1 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines BugReporter, a utility class for generating 11 // PathDiagnostics. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 18 #include "clang/AST/ASTContext.h" 19 #include "clang/Analysis/CFG.h" 20 #include "clang/AST/Expr.h" 21 #include "clang/AST/ParentMap.h" 22 #include "clang/AST/StmtObjC.h" 23 #include "clang/Basic/SourceManager.h" 24 #include "clang/Analysis/ProgramPoint.h" 25 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 26 #include "llvm/Support/raw_ostream.h" 27 #include "llvm/ADT/DenseMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/OwningPtr.h" 30 #include <queue> 31 32 using namespace clang; 33 using namespace ento; 34 35 BugReporterVisitor::~BugReporterVisitor() {} 36 37 //===----------------------------------------------------------------------===// 38 // Helper routines for walking the ExplodedGraph and fetching statements. 39 //===----------------------------------------------------------------------===// 40 41 static inline const Stmt *GetStmt(const ProgramPoint &P) { 42 if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P)) 43 return SP->getStmt(); 44 else if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) 45 return BE->getSrc()->getTerminator(); 46 47 return 0; 48 } 49 50 static inline const ExplodedNode* 51 GetPredecessorNode(const ExplodedNode *N) { 52 return N->pred_empty() ? NULL : *(N->pred_begin()); 53 } 54 55 static inline const ExplodedNode* 56 GetSuccessorNode(const ExplodedNode *N) { 57 return N->succ_empty() ? NULL : *(N->succ_begin()); 58 } 59 60 static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 61 for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N)) 62 if (const Stmt *S = GetStmt(N->getLocation())) 63 return S; 64 65 return 0; 66 } 67 68 static const Stmt *GetNextStmt(const ExplodedNode *N) { 69 for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) 70 if (const Stmt *S = GetStmt(N->getLocation())) { 71 // Check if the statement is '?' or '&&'/'||'. These are "merges", 72 // not actual statement points. 73 switch (S->getStmtClass()) { 74 case Stmt::ChooseExprClass: 75 case Stmt::BinaryConditionalOperatorClass: continue; 76 case Stmt::ConditionalOperatorClass: continue; 77 case Stmt::BinaryOperatorClass: { 78 BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode(); 79 if (Op == BO_LAnd || Op == BO_LOr) 80 continue; 81 break; 82 } 83 default: 84 break; 85 } 86 return S; 87 } 88 89 return 0; 90 } 91 92 static inline const Stmt* 93 GetCurrentOrPreviousStmt(const ExplodedNode *N) { 94 if (const Stmt *S = GetStmt(N->getLocation())) 95 return S; 96 97 return GetPreviousStmt(N); 98 } 99 100 static inline const Stmt* 101 GetCurrentOrNextStmt(const ExplodedNode *N) { 102 if (const Stmt *S = GetStmt(N->getLocation())) 103 return S; 104 105 return GetNextStmt(N); 106 } 107 108 //===----------------------------------------------------------------------===// 109 // PathDiagnosticBuilder and its associated routines and helper objects. 110 //===----------------------------------------------------------------------===// 111 112 typedef llvm::DenseMap<const ExplodedNode*, 113 const ExplodedNode*> NodeBackMap; 114 115 namespace { 116 class NodeMapClosure : public BugReport::NodeResolver { 117 NodeBackMap& M; 118 public: 119 NodeMapClosure(NodeBackMap *m) : M(*m) {} 120 ~NodeMapClosure() {} 121 122 const ExplodedNode *getOriginalNode(const ExplodedNode *N) { 123 NodeBackMap::iterator I = M.find(N); 124 return I == M.end() ? 0 : I->second; 125 } 126 }; 127 128 class PathDiagnosticBuilder : public BugReporterContext { 129 BugReport *R; 130 PathDiagnosticClient *PDC; 131 llvm::OwningPtr<ParentMap> PM; 132 NodeMapClosure NMC; 133 public: 134 PathDiagnosticBuilder(GRBugReporter &br, 135 BugReport *r, NodeBackMap *Backmap, 136 PathDiagnosticClient *pdc) 137 : BugReporterContext(br), 138 R(r), PDC(pdc), NMC(Backmap) {} 139 140 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 141 142 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 143 const ExplodedNode *N); 144 145 BugReport *getBugReport() { return R; } 146 147 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 148 149 const LocationContext* getLocationContext() { 150 return R->getErrorNode()->getLocationContext(); 151 } 152 153 ParentMap& getParentMap() { return R->getErrorNode()->getParentMap(); } 154 155 const Stmt *getParent(const Stmt *S) { 156 return getParentMap().getParent(S); 157 } 158 159 virtual NodeMapClosure& getNodeResolver() { return NMC; } 160 161 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 162 163 PathDiagnosticClient::PathGenerationScheme getGenerationScheme() const { 164 return PDC ? PDC->getGenerationScheme() : PathDiagnosticClient::Extensive; 165 } 166 167 bool supportsLogicalOpControlFlow() const { 168 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 169 } 170 }; 171 } // end anonymous namespace 172 173 PathDiagnosticLocation 174 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 175 if (const Stmt *S = GetNextStmt(N)) 176 return PathDiagnosticLocation(S, getSourceManager(), getLocationContext()); 177 178 return FullSourceLoc(N->getLocationContext()->getDecl()->getBodyRBrace(), 179 getSourceManager()); 180 } 181 182 PathDiagnosticLocation 183 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 184 const ExplodedNode *N) { 185 186 // Slow, but probably doesn't matter. 187 if (os.str().empty()) 188 os << ' '; 189 190 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 191 192 if (Loc.asStmt()) 193 os << "Execution continues on line " 194 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 195 << '.'; 196 else { 197 os << "Execution jumps to the end of the "; 198 const Decl *D = N->getLocationContext()->getDecl(); 199 if (isa<ObjCMethodDecl>(D)) 200 os << "method"; 201 else if (isa<FunctionDecl>(D)) 202 os << "function"; 203 else { 204 assert(isa<BlockDecl>(D)); 205 os << "anonymous block"; 206 } 207 os << '.'; 208 } 209 210 return Loc; 211 } 212 213 static bool IsNested(const Stmt *S, ParentMap &PM) { 214 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 215 return true; 216 217 const Stmt *Parent = PM.getParentIgnoreParens(S); 218 219 if (Parent) 220 switch (Parent->getStmtClass()) { 221 case Stmt::ForStmtClass: 222 case Stmt::DoStmtClass: 223 case Stmt::WhileStmtClass: 224 return true; 225 default: 226 break; 227 } 228 229 return false; 230 } 231 232 PathDiagnosticLocation 233 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 234 assert(S && "Null Stmt *passed to getEnclosingStmtLocation"); 235 ParentMap &P = getParentMap(); 236 SourceManager &SMgr = getSourceManager(); 237 const LocationContext *LC = getLocationContext(); 238 239 while (IsNested(S, P)) { 240 const Stmt *Parent = P.getParentIgnoreParens(S); 241 242 if (!Parent) 243 break; 244 245 switch (Parent->getStmtClass()) { 246 case Stmt::BinaryOperatorClass: { 247 const BinaryOperator *B = cast<BinaryOperator>(Parent); 248 if (B->isLogicalOp()) 249 return PathDiagnosticLocation(S, SMgr, LC); 250 break; 251 } 252 case Stmt::CompoundStmtClass: 253 case Stmt::StmtExprClass: 254 return PathDiagnosticLocation(S, SMgr, LC); 255 case Stmt::ChooseExprClass: 256 // Similar to '?' if we are referring to condition, just have the edge 257 // point to the entire choose expression. 