1 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines BugReporter, a utility class for generating 11 // PathDiagnostics. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/DeclObjC.h" 18 #include "clang/AST/Expr.h" 19 #include "clang/AST/ParentMap.h" 20 #include "clang/AST/StmtObjC.h" 21 #include "clang/Analysis/CFG.h" 22 #include "clang/Analysis/ProgramPoint.h" 23 #include "clang/Basic/SourceManager.h" 24 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 25 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 26 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 27 #include "llvm/ADT/DenseMap.h" 28 #include "llvm/ADT/IntrusiveRefCntPtr.h" 29 #include "llvm/ADT/OwningPtr.h" 30 #include "llvm/ADT/STLExtras.h" 31 #include "llvm/ADT/SmallString.h" 32 #include "llvm/Support/raw_ostream.h" 33 #include <queue> 34 35 using namespace clang; 36 using namespace ento; 37 38 BugReporterVisitor::~BugReporterVisitor() {} 39 40 void BugReporterContext::anchor() {} 41 42 //===----------------------------------------------------------------------===// 43 // Helper routines for walking the ExplodedGraph and fetching statements. 44 //===----------------------------------------------------------------------===// 45 46 static inline const Stmt *GetStmt(const ProgramPoint &P) { 47 if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P)) 48 return SP->getStmt(); 49 else if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) 50 return BE->getSrc()->getTerminator(); 51 else if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) 52 return CE->getCallExpr(); 53 else if (const CallExitEnd *CEE = dyn_cast<CallExitEnd>(&P)) 54 return CEE->getCalleeContext()->getCallSite(); 55 56 return 0; 57 } 58 59 static inline const ExplodedNode* 60 GetPredecessorNode(const ExplodedNode *N) { 61 return N->pred_empty() ? NULL : *(N->pred_begin()); 62 } 63 64 static inline const ExplodedNode* 65 GetSuccessorNode(const ExplodedNode *N) { 66 return N->succ_empty() ? NULL : *(N->succ_begin()); 67 } 68 69 static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 70 for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N)) 71 if (const Stmt *S = GetStmt(N->getLocation())) 72 return S; 73 74 return 0; 75 } 76 77 static const Stmt *GetNextStmt(const ExplodedNode *N) { 78 for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) 79 if (const Stmt *S = GetStmt(N->getLocation())) { 80 // Check if the statement is '?' or '&&'/'||'. These are "merges", 81 // not actual statement points. 82 switch (S->getStmtClass()) { 83 case Stmt::ChooseExprClass: 84 case Stmt::BinaryConditionalOperatorClass: continue; 85 case Stmt::ConditionalOperatorClass: continue; 86 case Stmt::BinaryOperatorClass: { 87 BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode(); 88 if (Op == BO_LAnd || Op == BO_LOr) 89 continue; 90 break; 91 } 92 default: 93 break; 94 } 95 return S; 96 } 97 98 return 0; 99 } 100 101 static inline const Stmt* 102 GetCurrentOrPreviousStmt(const ExplodedNode *N) { 103 if (const Stmt *S = GetStmt(N->getLocation())) 104 return S; 105 106 return GetPreviousStmt(N); 107 } 108 109 static inline const Stmt* 110 GetCurrentOrNextStmt(const ExplodedNode *N) { 111 if (const Stmt *S = GetStmt(N->getLocation())) 112 return S; 113 114 return GetNextStmt(N); 115 } 116 117 //===----------------------------------------------------------------------===// 118 // Diagnostic cleanup. 119 //===----------------------------------------------------------------------===// 120 121 static PathDiagnosticEventPiece * 122 eventsDescribeSameCondition(PathDiagnosticEventPiece *X, 123 PathDiagnosticEventPiece *Y) { 124 // Prefer diagnostics that come from ConditionBRVisitor over 125 // those that came from TrackConstraintBRVisitor. 126 const void *tagPreferred = ConditionBRVisitor::getTag(); 127 const void *tagLesser = TrackConstraintBRVisitor::getTag(); 128 129 if (X->getLocation() != Y->getLocation()) 130 return 0; 131 132 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser) 133 return X; 134 135 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser) 136 return Y; 137 138 return 0; 139 } 140 141 /// An optimization pass over PathPieces that removes redundant diagnostics 142 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both 143 /// BugReporterVisitors use different methods to generate diagnostics, with 144 /// one capable of emitting diagnostics in some cases but not in others. This 145 /// can lead to redundant diagnostic pieces at the same point in a path. 146 static void removeRedundantMsgs(PathPieces &path) { 147 unsigned N = path.size(); 148 if (N < 2) 149 return; 150 // NOTE: this loop intentionally is not using an iterator. Instead, we 151 // are streaming the path and modifying it in place. This is done by 152 // grabbing the front, processing it, and if we decide to keep it append 153 // it to the end of the path. The entire path is processed in this way. 154 for (unsigned i = 0; i < N; ++i) { 155 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(path.front()); 156 path.pop_front(); 157 158 switch (piece->getKind()) { 159 case clang::ento::PathDiagnosticPiece::Call: 160 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(piece)->path); 161 break; 162 case clang::ento::PathDiagnosticPiece::Macro: 163 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(piece)->subPieces); 164 break; 165 case clang::ento::PathDiagnosticPiece::ControlFlow: 166 break; 167 case clang::ento::PathDiagnosticPiece::Event: { 168 if (i == N-1) 169 break; 170 171 if (PathDiagnosticEventPiece *nextEvent = 172 dyn_cast<PathDiagnosticEventPiece>(path.front().getPtr())) { 173 PathDiagnosticEventPiece *event = 174 cast<PathDiagnosticEventPiece>(piece); 175 // Check to see if we should keep one of the two pieces. If we 176 // come up with a preference, record which piece to keep, and consume 177 // another piece from the path. 178 if (PathDiagnosticEventPiece *pieceToKeep = 179 eventsDescribeSameCondition(event, nextEvent)) { 180 piece = pieceToKeep; 181 path.pop_front(); 182 ++i; 183 } 184 } 185 break; 186 } 187 } 188 path.push_back(piece); 189 } 190 } 191 192 /// Recursively scan through a path and prune out calls and macros pieces 193 /// that aren't needed. Return true if afterwards the path contains 194 /// "interesting stuff" which means it shouldn't be pruned from the parent path. 195 bool BugReporter::RemoveUnneededCalls(PathPieces &pieces, BugReport *R) { 196 bool containsSomethingInteresting = false; 197 const unsigned N = pieces.size(); 198 199 for (unsigned i = 0 ; i < N ; ++i) { 200 // Remove the front piece from the path. If it is still something we 201 // want to keep once we are done, we will push it back on the end. 202 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(pieces.front()); 203 pieces.pop_front(); 204 205 // Throw away pieces with invalid locations. Note that we can't throw away 206 // calls just yet because they might have something interesting inside them. 207 // If so, their locations will be adjusted as necessary later. 208 if (piece->getKind() != PathDiagnosticPiece::Call && 209 piece->getLocation().asLocation().isInvalid()) 210 continue; 211 212 switch (piece->getKind()) { 213 case PathDiagnosticPiece::Call: { 214 PathDiagnosticCallPiece *call = cast<PathDiagnosticCallPiece>(piece); 215 // Check if the location context is interesting. 216 assert(LocationContextMap.count(call)); 217 if (R->isInteresting(LocationContextMap[call])) { 218 containsSomethingInteresting = true; 219 break; 220 } 221 222 if (!RemoveUnneededCalls(call->path, R)) 223 continue; 224 225 containsSomethingInteresting = true; 226 break; 227 } 228 case PathDiagnosticPiece::Macro: { 229 PathDiagnosticMacroPiece *macro = cast<PathDiagnosticMacroPiece>(piece); 230 if (!RemoveUnneededCalls(macro->subPieces, R)) 231 continue; 232 containsSomethingInteresting = true; 233 break; 234 } 235 case PathDiagnosticPiece::Event: { 236 PathDiagnosticEventPiece *event = cast<PathDiagnosticEventPiece>(piece); 237 238 // We never throw away an event, but we do throw it away wholesale 239 // as part of a path if we throw the entire path away. 240 containsSomethingInteresting |= !event->isPrunable(); 241 break; 242 } 243 case PathDiagnosticPiece::ControlFlow: 244 break; 245 } 246 247 pieces.push_back(piece); 248 } 249 250 return containsSomethingInteresting; 251 } 252 253 /// Recursively scan through a path and make sure that all call pieces have 254 /// valid locations. Note that all other pieces with invalid locations should 255 /// have already been pruned out. 256 static void adjustCallLocations(PathPieces &Pieces, 257 PathDiagnosticLocation *LastCallLocation = 0) { 258 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E; ++I) { 259 PathDiagnosticCallPiece *Call = dyn_cast<PathDiagnosticCallPiece>(*I); 260 261 if (!Call) { 262 assert((*I)->getLocation().asLocation().isValid()); 263 continue; 264 } 265 266 if (LastCallLocation) { 267 if (!Call->callEnter.asLocation().isValid() || 268 Call->getCaller()->isImplicit()) 269 Call->callEnter = *LastCallLocation; 270 if (!Call->callReturn.asLocation().isValid() || 271 Call->getCaller()->isImplicit()) 272 Call->callReturn = *LastCallLocation; 273 } 274 275 // Recursively clean out the subclass. Keep this call around if 276 // it contains any informative diagnostics. 