1 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines BugReporter, a utility class for generating 11 // PathDiagnostics. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 17 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 18 #include "clang/AST/ASTContext.h" 19 #include "clang/Analysis/CFG.h" 20 #include "clang/AST/Expr.h" 21 #include "clang/AST/ParentMap.h" 22 #include "clang/AST/StmtObjC.h" 23 #include "clang/Basic/SourceManager.h" 24 #include "clang/Analysis/ProgramPoint.h" 25 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 26 #include "llvm/Support/raw_ostream.h" 27 #include "llvm/ADT/DenseMap.h" 28 #include "llvm/ADT/STLExtras.h" 29 #include "llvm/ADT/OwningPtr.h" 30 #include <queue> 31 32 using namespace clang; 33 using namespace ento; 34 35 BugReporterVisitor::~BugReporterVisitor() {} 36 37 //===----------------------------------------------------------------------===// 38 // Helper routines for walking the ExplodedGraph and fetching statements. 39 //===----------------------------------------------------------------------===// 40 41 static inline const Stmt *GetStmt(const ProgramPoint &P) { 42 if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P)) 43 return SP->getStmt(); 44 else if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) 45 return BE->getSrc()->getTerminator(); 46 47 return 0; 48 } 49 50 static inline const ExplodedNode* 51 GetPredecessorNode(const ExplodedNode *N) { 52 return N->pred_empty() ? NULL : *(N->pred_begin()); 53 } 54 55 static inline const ExplodedNode* 56 GetSuccessorNode(const ExplodedNode *N) { 57 return N->succ_empty() ? NULL : *(N->succ_begin()); 58 } 59 60 static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 61 for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N)) 62 if (const Stmt *S = GetStmt(N->getLocation())) 63 return S; 64 65 return 0; 66 } 67 68 static const Stmt *GetNextStmt(const ExplodedNode *N) { 69 for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) 70 if (const Stmt *S = GetStmt(N->getLocation())) { 71 // Check if the statement is '?' or '&&'/'||'. These are "merges", 72 // not actual statement points. 73 switch (S->getStmtClass()) { 74 case Stmt::ChooseExprClass: 75 case Stmt::BinaryConditionalOperatorClass: continue; 76 case Stmt::ConditionalOperatorClass: continue; 77 case Stmt::BinaryOperatorClass: { 78 BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode(); 79 if (Op == BO_LAnd || Op == BO_LOr) 80 continue; 81 break; 82 } 83 default: 84 break; 85 } 86 87 // Some expressions don't have locations. 88 if (S->getLocStart().isInvalid()) 89 continue; 90 91 return S; 92 } 93 94 return 0; 95 } 96 97 static inline const Stmt* 98 GetCurrentOrPreviousStmt(const ExplodedNode *N) { 99 if (const Stmt *S = GetStmt(N->getLocation())) 100 return S; 101 102 return GetPreviousStmt(N); 103 } 104 105 static inline const Stmt* 106 GetCurrentOrNextStmt(const ExplodedNode *N) { 107 if (const Stmt *S = GetStmt(N->getLocation())) 108 return S; 109 110 return GetNextStmt(N); 111 } 112 113 //===----------------------------------------------------------------------===// 114 // PathDiagnosticBuilder and its associated routines and helper objects. 115 //===----------------------------------------------------------------------===// 116 117 typedef llvm::DenseMap<const ExplodedNode*, 118 const ExplodedNode*> NodeBackMap; 119 120 namespace { 121 class NodeMapClosure : public BugReport::NodeResolver { 122 NodeBackMap& M; 123 public: 124 NodeMapClosure(NodeBackMap *m) : M(*m) {} 125 ~NodeMapClosure() {} 126 127 const ExplodedNode *getOriginalNode(const ExplodedNode *N) { 128 NodeBackMap::iterator I = M.find(N); 129 return I == M.end() ? 0 : I->second; 130 } 131 }; 132 133 class PathDiagnosticBuilder : public BugReporterContext { 134 BugReport *R; 135 PathDiagnosticClient *PDC; 136 llvm::OwningPtr<ParentMap> PM; 137 NodeMapClosure NMC; 138 public: 139 PathDiagnosticBuilder(GRBugReporter &br, 140 BugReport *r, NodeBackMap *Backmap, 141 PathDiagnosticClient *pdc) 142 : BugReporterContext(br), 143 R(r), PDC(pdc), NMC(Backmap) {} 144 145 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 146 147 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 148 const ExplodedNode *N); 149 150 BugReport *getBugReport() { return R; } 151 152 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 153 154 ParentMap& getParentMap() { return R->getErrorNode()->getParentMap(); } 155 156 const Stmt *getParent(const Stmt *S) { 157 return getParentMap().getParent(S); 158 } 159 160 virtual NodeMapClosure& getNodeResolver() { return NMC; } 161 162 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 163 164 PathDiagnosticClient::PathGenerationScheme getGenerationScheme() const { 165 return PDC ? PDC->getGenerationScheme() : PathDiagnosticClient::Extensive; 166 } 167 168 bool supportsLogicalOpControlFlow() const { 169 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 170 } 171 }; 172 } // end anonymous namespace 173 174 PathDiagnosticLocation 175 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 176 if (const Stmt *S = GetNextStmt(N)) 177 return PathDiagnosticLocation(S, getSourceManager()); 178 179 return FullSourceLoc(N->getLocationContext()->getDecl()->getBodyRBrace(), 180 getSourceManager()); 181 } 182 183 PathDiagnosticLocation 184 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 185 const ExplodedNode *N) { 186 187 // Slow, but probably doesn't matter. 188 if (os.str().empty()) 189 os << ' '; 190 191 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 192 193 if (Loc.asStmt()) 194 os << "Execution continues on line " 195 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 196 << '.'; 197 else { 198 os << "Execution jumps to the end of the "; 199 const Decl *D = N->getLocationContext()->getDecl(); 200 if (isa<ObjCMethodDecl>(D)) 201 os << "method"; 202 else if (isa<FunctionDecl>(D)) 203 os << "function"; 204 else { 205 assert(isa<BlockDecl>(D)); 206 os << "anonymous block"; 207 } 208 os << '.'; 209 } 210 211 return Loc; 212 } 213 214 static bool IsNested(const Stmt *S, ParentMap &PM) { 215 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 216 return true; 217 218 const Stmt *Parent = PM.getParentIgnoreParens(S); 219 220 if (Parent) 221 switch (Parent->getStmtClass()) { 222 case Stmt::ForStmtClass: 223 case Stmt::DoStmtClass: 224 case Stmt::WhileStmtClass: 225 return true; 226 default: 227 break; 228 } 229 230 return false; 231 } 232 233 PathDiagnosticLocation 234 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 235 assert(S && "Null Stmt *passed to getEnclosingStmtLocation"); 236 ParentMap &P = getParentMap(); 237 SourceManager &SMgr = getSourceManager(); 238 239 while (IsNested(S, P)) { 240 const Stmt *Parent = P.getParentIgnoreParens(S); 241 242 if (!Parent) 243 break; 244 245 switch (Parent->getStmtClass()) { 246 case Stmt::BinaryOperatorClass: { 247 const BinaryOperator *B = cast<BinaryOperator>(Parent); 248 if (B->isLogicalOp()) 249 return PathDiagnosticLocation(S, SMgr); 250 break; 251 } 252 case Stmt::CompoundStmtClass: 253 case Stmt::StmtExprClass: 254 return PathDiagnosticLocation(S, SMgr); 255 case Stmt::ChooseExprClass: 256 // Similar to '?' if we are referring to condition, just have the edge 257 // point to the entire choose expression. 