258 if (cast<ChooseExpr>(Parent)->getCond() == S) 259 return PathDiagnosticLocation(Parent, SMgr, LC); 260 else 261 return PathDiagnosticLocation(S, SMgr, LC); 262 case Stmt::BinaryConditionalOperatorClass: 263 case Stmt::ConditionalOperatorClass: 264 // For '?', if we are referring to condition, just have the edge point 265 // to the entire '?' expression. 266 if (cast<AbstractConditionalOperator>(Parent)->getCond() == S) 267 return PathDiagnosticLocation(Parent, SMgr, LC); 268 else 269 return PathDiagnosticLocation(S, SMgr, LC); 270 case Stmt::DoStmtClass: 271 return PathDiagnosticLocation(S, SMgr, LC); 272 case Stmt::ForStmtClass: 273 if (cast<ForStmt>(Parent)->getBody() == S) 274 return PathDiagnosticLocation(S, SMgr, LC); 275 break; 276 case Stmt::IfStmtClass: 277 if (cast<IfStmt>(Parent)->getCond() != S) 278 return PathDiagnosticLocation(S, SMgr, LC); 279 break; 280 case Stmt::ObjCForCollectionStmtClass: 281 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 282 return PathDiagnosticLocation(S, SMgr, LC); 283 break; 284 case Stmt::WhileStmtClass: 285 if (cast<WhileStmt>(Parent)->getCond() != S) 286 return PathDiagnosticLocation(S, SMgr, LC); 287 break; 288 default: 289 break; 290 } 291 292 S = Parent; 293 } 294 295 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 296 297 // Special case: DeclStmts can appear in for statement declarations, in which 298 // case the ForStmt is the context. 299 if (isa<DeclStmt>(S)) { 300 if (const Stmt *Parent = P.getParent(S)) { 301 switch (Parent->getStmtClass()) { 302 case Stmt::ForStmtClass: 303 case Stmt::ObjCForCollectionStmtClass: 304 return PathDiagnosticLocation(Parent, SMgr, LC); 305 default: 306 break; 307 } 308 } 309 } 310 else if (isa<BinaryOperator>(S)) { 311 // Special case: the binary operator represents the initialization 312 // code in a for statement (this can happen when the variable being 313 // initialized is an old variable. 314 if (const ForStmt *FS = 315 dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) { 316 if (FS->getInit() == S) 317 return PathDiagnosticLocation(FS, SMgr, LC); 318 } 319 } 320 321 return PathDiagnosticLocation(S, SMgr, LC); 322 } 323 324 //===----------------------------------------------------------------------===// 325 // ScanNotableSymbols: closure-like callback for scanning Store bindings. 326 //===----------------------------------------------------------------------===// 327 328 static const VarDecl* GetMostRecentVarDeclBinding(const ExplodedNode *N, 329 ProgramStateManager& VMgr, 330 SVal X) { 331 332 for ( ; N ; N = N->pred_empty() ? 0 : *N->pred_begin()) { 333 334 ProgramPoint P = N->getLocation(); 335 336 if (!isa<PostStmt>(P)) 337 continue; 338 339 const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(cast<PostStmt>(P).getStmt()); 340 341 if (!DR) 342 continue; 343 344 SVal Y = N->getState()->getSVal(DR); 345 346 if (X != Y) 347 continue; 348 349 const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()); 350 351 if (!VD) 352 continue; 353 354 return VD; 355 } 356 357 return 0; 358 } 359 360 namespace { 361 class NotableSymbolHandler 362 : public StoreManager::BindingsHandler { 363 364 SymbolRef Sym; 365 const ProgramState *PrevSt; 366 const Stmt *S; 367 ProgramStateManager& VMgr; 368 const ExplodedNode *Pred; 369 PathDiagnostic& PD; 370 BugReporter& BR; 371 372 public: 373 374 NotableSymbolHandler(SymbolRef sym, 375 const ProgramState *prevst, 376 const Stmt *s, 377 ProgramStateManager& vmgr, 378 const ExplodedNode *pred, 379 PathDiagnostic& pd, 380 BugReporter& br) 381 : Sym(sym), 382 PrevSt(prevst), 383 S(s), 384 VMgr(vmgr), 385 Pred(pred), 386 PD(pd), 387 BR(br) {} 388 389 bool HandleBinding(StoreManager& SMgr, Store store, const MemRegion* R, 390 SVal V) { 391 392 SymbolRef ScanSym = V.getAsSymbol(); 393 394 if (ScanSym != Sym) 395 return true; 396 397 // Check if the previous state has this binding. 398 SVal X = PrevSt->getSVal(loc::MemRegionVal(R)); 399 400 if (X == V) // Same binding? 401 return true; 402 403 // Different binding. Only handle assignments for now. We don't pull 404 // this check out of the loop because we will eventually handle other 405 // cases. 406 407 VarDecl *VD = 0; 408 409 if (const BinaryOperator* B = dyn_cast<BinaryOperator>(S)) { 410 if (!B->isAssignmentOp()) 411 return true; 412 413 // What variable did we assign to? 414 DeclRefExpr *DR = dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenCasts()); 415 416 if (!DR) 417 return true; 418 419 VD = dyn_cast<VarDecl>(DR->getDecl()); 420 } 421 else if (const DeclStmt *DS = dyn_cast<DeclStmt>(S)) { 422 // FIXME: Eventually CFGs won't have DeclStmts. Right now we 423 // assume that each DeclStmt has a single Decl. This invariant 424 // holds by construction in the CFG. 425 VD = dyn_cast<VarDecl>(*DS->decl_begin()); 426 } 427 428 if (!VD) 429 return true; 430 431 // What is the most recently referenced variable with this binding? 432 const VarDecl *MostRecent = GetMostRecentVarDeclBinding(Pred, VMgr, V); 433 434 if (!MostRecent) 435 return true; 436 437 // Create the diagnostic. 438 FullSourceLoc L(S->getLocStart(), BR.getSourceManager()); 439 440 if (Loc::isLocType(VD->getType())) { 441 llvm::SmallString<64> buf; 442 llvm::raw_svector_ostream os(buf); 443 os << '\'' << VD << "' now aliases '" << MostRecent << '\''; 444 445 PD.push_front(new PathDiagnosticEventPiece(L, os.str())); 446 } 447 448 return true; 449 } 450 }; 451 } 452 453 static void HandleNotableSymbol(const ExplodedNode *N, 454 const Stmt *S, 455 SymbolRef Sym, BugReporter& BR, 456 PathDiagnostic& PD) { 457 458 const ExplodedNode *Pred = N->pred_empty() ? 0 : *N->pred_begin(); 459 const ProgramState *PrevSt = Pred ? Pred->getState() : 0; 460 461 if (!PrevSt) 462 return; 463 464 // Look at the region bindings of the current state that map to the 465 // specified symbol. Are any of them not in the previous state? 466 ProgramStateManager& VMgr = cast<GRBugReporter>(BR).getStateManager(); 467 NotableSymbolHandler H(Sym, PrevSt, S, VMgr, Pred, PD, BR); 468 cast<GRBugReporter>(BR).getStateManager().iterBindings(N->getState(), H); 469 } 470 471 namespace { 472 class ScanNotableSymbols 473 : public StoreManager::BindingsHandler { 474 475 llvm::SmallSet<SymbolRef, 10> AlreadyProcessed; 476 const ExplodedNode *N; 477 const Stmt *S; 478 GRBugReporter& BR; 479 PathDiagnostic& PD; 480 481 public: 482 ScanNotableSymbols(const ExplodedNode *n, const Stmt *s, 483 GRBugReporter& br, PathDiagnostic& pd) 484 : N(n), S(s), BR(br), PD(pd) {} 485 486 bool HandleBinding(StoreManager& SMgr, Store store, 487 const MemRegion* R, SVal V) { 488 489 SymbolRef ScanSym = V.getAsSymbol(); 490 491 if (!ScanSym) 492 return true; 493 494 if (!BR.isNotable(ScanSym)) 495 return true; 496 497 if (AlreadyProcessed.count(ScanSym)) 498 return true; 499 500 AlreadyProcessed.insert(ScanSym); 501 502 HandleNotableSymbol(N, S, ScanSym, BR, PD); 503 return true; 504 } 505 }; 506 } // end anonymous namespace 507 508 //===----------------------------------------------------------------------===// 509 // "Minimal" path diagnostic generation algorithm. 