277 PathDiagnosticLocation *ThisCallLocation; 278 if (Call->callEnterWithin.asLocation().isValid() && 279 !Call->getCallee()->isImplicit()) 280 ThisCallLocation = &Call->callEnterWithin; 281 else 282 ThisCallLocation = &Call->callEnter; 283 284 assert(ThisCallLocation && "Outermost call has an invalid location"); 285 adjustCallLocations(Call->path, ThisCallLocation); 286 } 287 } 288 289 //===----------------------------------------------------------------------===// 290 // PathDiagnosticBuilder and its associated routines and helper objects. 291 //===----------------------------------------------------------------------===// 292 293 typedef llvm::DenseMap<const ExplodedNode*, 294 const ExplodedNode*> NodeBackMap; 295 296 namespace { 297 class NodeMapClosure : public BugReport::NodeResolver { 298 NodeBackMap& M; 299 public: 300 NodeMapClosure(NodeBackMap *m) : M(*m) {} 301 ~NodeMapClosure() {} 302 303 const ExplodedNode *getOriginalNode(const ExplodedNode *N) { 304 NodeBackMap::iterator I = M.find(N); 305 return I == M.end() ? 0 : I->second; 306 } 307 }; 308 309 class PathDiagnosticBuilder : public BugReporterContext { 310 BugReport *R; 311 PathDiagnosticConsumer *PDC; 312 OwningPtr<ParentMap> PM; 313 NodeMapClosure NMC; 314 public: 315 const LocationContext *LC; 316 317 PathDiagnosticBuilder(GRBugReporter &br, 318 BugReport *r, NodeBackMap *Backmap, 319 PathDiagnosticConsumer *pdc) 320 : BugReporterContext(br), 321 R(r), PDC(pdc), NMC(Backmap), LC(r->getErrorNode()->getLocationContext()) 322 {} 323 324 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 325 326 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 327 const ExplodedNode *N); 328 329 BugReport *getBugReport() { return R; } 330 331 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 332 333 ParentMap& getParentMap() { return LC->getParentMap(); } 334 335 const Stmt *getParent(const Stmt *S) { 336 return getParentMap().getParent(S); 337 } 338 339 virtual NodeMapClosure& getNodeResolver() { return NMC; } 340 341 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 342 343 PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const { 344 return PDC ? PDC->getGenerationScheme() : PathDiagnosticConsumer::Extensive; 345 } 346 347 bool supportsLogicalOpControlFlow() const { 348 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 349 } 350 }; 351 } // end anonymous namespace 352 353 PathDiagnosticLocation 354 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 355 if (const Stmt *S = GetNextStmt(N)) 356 return PathDiagnosticLocation(S, getSourceManager(), LC); 357 358 return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(), 359 getSourceManager()); 360 } 361 362 PathDiagnosticLocation 363 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 364 const ExplodedNode *N) { 365 366 // Slow, but probably doesn't matter. 367 if (os.str().empty()) 368 os << ' '; 369 370 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 371 372 if (Loc.asStmt()) 373 os << "Execution continues on line " 374 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 375 << '.'; 376 else { 377 os << "Execution jumps to the end of the "; 378 const Decl *D = N->getLocationContext()->getDecl(); 379 if (isa<ObjCMethodDecl>(D)) 380 os << "method"; 381 else if (isa<FunctionDecl>(D)) 382 os << "function"; 383 else { 384 assert(isa<BlockDecl>(D)); 385 os << "anonymous block"; 386 } 387 os << '.'; 388 } 389 390 return Loc; 391 } 392 393 static bool IsNested(const Stmt *S, ParentMap &PM) { 394 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 395 return true; 396 397 const Stmt *Parent = PM.getParentIgnoreParens(S); 398 399 if (Parent) 400 switch (Parent->getStmtClass()) { 401 case Stmt::ForStmtClass: 402 case Stmt::DoStmtClass: 403 case Stmt::WhileStmtClass: 404 return true; 405 default: 406 break; 407 } 408 409 return false; 410 } 411 412 PathDiagnosticLocation 413 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 414 assert(S && "Null Stmt *passed to getEnclosingStmtLocation"); 415 ParentMap &P = getParentMap(); 416 SourceManager &SMgr = getSourceManager(); 417 418 while (IsNested(S, P)) { 419 const Stmt *Parent = P.getParentIgnoreParens(S); 420 421 if (!Parent) 422 break; 423 424 switch (Parent->getStmtClass()) { 425 case Stmt::BinaryOperatorClass: { 426 const BinaryOperator *B = cast<BinaryOperator>(Parent); 427 if (B->isLogicalOp()) 428 return PathDiagnosticLocation(S, SMgr, LC); 429 break; 430 } 431 case Stmt::CompoundStmtClass: 432 case Stmt::StmtExprClass: 433 return PathDiagnosticLocation(S, SMgr, LC); 434 case Stmt::ChooseExprClass: 435 // Similar to '?' if we are referring to condition, just have the edge 436 // point to the entire choose expression. 437 if (cast<ChooseExpr>(Parent)->getCond() == S) 438 return PathDiagnosticLocation(Parent, SMgr, LC); 439 else 440 return PathDiagnosticLocation(S, SMgr, LC); 441 case Stmt::BinaryConditionalOperatorClass: 442 case Stmt::ConditionalOperatorClass: 443 // For '?', if we are referring to condition, just have the edge point 444 // to the entire '?' expression. 445 if (cast<AbstractConditionalOperator>(Parent)->getCond() == S) 446 return PathDiagnosticLocation(Parent, SMgr, LC); 447 else 448 return PathDiagnosticLocation(S, SMgr, LC); 449 case Stmt::DoStmtClass: 450 return PathDiagnosticLocation(S, SMgr, LC); 451 case Stmt::ForStmtClass: 452 if (cast<ForStmt>(Parent)->getBody() == S) 453 return PathDiagnosticLocation(S, SMgr, LC); 454 break; 455 case Stmt::IfStmtClass: 456 if (cast<IfStmt>(Parent)->getCond() != S) 457 return PathDiagnosticLocation(S, SMgr, LC); 458 break; 459 case Stmt::ObjCForCollectionStmtClass: 460 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 461 return PathDiagnosticLocation(S, SMgr, LC); 462 break; 463 case Stmt::WhileStmtClass: 464 if (cast<WhileStmt>(Parent)->getCond() != S) 465 return PathDiagnosticLocation(S, SMgr, LC); 466 break; 467 default: 468 break; 469 } 470 471 S = Parent; 472 } 473 474 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 475 476 // Special case: DeclStmts can appear in for statement declarations, in which 477 // case the ForStmt is the context. 478 if (isa<DeclStmt>(S)) { 479 if (const Stmt *Parent = P.getParent(S)) { 480 switch (Parent->getStmtClass()) { 481 case Stmt::ForStmtClass: 482 case Stmt::ObjCForCollectionStmtClass: 483 return PathDiagnosticLocation(Parent, SMgr, LC); 484 default: 485 break; 486 } 487 } 488 } 489 else if (isa<BinaryOperator>(S)) { 490 // Special case: the binary operator represents the initialization 491 // code in a for statement (this can happen when the variable being 492 // initialized is an old variable. 493 if (const ForStmt *FS = 494 dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) { 495 if (FS->getInit() == S) 496 return PathDiagnosticLocation(FS, SMgr, LC); 497 } 498 } 499 500 return PathDiagnosticLocation(S, SMgr, LC); 501 } 502 503 //===----------------------------------------------------------------------===// 504 // "Visitors only" path diagnostic generation algorithm. 505 //===----------------------------------------------------------------------===// 506 static bool GenerateVisitorsOnlyPathDiagnostic(PathDiagnostic &PD, 507 PathDiagnosticBuilder &PDB, 508 const ExplodedNode *N, 509 ArrayRef<BugReporterVisitor *> visitors) { 510 // All path generation skips the very first node (the error node). 511 // This is because there is special handling for the end-of-path note. 512 N = N->getFirstPred(); 513 if (!N) 514 return true; 515 516 BugReport *R = PDB.getBugReport(); 517 while (const ExplodedNode *Pred = N->getFirstPred()) { 518 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 519 E = visitors.end(); 520 I != E; ++I) { 521 // Visit all the node pairs, but throw the path pieces away. 522 PathDiagnosticPiece *Piece = (*I)->VisitNode(N, Pred, PDB, *R); 523 delete Piece; 524 } 525 526 N = Pred; 527 } 528 529 return R->isValid(); 530 } 531 532 //===----------------------------------------------------------------------===// 533 // "Minimal" path diagnostic generation algorithm. 534 //===----------------------------------------------------------------------===// 535 typedef std::pair<PathDiagnosticCallPiece*, const ExplodedNode*> StackDiagPair; 536 typedef SmallVector<StackDiagPair, 6> StackDiagVector; 537 538 static void updateStackPiecesWithMessage(PathDiagnosticPiece *P, 539 StackDiagVector &CallStack) { 540 // If the piece contains a special message, add it to all the call 541 // pieces on the active stack. 542 if (PathDiagnosticEventPiece *ep = 543 dyn_cast<PathDiagnosticEventPiece>(P)) { 544 545 if (ep->hasCallStackHint()) 546 for (StackDiagVector::iterator I = CallStack.begin(), 547 E = CallStack.end(); I != E; ++I) { 548 PathDiagnosticCallPiece *CP = I->first; 549 const ExplodedNode *N = I->second; 550 std::string stackMsg = ep->getCallStackMessage(N); 551 552 // The last message on the path to final bug is the most important 553 // one. Since we traverse the path backwards, do not add the message 554 // if one has been previously added. 