258 if (cast<ChooseExpr>(Parent)->getCond() == S) 259 return PathDiagnosticLocation(Parent, SMgr); 260 else 261 return PathDiagnosticLocation(S, SMgr); 262 case Stmt::BinaryConditionalOperatorClass: 263 case Stmt::ConditionalOperatorClass: 264 // For '?', if we are referring to condition, just have the edge point 265 // to the entire '?' expression. 266 if (cast<AbstractConditionalOperator>(Parent)->getCond() == S) 267 return PathDiagnosticLocation(Parent, SMgr); 268 else 269 return PathDiagnosticLocation(S, SMgr); 270 case Stmt::DoStmtClass: 271 return PathDiagnosticLocation(S, SMgr); 272 case Stmt::ForStmtClass: 273 if (cast<ForStmt>(Parent)->getBody() == S) 274 return PathDiagnosticLocation(S, SMgr); 275 break; 276 case Stmt::IfStmtClass: 277 if (cast<IfStmt>(Parent)->getCond() != S) 278 return PathDiagnosticLocation(S, SMgr); 279 break; 280 case Stmt::ObjCForCollectionStmtClass: 281 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 282 return PathDiagnosticLocation(S, SMgr); 283 break; 284 case Stmt::WhileStmtClass: 285 if (cast<WhileStmt>(Parent)->getCond() != S) 286 return PathDiagnosticLocation(S, SMgr); 287 break; 288 default: 289 break; 290 } 291 292 S = Parent; 293 } 294 295 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 296 297 // Special case: DeclStmts can appear in for statement declarations, in which 298 // case the ForStmt is the context. 299 if (isa<DeclStmt>(S)) { 300 if (const Stmt *Parent = P.getParent(S)) { 301 switch (Parent->getStmtClass()) { 302 case Stmt::ForStmtClass: 303 case Stmt::ObjCForCollectionStmtClass: 304 return PathDiagnosticLocation(Parent, SMgr); 305 default: 306 break; 307 } 308 } 309 } 310 else if (isa<BinaryOperator>(S)) { 311 // Special case: the binary operator represents the initialization 312 // code in a for statement (this can happen when the variable being 313 // initialized is an old variable. 314 if (const ForStmt *FS = 315 dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) { 316 if (FS->getInit() == S) 317 return PathDiagnosticLocation(FS, SMgr); 318 } 319 } 320 321 return PathDiagnosticLocation(S, SMgr); 322 } 323 324 //===----------------------------------------------------------------------===// 325 // ScanNotableSymbols: closure-like callback for scanning Store bindings. 326 //===----------------------------------------------------------------------===// 327 328 static const VarDecl* GetMostRecentVarDeclBinding(const ExplodedNode *N, 329 ProgramStateManager& VMgr, 330 SVal X) { 331 332 for ( ; N ; N = N->pred_empty() ? 0 : *N->pred_begin()) { 333 334 ProgramPoint P = N->getLocation(); 335 336 if (!isa<PostStmt>(P)) 337 continue; 338 339 const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(cast<PostStmt>(P).getStmt()); 340 341 if (!DR) 342 continue; 343 344 SVal Y = N->getState()->getSVal(DR); 345 346 if (X != Y) 347 continue; 348 349 const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()); 350 351 if (!VD) 352 continue; 353 354 return VD; 355 } 356 357 return 0; 358 } 359 360 namespace { 361 class NotableSymbolHandler 362 : public StoreManager::BindingsHandler { 363 364 SymbolRef Sym; 365 const ProgramState *PrevSt; 366 const Stmt *S; 367 ProgramStateManager& VMgr; 368 const ExplodedNode *Pred; 369 PathDiagnostic& PD; 370 BugReporter& BR; 371 372 public: 373 374 NotableSymbolHandler(SymbolRef sym, 375 const ProgramState *prevst, 376 const Stmt *s, 377 ProgramStateManager& vmgr, 378 const ExplodedNode *pred, 379 PathDiagnostic& pd, 380 BugReporter& br) 381 : Sym(sym), 382 PrevSt(prevst), 383 S(s), 384 VMgr(vmgr), 385 Pred(pred), 386 PD(pd), 387 BR(br) {} 388 389 bool HandleBinding(StoreManager& SMgr, Store store, const MemRegion* R, 390 SVal V) { 391 392 SymbolRef ScanSym = V.getAsSymbol(); 393 394 if (ScanSym != Sym) 395 return true; 396 397 // Check if the previous state has this binding. 398 SVal X = PrevSt->getSVal(loc::MemRegionVal(R)); 399 400 if (X == V) // Same binding? 401 return true; 402 403 // Different binding. Only handle assignments for now. We don't pull 404 // this check out of the loop because we will eventually handle other 405 // cases. 406 407 VarDecl *VD = 0; 408 409 if (const BinaryOperator* B = dyn_cast<BinaryOperator>(S)) { 410 if (!B->isAssignmentOp()) 411 return true; 412 413 // What variable did we assign to? 414 DeclRefExpr *DR = dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenCasts()); 415 416 if (!DR) 417 return true; 418 419 VD = dyn_cast<VarDecl>(DR->getDecl()); 420 } 421 else if (const DeclStmt *DS = dyn_cast<DeclStmt>(S)) { 422 // FIXME: Eventually CFGs won't have DeclStmts. Right now we 423 // assume that each DeclStmt has a single Decl. This invariant 424 // holds by construction in the CFG. 425 VD = dyn_cast<VarDecl>(*DS->decl_begin()); 426 } 427 428 if (!VD) 429 return true; 430 431 // What is the most recently referenced variable with this binding? 432 const VarDecl *MostRecent = GetMostRecentVarDeclBinding(Pred, VMgr, V); 433 434 if (!MostRecent) 435 return true; 436 437 // Create the diagnostic. 438 FullSourceLoc L(S->getLocStart(), BR.getSourceManager()); 439 440 if (Loc::isLocType(VD->getType())) { 441 llvm::SmallString<64> buf; 442 llvm::raw_svector_ostream os(buf); 443 os << '\'' << VD << "' now aliases '" << MostRecent << '\''; 444 445 PD.push_front(new PathDiagnosticEventPiece(L, os.str())); 446 } 447 448 return true; 449 } 450 }; 451 } 452 453 static void HandleNotableSymbol(const ExplodedNode *N, 454 const Stmt *S, 455 SymbolRef Sym, BugReporter& BR, 456 PathDiagnostic& PD) { 457 458 const ExplodedNode *Pred = N->pred_empty() ? 0 : *N->pred_begin(); 459 const ProgramState *PrevSt = Pred ? Pred->getState() : 0; 460 461 if (!PrevSt) 462 return; 463 464 // Look at the region bindings of the current state that map to the 465 // specified symbol. Are any of them not in the previous state? 466 ProgramStateManager& VMgr = cast<GRBugReporter>(BR).getStateManager(); 467 NotableSymbolHandler H(Sym, PrevSt, S, VMgr, Pred, PD, BR); 468 cast<GRBugReporter>(BR).getStateManager().iterBindings(N->getState(), H); 469 } 470 471 namespace { 472 class ScanNotableSymbols 473 : public StoreManager::BindingsHandler { 474 475 llvm::SmallSet<SymbolRef, 10> AlreadyProcessed; 476 const ExplodedNode *N; 477 const Stmt *S; 478 GRBugReporter& BR; 479 PathDiagnostic& PD; 480 481 public: 482 ScanNotableSymbols(const ExplodedNode *n, const Stmt *s, 483 GRBugReporter& br, PathDiagnostic& pd) 484 : N(n), S(s), BR(br), PD(pd) {} 485 486 bool HandleBinding(StoreManager& SMgr, Store store, 487 const MemRegion* R, SVal V) { 488 489 SymbolRef ScanSym = V.getAsSymbol(); 490 491 if (!ScanSym) 492 return true; 493 494 if (!BR.isNotable(ScanSym)) 495 return true; 496 497 if (AlreadyProcessed.count(ScanSym)) 498 return true; 499 500 AlreadyProcessed.insert(ScanSym); 501 502 HandleNotableSymbol(N, S, ScanSym, BR, PD); 503 return true; 504 } 505 }; 506 } // end anonymous namespace 507 508 //===----------------------------------------------------------------------===// 509 // "Minimal" path diagnostic generation algorithm. 