510 //===----------------------------------------------------------------------===// 511 512 static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM); 513 514 static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 515 PathDiagnosticBuilder &PDB, 516 const ExplodedNode *N) { 517 518 SourceManager& SMgr = PDB.getSourceManager(); 519 const LocationContext *LC = PDB.getLocationContext(); 520 const ExplodedNode *NextNode = N->pred_empty() 521 ? NULL : *(N->pred_begin()); 522 while (NextNode) { 523 N = NextNode; 524 NextNode = GetPredecessorNode(N); 525 526 ProgramPoint P = N->getLocation(); 527 528 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 529 const CFGBlock *Src = BE->getSrc(); 530 const CFGBlock *Dst = BE->getDst(); 531 const Stmt *T = Src->getTerminator(); 532 533 if (!T) 534 continue; 535 536 FullSourceLoc Start(T->getLocStart(), SMgr); 537 538 switch (T->getStmtClass()) { 539 default: 540 break; 541 542 case Stmt::GotoStmtClass: 543 case Stmt::IndirectGotoStmtClass: { 544 const Stmt *S = GetNextStmt(N); 545 546 if (!S) 547 continue; 548 549 std::string sbuf; 550 llvm::raw_string_ostream os(sbuf); 551 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 552 553 os << "Control jumps to line " 554 << End.asLocation().getExpansionLineNumber(); 555 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 556 os.str())); 557 break; 558 } 559 560 case Stmt::SwitchStmtClass: { 561 // Figure out what case arm we took. 562 std::string sbuf; 563 llvm::raw_string_ostream os(sbuf); 564 565 if (const Stmt *S = Dst->getLabel()) { 566 PathDiagnosticLocation End(S, SMgr, LC); 567 568 switch (S->getStmtClass()) { 569 default: 570 os << "No cases match in the switch statement. " 571 "Control jumps to line " 572 << End.asLocation().getExpansionLineNumber(); 573 break; 574 case Stmt::DefaultStmtClass: 575 os << "Control jumps to the 'default' case at line " 576 << End.asLocation().getExpansionLineNumber(); 577 break; 578 579 case Stmt::CaseStmtClass: { 580 os << "Control jumps to 'case "; 581 const CaseStmt *Case = cast<CaseStmt>(S); 582 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 583 584 // Determine if it is an enum. 585 bool GetRawInt = true; 586 587 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 588 // FIXME: Maybe this should be an assertion. Are there cases 589 // were it is not an EnumConstantDecl? 590 const EnumConstantDecl *D = 591 dyn_cast<EnumConstantDecl>(DR->getDecl()); 592 593 if (D) { 594 GetRawInt = false; 595 os << D; 596 } 597 } 598 599 if (GetRawInt) 600 os << LHS->EvaluateAsInt(PDB.getASTContext()); 601 602 os << ":' at line " 603 << End.asLocation().getExpansionLineNumber(); 604 break; 605 } 606 } 607 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 608 os.str())); 609 } 610 else { 611 os << "'Default' branch taken. "; 612 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 613 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 614 os.str())); 615 } 616 617 break; 618 } 619 620 case Stmt::BreakStmtClass: 621 case Stmt::ContinueStmtClass: { 622 std::string sbuf; 623 llvm::raw_string_ostream os(sbuf); 624 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 625 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 626 os.str())); 627 break; 628 } 629 630 // Determine control-flow for ternary '?'. 631 case Stmt::BinaryConditionalOperatorClass: 632 case Stmt::ConditionalOperatorClass: { 633 std::string sbuf; 634 llvm::raw_string_ostream os(sbuf); 635 os << "'?' condition is "; 636 637 if (*(Src->succ_begin()+1) == Dst) 638 os << "false"; 639 else 640 os << "true"; 641 642 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 643 644 if (const Stmt *S = End.asStmt()) 645 End = PDB.getEnclosingStmtLocation(S); 646 647 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 648 os.str())); 649 break; 650 } 651 652 // Determine control-flow for short-circuited '&&' and '||'. 653 case Stmt::BinaryOperatorClass: { 654 if (!PDB.supportsLogicalOpControlFlow()) 655 break; 656 657 const BinaryOperator *B = cast<BinaryOperator>(T); 658 std::string sbuf; 659 llvm::raw_string_ostream os(sbuf); 660 os << "Left side of '"; 661 662 if (B->getOpcode() == BO_LAnd) { 663 os << "&&" << "' is "; 664 665 if (*(Src->succ_begin()+1) == Dst) { 666 os << "false"; 667 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 668 PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr); 669 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 670 os.str())); 671 } 672 else { 673 os << "true"; 674 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 675 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 676 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 677 os.str())); 678 } 679 } 680 else { 681 assert(B->getOpcode() == BO_LOr); 682 os << "||" << "' is "; 683 684 if (*(Src->succ_begin()+1) == Dst) { 685 os << "false"; 686 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 687 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 688 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 689 os.str())); 690 } 691 else { 692 os << "true"; 693 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 694 PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr); 695 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 696 os.str())); 697 } 698 } 699 700 break; 701 } 702 703 case Stmt::DoStmtClass: { 704 if (*(Src->succ_begin()) == Dst) { 705 std::string sbuf; 706 llvm::raw_string_ostream os(sbuf); 707 708 os << "Loop condition is true. "; 709 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 710 711 if (const Stmt *S = End.asStmt()) 712 End = PDB.getEnclosingStmtLocation(S); 713 714 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 715 os.str())); 716 } 717 else { 718 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 719 720 if (const Stmt *S = End.asStmt()) 721 End = PDB.getEnclosingStmtLocation(S); 722 723 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 724 "Loop condition is false. Exiting loop")); 725 } 726 727 break; 728 } 729 730 case Stmt::WhileStmtClass: 731 case Stmt::ForStmtClass: { 732 if (*(Src->succ_begin()+1) == Dst) { 733 std::string sbuf; 734 llvm::raw_string_ostream os(sbuf); 735 736 os << "Loop condition is false. "; 737 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 738 if (const Stmt *S = End.asStmt()) 739 End = PDB.getEnclosingStmtLocation(S); 740 741 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 742 os.str())); 743 } 744 else { 745 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 746 if (const Stmt *S = End.asStmt()) 747 End = PDB.getEnclosingStmtLocation(S); 748 749 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 750 "Loop condition is true. Entering loop body")); 751 } 752 753 break; 754 } 755 756 case Stmt::IfStmtClass: { 757 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 758 759 if (const Stmt *S = End.asStmt()) 760 End = PDB.getEnclosingStmtLocation(S); 761 762 if (*(Src->succ_begin()+1) == Dst) 763 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 764 "Taking false branch")); 765 else 766 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 767 "Taking true branch")); 768 769 break; 770 } 771 } 772 } 773 774 if (NextNode) { 775 // Add diagnostic pieces from custom visitors. 776 BugReport *R = PDB.getBugReport(); 777 for (BugReport::visitor_iterator I = R->visitor_begin(), 778 E = R->visitor_end(); I!