvm/Support/Compiler.h" 60 #include "llvm/Support/ErrorHandling.h" 61 #include "llvm/Support/MemoryBuffer.h" 62 #include "llvm/Support/raw_ostream.h" 63 #include <algorithm> 64 #include <cassert> 65 #include <cstddef> 66 #include <iterator> 67 #include <memory> 68 #include <queue> 69 #include <string> 70 #include <tuple> 71 #include <utility> 72 #include <vector> 73 74 using namespace clang; 75 using namespace ento; 76 using namespace llvm; 77 78 #define DEBUG_TYPE "BugReporter" 79 80 STATISTIC(MaxBugClassSize, 81 "The maximum number of bug reports in the same equivalence class"); 82 STATISTIC(MaxValidBugClassSize, 83 "The maximum number of bug reports in the same equivalence class " 84 "where at least one report is valid (not suppressed)"); 85 86 BugReporterVisitor::~BugReporterVisitor() = default; 87 88 void BugReporterContext::anchor() {} 89 90 //===----------------------------------------------------------------------===// 91 // PathDiagnosticBuilder and its associated routines and helper objects. 92 //===----------------------------------------------------------------------===// 93 94 namespace { 95 96 /// A (CallPiece, node assiciated with its CallEnter) pair. 97 using CallWithEntry = 98 std::pair<PathDiagnosticCallPiece *, const ExplodedNode *>; 99 using CallWithEntryStack = SmallVector<CallWithEntry, 6>; 100 101 /// Map from each node to the diagnostic pieces visitors emit for them. 102 using VisitorsDiagnosticsTy = 103 llvm::DenseMap<const ExplodedNode *, std::vector<PathDiagnosticPieceRef>>; 104 105 /// A map from PathDiagnosticPiece to the LocationContext of the inlined 106 /// function call it represents. 107 using LocationContextMap = 108 llvm::DenseMap<const PathPieces *, const LocationContext *>; 109 110 /// A helper class that contains everything needed to construct a 111 /// PathDiagnostic object. It does no much more then providing convenient 112 /// getters and some well placed asserts for extra security. 113 class PathDiagnosticConstruct { 114 /// The consumer we're constructing the bug report for. 115 const PathDiagnosticConsumer *Consumer; 116 /// Our current position in the bug path, which is owned by 117 /// PathDiagnosticBuilder. 118 const ExplodedNode *CurrentNode; 119 /// A mapping from parts of the bug path (for example, a function call, which 120 /// would span backwards from a CallExit to a CallEnter with the nodes in 121 /// between them) with the location contexts it is associated with. 122 LocationContextMap LCM; 123 const SourceManager &SM; 124 125 public: 126 /// We keep stack of calls to functions as we're ascending the bug path. 127 /// TODO: PathDiagnostic has a stack doing the same thing, shouldn't we use 128 /// that instead? 129 CallWithEntryStack CallStack; 130 /// The bug report we're constructing. For ease of use, this field is kept 131 /// public, though some "shortcut" getters are provided for commonly used 132 /// methods of PathDiagnostic. 133 std::unique_ptr<PathDiagnostic> PD; 134 135 public: 136 PathDiagnosticConstruct(const PathDiagnosticConsumer *PDC, 137 const ExplodedNode *ErrorNode, 138 const PathSensitiveBugReport *R); 139 140 /// \returns the location context associated with the current position in the 141 /// bug path. 142 const LocationContext *getCurrLocationContext() const { 143 assert(CurrentNode && "Already reached the root!"); 144 return CurrentNode->getLocationContext(); 145 } 146 147 /// Same as getCurrLocationContext (they should always return the same 148 /// location context), but works after reaching the root of the bug path as 149 /// well. 150 const LocationContext *getLocationContextForActivePath() const { 151 return LCM.find(&PD->getActivePath())->getSecond(); 152 } 153 154 const ExplodedNode *getCurrentNode() const { return CurrentNode; } 155 156 /// Steps the current node to its predecessor. 157 /// \returns whether we reached the root of the bug path. 158 bool ascendToPrevNode() { 159 CurrentNode = CurrentNode->getFirstPred(); 160 return static_cast<bool>(CurrentNode); 161 } 162 163 const ParentMap &getParentMap() const { 164 return getCurrLocationContext()->getParentMap(); 165 } 166 167 const SourceManager &getSourceManager() const { return SM; } 168 169 const Stmt *getParent(const Stmt *S) const { 170 return getParentMap().getParent(S); 171 } 172 173 void updateLocCtxMap(const PathPieces *Path, const LocationContext *LC) { 174 assert(Path && LC); 175 LCM[Path] = LC; 176 } 177 178 const LocationContext *getLocationContextFor(const PathPieces *Path) const { 179 assert(LCM.count(Path) && 180 "Failed to find the context associated with these pieces!"); 181 return LCM.find(Path)->getSecond(); 182 } 183 184 bool isInLocCtxMap(const PathPieces *Path) const { return LCM.count(Path); } 185 186 PathPieces &getActivePath() { return PD->getActivePath(); } 187 PathPieces &getMutablePieces() { return PD->getMutablePieces(); } 188 189 bool shouldAddPathEdges() const { return Consumer->shouldAddPathEdges(); } 190 bool shouldGenerateDiagnostics() const { 191 return Consumer->shouldGenerateDiagnostics(); 192 } 193 bool supportsLogicalOpControlFlow() const { 194 return Consumer->supportsLogicalOpControlFlow(); 195 } 196 }; 197 198 /// Contains every contextual information needed for constructing a 199 /// PathDiagnostic object for a given bug report. This class and its fields are 200 /// immutable, and passes a BugReportConstruct object around during the 201 /// construction. 202 class PathDiagnosticBuilder : public BugReporterContext { 203 /// A linear path from the error node to the root. 204 std::unique_ptr<const ExplodedGraph> BugPath; 205 /// The bug report we're describing. Visitors create their diagnostics with 206 /// them being the last entities being able to modify it (for example, 207 /// changing interestingness here would cause inconsistencies as to how this 208 /// file and visitors construct diagnostics), hence its const. 209 const PathSensitiveBugReport *R; 210 /// The leaf of the bug path. This isn't the same as the bug reports error 211 /// node, which refers to the *original* graph, not the bug path. 212 const ExplodedNode *const ErrorNode; 213 /// The diagnostic pieces visitors emitted, which is expected to be collected 214 /// by the time this builder is constructed. 215 std::unique_ptr<const VisitorsDiagnosticsTy> VisitorsDiagnostics; 216 217 public: 218 /// Find a non-invalidated report for a given equivalence class, and returns 219 /// a PathDiagnosticBuilder able to construct bug reports for different 220 /// consumers. Returns None if no valid report is found. 221 static Optional<PathDiagnosticBuilder> 222 findValidReport(ArrayRef<PathSensitiveBugReport *> &bugReports, 223 PathSensitiveBugReporter &Reporter); 224 225 PathDiagnosticBuilder( 226 BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath, 227 PathSensitiveBugReport *r, const ExplodedNode *ErrorNode, 228 std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics); 229 230 /// This function is responsible for generating diagnostic pieces that are 231 /// *not* provided by bug report visitors. 232 /// These diagnostics may differ depending on the consumer's settings, 233 /// and are therefore constructed separately for each consumer. 234 /// 235 /// There are two path diagnostics generation modes: with adding edges (used 236 /// for plists) and without (used for HTML and text). When edges are added, 237 /// the path is modified to insert artificially generated edges. 238 /// Otherwise, more detailed diagnostics is emitted for block edges, 239 /// explaining the transitions in words. 240 std::unique_ptr<PathDiagnostic> 241 generate(const PathDiagnosticConsumer *PDC) const; 242 243 private: 244 void updateStackPiecesWithMessage(PathDiagnosticPieceRef P, 245 const CallWithEntryStack &CallStack) const; 246 void generatePathDiagnosticsForNode(PathDiagnosticConstruct &C, 247 PathDiagnosticLocation &PrevLoc) const; 248 249 void generateMinimalDiagForBlockEdge(PathDiagnosticConstruct &C, 250 BlockEdge BE) const; 251 252 PathDiagnosticPieceRef 253 generateDiagForGotoOP(const PathDiagnosticConstruct &C, const Stmt *S, 254 PathDiagnosticLocation &Start) const; 255 256 PathDiagnosticPieceRef 257 generateDiagForSwitchOP(const PathDiagnosticConstruct &C, const CFGBlock *Dst, 258 PathDiagnosticLocation &Start) const; 259 260 PathDiagnosticPieceRef 261 generateDiagForBinaryOP(const PathDiagnosticConstruct &C, const Stmt *T, 262 const CFGBlock *Src, const CFGBlock *DstC) const; 263 264 PathDiagnosticLocation 265 ExecutionContinues(const PathDiagnosticConstruct &C) const; 266 267 PathDiagnosticLocation 268 ExecutionContinues(llvm::raw_string_ostream &os, 269 const PathDiagnosticConstruct &C) const; 270 271 const PathSensitiveBugReport *getBugReport() const { return R; } 272 }; 273 274 } // namespace 275 276 //===----------------------------------------------------------------------===// 277 // Base implementation of stack hint generators. 278 //===----------------------------------------------------------------------===// 279 280 StackHintGenerator::~StackHintGenerator() = default; 281 282 std::string StackHintGeneratorForSymbol::getMessage(const ExplodedNode *N){ 283 if (!N) 284 return getMessageForSymbolNotFound(); 285 286 ProgramPoint P = N->getLocation(); 287 CallExitEnd CExit = P.castAs<CallExitEnd>(); 288 289 // FIXME: Use CallEvent to abstract this over all calls. 290 const Stmt *CallSite = CExit.getCalleeContext()->getCallSite(); 291 const auto *CE = dyn_cast_or_null<CallExpr>(CallSite); 292 if (!CE) 293 return {}; 294 295 // Check if one of the parameters are set to the interesting symbol. 296 unsigned ArgIndex = 0; 297 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 298 E = CE->arg_end(); I != E; ++I, ++ArgIndex){ 299 SVal SV = N->getSVal(*I); 300 301 // Check if the variable corresponding to the symbol is passed by value. 302 SymbolRef AS = SV.getAsLocSymbol(); 303 if (AS == Sym) { 304 return getMessageForArg(*I, ArgIndex); 305 } 306 307 // Check if the parameter is a pointer to the symbol. 308 if (Optional<loc::MemRegionVal> Reg = SV.getAs<loc::MemRegionVal>()) { 309 // Do not attempt to dereference void*. 310 if ((*I)->getType()->isVoidPointerType()) 311 continue; 312 SVal PSV = N->getState()->getSVal(Reg->getRegion()); 313 SymbolRef AS = PSV.getAsLocSymbol(); 314 if (AS == Sym) { 315 return getMessageForArg(*I, ArgIndex); 316 } 317 } 318 } 319 320 // Check if we are returning the interesting symbol. 321 SVal SV = N->getSVal(CE); 322 SymbolRef RetSym = SV.getAsLocSymbol(); 323 if (RetSym == Sym) { 324 return getMessageForReturn(CE); 325 } 326 327 return getMessageForSymbolNotFound(); 328 } 329 330 std::string StackHintGeneratorForSymbol::getMessageForArg(const Expr *ArgE, 331 unsigned ArgIndex) { 332 // Printed parameters start at 1, not 0. 333 ++ArgIndex; 334 335 return (llvm::Twine(Msg) + " via " + std::to_string(ArgIndex) + 336 llvm::getOrdinalSuffix(ArgIndex) + " parameter").str(); 337 } 338 339 //===----------------------------------------------------------------------===// 340 // Diagnostic cleanup. 341 //===----------------------------------------------------------------------===// 342 343 static PathDiagnosticEventPiece * 344 eventsDescribeSameCondition(PathDiagnosticEventPiece *X, 345 PathDiagnosticEventPiece *Y) { 346 // Prefer diagnostics that come from ConditionBRVisitor over 347 // those that came from TrackConstraintBRVisitor, 348 // unless the one from ConditionBRVisitor is 349 // its generic fallback diagnostic. 350 const void *tagPreferred = ConditionBRVisitor::getTag(); 351 const void *tagLesser = TrackConstraintBRVisitor::getTag(); 352 353 if (X->getLocation() != Y->getLocation()) 354 return nullptr; 355 356 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser) 357 return ConditionBRVisitor::isPieceMessageGeneric(X) ? Y : X; 358 359 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser) 360 return ConditionBRVisitor::isPieceMessageGeneric(Y) ? X : Y; 361 362 return nullptr; 363 } 364 365 /// An optimization pass over PathPieces that removes redundant diagnostics 366 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both 367 /// BugReporterVisitors use different methods to generate diagnostics, with 368 /// one capable of emitting diagnostics in some cases but not in others. This 369 /// can lead to redundant diagnostic pieces at the same point in a path. 370 static void removeRedundantMsgs(PathPieces &path) { 371 unsigned N = path.size(); 372 if (N < 2) 373 return; 374 // NOTE: this loop intentionally is not using an iterator. Instead, we 375 // are streaming the path and modifying it in place. This is done by 376 // grabbing the front, processing it, and if we decide to keep it append 377 // it to the end of the path. The entire path is processed in this way. 378 for (unsigned i = 0; i < N; ++i) { 379 auto piece = std::move(path.front()); 380 path.pop_front(); 381 382 switch (piece->getKind()) { 383 case PathDiagnosticPiece::Call: 384 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(*piece).path); 385 break; 386 case PathDiagnosticPiece::Macro: 387 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(*piece).subPieces); 388 break; 389 case PathDiagnosticPiece::Event: { 390 if (i == N-1) 391 break; 392 393 if (auto *nextEvent = 394 dyn_cast<PathDiagnosticEventPiece>(path.front().get())) { 395 auto *event = cast<PathDiagnosticEventPiece>(piece.get()); 396 // Check to see if we should keep one of the two pieces. If we 397 // come up with a preference, record which piece to keep, and consume 398 // another piece from the path. 399 if (auto *pieceToKeep = 400 eventsDescribeSameCondition(event, nextEvent)) { 401 piece = std::move(pieceToKeep == event ? piece : path.front()); 402 path.pop_front(); 403 ++i; 404 } 405 } 406 break; 407 } 408 case PathDiagnosticPiece::ControlFlow: 409 case PathDiagnosticPiece::Note: 410 case PathDiagnosticPiece::PopUp: 411 break; 412 } 413 path.push_back(std::move(piece)); 414 } 415 } 416 417 /// Recursively scan through a path and prune out calls and macros pieces 418 /// that aren't needed. Return true if afterwards the path contains 419 /// "interesting stuff" which means it shouldn't be pruned from the parent path. 420 static bool removeUnneededCalls(const PathDiagnosticConstruct &C, 421 PathPieces &pieces, 422 const PathSensitiveBugReport *R, 423 bool IsInteresting = false) { 424 bool containsSomethingInteresting = IsInteresting; 425 const unsigned N = pieces.size(); 426 427 for (unsigned i = 0 ; i < N ; ++i) { 428 // Remove the front piece from the path. If it is still something we 429 // want to keep once we are done, we will push it back on the end. 430 auto piece = std::move(pieces.front()); 431 pieces.pop_front(); 432 433 switch (piece->getKind()) { 434 case PathDiagnosticPiece::Call: { 435 auto &call = cast<PathDiagnosticCallPiece>(*piece); 436 // Check if the location context is interesting. 