510 //===----------------------------------------------------------------------===// 511 512 static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM); 513 514 static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 515 PathDiagnosticBuilder &PDB, 516 const ExplodedNode *N) { 517 518 SourceManager& SMgr = PDB.getSourceManager(); 519 const ExplodedNode *NextNode = N->pred_empty() 520 ? NULL : *(N->pred_begin()); 521 while (NextNode) { 522 N = NextNode; 523 NextNode = GetPredecessorNode(N); 524 525 ProgramPoint P = N->getLocation(); 526 527 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 528 const CFGBlock *Src = BE->getSrc(); 529 const CFGBlock *Dst = BE->getDst(); 530 const Stmt *T = Src->getTerminator(); 531 532 if (!T) 533 continue; 534 535 FullSourceLoc Start(T->getLocStart(), SMgr); 536 537 switch (T->getStmtClass()) { 538 default: 539 break; 540 541 case Stmt::GotoStmtClass: 542 case Stmt::IndirectGotoStmtClass: { 543 const Stmt *S = GetNextStmt(N); 544 545 if (!S) 546 continue; 547 548 std::string sbuf; 549 llvm::raw_string_ostream os(sbuf); 550 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 551 552 os << "Control jumps to line " 553 << End.asLocation().getExpansionLineNumber(); 554 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 555 os.str())); 556 break; 557 } 558 559 case Stmt::SwitchStmtClass: { 560 // Figure out what case arm we took. 561 std::string sbuf; 562 llvm::raw_string_ostream os(sbuf); 563 564 if (const Stmt *S = Dst->getLabel()) { 565 PathDiagnosticLocation End(S, SMgr); 566 567 switch (S->getStmtClass()) { 568 default: 569 os << "No cases match in the switch statement. " 570 "Control jumps to line " 571 << End.asLocation().getExpansionLineNumber(); 572 break; 573 case Stmt::DefaultStmtClass: 574 os << "Control jumps to the 'default' case at line " 575 << End.asLocation().getExpansionLineNumber(); 576 break; 577 578 case Stmt::CaseStmtClass: { 579 os << "Control jumps to 'case "; 580 const CaseStmt *Case = cast<CaseStmt>(S); 581 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 582 583 // Determine if it is an enum. 584 bool GetRawInt = true; 585 586 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 587 // FIXME: Maybe this should be an assertion. Are there cases 588 // were it is not an EnumConstantDecl? 589 const EnumConstantDecl *D = 590 dyn_cast<EnumConstantDecl>(DR->getDecl()); 591 592 if (D) { 593 GetRawInt = false; 594 os << D; 595 } 596 } 597 598 if (GetRawInt) 599 os << LHS->EvaluateAsInt(PDB.getASTContext()); 600 601 os << ":' at line " 602 << End.asLocation().getExpansionLineNumber(); 603 break; 604 } 605 } 606 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 607 os.str())); 608 } 609 else { 610 os << "'Default' branch taken. "; 611 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 612 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 613 os.str())); 614 } 615 616 break; 617 } 618 619 case Stmt::BreakStmtClass: 620 case Stmt::ContinueStmtClass: { 621 std::string sbuf; 622 llvm::raw_string_ostream os(sbuf); 623 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 624 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 625 os.str())); 626 break; 627 } 628 629 // Determine control-flow for ternary '?'. 630 case Stmt::BinaryConditionalOperatorClass: 631 case Stmt::ConditionalOperatorClass: { 632 std::string sbuf; 633 llvm::raw_string_ostream os(sbuf); 634 os << "'?' condition is "; 635 636 if (*(Src->succ_begin()+1) == Dst) 637 os << "false"; 638 else 639 os << "true"; 640 641 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 642 643 if (const Stmt *S = End.asStmt()) 644 End = PDB.getEnclosingStmtLocation(S); 645 646 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 647 os.str())); 648 break; 649 } 650 651 // Determine control-flow for short-circuited '&&' and '||'. 652 case Stmt::BinaryOperatorClass: { 653 if (!PDB.supportsLogicalOpControlFlow()) 654 break; 655 656 const BinaryOperator *B = cast<BinaryOperator>(T); 657 std::string sbuf; 658 llvm::raw_string_ostream os(sbuf); 659 os << "Left side of '"; 660 661 if (B->getOpcode() == BO_LAnd) { 662 os << "&&" << "' is "; 663 664 if (*(Src->succ_begin()+1) == Dst) { 665 os << "false"; 666 PathDiagnosticLocation End(B->getLHS(), SMgr); 667 PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr); 668 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 669 os.str())); 670 } 671 else { 672 os << "true"; 673 PathDiagnosticLocation Start(B->getLHS(), SMgr); 674 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 675 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 676 os.str())); 677 } 678 } 679 else { 680 assert(B->getOpcode() == BO_LOr); 681 os << "||" << "' is "; 682 683 if (*(Src->succ_begin()+1) == Dst) { 684 os << "false"; 685 PathDiagnosticLocation Start(B->getLHS(), SMgr); 686 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 687 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 688 os.str())); 689 } 690 else { 691 os << "true"; 692 PathDiagnosticLocation End(B->getLHS(), SMgr); 693 PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr); 694 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 695 os.str())); 696 } 697 } 698 699 break; 700 } 701 702 case Stmt::DoStmtClass: { 703 if (*(Src->succ_begin()) == Dst) { 704 std::string sbuf; 705 llvm::raw_string_ostream os(sbuf); 706 707 os << "Loop condition is true. "; 708 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 709 710 if (const Stmt *S = End.asStmt()) 711 End = PDB.getEnclosingStmtLocation(S); 712 713 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 714 os.str())); 715 } 716 else { 717 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 718 719 if (const Stmt *S = End.asStmt()) 720 End = PDB.getEnclosingStmtLocation(S); 721 722 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 723 "Loop condition is false. Exiting loop")); 724 } 725 726 break; 727 } 728 729 case Stmt::WhileStmtClass: 730 case Stmt::ForStmtClass: { 731 if (*(Src->succ_begin()+1) == Dst) { 732 std::string sbuf; 733 llvm::raw_string_ostream os(sbuf); 734 735 os << "Loop condition is false. "; 736 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 737 if (const Stmt *S = End.asStmt()) 738 End = PDB.getEnclosingStmtLocation(S); 739 740 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 741 os.str())); 742 } 743 else { 744 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 745 if (const Stmt *S = End.asStmt()) 746 End = PDB.getEnclosingStmtLocation(S); 747 748 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 749 "Loop condition is true. Entering loop body")); 750 } 751 752 break; 753 } 754 755 case Stmt::IfStmtClass: { 756 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 757 758 if (const Stmt *S = End.asStmt()) 759 End = PDB.getEnclosingStmtLocation(S); 760 761 if (*(Src->succ_begin()+1) == Dst) 762 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 763 "Taking false branch")); 764 else 765 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 766 "Taking true branch")); 767 768 break; 769 } 770 } 771 } 772 773 if (NextNode) { 774 // Add diagnostic pieces from custom visitors. 775 BugReport *R = PDB.getBugReport(); 776 for (BugReport::visitor_iterator I = R->visitor_begin(), 777 E = R->visitor_end(); I!