=E; ++I) { 779 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) 780 PD.push_front(p); 781 } 782 } 783 784 if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) { 785 // Scan the region bindings, and see if a "notable" symbol has a new 786 // lval binding. 787 ScanNotableSymbols SNS(N, PS->getStmt(), PDB.getBugReporter(), PD); 788 PDB.getStateManager().iterBindings(N->getState(), SNS); 789 } 790 } 791 792 // After constructing the full PathDiagnostic, do a pass over it to compact 793 // PathDiagnosticPieces that occur within a macro. 794 CompactPathDiagnostic(PD, PDB.getSourceManager()); 795 } 796 797 //===----------------------------------------------------------------------===// 798 // "Extensive" PathDiagnostic generation. 799 //===----------------------------------------------------------------------===// 800 801 static bool IsControlFlowExpr(const Stmt *S) { 802 const Expr *E = dyn_cast<Expr>(S); 803 804 if (!E) 805 return false; 806 807 E = E->IgnoreParenCasts(); 808 809 if (isa<AbstractConditionalOperator>(E)) 810 return true; 811 812 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 813 if (B->isLogicalOp()) 814 return true; 815 816 return false; 817 } 818 819 namespace { 820 class ContextLocation : public PathDiagnosticLocation { 821 bool IsDead; 822 public: 823 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 824 : PathDiagnosticLocation(L), IsDead(isdead) {} 825 826 void markDead() { IsDead = true; } 827 bool isDead() const { return IsDead; } 828 }; 829 830 class EdgeBuilder { 831 std::vector<ContextLocation> CLocs; 832 typedef std::vector<ContextLocation>::iterator iterator; 833 PathDiagnostic &PD; 834 PathDiagnosticBuilder &PDB; 835 PathDiagnosticLocation PrevLoc; 836 837 bool IsConsumedExpr(const PathDiagnosticLocation &L); 838 839 bool containsLocation(const PathDiagnosticLocation &Container, 840 const PathDiagnosticLocation &Containee); 841 842 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 843 844 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 845 bool firstCharOnly = false) { 846 if (const Stmt *S = L.asStmt()) { 847 const Stmt *Original = S; 848 while (1) { 849 // Adjust the location for some expressions that are best referenced 850 // by one of their subexpressions. 851 switch (S->getStmtClass()) { 852 default: 853 break; 854 case Stmt::ParenExprClass: 855 case Stmt::GenericSelectionExprClass: 856 S = cast<Expr>(S)->IgnoreParens(); 857 firstCharOnly = true; 858 continue; 859 case Stmt::BinaryConditionalOperatorClass: 860 case Stmt::ConditionalOperatorClass: 861 S = cast<AbstractConditionalOperator>(S)->getCond(); 862 firstCharOnly = true; 863 continue; 864 case Stmt::ChooseExprClass: 865 S = cast<ChooseExpr>(S)->getCond(); 866 firstCharOnly = true; 867 continue; 868 case Stmt::BinaryOperatorClass: 869 S = cast<BinaryOperator>(S)->getLHS(); 870 firstCharOnly = true; 871 continue; 872 } 873 874 break; 875 } 876 877 if (S != Original) 878 L = PathDiagnosticLocation(S, L.getManager(), L.getLocationContext()); 879 } 880 881 if (firstCharOnly) 882 L = PathDiagnosticLocation(L.asLocation()); 883 884 return L; 885 } 886 887 void popLocation() { 888 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 889 // For contexts, we only one the first character as the range. 890 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 891 } 892 CLocs.pop_back(); 893 } 894 895 public: 896 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 897 : PD(pd), PDB(pdb) { 898 899 // If the PathDiagnostic already has pieces, add the enclosing statement 900 // of the first piece as a context as well. 901 if (!PD.empty()) { 902 PrevLoc = PD.begin()->getLocation(); 903 904 if (const Stmt *S = PrevLoc.asStmt()) 905 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 906 } 907 } 908 909 ~EdgeBuilder() { 910 while (!CLocs.empty()) popLocation(); 911 912 // Finally, add an initial edge from the start location of the first 913 // statement (if it doesn't already exist). 914 // FIXME: Should handle CXXTryStmt if analyser starts supporting C++. 915 if (const CompoundStmt *CS = 916 dyn_cast_or_null<CompoundStmt>(PDB.getCodeDecl().getBody())) 917 if (!CS->body_empty()) { 918 SourceLocation Loc = (*CS->body_begin())->getLocStart(); 919 rawAddEdge(PathDiagnosticLocation(Loc, PDB.getSourceManager())); 920 } 921 922 } 923 924 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 925 926 void rawAddEdge(PathDiagnosticLocation NewLoc); 927 928 void addContext(const Stmt *S); 929 void addExtendedContext(const Stmt *S); 930 }; 931 } // end anonymous namespace 932 933 934 PathDiagnosticLocation 935 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 936 if (const Stmt *S = L.asStmt()) { 937 if (IsControlFlowExpr(S)) 938 return L; 939 940 return PDB.getEnclosingStmtLocation(S); 941 } 942 943 return L; 944 } 945 946 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 947 const PathDiagnosticLocation &Containee) { 948 949 if (Container == Containee) 950 return true; 951 952 if (Container.asDecl()) 953 return true; 954 955 if (const Stmt *S = Containee.asStmt()) 956 if (const Stmt *ContainerS = Container.asStmt()) { 957 while (S) { 958 if (S == ContainerS) 959 return true; 960 S = PDB.getParent(S); 961 } 962 return false; 963 } 964 965 // Less accurate: compare using source ranges. 966 SourceRange ContainerR = Container.asRange(); 967 SourceRange ContaineeR = Containee.asRange(); 968 969 SourceManager &SM = PDB.getSourceManager(); 970 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 971 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 972 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 973 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 974 975 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 976 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 977 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 978 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 979 980 assert(ContainerBegLine <= ContainerEndLine); 981 assert(ContaineeBegLine <= ContaineeEndLine); 982 983 return (ContainerBegLine <= ContaineeBegLine && 984 ContainerEndLine >= ContaineeEndLine && 985 (ContainerBegLine != ContaineeBegLine || 986 SM.getExpansionColumnNumber(ContainerRBeg) <= 987 SM.getExpansionColumnNumber(ContaineeRBeg)) && 988 (ContainerEndLine != ContaineeEndLine || 989 SM.getExpansionColumnNumber(ContainerREnd) >= 990 SM.getExpansionColumnNumber(ContainerREnd))); 991 } 992 993 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 994 if (!PrevLoc.isValid()) { 995 PrevLoc = NewLoc; 996 return; 997 } 998 999 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 1000 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 1001 1002 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1003 return; 1004 1005 // FIXME: Ignore intra-macro edges for now. 1006 if (NewLocClean.asLocation().getExpansionLoc() == 1007 PrevLocClean.asLocation().getExpansionLoc()) 1008 return; 1009 1010 PD.push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 1011 PrevLoc = NewLoc; 1012 } 1013 1014 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 1015 1016 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1017 return; 1018 1019 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1020 1021 while (!CLocs.empty()) { 1022 ContextLocation &TopContextLoc = CLocs.back(); 1023 1024 // Is the top location context the same as the one for the new location? 