437 if (!removeUnneededCalls( 438 C, call.path, R, 439 R->isInteresting(C.getLocationContextFor(&call.path)))) 440 continue; 441 442 containsSomethingInteresting = true; 443 break; 444 } 445 case PathDiagnosticPiece::Macro: { 446 auto ¯o = cast<PathDiagnosticMacroPiece>(*piece); 447 if (!removeUnneededCalls(C, macro.subPieces, R, IsInteresting)) 448 continue; 449 containsSomethingInteresting = true; 450 break; 451 } 452 case PathDiagnosticPiece::Event: { 453 auto &event = cast<PathDiagnosticEventPiece>(*piece); 454 455 // We never throw away an event, but we do throw it away wholesale 456 // as part of a path if we throw the entire path away. 457 containsSomethingInteresting |= !event.isPrunable(); 458 break; 459 } 460 case PathDiagnosticPiece::ControlFlow: 461 case PathDiagnosticPiece::Note: 462 case PathDiagnosticPiece::PopUp: 463 break; 464 } 465 466 pieces.push_back(std::move(piece)); 467 } 468 469 return containsSomethingInteresting; 470 } 471 472 /// Same logic as above to remove extra pieces. 473 static void removePopUpNotes(PathPieces &Path) { 474 for (unsigned int i = 0; i < Path.size(); ++i) { 475 auto Piece = std::move(Path.front()); 476 Path.pop_front(); 477 if (!isa<PathDiagnosticPopUpPiece>(*Piece)) 478 Path.push_back(std::move(Piece)); 479 } 480 } 481 482 /// Returns true if the given decl has been implicitly given a body, either by 483 /// the analyzer or by the compiler proper. 484 static bool hasImplicitBody(const Decl *D) { 485 assert(D); 486 return D->isImplicit() || !D->hasBody(); 487 } 488 489 /// Recursively scan through a path and make sure that all call pieces have 490 /// valid locations. 491 static void 492 adjustCallLocations(PathPieces &Pieces, 493 PathDiagnosticLocation *LastCallLocation = nullptr) { 494 for (const auto &I : Pieces) { 495 auto *Call = dyn_cast<PathDiagnosticCallPiece>(I.get()); 496 497 if (!Call) 498 continue; 499 500 if (LastCallLocation) { 501 bool CallerIsImplicit = hasImplicitBody(Call->getCaller()); 502 if (CallerIsImplicit || !Call->callEnter.asLocation().isValid()) 503 Call->callEnter = *LastCallLocation; 504 if (CallerIsImplicit || !Call->callReturn.asLocation().isValid()) 505 Call->callReturn = *LastCallLocation; 506 } 507 508 // Recursively clean out the subclass. Keep this call around if 509 // it contains any informative diagnostics. 510 PathDiagnosticLocation *ThisCallLocation; 511 if (Call->callEnterWithin.asLocation().isValid() && 512 !hasImplicitBody(Call->getCallee())) 513 ThisCallLocation = &Call->callEnterWithin; 514 else 515 ThisCallLocation = &Call->callEnter; 516 517 assert(ThisCallLocation && "Outermost call has an invalid location"); 518 adjustCallLocations(Call->path, ThisCallLocation); 519 } 520 } 521 522 /// Remove edges in and out of C++ default initializer expressions. These are 523 /// for fields that have in-class initializers, as opposed to being initialized 524 /// explicitly in a constructor or braced list. 525 static void removeEdgesToDefaultInitializers(PathPieces &Pieces) { 526 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 527 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 528 removeEdgesToDefaultInitializers(C->path); 529 530 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 531 removeEdgesToDefaultInitializers(M->subPieces); 532 533 if (auto *CF = dyn_cast<PathDiagnosticControlFlowPiece>(I->get())) { 534 const Stmt *Start = CF->getStartLocation().asStmt(); 535 const Stmt *End = CF->getEndLocation().asStmt(); 536 if (Start && isa<CXXDefaultInitExpr>(Start)) { 537 I = Pieces.erase(I); 538 continue; 539 } else if (End && isa<CXXDefaultInitExpr>(End)) { 540 PathPieces::iterator Next = std::next(I); 541 if (Next != E) { 542 if (auto *NextCF = 543 dyn_cast<PathDiagnosticControlFlowPiece>(Next->get())) { 544 NextCF->setStartLocation(CF->getStartLocation()); 545 } 546 } 547 I = Pieces.erase(I); 548 continue; 549 } 550 } 551 552 I++; 553 } 554 } 555 556 /// Remove all pieces with invalid locations as these cannot be serialized. 557 /// We might have pieces with invalid locations as a result of inlining Body 558 /// Farm generated functions. 559 static void removePiecesWithInvalidLocations(PathPieces &Pieces) { 560 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 561 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 562 removePiecesWithInvalidLocations(C->path); 563 564 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 565 removePiecesWithInvalidLocations(M->subPieces); 566 567 if (!(*I)->getLocation().isValid() || 568 !(*I)->getLocation().asLocation().isValid()) { 569 I = Pieces.erase(I); 570 continue; 571 } 572 I++; 573 } 574 } 575 576 PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues( 577 const PathDiagnosticConstruct &C) const { 578 if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics()) 579 return PathDiagnosticLocation(S, getSourceManager(), 580 C.getCurrLocationContext()); 581 582 return PathDiagnosticLocation::createDeclEnd(C.getCurrLocationContext(), 583 getSourceManager()); 584 } 585 586 PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues( 587 llvm::raw_string_ostream &os, const PathDiagnosticConstruct &C) const { 588 // Slow, but probably doesn't matter. 589 if (os.str().empty()) 590 os << ' '; 591 592 const PathDiagnosticLocation &Loc = ExecutionContinues(C); 593 594 if (Loc.asStmt()) 595 os << "Execution continues on line " 596 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 597 << '.'; 598 else { 599 os << "Execution jumps to the end of the "; 600 const Decl *D = C.getCurrLocationContext()->getDecl(); 601 if (isa<ObjCMethodDecl>(D)) 602 os << "method"; 603 else if (isa<FunctionDecl>(D)) 604 os << "function"; 605 else { 606 assert(isa<BlockDecl>(D)); 607 os << "anonymous block"; 608 } 609 os << '.'; 610 } 611 612 return Loc; 613 } 614 615 static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) { 616 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 617 return PM.getParentIgnoreParens(S); 618 619 const Stmt *Parent = PM.getParentIgnoreParens(S); 620 if (!Parent) 621 return nullptr; 622 623 switch (Parent->getStmtClass()) { 624 case Stmt::ForStmtClass: 625 case Stmt::DoStmtClass: 626 case Stmt::WhileStmtClass: 627 case Stmt::ObjCForCollectionStmtClass: 628 case Stmt::CXXForRangeStmtClass: 629 return Parent; 630 default: 631 break; 632 } 633 634 return nullptr; 635 } 636 637 static PathDiagnosticLocation 638 getEnclosingStmtLocation(const Stmt *S, const LocationContext *LC, 639 bool allowNestedContexts = false) { 640 if (!S) 641 return {}; 642 643 const SourceManager &SMgr = LC->getDecl()->getASTContext().getSourceManager(); 644 645 while (const Stmt *Parent = getEnclosingParent(S, LC->getParentMap())) { 646 switch (Parent->getStmtClass()) { 647 case Stmt::BinaryOperatorClass: { 648 const auto *B = cast<BinaryOperator>(Parent); 649 if (B->isLogicalOp()) 650 return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC); 651 break; 652 } 653 case Stmt::CompoundStmtClass: 654 case Stmt::StmtExprClass: 655 return PathDiagnosticLocation(S, SMgr, LC); 656 case Stmt::ChooseExprClass: 657 // Similar to '?' if we are referring to condition, just have the edge 658 // point to the entire choose expression. 659 if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S) 660 return PathDiagnosticLocation(Parent, SMgr, LC); 661 else 662 return PathDiagnosticLocation(S, SMgr, LC); 663 case Stmt::BinaryConditionalOperatorClass: 664 case Stmt::ConditionalOperatorClass: 665 // For '?', if we are referring to condition, just have the edge point 666 // to the entire '?' expression. 667 if (allowNestedContexts || 668 cast<AbstractConditionalOperator>(Parent)->getCond() == S) 669 return PathDiagnosticLocation(Parent, SMgr, LC); 670 else 671 return PathDiagnosticLocation(S, SMgr, LC); 672 case Stmt::CXXForRangeStmtClass: 673 if (cast<CXXForRangeStmt>(Parent)->getBody() == S) 674 return PathDiagnosticLocation(S, SMgr, LC); 675 break; 676 case Stmt::DoStmtClass: 677 return PathDiagnosticLocation(S, SMgr, LC); 678 case Stmt::ForStmtClass: 679 if (cast<ForStmt>(Parent)->getBody() == S) 680 return PathDiagnosticLocation(S, SMgr, LC); 681 break; 682 case Stmt::IfStmtClass: 683 if (cast<IfStmt>(Parent)->getCond() != S) 684 return PathDiagnosticLocation(S, SMgr, LC); 685 break; 686 case Stmt::ObjCForCollectionStmtClass: 687 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 688 return PathDiagnosticLocation(S, SMgr, LC); 689 break; 690 case Stmt::WhileStmtClass: 691 if (cast<WhileStmt>(Parent)->getCond() != S) 692 return PathDiagnosticLocation(S, SMgr, LC); 693 break; 694 default: 695 break; 696 } 697 698 S = Parent; 699 } 700 701 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 702 703 return PathDiagnosticLocation(S, SMgr, LC); 704 } 705 706 //===----------------------------------------------------------------------===// 707 // "Minimal" path diagnostic generation algorithm. 708 //===----------------------------------------------------------------------===// 709 710 /// If the piece contains a special message, add it to all the call pieces on 711 /// the active stack. For example, my_malloc allocated memory, so MallocChecker 712 /// will construct an event at the call to malloc(), and add a stack hint that 713 /// an allocated memory was returned. We'll use this hint to construct a message 714 /// when returning from the call to my_malloc 715 /// 716 /// void *my_malloc() { return malloc(sizeof(int)); } 717 /// void fishy() { 718 /// void *ptr = my_malloc(); // returned allocated memory 719 /// } // leak 720 void PathDiagnosticBuilder::updateStackPiecesWithMessage( 721 PathDiagnosticPieceRef P, const CallWithEntryStack &CallStack) const { 722 if (R->hasCallStackHint(P)) 723 for (const auto &I : CallStack) { 724 PathDiagnosticCallPiece *CP = I.first; 725 const ExplodedNode *N = I.second; 726 std::string stackMsg = R->getCallStackMessage(P, N); 727 728 // The last message on the path to final bug is the most important 729 // one. Since we traverse the path backwards, do not add the message 730 // if one has been previously added. 731 if (!CP->hasCallStackMessage()) 732 CP->setCallStackMessage(stackMsg); 733 } 734 } 735 736 static void CompactMacroExpandedPieces(PathPieces &path, 737 const SourceManager& SM); 738 739 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForSwitchOP( 740 const PathDiagnosticConstruct &C, const CFGBlock *Dst, 741 PathDiagnosticLocation &Start) const { 742 743 const SourceManager &SM = getSourceManager(); 744 // Figure out what case arm we took. 745 std::string sbuf; 746 llvm::raw_string_ostream os(sbuf); 747 PathDiagnosticLocation End; 748 749 if (const Stmt *S = Dst->getLabel()) { 750 End = PathDiagnosticLocation(S, SM, C.getCurrLocationContext()); 751 752 switch (S->getStmtClass()) { 753 default: 754 os << "No cases match in the switch statement. " 755 "Control jumps to line " 756 << End.asLocation().getExpansionLineNumber(); 757 break; 758 case Stmt::DefaultStmtClass: 759 os << "Control jumps to the 'default' case at line " 760 << End.asLocation().getExpansionLineNumber(); 761 break; 762 763 case Stmt::CaseStmtClass: { 764 os << "Control jumps to 'case "; 765 const auto *Case = cast<CaseStmt>(S); 766 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 767 768 // Determine if it is an enum. 769 bool GetRawInt = true; 770 771 if (const auto *DR = dyn_cast<DeclRefExpr>(LHS)) { 772 // FIXME: Maybe this should be an assertion. Are there cases 773 // were it is not an EnumConstantDecl? 774 const auto *D = dyn_cast<EnumConstantDecl>(DR->getDecl()); 775 776 if (D) { 777 GetRawInt = false; 778 os << *D; 779 } 780 } 781 782 if (GetRawInt) 783 os << LHS->EvaluateKnownConstInt(getASTContext()); 784 785 os << ":' at line " << End.asLocation().getExpansionLineNumber(); 786 break; 787 } 788 } 789 } else { 790 os << "'Default' branch taken. "; 791 End = ExecutionContinues(os, C); 792 } 793 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 794 os.str()); 795 } 796 797 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForGotoOP( 798 const PathDiagnosticConstruct &C, const Stmt *S, 799 PathDiagnosticLocation &Start) const { 800 std::string sbuf; 801 llvm::raw_string_ostream os(sbuf); 802 const PathDiagnosticLocation &End = 803 getEnclosingStmtLocation(S, C.getCurrLocationContext()); 804 os << "Control jumps to line " << End.asLocation().getExpansionLineNumber(); 805 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str()); 806 } 807 808 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForBinaryOP( 809 const PathDiagnosticConstruct &C, const Stmt *T, const CFGBlock *Src, 810 const CFGBlock *Dst) const { 811 812 const SourceManager &SM = getSourceManager(); 813 814 const auto *B = cast<BinaryOperator>(T); 815 std::string sbuf; 816 llvm::raw_string_ostream os(sbuf); 817 os << "Left side of '"; 818 PathDiagnosticLocation Start, End; 819 820 if (B->getOpcode() == BO_LAnd) { 821 os << "&&" 822 << "' is "; 823 824 if (*(Src->succ_begin() + 1) == Dst) { 825 os << "false"; 826 End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 827 Start = 828 PathDiagnosticLocation::createOperatorLoc(B, SM); 829 } else { 830 os << "true"; 831 Start = 832 PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 833 End = ExecutionContinues(C); 834 } 835 } else { 836 assert(B->getOpcode() == BO_LOr); 837 os << "||" 838 << "' is "; 839 840 if (*(Src->succ_begin() + 1) == Dst) { 841 os << "false"; 842 Start = 843 PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 844 End = ExecutionContinues(C); 845 } else { 846 os << "true"; 847 End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 848 Start = 849 PathDiagnosticLocation::createOperatorLoc(B, SM); 850 } 851 } 852 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 853 os.str()); 854 } 855 856 void PathDiagnosticBuilder::generateMinimalDiagForBlockEdge( 857 PathDiagnosticConstruct &C, BlockEdge BE) const { 858 const SourceManager &SM = getSourceManager(); 859 const LocationContext *LC = C.getCurrLocationContext(); 860 const CFGBlock *Src = BE.getSrc(); 861 const CFGBlock *Dst = BE.getDst(); 862 const Stmt *T = Src->getTerminatorStmt(); 863 if (!T) 864 return; 865 866 auto Start = PathDiagnosticLocation::createBegin(T, SM, LC); 867 switch (T->getStmtClass()) { 868 default: 869 break; 870 871 case Stmt::GotoStmtClass: 872 case Stmt::IndirectGotoStmtClass: { 873 if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics()) 874 C.getActivePath().push_front(generateDiagForGotoOP(C, S, Start)); 875 break; 876 } 877 878 case Stmt::SwitchStmtClass: { 879 C.getActivePath().push_front(generateDiagForSwitchOP(C, Dst, Start)); 880 break; 881 } 882 883 case Stmt::BreakStmtClass: 884 case Stmt::ContinueStmtClass: { 885 std::string sbuf; 886 llvm::raw_string_ostream os(sbuf); 887 PathDiagnosticLocation End = ExecutionContinues(os, C); 888 C.getActivePath().push_front( 889 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 890 break; 891 } 892 893 // Determine control-flow for ternary '?'