=E; ++I) { 778 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) 779 PD.push_front(p); 780 } 781 } 782 783 if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) { 784 // Scan the region bindings, and see if a "notable" symbol has a new 785 // lval binding. 786 ScanNotableSymbols SNS(N, PS->getStmt(), PDB.getBugReporter(), PD); 787 PDB.getStateManager().iterBindings(N->getState(), SNS); 788 } 789 } 790 791 // After constructing the full PathDiagnostic, do a pass over it to compact 792 // PathDiagnosticPieces that occur within a macro. 793 CompactPathDiagnostic(PD, PDB.getSourceManager()); 794 } 795 796 //===----------------------------------------------------------------------===// 797 // "Extensive" PathDiagnostic generation. 798 //===----------------------------------------------------------------------===// 799 800 static bool IsControlFlowExpr(const Stmt *S) { 801 const Expr *E = dyn_cast<Expr>(S); 802 803 if (!E) 804 return false; 805 806 E = E->IgnoreParenCasts(); 807 808 if (isa<AbstractConditionalOperator>(E)) 809 return true; 810 811 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 812 if (B->isLogicalOp()) 813 return true; 814 815 return false; 816 } 817 818 namespace { 819 class ContextLocation : public PathDiagnosticLocation { 820 bool IsDead; 821 public: 822 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 823 : PathDiagnosticLocation(L), IsDead(isdead) {} 824 825 void markDead() { IsDead = true; } 826 bool isDead() const { return IsDead; } 827 }; 828 829 class EdgeBuilder { 830 std::vector<ContextLocation> CLocs; 831 typedef std::vector<ContextLocation>::iterator iterator; 832 PathDiagnostic &PD; 833 PathDiagnosticBuilder &PDB; 834 PathDiagnosticLocation PrevLoc; 835 836 bool IsConsumedExpr(const PathDiagnosticLocation &L); 837 838 bool containsLocation(const PathDiagnosticLocation &Container, 839 const PathDiagnosticLocation &Containee); 840 841 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 842 843 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 844 bool firstCharOnly = false) { 845 if (const Stmt *S = L.asStmt()) { 846 const Stmt *Original = S; 847 while (1) { 848 // Adjust the location for some expressions that are best referenced 849 // by one of their subexpressions. 850 switch (S->getStmtClass()) { 851 default: 852 break; 853 case Stmt::ParenExprClass: 854 case Stmt::GenericSelectionExprClass: 855 S = cast<Expr>(S)->IgnoreParens(); 856 firstCharOnly = true; 857 continue; 858 case Stmt::BinaryConditionalOperatorClass: 859 case Stmt::ConditionalOperatorClass: 860 S = cast<AbstractConditionalOperator>(S)->getCond(); 861 firstCharOnly = true; 862 continue; 863 case Stmt::ChooseExprClass: 864 S = cast<ChooseExpr>(S)->getCond(); 865 firstCharOnly = true; 866 continue; 867 case Stmt::BinaryOperatorClass: 868 S = cast<BinaryOperator>(S)->getLHS(); 869 firstCharOnly = true; 870 continue; 871 } 872 873 break; 874 } 875 876 if (S != Original) 877 L = PathDiagnosticLocation(S, L.getManager()); 878 } 879 880 if (firstCharOnly) 881 L = PathDiagnosticLocation(L.asLocation()); 882 883 return L; 884 } 885 886 void popLocation() { 887 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 888 // For contexts, we only one the first character as the range. 889 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 890 } 891 CLocs.pop_back(); 892 } 893 894 public: 895 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 896 : PD(pd), PDB(pdb) { 897 898 // If the PathDiagnostic already has pieces, add the enclosing statement 899 // of the first piece as a context as well. 900 if (!PD.empty()) { 901 PrevLoc = PD.begin()->getLocation(); 902 903 if (const Stmt *S = PrevLoc.asStmt()) 904 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 905 } 906 } 907 908 ~EdgeBuilder() { 909 while (!CLocs.empty()) popLocation(); 910 911 // Finally, add an initial edge from the start location of the first 912 // statement (if it doesn't already exist). 913 // FIXME: Should handle CXXTryStmt if analyser starts supporting C++. 914 if (const CompoundStmt *CS = 915 dyn_cast_or_null<CompoundStmt>(PDB.getCodeDecl().getBody())) 916 if (!CS->body_empty()) { 917 SourceLocation Loc = (*CS->body_begin())->getLocStart(); 918 rawAddEdge(PathDiagnosticLocation(Loc, PDB.getSourceManager())); 919 } 920 921 } 922 923 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 924 925 void rawAddEdge(PathDiagnosticLocation NewLoc); 926 927 void addContext(const Stmt *S); 928 void addExtendedContext(const Stmt *S); 929 }; 930 } // end anonymous namespace 931 932 933 PathDiagnosticLocation 934 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 935 if (const Stmt *S = L.asStmt()) { 936 if (IsControlFlowExpr(S)) 937 return L; 938 939 return PDB.getEnclosingStmtLocation(S); 940 } 941 942 return L; 943 } 944 945 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 946 const PathDiagnosticLocation &Containee) { 947 948 if (Container == Containee) 949 return true; 950 951 if (Container.asDecl()) 952 return true; 953 954 if (const Stmt *S = Containee.asStmt()) 955 if (const Stmt *ContainerS = Container.asStmt()) { 956 while (S) { 957 if (S == ContainerS) 958 return true; 959 S = PDB.getParent(S); 960 } 961 return false; 962 } 963 964 // Less accurate: compare using source ranges. 965 SourceRange ContainerR = Container.asRange(); 966 SourceRange ContaineeR = Containee.asRange(); 967 968 SourceManager &SM = PDB.getSourceManager(); 969 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 970 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 971 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 972 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 973 974 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 975 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 976 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 977 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 978 979 assert(ContainerBegLine <= ContainerEndLine); 980 assert(ContaineeBegLine <= ContaineeEndLine); 981 982 return (ContainerBegLine <= ContaineeBegLine && 983 ContainerEndLine >= ContaineeEndLine && 984 (ContainerBegLine != ContaineeBegLine || 985 SM.getExpansionColumnNumber(ContainerRBeg) <= 986 SM.getExpansionColumnNumber(ContaineeRBeg)) && 987 (ContainerEndLine != ContaineeEndLine || 988 SM.getExpansionColumnNumber(ContainerREnd) >= 989 SM.getExpansionColumnNumber(ContainerREnd))); 990 } 991 992 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 993 if (!PrevLoc.isValid()) { 994 PrevLoc = NewLoc; 995 return; 996 } 997 998 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 999 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 1000 1001 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1002 return; 1003 1004 // FIXME: Ignore intra-macro edges for now. 1005 if (NewLocClean.asLocation().getExpansionLoc() == 1006 PrevLocClean.asLocation().getExpansionLoc()) 1007 return; 1008 1009 PD.push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 1010 PrevLoc = NewLoc; 1011 } 1012 1013 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 1014 1015 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1016 return; 1017 1018 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1019 1020 while (!CLocs.empty()) { 1021 ContextLocation &TopContextLoc = CLocs.back(); 1022 1023 // Is the top location context the same as the one for the new location? 