1025 if (TopContextLoc == CLoc) { 1026 if (alwaysAdd) { 1027 if (IsConsumedExpr(TopContextLoc) && 1028 !IsControlFlowExpr(TopContextLoc.asStmt())) 1029 TopContextLoc.markDead(); 1030 1031 rawAddEdge(NewLoc); 1032 } 1033 1034 return; 1035 } 1036 1037 if (containsLocation(TopContextLoc, CLoc)) { 1038 if (alwaysAdd) { 1039 rawAddEdge(NewLoc); 1040 1041 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 1042 CLocs.push_back(ContextLocation(CLoc, true)); 1043 return; 1044 } 1045 } 1046 1047 CLocs.push_back(CLoc); 1048 return; 1049 } 1050 1051 // Context does not contain the location. Flush it. 1052 popLocation(); 1053 } 1054 1055 // If we reach here, there is no enclosing context. Just add the edge. 1056 rawAddEdge(NewLoc); 1057 } 1058 1059 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1060 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 1061 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1062 1063 return false; 1064 } 1065 1066 void EdgeBuilder::addExtendedContext(const Stmt *S) { 1067 if (!S) 1068 return; 1069 1070 const Stmt *Parent = PDB.getParent(S); 1071 while (Parent) { 1072 if (isa<CompoundStmt>(Parent)) 1073 Parent = PDB.getParent(Parent); 1074 else 1075 break; 1076 } 1077 1078 if (Parent) { 1079 switch (Parent->getStmtClass()) { 1080 case Stmt::DoStmtClass: 1081 case Stmt::ObjCAtSynchronizedStmtClass: 1082 addContext(Parent); 1083 default: 1084 break; 1085 } 1086 } 1087 1088 addContext(S); 1089 } 1090 1091 void EdgeBuilder::addContext(const Stmt *S) { 1092 if (!S) 1093 return; 1094 1095 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.getLocationContext()); 1096 1097 while (!CLocs.empty()) { 1098 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1099 1100 // Is the top location context the same as the one for the new location? 1101 if (TopContextLoc == L) 1102 return; 1103 1104 if (containsLocation(TopContextLoc, L)) { 1105 CLocs.push_back(L); 1106 return; 1107 } 1108 1109 // Context does not contain the location. Flush it. 1110 popLocation(); 1111 } 1112 1113 CLocs.push_back(L); 1114 } 1115 1116 static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1117 PathDiagnosticBuilder &PDB, 1118 const ExplodedNode *N) { 1119 EdgeBuilder EB(PD, PDB); 1120 1121 const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 1122 while (NextNode) { 1123 N = NextNode; 1124 NextNode = GetPredecessorNode(N); 1125 ProgramPoint P = N->getLocation(); 1126 1127 do { 1128 // Block edges. 1129 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 1130 const CFGBlock &Blk = *BE->getSrc(); 1131 const Stmt *Term = Blk.getTerminator(); 1132 1133 // Are we jumping to the head of a loop? Add a special diagnostic. 1134 if (const Stmt *Loop = BE->getDst()->getLoopTarget()) { 1135 PathDiagnosticLocation L(Loop, PDB.getSourceManager(), 1136 PDB.getLocationContext()); 1137 const CompoundStmt *CS = NULL; 1138 1139 if (!Term) { 1140 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1141 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1142 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1143 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1144 } 1145 1146 PathDiagnosticEventPiece *p = 1147 new PathDiagnosticEventPiece(L, 1148 "Looping back to the head of the loop"); 1149 1150 EB.addEdge(p->getLocation(), true); 1151 PD.push_front(p); 1152 1153 if (CS) { 1154 PathDiagnosticLocation BL(CS->getRBracLoc(), 1155 PDB.getSourceManager()); 1156 BL = PathDiagnosticLocation(BL.asLocation()); 1157 EB.addEdge(BL); 1158 } 1159 } 1160 1161 if (Term) 1162 EB.addContext(Term); 1163 1164 break; 1165 } 1166 1167 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 1168 if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) { 1169 const Stmt *stmt = S->getStmt(); 1170 if (IsControlFlowExpr(stmt)) { 1171 // Add the proper context for '&&', '||', and '?'. 1172 EB.addContext(stmt); 1173 } 1174 else 1175 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1176 } 1177 1178 break; 1179 } 1180 } while (0); 1181 1182 if (!NextNode) 1183 continue; 1184 1185 // Add pieces from custom visitors. 1186 BugReport *R = PDB.getBugReport(); 1187 for (BugReport::visitor_iterator I = R->visitor_begin(), 1188 E = R->visitor_end(); I!=E; ++I) { 1189 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 1190 const PathDiagnosticLocation &Loc = p->getLocation(); 1191 EB.addEdge(Loc, true); 1192 PD.push_front(p); 1193 if (const Stmt *S = Loc.asStmt()) 1194 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1195 } 1196 } 1197 } 1198 } 1199 1200 //===----------------------------------------------------------------------===// 1201 // Methods for BugType and subclasses. 1202 //===----------------------------------------------------------------------===// 1203 BugType::~BugType() { } 1204 1205 void BugType::FlushReports(BugReporter &BR) {} 1206 1207 //===----------------------------------------------------------------------===// 1208 // Methods for BugReport and subclasses. 1209 //===----------------------------------------------------------------------===// 1210 1211 void BugReport::addVisitor(BugReporterVisitor* visitor) { 1212 if (!visitor) 1213 return; 1214 1215 llvm::FoldingSetNodeID ID; 1216 visitor->Profile(ID); 1217 void *InsertPos; 1218 1219 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 1220 delete visitor; 1221 return; 1222 } 1223 1224 CallbacksSet.InsertNode(visitor, InsertPos); 1225 Callbacks = F.add(visitor, Callbacks); 1226 } 1227 1228 BugReport::~BugReport() { 1229 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) { 1230 delete *I; 1231 } 1232 } 1233 1234 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 1235 hash.AddPointer(&BT); 1236 hash.AddInteger(getLocation().getRawEncoding()); 1237 hash.AddString(Description); 1238 1239 for (SmallVectorImpl<SourceRange>::const_iterator I = 1240 Ranges.begin(), E = Ranges.end(); I != E; ++I) { 1241 const SourceRange range = *I; 1242 if (!range.isValid()) 1243 continue; 1244 hash.AddInteger(range.getBegin().getRawEncoding()); 1245 hash.AddInteger(range.getEnd().getRawEncoding()); 1246 } 1247 } 1248 1249 const Stmt *BugReport::getStmt() const { 1250 if (!ErrorNode) 1251 return 0; 1252 1253 ProgramPoint ProgP = ErrorNode->getLocation(); 1254 const Stmt *S = NULL; 1255 1256 if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) { 1257 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 1258 if (BE->getBlock() == &Exit) 1259 S = GetPreviousStmt(ErrorNode); 1260 } 1261 if (!S) 1262 S = GetStmt(ProgP); 1263 1264 return S; 1265 } 1266 1267 std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 1268 BugReport::getRanges() { 1269 // If no custom ranges, add the range of the statement corresponding to 1270 // the error node. 1271 if (Ranges.empty()) { 1272 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) 1273 addRange(E->getSourceRange()); 1274 else 1275 return std::make_pair(ranges_iterator(), ranges_iterator()); 1276 } 1277 1278 // User-specified absence of range info. 1279 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 1280 return std::make_pair(ranges_iterator(), ranges_iterator()); 1281 1282 return std::make_pair(Ranges.begin(), Ranges.end()); 1283 } 1284 1285 SourceLocation BugReport::getLocation() const { 1286 if (ErrorNode) { 1287 (Location.isInvalid() && 1288 "Either Location or ErrorNode should be specified but not both."); 1289 1290 if (const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode)) { 1291 // For member expressions, return the location of the '.' or '->'. 