. 894 case Stmt::BinaryConditionalOperatorClass: 895 case Stmt::ConditionalOperatorClass: { 896 std::string sbuf; 897 llvm::raw_string_ostream os(sbuf); 898 os << "'?' condition is "; 899 900 if (*(Src->succ_begin() + 1) == Dst) 901 os << "false"; 902 else 903 os << "true"; 904 905 PathDiagnosticLocation End = ExecutionContinues(C); 906 907 if (const Stmt *S = End.asStmt()) 908 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 909 910 C.getActivePath().push_front( 911 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 912 break; 913 } 914 915 // Determine control-flow for short-circuited '&&' and '||'. 916 case Stmt::BinaryOperatorClass: { 917 if (!C.supportsLogicalOpControlFlow()) 918 break; 919 920 C.getActivePath().push_front(generateDiagForBinaryOP(C, T, Src, Dst)); 921 break; 922 } 923 924 case Stmt::DoStmtClass: 925 if (*(Src->succ_begin()) == Dst) { 926 std::string sbuf; 927 llvm::raw_string_ostream os(sbuf); 928 929 os << "Loop condition is true. "; 930 PathDiagnosticLocation End = ExecutionContinues(os, C); 931 932 if (const Stmt *S = End.asStmt()) 933 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 934 935 C.getActivePath().push_front( 936 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 937 os.str())); 938 } else { 939 PathDiagnosticLocation End = ExecutionContinues(C); 940 941 if (const Stmt *S = End.asStmt()) 942 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 943 944 C.getActivePath().push_front( 945 std::make_shared<PathDiagnosticControlFlowPiece>( 946 Start, End, "Loop condition is false. Exiting loop")); 947 } 948 break; 949 950 case Stmt::WhileStmtClass: 951 case Stmt::ForStmtClass: 952 if (*(Src->succ_begin() + 1) == Dst) { 953 std::string sbuf; 954 llvm::raw_string_ostream os(sbuf); 955 956 os << "Loop condition is false. "; 957 PathDiagnosticLocation End = ExecutionContinues(os, C); 958 if (const Stmt *S = End.asStmt()) 959 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 960 961 C.getActivePath().push_front( 962 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 963 os.str())); 964 } else { 965 PathDiagnosticLocation End = ExecutionContinues(C); 966 if (const Stmt *S = End.asStmt()) 967 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 968 969 C.getActivePath().push_front( 970 std::make_shared<PathDiagnosticControlFlowPiece>( 971 Start, End, "Loop condition is true. Entering loop body")); 972 } 973 974 break; 975 976 case Stmt::IfStmtClass: { 977 PathDiagnosticLocation End = ExecutionContinues(C); 978 979 if (const Stmt *S = End.asStmt()) 980 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 981 982 if (*(Src->succ_begin() + 1) == Dst) 983 C.getActivePath().push_front( 984 std::make_shared<PathDiagnosticControlFlowPiece>( 985 Start, End, "Taking false branch")); 986 else 987 C.getActivePath().push_front( 988 std::make_shared<PathDiagnosticControlFlowPiece>( 989 Start, End, "Taking true branch")); 990 991 break; 992 } 993 } 994 } 995 996 //===----------------------------------------------------------------------===// 997 // Functions for determining if a loop was executed 0 times. 998 //===----------------------------------------------------------------------===// 999 1000 static bool isLoop(const Stmt *Term) { 1001 switch (Term->getStmtClass()) { 1002 case Stmt::ForStmtClass: 1003 case Stmt::WhileStmtClass: 1004 case Stmt::ObjCForCollectionStmtClass: 1005 case Stmt::CXXForRangeStmtClass: 1006 return true; 1007 default: 1008 // Note that we intentionally do not include do..while here. 1009 return false; 1010 } 1011 } 1012 1013 static bool isJumpToFalseBranch(const BlockEdge *BE) { 1014 const CFGBlock *Src = BE->getSrc(); 1015 assert(Src->succ_size() == 2); 1016 return (*(Src->succ_begin()+1) == BE->getDst()); 1017 } 1018 1019 static bool isContainedByStmt(const ParentMap &PM, const Stmt *S, 1020 const Stmt *SubS) { 1021 while (SubS) { 1022 if (SubS == S) 1023 return true; 1024 SubS = PM.getParent(SubS); 1025 } 1026 return false; 1027 } 1028 1029 static const Stmt *getStmtBeforeCond(const ParentMap &PM, const Stmt *Term, 1030 const ExplodedNode *N) { 1031 while (N) { 1032 Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>(); 1033 if (SP) { 1034 const Stmt *S = SP->getStmt(); 1035 if (!isContainedByStmt(PM, Term, S)) 1036 return S; 1037 } 1038 N = N->getFirstPred(); 1039 } 1040 return nullptr; 1041 } 1042 1043 static bool isInLoopBody(const ParentMap &PM, const Stmt *S, const Stmt *Term) { 1044 const Stmt *LoopBody = nullptr; 1045 switch (Term->getStmtClass()) { 1046 case Stmt::CXXForRangeStmtClass: { 1047 const auto *FR = cast<CXXForRangeStmt>(Term); 1048 if (isContainedByStmt(PM, FR->getInc(), S)) 1049 return true; 1050 if (isContainedByStmt(PM, FR->getLoopVarStmt(), S)) 1051 return true; 1052 LoopBody = FR->getBody(); 1053 break; 1054 } 1055 case Stmt::ForStmtClass: { 1056 const auto *FS = cast<ForStmt>(Term); 1057 if (isContainedByStmt(PM, FS->getInc(), S)) 1058 return true; 1059 LoopBody = FS->getBody(); 1060 break; 1061 } 1062 case Stmt::ObjCForCollectionStmtClass: { 1063 const auto *FC = cast<ObjCForCollectionStmt>(Term); 1064 LoopBody = FC->getBody(); 1065 break; 1066 } 1067 case Stmt::WhileStmtClass: 1068 LoopBody = cast<WhileStmt>(Term)->getBody(); 1069 break; 1070 default: 1071 return false; 1072 } 1073 return isContainedByStmt(PM, LoopBody, S); 1074 } 1075 1076 /// Adds a sanitized control-flow diagnostic edge to a path. 1077 static void addEdgeToPath(PathPieces &path, 1078 PathDiagnosticLocation &PrevLoc, 1079 PathDiagnosticLocation NewLoc) { 1080 if (!NewLoc.isValid()) 1081 return; 1082 1083 SourceLocation NewLocL = NewLoc.asLocation(); 1084 if (NewLocL.isInvalid()) 1085 return; 1086 1087 if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) { 1088 PrevLoc = NewLoc; 1089 return; 1090 } 1091 1092 // Ignore self-edges, which occur when there are multiple nodes at the same 1093 // statement. 1094 if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt()) 1095 return; 1096 1097 path.push_front( 1098 std::make_shared<PathDiagnosticControlFlowPiece>(NewLoc, PrevLoc)); 1099 PrevLoc = NewLoc; 1100 } 1101 1102 /// A customized wrapper for CFGBlock::getTerminatorCondition() 1103 /// which returns the element for ObjCForCollectionStmts. 1104 static const Stmt *getTerminatorCondition(const CFGBlock *B) { 1105 const Stmt *S = B->getTerminatorCondition(); 1106 if (const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(S)) 1107 return FS->getElement(); 1108 return S; 1109 } 1110 1111 constexpr llvm::StringLiteral StrEnteringLoop = "Entering loop body"; 1112 constexpr llvm::StringLiteral StrLoopBodyZero = "Loop body executed 0 times"; 1113 constexpr llvm::StringLiteral StrLoopRangeEmpty = 1114 "Loop body skipped when range is empty"; 1115 constexpr llvm::StringLiteral StrLoopCollectionEmpty = 1116 "Loop body skipped when collection is empty"; 1117 1118 static std::unique_ptr<FilesToLineNumsMap> 1119 findExecutedLines(const SourceManager &SM, const ExplodedNode *N); 1120 1121 void PathDiagnosticBuilder::generatePathDiagnosticsForNode( 1122 PathDiagnosticConstruct &C, PathDiagnosticLocation &PrevLoc) const { 1123 ProgramPoint P = C.getCurrentNode()->getLocation(); 1124 const SourceManager &SM = getSourceManager(); 1125 1126 // Have we encountered an entrance to a call? It may be 1127 // the case that we have not encountered a matching 1128 // call exit before this point. This means that the path 1129 // terminated within the call itself. 1130 if (auto CE = P.getAs<CallEnter>()) { 1131 1132 if (C.shouldAddPathEdges()) { 1133 // Add an edge to the start of the function. 1134 const StackFrameContext *CalleeLC = CE->getCalleeContext(); 1135 const Decl *D = CalleeLC->getDecl(); 1136 // Add the edge only when the callee has body. We jump to the beginning 1137 // of the *declaration*, however we expect it to be followed by the 1138 // body. This isn't the case for autosynthesized property accessors in 1139 // Objective-C. No need for a similar extra check for CallExit points 1140 // because the exit edge comes from a statement (i.e. return), 1141 // not from declaration. 1142 if (D->hasBody()) 1143 addEdgeToPath(C.getActivePath(), PrevLoc, 1144 PathDiagnosticLocation::createBegin(D, SM)); 1145 } 1146 1147 // Did we visit an entire call? 1148 bool VisitedEntireCall = C.PD->isWithinCall(); 1149 C.PD->popActivePath(); 1150 1151 PathDiagnosticCallPiece *Call; 1152 if (VisitedEntireCall) { 1153 Call = cast<PathDiagnosticCallPiece>(C.getActivePath().front().get()); 1154 } else { 1155 // The path terminated within a nested location context, create a new 1156 // call piece to encapsulate the rest of the path pieces. 1157 const Decl *Caller = CE->getLocationContext()->getDecl(); 1158 Call = PathDiagnosticCallPiece::construct(C.getActivePath(), Caller); 1159 assert(C.getActivePath().size() == 1 && 1160 C.getActivePath().front().get() == Call); 1161 1162 // Since we just transferred the path over to the call piece, reset the 1163 // mapping of the active path to the current location context. 1164 assert(C.isInLocCtxMap(&C.getActivePath()) && 1165 "When we ascend to a previously unvisited call, the active path's " 1166 "address shouldn't change, but rather should be compacted into " 1167 "a single CallEvent!"); 1168 C.updateLocCtxMap(&C.getActivePath(), C.getCurrLocationContext()); 1169 1170 // Record the location context mapping for the path within the call. 1171 assert(!C.isInLocCtxMap(&Call->path) && 1172 "When we ascend to a previously unvisited call, this must be the " 1173 "first time we encounter the caller context!"); 1174 C.updateLocCtxMap(&Call->path, CE->getCalleeContext()); 1175 } 1176 Call->setCallee(*CE, SM); 1177 1178 // Update the previous location in the active path. 1179 PrevLoc = Call->getLocation(); 1180 1181 if (!C.CallStack.empty()) { 1182 assert(C.CallStack.back().first == Call); 1183 C.CallStack.pop_back(); 1184 } 1185 return; 1186 } 1187 1188 assert(C.getCurrLocationContext() == C.getLocationContextForActivePath() && 1189 "The current position in the bug path is out of sync with the " 1190 "location context associated with the active path!"); 1191 1192 // Have we encountered an exit from a function call? 1193 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1194 1195 // We are descending into a call (backwards). Construct 1196 // a new call piece to contain the path pieces for that call. 1197 auto Call = PathDiagnosticCallPiece::construct(*CE, SM); 1198 // Record the mapping from call piece to LocationContext. 1199 assert(!C.isInLocCtxMap(&Call->path) && 1200 "We just entered a call, this must've been the first time we " 1201 "encounter its context!"); 1202 C.updateLocCtxMap(&Call->path, CE->getCalleeContext()); 1203 1204 if (C.shouldAddPathEdges()) { 1205 // Add the edge to the return site. 1206 addEdgeToPath(C.getActivePath(), PrevLoc, Call->callReturn); 1207 PrevLoc.invalidate(); 1208 } 1209 1210 auto *P = Call.get(); 1211 C.getActivePath().push_front(std::move(Call)); 1212 1213 // Make the contents of the call the active path for now. 1214 C.PD->pushActivePath(&P->path); 1215 C.CallStack.push_back(CallWithEntry(P, C.getCurrentNode())); 1216 return; 1217 } 1218 1219 if (auto PS = P.getAs<PostStmt>()) { 1220 if (!C.shouldAddPathEdges()) 1221 return; 1222 1223 // Add an edge. If this is an ObjCForCollectionStmt do 1224 // not add an edge here as it appears in the CFG both 1225 // as a terminator and as a terminator condition. 1226 if (!isa<ObjCForCollectionStmt>(PS->getStmt())) { 1227 PathDiagnosticLocation L = 1228 PathDiagnosticLocation(PS->getStmt(), SM, C.getCurrLocationContext()); 1229 addEdgeToPath(C.getActivePath(), PrevLoc, L); 1230 } 1231 1232 } else if (auto BE = P.getAs<BlockEdge>()) { 1233 1234 if (!C.shouldAddPathEdges()) { 1235 generateMinimalDiagForBlockEdge(C, *BE); 1236 return; 1237 } 1238 1239 // Are we jumping to the head of a loop? Add a special diagnostic. 1240 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1241 PathDiagnosticLocation L(Loop, SM, C.getCurrLocationContext()); 1242 const Stmt *Body = nullptr; 1243 1244 if (const auto *FS = dyn_cast<ForStmt>(Loop)) 1245 Body = FS->getBody(); 1246 else if (const auto *WS = dyn_cast<WhileStmt>(Loop)) 1247 Body = WS->getBody(); 1248 else if (const auto *OFS = dyn_cast<ObjCForCollectionStmt>(Loop)) { 1249 Body = OFS->getBody(); 1250 } else if (const auto *FRS = dyn_cast<CXXForRangeStmt>(Loop)) { 1251 Body = FRS->getBody(); 1252 } 1253 // do-while statements are explicitly excluded here 1254 1255 auto p = std::make_shared<PathDiagnosticEventPiece>( 1256 L, "Looping back to the head " 1257 "of the loop"); 1258 p->setPrunable(true); 1259 1260 addEdgeToPath(C.getActivePath(), PrevLoc, p->getLocation()); 1261 C.getActivePath().push_front(std::move(p)); 1262 1263 if (const auto *CS = dyn_cast_or_null<CompoundStmt>(Body)) { 1264 addEdgeToPath(C.getActivePath(), PrevLoc, 1265 PathDiagnosticLocation::createEndBrace(CS, SM)); 1266 } 1267 } 1268 1269 const CFGBlock *BSrc = BE->getSrc(); 1270 const ParentMap &PM = C.getParentMap(); 1271 1272 if (const Stmt *Term = BSrc->getTerminatorStmt()) { 1273 // Are we jumping past the loop body without ever executing the 1274 // loop (because the condition was false)? 