555 if (!CP->hasCallStackMessage()) 556 CP->setCallStackMessage(stackMsg); 557 } 558 } 559 } 560 561 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM); 562 563 static bool GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 564 PathDiagnosticBuilder &PDB, 565 const ExplodedNode *N, 566 ArrayRef<BugReporterVisitor *> visitors) { 567 568 SourceManager& SMgr = PDB.getSourceManager(); 569 const LocationContext *LC = PDB.LC; 570 const ExplodedNode *NextNode = N->pred_empty() 571 ? NULL : *(N->pred_begin()); 572 573 StackDiagVector CallStack; 574 575 while (NextNode) { 576 N = NextNode; 577 PDB.LC = N->getLocationContext(); 578 NextNode = GetPredecessorNode(N); 579 580 ProgramPoint P = N->getLocation(); 581 582 do { 583 if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) { 584 PathDiagnosticCallPiece *C = 585 PathDiagnosticCallPiece::construct(N, *CE, SMgr); 586 GRBugReporter& BR = PDB.getBugReporter(); 587 BR.addCallPieceLocationContextPair(C, CE->getCalleeContext()); 588 PD.getActivePath().push_front(C); 589 PD.pushActivePath(&C->path); 590 CallStack.push_back(StackDiagPair(C, N)); 591 break; 592 } 593 594 if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) { 595 // Flush all locations, and pop the active path. 596 bool VisitedEntireCall = PD.isWithinCall(); 597 PD.popActivePath(); 598 599 // Either we just added a bunch of stuff to the top-level path, or 600 // we have a previous CallExitEnd. If the former, it means that the 601 // path terminated within a function call. We must then take the 602 // current contents of the active path and place it within 603 // a new PathDiagnosticCallPiece. 604 PathDiagnosticCallPiece *C; 605 if (VisitedEntireCall) { 606 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 607 } else { 608 const Decl *Caller = CE->getLocationContext()->getDecl(); 609 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 610 GRBugReporter& BR = PDB.getBugReporter(); 611 BR.addCallPieceLocationContextPair(C, CE->getCalleeContext()); 612 } 613 614 C->setCallee(*CE, SMgr); 615 if (!CallStack.empty()) { 616 assert(CallStack.back().first == C); 617 CallStack.pop_back(); 618 } 619 break; 620 } 621 622 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 623 const CFGBlock *Src = BE->getSrc(); 624 const CFGBlock *Dst = BE->getDst(); 625 const Stmt *T = Src->getTerminator(); 626 627 if (!T) 628 break; 629 630 PathDiagnosticLocation Start = 631 PathDiagnosticLocation::createBegin(T, SMgr, 632 N->getLocationContext()); 633 634 switch (T->getStmtClass()) { 635 default: 636 break; 637 638 case Stmt::GotoStmtClass: 639 case Stmt::IndirectGotoStmtClass: { 640 const Stmt *S = GetNextStmt(N); 641 642 if (!S) 643 break; 644 645 std::string sbuf; 646 llvm::raw_string_ostream os(sbuf); 647 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 648 649 os << "Control jumps to line " 650 << End.asLocation().getExpansionLineNumber(); 651 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 652 Start, End, os.str())); 653 break; 654 } 655 656 case Stmt::SwitchStmtClass: { 657 // Figure out what case arm we took. 658 std::string sbuf; 659 llvm::raw_string_ostream os(sbuf); 660 661 if (const Stmt *S = Dst->getLabel()) { 662 PathDiagnosticLocation End(S, SMgr, LC); 663 664 switch (S->getStmtClass()) { 665 default: 666 os << "No cases match in the switch statement. " 667 "Control jumps to line " 668 << End.asLocation().getExpansionLineNumber(); 669 break; 670 case Stmt::DefaultStmtClass: 671 os << "Control jumps to the 'default' case at line " 672 << End.asLocation().getExpansionLineNumber(); 673 break; 674 675 case Stmt::CaseStmtClass: { 676 os << "Control jumps to 'case "; 677 const CaseStmt *Case = cast<CaseStmt>(S); 678 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 679 680 // Determine if it is an enum. 681 bool GetRawInt = true; 682 683 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 684 // FIXME: Maybe this should be an assertion. Are there cases 685 // were it is not an EnumConstantDecl? 686 const EnumConstantDecl *D = 687 dyn_cast<EnumConstantDecl>(DR->getDecl()); 688 689 if (D) { 690 GetRawInt = false; 691 os << *D; 692 } 693 } 694 695 if (GetRawInt) 696 os << LHS->EvaluateKnownConstInt(PDB.getASTContext()); 697 698 os << ":' at line " 699 << End.asLocation().getExpansionLineNumber(); 700 break; 701 } 702 } 703 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 704 Start, End, os.str())); 705 } 706 else { 707 os << "'Default' branch taken. "; 708 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 709 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 710 Start, End, os.str())); 711 } 712 713 break; 714 } 715 716 case Stmt::BreakStmtClass: 717 case Stmt::ContinueStmtClass: { 718 std::string sbuf; 719 llvm::raw_string_ostream os(sbuf); 720 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 721 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 722 Start, End, os.str())); 723 break; 724 } 725 726 // Determine control-flow for ternary '?'. 727 case Stmt::BinaryConditionalOperatorClass: 728 case Stmt::ConditionalOperatorClass: { 729 std::string sbuf; 730 llvm::raw_string_ostream os(sbuf); 731 os << "'?' condition is "; 732 733 if (*(Src->succ_begin()+1) == Dst) 734 os << "false"; 735 else 736 os << "true"; 737 738 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 739 740 if (const Stmt *S = End.asStmt()) 741 End = PDB.getEnclosingStmtLocation(S); 742 743 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 744 Start, End, os.str())); 745 break; 746 } 747 748 // Determine control-flow for short-circuited '&&' and '||'. 749 case Stmt::BinaryOperatorClass: { 750 if (!PDB.supportsLogicalOpControlFlow()) 751 break; 752 753 const BinaryOperator *B = cast<BinaryOperator>(T); 754 std::string sbuf; 755 llvm::raw_string_ostream os(sbuf); 756 os << "Left side of '"; 757 758 if (B->getOpcode() == BO_LAnd) { 759 os << "&&" << "' is "; 760 761 if (*(Src->succ_begin()+1) == Dst) { 762 os << "false"; 763 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 764 PathDiagnosticLocation Start = 765 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 766 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 767 Start, End, os.str())); 768 } 769 else { 770 os << "true"; 771 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 772 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 773 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 774 Start, End, os.str())); 775 } 776 } 777 else { 778 assert(B->getOpcode() == BO_LOr); 779 os << "||" << "' is "; 780 781 if (*(Src->succ_begin()+1) == Dst) { 782 os << "false"; 783 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 784 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 785 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 786 Start, End, os.str())); 787 } 788 else { 789 os << "true"; 790 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 791 PathDiagnosticLocation Start = 792 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 793 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 794 Start, End, os.str())); 795 } 796 } 797 798 break; 799 } 800 801 case Stmt::DoStmtClass: { 802 if (*(Src->succ_begin()) == Dst) { 803 std::string sbuf; 804 llvm::raw_string_ostream os(sbuf); 805 806 os << "Loop condition is true. "; 807 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 808 809 if (const Stmt *S = End.asStmt()) 810 End = PDB.getEnclosingStmtLocation(S); 811 812 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 813 Start, End, os.str())); 814 } 815 else { 816 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 817 818 if (const Stmt *S = End.asStmt()) 819 End = PDB.getEnclosingStmtLocation(S); 820 821 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 822 Start, End, "Loop condition is false. Exiting loop")); 823 } 824 825 break; 826 } 827 828 case Stmt::WhileStmtClass: 829 case Stmt::ForStmtClass: { 830 if (*(Src->succ_begin()+1) == Dst) { 831 std::string sbuf; 832 llvm::raw_string_ostream os(sbuf); 833 834 os << "Loop condition is false. "; 835 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 836 if (const Stmt *S = End.asStmt()) 837 End = PDB.getEnclosingStmtLocation(S); 838 839 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 840 Start, End, os.str())); 841 } 842 else { 843 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 844 if (const Stmt *S = End.asStmt()) 845 End = PDB.getEnclosingStmtLocation(S); 846 847 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 848 Start, End, "Loop condition is true. Entering loop body")); 849 } 850 851 break; 852 } 853 854 case Stmt::IfStmtClass: { 855 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 856 857 if (const Stmt *S = End.asStmt()) 858 End = PDB.getEnclosingStmtLocation(S); 859 860 if (*(Src->succ_begin()+1) == Dst) 861 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 862 Start, End, "Taking false branch")); 863 else 864 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 865 Start, End, "Taking true branch")); 866 867 break; 868 } 869 } 870 } 871 } while(0); 872 873 if (NextNode) { 874 // Add diagnostic pieces from custom visitors. 875 BugReport *R = PDB.getBugReport(); 876 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 877 E = visitors.end(); 878 I != E; ++I) { 879 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 880 PD.getActivePath().push_front(p); 881 updateStackPiecesWithMessage(p, CallStack); 882 } 883 } 884 } 885 } 886 887 if (!PDB.getBugReport()->isValid()) 888 return false; 889 890 // After constructing the full PathDiagnostic, do a pass over it to compact 891 // PathDiagnosticPieces that occur within a macro. 892 CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager()); 893 return true; 894 } 895 896 //===----------------------------------------------------------------------===// 897 // "Extensive" PathDiagnostic generation. 