1292 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 1293 return ME->getMemberLoc(); 1294 // For binary operators, return the location of the operator. 1295 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 1296 return B->getOperatorLoc(); 1297 1298 return S->getLocStart(); 1299 } 1300 1301 } else { 1302 assert(Location.isValid()); 1303 return Location; 1304 } 1305 1306 return FullSourceLoc(); 1307 } 1308 1309 //===----------------------------------------------------------------------===// 1310 // Methods for BugReporter and subclasses. 1311 //===----------------------------------------------------------------------===// 1312 1313 BugReportEquivClass::~BugReportEquivClass() { 1314 for (iterator I=begin(), E=end(); I!=E; ++I) delete *I; 1315 } 1316 1317 GRBugReporter::~GRBugReporter() { } 1318 BugReporterData::~BugReporterData() {} 1319 1320 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 1321 1322 ProgramStateManager& 1323 GRBugReporter::getStateManager() { return Eng.getStateManager(); } 1324 1325 BugReporter::~BugReporter() { 1326 FlushReports(); 1327 1328 // Free the bug reports we are tracking. 1329 typedef std::vector<BugReportEquivClass *> ContTy; 1330 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end(); 1331 I != E; ++I) { 1332 delete *I; 1333 } 1334 } 1335 1336 void BugReporter::FlushReports() { 1337 if (BugTypes.isEmpty()) 1338 return; 1339 1340 // First flush the warnings for each BugType. This may end up creating new 1341 // warnings and new BugTypes. 1342 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 1343 // Turn NSErrorChecker into a proper checker and remove this. 1344 SmallVector<const BugType*, 16> bugTypes; 1345 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 1346 bugTypes.push_back(*I); 1347 for (SmallVector<const BugType*, 16>::iterator 1348 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 1349 const_cast<BugType*>(*I)->FlushReports(*this); 1350 1351 typedef llvm::FoldingSet<BugReportEquivClass> SetTy; 1352 for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){ 1353 BugReportEquivClass& EQ = *EI; 1354 FlushReport(EQ); 1355 } 1356 1357 // BugReporter owns and deletes only BugTypes created implicitly through 1358 // EmitBasicReport. 1359 // FIXME: There are leaks from checkers that assume that the BugTypes they 1360 // create will be destroyed by the BugReporter. 1361 for (llvm::StringMap<BugType*>::iterator 1362 I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I) 1363 delete I->second; 1364 1365 // Remove all references to the BugType objects. 1366 BugTypes = F.getEmptySet(); 1367 } 1368 1369 //===----------------------------------------------------------------------===// 1370 // PathDiagnostics generation. 1371 //===----------------------------------------------------------------------===// 1372 1373 static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1374 std::pair<ExplodedNode*, unsigned> > 1375 MakeReportGraph(const ExplodedGraph* G, 1376 SmallVectorImpl<const ExplodedNode*> &nodes) { 1377 1378 // Create the trimmed graph. It will contain the shortest paths from the 1379 // error nodes to the root. In the new graph we should only have one 1380 // error node unless there are two or more error nodes with the same minimum 1381 // path length. 1382 ExplodedGraph* GTrim; 1383 InterExplodedGraphMap* NMap; 1384 1385 llvm::DenseMap<const void*, const void*> InverseMap; 1386 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 1387 &InverseMap); 1388 1389 // Create owning pointers for GTrim and NMap just to ensure that they are 1390 // released when this function exists. 1391 llvm::OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 1392 llvm::OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 1393 1394 // Find the (first) error node in the trimmed graph. We just need to consult 1395 // the node map (NMap) which maps from nodes in the original graph to nodes 1396 // in the new graph. 1397 1398 std::queue<const ExplodedNode*> WS; 1399 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 1400 IndexMapTy IndexMap; 1401 1402 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 1403 const ExplodedNode *originalNode = nodes[nodeIndex]; 1404 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 1405 WS.push(N); 1406 IndexMap[originalNode] = nodeIndex; 1407 } 1408 } 1409 1410 assert(!WS.empty() && "No error node found in the trimmed graph."); 1411 1412 // Create a new (third!) graph with a single path. This is the graph 1413 // that will be returned to the caller. 1414 ExplodedGraph *GNew = new ExplodedGraph(); 1415 1416 // Sometimes the trimmed graph can contain a cycle. Perform a reverse BFS 1417 // to the root node, and then construct a new graph that contains only 1418 // a single path. 1419 llvm::DenseMap<const void*,unsigned> Visited; 1420 1421 unsigned cnt = 0; 1422 const ExplodedNode *Root = 0; 1423 1424 while (!WS.empty()) { 1425 const ExplodedNode *Node = WS.front(); 1426 WS.pop(); 1427 1428 if (Visited.find(Node) != Visited.end()) 1429 continue; 1430 1431 Visited[Node] = cnt++; 1432 1433 if (Node->pred_empty()) { 1434 Root = Node; 1435 break; 1436 } 1437 1438 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 1439 E=Node->pred_end(); I!=E; ++I) 1440 WS.push(*I); 1441 } 1442 1443 assert(Root); 1444 1445 // Now walk from the root down the BFS path, always taking the successor 1446 // with the lowest number. 1447 ExplodedNode *Last = 0, *First = 0; 1448 NodeBackMap *BM = new NodeBackMap(); 1449 unsigned NodeIndex = 0; 1450 1451 for ( const ExplodedNode *N = Root ;;) { 1452 // Lookup the number associated with the current node. 1453 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 1454 assert(I != Visited.end()); 1455 1456 // Create the equivalent node in the new graph with the same state 1457 // and location. 1458 ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState()); 1459 1460 // Store the mapping to the original node. 1461 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 1462 assert(IMitr != InverseMap.end() && "No mapping to original node."); 1463 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 1464 1465 // Link up the new node with the previous node. 1466 if (Last) 1467 NewN->addPredecessor(Last, *GNew); 1468 1469 Last = NewN; 1470 1471 // Are we at the final node? 1472 IndexMapTy::iterator IMI = 1473 IndexMap.find((const ExplodedNode*)(IMitr->second)); 1474 if (IMI != IndexMap.end()) { 1475 First = NewN; 1476 NodeIndex = IMI->second; 1477 break; 1478 } 1479 1480 // Find the next successor node. We choose the node that is marked 1481 // with the lowest DFS number. 1482 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 1483 ExplodedNode::const_succ_iterator SE = N->succ_end(); 1484 N = 0; 1485 1486 for (unsigned MinVal = 0; SI != SE; ++SI) { 1487 1488 I = Visited.find(*SI); 1489 1490 if (I == Visited.end()) 1491 continue; 1492 1493 if (!N || I->second < MinVal) { 1494 N = *SI; 1495 MinVal = I->second; 1496 } 1497 } 1498 1499 assert(N); 1500 } 1501 1502 assert(First); 1503 1504 return std::make_pair(std::make_pair(GNew, BM), 1505 std::make_pair(First, NodeIndex)); 1506 } 1507 1508 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 1509 /// and collapses PathDiagosticPieces that are expanded by macros. 