1024 if (TopContextLoc == CLoc) { 1025 if (alwaysAdd) { 1026 if (IsConsumedExpr(TopContextLoc) && 1027 !IsControlFlowExpr(TopContextLoc.asStmt())) 1028 TopContextLoc.markDead(); 1029 1030 rawAddEdge(NewLoc); 1031 } 1032 1033 return; 1034 } 1035 1036 if (containsLocation(TopContextLoc, CLoc)) { 1037 if (alwaysAdd) { 1038 rawAddEdge(NewLoc); 1039 1040 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 1041 CLocs.push_back(ContextLocation(CLoc, true)); 1042 return; 1043 } 1044 } 1045 1046 CLocs.push_back(CLoc); 1047 return; 1048 } 1049 1050 // Context does not contain the location. Flush it. 1051 popLocation(); 1052 } 1053 1054 // If we reach here, there is no enclosing context. Just add the edge. 1055 rawAddEdge(NewLoc); 1056 } 1057 1058 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1059 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 1060 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1061 1062 return false; 1063 } 1064 1065 void EdgeBuilder::addExtendedContext(const Stmt *S) { 1066 if (!S) 1067 return; 1068 1069 const Stmt *Parent = PDB.getParent(S); 1070 while (Parent) { 1071 if (isa<CompoundStmt>(Parent)) 1072 Parent = PDB.getParent(Parent); 1073 else 1074 break; 1075 } 1076 1077 if (Parent) { 1078 switch (Parent->getStmtClass()) { 1079 case Stmt::DoStmtClass: 1080 case Stmt::ObjCAtSynchronizedStmtClass: 1081 addContext(Parent); 1082 default: 1083 break; 1084 } 1085 } 1086 1087 addContext(S); 1088 } 1089 1090 void EdgeBuilder::addContext(const Stmt *S) { 1091 if (!S) 1092 return; 1093 1094 PathDiagnosticLocation L(S, PDB.getSourceManager()); 1095 1096 while (!CLocs.empty()) { 1097 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1098 1099 // Is the top location context the same as the one for the new location? 1100 if (TopContextLoc == L) 1101 return; 1102 1103 if (containsLocation(TopContextLoc, L)) { 1104 CLocs.push_back(L); 1105 return; 1106 } 1107 1108 // Context does not contain the location. Flush it. 1109 popLocation(); 1110 } 1111 1112 CLocs.push_back(L); 1113 } 1114 1115 static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1116 PathDiagnosticBuilder &PDB, 1117 const ExplodedNode *N) { 1118 EdgeBuilder EB(PD, PDB); 1119 1120 const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 1121 while (NextNode) { 1122 N = NextNode; 1123 NextNode = GetPredecessorNode(N); 1124 ProgramPoint P = N->getLocation(); 1125 1126 do { 1127 // Block edges. 1128 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 1129 const CFGBlock &Blk = *BE->getSrc(); 1130 const Stmt *Term = Blk.getTerminator(); 1131 1132 // Are we jumping to the head of a loop? Add a special diagnostic. 1133 if (const Stmt *Loop = BE->getDst()->getLoopTarget()) { 1134 PathDiagnosticLocation L(Loop, PDB.getSourceManager()); 1135 const CompoundStmt *CS = NULL; 1136 1137 if (!Term) { 1138 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1139 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1140 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1141 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1142 } 1143 1144 PathDiagnosticEventPiece *p = 1145 new PathDiagnosticEventPiece(L, 1146 "Looping back to the head of the loop"); 1147 1148 EB.addEdge(p->getLocation(), true); 1149 PD.push_front(p); 1150 1151 if (CS) { 1152 PathDiagnosticLocation BL(CS->getRBracLoc(), 1153 PDB.getSourceManager()); 1154 BL = PathDiagnosticLocation(BL.asLocation()); 1155 EB.addEdge(BL); 1156 } 1157 } 1158 1159 if (Term) 1160 EB.addContext(Term); 1161 1162 break; 1163 } 1164 1165 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 1166 if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) { 1167 const Stmt *stmt = S->getStmt(); 1168 if (IsControlFlowExpr(stmt)) { 1169 // Add the proper context for '&&', '||', and '?'. 1170 EB.addContext(stmt); 1171 } 1172 else 1173 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1174 } 1175 1176 break; 1177 } 1178 } while (0); 1179 1180 if (!NextNode) 1181 continue; 1182 1183 // Add pieces from custom visitors. 1184 BugReport *R = PDB.getBugReport(); 1185 for (BugReport::visitor_iterator I = R->visitor_begin(), 1186 E = R->visitor_end(); I!=E; ++I) { 1187 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 1188 const PathDiagnosticLocation &Loc = p->getLocation(); 1189 EB.addEdge(Loc, true); 1190 PD.push_front(p); 1191 if (const Stmt *S = Loc.asStmt()) 1192 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1193 } 1194 } 1195 } 1196 } 1197 1198 //===----------------------------------------------------------------------===// 1199 // Methods for BugType and subclasses. 1200 //===----------------------------------------------------------------------===// 1201 BugType::~BugType() { } 1202 1203 void BugType::FlushReports(BugReporter &BR) {} 1204 1205 //===----------------------------------------------------------------------===// 1206 // Methods for BugReport and subclasses. 1207 //===----------------------------------------------------------------------===// 1208 1209 void BugReport::addVisitor(BugReporterVisitor* visitor) { 1210 if (!visitor) 1211 return; 1212 1213 llvm::FoldingSetNodeID ID; 1214 visitor->Profile(ID); 1215 void *InsertPos; 1216 1217 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 1218 delete visitor; 1219 return; 1220 } 1221 1222 CallbacksSet.InsertNode(visitor, InsertPos); 1223 Callbacks = F.add(visitor, Callbacks); 1224 } 1225 1226 BugReport::~BugReport() { 1227 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) { 1228 delete *I; 1229 } 1230 } 1231 1232 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 1233 hash.AddPointer(&BT); 1234 hash.AddInteger(getLocation().getRawEncoding()); 1235 hash.AddString(Description); 1236 1237 for (SmallVectorImpl<SourceRange>::const_iterator I = 1238 Ranges.begin(), E = Ranges.end(); I != E; ++I) { 1239 const SourceRange range = *I; 1240 if (!range.isValid()) 1241 continue; 1242 hash.AddInteger(range.getBegin().getRawEncoding()); 1243 hash.AddInteger(range.getEnd().getRawEncoding()); 1244 } 1245 } 1246 1247 const Stmt *BugReport::getStmt() const { 1248 if (!ErrorNode) 1249 return 0; 1250 1251 ProgramPoint ProgP = ErrorNode->getLocation(); 1252 const Stmt *S = NULL; 1253 1254 if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) { 1255 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 1256 if (BE->getBlock() == &Exit) 1257 S = GetPreviousStmt(ErrorNode); 1258 } 1259 if (!S) 1260 S = GetStmt(ProgP); 1261 1262 return S; 1263 } 1264 1265 std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 1266 BugReport::getRanges() { 1267 // If no custom ranges, add the range of the statement corresponding to 1268 // the error node. 1269 if (Ranges.empty()) { 1270 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) 1271 addRange(E->getSourceRange()); 1272 else 1273 return std::make_pair(ranges_iterator(), ranges_iterator()); 1274 } 1275 1276 // User-specified absence of range info. 1277 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 1278 return std::make_pair(ranges_iterator(), ranges_iterator()); 1279 1280 return std::make_pair(Ranges.begin(), Ranges.end()); 1281 } 1282 1283 SourceLocation BugReport::getLocation() const { 1284 if (ErrorNode) { 1285 (Location.isInvalid() && 1286 "Either Location or ErrorNode should be specified but not both."); 1287 1288 if (const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode)) { 1289 // For member expressions, return the location of the '.' or '->'. 