1275 if (isLoop(Term)) { 1276 const Stmt *TermCond = getTerminatorCondition(BSrc); 1277 bool IsInLoopBody = isInLoopBody( 1278 PM, getStmtBeforeCond(PM, TermCond, C.getCurrentNode()), Term); 1279 1280 StringRef str; 1281 1282 if (isJumpToFalseBranch(&*BE)) { 1283 if (!IsInLoopBody) { 1284 if (isa<ObjCForCollectionStmt>(Term)) { 1285 str = StrLoopCollectionEmpty; 1286 } else if (isa<CXXForRangeStmt>(Term)) { 1287 str = StrLoopRangeEmpty; 1288 } else { 1289 str = StrLoopBodyZero; 1290 } 1291 } 1292 } else { 1293 str = StrEnteringLoop; 1294 } 1295 1296 if (!str.empty()) { 1297 PathDiagnosticLocation L(TermCond ? TermCond : Term, SM, 1298 C.getCurrLocationContext()); 1299 auto PE = std::make_shared<PathDiagnosticEventPiece>(L, str); 1300 PE->setPrunable(true); 1301 addEdgeToPath(C.getActivePath(), PrevLoc, PE->getLocation()); 1302 C.getActivePath().push_front(std::move(PE)); 1303 } 1304 } else if (isa<BreakStmt>(Term) || isa<ContinueStmt>(Term) || 1305 isa<GotoStmt>(Term)) { 1306 PathDiagnosticLocation L(Term, SM, C.getCurrLocationContext()); 1307 addEdgeToPath(C.getActivePath(), PrevLoc, L); 1308 } 1309 } 1310 } 1311 } 1312 1313 static std::unique_ptr<PathDiagnostic> 1314 generateDiagnosticForBasicReport(const BasicBugReport *R) { 1315 const BugType &BT = R->getBugType(); 1316 return std::make_unique<PathDiagnostic>( 1317 BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(), 1318 R->getDescription(), R->getShortDescription(/*UseFallback=*/false), 1319 BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(), 1320 std::make_unique<FilesToLineNumsMap>()); 1321 } 1322 1323 static std::unique_ptr<PathDiagnostic> 1324 generateEmptyDiagnosticForReport(const PathSensitiveBugReport *R, 1325 const SourceManager &SM) { 1326 const BugType &BT = R->getBugType(); 1327 return std::make_unique<PathDiagnostic>( 1328 BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(), 1329 R->getDescription(), R->getShortDescription(/*UseFallback=*/false), 1330 BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(), 1331 findExecutedLines(SM, R->getErrorNode())); 1332 } 1333 1334 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) { 1335 if (!S) 1336 return nullptr; 1337 1338 while (true) { 1339 S = PM.getParentIgnoreParens(S); 1340 1341 if (!S) 1342 break; 1343 1344 if (isa<FullExpr>(S) || 1345 isa<CXXBindTemporaryExpr>(S) || 1346 isa<SubstNonTypeTemplateParmExpr>(S)) 1347 continue; 1348 1349 break; 1350 } 1351 1352 return S; 1353 } 1354 1355 static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) { 1356 switch (S->getStmtClass()) { 1357 case Stmt::BinaryOperatorClass: { 1358 const auto *BO = cast<BinaryOperator>(S); 1359 if (!BO->isLogicalOp()) 1360 return false; 1361 return BO->getLHS() == Cond || BO->getRHS() == Cond; 1362 } 1363 case Stmt::IfStmtClass: 1364 return cast<IfStmt>(S)->getCond() == Cond; 1365 case Stmt::ForStmtClass: 1366 return cast<ForStmt>(S)->getCond() == Cond; 1367 case Stmt::WhileStmtClass: 1368 return cast<WhileStmt>(S)->getCond() == Cond; 1369 case Stmt::DoStmtClass: 1370 return cast<DoStmt>(S)->getCond() == Cond; 1371 case Stmt::ChooseExprClass: 1372 return cast<ChooseExpr>(S)->getCond() == Cond; 1373 case Stmt::IndirectGotoStmtClass: 1374 return cast<IndirectGotoStmt>(S)->getTarget() == Cond; 1375 case Stmt::SwitchStmtClass: 1376 return cast<SwitchStmt>(S)->getCond() == Cond; 1377 case Stmt::BinaryConditionalOperatorClass: 1378 return cast<BinaryConditionalOperator>(S)->getCond() == Cond; 1379 case Stmt::ConditionalOperatorClass: { 1380 const auto *CO = cast<ConditionalOperator>(S); 1381 return CO->getCond() == Cond || 1382 CO->getLHS() == Cond || 1383 CO->getRHS() == Cond; 1384 } 1385 case Stmt::ObjCForCollectionStmtClass: 1386 return cast<ObjCForCollectionStmt>(S)->getElement() == Cond; 1387 case Stmt::CXXForRangeStmtClass: { 1388 const auto *FRS = cast<CXXForRangeStmt>(S); 1389 return FRS->getCond() == Cond || FRS->getRangeInit() == Cond; 1390 } 1391 default: 1392 return false; 1393 } 1394 } 1395 1396 static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) { 1397 if (const auto *FS = dyn_cast<ForStmt>(FL)) 1398 return FS->getInc() == S || FS->getInit() == S; 1399 if (const auto *FRS = dyn_cast<CXXForRangeStmt>(FL)) 1400 return FRS->getInc() == S || FRS->getRangeStmt() == S || 1401 FRS->getLoopVarStmt() || FRS->getRangeInit() == S; 1402 return false; 1403 } 1404 1405 using OptimizedCallsSet = llvm::DenseSet<const PathDiagnosticCallPiece *>; 1406 1407 /// Adds synthetic edges from top-level statements to their subexpressions. 1408 /// 1409 /// This avoids a "swoosh" effect, where an edge from a top-level statement A 1410 /// points to a sub-expression B.1 that's not at the start of B. In these cases, 1411 /// we'd like to see an edge from A to B, then another one from B to B.1. 1412 static void addContextEdges(PathPieces &pieces, const LocationContext *LC) { 1413 const ParentMap &PM = LC->getParentMap(); 1414 PathPieces::iterator Prev = pieces.end(); 1415 for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E; 1416 Prev = I, ++I) { 1417 auto *Piece = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1418 1419 if (!Piece) 1420 continue; 1421 1422 PathDiagnosticLocation SrcLoc = Piece->getStartLocation(); 1423 SmallVector<PathDiagnosticLocation, 4> SrcContexts; 1424 1425 PathDiagnosticLocation NextSrcContext = SrcLoc; 1426 const Stmt *InnerStmt = nullptr; 1427 while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) { 1428 SrcContexts.push_back(NextSrcContext); 1429 InnerStmt = NextSrcContext.asStmt(); 1430 NextSrcContext = getEnclosingStmtLocation(InnerStmt, LC, 1431 /*allowNested=*/true); 1432 } 1433 1434 // Repeatedly split the edge as necessary. 1435 // This is important for nested logical expressions (||, &&, ?:) where we 1436 // want to show all the levels of context. 1437 while (true) { 1438 const Stmt *Dst = Piece->getEndLocation().getStmtOrNull(); 1439 1440 // We are looking at an edge. Is the destination within a larger 1441 // expression? 1442 PathDiagnosticLocation DstContext = 1443 getEnclosingStmtLocation(Dst, LC, /*allowNested=*/true); 1444 if (!DstContext.isValid() || DstContext.asStmt() == Dst) 1445 break; 1446 1447 // If the source is in the same context, we're already good. 1448 if (llvm::find(SrcContexts, DstContext) != SrcContexts.end()) 1449 break; 1450 1451 // Update the subexpression node to point to the context edge. 1452 Piece->setStartLocation(DstContext); 1453 1454 // Try to extend the previous edge if it's at the same level as the source 1455 // context. 1456 if (Prev != E) { 1457 auto *PrevPiece = dyn_cast<PathDiagnosticControlFlowPiece>(Prev->get()); 1458 1459 if (PrevPiece) { 1460 if (const Stmt *PrevSrc = 1461 PrevPiece->getStartLocation().getStmtOrNull()) { 1462 const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM); 1463 if (PrevSrcParent == 1464 getStmtParent(DstContext.getStmtOrNull(), PM)) { 1465 PrevPiece->setEndLocation(DstContext); 1466 break; 1467 } 1468 } 1469 } 1470 } 1471 1472 // Otherwise, split the current edge into a context edge and a 1473 // subexpression edge. Note that the context statement may itself have 1474 // context. 1475 auto P = 1476 std::make_shared<PathDiagnosticControlFlowPiece>(SrcLoc, DstContext); 1477 Piece = P.get(); 1478 I = pieces.insert(I, std::move(P)); 1479 } 1480 } 1481 } 1482 1483 /// Move edges from a branch condition to a branch target 1484 /// when the condition is simple. 1485 /// 1486 /// This restructures some of the work of addContextEdges. That function 1487 /// creates edges this may destroy, but they work together to create a more 1488 /// aesthetically set of edges around branches. After the call to 1489 /// addContextEdges, we may have (1) an edge to the branch, (2) an edge from 1490 /// the branch to the branch condition, and (3) an edge from the branch 1491 /// condition to the branch target. We keep (1), but may wish to remove (2) 1492 /// and move the source of (3) to the branch if the branch condition is simple. 1493 static void simplifySimpleBranches(PathPieces &pieces) { 1494 for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) { 1495 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1496 1497 if (!PieceI) 1498 continue; 1499 1500 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1501 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1502 1503 if (!s1Start || !s1End) 1504 continue; 1505 1506 PathPieces::iterator NextI = I; ++NextI; 1507 if (NextI == E) 1508 break; 1509 1510 PathDiagnosticControlFlowPiece *PieceNextI = nullptr; 1511 1512 while (true) { 1513 if (NextI == E) 1514 break; 1515 1516 const auto *EV = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 1517 if (EV) { 1518 StringRef S = EV->getString(); 1519 if (S == StrEnteringLoop || S == StrLoopBodyZero || 1520 S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) { 1521 ++NextI; 1522 continue; 1523 } 1524 break; 1525 } 1526 1527 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1528 break; 1529 } 1530 1531 if (!PieceNextI) 1532 continue; 1533 1534 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1535 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1536 1537 if (!s2Start || !s2End || s1End != s2Start) 1538 continue; 1539 1540 // We only perform this transformation for specific branch kinds. 1541 // We don't want to do this for do..while, for example. 1542 if (!(isa<ForStmt>(s1Start) || isa<WhileStmt>(s1Start) || 1543 isa<IfStmt>(s1Start) || isa<ObjCForCollectionStmt>(s1Start) || 1544 isa<CXXForRangeStmt>(s1Start))) 1545 continue; 1546 1547 // Is s1End the branch condition? 1548 if (!isConditionForTerminator(s1Start, s1End)) 1549 continue; 1550 1551 // Perform the hoisting by eliminating (2) and changing the start 1552 // location of (3). 1553 PieceNextI->setStartLocation(PieceI->getStartLocation()); 1554 I = pieces.erase(I); 1555 } 1556 } 1557 1558 /// Returns the number of bytes in the given (character-based) SourceRange. 1559 /// 1560 /// If the locations in the range are not on the same line, returns None. 1561 /// 1562 /// Note that this does not do a precise user-visible character or column count. 1563 static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM, 1564 SourceRange Range) { 1565 SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()), 1566 SM.getExpansionRange(Range.getEnd()).getEnd()); 1567 1568 FileID FID = SM.getFileID(ExpansionRange.getBegin()); 1569 if (FID != SM.getFileID(ExpansionRange.getEnd())) 1570 return None; 1571 1572 bool Invalid; 1573 const llvm::MemoryBuffer *Buffer = SM.getBuffer(FID, &Invalid); 1574 if (Invalid) 1575 return None; 1576 1577 unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin()); 1578 unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd()); 1579 StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset); 1580 1581 // We're searching the raw bytes of the buffer here, which might include 1582 // escaped newlines and such. That's okay; we're trying to decide whether the 1583 // SourceRange is covering a large or small amount of space in the user's 1584 // editor. 1585 if (Snippet.find_first_of("\r\n") != StringRef::npos) 1586 return None; 1587 1588 // This isn't Unicode-aware, but it doesn't need to be. 1589 return Snippet.size(); 1590 } 1591 1592 /// \sa getLengthOnSingleLine(SourceManager, SourceRange) 1593 static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM, 1594 const Stmt *S) { 1595 return getLengthOnSingleLine(SM, S->getSourceRange()); 1596 } 1597 1598 /// Eliminate two-edge cycles created by addContextEdges(). 1599 /// 1600 /// Once all the context edges are in place, there are plenty of cases where 1601 /// there's a single edge from a top-level statement to a subexpression, 1602 /// followed by a single path note, and then a reverse edge to get back out to 1603 /// the top level. If the statement is simple enough, the subexpression edges 1604 /// just add noise and make it harder to understand what's going on. 1605 /// 1606 /// This function only removes edges in pairs, because removing only one edge 1607 /// might leave other edges dangling. 1608 /// 1609 /// This will not remove edges in more complicated situations: 1610 /// - if there is more than one "hop" leading to or from a subexpression. 1611 /// - if there is an inlined call between the edges instead of a single event. 1612 /// - if the whole statement is large enough that having subexpression arrows 1613 /// might be helpful. 1614 static void removeContextCycles(PathPieces &Path, const SourceManager &SM) { 1615 for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) { 1616 // Pattern match the current piece and its successor. 1617 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1618 1619 if (!PieceI) { 1620 ++I; 1621 continue; 1622 } 1623 1624 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1625 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1626 1627 PathPieces::iterator NextI = I; ++NextI; 1628 if (NextI == E) 1629 break; 1630 1631 const auto *PieceNextI = 1632 dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1633 1634 if (!PieceNextI) { 1635 if (isa<PathDiagnosticEventPiece>(NextI->get())) { 1636 ++NextI; 1637 if (NextI == E) 1638 break; 1639 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1640 } 1641 1642 if (!PieceNextI) { 1643 ++I; 1644 continue; 1645 } 1646 } 1647 1648 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1649 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1650 1651 if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) { 1652 const size_t MAX_SHORT_LINE_LENGTH = 80; 1653 Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start); 1654 if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) { 1655 Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start); 1656 if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) { 1657 Path.erase(I); 1658 I = Path.erase(NextI); 1659 continue; 1660 } 1661 } 1662 } 1663 1664 ++I; 1665 } 1666 } 1667 1668 /// Return true if X is contained by Y. 1669 static bool lexicalContains(const ParentMap &PM, const Stmt *X, const Stmt *Y) { 1670 while (X) { 1671 if (X == Y) 1672 return true; 1673 X = PM.getParent(X); 1674 } 1675 return false; 1676 } 1677 1678 // Remove short edges on the same line less than 3 columns in difference. 