898 //===----------------------------------------------------------------------===// 899 900 static bool IsControlFlowExpr(const Stmt *S) { 901 const Expr *E = dyn_cast<Expr>(S); 902 903 if (!E) 904 return false; 905 906 E = E->IgnoreParenCasts(); 907 908 if (isa<AbstractConditionalOperator>(E)) 909 return true; 910 911 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 912 if (B->isLogicalOp()) 913 return true; 914 915 return false; 916 } 917 918 namespace { 919 class ContextLocation : public PathDiagnosticLocation { 920 bool IsDead; 921 public: 922 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 923 : PathDiagnosticLocation(L), IsDead(isdead) {} 924 925 void markDead() { IsDead = true; } 926 bool isDead() const { return IsDead; } 927 }; 928 929 class EdgeBuilder { 930 std::vector<ContextLocation> CLocs; 931 typedef std::vector<ContextLocation>::iterator iterator; 932 PathDiagnostic &PD; 933 PathDiagnosticBuilder &PDB; 934 PathDiagnosticLocation PrevLoc; 935 936 bool IsConsumedExpr(const PathDiagnosticLocation &L); 937 938 bool containsLocation(const PathDiagnosticLocation &Container, 939 const PathDiagnosticLocation &Containee); 940 941 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 942 943 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 944 bool firstCharOnly = false) { 945 if (const Stmt *S = L.asStmt()) { 946 const Stmt *Original = S; 947 while (1) { 948 // Adjust the location for some expressions that are best referenced 949 // by one of their subexpressions. 950 switch (S->getStmtClass()) { 951 default: 952 break; 953 case Stmt::ParenExprClass: 954 case Stmt::GenericSelectionExprClass: 955 S = cast<Expr>(S)->IgnoreParens(); 956 firstCharOnly = true; 957 continue; 958 case Stmt::BinaryConditionalOperatorClass: 959 case Stmt::ConditionalOperatorClass: 960 S = cast<AbstractConditionalOperator>(S)->getCond(); 961 firstCharOnly = true; 962 continue; 963 case Stmt::ChooseExprClass: 964 S = cast<ChooseExpr>(S)->getCond(); 965 firstCharOnly = true; 966 continue; 967 case Stmt::BinaryOperatorClass: 968 S = cast<BinaryOperator>(S)->getLHS(); 969 firstCharOnly = true; 970 continue; 971 } 972 973 break; 974 } 975 976 if (S != Original) 977 L = PathDiagnosticLocation(S, L.getManager(), PDB.LC); 978 } 979 980 if (firstCharOnly) 981 L = PathDiagnosticLocation::createSingleLocation(L); 982 983 return L; 984 } 985 986 void popLocation() { 987 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 988 // For contexts, we only one the first character as the range. 989 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 990 } 991 CLocs.pop_back(); 992 } 993 994 public: 995 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 996 : PD(pd), PDB(pdb) { 997 998 // If the PathDiagnostic already has pieces, add the enclosing statement 999 // of the first piece as a context as well. 1000 if (!PD.path.empty()) { 1001 PrevLoc = (*PD.path.begin())->getLocation(); 1002 1003 if (const Stmt *S = PrevLoc.asStmt()) 1004 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1005 } 1006 } 1007 1008 ~EdgeBuilder() { 1009 while (!CLocs.empty()) popLocation(); 1010 1011 // Finally, add an initial edge from the start location of the first 1012 // statement (if it doesn't already exist). 1013 PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin( 1014 PDB.LC, 1015 PDB.getSourceManager()); 1016 if (L.isValid()) 1017 rawAddEdge(L); 1018 } 1019 1020 void flushLocations() { 1021 while (!CLocs.empty()) 1022 popLocation(); 1023 PrevLoc = PathDiagnosticLocation(); 1024 } 1025 1026 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 1027 1028 void rawAddEdge(PathDiagnosticLocation NewLoc); 1029 1030 void addContext(const Stmt *S); 1031 void addContext(const PathDiagnosticLocation &L); 1032 void addExtendedContext(const Stmt *S); 1033 }; 1034 } // end anonymous namespace 1035 1036 1037 PathDiagnosticLocation 1038 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 1039 if (const Stmt *S = L.asStmt()) { 1040 if (IsControlFlowExpr(S)) 1041 return L; 1042 1043 return PDB.getEnclosingStmtLocation(S); 1044 } 1045 1046 return L; 1047 } 1048 1049 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 1050 const PathDiagnosticLocation &Containee) { 1051 1052 if (Container == Containee) 1053 return true; 1054 1055 if (Container.asDecl()) 1056 return true; 1057 1058 if (const Stmt *S = Containee.asStmt()) 1059 if (const Stmt *ContainerS = Container.asStmt()) { 1060 while (S) { 1061 if (S == ContainerS) 1062 return true; 1063 S = PDB.getParent(S); 1064 } 1065 return false; 1066 } 1067 1068 // Less accurate: compare using source ranges. 1069 SourceRange ContainerR = Container.asRange(); 1070 SourceRange ContaineeR = Containee.asRange(); 1071 1072 SourceManager &SM = PDB.getSourceManager(); 1073 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 1074 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 1075 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 1076 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 1077 1078 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 1079 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 1080 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 1081 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 1082 1083 assert(ContainerBegLine <= ContainerEndLine); 1084 assert(ContaineeBegLine <= ContaineeEndLine); 1085 1086 return (ContainerBegLine <= ContaineeBegLine && 1087 ContainerEndLine >= ContaineeEndLine && 1088 (ContainerBegLine != ContaineeBegLine || 1089 SM.getExpansionColumnNumber(ContainerRBeg) <= 1090 SM.getExpansionColumnNumber(ContaineeRBeg)) && 1091 (ContainerEndLine != ContaineeEndLine || 1092 SM.getExpansionColumnNumber(ContainerREnd) >= 1093 SM.getExpansionColumnNumber(ContaineeREnd))); 1094 } 1095 1096 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 1097 if (!PrevLoc.isValid()) { 1098 PrevLoc = NewLoc; 1099 return; 1100 } 1101 1102 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 1103 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 1104 1105 if (PrevLocClean.asLocation().isInvalid()) { 1106 PrevLoc = NewLoc; 1107 return; 1108 } 1109 1110 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1111 return; 1112 1113 // FIXME: Ignore intra-macro edges for now. 1114 if (NewLocClean.asLocation().getExpansionLoc() == 1115 PrevLocClean.asLocation().getExpansionLoc()) 1116 return; 1117 1118 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 1119 PrevLoc = NewLoc; 1120 } 1121 1122 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 1123 1124 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1125 return; 1126 1127 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1128 1129 while (!CLocs.empty()) { 1130 ContextLocation &TopContextLoc = CLocs.back(); 1131 1132 // Is the top location context the same as the one for the new location? 1133 if (TopContextLoc == CLoc) { 1134 if (alwaysAdd) { 1135 if (IsConsumedExpr(TopContextLoc) && 1136 !IsControlFlowExpr(TopContextLoc.asStmt())) 1137 TopContextLoc.markDead(); 1138 1139 rawAddEdge(NewLoc); 1140 } 1141 1142 return; 1143 } 1144 1145 if (containsLocation(TopContextLoc, CLoc)) { 1146 if (alwaysAdd) { 1147 rawAddEdge(NewLoc); 1148 1149 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 1150 CLocs.push_back(ContextLocation(CLoc, true)); 1151 return; 1152 } 1153 } 1154 1155 CLocs.push_back(CLoc); 1156 return; 1157 } 1158 1159 // Context does not contain the location. Flush it. 1160 popLocation(); 1161 } 1162 1163 // If we reach here, there is no enclosing context. Just add the edge. 1164 rawAddEdge(NewLoc); 1165 } 1166 1167 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1168 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 1169 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1170 1171 return false; 1172 } 1173 1174 void EdgeBuilder::addExtendedContext(const Stmt *S) { 1175 if (!S) 1176 return; 1177 1178 const Stmt *Parent = PDB.getParent(S); 1179 while (Parent) { 1180 if (isa<CompoundStmt>(Parent)) 1181 Parent = PDB.getParent(Parent); 1182 else 1183 break; 1184 } 1185 1186 if (Parent) { 1187 switch (Parent->getStmtClass()) { 1188 case Stmt::DoStmtClass: 1189 case Stmt::ObjCAtSynchronizedStmtClass: 1190 addContext(Parent); 1191 default: 1192 break; 1193 } 1194 } 1195 1196 addContext(S); 1197 } 1198 1199 void EdgeBuilder::addContext(const Stmt *S) { 1200 if (!S) 1201 return; 1202 1203 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.LC); 1204 addContext(L); 1205 } 1206 1207 void EdgeBuilder::addContext(const PathDiagnosticLocation &L) { 1208 while (!CLocs.empty()) { 1209 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1210 1211 // Is the top location context the same as the one for the new location? 1212 if (TopContextLoc == L) 1213 return; 1214 1215 if (containsLocation(TopContextLoc, L)) { 1216 CLocs.push_back(L); 1217 return; 1218 } 1219 1220 // Context does not contain the location. Flush it. 1221 popLocation(); 1222 } 1223 1224 CLocs.push_back(L); 1225 } 1226 1227 // Cone-of-influence: support the reverse propagation of "interesting" symbols 1228 // and values by tracing interesting calculations backwards through evaluated 1229 // expressions along a path. This is probably overly complicated, but the idea 1230 // is that if an expression computed an "interesting" value, the child 1231 // expressions are are also likely to be "interesting" as well (which then 1232 // propagates to the values they in turn compute). This reverse propagation 1233 // is needed to track interesting correlations across function call boundaries, 1234 // where formal arguments bind to actual arguments, etc. This is also needed 1235 // because the constraint solver sometimes simplifies certain symbolic values 1236 // into constants when appropriate, and this complicates reasoning about 1237 // interesting values. 