1290 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 1291 return ME->getMemberLoc(); 1292 // For binary operators, return the location of the operator. 1293 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 1294 return B->getOperatorLoc(); 1295 1296 return S->getLocStart(); 1297 } 1298 1299 } else { 1300 assert(Location.isValid()); 1301 return Location; 1302 } 1303 1304 return FullSourceLoc(); 1305 } 1306 1307 //===----------------------------------------------------------------------===// 1308 // Methods for BugReporter and subclasses. 1309 //===----------------------------------------------------------------------===// 1310 1311 BugReportEquivClass::~BugReportEquivClass() { 1312 for (iterator I=begin(), E=end(); I!=E; ++I) delete *I; 1313 } 1314 1315 GRBugReporter::~GRBugReporter() { } 1316 BugReporterData::~BugReporterData() {} 1317 1318 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 1319 1320 ProgramStateManager& 1321 GRBugReporter::getStateManager() { return Eng.getStateManager(); } 1322 1323 BugReporter::~BugReporter() { 1324 FlushReports(); 1325 1326 // Free the bug reports we are tracking. 1327 typedef std::vector<BugReportEquivClass *> ContTy; 1328 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end(); 1329 I != E; ++I) { 1330 delete *I; 1331 } 1332 } 1333 1334 void BugReporter::FlushReports() { 1335 if (BugTypes.isEmpty()) 1336 return; 1337 1338 // First flush the warnings for each BugType. This may end up creating new 1339 // warnings and new BugTypes. 1340 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 1341 // Turn NSErrorChecker into a proper checker and remove this. 1342 SmallVector<const BugType*, 16> bugTypes; 1343 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 1344 bugTypes.push_back(*I); 1345 for (SmallVector<const BugType*, 16>::iterator 1346 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 1347 const_cast<BugType*>(*I)->FlushReports(*this); 1348 1349 typedef llvm::FoldingSet<BugReportEquivClass> SetTy; 1350 for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){ 1351 BugReportEquivClass& EQ = *EI; 1352 FlushReport(EQ); 1353 } 1354 1355 // BugReporter owns and deletes only BugTypes created implicitly through 1356 // EmitBasicReport. 1357 // FIXME: There are leaks from checkers that assume that the BugTypes they 1358 // create will be destroyed by the BugReporter. 1359 for (llvm::StringMap<BugType*>::iterator 1360 I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I) 1361 delete I->second; 1362 1363 // Remove all references to the BugType objects. 1364 BugTypes = F.getEmptySet(); 1365 } 1366 1367 //===----------------------------------------------------------------------===// 1368 // PathDiagnostics generation. 1369 //===----------------------------------------------------------------------===// 1370 1371 static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1372 std::pair<ExplodedNode*, unsigned> > 1373 MakeReportGraph(const ExplodedGraph* G, 1374 SmallVectorImpl<const ExplodedNode*> &nodes) { 1375 1376 // Create the trimmed graph. It will contain the shortest paths from the 1377 // error nodes to the root. In the new graph we should only have one 1378 // error node unless there are two or more error nodes with the same minimum 1379 // path length. 1380 ExplodedGraph* GTrim; 1381 InterExplodedGraphMap* NMap; 1382 1383 llvm::DenseMap<const void*, const void*> InverseMap; 1384 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 1385 &InverseMap); 1386 1387 // Create owning pointers for GTrim and NMap just to ensure that they are 1388 // released when this function exists. 1389 llvm::OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 1390 llvm::OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 1391 1392 // Find the (first) error node in the trimmed graph. We just need to consult 1393 // the node map (NMap) which maps from nodes in the original graph to nodes 1394 // in the new graph. 1395 1396 std::queue<const ExplodedNode*> WS; 1397 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 1398 IndexMapTy IndexMap; 1399 1400 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 1401 const ExplodedNode *originalNode = nodes[nodeIndex]; 1402 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 1403 WS.push(N); 1404 IndexMap[originalNode] = nodeIndex; 1405 } 1406 } 1407 1408 assert(!WS.empty() && "No error node found in the trimmed graph."); 1409 1410 // Create a new (third!) graph with a single path. This is the graph 1411 // that will be returned to the caller. 1412 ExplodedGraph *GNew = new ExplodedGraph(); 1413 1414 // Sometimes the trimmed graph can contain a cycle. Perform a reverse BFS 1415 // to the root node, and then construct a new graph that contains only 1416 // a single path. 1417 llvm::DenseMap<const void*,unsigned> Visited; 1418 1419 unsigned cnt = 0; 1420 const ExplodedNode *Root = 0; 1421 1422 while (!WS.empty()) { 1423 const ExplodedNode *Node = WS.front(); 1424 WS.pop(); 1425 1426 if (Visited.find(Node) != Visited.end()) 1427 continue; 1428 1429 Visited[Node] = cnt++; 1430 1431 if (Node->pred_empty()) { 1432 Root = Node; 1433 break; 1434 } 1435 1436 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 1437 E=Node->pred_end(); I!=E; ++I) 1438 WS.push(*I); 1439 } 1440 1441 assert(Root); 1442 1443 // Now walk from the root down the BFS path, always taking the successor 1444 // with the lowest number. 1445 ExplodedNode *Last = 0, *First = 0; 1446 NodeBackMap *BM = new NodeBackMap(); 1447 unsigned NodeIndex = 0; 1448 1449 for ( const ExplodedNode *N = Root ;;) { 1450 // Lookup the number associated with the current node. 1451 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 1452 assert(I != Visited.end()); 1453 1454 // Create the equivalent node in the new graph with the same state 1455 // and location. 1456 ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState()); 1457 1458 // Store the mapping to the original node. 1459 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 1460 assert(IMitr != InverseMap.end() && "No mapping to original node."); 1461 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 1462 1463 // Link up the new node with the previous node. 1464 if (Last) 1465 NewN->addPredecessor(Last, *GNew); 1466 1467 Last = NewN; 1468 1469 // Are we at the final node? 1470 IndexMapTy::iterator IMI = 1471 IndexMap.find((const ExplodedNode*)(IMitr->second)); 1472 if (IMI != IndexMap.end()) { 1473 First = NewN; 1474 NodeIndex = IMI->second; 1475 break; 1476 } 1477 1478 // Find the next successor node. We choose the node that is marked 1479 // with the lowest DFS number. 1480 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 1481 ExplodedNode::const_succ_iterator SE = N->succ_end(); 1482 N = 0; 1483 1484 for (unsigned MinVal = 0; SI != SE; ++SI) { 1485 1486 I = Visited.find(*SI); 1487 1488 if (I == Visited.end()) 1489 continue; 1490 1491 if (!N || I->second < MinVal) { 1492 N = *SI; 1493 MinVal = I->second; 1494 } 1495 } 1496 1497 assert(N); 1498 } 1499 1500 assert(First); 1501 1502 return std::make_pair(std::make_pair(GNew, BM), 1503 std::make_pair(First, NodeIndex)); 1504 } 1505 1506 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 1507 /// and collapses PathDiagosticPieces that are expanded by macros. 