1679 static void removePunyEdges(PathPieces &path, const SourceManager &SM, 1680 const ParentMap &PM) { 1681 bool erased = false; 1682 1683 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; 1684 erased ? I : ++I) { 1685 erased = false; 1686 1687 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1688 1689 if (!PieceI) 1690 continue; 1691 1692 const Stmt *start = PieceI->getStartLocation().getStmtOrNull(); 1693 const Stmt *end = PieceI->getEndLocation().getStmtOrNull(); 1694 1695 if (!start || !end) 1696 continue; 1697 1698 const Stmt *endParent = PM.getParent(end); 1699 if (!endParent) 1700 continue; 1701 1702 if (isConditionForTerminator(end, endParent)) 1703 continue; 1704 1705 SourceLocation FirstLoc = start->getBeginLoc(); 1706 SourceLocation SecondLoc = end->getBeginLoc(); 1707 1708 if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc)) 1709 continue; 1710 if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc)) 1711 std::swap(SecondLoc, FirstLoc); 1712 1713 SourceRange EdgeRange(FirstLoc, SecondLoc); 1714 Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange); 1715 1716 // If the statements are on different lines, continue. 1717 if (!ByteWidth) 1718 continue; 1719 1720 const size_t MAX_PUNY_EDGE_LENGTH = 2; 1721 if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) { 1722 // FIXME: There are enough /bytes/ between the endpoints of the edge, but 1723 // there might not be enough /columns/. A proper user-visible column count 1724 // is probably too expensive, though. 1725 I = path.erase(I); 1726 erased = true; 1727 continue; 1728 } 1729 } 1730 } 1731 1732 static void removeIdenticalEvents(PathPieces &path) { 1733 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) { 1734 const auto *PieceI = dyn_cast<PathDiagnosticEventPiece>(I->get()); 1735 1736 if (!PieceI) 1737 continue; 1738 1739 PathPieces::iterator NextI = I; ++NextI; 1740 if (NextI == E) 1741 return; 1742 1743 const auto *PieceNextI = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 1744 1745 if (!PieceNextI) 1746 continue; 1747 1748 // Erase the second piece if it has the same exact message text. 1749 if (PieceI->getString() == PieceNextI->getString()) { 1750 path.erase(NextI); 1751 } 1752 } 1753 } 1754 1755 static bool optimizeEdges(const PathDiagnosticConstruct &C, PathPieces &path, 1756 OptimizedCallsSet &OCS) { 1757 bool hasChanges = false; 1758 const LocationContext *LC = C.getLocationContextFor(&path); 1759 assert(LC); 1760 const ParentMap &PM = LC->getParentMap(); 1761 const SourceManager &SM = C.getSourceManager(); 1762 1763 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) { 1764 // Optimize subpaths. 1765 if (auto *CallI = dyn_cast<PathDiagnosticCallPiece>(I->get())) { 1766 // Record the fact that a call has been optimized so we only do the 1767 // effort once. 1768 if (!OCS.count(CallI)) { 1769 while (optimizeEdges(C, CallI->path, OCS)) { 1770 } 1771 OCS.insert(CallI); 1772 } 1773 ++I; 1774 continue; 1775 } 1776 1777 // Pattern match the current piece and its successor. 1778 auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1779 1780 if (!PieceI) { 1781 ++I; 1782 continue; 1783 } 1784 1785 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1786 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1787 const Stmt *level1 = getStmtParent(s1Start, PM); 1788 const Stmt *level2 = getStmtParent(s1End, PM); 1789 1790 PathPieces::iterator NextI = I; ++NextI; 1791 if (NextI == E) 1792 break; 1793 1794 const auto *PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1795 1796 if (!PieceNextI) { 1797 ++I; 1798 continue; 1799 } 1800 1801 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1802 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1803 const Stmt *level3 = getStmtParent(s2Start, PM); 1804 const Stmt *level4 = getStmtParent(s2End, PM); 1805 1806 // Rule I. 1807 // 1808 // If we have two consecutive control edges whose end/begin locations 1809 // are at the same level (e.g. statements or top-level expressions within 1810 // a compound statement, or siblings share a single ancestor expression), 1811 // then merge them if they have no interesting intermediate event. 1812 // 1813 // For example: 1814 // 1815 // (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common 1816 // parent is '1'. Here 'x.y.z' represents the hierarchy of statements. 1817 // 1818 // NOTE: this will be limited later in cases where we add barriers 1819 // to prevent this optimization. 1820 if (level1 && level1 == level2 && level1 == level3 && level1 == level4) { 1821 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1822 path.erase(NextI); 1823 hasChanges = true; 1824 continue; 1825 } 1826 1827 // Rule II. 1828 // 1829 // Eliminate edges between subexpressions and parent expressions 1830 // when the subexpression is consumed. 1831 // 1832 // NOTE: this will be limited later in cases where we add barriers 1833 // to prevent this optimization. 1834 if (s1End && s1End == s2Start && level2) { 1835 bool removeEdge = false; 1836 // Remove edges into the increment or initialization of a 1837 // loop that have no interleaving event. This means that 1838 // they aren't interesting. 1839 if (isIncrementOrInitInForLoop(s1End, level2)) 1840 removeEdge = true; 1841 // Next only consider edges that are not anchored on 1842 // the condition of a terminator. This are intermediate edges 1843 // that we might want to trim. 1844 else if (!isConditionForTerminator(level2, s1End)) { 1845 // Trim edges on expressions that are consumed by 1846 // the parent expression. 1847 if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) { 1848 removeEdge = true; 1849 } 1850 // Trim edges where a lexical containment doesn't exist. 1851 // For example: 1852 // 1853 // X -> Y -> Z 1854 // 1855 // If 'Z' lexically contains Y (it is an ancestor) and 1856 // 'X' does not lexically contain Y (it is a descendant OR 1857 // it has no lexical relationship at all) then trim. 1858 // 1859 // This can eliminate edges where we dive into a subexpression 1860 // and then pop back out, etc. 1861 else if (s1Start && s2End && 1862 lexicalContains(PM, s2Start, s2End) && 1863 !lexicalContains(PM, s1End, s1Start)) { 1864 removeEdge = true; 1865 } 1866 // Trim edges from a subexpression back to the top level if the 1867 // subexpression is on a different line. 1868 // 1869 // A.1 -> A -> B 1870 // becomes 1871 // A.1 -> B 1872 // 1873 // These edges just look ugly and don't usually add anything. 1874 else if (s1Start && s2End && 1875 lexicalContains(PM, s1Start, s1End)) { 1876 SourceRange EdgeRange(PieceI->getEndLocation().asLocation(), 1877 PieceI->getStartLocation().asLocation()); 1878 if (!getLengthOnSingleLine(SM, EdgeRange).hasValue()) 1879 removeEdge = true; 1880 } 1881 } 1882 1883 if (removeEdge) { 1884 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1885 path.erase(NextI); 1886 hasChanges = true; 1887 continue; 1888 } 1889 } 1890 1891 // Optimize edges for ObjC fast-enumeration loops. 1892 // 1893 // (X -> collection) -> (collection -> element) 1894 // 1895 // becomes: 1896 // 1897 // (X -> element) 1898 if (s1End == s2Start) { 1899 const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(level3); 1900 if (FS && FS->getCollection()->IgnoreParens() == s2Start && 1901 s2End == FS->getElement()) { 1902 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1903 path.erase(NextI); 1904 hasChanges = true; 1905 continue; 1906 } 1907 } 1908 1909 // No changes at this index? Move to the next one. 1910 ++I; 1911 } 1912 1913 if (!hasChanges) { 1914 // Adjust edges into subexpressions to make them more uniform 1915 // and aesthetically pleasing. 1916 addContextEdges(path, LC); 1917 // Remove "cyclical" edges that include one or more context edges. 1918 removeContextCycles(path, SM); 1919 // Hoist edges originating from branch conditions to branches 1920 // for simple branches. 1921 simplifySimpleBranches(path); 1922 // Remove any puny edges left over after primary optimization pass. 1923 removePunyEdges(path, SM, PM); 1924 // Remove identical events. 1925 removeIdenticalEvents(path); 1926 } 1927 1928 return hasChanges; 1929 } 1930 1931 /// Drop the very first edge in a path, which should be a function entry edge. 1932 /// 1933 /// If the first edge is not a function entry edge (say, because the first 1934 /// statement had an invalid source location), this function does nothing. 1935 // FIXME: We should just generate invalid edges anyway and have the optimizer 1936 // deal with them. 1937 static void dropFunctionEntryEdge(const PathDiagnosticConstruct &C, 1938 PathPieces &Path) { 1939 const auto *FirstEdge = 1940 dyn_cast<PathDiagnosticControlFlowPiece>(Path.front().get()); 1941 if (!FirstEdge) 1942 return; 1943 1944 const Decl *D = C.getLocationContextFor(&Path)->getDecl(); 1945 PathDiagnosticLocation EntryLoc = 1946 PathDiagnosticLocation::createBegin(D, C.getSourceManager()); 1947 if (FirstEdge->getStartLocation() != EntryLoc) 1948 return; 1949 1950 Path.pop_front(); 1951 } 1952 1953 /// Populate executes lines with lines containing at least one diagnostics. 1954 static void updateExecutedLinesWithDiagnosticPieces(PathDiagnostic &PD) { 1955 1956 PathPieces path = PD.path.flatten(/*ShouldFlattenMacros=*/true); 1957 FilesToLineNumsMap &ExecutedLines = PD.getExecutedLines(); 1958 1959 for (const auto &P : path) { 1960 FullSourceLoc Loc = P->getLocation().asLocation().getExpansionLoc(); 1961 FileID FID = Loc.getFileID(); 1962 unsigned LineNo = Loc.getLineNumber(); 1963 assert(FID.isValid()); 1964 ExecutedLines[FID].insert(LineNo); 1965 } 1966 } 1967 1968 PathDiagnosticConstruct::PathDiagnosticConstruct( 1969 const PathDiagnosticConsumer *PDC, const ExplodedNode *ErrorNode, 1970 const PathSensitiveBugReport *R) 1971 : Consumer(PDC), CurrentNode(ErrorNode), 1972 SM(CurrentNode->getCodeDecl().getASTContext().getSourceManager()), 1973 PD(generateEmptyDiagnosticForReport(R, getSourceManager())) { 1974 LCM[&PD->getActivePath()] = ErrorNode->getLocationContext(); 1975 } 1976 1977 PathDiagnosticBuilder::PathDiagnosticBuilder( 1978 BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath, 1979 PathSensitiveBugReport *r, const ExplodedNode *ErrorNode, 1980 std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics) 1981 : BugReporterContext(BRC), BugPath(std::move(BugPath)), R(r), 1982 ErrorNode(ErrorNode), 1983 VisitorsDiagnostics(std::move(VisitorsDiagnostics)) {} 1984 1985 std::unique_ptr<PathDiagnostic> 1986 PathDiagnosticBuilder::generate(const PathDiagnosticConsumer *PDC) const { 1987 PathDiagnosticConstruct Construct(PDC, ErrorNode, R); 1988 1989 const SourceManager &SM = getSourceManager(); 1990 const AnalyzerOptions &Opts = getAnalyzerOptions(); 1991 StringRef ErrorTag = ErrorNode->getLocation().getTag()->getTagDescription(); 1992 1993 // See whether we need to silence the checker/package. 1994 // FIXME: This will not work if the report was emitted with an incorrect tag. 1995 for (const std::string &CheckerOrPackage : Opts.SilencedCheckersAndPackages) { 1996 if (ErrorTag.startswith(CheckerOrPackage)) 1997 return nullptr; 1998 } 1999 2000 if (!PDC->shouldGenerateDiagnostics()) 2001 return generateEmptyDiagnosticForReport(R, getSourceManager()); 2002 2003 // Construct the final (warning) event for the bug report. 2004 auto EndNotes = VisitorsDiagnostics->find(ErrorNode); 2005 PathDiagnosticPieceRef LastPiece; 2006 if (EndNotes != VisitorsDiagnostics->end()) { 2007 assert(!EndNotes->second.empty()); 2008 LastPiece = EndNotes->second[0]; 2009 } else { 2010 LastPiece = BugReporterVisitor::getDefaultEndPath(*this, ErrorNode, 2011 *getBugReport()); 2012 } 2013 Construct.PD->setEndOfPath(LastPiece); 2014 2015 PathDiagnosticLocation PrevLoc = Construct.PD->getLocation(); 2016 // From the error node to the root, ascend the bug path and construct the bug 2017 // report. 2018 while (Construct.ascendToPrevNode()) { 2019 generatePathDiagnosticsForNode(Construct, PrevLoc); 2020 2021 auto VisitorNotes = VisitorsDiagnostics->find(Construct.getCurrentNode()); 2022 if (VisitorNotes == VisitorsDiagnostics->end()) 2023 continue; 2024 2025 // This is a workaround due to inability to put shared PathDiagnosticPiece 2026 // into a FoldingSet. 2027 std::set<llvm::FoldingSetNodeID> DeduplicationSet; 2028 2029 // Add pieces from custom visitors. 2030 for (const PathDiagnosticPieceRef &Note : VisitorNotes->second) { 2031 llvm::FoldingSetNodeID ID; 2032 Note->Profile(ID); 2033 if (!DeduplicationSet.insert(ID).second) 2034 continue; 2035 2036 if (PDC->shouldAddPathEdges()) 2037 addEdgeToPath(Construct.getActivePath(), PrevLoc, Note->getLocation()); 2038 updateStackPiecesWithMessage(Note, Construct.CallStack); 2039 Construct.getActivePath().push_front(Note); 2040 } 2041 } 2042 2043 if (PDC->shouldAddPathEdges()) { 2044 // Add an edge to the start of the function. 2045 // We'll prune it out later, but it helps make diagnostics more uniform. 2046 const StackFrameContext *CalleeLC = 2047 Construct.getLocationContextForActivePath()->getStackFrame(); 2048 const Decl *D = CalleeLC->getDecl(); 2049 addEdgeToPath(Construct.getActivePath(), PrevLoc, 2050 PathDiagnosticLocation::createBegin(D, SM)); 2051 } 2052 2053 2054 // Finally, prune the diagnostic path of uninteresting stuff. 2055 if (!Construct.PD->path.empty()) { 2056 if (R->shouldPrunePath() && Opts.ShouldPrunePaths) { 2057 bool stillHasNotes = 2058 removeUnneededCalls(Construct, Construct.getMutablePieces(), R); 2059 assert(stillHasNotes); 2060 (void)stillHasNotes; 2061 } 2062 2063 // Remove pop-up notes if needed. 2064 if (!Opts.ShouldAddPopUpNotes) 2065 removePopUpNotes(Construct.getMutablePieces()); 2066 2067 // Redirect all call pieces to have valid locations. 