1238 typedef llvm::DenseSet<const Expr *> InterestingExprs; 1239 1240 static void reversePropagateIntererstingSymbols(BugReport &R, 1241 InterestingExprs &IE, 1242 const ProgramState *State, 1243 const Expr *Ex, 1244 const LocationContext *LCtx) { 1245 SVal V = State->getSVal(Ex, LCtx); 1246 if (!(R.isInteresting(V) || IE.count(Ex))) 1247 return; 1248 1249 switch (Ex->getStmtClass()) { 1250 default: 1251 if (!isa<CastExpr>(Ex)) 1252 break; 1253 // Fall through. 1254 case Stmt::BinaryOperatorClass: 1255 case Stmt::UnaryOperatorClass: { 1256 for (Stmt::const_child_iterator CI = Ex->child_begin(), 1257 CE = Ex->child_end(); 1258 CI != CE; ++CI) { 1259 if (const Expr *child = dyn_cast_or_null<Expr>(*CI)) { 1260 IE.insert(child); 1261 SVal ChildV = State->getSVal(child, LCtx); 1262 R.markInteresting(ChildV); 1263 } 1264 break; 1265 } 1266 } 1267 } 1268 1269 R.markInteresting(V); 1270 } 1271 1272 static void reversePropagateInterestingSymbols(BugReport &R, 1273 InterestingExprs &IE, 1274 const ProgramState *State, 1275 const LocationContext *CalleeCtx, 1276 const LocationContext *CallerCtx) 1277 { 1278 // FIXME: Handle non-CallExpr-based CallEvents. 1279 const StackFrameContext *Callee = CalleeCtx->getCurrentStackFrame(); 1280 const Stmt *CallSite = Callee->getCallSite(); 1281 if (const CallExpr *CE = dyn_cast_or_null<CallExpr>(CallSite)) { 1282 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeCtx->getDecl())) { 1283 FunctionDecl::param_const_iterator PI = FD->param_begin(), 1284 PE = FD->param_end(); 1285 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end(); 1286 for (; AI != AE && PI != PE; ++AI, ++PI) { 1287 if (const Expr *ArgE = *AI) { 1288 if (const ParmVarDecl *PD = *PI) { 1289 Loc LV = State->getLValue(PD, CalleeCtx); 1290 if (R.isInteresting(LV) || R.isInteresting(State->getRawSVal(LV))) 1291 IE.insert(ArgE); 1292 } 1293 } 1294 } 1295 } 1296 } 1297 } 1298 1299 static bool GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1300 PathDiagnosticBuilder &PDB, 1301 const ExplodedNode *N, 1302 ArrayRef<BugReporterVisitor *> visitors) { 1303 EdgeBuilder EB(PD, PDB); 1304 const SourceManager& SM = PDB.getSourceManager(); 1305 StackDiagVector CallStack; 1306 InterestingExprs IE; 1307 1308 const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 1309 while (NextNode) { 1310 N = NextNode; 1311 NextNode = GetPredecessorNode(N); 1312 ProgramPoint P = N->getLocation(); 1313 1314 do { 1315 if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) { 1316 if (const Expr *Ex = PS->getStmtAs<Expr>()) 1317 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1318 N->getState().getPtr(), Ex, 1319 N->getLocationContext()); 1320 } 1321 1322 if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) { 1323 const Stmt *S = CE->getCalleeContext()->getCallSite(); 1324 if (const Expr *Ex = dyn_cast_or_null<Expr>(S)) { 1325 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1326 N->getState().getPtr(), Ex, 1327 N->getLocationContext()); 1328 } 1329 1330 PathDiagnosticCallPiece *C = 1331 PathDiagnosticCallPiece::construct(N, *CE, SM); 1332 GRBugReporter& BR = PDB.getBugReporter(); 1333 BR.addCallPieceLocationContextPair(C, CE->getCalleeContext()); 1334 1335 EB.addEdge(C->callReturn, true); 1336 EB.flushLocations(); 1337 1338 PD.getActivePath().push_front(C); 1339 PD.pushActivePath(&C->path); 1340 CallStack.push_back(StackDiagPair(C, N)); 1341 break; 1342 } 1343 1344 // Pop the call hierarchy if we are done walking the contents 1345 // of a function call. 1346 if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) { 1347 // Add an edge to the start of the function. 1348 const Decl *D = CE->getCalleeContext()->getDecl(); 1349 PathDiagnosticLocation pos = 1350 PathDiagnosticLocation::createBegin(D, SM); 1351 EB.addEdge(pos); 1352 1353 // Flush all locations, and pop the active path. 1354 bool VisitedEntireCall = PD.isWithinCall(); 1355 EB.flushLocations(); 1356 PD.popActivePath(); 1357 PDB.LC = N->getLocationContext(); 1358 1359 // Either we just added a bunch of stuff to the top-level path, or 1360 // we have a previous CallExitEnd. If the former, it means that the 1361 // path terminated within a function call. We must then take the 1362 // current contents of the active path and place it within 1363 // a new PathDiagnosticCallPiece. 1364 PathDiagnosticCallPiece *C; 1365 if (VisitedEntireCall) { 1366 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 1367 } else { 1368 const Decl *Caller = CE->getLocationContext()->getDecl(); 1369 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 1370 GRBugReporter& BR = PDB.getBugReporter(); 1371 BR.addCallPieceLocationContextPair(C, CE->getCalleeContext()); 1372 } 1373 1374 C->setCallee(*CE, SM); 1375 EB.addContext(C->getLocation()); 1376 1377 if (!CallStack.empty()) { 1378 assert(CallStack.back().first == C); 1379 CallStack.pop_back(); 1380 } 1381 break; 1382 } 1383 1384 // Note that is important that we update the LocationContext 1385 // after looking at CallExits. CallExit basically adds an 1386 // edge in the *caller*, so we don't want to update the LocationContext 1387 // too soon. 1388 PDB.LC = N->getLocationContext(); 1389 1390 // Block edges. 1391 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 1392 // Does this represent entering a call? If so, look at propagating 1393 // interesting symbols across call boundaries. 1394 if (NextNode) { 1395 const LocationContext *CallerCtx = NextNode->getLocationContext(); 1396 const LocationContext *CalleeCtx = PDB.LC; 1397 if (CallerCtx != CalleeCtx) { 1398 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 1399 N->getState().getPtr(), 1400 CalleeCtx, CallerCtx); 1401 } 1402 } 1403 1404 // Are we jumping to the head of a loop? Add a special diagnostic. 1405 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1406 PathDiagnosticLocation L(Loop, SM, PDB.LC); 1407 const CompoundStmt *CS = NULL; 1408 1409 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1410 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1411 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1412 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1413 1414 PathDiagnosticEventPiece *p = 1415 new PathDiagnosticEventPiece(L, 1416 "Looping back to the head of the loop"); 1417 p->setPrunable(true); 1418 1419 EB.addEdge(p->getLocation(), true); 1420 PD.getActivePath().push_front(p); 1421 1422 if (CS) { 1423 PathDiagnosticLocation BL = 1424 PathDiagnosticLocation::createEndBrace(CS, SM); 1425 EB.addEdge(BL); 1426 } 1427 } 1428 1429 if (const Stmt *Term = BE->getSrc()->getTerminator()) 1430 EB.addContext(Term); 1431 1432 break; 1433 } 1434 1435 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 1436 CFGElement First = BE->getFirstElement(); 1437 if (const CFGStmt *S = First.getAs<CFGStmt>()) { 1438 const Stmt *stmt = S->getStmt(); 1439 if (IsControlFlowExpr(stmt)) { 1440 // Add the proper context for '&&', '||', and '?'. 1441 EB.addContext(stmt); 1442 } 1443 else 1444 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1445 } 1446 1447 break; 1448 } 1449 1450 1451 } while (0); 1452 1453 if (!NextNode) 1454 continue; 1455 1456 // Add pieces from custom visitors. 1457 BugReport *R = PDB.getBugReport(); 1458 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 1459 E = visitors.end(); 1460 I != E; ++I) { 1461 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 1462 const PathDiagnosticLocation &Loc = p->getLocation(); 1463 EB.addEdge(Loc, true); 1464 PD.getActivePath().push_front(p); 1465 updateStackPiecesWithMessage(p, CallStack); 1466 1467 if (const Stmt *S = Loc.asStmt()) 1468 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1469 } 1470 } 1471 } 1472 1473 return PDB.getBugReport()->isValid(); 1474 } 1475 1476 //===----------------------------------------------------------------------===// 1477 // Methods for BugType and subclasses. 1478 //===----------------------------------------------------------------------===// 1479 BugType::~BugType() { } 1480 1481 void BugType::FlushReports(BugReporter &BR) {} 1482 1483 void BuiltinBug::anchor() {} 1484 1485 //===----------------------------------------------------------------------===// 1486 // Methods for BugReport and subclasses. 1487 //===----------------------------------------------------------------------===// 1488 1489 void BugReport::NodeResolver::anchor() {} 1490 1491 void BugReport::addVisitor(BugReporterVisitor* visitor) { 1492 if (!visitor) 1493 return; 1494 1495 llvm::FoldingSetNodeID ID; 1496 visitor->Profile(ID); 1497 void *InsertPos; 1498 1499 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 1500 delete visitor; 1501 return; 1502 } 1503 1504 CallbacksSet.InsertNode(visitor, InsertPos); 1505 Callbacks.push_back(visitor); 1506 ++ConfigurationChangeToken; 1507 } 1508 1509 BugReport::~BugReport() { 1510 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) { 1511 delete *I; 1512 } 1513 while (!interestingSymbols.empty()) { 1514 popInterestingSymbolsAndRegions(); 1515 } 1516 } 1517 1518 const Decl *BugReport::getDeclWithIssue() const { 1519 if (DeclWithIssue) 1520 return DeclWithIssue; 1521 1522 const ExplodedNode *N = getErrorNode(); 1523 if (!N) 1524 return 0; 1525 1526 const LocationContext *LC = N->getLocationContext(); 1527 return LC->getCurrentStackFrame()->getDecl(); 1528 } 1529 1530 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 1531 hash.AddPointer(&BT); 1532 hash.AddString(Description); 1533 PathDiagnosticLocation UL = getUniqueingLocation(); 1534 if (UL.isValid()) { 1535 UL.Profile(hash); 1536 } else if (Location.isValid()) { 1537 Location.Profile(hash); 1538 } else { 1539 assert(ErrorNode); 1540 hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode)); 1541 } 1542 1543 for (SmallVectorImpl<SourceRange>::const_iterator I = 1544 Ranges.begin(), E = Ranges.end(); I != E; ++I) { 1545 const SourceRange range = *I; 1546 if (!range.isValid()) 1547 continue; 1548 hash.AddInteger(range.getBegin().getRawEncoding()); 1549 hash.AddInteger(range.getEnd().getRawEncoding()); 1550 } 1551 } 1552 1553 void BugReport::markInteresting(SymbolRef sym) { 1554 if (!sym) 1555 return; 1556 1557 // If the symbol wasn't already in our set, note a configuration change. 