1508 static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM) { 1509 typedef std::vector<std::pair<PathDiagnosticMacroPiece*, SourceLocation> > 1510 MacroStackTy; 1511 1512 typedef std::vector<PathDiagnosticPiece*> 1513 PiecesTy; 1514 1515 MacroStackTy MacroStack; 1516 PiecesTy Pieces; 1517 1518 for (PathDiagnostic::iterator I = PD.begin(), E = PD.end(); I!=E; ++I) { 1519 // Get the location of the PathDiagnosticPiece. 1520 const FullSourceLoc Loc = I->getLocation().asLocation(); 1521 1522 // Determine the instantiation location, which is the location we group 1523 // related PathDiagnosticPieces. 1524 SourceLocation InstantiationLoc = Loc.isMacroID() ? 1525 SM.getExpansionLoc(Loc) : 1526 SourceLocation(); 1527 1528 if (Loc.isFileID()) { 1529 MacroStack.clear(); 1530 Pieces.push_back(&*I); 1531 continue; 1532 } 1533 1534 assert(Loc.isMacroID()); 1535 1536 // Is the PathDiagnosticPiece within the same macro group? 1537 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 1538 MacroStack.back().first->push_back(&*I); 1539 continue; 1540 } 1541 1542 // We aren't in the same group. Are we descending into a new macro 1543 // or are part of an old one? 1544 PathDiagnosticMacroPiece *MacroGroup = 0; 1545 1546 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 1547 SM.getExpansionLoc(Loc) : 1548 SourceLocation(); 1549 1550 // Walk the entire macro stack. 1551 while (!MacroStack.empty()) { 1552 if (InstantiationLoc == MacroStack.back().second) { 1553 MacroGroup = MacroStack.back().first; 1554 break; 1555 } 1556 1557 if (ParentInstantiationLoc == MacroStack.back().second) { 1558 MacroGroup = MacroStack.back().first; 1559 break; 1560 } 1561 1562 MacroStack.pop_back(); 1563 } 1564 1565 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 1566 // Create a new macro group and add it to the stack. 1567 PathDiagnosticMacroPiece *NewGroup = new PathDiagnosticMacroPiece(Loc); 1568 1569 if (MacroGroup) 1570 MacroGroup->push_back(NewGroup); 1571 else { 1572 assert(InstantiationLoc.isFileID()); 1573 Pieces.push_back(NewGroup); 1574 } 1575 1576 MacroGroup = NewGroup; 1577 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 1578 } 1579 1580 // Finally, add the PathDiagnosticPiece to the group. 1581 MacroGroup->push_back(&*I); 1582 } 1583 1584 // Now take the pieces and construct a new PathDiagnostic. 1585 PD.resetPath(false); 1586 1587 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) { 1588 if (PathDiagnosticMacroPiece *MP=dyn_cast<PathDiagnosticMacroPiece>(*I)) 1589 if (!MP->containsEvent()) { 1590 delete MP; 1591 continue; 1592 } 1593 1594 PD.push_back(*I); 1595 } 1596 } 1597 1598 void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD, 1599 SmallVectorImpl<BugReport *> &bugReports) { 1600 1601 assert(!bugReports.empty()); 1602 SmallVector<const ExplodedNode *, 10> errorNodes; 1603 for (SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(), 1604 E = bugReports.end(); I != E; ++I) { 1605 errorNodes.push_back((*I)->getErrorNode()); 1606 } 1607 1608 // Construct a new graph that contains only a single path from the error 1609 // node to a root. 1610 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1611 std::pair<ExplodedNode*, unsigned> >& 1612 GPair = MakeReportGraph(&getGraph(), errorNodes); 1613 1614 // Find the BugReport with the original location. 1615 assert(GPair.second.second < bugReports.size()); 1616 BugReport *R = bugReports[GPair.second.second]; 1617 assert(R && "No original report found for sliced graph."); 1618 1619 llvm::OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 1620 llvm::OwningPtr<NodeBackMap> BackMap(GPair.first.second); 1621 const ExplodedNode *N = GPair.second.first; 1622 1623 // Start building the path diagnostic... 1624 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), getPathDiagnosticClient()); 1625 1626 // Register additional node visitors. 1627 R->addVisitor(new NilReceiverBRVisitor()); 1628 R->addVisitor(new ConditionBRVisitor()); 1629 1630 // Generate the very last diagnostic piece - the piece is visible before 1631 // the trace is expanded. 1632 PathDiagnosticPiece *LastPiece = 0; 1633 for (BugReport::visitor_iterator I = R->visitor_begin(), 1634 E = R->visitor_end(); I!=E; ++I) { 1635 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) { 1636 assert (!LastPiece && 1637 "There can only be one final piece in a diagnostic."); 1638 LastPiece = Piece; 1639 } 1640 } 1641 if (!LastPiece) 1642 LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R); 1643 if (LastPiece) 1644 PD.push_back(LastPiece); 1645 else 1646 return; 1647 1648 switch (PDB.getGenerationScheme()) { 1649 case PathDiagnosticClient::Extensive: 1650 GenerateExtensivePathDiagnostic(PD, PDB, N); 1651 break; 1652 case PathDiagnosticClient::Minimal: 1653 GenerateMinimalPathDiagnostic(PD, PDB, N); 1654 break; 1655 } 1656 } 1657 1658 void BugReporter::Register(BugType *BT) { 1659 BugTypes = F.add(BugTypes, BT); 1660 } 1661 1662 void BugReporter::EmitReport(BugReport* R) { 1663 // Compute the bug report's hash to determine its equivalence class. 1664 llvm::FoldingSetNodeID ID; 1665 R->Profile(ID); 1666 1667 // Lookup the equivance class. If there isn't one, create it. 1668 BugType& BT = R->getBugType(); 1669 Register(&BT); 1670 void *InsertPos; 1671 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 1672 1673 if (!EQ) { 1674 EQ = new BugReportEquivClass(R); 1675 EQClasses.InsertNode(EQ, InsertPos); 1676 EQClassesVector.push_back(EQ); 1677 } 1678 else 1679 EQ->AddReport(R); 1680 } 1681 1682 1683 //===----------------------------------------------------------------------===// 1684 // Emitting reports in equivalence classes. 1685 //===----------------------------------------------------------------------===// 1686 1687 namespace { 1688 struct FRIEC_WLItem { 1689 const ExplodedNode *N; 1690 ExplodedNode::const_succ_iterator I, E; 1691 1692 FRIEC_WLItem(const ExplodedNode *n) 1693 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 1694 }; 1695 } 1696 1697 static BugReport * 1698 FindReportInEquivalenceClass(BugReportEquivClass& EQ, 1699 SmallVectorImpl<BugReport*> &bugReports) { 1700 1701 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 1702 assert(I != E); 1703 BugReport *R = *I; 1704 BugType& BT = R->getBugType(); 1705 1706 // If we don't need to suppress any of the nodes because they are 1707 // post-dominated by a sink, simply add all the nodes in the equivalence class 1708 // to 'Nodes'. Any of the reports will serve as a "representative" report. 1709 if (!BT.isSuppressOnSink()) { 1710 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 1711 const ExplodedNode *N = I->getErrorNode(); 1712 if (N) { 1713 R = *I; 1714 bugReports.push_back(R); 1715 } 1716 } 1717 return R; 1718 } 1719 1720 // For bug reports that should be suppressed when all paths are post-dominated 1721 // by a sink node, iterate through the reports in the equivalence class 1722 // until we find one that isn't post-dominated (if one exists). We use a 1723 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 1724 // this as a recursive function, but we don't want to risk blowing out the 1725 // stack for very long paths. 