1510 static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM) { 1511 typedef std::vector<std::pair<PathDiagnosticMacroPiece*, SourceLocation> > 1512 MacroStackTy; 1513 1514 typedef std::vector<PathDiagnosticPiece*> 1515 PiecesTy; 1516 1517 MacroStackTy MacroStack; 1518 PiecesTy Pieces; 1519 1520 for (PathDiagnostic::iterator I = PD.begin(), E = PD.end(); I!=E; ++I) { 1521 // Get the location of the PathDiagnosticPiece. 1522 const FullSourceLoc Loc = I->getLocation().asLocation(); 1523 1524 // Determine the instantiation location, which is the location we group 1525 // related PathDiagnosticPieces. 1526 SourceLocation InstantiationLoc = Loc.isMacroID() ? 1527 SM.getExpansionLoc(Loc) : 1528 SourceLocation(); 1529 1530 if (Loc.isFileID()) { 1531 MacroStack.clear(); 1532 Pieces.push_back(&*I); 1533 continue; 1534 } 1535 1536 assert(Loc.isMacroID()); 1537 1538 // Is the PathDiagnosticPiece within the same macro group? 1539 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 1540 MacroStack.back().first->push_back(&*I); 1541 continue; 1542 } 1543 1544 // We aren't in the same group. Are we descending into a new macro 1545 // or are part of an old one? 1546 PathDiagnosticMacroPiece *MacroGroup = 0; 1547 1548 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 1549 SM.getExpansionLoc(Loc) : 1550 SourceLocation(); 1551 1552 // Walk the entire macro stack. 1553 while (!MacroStack.empty()) { 1554 if (InstantiationLoc == MacroStack.back().second) { 1555 MacroGroup = MacroStack.back().first; 1556 break; 1557 } 1558 1559 if (ParentInstantiationLoc == MacroStack.back().second) { 1560 MacroGroup = MacroStack.back().first; 1561 break; 1562 } 1563 1564 MacroStack.pop_back(); 1565 } 1566 1567 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 1568 // Create a new macro group and add it to the stack. 1569 PathDiagnosticMacroPiece *NewGroup = new PathDiagnosticMacroPiece(Loc); 1570 1571 if (MacroGroup) 1572 MacroGroup->push_back(NewGroup); 1573 else { 1574 assert(InstantiationLoc.isFileID()); 1575 Pieces.push_back(NewGroup); 1576 } 1577 1578 MacroGroup = NewGroup; 1579 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 1580 } 1581 1582 // Finally, add the PathDiagnosticPiece to the group. 1583 MacroGroup->push_back(&*I); 1584 } 1585 1586 // Now take the pieces and construct a new PathDiagnostic. 1587 PD.resetPath(false); 1588 1589 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) { 1590 if (PathDiagnosticMacroPiece *MP=dyn_cast<PathDiagnosticMacroPiece>(*I)) 1591 if (!MP->containsEvent()) { 1592 delete MP; 1593 continue; 1594 } 1595 1596 PD.push_back(*I); 1597 } 1598 } 1599 1600 void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD, 1601 SmallVectorImpl<BugReport *> &bugReports) { 1602 1603 assert(!bugReports.empty()); 1604 SmallVector<const ExplodedNode *, 10> errorNodes; 1605 for (SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(), 1606 E = bugReports.end(); I != E; ++I) { 1607 errorNodes.push_back((*I)->getErrorNode()); 1608 } 1609 1610 // Construct a new graph that contains only a single path from the error 1611 // node to a root. 1612 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1613 std::pair<ExplodedNode*, unsigned> >& 1614 GPair = MakeReportGraph(&getGraph(), errorNodes); 1615 1616 // Find the BugReport with the original location. 1617 assert(GPair.second.second < bugReports.size()); 1618 BugReport *R = bugReports[GPair.second.second]; 1619 assert(R && "No original report found for sliced graph."); 1620 1621 llvm::OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 1622 llvm::OwningPtr<NodeBackMap> BackMap(GPair.first.second); 1623 const ExplodedNode *N = GPair.second.first; 1624 1625 // Start building the path diagnostic... 1626 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), getPathDiagnosticClient()); 1627 1628 // Register additional node visitors. 1629 R->addVisitor(new NilReceiverBRVisitor()); 1630 R->addVisitor(new ConditionBRVisitor()); 1631 1632 // Generate the very last diagnostic piece - the piece is visible before 1633 // the trace is expanded. 1634 PathDiagnosticPiece *LastPiece = 0; 1635 for (BugReport::visitor_iterator I = R->visitor_begin(), 1636 E = R->visitor_end(); I!=E; ++I) { 1637 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) { 1638 assert (!LastPiece && 1639 "There can only be one final piece in a diagnostic."); 1640 LastPiece = Piece; 1641 } 1642 } 1643 if (!LastPiece) 1644 LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R); 1645 if (LastPiece) 1646 PD.push_back(LastPiece); 1647 else 1648 return; 1649 1650 switch (PDB.getGenerationScheme()) { 1651 case PathDiagnosticClient::Extensive: 1652 GenerateExtensivePathDiagnostic(PD, PDB, N); 1653 break; 1654 case PathDiagnosticClient::Minimal: 1655 GenerateMinimalPathDiagnostic(PD, PDB, N); 1656 break; 1657 } 1658 } 1659 1660 void BugReporter::Register(BugType *BT) { 1661 BugTypes = F.add(BugTypes, BT); 1662 } 1663 1664 void BugReporter::EmitReport(BugReport* R) { 1665 // Compute the bug report's hash to determine its equivalence class. 1666 llvm::FoldingSetNodeID ID; 1667 R->Profile(ID); 1668 1669 // Lookup the equivance class. If there isn't one, create it. 1670 BugType& BT = R->getBugType(); 1671 Register(&BT); 1672 void *InsertPos; 1673 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 1674 1675 if (!EQ) { 1676 EQ = new BugReportEquivClass(R); 1677 EQClasses.InsertNode(EQ, InsertPos); 1678 EQClassesVector.push_back(EQ); 1679 } 1680 else 1681 EQ->AddReport(R); 1682 } 1683 1684 1685 //===----------------------------------------------------------------------===// 1686 // Emitting reports in equivalence classes. 1687 //===----------------------------------------------------------------------===// 1688 1689 namespace { 1690 struct FRIEC_WLItem { 1691 const ExplodedNode *N; 1692 ExplodedNode::const_succ_iterator I, E; 1693 1694 FRIEC_WLItem(const ExplodedNode *n) 1695 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 1696 }; 1697 } 1698 1699 static BugReport * 1700 FindReportInEquivalenceClass(BugReportEquivClass& EQ, 1701 SmallVectorImpl<BugReport*> &bugReports) { 1702 1703 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 1704 assert(I != E); 1705 BugReport *R = *I; 1706 BugType& BT = R->getBugType(); 1707 1708 // If we don't need to suppress any of the nodes because they are 1709 // post-dominated by a sink, simply add all the nodes in the equivalence class 1710 // to 'Nodes'. Any of the reports will serve as a "representative" report. 1711 if (!BT.isSuppressOnSink()) { 1712 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 1713 const ExplodedNode *N = I->getErrorNode(); 1714 if (N) { 1715 R = *I; 1716 bugReports.push_back(R); 1717 } 1718 } 1719 return R; 1720 } 1721 1722 // For bug reports that should be suppressed when all paths are post-dominated 1723 // by a sink node, iterate through the reports in the equivalence class 1724 // until we find one that isn't post-dominated (if one exists). We use a 1725 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 1726 // this as a recursive function, but we don't want to risk blowing out the 1727 // stack for very long paths. 