2068 adjustCallLocations(Construct.getMutablePieces()); 2069 removePiecesWithInvalidLocations(Construct.getMutablePieces()); 2070 2071 if (PDC->shouldAddPathEdges()) { 2072 2073 // Reduce the number of edges from a very conservative set 2074 // to an aesthetically pleasing subset that conveys the 2075 // necessary information. 2076 OptimizedCallsSet OCS; 2077 while (optimizeEdges(Construct, Construct.getMutablePieces(), OCS)) { 2078 } 2079 2080 // Drop the very first function-entry edge. It's not really necessary 2081 // for top-level functions. 2082 dropFunctionEntryEdge(Construct, Construct.getMutablePieces()); 2083 } 2084 2085 // Remove messages that are basically the same, and edges that may not 2086 // make sense. 2087 // We have to do this after edge optimization in the Extensive mode. 2088 removeRedundantMsgs(Construct.getMutablePieces()); 2089 removeEdgesToDefaultInitializers(Construct.getMutablePieces()); 2090 } 2091 2092 if (Opts.ShouldDisplayMacroExpansions) 2093 CompactMacroExpandedPieces(Construct.getMutablePieces(), SM); 2094 2095 return std::move(Construct.PD); 2096 } 2097 2098 //===----------------------------------------------------------------------===// 2099 // Methods for BugType and subclasses. 2100 //===----------------------------------------------------------------------===// 2101 2102 void BugType::anchor() {} 2103 2104 void BuiltinBug::anchor() {} 2105 2106 //===----------------------------------------------------------------------===// 2107 // Methods for BugReport and subclasses. 2108 //===----------------------------------------------------------------------===// 2109 2110 void PathSensitiveBugReport::addVisitor( 2111 std::unique_ptr<BugReporterVisitor> visitor) { 2112 if (!visitor) 2113 return; 2114 2115 llvm::FoldingSetNodeID ID; 2116 visitor->Profile(ID); 2117 2118 void *InsertPos = nullptr; 2119 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 2120 return; 2121 } 2122 2123 Callbacks.push_back(std::move(visitor)); 2124 } 2125 2126 void PathSensitiveBugReport::clearVisitors() { 2127 Callbacks.clear(); 2128 } 2129 2130 const Decl *PathSensitiveBugReport::getDeclWithIssue() const { 2131 const ExplodedNode *N = getErrorNode(); 2132 if (!N) 2133 return nullptr; 2134 2135 const LocationContext *LC = N->getLocationContext(); 2136 return LC->getStackFrame()->getDecl(); 2137 } 2138 2139 void BasicBugReport::Profile(llvm::FoldingSetNodeID& hash) const { 2140 hash.AddInteger(static_cast<int>(getKind())); 2141 hash.AddPointer(&BT); 2142 hash.AddString(Description); 2143 assert(Location.isValid()); 2144 Location.Profile(hash); 2145 2146 for (SourceRange range : Ranges) { 2147 if (!range.isValid()) 2148 continue; 2149 hash.AddInteger(range.getBegin().getRawEncoding()); 2150 hash.AddInteger(range.getEnd().getRawEncoding()); 2151 } 2152 } 2153 2154 void PathSensitiveBugReport::Profile(llvm::FoldingSetNodeID &hash) const { 2155 hash.AddInteger(static_cast<int>(getKind())); 2156 hash.AddPointer(&BT); 2157 hash.AddString(Description); 2158 PathDiagnosticLocation UL = getUniqueingLocation(); 2159 if (UL.isValid()) { 2160 UL.Profile(hash); 2161 } else { 2162 // TODO: The statement may be null if the report was emitted before any 2163 // statements were executed. In particular, some checkers by design 2164 // occasionally emit their reports in empty functions (that have no 2165 // statements in their body). Do we profile correctly in this case? 2166 hash.AddPointer(ErrorNode->getCurrentOrPreviousStmtForDiagnostics()); 2167 } 2168 2169 for (SourceRange range : Ranges) { 2170 if (!range.isValid()) 2171 continue; 2172 hash.AddInteger(range.getBegin().getRawEncoding()); 2173 hash.AddInteger(range.getEnd().getRawEncoding()); 2174 } 2175 } 2176 2177 template <class T> 2178 static void insertToInterestingnessMap( 2179 llvm::DenseMap<T, bugreporter::TrackingKind> &InterestingnessMap, T Val, 2180 bugreporter::TrackingKind TKind) { 2181 auto Result = InterestingnessMap.insert({Val, TKind}); 2182 2183 if (Result.second) 2184 return; 2185 2186 // Even if this symbol/region was already marked as interesting as a 2187 // condition, if we later mark it as interesting again but with 2188 // thorough tracking, overwrite it. Entities marked with thorough 2189 // interestiness are the most important (or most interesting, if you will), 2190 // and we wouldn't like to downplay their importance. 2191 2192 switch (TKind) { 2193 case bugreporter::TrackingKind::Thorough: 2194 Result.first->getSecond() = bugreporter::TrackingKind::Thorough; 2195 return; 2196 case bugreporter::TrackingKind::Condition: 2197 return; 2198 } 2199 2200 llvm_unreachable( 2201 "BugReport::markInteresting currently can only handle 2 different " 2202 "tracking kinds! Please define what tracking kind should this entitiy" 2203 "have, if it was already marked as interesting with a different kind!"); 2204 } 2205 2206 void PathSensitiveBugReport::markInteresting(SymbolRef sym, 2207 bugreporter::TrackingKind TKind) { 2208 if (!sym) 2209 return; 2210 2211 insertToInterestingnessMap(InterestingSymbols, sym, TKind); 2212 2213 if (const auto *meta = dyn_cast<SymbolMetadata>(sym)) 2214 markInteresting(meta->getRegion(), TKind); 2215 } 2216 2217 void PathSensitiveBugReport::markInteresting(const MemRegion *R, 2218 bugreporter::TrackingKind TKind) { 2219 if (!R) 2220 return; 2221 2222 R = R->getBaseRegion(); 2223 insertToInterestingnessMap(InterestingRegions, R, TKind); 2224 2225 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2226 markInteresting(SR->getSymbol(), TKind); 2227 } 2228 2229 void PathSensitiveBugReport::markInteresting(SVal V, 2230 bugreporter::TrackingKind TKind) { 2231 markInteresting(V.getAsRegion(), TKind); 2232 markInteresting(V.getAsSymbol(), TKind); 2233 } 2234 2235 void PathSensitiveBugReport::markInteresting(const LocationContext *LC) { 2236 if (!LC) 2237 return; 2238 InterestingLocationContexts.insert(LC); 2239 } 2240 2241 Optional<bugreporter::TrackingKind> 2242 PathSensitiveBugReport::getInterestingnessKind(SVal V) const { 2243 auto RKind = getInterestingnessKind(V.getAsRegion()); 2244 auto SKind = getInterestingnessKind(V.getAsSymbol()); 2245 if (!RKind) 2246 return SKind; 2247 if (!SKind) 2248 return RKind; 2249 2250 // If either is marked with throrough tracking, return that, we wouldn't like 2251 // to downplay a note's importance by 'only' mentioning it as a condition. 2252 switch(*RKind) { 2253 case bugreporter::TrackingKind::Thorough: 2254 return RKind; 2255 case bugreporter::TrackingKind::Condition: 2256 return SKind; 2257 } 2258 2259 llvm_unreachable( 2260 "BugReport::getInterestingnessKind currently can only handle 2 different " 2261 "tracking kinds! Please define what tracking kind should we return here " 2262 "when the kind of getAsRegion() and getAsSymbol() is different!"); 2263 return None; 2264 } 2265 2266 Optional<bugreporter::TrackingKind> 2267 PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const { 2268 if (!sym) 2269 return None; 2270 // We don't currently consider metadata symbols to be interesting 2271 // even if we know their region is interesting. Is that correct behavior? 2272 auto It = InterestingSymbols.find(sym); 2273 if (It == InterestingSymbols.end()) 2274 return None; 2275 return It->getSecond(); 2276 } 2277 2278 Optional<bugreporter::TrackingKind> 2279 PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const { 2280 if (!R) 2281 return None; 2282 2283 R = R->getBaseRegion(); 2284 auto It = InterestingRegions.find(R); 2285 if (It != InterestingRegions.end()) 2286 return It->getSecond(); 2287 2288 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2289 return getInterestingnessKind(SR->getSymbol()); 2290 return None; 2291 } 2292 2293 bool PathSensitiveBugReport::isInteresting(SVal V) const { 2294 return getInterestingnessKind(V).hasValue(); 2295 } 2296 2297 bool PathSensitiveBugReport::isInteresting(SymbolRef sym) const { 2298 return getInterestingnessKind(sym).hasValue(); 2299 } 2300 2301 bool PathSensitiveBugReport::isInteresting(const MemRegion *R) const { 2302 return getInterestingnessKind(R).hasValue(); 2303 } 2304 2305 bool PathSensitiveBugReport::isInteresting(const LocationContext *LC) const { 2306 if (!LC) 2307 return false; 2308 return InterestingLocationContexts.count(LC); 2309 } 2310 2311 const Stmt *PathSensitiveBugReport::getStmt() const { 2312 if (!ErrorNode) 2313 return nullptr; 2314 2315 ProgramPoint ProgP = ErrorNode->getLocation(); 2316 const Stmt *S = nullptr; 2317 2318 if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) { 2319 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 2320 if (BE->getBlock() == &Exit) 2321 S = ErrorNode->getPreviousStmtForDiagnostics(); 2322 } 2323 if (!S) 2324 S = ErrorNode->getStmtForDiagnostics(); 2325 2326 return S; 2327 } 2328 2329 ArrayRef<SourceRange> 2330 PathSensitiveBugReport::getRanges() const { 2331 // If no custom ranges, add the range of the statement corresponding to 2332 // the error node. 2333 if (Ranges.empty() && isa_and_nonnull<Expr>(getStmt())) 2334 return ErrorNodeRange; 2335 2336 return Ranges; 2337 } 2338 2339 PathDiagnosticLocation 2340 PathSensitiveBugReport::getLocation() const { 2341 assert(ErrorNode && "Cannot create a location with a null node."); 2342 const Stmt *S = ErrorNode->getStmtForDiagnostics(); 2343 ProgramPoint P = ErrorNode->getLocation(); 2344 const LocationContext *LC = P.getLocationContext(); 2345 SourceManager &SM = 2346 ErrorNode->getState()->getStateManager().getContext().getSourceManager(); 2347 2348 if (!S) { 2349 // If this is an implicit call, return the implicit call point location. 2350 if (Optional<PreImplicitCall> PIE = P.getAs<PreImplicitCall>()) 2351 return PathDiagnosticLocation(PIE->getLocation(), SM); 2352 if (auto FE = P.getAs<FunctionExitPoint>()) { 2353 if (const ReturnStmt *RS = FE->getStmt()) 2354 return PathDiagnosticLocation::createBegin(RS, SM, LC); 2355 } 2356 S = ErrorNode->getNextStmtForDiagnostics(); 2357 } 2358 2359 if (S) { 2360 // For member expressions, return the location of the '.' or '->'. 2361 if (const auto *ME = dyn_cast<MemberExpr>(S)) 2362 return PathDiagnosticLocation::createMemberLoc(ME, SM); 2363 2364 // For binary operators, return the location of the operator. 2365 if (const auto *B = dyn_cast<BinaryOperator>(S)) 2366 return PathDiagnosticLocation::createOperatorLoc(B, SM); 2367 2368 if (P.getAs<PostStmtPurgeDeadSymbols>()) 2369 return PathDiagnosticLocation::createEnd(S, SM, LC); 2370 2371 if (S->getBeginLoc().isValid()) 2372 return PathDiagnosticLocation(S, SM, LC); 2373 2374 return PathDiagnosticLocation( 2375 PathDiagnosticLocation::getValidSourceLocation(S, LC), SM); 2376 } 2377 2378 return PathDiagnosticLocation::createDeclEnd(ErrorNode->getLocationContext(), 2379 SM); 2380 } 2381 2382 //===----------------------------------------------------------------------===// 2383 // Methods for BugReporter and subclasses. 2384 //===----------------------------------------------------------------------===// 2385 2386 const ExplodedGraph &PathSensitiveBugReporter::getGraph() const { 2387 return Eng.getGraph(); 2388 } 2389 2390 ProgramStateManager &PathSensitiveBugReporter::getStateManager() const { 2391 return Eng.getStateManager(); 2392 } 2393 2394 BugReporter::BugReporter(BugReporterData &d) : D(d) {} 2395 BugReporter::~BugReporter() { 2396 // Make sure reports are flushed. 2397 assert(StrBugTypes.empty() && 2398 "Destroying BugReporter before diagnostics are emitted!"); 2399 2400 // Free the bug reports we are tracking. 2401 for (const auto I : EQClassesVector) 2402 delete I; 2403 } 2404 2405 void BugReporter::FlushReports() { 2406 // We need to flush reports in deterministic order to ensure the order 2407 // of the reports is consistent between runs. 2408 for (const auto EQ : EQClassesVector) 2409 FlushReport(*EQ); 2410 2411 // BugReporter owns and deletes only BugTypes created implicitly through 2412 // EmitBasicReport. 2413 // FIXME: There are leaks from checkers that assume that the BugTypes they 2414 // create will be destroyed by the BugReporter. 2415 StrBugTypes.clear(); 2416 } 2417 2418 //===----------------------------------------------------------------------===// 2419 // PathDiagnostics generation. 2420 //===----------------------------------------------------------------------===// 2421 2422 namespace { 2423 2424 /// A wrapper around an ExplodedGraph that contains a single path from the root 2425 /// to the error node. 2426 class BugPathInfo { 2427 public: 2428 std::unique_ptr<ExplodedGraph> BugPath; 2429 PathSensitiveBugReport *Report; 2430 const ExplodedNode *ErrorNode; 2431 }; 2432 2433 /// A wrapper around an ExplodedGraph whose leafs are all error nodes. Can 2434 /// conveniently retrieve bug paths from a single error node to the root. 2435 class BugPathGetter { 2436 std::unique_ptr<ExplodedGraph> TrimmedGraph; 2437 2438 using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>; 2439 2440 /// Assign each node with its distance from the root. 2441 PriorityMapTy PriorityMap; 2442 2443 /// Since the getErrorNode() or BugReport refers to the original ExplodedGraph, 2444 /// we need to pair it to the error node of the constructed trimmed graph. 2445 using ReportNewNodePair = 2446 std::pair<PathSensitiveBugReport *, const ExplodedNode *>; 2447 SmallVector<ReportNewNodePair, 32> ReportNodes; 2448 2449 BugPathInfo CurrentBugPath; 2450 2451 /// A helper class for sorting ExplodedNodes by priority. 2452 template <bool Descending> 2453 class PriorityCompare { 2454 const PriorityMapTy &PriorityMap; 2455 2456 public: 2457 PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {} 2458 2459 bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const { 2460 PriorityMapTy::const_iterator LI = PriorityMap.find(LHS); 2461 PriorityMapTy::const_iterator RI = PriorityMap.find(RHS); 2462 PriorityMapTy::const_iterator E = PriorityMap.end(); 2463 2464 if (LI == E) 2465 return Descending; 2466 if (RI == E) 2467 return !Descending; 2468 2469 return Descending ? LI->second > RI->second 2470 : LI->second < RI->second; 2471 } 2472 2473 bool operator()(const ReportNewNodePair &LHS, 2474 const ReportNewNodePair &RHS) const { 2475 return (*this)(LHS.second, RHS.second); 2476 } 2477 }; 2478 2479 public: 2480 BugPathGetter(const ExplodedGraph *OriginalGraph, 2481 ArrayRef<PathSensitiveBugReport *> &bugReports); 2482 2483 BugPathInfo *getNextBugPath(); 2484 }; 2485 2486 } // namespace 2487 2488 BugPathGetter::BugPathGetter(const ExplodedGraph *OriginalGraph, 2489 ArrayRef<PathSensitiveBugReport *> &bugReports) { 2490 SmallVector<const ExplodedNode *, 32> Nodes; 2491 for (const auto I : bugReports) { 2492 assert(I->isValid() && 2493 "We only allow BugReporterVisitors and BugReporter itself to " 2494 "invalidate reports!"); 2495 Nodes.emplace_back(I->getErrorNode()); 2496 } 2497 2498 // The trimmed graph is created in the body of the constructor to ensure 2499 // that the DenseMaps have been initialized already. 