1558 if (getInterestingSymbols().insert(sym).second) 1559 ++ConfigurationChangeToken; 1560 1561 if (const SymbolMetadata *meta = dyn_cast<SymbolMetadata>(sym)) 1562 getInterestingRegions().insert(meta->getRegion()); 1563 } 1564 1565 void BugReport::markInteresting(const MemRegion *R) { 1566 if (!R) 1567 return; 1568 1569 // If the base region wasn't already in our set, note a configuration change. 1570 R = R->getBaseRegion(); 1571 if (getInterestingRegions().insert(R).second) 1572 ++ConfigurationChangeToken; 1573 1574 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 1575 getInterestingSymbols().insert(SR->getSymbol()); 1576 } 1577 1578 void BugReport::markInteresting(SVal V) { 1579 markInteresting(V.getAsRegion()); 1580 markInteresting(V.getAsSymbol()); 1581 } 1582 1583 void BugReport::markInteresting(const LocationContext *LC) { 1584 if (!LC) 1585 return; 1586 InterestingLocationContexts.insert(LC); 1587 } 1588 1589 bool BugReport::isInteresting(SVal V) { 1590 return isInteresting(V.getAsRegion()) || isInteresting(V.getAsSymbol()); 1591 } 1592 1593 bool BugReport::isInteresting(SymbolRef sym) { 1594 if (!sym) 1595 return false; 1596 // We don't currently consider metadata symbols to be interesting 1597 // even if we know their region is interesting. Is that correct behavior? 1598 return getInterestingSymbols().count(sym); 1599 } 1600 1601 bool BugReport::isInteresting(const MemRegion *R) { 1602 if (!R) 1603 return false; 1604 R = R->getBaseRegion(); 1605 bool b = getInterestingRegions().count(R); 1606 if (b) 1607 return true; 1608 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 1609 return getInterestingSymbols().count(SR->getSymbol()); 1610 return false; 1611 } 1612 1613 bool BugReport::isInteresting(const LocationContext *LC) { 1614 if (!LC) 1615 return false; 1616 return InterestingLocationContexts.count(LC); 1617 } 1618 1619 void BugReport::lazyInitializeInterestingSets() { 1620 if (interestingSymbols.empty()) { 1621 interestingSymbols.push_back(new Symbols()); 1622 interestingRegions.push_back(new Regions()); 1623 } 1624 } 1625 1626 BugReport::Symbols &BugReport::getInterestingSymbols() { 1627 lazyInitializeInterestingSets(); 1628 return *interestingSymbols.back(); 1629 } 1630 1631 BugReport::Regions &BugReport::getInterestingRegions() { 1632 lazyInitializeInterestingSets(); 1633 return *interestingRegions.back(); 1634 } 1635 1636 void BugReport::pushInterestingSymbolsAndRegions() { 1637 interestingSymbols.push_back(new Symbols(getInterestingSymbols())); 1638 interestingRegions.push_back(new Regions(getInterestingRegions())); 1639 } 1640 1641 void BugReport::popInterestingSymbolsAndRegions() { 1642 delete interestingSymbols.back(); 1643 interestingSymbols.pop_back(); 1644 delete interestingRegions.back(); 1645 interestingRegions.pop_back(); 1646 } 1647 1648 const Stmt *BugReport::getStmt() const { 1649 if (!ErrorNode) 1650 return 0; 1651 1652 ProgramPoint ProgP = ErrorNode->getLocation(); 1653 const Stmt *S = NULL; 1654 1655 if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) { 1656 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 1657 if (BE->getBlock() == &Exit) 1658 S = GetPreviousStmt(ErrorNode); 1659 } 1660 if (!S) 1661 S = GetStmt(ProgP); 1662 1663 return S; 1664 } 1665 1666 std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 1667 BugReport::getRanges() { 1668 // If no custom ranges, add the range of the statement corresponding to 1669 // the error node. 1670 if (Ranges.empty()) { 1671 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) 1672 addRange(E->getSourceRange()); 1673 else 1674 return std::make_pair(ranges_iterator(), ranges_iterator()); 1675 } 1676 1677 // User-specified absence of range info. 1678 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 1679 return std::make_pair(ranges_iterator(), ranges_iterator()); 1680 1681 return std::make_pair(Ranges.begin(), Ranges.end()); 1682 } 1683 1684 PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const { 1685 if (ErrorNode) { 1686 assert(!Location.isValid() && 1687 "Either Location or ErrorNode should be specified but not both."); 1688 1689 if (const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode)) { 1690 const LocationContext *LC = ErrorNode->getLocationContext(); 1691 1692 // For member expressions, return the location of the '.' or '->'. 1693 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 1694 return PathDiagnosticLocation::createMemberLoc(ME, SM); 1695 // For binary operators, return the location of the operator. 1696 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 1697 return PathDiagnosticLocation::createOperatorLoc(B, SM); 1698 1699 if (isa<PostStmtPurgeDeadSymbols>(ErrorNode->getLocation())) 1700 return PathDiagnosticLocation::createEnd(S, SM, LC); 1701 1702 return PathDiagnosticLocation::createBegin(S, SM, LC); 1703 } 1704 } else { 1705 assert(Location.isValid()); 1706 return Location; 1707 } 1708 1709 return PathDiagnosticLocation(); 1710 } 1711 1712 //===----------------------------------------------------------------------===// 1713 // Methods for BugReporter and subclasses. 1714 //===----------------------------------------------------------------------===// 1715 1716 BugReportEquivClass::~BugReportEquivClass() { } 1717 GRBugReporter::~GRBugReporter() { } 1718 BugReporterData::~BugReporterData() {} 1719 1720 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 1721 1722 ProgramStateManager& 1723 GRBugReporter::getStateManager() { return Eng.getStateManager(); } 1724 1725 BugReporter::~BugReporter() { 1726 FlushReports(); 1727 1728 // Free the bug reports we are tracking. 1729 typedef std::vector<BugReportEquivClass *> ContTy; 1730 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end(); 1731 I != E; ++I) { 1732 delete *I; 1733 } 1734 } 1735 1736 void BugReporter::FlushReports() { 1737 if (BugTypes.isEmpty()) 1738 return; 1739 1740 // First flush the warnings for each BugType. This may end up creating new 1741 // warnings and new BugTypes. 1742 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 1743 // Turn NSErrorChecker into a proper checker and remove this. 1744 SmallVector<const BugType*, 16> bugTypes; 1745 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 1746 bugTypes.push_back(*I); 1747 for (SmallVector<const BugType*, 16>::iterator 1748 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 1749 const_cast<BugType*>(*I)->FlushReports(*this); 1750 1751 // We need to flush reports in deterministic order to ensure the order 1752 // of the reports is consistent between runs. 1753 typedef std::vector<BugReportEquivClass *> ContVecTy; 1754 for (ContVecTy::iterator EI=EQClassesVector.begin(), EE=EQClassesVector.end(); 1755 EI != EE; ++EI){ 1756 BugReportEquivClass& EQ = **EI; 1757 FlushReport(EQ); 1758 } 1759 1760 // BugReporter owns and deletes only BugTypes created implicitly through 1761 // EmitBasicReport. 1762 // FIXME: There are leaks from checkers that assume that the BugTypes they 1763 // create will be destroyed by the BugReporter. 1764 for (llvm::StringMap<BugType*>::iterator 1765 I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I) 1766 delete I->second; 1767 1768 // Remove all references to the BugType objects. 1769 BugTypes = F.getEmptySet(); 1770 } 1771 1772 //===----------------------------------------------------------------------===// 1773 // PathDiagnostics generation. 1774 //===----------------------------------------------------------------------===// 1775 1776 static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1777 std::pair<ExplodedNode*, unsigned> > 1778 MakeReportGraph(const ExplodedGraph* G, 1779 SmallVectorImpl<const ExplodedNode*> &nodes) { 1780 1781 // Create the trimmed graph. It will contain the shortest paths from the 1782 // error nodes to the root. In the new graph we should only have one 1783 // error node unless there are two or more error nodes with the same minimum 1784 // path length. 1785 ExplodedGraph* GTrim; 1786 InterExplodedGraphMap* NMap; 1787 1788 llvm::DenseMap<const void*, const void*> InverseMap; 1789 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 1790 &InverseMap); 1791 1792 // Create owning pointers for GTrim and NMap just to ensure that they are 1793 // released when this function exists. 1794 OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 1795 OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 1796 1797 // Find the (first) error node in the trimmed graph. We just need to consult 1798 // the node map (NMap) which maps from nodes in the original graph to nodes 1799 // in the new graph. 1800 1801 std::queue<const ExplodedNode*> WS; 1802 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 1803 IndexMapTy IndexMap; 1804 1805 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 1806 const ExplodedNode *originalNode = nodes[nodeIndex]; 1807 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 1808 WS.push(N); 1809 IndexMap[originalNode] = nodeIndex; 1810 } 1811 } 1812 1813 assert(!WS.empty() && "No error node found in the trimmed graph."); 1814 1815 // Create a new (third!) graph with a single path. This is the graph 1816 // that will be returned to the caller. 