1728 BugReport *exampleReport = 0; 1729 1730 for (; I != E; ++I) { 1731 R = *I; 1732 const ExplodedNode *errorNode = R->getErrorNode(); 1733 1734 if (!errorNode) 1735 continue; 1736 if (errorNode->isSink()) { 1737 assert(false && 1738 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 1739 return 0; 1740 } 1741 // No successors? By definition this nodes isn't post-dominated by a sink. 1742 if (errorNode->succ_empty()) { 1743 bugReports.push_back(R); 1744 if (!exampleReport) 1745 exampleReport = R; 1746 continue; 1747 } 1748 1749 // At this point we know that 'N' is not a sink and it has at least one 1750 // successor. Use a DFS worklist to find a non-sink end-of-path node. 1751 typedef FRIEC_WLItem WLItem; 1752 typedef SmallVector<WLItem, 10> DFSWorkList; 1753 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 1754 1755 DFSWorkList WL; 1756 WL.push_back(errorNode); 1757 Visited[errorNode] = 1; 1758 1759 while (!WL.empty()) { 1760 WLItem &WI = WL.back(); 1761 assert(!WI.N->succ_empty()); 1762 1763 for (; WI.I != WI.E; ++WI.I) { 1764 const ExplodedNode *Succ = *WI.I; 1765 // End-of-path node? 1766 if (Succ->succ_empty()) { 1767 // If we found an end-of-path node that is not a sink. 1768 if (!Succ->isSink()) { 1769 bugReports.push_back(R); 1770 if (!exampleReport) 1771 exampleReport = R; 1772 WL.clear(); 1773 break; 1774 } 1775 // Found a sink? Continue on to the next successor. 1776 continue; 1777 } 1778 // Mark the successor as visited. If it hasn't been explored, 1779 // enqueue it to the DFS worklist. 1780 unsigned &mark = Visited[Succ]; 1781 if (!mark) { 1782 mark = 1; 1783 WL.push_back(Succ); 1784 break; 1785 } 1786 } 1787 1788 // The worklist may have been cleared at this point. First 1789 // check if it is empty before checking the last item. 1790 if (!WL.empty() && &WL.back() == &WI) 1791 WL.pop_back(); 1792 } 1793 } 1794 1795 // ExampleReport will be NULL if all the nodes in the equivalence class 1796 // were post-dominated by sinks. 1797 return exampleReport; 1798 } 1799 1800 //===----------------------------------------------------------------------===// 1801 // DiagnosticCache. This is a hack to cache analyzer diagnostics. It 1802 // uses global state, which eventually should go elsewhere. 1803 //===----------------------------------------------------------------------===// 1804 namespace { 1805 class DiagCacheItem : public llvm::FoldingSetNode { 1806 llvm::FoldingSetNodeID ID; 1807 public: 1808 DiagCacheItem(BugReport *R, PathDiagnostic *PD) { 1809 ID.AddString(R->getBugType().getName()); 1810 ID.AddString(R->getBugType().getCategory()); 1811 ID.AddString(R->getDescription()); 1812 ID.AddInteger(R->getLocation().getRawEncoding()); 1813 PD->Profile(ID); 1814 } 1815 1816 void Profile(llvm::FoldingSetNodeID &id) { 1817 id = ID; 1818 } 1819 1820 llvm::FoldingSetNodeID &getID() { return ID; } 1821 }; 1822 } 1823 1824 static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) { 1825 // FIXME: Eventually this diagnostic cache should reside in something 1826 // like AnalysisManager instead of being a static variable. This is 1827 // really unsafe in the long term. 1828 typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache; 1829 static DiagnosticCache DC; 1830 1831 void *InsertPos; 1832 DiagCacheItem *Item = new DiagCacheItem(R, PD); 1833 1834 if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) { 1835 delete Item; 1836 return true; 1837 } 1838 1839 DC.InsertNode(Item, InsertPos); 1840 return false; 1841 } 1842 1843 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 1844 SmallVector<BugReport*, 10> bugReports; 1845 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 1846 if (!exampleReport) 1847 return; 1848 1849 PathDiagnosticClient* PD = getPathDiagnosticClient(); 1850 1851 // FIXME: Make sure we use the 'R' for the path that was actually used. 1852 // Probably doesn't make a difference in practice. 1853 BugType& BT = exampleReport->getBugType(); 1854 1855 llvm::OwningPtr<PathDiagnostic> 1856 D(new PathDiagnostic(exampleReport->getBugType().getName(), 1857 !PD || PD->useVerboseDescription() 1858 ? exampleReport->getDescription() 1859 : exampleReport->getShortDescription(), 1860 BT.getCategory())); 1861 1862 if (!bugReports.empty()) 1863 GeneratePathDiagnostic(*D.get(), bugReports); 1864 1865 if (IsCachedDiagnostic(exampleReport, D.get())) 1866 return; 1867 1868 // Get the meta data. 1869 const BugReport::ExtraTextList &Meta = 1870 exampleReport->getExtraText(); 1871 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(), 1872 e = Meta.end(); i != e; ++i) { 1873 D->addMeta(*i); 1874 } 1875 1876 // Emit a summary diagnostic to the regular Diagnostics engine. 1877 BugReport::ranges_iterator Beg, End; 1878 llvm::tie(Beg, End) = exampleReport->getRanges(); 1879 Diagnostic &Diag = getDiagnostic(); 1880 FullSourceLoc L(exampleReport->getLocation(), getSourceManager()); 1881 1882 // Search the description for '%', as that will be interpretted as a 1883 // format character by FormatDiagnostics. 1884 StringRef desc = exampleReport->getShortDescription(); 1885 unsigned ErrorDiag; 1886 { 1887 llvm::SmallString<512> TmpStr; 1888 llvm::raw_svector_ostream Out(TmpStr); 1889 for (StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I) 1890 if (*I == '%') 1891 Out << "%%"; 1892 else 1893 Out << *I; 1894 1895 Out.flush(); 1896 ErrorDiag = Diag.getCustomDiagID(Diagnostic::Warning, TmpStr); 1897 } 1898 1899 { 1900 DiagnosticBuilder diagBuilder = Diag.Report(L, ErrorDiag); 1901 for (BugReport::ranges_iterator I = Beg; I != End; ++I) 1902 diagBuilder << *I; 1903 } 1904 1905 // Emit a full diagnostic for the path if we have a PathDiagnosticClient. 1906 if (!PD) 1907 return; 1908 1909 if (D->empty()) { 1910 PathDiagnosticPiece *piece = 1911 new PathDiagnosticEventPiece(L, exampleReport->getDescription()); 1912 1913 for ( ; Beg != End; ++Beg) piece->addRange(*Beg); 1914 D->push_back(piece); 1915 } 1916 1917 PD->HandlePathDiagnostic(D.take()); 1918 } 1919 1920 void BugReporter::EmitBasicReport(StringRef name, StringRef str, 1921 SourceLocation Loc, 1922 SourceRange* RBeg, unsigned NumRanges) { 1923 EmitBasicReport(name, "", str, Loc, RBeg, NumRanges); 1924 } 1925 1926 void BugReporter::EmitBasicReport(StringRef name, 1927 StringRef category, 1928 StringRef str, SourceLocation Loc, 1929 SourceRange* RBeg, unsigned NumRanges) { 1930 1931 // 'BT' is owned by BugReporter. 1932 BugType *BT = getBugTypeForName(name, category); 1933 FullSourceLoc L = getContext().getFullLoc(Loc); 1934 BugReport *R = new BugReport(*BT, str, L); 1935 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 1936 EmitReport(R); 1937 } 1938 1939 BugType *BugReporter::getBugTypeForName(StringRef name, 1940 StringRef category) { 1941 llvm::SmallString<136> fullDesc; 1942 llvm::raw_svector_ostream(fullDesc) << name << ":" << category; 1943 llvm::StringMapEntry<BugType *> & 1944 entry = StrBugTypes.GetOrCreateValue(fullDesc); 1945 BugType *BT = entry.getValue(); 1946 if (!BT) { 1947 BT = new BugType(name, category); 1948 entry.setValue(BT); 1949 } 1950 return BT; 1951 } 1952