1726 BugReport *exampleReport = 0; 1727 1728 for (; I != E; ++I) { 1729 R = *I; 1730 const ExplodedNode *errorNode = R->getErrorNode(); 1731 1732 if (!errorNode) 1733 continue; 1734 if (errorNode->isSink()) { 1735 assert(false && 1736 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 1737 return 0; 1738 } 1739 // No successors? By definition this nodes isn't post-dominated by a sink. 1740 if (errorNode->succ_empty()) { 1741 bugReports.push_back(R); 1742 if (!exampleReport) 1743 exampleReport = R; 1744 continue; 1745 } 1746 1747 // At this point we know that 'N' is not a sink and it has at least one 1748 // successor. Use a DFS worklist to find a non-sink end-of-path node. 1749 typedef FRIEC_WLItem WLItem; 1750 typedef SmallVector<WLItem, 10> DFSWorkList; 1751 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 1752 1753 DFSWorkList WL; 1754 WL.push_back(errorNode); 1755 Visited[errorNode] = 1; 1756 1757 while (!WL.empty()) { 1758 WLItem &WI = WL.back(); 1759 assert(!WI.N->succ_empty()); 1760 1761 for (; WI.I != WI.E; ++WI.I) { 1762 const ExplodedNode *Succ = *WI.I; 1763 // End-of-path node? 1764 if (Succ->succ_empty()) { 1765 // If we found an end-of-path node that is not a sink. 1766 if (!Succ->isSink()) { 1767 bugReports.push_back(R); 1768 if (!exampleReport) 1769 exampleReport = R; 1770 WL.clear(); 1771 break; 1772 } 1773 // Found a sink? Continue on to the next successor. 1774 continue; 1775 } 1776 // Mark the successor as visited. If it hasn't been explored, 1777 // enqueue it to the DFS worklist. 1778 unsigned &mark = Visited[Succ]; 1779 if (!mark) { 1780 mark = 1; 1781 WL.push_back(Succ); 1782 break; 1783 } 1784 } 1785 1786 // The worklist may have been cleared at this point. First 1787 // check if it is empty before checking the last item. 1788 if (!WL.empty() && &WL.back() == &WI) 1789 WL.pop_back(); 1790 } 1791 } 1792 1793 // ExampleReport will be NULL if all the nodes in the equivalence class 1794 // were post-dominated by sinks. 1795 return exampleReport; 1796 } 1797 1798 //===----------------------------------------------------------------------===// 1799 // DiagnosticCache. This is a hack to cache analyzer diagnostics. It 1800 // uses global state, which eventually should go elsewhere. 1801 //===----------------------------------------------------------------------===// 1802 namespace { 1803 class DiagCacheItem : public llvm::FoldingSetNode { 1804 llvm::FoldingSetNodeID ID; 1805 public: 1806 DiagCacheItem(BugReport *R, PathDiagnostic *PD) { 1807 ID.AddString(R->getBugType().getName()); 1808 ID.AddString(R->getBugType().getCategory()); 1809 ID.AddString(R->getDescription()); 1810 ID.AddInteger(R->getLocation().getRawEncoding()); 1811 PD->Profile(ID); 1812 } 1813 1814 void Profile(llvm::FoldingSetNodeID &id) { 1815 id = ID; 1816 } 1817 1818 llvm::FoldingSetNodeID &getID() { return ID; } 1819 }; 1820 } 1821 1822 static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) { 1823 // FIXME: Eventually this diagnostic cache should reside in something 1824 // like AnalysisManager instead of being a static variable. This is 1825 // really unsafe in the long term. 1826 typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache; 1827 static DiagnosticCache DC; 1828 1829 void *InsertPos; 1830 DiagCacheItem *Item = new DiagCacheItem(R, PD); 1831 1832 if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) { 1833 delete Item; 1834 return true; 1835 } 1836 1837 DC.InsertNode(Item, InsertPos); 1838 return false; 1839 } 1840 1841 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 1842 SmallVector<BugReport*, 10> bugReports; 1843 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 1844 if (!exampleReport) 1845 return; 1846 1847 PathDiagnosticClient* PD = getPathDiagnosticClient(); 1848 1849 // FIXME: Make sure we use the 'R' for the path that was actually used. 1850 // Probably doesn't make a difference in practice. 1851 BugType& BT = exampleReport->getBugType(); 1852 1853 llvm::OwningPtr<PathDiagnostic> 1854 D(new PathDiagnostic(exampleReport->getBugType().getName(), 1855 !PD || PD->useVerboseDescription() 1856 ? exampleReport->getDescription() 1857 : exampleReport->getShortDescription(), 1858 BT.getCategory())); 1859 1860 if (!bugReports.empty()) 1861 GeneratePathDiagnostic(*D.get(), bugReports); 1862 1863 if (IsCachedDiagnostic(exampleReport, D.get())) 1864 return; 1865 1866 // Get the meta data. 1867 const BugReport::ExtraTextList &Meta = 1868 exampleReport->getExtraText(); 1869 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(), 1870 e = Meta.end(); i != e; ++i) { 1871 D->addMeta(*i); 1872 } 1873 1874 // Emit a summary diagnostic to the regular Diagnostics engine. 1875 BugReport::ranges_iterator Beg, End; 1876 llvm::tie(Beg, End) = exampleReport->getRanges(); 1877 Diagnostic &Diag = getDiagnostic(); 1878 FullSourceLoc L(exampleReport->getLocation(), getSourceManager()); 1879 1880 // Search the description for '%', as that will be interpretted as a 1881 // format character by FormatDiagnostics. 1882 StringRef desc = exampleReport->getShortDescription(); 1883 unsigned ErrorDiag; 1884 { 1885 llvm::SmallString<512> TmpStr; 1886 llvm::raw_svector_ostream Out(TmpStr); 1887 for (StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I) 1888 if (*I == '%') 1889 Out << "%%"; 1890 else 1891 Out << *I; 1892 1893 Out.flush(); 1894 ErrorDiag = Diag.getCustomDiagID(Diagnostic::Warning, TmpStr); 1895 } 1896 1897 { 1898 DiagnosticBuilder diagBuilder = Diag.Report(L, ErrorDiag); 1899 for (BugReport::ranges_iterator I = Beg; I != End; ++I) 1900 diagBuilder << *I; 1901 } 1902 1903 // Emit a full diagnostic for the path if we have a PathDiagnosticClient. 1904 if (!PD) 1905 return; 1906 1907 if (D->empty()) { 1908 PathDiagnosticPiece *piece = 1909 new PathDiagnosticEventPiece(L, exampleReport->getDescription()); 1910 1911 for ( ; Beg != End; ++Beg) piece->addRange(*Beg); 1912 D->push_back(piece); 1913 } 1914 1915 PD->HandlePathDiagnostic(D.take()); 1916 } 1917 1918 void BugReporter::EmitBasicReport(StringRef name, StringRef str, 1919 SourceLocation Loc, 1920 SourceRange* RBeg, unsigned NumRanges) { 1921 EmitBasicReport(name, "", str, Loc, RBeg, NumRanges); 1922 } 1923 1924 void BugReporter::EmitBasicReport(StringRef name, 1925 StringRef category, 1926 StringRef str, SourceLocation Loc, 1927 SourceRange* RBeg, unsigned NumRanges) { 1928 1929 // 'BT' is owned by BugReporter. 1930 BugType *BT = getBugTypeForName(name, category); 1931 FullSourceLoc L = getContext().getFullLoc(Loc); 1932 BugReport *R = new BugReport(*BT, str, L); 1933 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 1934 EmitReport(R); 1935 } 1936 1937 BugType *BugReporter::getBugTypeForName(StringRef name, 1938 StringRef category) { 1939 llvm::SmallString<136> fullDesc; 1940 llvm::raw_svector_ostream(fullDesc) << name << ":" << category; 1941 llvm::StringMapEntry<BugType *> & 1942 entry = StrBugTypes.GetOrCreateValue(fullDesc); 1943 BugType *BT = entry.getValue(); 1944 if (!BT) { 1945 BT = new BugType(name, category); 1946 entry.setValue(BT); 1947 } 1948 return BT; 1949 } 1950