1817 ExplodedGraph *GNew = new ExplodedGraph(); 1818 1819 // Sometimes the trimmed graph can contain a cycle. Perform a reverse BFS 1820 // to the root node, and then construct a new graph that contains only 1821 // a single path. 1822 llvm::DenseMap<const void*,unsigned> Visited; 1823 1824 unsigned cnt = 0; 1825 const ExplodedNode *Root = 0; 1826 1827 while (!WS.empty()) { 1828 const ExplodedNode *Node = WS.front(); 1829 WS.pop(); 1830 1831 if (Visited.find(Node) != Visited.end()) 1832 continue; 1833 1834 Visited[Node] = cnt++; 1835 1836 if (Node->pred_empty()) { 1837 Root = Node; 1838 break; 1839 } 1840 1841 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 1842 E=Node->pred_end(); I!=E; ++I) 1843 WS.push(*I); 1844 } 1845 1846 assert(Root); 1847 1848 // Now walk from the root down the BFS path, always taking the successor 1849 // with the lowest number. 1850 ExplodedNode *Last = 0, *First = 0; 1851 NodeBackMap *BM = new NodeBackMap(); 1852 unsigned NodeIndex = 0; 1853 1854 for ( const ExplodedNode *N = Root ;;) { 1855 // Lookup the number associated with the current node. 1856 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 1857 assert(I != Visited.end()); 1858 1859 // Create the equivalent node in the new graph with the same state 1860 // and location. 1861 ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState()); 1862 1863 // Store the mapping to the original node. 1864 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 1865 assert(IMitr != InverseMap.end() && "No mapping to original node."); 1866 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 1867 1868 // Link up the new node with the previous node. 1869 if (Last) 1870 NewN->addPredecessor(Last, *GNew); 1871 1872 Last = NewN; 1873 1874 // Are we at the final node? 1875 IndexMapTy::iterator IMI = 1876 IndexMap.find((const ExplodedNode*)(IMitr->second)); 1877 if (IMI != IndexMap.end()) { 1878 First = NewN; 1879 NodeIndex = IMI->second; 1880 break; 1881 } 1882 1883 // Find the next successor node. We choose the node that is marked 1884 // with the lowest DFS number. 1885 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 1886 ExplodedNode::const_succ_iterator SE = N->succ_end(); 1887 N = 0; 1888 1889 for (unsigned MinVal = 0; SI != SE; ++SI) { 1890 1891 I = Visited.find(*SI); 1892 1893 if (I == Visited.end()) 1894 continue; 1895 1896 if (!N || I->second < MinVal) { 1897 N = *SI; 1898 MinVal = I->second; 1899 } 1900 } 1901 1902 assert(N); 1903 } 1904 1905 assert(First); 1906 1907 return std::make_pair(std::make_pair(GNew, BM), 1908 std::make_pair(First, NodeIndex)); 1909 } 1910 1911 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 1912 /// and collapses PathDiagosticPieces that are expanded by macros. 1913 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) { 1914 typedef std::vector<std::pair<IntrusiveRefCntPtr<PathDiagnosticMacroPiece>, 1915 SourceLocation> > MacroStackTy; 1916 1917 typedef std::vector<IntrusiveRefCntPtr<PathDiagnosticPiece> > 1918 PiecesTy; 1919 1920 MacroStackTy MacroStack; 1921 PiecesTy Pieces; 1922 1923 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 1924 I!=E; ++I) { 1925 1926 PathDiagnosticPiece *piece = I->getPtr(); 1927 1928 // Recursively compact calls. 1929 if (PathDiagnosticCallPiece *call=dyn_cast<PathDiagnosticCallPiece>(piece)){ 1930 CompactPathDiagnostic(call->path, SM); 1931 } 1932 1933 // Get the location of the PathDiagnosticPiece. 1934 const FullSourceLoc Loc = piece->getLocation().asLocation(); 1935 1936 // Determine the instantiation location, which is the location we group 1937 // related PathDiagnosticPieces. 1938 SourceLocation InstantiationLoc = Loc.isMacroID() ? 1939 SM.getExpansionLoc(Loc) : 1940 SourceLocation(); 1941 1942 if (Loc.isFileID()) { 1943 MacroStack.clear(); 1944 Pieces.push_back(piece); 1945 continue; 1946 } 1947 1948 assert(Loc.isMacroID()); 1949 1950 // Is the PathDiagnosticPiece within the same macro group? 1951 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 1952 MacroStack.back().first->subPieces.push_back(piece); 1953 continue; 1954 } 1955 1956 // We aren't in the same group. Are we descending into a new macro 1957 // or are part of an old one? 1958 IntrusiveRefCntPtr<PathDiagnosticMacroPiece> MacroGroup; 1959 1960 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 1961 SM.getExpansionLoc(Loc) : 1962 SourceLocation(); 1963 1964 // Walk the entire macro stack. 1965 while (!MacroStack.empty()) { 1966 if (InstantiationLoc == MacroStack.back().second) { 1967 MacroGroup = MacroStack.back().first; 1968 break; 1969 } 1970 1971 if (ParentInstantiationLoc == MacroStack.back().second) { 1972 MacroGroup = MacroStack.back().first; 1973 break; 1974 } 1975 1976 MacroStack.pop_back(); 1977 } 1978 1979 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 1980 // Create a new macro group and add it to the stack. 1981 PathDiagnosticMacroPiece *NewGroup = 1982 new PathDiagnosticMacroPiece( 1983 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 1984 1985 if (MacroGroup) 1986 MacroGroup->subPieces.push_back(NewGroup); 1987 else { 1988 assert(InstantiationLoc.isFileID()); 1989 Pieces.push_back(NewGroup); 1990 } 1991 1992 MacroGroup = NewGroup; 1993 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 1994 } 1995 1996 // Finally, add the PathDiagnosticPiece to the group. 1997 MacroGroup->subPieces.push_back(piece); 1998 } 1999 2000 // Now take the pieces and construct a new PathDiagnostic. 2001 path.clear(); 2002 2003 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) 2004 path.push_back(*I); 2005 } 2006 2007 bool GRBugReporter::generatePathDiagnostic(PathDiagnostic& PD, 2008 PathDiagnosticConsumer &PC, 2009 ArrayRef<BugReport *> &bugReports) { 2010 assert(!bugReports.empty()); 2011 2012 bool HasValid = false; 2013 SmallVector<const ExplodedNode *, 10> errorNodes; 2014 for (ArrayRef<BugReport*>::iterator I = bugReports.begin(), 2015 E = bugReports.end(); I != E; ++I) { 2016 if ((*I)->isValid()) { 2017 HasValid = true; 2018 errorNodes.push_back((*I)->getErrorNode()); 2019 } else { 2020 errorNodes.push_back(0); 2021 } 2022 } 2023 2024 // If all the reports have been marked invalid, we're done. 2025 if (!HasValid) 2026 return false; 2027 2028 // Construct a new graph that contains only a single path from the error 2029 // node to a root. 2030 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 2031 std::pair<ExplodedNode*, unsigned> >& 2032 GPair = MakeReportGraph(&getGraph(), errorNodes); 2033 2034 // Find the BugReport with the original location. 2035 assert(GPair.second.second < bugReports.size()); 2036 BugReport *R = bugReports[GPair.second.second]; 2037 assert(R && "No original report found for sliced graph."); 2038 assert(R->isValid() && "Report selected from trimmed graph marked invalid."); 2039 2040 OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 2041 OwningPtr<NodeBackMap> BackMap(GPair.first.second); 2042 const ExplodedNode *N = GPair.second.first; 2043 2044 // Start building the path diagnostic... 2045 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), &PC); 2046 2047 // Register additional node visitors. 2048 R->addVisitor(new NilReceiverBRVisitor()); 2049 R->addVisitor(new ConditionBRVisitor()); 2050 2051 BugReport::VisitorList visitors; 2052 unsigned originalReportConfigToken, finalReportConfigToken; 2053 2054 // While generating diagnostics, it's possible the visitors will decide 2055 // new symbols and regions are interesting, or add other visitors based on 2056 // the information they find. If they do, we need to regenerate the path 2057 // based on our new report configuration. 2058 do { 2059 // Get a clean copy of all the visitors. 2060 for (BugReport::visitor_iterator I = R->visitor_begin(), 2061 E = R->visitor_end(); I != E; ++I) 2062 visitors.push_back((*I)->clone()); 2063 2064 // Clear out the active path from any previous work. 2065 PD.resetPath(); 2066 originalReportConfigToken = R->getConfigurationChangeToken(); 2067 2068 // Generate the very last diagnostic piece - the piece is visible before 2069 // the trace is expanded. 2070 if (PDB.getGenerationScheme() != PathDiagnosticConsumer::None) { 2071 PathDiagnosticPiece *LastPiece = 0; 2072 for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end(); 2073 I != E; ++I) { 2074 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) { 2075 assert (!LastPiece && 2076 "There can only be one final piece in a diagnostic."); 2077 LastPiece = Piece; 2078 } 2079 } 2080 if (!LastPiece) 2081 LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R); 2082 if (LastPiece) 2083 PD.setEndOfPath(LastPiece); 2084 else 2085 return false; 2086 } 2087 2088 switch (PDB.getGenerationScheme()) { 2089 case PathDiagnosticConsumer::Extensive: 2090 if (!GenerateExtensivePathDiagnostic(PD, PDB, N, visitors)) { 2091 assert(!R->isValid() && "Failed on valid report"); 2092 // Try again. We'll filter out the bad report when we trim the graph. 2093 // FIXME: It would be more efficient to use the same intermediate 2094 // trimmed graph, and just repeat the shortest-path search. 2095 return generatePathDiagnostic(PD, PC, bugReports); 2096 } 2097 break; 2098 case PathDiagnosticConsumer::Minimal: 2099 if (!GenerateMinimalPathDiagnostic(PD, PDB, N, visitors)) { 2100 assert(!R->isValid() && "Failed on valid report"); 2101 // Try again. We'll filter out the bad report when we trim the graph. 