2500 InterExplodedGraphMap ForwardMap; 2501 TrimmedGraph = OriginalGraph->trim(Nodes, &ForwardMap); 2502 2503 // Find the (first) error node in the trimmed graph. We just need to consult 2504 // the node map which maps from nodes in the original graph to nodes 2505 // in the new graph. 2506 llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes; 2507 2508 for (PathSensitiveBugReport *Report : bugReports) { 2509 const ExplodedNode *NewNode = ForwardMap.lookup(Report->getErrorNode()); 2510 assert(NewNode && 2511 "Failed to construct a trimmed graph that contains this error " 2512 "node!"); 2513 ReportNodes.emplace_back(Report, NewNode); 2514 RemainingNodes.insert(NewNode); 2515 } 2516 2517 assert(!RemainingNodes.empty() && "No error node found in the trimmed graph"); 2518 2519 // Perform a forward BFS to find all the shortest paths. 2520 std::queue<const ExplodedNode *> WS; 2521 2522 assert(TrimmedGraph->num_roots() == 1); 2523 WS.push(*TrimmedGraph->roots_begin()); 2524 unsigned Priority = 0; 2525 2526 while (!WS.empty()) { 2527 const ExplodedNode *Node = WS.front(); 2528 WS.pop(); 2529 2530 PriorityMapTy::iterator PriorityEntry; 2531 bool IsNew; 2532 std::tie(PriorityEntry, IsNew) = PriorityMap.insert({Node, Priority}); 2533 ++Priority; 2534 2535 if (!IsNew) { 2536 assert(PriorityEntry->second <= Priority); 2537 continue; 2538 } 2539 2540 if (RemainingNodes.erase(Node)) 2541 if (RemainingNodes.empty()) 2542 break; 2543 2544 for (const ExplodedNode *Succ : Node->succs()) 2545 WS.push(Succ); 2546 } 2547 2548 // Sort the error paths from longest to shortest. 2549 llvm::sort(ReportNodes, PriorityCompare<true>(PriorityMap)); 2550 } 2551 2552 BugPathInfo *BugPathGetter::getNextBugPath() { 2553 if (ReportNodes.empty()) 2554 return nullptr; 2555 2556 const ExplodedNode *OrigN; 2557 std::tie(CurrentBugPath.Report, OrigN) = ReportNodes.pop_back_val(); 2558 assert(PriorityMap.find(OrigN) != PriorityMap.end() && 2559 "error node not accessible from root"); 2560 2561 // Create a new graph with a single path. This is the graph that will be 2562 // returned to the caller. 2563 auto GNew = std::make_unique<ExplodedGraph>(); 2564 2565 // Now walk from the error node up the BFS path, always taking the 2566 // predeccessor with the lowest number. 2567 ExplodedNode *Succ = nullptr; 2568 while (true) { 2569 // Create the equivalent node in the new graph with the same state 2570 // and location. 2571 ExplodedNode *NewN = GNew->createUncachedNode( 2572 OrigN->getLocation(), OrigN->getState(), 2573 OrigN->getID(), OrigN->isSink()); 2574 2575 // Link up the new node with the previous node. 2576 if (Succ) 2577 Succ->addPredecessor(NewN, *GNew); 2578 else 2579 CurrentBugPath.ErrorNode = NewN; 2580 2581 Succ = NewN; 2582 2583 // Are we at the final node? 2584 if (OrigN->pred_empty()) { 2585 GNew->addRoot(NewN); 2586 break; 2587 } 2588 2589 // Find the next predeccessor node. We choose the node that is marked 2590 // with the lowest BFS number. 2591 OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(), 2592 PriorityCompare<false>(PriorityMap)); 2593 } 2594 2595 CurrentBugPath.BugPath = std::move(GNew); 2596 2597 return &CurrentBugPath; 2598 } 2599 2600 /// CompactMacroExpandedPieces - This function postprocesses a PathDiagnostic 2601 /// object and collapses PathDiagosticPieces that are expanded by macros. 2602 static void CompactMacroExpandedPieces(PathPieces &path, 2603 const SourceManager& SM) { 2604 using MacroStackTy = std::vector< 2605 std::pair<std::shared_ptr<PathDiagnosticMacroPiece>, SourceLocation>>; 2606 2607 using PiecesTy = std::vector<PathDiagnosticPieceRef>; 2608 2609 MacroStackTy MacroStack; 2610 PiecesTy Pieces; 2611 2612 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 2613 I != E; ++I) { 2614 const auto &piece = *I; 2615 2616 // Recursively compact calls. 2617 if (auto *call = dyn_cast<PathDiagnosticCallPiece>(&*piece)) { 2618 CompactMacroExpandedPieces(call->path, SM); 2619 } 2620 2621 // Get the location of the PathDiagnosticPiece. 2622 const FullSourceLoc Loc = piece->getLocation().asLocation(); 2623 2624 // Determine the instantiation location, which is the location we group 2625 // related PathDiagnosticPieces. 2626 SourceLocation InstantiationLoc = Loc.isMacroID() ? 2627 SM.getExpansionLoc(Loc) : 2628 SourceLocation(); 2629 2630 if (Loc.isFileID()) { 2631 MacroStack.clear(); 2632 Pieces.push_back(piece); 2633 continue; 2634 } 2635 2636 assert(Loc.isMacroID()); 2637 2638 // Is the PathDiagnosticPiece within the same macro group? 2639 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 2640 MacroStack.back().first->subPieces.push_back(piece); 2641 continue; 2642 } 2643 2644 // We aren't in the same group. Are we descending into a new macro 2645 // or are part of an old one? 2646 std::shared_ptr<PathDiagnosticMacroPiece> MacroGroup; 2647 2648 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 2649 SM.getExpansionLoc(Loc) : 2650 SourceLocation(); 2651 2652 // Walk the entire macro stack. 2653 while (!MacroStack.empty()) { 2654 if (InstantiationLoc == MacroStack.back().second) { 2655 MacroGroup = MacroStack.back().first; 2656 break; 2657 } 2658 2659 if (ParentInstantiationLoc == MacroStack.back().second) { 2660 MacroGroup = MacroStack.back().first; 2661 break; 2662 } 2663 2664 MacroStack.pop_back(); 2665 } 2666 2667 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 2668 // Create a new macro group and add it to the stack. 2669 auto NewGroup = std::make_shared<PathDiagnosticMacroPiece>( 2670 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 2671 2672 if (MacroGroup) 2673 MacroGroup->subPieces.push_back(NewGroup); 2674 else { 2675 assert(InstantiationLoc.isFileID()); 2676 Pieces.push_back(NewGroup); 2677 } 2678 2679 MacroGroup = NewGroup; 2680 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 2681 } 2682 2683 // Finally, add the PathDiagnosticPiece to the group. 2684 MacroGroup->subPieces.push_back(piece); 2685 } 2686 2687 // Now take the pieces and construct a new PathDiagnostic. 2688 path.clear(); 2689 2690 path.insert(path.end(), Pieces.begin(), Pieces.end()); 2691 } 2692 2693 /// Generate notes from all visitors. 2694 /// Notes associated with {@code ErrorNode} are generated using 2695 /// {@code getEndPath}, and the rest are generated with {@code VisitNode}. 2696 static std::unique_ptr<VisitorsDiagnosticsTy> 2697 generateVisitorsDiagnostics(PathSensitiveBugReport *R, 2698 const ExplodedNode *ErrorNode, 2699 BugReporterContext &BRC) { 2700 std::unique_ptr<VisitorsDiagnosticsTy> Notes = 2701 std::make_unique<VisitorsDiagnosticsTy>(); 2702 PathSensitiveBugReport::VisitorList visitors; 2703 2704 // Run visitors on all nodes starting from the node *before* the last one. 2705 // The last node is reserved for notes generated with {@code getEndPath}. 2706 const ExplodedNode *NextNode = ErrorNode->getFirstPred(); 2707 while (NextNode) { 2708 2709 // At each iteration, move all visitors from report to visitor list. This is 2710 // important, because the Profile() functions of the visitors make sure that 2711 // a visitor isn't added multiple times for the same node, but it's fine 2712 // to add the a visitor with Profile() for different nodes (e.g. tracking 2713 // a region at different points of the symbolic execution). 2714 for (std::unique_ptr<BugReporterVisitor> &Visitor : R->visitors()) 2715 visitors.push_back(std::move(Visitor)); 2716 2717 R->clearVisitors(); 2718 2719 const ExplodedNode *Pred = NextNode->getFirstPred(); 2720 if (!Pred) { 2721 PathDiagnosticPieceRef LastPiece; 2722 for (auto &V : visitors) { 2723 V->finalizeVisitor(BRC, ErrorNode, *R); 2724 2725 if (auto Piece = V->getEndPath(BRC, ErrorNode, *R)) { 2726 assert(!LastPiece && 2727 "There can only be one final piece in a diagnostic."); 2728 assert(Piece->getKind() == PathDiagnosticPiece::Kind::Event && 2729 "The final piece must contain a message!"); 2730 LastPiece = std::move(Piece); 2731 (*Notes)[ErrorNode].push_back(LastPiece); 2732 } 2733 } 2734 break; 2735 } 2736 2737 for (auto &V : visitors) { 2738 auto P = V->VisitNode(NextNode, BRC, *R); 2739 if (P) 2740 (*Notes)[NextNode].push_back(std::move(P)); 2741 } 2742 2743 if (!R->isValid()) 2744 break; 2745 2746 NextNode = Pred; 2747 } 2748 2749 return Notes; 2750 } 2751 2752 Optional<PathDiagnosticBuilder> PathDiagnosticBuilder::findValidReport( 2753 ArrayRef<PathSensitiveBugReport *> &bugReports, 2754 PathSensitiveBugReporter &Reporter) { 2755 2756 BugPathGetter BugGraph(&Reporter.getGraph(), bugReports); 2757 2758 while (BugPathInfo *BugPath = BugGraph.getNextBugPath()) { 2759 // Find the BugReport with the original location. 2760 PathSensitiveBugReport *R = BugPath->Report; 2761 assert(R && "No original report found for sliced graph."); 2762 assert(R->isValid() && "Report selected by trimmed graph marked invalid."); 2763 const ExplodedNode *ErrorNode = BugPath->ErrorNode; 2764 2765 // Register refutation visitors first, if they mark the bug invalid no 2766 // further analysis is required 2767 R->addVisitor(std::make_unique<LikelyFalsePositiveSuppressionBRVisitor>()); 2768 2769 // Register additional node visitors. 2770 R->addVisitor(std::make_unique<NilReceiverBRVisitor>()); 2771 R->addVisitor(std::make_unique<ConditionBRVisitor>()); 2772 R->addVisitor(std::make_unique<TagVisitor>()); 2773 2774 BugReporterContext BRC(Reporter); 2775 2776 // Run all visitors on a given graph, once. 2777 std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes = 2778 generateVisitorsDiagnostics(R, ErrorNode, BRC); 2779 2780 if (R->isValid()) { 2781 if (Reporter.getAnalyzerOptions().ShouldCrosscheckWithZ3) { 2782 // If crosscheck is enabled, remove all visitors, add the refutation 2783 // visitor and check again 2784 R->clearVisitors(); 2785 R->addVisitor(std::make_unique<FalsePositiveRefutationBRVisitor>()); 2786 2787 // We don't overwrite the notes inserted by other visitors because the 2788 // refutation manager does not add any new note to the path 2789 generateVisitorsDiagnostics(R, BugPath->ErrorNode, BRC); 2790 } 2791 2792 // Check if the bug is still valid 2793 if (R->isValid()) 2794 return PathDiagnosticBuilder( 2795 std::move(BRC), std::move(BugPath->BugPath), BugPath->Report, 2796 BugPath->ErrorNode, std::move(visitorNotes)); 2797 } 2798 } 2799 2800 return {}; 2801 } 2802 2803 std::unique_ptr<DiagnosticForConsumerMapTy> 2804 PathSensitiveBugReporter::generatePathDiagnostics( 2805 ArrayRef<PathDiagnosticConsumer *> consumers, 2806 ArrayRef<PathSensitiveBugReport *> &bugReports) { 2807 assert(!bugReports.empty()); 2808 2809 auto Out = std::make_unique<DiagnosticForConsumerMapTy>(); 2810 2811 Optional<PathDiagnosticBuilder> PDB = 2812 PathDiagnosticBuilder::findValidReport(bugReports, *this); 2813 2814 if (PDB) { 2815 for (PathDiagnosticConsumer *PC : consumers) { 2816 if (std::unique_ptr<PathDiagnostic> PD = PDB->generate(PC)) { 2817 (*Out)[PC] = std::move(PD); 2818 } 2819 } 2820 } 2821 2822 return Out; 2823 } 2824 2825 void BugReporter::emitReport(std::unique_ptr<BugReport> R) { 2826 bool ValidSourceLoc = R->getLocation().isValid(); 2827 assert(ValidSourceLoc); 2828 // If we mess up in a release build, we'd still prefer to just drop the bug 2829 // instead of trying to go on. 2830 if (!ValidSourceLoc) 2831 return; 2832 2833 // Compute the bug report's hash to determine its equivalence class. 2834 llvm::FoldingSetNodeID ID; 2835 R->Profile(ID); 2836 2837 // Lookup the equivance class. If there isn't one, create it. 2838 void *InsertPos; 2839 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 2840 2841 if (!EQ) { 2842 EQ = new BugReportEquivClass(std::move(R)); 2843 EQClasses.InsertNode(EQ, InsertPos); 2844 EQClassesVector.push_back(EQ); 2845 } else 2846 EQ->AddReport(std::move(R)); 2847 } 2848 2849 void PathSensitiveBugReporter::emitReport(std::unique_ptr<BugReport> R) { 2850 if (auto PR = dyn_cast<PathSensitiveBugReport>(R.get())) 2851 if (const ExplodedNode *E = PR->getErrorNode()) { 2852 // An error node must either be a sink or have a tag, otherwise 2853 // it could get reclaimed before the path diagnostic is created. 2854 assert((E->isSink() || E->getLocation().getTag()) && 2855 "Error node must either be a sink or have a tag"); 2856 2857 const AnalysisDeclContext *DeclCtx = 2858 E->getLocationContext()->getAnalysisDeclContext(); 2859 // The source of autosynthesized body can be handcrafted AST or a model 2860 // file. The locations from handcrafted ASTs have no valid source 2861 // locations and have to be discarded. Locations from model files should 2862 // be preserved for processing and reporting. 2863 if (DeclCtx->isBodyAutosynthesized() && 2864 !DeclCtx->isBodyAutosynthesizedFromModelFile()) 2865 return; 2866 } 2867 2868 BugReporter::emitReport(std::move(R)); 2869 } 2870 2871 //===----------------------------------------------------------------------===// 2872 // Emitting reports in equivalence classes. 2873 //===----------------------------------------------------------------------===// 2874 2875 namespace { 2876 2877 struct FRIEC_WLItem { 2878 const ExplodedNode *N; 2879 ExplodedNode::const_succ_iterator I, E; 2880 2881 FRIEC_WLItem(const ExplodedNode *n) 2882 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 2883 }; 2884 2885 } // namespace 2886 2887 BugReport *PathSensitiveBugReporter::findReportInEquivalenceClass( 2888 BugReportEquivClass &EQ, SmallVectorImpl<BugReport *> &bugReports) { 2889 // If we don't need to suppress any of the nodes because they are 2890 // post-dominated by a sink, simply add all the nodes in the equivalence class 2891 // to 'Nodes'. Any of the reports will serve as a "representative" report. 