2102 return generatePathDiagnostic(PD, PC, bugReports); 2103 } 2104 break; 2105 case PathDiagnosticConsumer::None: 2106 if (!GenerateVisitorsOnlyPathDiagnostic(PD, PDB, N, visitors)) { 2107 assert(!R->isValid() && "Failed on valid report"); 2108 // Try again. We'll filter out the bad report when we trim the graph. 2109 return generatePathDiagnostic(PD, PC, bugReports); 2110 } 2111 break; 2112 } 2113 2114 // Clean up the visitors we used. 2115 llvm::DeleteContainerPointers(visitors); 2116 2117 // Did anything change while generating this path? 2118 finalReportConfigToken = R->getConfigurationChangeToken(); 2119 } while(finalReportConfigToken != originalReportConfigToken); 2120 2121 // Finally, prune the diagnostic path of uninteresting stuff. 2122 if (!PD.path.empty()) { 2123 // Remove messages that are basically the same. 2124 removeRedundantMsgs(PD.getMutablePieces()); 2125 2126 if (R->shouldPrunePath() && 2127 getEngine().getAnalysisManager().options.shouldPrunePaths()) { 2128 bool hasSomethingInteresting = RemoveUnneededCalls(PD.getMutablePieces(), 2129 R); 2130 assert(hasSomethingInteresting); 2131 (void) hasSomethingInteresting; 2132 } 2133 2134 adjustCallLocations(PD.getMutablePieces()); 2135 } 2136 2137 return true; 2138 } 2139 2140 void BugReporter::Register(BugType *BT) { 2141 BugTypes = F.add(BugTypes, BT); 2142 } 2143 2144 bool BugReporter::suppressReport(BugReport *R) { 2145 const Stmt *S = R->getStmt(); 2146 if (!S) 2147 return false; 2148 2149 // Here we suppress false positives coming from system macros. This list is 2150 // based on known issues. 2151 2152 // Skip reports within the sys/queue.h macros as we do not have the ability to 2153 // reason about data structure shapes. 2154 SourceManager &SM = getSourceManager(); 2155 SourceLocation Loc = S->getLocStart(); 2156 while (Loc.isMacroID()) { 2157 if (SM.isInSystemMacro(Loc) && 2158 (SM.getFilename(SM.getSpellingLoc(Loc)).endswith("sys/queue.h"))) 2159 return true; 2160 Loc = SM.getSpellingLoc(Loc); 2161 } 2162 2163 return false; 2164 } 2165 2166 void BugReporter::emitReport(BugReport* R) { 2167 if (suppressReport(R)) 2168 return; 2169 2170 // Compute the bug report's hash to determine its equivalence class. 2171 llvm::FoldingSetNodeID ID; 2172 R->Profile(ID); 2173 2174 // Lookup the equivance class. If there isn't one, create it. 2175 BugType& BT = R->getBugType(); 2176 Register(&BT); 2177 void *InsertPos; 2178 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 2179 2180 if (!EQ) { 2181 EQ = new BugReportEquivClass(R); 2182 EQClasses.InsertNode(EQ, InsertPos); 2183 EQClassesVector.push_back(EQ); 2184 } 2185 else 2186 EQ->AddReport(R); 2187 } 2188 2189 2190 //===----------------------------------------------------------------------===// 2191 // Emitting reports in equivalence classes. 2192 //===----------------------------------------------------------------------===// 2193 2194 namespace { 2195 struct FRIEC_WLItem { 2196 const ExplodedNode *N; 2197 ExplodedNode::const_succ_iterator I, E; 2198 2199 FRIEC_WLItem(const ExplodedNode *n) 2200 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 2201 }; 2202 } 2203 2204 static BugReport * 2205 FindReportInEquivalenceClass(BugReportEquivClass& EQ, 2206 SmallVectorImpl<BugReport*> &bugReports) { 2207 2208 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 2209 assert(I != E); 2210 BugType& BT = I->getBugType(); 2211 2212 // If we don't need to suppress any of the nodes because they are 2213 // post-dominated by a sink, simply add all the nodes in the equivalence class 2214 // to 'Nodes'. Any of the reports will serve as a "representative" report. 2215 if (!BT.isSuppressOnSink()) { 2216 BugReport *R = I; 2217 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 2218 const ExplodedNode *N = I->getErrorNode(); 2219 if (N) { 2220 R = I; 2221 bugReports.push_back(R); 2222 } 2223 } 2224 return R; 2225 } 2226 2227 // For bug reports that should be suppressed when all paths are post-dominated 2228 // by a sink node, iterate through the reports in the equivalence class 2229 // until we find one that isn't post-dominated (if one exists). We use a 2230 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 2231 // this as a recursive function, but we don't want to risk blowing out the 2232 // stack for very long paths. 2233 BugReport *exampleReport = 0; 2234 2235 for (; I != E; ++I) { 2236 const ExplodedNode *errorNode = I->getErrorNode(); 2237 2238 if (!errorNode) 2239 continue; 2240 if (errorNode->isSink()) { 2241 llvm_unreachable( 2242 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 2243 } 2244 // No successors? By definition this nodes isn't post-dominated by a sink. 2245 if (errorNode->succ_empty()) { 2246 bugReports.push_back(I); 2247 if (!exampleReport) 2248 exampleReport = I; 2249 continue; 2250 } 2251 2252 // At this point we know that 'N' is not a sink and it has at least one 2253 // successor. Use a DFS worklist to find a non-sink end-of-path node. 2254 typedef FRIEC_WLItem WLItem; 2255 typedef SmallVector<WLItem, 10> DFSWorkList; 2256 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 2257 2258 DFSWorkList WL; 2259 WL.push_back(errorNode); 2260 Visited[errorNode] = 1; 2261 2262 while (!WL.empty()) { 2263 WLItem &WI = WL.back(); 2264 assert(!WI.N->succ_empty()); 2265 2266 for (; WI.I != WI.E; ++WI.I) { 2267 const ExplodedNode *Succ = *WI.I; 2268 // End-of-path node? 2269 if (Succ->succ_empty()) { 2270 // If we found an end-of-path node that is not a sink. 2271 if (!Succ->isSink()) { 2272 bugReports.push_back(I); 2273 if (!exampleReport) 2274 exampleReport = I; 2275 WL.clear(); 2276 break; 2277 } 2278 // Found a sink? Continue on to the next successor. 2279 continue; 2280 } 2281 // Mark the successor as visited. If it hasn't been explored, 2282 // enqueue it to the DFS worklist. 2283 unsigned &mark = Visited[Succ]; 2284 if (!mark) { 2285 mark = 1; 2286 WL.push_back(Succ); 2287 break; 2288 } 2289 } 2290 2291 // The worklist may have been cleared at this point. First 2292 // check if it is empty before checking the last item. 2293 if (!WL.empty() && &WL.back() == &WI) 2294 WL.pop_back(); 2295 } 2296 } 2297 2298 // ExampleReport will be NULL if all the nodes in the equivalence class 2299 // were post-dominated by sinks. 2300 return exampleReport; 2301 } 2302 2303 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 2304 SmallVector<BugReport*, 10> bugReports; 2305 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 2306 if (exampleReport) { 2307 const PathDiagnosticConsumers &C = getPathDiagnosticConsumers(); 2308 for (PathDiagnosticConsumers::const_iterator I=C.begin(), 2309 E=C.end(); I != E; ++I) { 2310 FlushReport(exampleReport, **I, bugReports); 2311 } 2312 } 2313 } 2314 2315 void BugReporter::FlushReport(BugReport *exampleReport, 2316 PathDiagnosticConsumer &PD, 2317 ArrayRef<BugReport*> bugReports) { 2318 2319 // FIXME: Make sure we use the 'R' for the path that was actually used. 2320 // Probably doesn't make a difference in practice. 2321 BugType& BT = exampleReport->getBugType(); 2322 2323 OwningPtr<PathDiagnostic> 2324 D(new PathDiagnostic(exampleReport->getDeclWithIssue(), 2325 exampleReport->getBugType().getName(), 2326 exampleReport->getDescription(), 2327 exampleReport->getShortDescription(/*Fallback=*/false), 2328 BT.getCategory(), 2329 exampleReport->getUniqueingLocation(), 2330 exampleReport->getUniqueingDecl())); 2331 2332 // Generate the full path diagnostic, using the generation scheme 2333 // specified by the PathDiagnosticConsumer. Note that we have to generate 2334 // path diagnostics even for consumers which do not support paths, because 2335 // the BugReporterVisitors may mark this bug as a false positive. 2336 if (!bugReports.empty()) 2337 if (!generatePathDiagnostic(*D.get(), PD, bugReports)) 2338 return; 2339 2340 // If the path is empty, generate a single step path with the location 2341 // of the issue. 2342 if (D->path.empty()) { 2343 PathDiagnosticLocation L = exampleReport->getLocation(getSourceManager()); 2344 PathDiagnosticPiece *piece = 2345 new PathDiagnosticEventPiece(L, exampleReport->getDescription()); 2346 BugReport::ranges_iterator Beg, End; 2347 llvm::tie(Beg, End) = exampleReport->getRanges(); 2348 for ( ; Beg != End; ++Beg) 2349 piece->addRange(*Beg); 2350 D->setEndOfPath(piece); 2351 } 2352 2353 // Get the meta data. 2354 const BugReport::ExtraTextList &Meta = exampleReport->getExtraText(); 2355 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(), 2356 e = Meta.end(); i != e; ++i) { 2357 D->addMeta(*i); 2358 } 2359 2360 PD.HandlePathDiagnostic(D.take()); 2361 } 2362 2363 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 2364 StringRef name, 2365 StringRef category, 2366 StringRef str, PathDiagnosticLocation Loc, 2367 SourceRange* RBeg, unsigned NumRanges) { 2368 2369 // 'BT' is owned by BugReporter. 2370 BugType *BT = getBugTypeForName(name, category); 2371 BugReport *R = new BugReport(*BT, str, Loc); 2372 R->setDeclWithIssue(DeclWithIssue); 2373 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 2374 emitReport(R); 2375 } 2376 2377 BugType *BugReporter::getBugTypeForName(StringRef name, 2378 StringRef category) { 2379 SmallString<136> fullDesc; 2380 llvm::raw_svector_ostream(fullDesc) << name << ":" << category; 2381 llvm::StringMapEntry<BugType *> & 2382 entry = StrBugTypes.GetOrCreateValue(fullDesc); 2383 BugType *BT = entry.getValue(); 2384 if (!BT) { 2385 BT = new BugType(name, category); 2386 entry.setValue(BT); 2387 } 2388 return BT; 2389 } 2390