2892 assert(EQ.getReports().size() > 0); 2893 const BugType& BT = EQ.getReports()[0]->getBugType(); 2894 if (!BT.isSuppressOnSink()) { 2895 BugReport *R = EQ.getReports()[0].get(); 2896 for (auto &J : EQ.getReports()) { 2897 if (auto *PR = dyn_cast<PathSensitiveBugReport>(J.get())) { 2898 R = PR; 2899 bugReports.push_back(PR); 2900 } 2901 } 2902 return R; 2903 } 2904 2905 // For bug reports that should be suppressed when all paths are post-dominated 2906 // by a sink node, iterate through the reports in the equivalence class 2907 // until we find one that isn't post-dominated (if one exists). We use a 2908 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 2909 // this as a recursive function, but we don't want to risk blowing out the 2910 // stack for very long paths. 2911 BugReport *exampleReport = nullptr; 2912 2913 for (const auto &I: EQ.getReports()) { 2914 auto *R = dyn_cast<PathSensitiveBugReport>(I.get()); 2915 if (!R) 2916 continue; 2917 2918 const ExplodedNode *errorNode = R->getErrorNode(); 2919 if (errorNode->isSink()) { 2920 llvm_unreachable( 2921 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 2922 } 2923 // No successors? By definition this nodes isn't post-dominated by a sink. 2924 if (errorNode->succ_empty()) { 2925 bugReports.push_back(R); 2926 if (!exampleReport) 2927 exampleReport = R; 2928 continue; 2929 } 2930 2931 // See if we are in a no-return CFG block. If so, treat this similarly 2932 // to being post-dominated by a sink. This works better when the analysis 2933 // is incomplete and we have never reached the no-return function call(s) 2934 // that we'd inevitably bump into on this path. 2935 if (const CFGBlock *ErrorB = errorNode->getCFGBlock()) 2936 if (ErrorB->isInevitablySinking()) 2937 continue; 2938 2939 // At this point we know that 'N' is not a sink and it has at least one 2940 // successor. Use a DFS worklist to find a non-sink end-of-path node. 2941 using WLItem = FRIEC_WLItem; 2942 using DFSWorkList = SmallVector<WLItem, 10>; 2943 2944 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 2945 2946 DFSWorkList WL; 2947 WL.push_back(errorNode); 2948 Visited[errorNode] = 1; 2949 2950 while (!WL.empty()) { 2951 WLItem &WI = WL.back(); 2952 assert(!WI.N->succ_empty()); 2953 2954 for (; WI.I != WI.E; ++WI.I) { 2955 const ExplodedNode *Succ = *WI.I; 2956 // End-of-path node? 2957 if (Succ->succ_empty()) { 2958 // If we found an end-of-path node that is not a sink. 2959 if (!Succ->isSink()) { 2960 bugReports.push_back(R); 2961 if (!exampleReport) 2962 exampleReport = R; 2963 WL.clear(); 2964 break; 2965 } 2966 // Found a sink? Continue on to the next successor. 2967 continue; 2968 } 2969 // Mark the successor as visited. If it hasn't been explored, 2970 // enqueue it to the DFS worklist. 2971 unsigned &mark = Visited[Succ]; 2972 if (!mark) { 2973 mark = 1; 2974 WL.push_back(Succ); 2975 break; 2976 } 2977 } 2978 2979 // The worklist may have been cleared at this point. First 2980 // check if it is empty before checking the last item. 2981 if (!WL.empty() && &WL.back() == &WI) 2982 WL.pop_back(); 2983 } 2984 } 2985 2986 // ExampleReport will be NULL if all the nodes in the equivalence class 2987 // were post-dominated by sinks. 2988 return exampleReport; 2989 } 2990 2991 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 2992 SmallVector<BugReport*, 10> bugReports; 2993 BugReport *report = findReportInEquivalenceClass(EQ, bugReports); 2994 if (!report) 2995 return; 2996 2997 ArrayRef<PathDiagnosticConsumer*> Consumers = getPathDiagnosticConsumers(); 2998 std::unique_ptr<DiagnosticForConsumerMapTy> Diagnostics = 2999 generateDiagnosticForConsumerMap(report, Consumers, bugReports); 3000 3001 for (auto &P : *Diagnostics) { 3002 PathDiagnosticConsumer *Consumer = P.first; 3003 std::unique_ptr<PathDiagnostic> &PD = P.second; 3004 3005 // If the path is empty, generate a single step path with the location 3006 // of the issue. 3007 if (PD->path.empty()) { 3008 PathDiagnosticLocation L = report->getLocation(); 3009 auto piece = std::make_unique<PathDiagnosticEventPiece>( 3010 L, report->getDescription()); 3011 for (SourceRange Range : report->getRanges()) 3012 piece->addRange(Range); 3013 PD->setEndOfPath(std::move(piece)); 3014 } 3015 3016 PathPieces &Pieces = PD->getMutablePieces(); 3017 if (getAnalyzerOptions().ShouldDisplayNotesAsEvents) { 3018 // For path diagnostic consumers that don't support extra notes, 3019 // we may optionally convert those to path notes. 3020 for (auto I = report->getNotes().rbegin(), 3021 E = report->getNotes().rend(); I != E; ++I) { 3022 PathDiagnosticNotePiece *Piece = I->get(); 3023 auto ConvertedPiece = std::make_shared<PathDiagnosticEventPiece>( 3024 Piece->getLocation(), Piece->getString()); 3025 for (const auto &R: Piece->getRanges()) 3026 ConvertedPiece->addRange(R); 3027 3028 Pieces.push_front(std::move(ConvertedPiece)); 3029 } 3030 } else { 3031 for (auto I = report->getNotes().rbegin(), 3032 E = report->getNotes().rend(); I != E; ++I) 3033 Pieces.push_front(*I); 3034 } 3035 3036 for (const auto &I : report->getFixits()) 3037 Pieces.back()->addFixit(I); 3038 3039 updateExecutedLinesWithDiagnosticPieces(*PD); 3040 Consumer->HandlePathDiagnostic(std::move(PD)); 3041 } 3042 } 3043 3044 /// Insert all lines participating in the function signature \p Signature 3045 /// into \p ExecutedLines. 3046 static void populateExecutedLinesWithFunctionSignature( 3047 const Decl *Signature, const SourceManager &SM, 3048 FilesToLineNumsMap &ExecutedLines) { 3049 SourceRange SignatureSourceRange; 3050 const Stmt* Body = Signature->getBody(); 3051 if (const auto FD = dyn_cast<FunctionDecl>(Signature)) { 3052 SignatureSourceRange = FD->getSourceRange(); 3053 } else if (const auto OD = dyn_cast<ObjCMethodDecl>(Signature)) { 3054 SignatureSourceRange = OD->getSourceRange(); 3055 } else { 3056 return; 3057 } 3058 SourceLocation Start = SignatureSourceRange.getBegin(); 3059 SourceLocation End = Body ? Body->getSourceRange().getBegin() 3060 : SignatureSourceRange.getEnd(); 3061 if (!Start.isValid() || !End.isValid()) 3062 return; 3063 unsigned StartLine = SM.getExpansionLineNumber(Start); 3064 unsigned EndLine = SM.getExpansionLineNumber(End); 3065 3066 FileID FID = SM.getFileID(SM.getExpansionLoc(Start)); 3067 for (unsigned Line = StartLine; Line <= EndLine; Line++) 3068 ExecutedLines[FID].insert(Line); 3069 } 3070 3071 static void populateExecutedLinesWithStmt( 3072 const Stmt *S, const SourceManager &SM, 3073 FilesToLineNumsMap &ExecutedLines) { 3074 SourceLocation Loc = S->getSourceRange().getBegin(); 3075 if (!Loc.isValid()) 3076 return; 3077 SourceLocation ExpansionLoc = SM.getExpansionLoc(Loc); 3078 FileID FID = SM.getFileID(ExpansionLoc); 3079 unsigned LineNo = SM.getExpansionLineNumber(ExpansionLoc); 3080 ExecutedLines[FID].insert(LineNo); 3081 } 3082 3083 /// \return all executed lines including function signatures on the path 3084 /// starting from \p N. 3085 static std::unique_ptr<FilesToLineNumsMap> 3086 findExecutedLines(const SourceManager &SM, const ExplodedNode *N) { 3087 auto ExecutedLines = std::make_unique<FilesToLineNumsMap>(); 3088 3089 while (N) { 3090 if (N->getFirstPred() == nullptr) { 3091 // First node: show signature of the entrance point. 3092 const Decl *D = N->getLocationContext()->getDecl(); 3093 populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines); 3094 } else if (auto CE = N->getLocationAs<CallEnter>()) { 3095 // Inlined function: show signature. 3096 const Decl* D = CE->getCalleeContext()->getDecl(); 3097 populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines); 3098 } else if (const Stmt *S = N->getStmtForDiagnostics()) { 3099 populateExecutedLinesWithStmt(S, SM, *ExecutedLines); 3100 3101 // Show extra context for some parent kinds. 3102 const Stmt *P = N->getParentMap().getParent(S); 3103 3104 // The path exploration can die before the node with the associated 3105 // return statement is generated, but we do want to show the whole 3106 // return. 3107 if (const auto *RS = dyn_cast_or_null<ReturnStmt>(P)) { 3108 populateExecutedLinesWithStmt(RS, SM, *ExecutedLines); 3109 P = N->getParentMap().getParent(RS); 3110 } 3111 3112 if (P && (isa<SwitchCase>(P) || isa<LabelStmt>(P))) 3113 populateExecutedLinesWithStmt(P, SM, *ExecutedLines); 3114 } 3115 3116 N = N->getFirstPred(); 3117 } 3118 return ExecutedLines; 3119 } 3120 3121 std::unique_ptr<DiagnosticForConsumerMapTy> 3122 BugReporter::generateDiagnosticForConsumerMap( 3123 BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers, 3124 ArrayRef<BugReport *> bugReports) { 3125 auto *basicReport = cast<BasicBugReport>(exampleReport); 3126 auto Out = std::make_unique<DiagnosticForConsumerMapTy>(); 3127 for (auto *Consumer : consumers) 3128 (*Out)[Consumer] = generateDiagnosticForBasicReport(basicReport); 3129 return Out; 3130 } 3131 3132 static PathDiagnosticCallPiece * 3133 getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP, 3134 const SourceManager &SMgr) { 3135 SourceLocation CallLoc = CP->callEnter.asLocation(); 3136 3137 // If the call is within a macro, don't do anything (for now). 3138 if (CallLoc.isMacroID()) 3139 return nullptr; 3140 3141 assert(AnalysisManager::isInCodeFile(CallLoc, SMgr) && 3142 "The call piece should not be in a header file."); 3143 3144 // Check if CP represents a path through a function outside of the main file. 3145 if (!AnalysisManager::isInCodeFile(CP->callEnterWithin.asLocation(), SMgr)) 3146 return CP; 3147 3148 const PathPieces &Path = CP->path; 3149 if (Path.empty()) 3150 return nullptr; 3151 3152 // Check if the last piece in the callee path is a call to a function outside 3153 // of the main file. 3154 if (auto *CPInner = dyn_cast<PathDiagnosticCallPiece>(Path.back().get())) 3155 return getFirstStackedCallToHeaderFile(CPInner, SMgr); 3156 3157 // Otherwise, the last piece is in the main file. 3158 return nullptr; 3159 } 3160 3161 static void resetDiagnosticLocationToMainFile(PathDiagnostic &PD) { 3162 if (PD.path.empty()) 3163 return; 3164 3165 PathDiagnosticPiece *LastP = PD.path.back().get(); 3166 assert(LastP); 3167 const SourceManager &SMgr = LastP->getLocation().getManager(); 3168 3169 // We only need to check if the report ends inside headers, if the last piece 3170 // is a call piece. 3171 if (auto *CP = dyn_cast<PathDiagnosticCallPiece>(LastP)) { 3172 CP = getFirstStackedCallToHeaderFile(CP, SMgr); 3173 if (CP) { 3174 // Mark the piece. 3175 CP->setAsLastInMainSourceFile(); 3176 3177 // Update the path diagnostic message. 3178 const auto *ND = dyn_cast<NamedDecl>(CP->getCallee()); 3179 if (ND) { 3180 SmallString<200> buf; 3181 llvm::raw_svector_ostream os(buf); 3182 os << " (within a call to '" << ND->getDeclName() << "')"; 3183 PD.appendToDesc(os.str()); 3184 } 3185 3186 // Reset the report containing declaration and location. 3187 PD.setDeclWithIssue(CP->getCaller()); 3188 PD.setLocation(CP->getLocation()); 3189 3190 return; 3191 } 3192 } 3193 } 3194 3195 3196 3197 std::unique_ptr<DiagnosticForConsumerMapTy> 3198 PathSensitiveBugReporter::generateDiagnosticForConsumerMap( 3199 BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers, 3200 ArrayRef<BugReport *> bugReports) { 3201 std::vector<BasicBugReport *> BasicBugReports; 3202 std::vector<PathSensitiveBugReport *> PathSensitiveBugReports; 3203 if (isa<BasicBugReport>(exampleReport)) 3204 return BugReporter::generateDiagnosticForConsumerMap(exampleReport, 3205 consumers, bugReports); 3206 3207 // Generate the full path sensitive diagnostic, using the generation scheme 3208 // specified by the PathDiagnosticConsumer. Note that we have to generate 3209 // path diagnostics even for consumers which do not support paths, because 3210 // the BugReporterVisitors may mark this bug as a false positive. 3211 assert(!bugReports.empty()); 3212 MaxBugClassSize.updateMax(bugReports.size()); 3213 3214 // Avoid copying the whole array because there may be a lot of reports. 3215 ArrayRef<PathSensitiveBugReport *> convertedArrayOfReports( 3216 reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.begin()), 3217 reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.end())); 3218 std::unique_ptr<DiagnosticForConsumerMapTy> Out = generatePathDiagnostics( 3219 consumers, convertedArrayOfReports); 3220 3221 if (Out->empty()) 3222 return Out; 3223 3224 MaxValidBugClassSize.updateMax(bugReports.size()); 3225 3226 // Examine the report and see if the last piece is in a header. Reset the 3227 // report location to the last piece in the main source file. 3228 const AnalyzerOptions &Opts = getAnalyzerOptions(); 3229 for (auto const &P : *Out) 3230 if (Opts.ShouldReportIssuesInMainSourceFile && !Opts.AnalyzeAll) 3231 resetDiagnosticLocationToMainFile(*P.second); 3232 3233 return Out; 3234 } 3235 3236 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3237 const CheckerBase *Checker, StringRef Name, 3238 StringRef Category, StringRef Str, 3239 PathDiagnosticLocation Loc, 3240 ArrayRef<SourceRange> Ranges, 3241 ArrayRef<FixItHint> Fixits) { 3242 EmitBasicReport(DeclWithIssue, Checker->getCheckerName(), Name, Category, Str, 3243 Loc, Ranges, Fixits); 3244 } 3245 3246 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3247 CheckerNameRef CheckName, 3248 StringRef name, StringRef category, 3249 StringRef str, PathDiagnosticLocation Loc, 3250 ArrayRef<SourceRange> Ranges, 3251 ArrayRef<FixItHint> Fixits) { 3252 // 'BT' is owned by BugReporter. 3253 BugType *BT = getBugTypeForName(CheckName, name, category); 3254 auto R = std::make_unique<BasicBugReport>(*BT, str, Loc); 3255 R->setDeclWithIssue(DeclWithIssue); 3256 for (const auto &SR : Ranges) 3257 R->addRange(SR); 3258 for (const auto &FH : Fixits) 3259 R->addFixItHint(FH); 3260 emitReport(std::move(R)); 3261 } 3262 3263 BugType *BugReporter::getBugTypeForName(CheckerNameRef CheckName, 3264 StringRef name, StringRef category) { 3265 SmallString<136> fullDesc; 3266 llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name 3267 << ":" << category; 3268 std::unique_ptr<BugType> &BT = StrBugTypes[fullDesc]; 3269 if (!BT) 3270 BT = std::make_unique<BugType>(CheckName, name, category); 3271 return BT.get(); 3272 } 3273