1 // BugReporterVisitors.cpp - Helpers for reporting bugs -----------*- C++ -*--//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 //  This file defines a set of BugReporter "visitors" which can be used to
11 //  enhance the diagnostics reported for a bug.
12 //
13 //===----------------------------------------------------------------------===//
14 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h"
15 #include "clang/AST/Expr.h"
16 #include "clang/AST/ExprObjC.h"
17 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
23 #include "llvm/ADT/SmallString.h"
24 #include "llvm/ADT/StringExtras.h"
25 #include "llvm/Support/raw_ostream.h"
26 
27 using namespace clang;
28 using namespace ento;
29 
30 using llvm::FoldingSetNodeID;
31 
32 //===----------------------------------------------------------------------===//
33 // Utility functions.
34 //===----------------------------------------------------------------------===//
35 
/// Returns true when \p E is a DeclRefExpr whose referenced declaration has
/// reference type (e.g. the use of `r` after `int &r = ...;`).
///
/// Any other expression kind yields false. \p E must not be null (dyn_cast
/// asserts on a null pointer).
bool bugreporter::isDeclRefExprToReference(const Expr *E) {
  const DeclRefExpr *Ref = dyn_cast<DeclRefExpr>(E);
  if (!Ref)
    return false;
  return Ref->getDecl()->getType()->isReferenceType();
}
42 
/// Given the statement at which a dereference was reported, returns the
/// sub-expression whose value was actually dereferenced.
///
/// Only a few syntactic shapes are recognised (parens and casts are ignored):
///   a[0]        -> a
///   p->f        -> p      (also r.f when r has reference type)
///   *p          -> p
///   obj->ivar   -> obj    (Objective-C ivar access)
///   lhs = rhs   -> the LHS is peeled and the search continues on it
///
/// \return the dereferenced expression, or NULL when \p S is not an
///         expression or does not match one of the forms above.
const Expr *bugreporter::getDerefExpr(const Stmt *S) {
  const Expr *Cur = dyn_cast<Expr>(S);
  if (!Cur)
    return NULL;
  Cur = Cur->IgnoreParenCasts();

  for (;;) {
    if (const BinaryOperator *Assign = dyn_cast<BinaryOperator>(Cur)) {
      // Only assignments are expected here; the dereference is on the LHS.
      assert(Assign->isAssignmentOp());
      Cur = Assign->getLHS()->IgnoreParenCasts();
      continue;
    }

    if (const UnaryOperator *Un = dyn_cast<UnaryOperator>(Cur)) {
      if (Un->getOpcode() == UO_Deref)
        return Un->getSubExpr()->IgnoreParenCasts();
      return NULL;
    }

    if (const MemberExpr *Member = dyn_cast<MemberExpr>(Cur)) {
      const bool ThroughPointer =
          Member->isArrow() || isDeclRefExprToReference(Member->getBase());
      if (ThroughPointer)
        return Member->getBase()->IgnoreParenCasts();
      return NULL;
    }

    if (const ObjCIvarRefExpr *Ivar = dyn_cast<ObjCIvarRefExpr>(Cur))
      return Ivar->getBase()->IgnoreParenCasts();

    if (const ArraySubscriptExpr *Subscript =
            dyn_cast<ArraySubscriptExpr>(Cur))
      return Subscript->getBase();

    // No recognised pattern.
    return NULL;
  }
}
77 
/// For a node located at a PreStmt of a binary operator, returns the
/// right-hand operand (the divisor of a division). Returns NULL when the
/// statement is not a BinaryOperator. The node must be at a PreStmt location.
const Stmt *bugreporter::GetDenomExpr(const ExplodedNode *N) {
  const Stmt *Stmt_ = N->getLocationAs<PreStmt>()->getStmt();
  const BinaryOperator *BinOp = dyn_cast<BinaryOperator>(Stmt_);
  return BinOp ? BinOp->getRHS() : NULL;
}
84 
/// For a node located at a PostStmt of a ReturnStmt, returns the returned
/// expression (may be null for a bare `return;`). Returns NULL when the
/// statement is not a ReturnStmt. The node must be at a PostStmt location.
const Stmt *bugreporter::GetRetValExpr(const ExplodedNode *N) {
  const Stmt *Stmt_ = N->getLocationAs<PostStmt>()->getStmt();
  const ReturnStmt *Ret = dyn_cast<ReturnStmt>(Stmt_);
  return Ret ? Ret->getRetValue() : NULL;
}
91 
92 //===----------------------------------------------------------------------===//
93 // Definitions for bug reporter visitors.
94 //===----------------------------------------------------------------------===//
95 
/// Default end-of-path hook: visitors that do not override this contribute
/// no final piece. Callers that want the generic end-of-path event use
/// getDefaultEndPath instead.
PathDiagnosticPiece*
BugReporterVisitor::getEndPath(BugReporterContext &BRC,
                               const ExplodedNode *EndPathNode,
                               BugReport &BR) {
  return NULL;
}
102 
/// Builds the generic end-of-path event piece for a report.
///
/// The piece is placed at the end of the path of \p EndPathNode and carries
/// the report's description. When the report supplies no ranges of its own,
/// the piece is told to add the statement itself as a range; otherwise the
/// report's ranges are copied onto the piece.
///
/// \return a newly allocated PathDiagnosticEventPiece; ownership passes to
///         the caller.
PathDiagnosticPiece*
BugReporterVisitor::getDefaultEndPath(BugReporterContext &BRC,
                                      const ExplodedNode *EndPathNode,
                                      BugReport &BR) {
  const PathDiagnosticLocation Loc =
    PathDiagnosticLocation::createEndOfPath(EndPathNode, BRC.getSourceManager());

  BugReport::ranges_iterator RangeIt, RangeEnd;
  llvm::tie(RangeIt, RangeEnd) = BR.getRanges();

  // No custom ranges on the report -> let the piece add the statement range.
  const bool AddStmtRange = (RangeIt == RangeEnd);
  PathDiagnosticPiece *Piece =
    new PathDiagnosticEventPiece(Loc, BR.getDescription(), AddStmtRange);

  while (RangeIt != RangeEnd) {
    Piece->addRange(*RangeIt);
    ++RangeIt;
  }

  return Piece;
}
123 
124 
namespace {
/// Emits an extra note at the return statement of an interesting stack frame.
///
/// The returned value is marked as an interesting value, and if it's null,
/// adds a visitor to track where it became null.
///
/// This visitor is intended to be used when another visitor discovers that an
/// interesting value comes from an inlined function call.
class ReturnVisitor : public BugReporterVisitorImpl<ReturnVisitor> {
  /// The inlined callee frame whose return statement we want to annotate.
  const StackFrameContext *StackFrame;
  /// Drives VisitNode: Initial until the return statement is found, then
  /// either Satisfied (done) or MaybeUnsuppress (still watching the call's
  /// arguments for a null that would un-suppress the report).
  enum {
    Initial,
    MaybeUnsuppress,
    Satisfied
  } Mode;
  /// True when the call's return value was constrained to null at the call
  /// site; getEndPath then marks the report invalid under this visitor's tag.
  bool InitiallySuppressed;

public:
  ReturnVisitor(const StackFrameContext *Frame, bool Suppressed)
    : StackFrame(Frame), Mode(Initial), InitiallySuppressed(Suppressed) {}

  /// Unique identity for this visitor kind: the address of a function-local
  /// static. Used in Profile and as the tag for markInvalid/removeInvalidation.
  static void *getTag() {
    static int Tag = 0;
    return static_cast<void *>(&Tag);
  }

  /// Folding identity: visitor tag, target frame and initial suppression flag.
  virtual void Profile(llvm::FoldingSetNodeID &ID) const {
    ID.AddPointer(ReturnVisitor::getTag());
    ID.AddPointer(StackFrame);
    ID.AddBoolean(InitiallySuppressed);
  }

  /// Adds a ReturnVisitor if the given statement represents a call that was
  /// inlined.
  ///
  /// This will search back through the ExplodedGraph, starting from the given
  /// node, looking for when the given statement was processed. If it turns out
  /// the statement is a call that was inlined, we add the visitor to the
  /// bug report, so it can print a note later.
  ///
  /// \param Node the node to start the backwards search from.
  /// \param S    the call statement whose value is being tracked.
  /// \param BR   the report that receives the new visitor; the callee frame
  ///             is also marked interesting on it.
  static void addVisitorIfNecessary(const ExplodedNode *Node, const Stmt *S,
                                    BugReport &BR) {
    if (!CallEvent::isCallStmt(S))
      return;

    // First, find when we processed the statement.
    // Either the CallExitEnd of an inlined callee for this call site, or a
    // StmtPoint for the statement itself (non-inlined case), ends the walk.
    do {
      if (Optional<CallExitEnd> CEE = Node->getLocationAs<CallExitEnd>())
        if (CEE->getCalleeContext()->getCallSite() == S)
          break;
      if (Optional<StmtPoint> SP = Node->getLocationAs<StmtPoint>())
        if (SP->getStmt() == S)
          break;

      Node = Node->getFirstPred();
    } while (Node);

    // Next, step over any post-statement checks.
    while (Node && Node->getLocation().getAs<PostStmt>())
      Node = Node->getFirstPred();
    if (!Node)
      return;

    // Finally, see if we inlined the call.
    Optional<CallExitEnd> CEE = Node->getLocationAs<CallExitEnd>();
    if (!CEE)
      return;

    const StackFrameContext *CalleeContext = CEE->getCalleeContext();
    if (CalleeContext->getCallSite() != S)
      return;

    // Check the return value.
    ProgramStateRef State = Node->getState();
    SVal RetVal = State->getSVal(S, Node->getLocationContext());

    // Handle cases where a reference is returned and then immediately used.
    // S passed isCallStmt above; cast<Expr> asserts that it is an expression.
    if (cast<Expr>(S)->isGLValue())
      if (Optional<Loc> LValue = RetVal.getAs<Loc>())
        RetVal = State->getSVal(*LValue);

    // See if the return value is NULL. If so, suppress the report.
    SubEngine *Eng = State->getStateManager().getOwningEngine();
    assert(Eng && "Cannot file a bug report without an owning engine");
    AnalyzerOptions &Options = Eng->getAnalysisManager().options;

    // Only pointer (Loc) return values can be "null" here; non-pointer
    // returns never suppress.
    bool InitiallySuppressed = false;
    if (Options.shouldSuppressNullReturnPaths())
      if (Optional<Loc> RetLoc = RetVal.getAs<Loc>())
        InitiallySuppressed = State->isNull(*RetLoc).isConstrainedTrue();

    BR.markInteresting(CalleeContext);
    BR.addVisitor(new ReturnVisitor(CalleeContext, InitiallySuppressed));
  }

  /// Returns true if any counter-suppression heuristics are enabled for
  /// ReturnVisitor.
  static bool hasCounterSuppression(AnalyzerOptions &Options) {
    return Options.shouldAvoidSuppressingNullArgumentPaths();
  }

  /// Mode == Initial: look for the return statement of StackFrame, mark the
  /// returned value interesting (tracking it further if it is null) and emit
  /// a "Returning ..." note at the return statement.
  ///
  /// \return the note piece, or 0 when this node is not the interesting
  ///         return statement, the value is unavailable, or the value is an
  ///         aggregate / not provably null.
  PathDiagnosticPiece *visitNodeInitial(const ExplodedNode *N,
                                        const ExplodedNode *PrevN,
                                        BugReporterContext &BRC,
                                        BugReport &BR) {
    // Only print a message at the interesting return statement.
    if (N->getLocationContext() != StackFrame)
      return 0;

    Optional<StmtPoint> SP = N->getLocationAs<StmtPoint>();
    if (!SP)
      return 0;

    const ReturnStmt *Ret = dyn_cast<ReturnStmt>(SP->getStmt());
    if (!Ret)
      return 0;

    // Okay, we're at the right return statement, but do we have the return
    // value available?
    ProgramStateRef State = N->getState();
    SVal V = State->getSVal(Ret, StackFrame);
    if (V.isUnknownOrUndef())
      return 0;

    // Don't print any more notes after this one.
    Mode = Satisfied;

    const Expr *RetE = Ret->getRetValue();
    assert(RetE && "Tracking a return value for a void function");

    // Handle cases where a reference is returned and then immediately used.
    // LValue stays set so the message below can name the referenced region.
    Optional<Loc> LValue;
    if (RetE->isGLValue()) {
      if ((LValue = V.getAs<Loc>())) {
        SVal RValue = State->getRawSVal(*LValue, RetE->getType());
        if (RValue.getAs<DefinedSVal>())
          V = RValue;
      }
    }

    // Ignore aggregate rvalues.
    if (V.getAs<nonloc::LazyCompoundVal>() ||
        V.getAs<nonloc::CompoundVal>())
      return 0;

    RetE = RetE->IgnoreParenCasts();

    // If we can't prove the return value is 0, just mark it interesting, and
    // make sure to track it into any further inner functions.
    if (!State->isNull(V).isConstrainedTrue()) {
      BR.markInteresting(V);
      ReturnVisitor::addVisitorIfNecessary(N, RetE, BR);
      return 0;
    }

    // If we're returning 0, we should track where that 0 came from.
    bugreporter::trackNullOrUndefValue(N, RetE, BR);

    // Build an appropriate message based on the return value.
    SmallString<64> Msg;
    llvm::raw_svector_ostream Out(Msg);

    if (V.getAs<Loc>()) {
      // If we have counter-suppression enabled, make sure we keep visiting
      // future nodes. We want to emit a path note as well, in case
      // the report is resurrected as valid later on.
      ExprEngine &Eng = BRC.getBugReporter().getEngine();
      AnalyzerOptions &Options = Eng.getAnalysisManager().options;
      if (InitiallySuppressed && hasCounterSuppression(Options))
        Mode = MaybeUnsuppress;

      if (RetE->getType()->isObjCObjectPointerType())
        Out << "Returning nil";
      else
        Out << "Returning null pointer";
    } else {
      Out << "Returning zero";
    }

    if (LValue) {
      if (const MemRegion *MR = LValue->getAsRegion()) {
        if (MR->canPrintPretty()) {
          Out << " (reference to '";
          MR->printPretty(Out);
          Out << "')";
        }
      }
    } else {
      // FIXME: We should have a more generalized location printing mechanism.
      if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(RetE))
        if (const DeclaratorDecl *DD = dyn_cast<DeclaratorDecl>(DR->getDecl()))
          Out << " (loaded from '" << *DD << "')";
    }

    PathDiagnosticLocation L(Ret, BRC.getSourceManager(), StackFrame);
    return new PathDiagnosticEventPiece(L, Out.str());
  }

  /// Mode == MaybeUnsuppress: at the CallEnter of StackFrame, inspect the
  /// call's arguments. If one is constrained to null and can be tracked, the
  /// invalidation this visitor registered is removed so the report survives.
  ///
  /// Only reachable when counter-suppression is enabled (asserted in debug
  /// builds). Never emits a piece; always returns 0.
  PathDiagnosticPiece *visitNodeMaybeUnsuppress(const ExplodedNode *N,
                                                const ExplodedNode *PrevN,
                                                BugReporterContext &BRC,
                                                BugReport &BR) {
#ifndef NDEBUG
    ExprEngine &Eng = BRC.getBugReporter().getEngine();
    AnalyzerOptions &Options = Eng.getAnalysisManager().options;
    assert(hasCounterSuppression(Options));
#endif

    // Are we at the entry node for this call?
    Optional<CallEnter> CE = N->getLocationAs<CallEnter>();
    if (!CE)
      return 0;

    if (CE->getCalleeContext() != StackFrame)
      return 0;

    Mode = Satisfied;

    // Don't automatically suppress a report if one of the arguments is
    // known to be a null pointer. Instead, start tracking /that/ null
    // value back to its origin.
    ProgramStateManager &StateMgr = BRC.getStateManager();
    CallEventManager &CallMgr = StateMgr.getCallEventManager();

    ProgramStateRef State = N->getState();
    CallEventRef<> Call = CallMgr.getCaller(StackFrame, State);
    for (unsigned I = 0, E = Call->getNumArgs(); I != E; ++I) {
      Optional<Loc> ArgV = Call->getArgSVal(I).getAs<Loc>();
      if (!ArgV)
        continue;

      const Expr *ArgE = Call->getArgExpr(I);
      if (!ArgE)
        continue;

      // Is it possible for this argument to be non-null?
      if (!State->isNull(*ArgV).isConstrainedTrue())
        continue;

      // Same (tag, frame) pair as the markInvalid in getEndPath.
      if (bugreporter::trackNullOrUndefValue(N, ArgE, BR, /*IsArg=*/true))
        BR.removeInvalidation(ReturnVisitor::getTag(), StackFrame);

      // If we /can't/ track the null pointer, we should err on the side of
      // false negatives, and continue towards marking this report invalid.
      // (We will still look at the other arguments, though.)
    }

    return 0;
  }

  /// Dispatches to the handler for the current Mode; Satisfied visitors do
  /// nothing further.
  PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
                                 const ExplodedNode *PrevN,
                                 BugReporterContext &BRC,
                                 BugReport &BR) {
    switch (Mode) {
    case Initial:
      return visitNodeInitial(N, PrevN, BRC, BR);
    case MaybeUnsuppress:
      return visitNodeMaybeUnsuppress(N, PrevN, BRC, BR);
    case Satisfied:
      return 0;
    }

    llvm_unreachable("Invalid visit mode!");
  }

  /// If the call was initially suppressed (null return at the call site),
  /// invalidate the report under this visitor's tag and frame; the same pair
  /// is what visitNodeMaybeUnsuppress passes to removeInvalidation. Emits no
  /// piece.
  PathDiagnosticPiece *getEndPath(BugReporterContext &BRC,
                                  const ExplodedNode *N,
                                  BugReport &BR) {
    if (InitiallySuppressed)
      BR.markInvalid(ReturnVisitor::getTag(), StackFrame);
    return 0;
  }
};
} // end anonymous namespace
399 
400 
/// Folding identity: a per-class tag (address of a local static) plus the
/// tracked region and value.
void FindLastStoreBRVisitor ::Profile(llvm::FoldingSetNodeID &ID) const {
  static int VisitorTag = 0;
  ID.AddPointer(&VisitorTag);
  ID.AddPointer(R);
  ID.Add(V);
}
407 
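/// Walks the path backwards looking for the point at which region R was bound
/// to value V, then emits a note describing that binding.
///
/// Three kinds of store site are recognised: the declaration of a variable
/// region (PostStmt of its DeclStmt), the first node whose state carries the
/// binding (or a PostStore re-assignment of R), and a CallEnter for a
/// parameter region. When the bound value came from an expression, that
/// expression is tracked further (trackNullOrUndefValue for undef / concrete
/// null, ReturnVisitor for anything else).
///
/// \param Succ the node being visited (later in the path).
/// \param Pred its predecessor (earlier in the path).
/// \param BRC  access to the state manager and source manager.
/// \param BR   the report; receives extra visitors for the tracked value.
/// \return a new PathDiagnosticEventPiece at the store site, or NULL when the
///         store has not been found yet, the visitor is already satisfied, R
///         cannot be printed, or no valid diagnostic location can be built.
PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
                                                       const ExplodedNode *Pred,
                                                       BugReporterContext &BRC,
                                                       BugReport &BR) {

  if (Satisfied)
    return NULL;

  const ExplodedNode *StoreSite = 0;
  const Expr *InitE = 0;
  bool IsParam = false;

  // First see if we reached the declaration of the region.
  if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
    if (Optional<PostStmt> P = Pred->getLocationAs<PostStmt>()) {
      if (const DeclStmt *DS = P->getStmtAs<DeclStmt>()) {
        if (DS->getSingleDecl() == VR->getDecl()) {
          StoreSite = Pred;
          InitE = VR->getDecl()->getInit();
        }
      }
    }
  }

  // Otherwise, see if this is the store site:
  // (1) Succ has this binding and Pred does not, i.e. this is
  //     where the binding first occurred.
  // (2) Succ has this binding and is a PostStore node for this region, i.e.
  //     the same binding was re-assigned here.
  if (!StoreSite) {
    if (Succ->getState()->getSVal(R) != V)
      return NULL;

    if (Pred->getState()->getSVal(R) == V) {
      Optional<PostStore> PS = Succ->getLocationAs<PostStore>();
      if (!PS || PS->getLocationValue() != R)
        return NULL;
    }

    StoreSite = Succ;

    // If this is an assignment expression, we can track the value
    // being assigned.
    if (Optional<PostStmt> P = Succ->getLocationAs<PostStmt>())
      if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>())
        if (BO->isAssignmentOp())
          InitE = BO->getRHS();

    // If this is a call entry, the variable should be a parameter.
    // FIXME: Handle CXXThisRegion as well. (This is not a priority because
    // 'this' should never be NULL, but this visitor isn't just for NULL and
    // UndefinedVal.)
    if (Optional<CallEnter> CE = Succ->getLocationAs<CallEnter>()) {
      if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
        // cast<> asserts: at a CallEnter a VarRegion binding is expected to
        // be a parameter of the callee.
        const ParmVarDecl *Param = cast<ParmVarDecl>(VR->getDecl());

        ProgramStateManager &StateMgr = BRC.getStateManager();
        CallEventManager &CallMgr = StateMgr.getCallEventManager();

        CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),
                                                Succ->getState());
        InitE = Call->getArgExpr(Param->getFunctionScopeIndex());
        IsParam = true;
      }
    }

    // If this is a CXXTempObjectRegion, the Expr responsible for its creation
    // is wrapped inside of it.
    if (const CXXTempObjectRegion *TmpR = dyn_cast<CXXTempObjectRegion>(R))
      InitE = TmpR->getExpr();
  }

  if (!StoreSite)
    return NULL;
  Satisfied = true;

  // If we have an expression that provided the value, try to track where it
  // came from.
  if (InitE) {
    if (V.isUndef() || V.getAs<loc::ConcreteInt>()) {
      // Argument expressions are passed with casts intact (see IsArg in
      // trackNullOrUndefValue); everything else is stripped here.
      if (!IsParam)
        InitE = InitE->IgnoreParenCasts();
      bugreporter::trackNullOrUndefValue(StoreSite, InitE, BR, IsParam);
    } else {
      ReturnVisitor::addVisitorIfNecessary(StoreSite, InitE->IgnoreParenCasts(),
                                           BR);
    }
  }

  // R is dereferenced here, so it is known non-null for the rest of the
  // function; no further null checks on R are needed below.
  if (!R->canPrintPretty())
    return 0;

  // Okay, we've found the binding. Emit an appropriate message.
  SmallString<256> sbuf;
  llvm::raw_svector_ostream os(sbuf);

  if (Optional<PostStmt> PS = StoreSite->getLocationAs<PostStmt>()) {
    const Stmt *S = PS->getStmt();
    const char *action = 0;
    const DeclStmt *DS = dyn_cast<DeclStmt>(S);
    const VarRegion *VR = dyn_cast<VarRegion>(R);

    if (DS) {
      action = "initialized to ";
    } else if (isa<BlockExpr>(S)) {
      action = "captured by block as ";
      if (VR) {
        // See if we can get the BlockVarRegion.
        // Named BlockV so it does not shadow the tracked member V, which is
        // still needed for the message below.
        ProgramStateRef State = StoreSite->getState();
        SVal BlockV = State->getSVal(S, PS->getLocationContext());
        if (const BlockDataRegion *BDR =
              dyn_cast_or_null<BlockDataRegion>(BlockV.getAsRegion())) {
          if (const VarRegion *OriginalR = BDR->getOriginalRegion(VR)) {
            if (Optional<KnownSVal> KV =
                State->getSVal(OriginalR).getAs<KnownSVal>())
              BR.addVisitor(new FindLastStoreBRVisitor(*KV, OriginalR));
          }
        }
      }
    }

    if (action) {
      os << '\'';
      R->printPretty(os);
      os << "' ";

      if (V.getAs<loc::ConcreteInt>()) {
        bool b = false;
        if (R->isBoundable()) {
          if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
            if (TR->getValueType()->isObjCObjectPointerType()) {
              os << action << "nil";
              b = true;
            }
          }
        }

        if (!b)
          os << action << "a null pointer value";
      } else if (Optional<nonloc::ConcreteInt> CVal =
                     V.getAs<nonloc::ConcreteInt>()) {
        os << action << CVal->getValue();
      }
      else if (DS) {
        if (V.isUndef()) {
          if (isa<VarRegion>(R)) {
            const VarDecl *VD = cast<VarDecl>(DS->getSingleDecl());
            if (VD->getInit())
              os << "initialized to a garbage value";
            else
              os << "declared without an initial value";
          }
        }
        else {
          os << "initialized here";
        }
      }
    }
  } else if (StoreSite->getLocation().getAs<CallEnter>()) {
    if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
      const ParmVarDecl *Param = cast<ParmVarDecl>(VR->getDecl());

      os << "Passing ";

      if (V.getAs<loc::ConcreteInt>()) {
        if (Param->getType()->isObjCObjectPointerType())
          os << "nil object reference";
        else
          os << "null pointer value";
      } else if (V.isUndef()) {
        os << "uninitialized value";
      } else if (Optional<nonloc::ConcreteInt> CI =
                     V.getAs<nonloc::ConcreteInt>()) {
        os << "the value " << CI->getValue();
      } else {
        os << "value";
      }

      // Printed parameter indexes are 1-based, not 0-based.
      unsigned Idx = Param->getFunctionScopeIndex() + 1;
      os << " via " << Idx << llvm::getOrdinalSuffix(Idx) << " parameter '";

      R->printPretty(os);
      os << '\'';
    }
  }

  // Fallback wording when none of the cases above produced a message.
  if (os.str().empty()) {
    if (V.getAs<loc::ConcreteInt>()) {
      bool b = false;
      if (R->isBoundable()) {
        if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
          if (TR->getValueType()->isObjCObjectPointerType()) {
            os << "nil object reference stored to ";
            b = true;
          }
        }
      }

      if (!b)
        os << "Null pointer value stored to ";
    }
    else if (V.isUndef()) {
      os << "Uninitialized value stored to ";
    } else if (Optional<nonloc::ConcreteInt> CV =
                   V.getAs<nonloc::ConcreteInt>()) {
      os << "The value " << CV->getValue() << " is assigned to ";
    }
    else
      os << "Value assigned to ";

    os << '\'';
    R->printPretty(os);
    os << '\'';
  }

  // Construct a new PathDiagnosticPiece.
  // For a parameter store the note goes on the argument expression at the
  // call site rather than on the CallEnter point itself.
  ProgramPoint P = StoreSite->getLocation();
  PathDiagnosticLocation L;
  if (P.getAs<CallEnter>() && InitE)
    L = PathDiagnosticLocation(InitE, BRC.getSourceManager(),
                               P.getLocationContext());
  else
    L = PathDiagnosticLocation::create(P, BRC.getSourceManager());
  if (!L.isValid())
    return NULL;
  return new PathDiagnosticEventPiece(L, os.str());
}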
639 
/// Folding identity: a per-class tag (address of a local static), the
/// assumed truth value and the constraint itself.
void TrackConstraintBRVisitor::Profile(llvm::FoldingSetNodeID &ID) const {
  static int VisitorTag = 0;
  ID.AddPointer(&VisitorTag);
  ID.AddBoolean(Assumption);
  ID.Add(Constraint);
}
646 
/// Return the tag associated with this visitor.  This tag will be used
/// to make all PathDiagnosticPieces created by this visitor.
const char *TrackConstraintBRVisitor::getTag() {
  static const char *const kTag = "TrackConstraintBRVisitor";
  return kTag;
}
652 
/// Returns true when, in the state of \p N, the constraint could still go
/// either way: for a zero-check, when nullness of Constraint is
/// underconstrained; otherwise, when assuming the negation of Assumption is
/// feasible.
bool TrackConstraintBRVisitor::isUnderconstrained(const ExplodedNode *N) const {
  ProgramStateRef State = N->getState();
  if (IsZeroCheck)
    return State->isNull(Constraint).isUnderconstrained();
  const bool Negation = !Assumption;
  return State->assume(Constraint, Negation);
}
658 
/// Finds the transition point at which Constraint became established and
/// emits an "Assuming pointer value is ..." note there.
///
/// The transition is the first visited pair where \p PrevN's state could
/// still violate the constraint while \p N's state cannot. Only pointer
/// (Loc) constraints produce a message; others are silently satisfied.
///
/// \return a tagged PathDiagnosticEventPiece at \p N, or NULL when already
///         satisfied, not yet at the transition, the constraint is not a
///         pointer, or no valid location can be built.
PathDiagnosticPiece *
TrackConstraintBRVisitor::VisitNode(const ExplodedNode *N,
                                    const ExplodedNode *PrevN,
                                    BugReporterContext &BRC,
                                    BugReport &BR) {
  if (IsSatisfied)
    return NULL;

  // Not at the transition yet: the predecessor already had the constraint.
  if (!isUnderconstrained(PrevN))
    return NULL;

  IsSatisfied = true;

  // Sanity check: the negation must be infeasible in the current state; if
  // it is still feasible we somehow missed the transition point.
  if (isUnderconstrained(N))
    return NULL;

  // Pretty-print the constraint. (work-in-progress: only pointers so far)
  SmallString<64> Buf;
  llvm::raw_svector_ostream OS(Buf);
  if (Constraint.getAs<Loc>())
    OS << "Assuming pointer value is " << (Assumption ? "non-null" : "null");

  if (OS.str().empty())
    return NULL;

  // Construct a new PathDiagnosticPiece at the current node.
  const ProgramPoint Point = N->getLocation();
  const PathDiagnosticLocation Loc =
    PathDiagnosticLocation::create(Point, BRC.getSourceManager());
  if (!Loc.isValid())
    return NULL;

  PathDiagnosticEventPiece *Piece = new PathDiagnosticEventPiece(Loc, OS.str());
  Piece->setTag(getTag());
  return Piece;
}
706 
/// Constructs a visitor that tracks \p Value, which must be constrained to
/// null in the state of \p N (asserted). If the suppress-inlined-defensive-
/// checks option is off, the visitor starts out satisfied and does nothing.
SuppressInlineDefensiveChecksVisitor::
SuppressInlineDefensiveChecksVisitor(DefinedSVal Value, const ExplodedNode *N)
  : V(Value), IsSatisfied(false), IsTrackingTurnedOn(false) {
  ProgramStateRef State = N->getState();
  SubEngine *Eng = State->getStateManager().getOwningEngine();
  assert(Eng && "Cannot file a bug report without an owning engine");

  // A disabled option short-circuits the visitor by marking it satisfied.
  AnalyzerOptions &Options = Eng->getAnalysisManager().options;
  IsSatisfied = !Options.shouldSuppressInlinedDefensiveChecks();

  assert(State->isNull(V).isConstrainedTrue() &&
         "The visitor only tracks the cases where V is constrained to 0");
}
721 
/// Folding identity: a per-class tag (address of a local static) plus the
/// tracked value.
void SuppressInlineDefensiveChecksVisitor::Profile(FoldingSetNodeID &ID) const {
  static int VisitorTag = 0;
  ID.AddPointer(&VisitorTag);
  ID.Add(V);
}
727 
/// Tag attached to diagnostics produced by this visitor.
const char *SuppressInlineDefensiveChecksVisitor::getTag() {
  static const char *const kTag = "IDCVisitor";
  return kTag;
}
731 
/// Looks for the point at which V became null and, if that happened inside
/// an inlined callee that is not an ancestor of the error node's frame,
/// marks the report invalid ("Suppress IDC"). Never emits a piece.
///
/// Tracking only starts once a state with V constrained to null has been
/// seen; the transition is the first pair where \p Pred's state does not
/// constrain V to null while \p Succ's does.
PathDiagnosticPiece *
SuppressInlineDefensiveChecksVisitor::VisitNode(const ExplodedNode *Succ,
                                                const ExplodedNode *Pred,
                                                BugReporterContext &BRC,
                                                BugReport &BR) {
  if (IsSatisfied)
    return 0;

  // Turn tracking on at the first state in which the value is null.
  if (!IsTrackingTurnedOn && Succ->getState()->isNull(V).isConstrainedTrue())
    IsTrackingTurnedOn = true;
  if (!IsTrackingTurnedOn)
    return 0;

  // Still null in the predecessor: the transition point lies further back.
  if (Pred->getState()->isNull(V).isConstrainedTrue())
    return 0;

  IsSatisfied = true;
  assert(Succ->getState()->isNull(V).isConstrainedTrue());

  // Check if this is an inlined defensive check: the null assumption was made
  // in a frame that is neither the error frame nor one of its parents.
  const LocationContext *CurLC = Succ->getLocationContext();
  const LocationContext *ReportLC = BR.getErrorNode()->getLocationContext();
  const bool OutsideReportFrames =
      CurLC != ReportLC && !CurLC->isParentOf(ReportLC);
  if (OutsideReportFrames)
    BR.markInvalid("Suppress IDC", CurLC);

  return 0;
}
762 
/// If \p E names a variable of reference type, returns that variable's
/// region in the location context of \p N; otherwise returns 0.
static const MemRegion *getLocationRegionIfReference(const Expr *E,
                                                     const ExplodedNode *N) {
  const DeclRefExpr *Ref = dyn_cast<DeclRefExpr>(E);
  if (!Ref)
    return 0;

  const VarDecl *Var = dyn_cast<VarDecl>(Ref->getDecl());
  if (!Var || !Var->getType()->isReferenceType())
    return 0;

  // FIXME: This does not handle other kinds of null references,
  // for example, references from FieldRegions:
  //   struct Wrapper { int &ref; };
  //   Wrapper w = { *(int *)0 };
  //   w.ref = 1;

  ProgramStateManager &StateMgr = N->getState()->getStateManager();
  MemRegionManager &RegionMgr = StateMgr.getRegionManager();
  return RegionMgr.getVarRegion(Var, N->getLocationContext());
}
783 
784 bool bugreporter::trackNullOrUndefValue(const ExplodedNode *N,
785                                         const Stmt *S,
786                                         BugReport &report, bool IsArg) {
787   if (!S || !N)
788     return false;
789 
790   if (const ExprWithCleanups *EWC = dyn_cast<ExprWithCleanups>(S))
791     S = EWC->getSubExpr();
792   if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(S))
793     S = OVE->getSourceExpr();
794 
795   // Peel off the ternary operator.
796   if (const Expr *Ex = dyn_cast<Expr>(S)) {
797     Ex = Ex->IgnoreParenCasts();
798     if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(Ex)) {
799       ProgramStateRef State = N->getState();
800       SVal CondVal = State->getSVal(CO->getCond(), N->getLocationContext());
801       if (State->isNull(CondVal).isConstrainedTrue()) {
802         S = CO->getTrueExpr();
803       } else {
804         assert(State->isNull(CondVal).isConstrainedFalse());
805         S =  CO->getFalseExpr();
806       }
807     }
808   }
809 
810   const Expr *Inner = 0;
811   if (const Expr *Ex = dyn_cast<Expr>(S)) {
812     Ex = Ex->IgnoreParenCasts();
813     if (ExplodedGraph::isInterestingLValueExpr(Ex) || CallEvent::isCallStmt(Ex))
814       Inner = Ex;
815   }
816 
817   if (IsArg) {
818     assert(N->getLocation().getAs<CallEnter>() && "Tracking arg but not at call");
819   } else {
820     // Walk through nodes until we get one that matches the statement exactly.
821     // Alternately, if we hit a known lvalue for the statement, we know we've
822     // gone too far (though we can likely track the lvalue better anyway).
823     do {
824       const ProgramPoint &pp = N->getLocation();
825       if (Optional<PostStmt> ps = pp.getAs<PostStmt>()) {
826         if (ps->getStmt() == S || ps->getStmt() == Inner)
827           break;
828       } else if (Optional<CallExitEnd> CEE = pp.getAs<CallExitEnd>()) {
829         if (CEE->getCalleeContext()->getCallSite() == S ||
830             CEE->getCalleeContext()->getCallSite() == Inner)
831           break;
832       }
833       N = N->getFirstPred();
834     } while (N);
835 
836     if (!N)
837       return false;
838   }
839 
840   ProgramStateRef state = N->getState();
841 
842   // See if the expression we're interested refers to a variable.
843   // If so, we can track both its contents and constraints on its value.
844   if (Inner && ExplodedGraph::isInterestingLValueExpr(Inner)) {
845     const MemRegion *R = 0;
846 
847     // Find the ExplodedNode where the lvalue (the value of 'Ex')
848     // was computed.  We need this for getting the location value.
849     const ExplodedNode *LVNode = N;
850     while (LVNode) {
851       if (Optional<PostStmt> P = LVNode->getLocation().getAs<PostStmt>()) {
852         if (P->getStmt() == Inner)
853           break;
854       }
855       LVNode = LVNode->getFirstPred();
856     }
857     assert(LVNode && "Unable to find the lvalue node.");
858     ProgramStateRef LVState = LVNode->getState();
859     SVal LVal = LVState->getSVal(Inner, LVNode->getLocationContext());
860 
861     if (LVState->isNull(LVal).isConstrainedTrue()) {
862       // In case of C++ references, we want to differentiate between a null
863       // reference and reference to null pointer.
864       // If the LVal is null, check if we are dealing with null reference.
865       // For those, we want to track the location of the reference.
866       if (const MemRegion *RR = getLocationRegionIfReference(Inner, N))
867         R = RR;
868     } else {
869       R = LVState->getSVal(Inner, LVNode->getLocationContext()).getAsRegion();
870 
871       // If this is a C++ reference to a null pointer, we are tracking the
872       // pointer. In additon, we should find the store at which the reference
873       // got initialized.
874       if (const MemRegion *RR = getLocationRegionIfReference(Inner, N)) {
875         if (Optional<KnownSVal> KV = LVal.getAs<KnownSVal>())
876           report.addVisitor(new FindLastStoreBRVisitor(*KV, RR));
877       }
878     }
879 
880     if (R) {
881       // Mark both the variable region and its contents as interesting.
882       SVal V = state->getRawSVal(loc::MemRegionVal(R));
883 
884       // If the value matches the default for the variable region, that
885       // might mean that it's been cleared out of the state. Fall back to
886       // the full argument expression (with casts and such intact).
887       if (IsArg) {
888         bool UseArgValue = V.isUnknownOrUndef() || V.isZeroConstant();
889         if (!UseArgValue) {
890           const SymbolRegionValue *SRV =
891             dyn_cast_or_null<SymbolRegionValue>(V.getAsLocSymbol());
892           if (SRV)
893             UseArgValue = (SRV->getRegion() == R);
894         }
895         if (UseArgValue)
896           V = state->getSValAsScalarOrLoc(S, N->getLocationContext());
897       }
898 
899       report.markInteresting(R);
900       report.markInteresting(V);
901       report.addVisitor(new UndefOrNullArgVisitor(R));
902 
903       if (isa<SymbolicRegion>(R)) {
904         TrackConstraintBRVisitor *VI =
905           new TrackConstraintBRVisitor(loc::MemRegionVal(R), false);
906         report.addVisitor(VI);
907       }
908 
909       // If the contents are symbolic, find out when they became null.
910       if (V.getAsLocSymbol()) {
911         BugReporterVisitor *ConstraintTracker =
912           new TrackConstraintBRVisitor(V.castAs<DefinedSVal>(), false);
913         report.addVisitor(ConstraintTracker);
914 
915         // Add visitor, which will suppress inline defensive checks.
916         if (N->getState()->isNull(V).isConstrainedTrue()) {
917           BugReporterVisitor *IDCSuppressor =
918             new SuppressInlineDefensiveChecksVisitor(V.castAs<DefinedSVal>(),
919                                                      N);
920           report.addVisitor(IDCSuppressor);
921         }
922       }
923 
924       if (Optional<KnownSVal> KV = V.getAs<KnownSVal>())
925         report.addVisitor(new FindLastStoreBRVisitor(*KV, R));
926       return true;
927     }
928   }
929 
930   // If the expression is not an "lvalue expression", we can still
931   // track the constraints on its contents.
932   SVal V = state->getSValAsScalarOrLoc(S, N->getLocationContext());
933 
934   // If the value came from an inlined function call, we should at least make
935   // sure that function isn't pruned in our output.
936   if (const Expr *E = dyn_cast<Expr>(S))
937     S = E->IgnoreParenCasts();
938   ReturnVisitor::addVisitorIfNecessary(N, S, report);
939 
940   // Uncomment this to find cases where we aren't properly getting the
941   // base value that was dereferenced.
942   // assert(!V.isUnknownOrUndef());
943   // Is it a symbolic value?
944   if (Optional<loc::MemRegionVal> L = V.getAs<loc::MemRegionVal>()) {
945     // At this point we are dealing with the region's LValue.
946     // However, if the rvalue is a symbolic region, we should track it as well.
947     SVal RVal = state->getSVal(L->getRegion());
948     const MemRegion *RegionRVal = RVal.getAsRegion();
949     report.addVisitor(new UndefOrNullArgVisitor(L->getRegion()));
950 
951     if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) {
952       report.markInteresting(RegionRVal);
953       report.addVisitor(new TrackConstraintBRVisitor(
954         loc::MemRegionVal(RegionRVal), false));
955     }
956   }
957 
958   return true;
959 }
960 
/// Build a FindLastStoreBRVisitor for \p R when the value bound to the
/// region in \p N's state is a KnownSVal; otherwise return 0.
/// The visitor is allocated with new; whoever receives it (normally
/// BugReport::addVisitor) is responsible for it.
BugReporterVisitor *
FindLastStoreBRVisitor::createVisitorObject(const ExplodedNode *N,
                                            const MemRegion *R) {
  assert(R && "The memory region is null.");

  // Only a known value can be traced back to the store that produced it;
  // unknown/undefined values carry no such history.
  Optional<KnownSVal> KV = N->getState()->getSVal(R).getAs<KnownSVal>();
  if (!KV)
    return 0;
  return new FindLastStoreBRVisitor(*KV, R);
}
971 
/// Emit a path note for an Objective-C message sent to a receiver the
/// analyzer has constrained to nil (the method is therefore not invoked).
/// Returns 0 for every node that is not such a message send. PrevN is not
/// consulted.
PathDiagnosticPiece *NilReceiverBRVisitor::VisitNode(const ExplodedNode *N,
                                                     const ExplodedNode *PrevN,
                                                     BugReporterContext &BRC,
                                                     BugReport &BR) {
  // Only post-statement nodes of an instance message send are relevant.
  Optional<PostStmt> P = N->getLocationAs<PostStmt>();
  const ObjCMessageExpr *ME = P ? P->getStmtAs<ObjCMessageExpr>() : 0;
  const Expr *Receiver = ME ? ME->getInstanceReceiver() : 0;
  if (!Receiver)
    return 0;

  ProgramStateRef state = N->getState();
  const LocationContext *LCtx = N->getLocationContext();
  SVal ReceiverVal = state->getSVal(Receiver, LCtx);
  if (!state->isNull(ReceiverVal).isConstrainedTrue())
    return 0;

  // The receiver was nil, and hence the method was skipped.
  // Let the null-tracking machinery explain how the receiver became nil...
  bugreporter::trackNullOrUndefValue(N, Receiver, BR);

  // ...and record here that the send itself did nothing.
  PathDiagnosticLocation L(Receiver, BRC.getSourceManager(), LCtx);
  return new PathDiagnosticEventPiece(L, "No method is called "
      "because the receiver is nil");
}
1001 
// Registers every VarDecl inside a Stmt with a last store visitor.
//
// Breadth-first walk over the subtree rooted at S. For every DeclRefExpr
// naming a VarDecl, the variable's region in the error node's frame is looked
// up and, when the value the error node's state holds for S is a concrete
// integer, a FindLastStoreBRVisitor for that region is attached to BR.
// NOTE(review): the value queried is that of the root statement S, not of the
// DeclRefExpr currently being visited (Head) — presumably intentional; confirm.
void FindLastStoreBRVisitor::registerStatementVarDecls(BugReport &BR,
                                                       const Stmt *S) {
  const ExplodedNode *N = BR.getErrorNode();
  const LocationContext *LCtx = N->getLocationContext();
  // The node never changes inside the loop, so its state and the region
  // manager are fetched once.
  ProgramStateRef state = N->getState();
  MemRegionManager &RegionMgr = state->getStateManager().getRegionManager();

  std::deque<const Stmt *> WorkList(1, S);
  while (!WorkList.empty()) {
    const Stmt *Head = WorkList.front();
    WorkList.pop_front();

    const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Head);
    const VarDecl *VD = DR ? dyn_cast<VarDecl>(DR->getDecl()) : 0;
    if (VD) {
      const VarRegion *R = RegionMgr.getVarRegion(VD, LCtx);

      // What did we load?
      SVal V = state->getSVal(S, LCtx);

      // Only concrete integer values are traced back to their last store.
      if (V.getAs<loc::ConcreteInt>() || V.getAs<nonloc::ConcreteInt>())
        BR.addVisitor(new FindLastStoreBRVisitor(V.castAs<KnownSVal>(), R));
    }

    for (Stmt::const_child_iterator I = Head->child_begin(),
                                    E = Head->child_end(); I != E; ++I)
      WorkList.push_back(*I);
  }
}
1036 
1037 //===----------------------------------------------------------------------===//
1038 // Visitor that tries to report interesting diagnostics from conditions.
1039 //===----------------------------------------------------------------------===//
1040 
/// Return the tag associated with this visitor.  This tag will be used
/// to make all PathDiagnosticPieces created by this visitor.
const char *ConditionBRVisitor::getTag() {
  static const char TagName[] = "ConditionBRVisitor";
  return TagName;
}
1046 
/// Delegate to VisitNodeImpl and stamp any piece it produces with this
/// visitor's tag; event pieces are additionally marked prunable.
PathDiagnosticPiece *ConditionBRVisitor::VisitNode(const ExplodedNode *N,
                                                   const ExplodedNode *Prev,
                                                   BugReporterContext &BRC,
                                                   BugReport &BR) {
  PathDiagnosticPiece *Piece = VisitNodeImpl(N, Prev, BRC, BR);
  if (!Piece)
    return 0;

  Piece->setTag(getTag());
  // NOTE(review): the second argument ('override') is false, so presumably a
  // prunability VisitNodeImpl already set explicitly is kept rather than
  // overwritten — confirm against PathDiagnosticEventPiece::setPrunable.
  if (PathDiagnosticEventPiece *Ev = dyn_cast<PathDiagnosticEventPiece>(Piece))
    Ev->setPrunable(true, /* override */ false);
  return Piece;
}
1059 
/// Produce a note for a node at which the engine assumed a condition:
/// either a CFG branch edge (if / ?:) or an eagerly-assumed binary
/// operation tagged by the engine. Returns 0 for every other node.
PathDiagnosticPiece *ConditionBRVisitor::VisitNodeImpl(const ExplodedNode *N,
                                                       const ExplodedNode *Prev,
                                                       BugReporterContext &BRC,
                                                       BugReport &BR) {
  // Compare the GDMs of the state, because that is where constraints
  // are managed.  Note that ensure that we only look at nodes that
  // were generated by the analyzer engine proper, not checkers.
  if (N->getState()->getGDM().getRoot() == Prev->getState()->getGDM().getRoot())
    return 0;

  ProgramPoint ProgPoint = N->getLocation();

  // If an assumption was made on a branch, it should be caught
  // here by looking at the state transition.
  if (Optional<BlockEdge> BE = ProgPoint.getAs<BlockEdge>()) {
    const CFGBlock *SrcBlk = BE->getSrc();
    const Stmt *Term = SrcBlk->getTerminator();
    return Term ? VisitTerminator(Term, N, SrcBlk, BE->getDst(), BR, BRC) : 0;
  }

  Optional<PostStmt> PS = ProgPoint.getAs<PostStmt>();
  if (!PS)
    return 0;

  // FIXME: Assuming that BugReporter is a GRBugReporter is a layering
  // violation.
  const std::pair<const ProgramPointTag *, const ProgramPointTag *> &Tags =
    cast<GRBugReporter>(BRC.getBugReporter()).
      getEngine().geteagerlyAssumeBinOpBifurcationTags();

  // The first tag marks the "condition true" bifurcation, the second the
  // "condition false" one; anything else is not an assumption node.
  const ProgramPointTag *Tag = PS->getTag();
  if (Tag != Tags.first && Tag != Tags.second)
    return 0;
  return VisitTrueTest(cast<Expr>(PS->getStmt()), Tag == Tags.first,
                       BRC, BR, N);
}
1105 
/// Explain the branch taken from \p srcBlk to \p dstBlk when the terminator
/// is an 'if' or a conditional operator; other terminators yield 0.
PathDiagnosticPiece *
ConditionBRVisitor::VisitTerminator(const Stmt *Term,
                                    const ExplodedNode *N,
                                    const CFGBlock *srcBlk,
                                    const CFGBlock *dstBlk,
                                    BugReport &R,
                                    BugReporterContext &BRC) {
  // Only 'if' and '?:' terminators carry a condition we know how to explain.
  const Expr *Cond;
  if (const IfStmt *If = dyn_cast<IfStmt>(Term))
    Cond = If->getCond();
  else if (const ConditionalOperator *CO = dyn_cast<ConditionalOperator>(Term))
    Cond = CO->getCond();
  else
    return 0;

  assert(Cond);
  // Both terminator kinds have exactly two successors; the first successor
  // is treated as the 'true' edge, so the taken branch follows from which
  // one dstBlk is.
  assert(srcBlk->succ_size() == 2);
  const bool tookTrue = *(srcBlk->succ_begin()) == dstBlk;
  return VisitTrueTest(Cond, tookTrue, BRC, R, N);
}
1131 
/// Strip parentheses, casts and logical negations from \p Cond (flipping
/// \p tookTrue on each '!') and dispatch to the binary-operator or
/// variable-reference overload. Any other expression form yields 0.
PathDiagnosticPiece *
ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
                                  bool tookTrue,
                                  BugReporterContext &BRC,
                                  BugReport &R,
                                  const ExplodedNode *N) {
  const Expr *Ex = Cond->IgnoreParenCasts();

  // Peel logical negations; any other unary operator is not understood.
  while (const UnaryOperator *UO = dyn_cast<UnaryOperator>(Ex)) {
    if (UO->getOpcode() != UO_LNot)
      return 0;
    tookTrue = !tookTrue;
    Ex = UO->getSubExpr()->IgnoreParenCasts();
  }

  // Exact class checks: compound assignments are deliberately not treated
  // as binary operators here.
  if (Ex->getStmtClass() == Stmt::BinaryOperatorClass)
    return VisitTrueTest(Cond, cast<BinaryOperator>(Ex), tookTrue, BRC, R, N);
  if (Ex->getStmtClass() == Stmt::DeclRefExprClass)
    return VisitTrueTest(Cond, cast<DeclRefExpr>(Ex), tookTrue, BRC, R, N);
  return 0;
}
1164 
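/// Render \p Ex for a condition note and report whether it denoted a variable.
///
/// Writes a printable form of the (paren/cast-stripped) expression to \p Out:
/// a reference to a VarDecl in single quotes, any other declaration name
/// unquoted, an integer literal as its value — or as "null"/"nil" when it is a
/// zero literal whose original (un-stripped) type is a pointer / Objective-C
/// object pointer. Nothing is written for any other expression form.
///
/// \p prunable is set to false when the variable's region, or the value bound
/// to it, is already interesting to \p report; otherwise it is left untouched.
/// \returns true only for references to a VarDecl.
bool ConditionBRVisitor::patternMatch(const Expr *Ex, raw_ostream &Out,
                                      BugReporterContext &BRC,
                                      BugReport &report,
                                      const ExplodedNode *N,
                                      Optional<bool> &prunable) {
  const Expr *OriginalExpr = Ex;
  Ex = Ex->IgnoreParenCasts();

  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Ex)) {
    const bool quotes = isa<VarDecl>(DR->getDecl());
    if (quotes) {
      Out << '\'';
      const LocationContext *LCtx = N->getLocationContext();
      const ProgramState *state = N->getState().getPtr();
      if (const MemRegion *R = state->getLValue(cast<VarDecl>(DR->getDecl()),
                                                LCtx).getAsRegion()) {
        // A note about an interesting variable, or one holding an interesting
        // value, must survive path pruning. (The former duplicate 'state'
        // declaration that shadowed the one above has been dropped.)
        if (report.isInteresting(R) || report.isInteresting(state->getSVal(R)))
          prunable = false;
      }
    }
    Out << DR->getDecl()->getDeclName().getAsString();
    if (quotes)
      Out << '\'';
    return quotes;
  }

  if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(Ex)) {
    // The type of the *original* expression (before stripping casts) decides
    // whether a zero literal should read as a null pointer.
    QualType OriginalTy = OriginalExpr->getType();
    if (OriginalTy->isPointerType()) {
      if (IL->getValue() == 0) {
        Out << "null";
        return false;
      }
    }
    else if (OriginalTy->isObjCObjectPointerType()) {
      if (IL->getValue() == 0) {
        Out << "nil";
        return false;
      }
    }

    Out << IL->getValue();
    return false;
  }

  return false;
}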
1218 
namespace {
/// Mirror a relational opcode so it reads correctly with its operands
/// swapped (a < b  is  b > a). Any other opcode is returned unchanged.
BinaryOperator::Opcode mirrorRelationalOpcode(BinaryOperator::Opcode Op) {
  switch (Op) {
  case BO_LT: return BO_GT;
  case BO_GT: return BO_LT;
  case BO_LE: return BO_GE;
  case BO_GE: return BO_LE;
  default:    return Op;
  }
}

/// Replace a comparison opcode by its negation (used when the branch was
/// *not* taken). Returns false when \p Op is not a negatable comparison.
bool negateComparisonOpcode(BinaryOperator::Opcode &Op) {
  switch (Op) {
  case BO_EQ: Op = BO_NE; return true;
  case BO_NE: Op = BO_EQ; return true;
  case BO_LT: Op = BO_GE; return true;
  case BO_GT: Op = BO_LE; return true;
  case BO_LE: Op = BO_GT; return true;
  case BO_GE: Op = BO_LT; return true;
  default:    return false;
  }
}
} // end anonymous namespace

/// Describe the assumption made on a binary-operator condition as
/// "Assuming <var> is <relation> <other>". Assignments are delegated to
/// VisitConditionVariable; conditions whose operands cannot both be
/// rendered, or whose opcode cannot be negated when needed, yield 0.
PathDiagnosticPiece *
ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
                                  const BinaryOperator *BExpr,
                                  const bool tookTrue,
                                  BugReporterContext &BRC,
                                  BugReport &R,
                                  const ExplodedNode *N) {
  Optional<bool> shouldPrune;

  // Render both operands. patternMatch also tells us which side names a
  // variable and may clear shouldPrune when a side is interesting. The
  // streams must go out of scope before the strings are read.
  SmallString<128> LhsString, RhsString;
  bool isVarLHS, isVarRHS;
  {
    llvm::raw_svector_ostream OutLHS(LhsString), OutRHS(RhsString);
    isVarLHS = patternMatch(BExpr->getLHS(), OutLHS, BRC, R, N, shouldPrune);
    isVarRHS = patternMatch(BExpr->getRHS(), OutRHS, BRC, R, N, shouldPrune);
  }

  // Put the variable on the left of the message when only the RHS is one.
  const bool shouldInvert = !isVarLHS && isVarRHS;
  const SmallString<128> &VarSide = shouldInvert ? RhsString : LhsString;
  const SmallString<128> &OtherSide = shouldInvert ? LhsString : RhsString;

  BinaryOperator::Opcode Op = BExpr->getOpcode();

  if (BinaryOperator::isAssignmentOp(Op)) {
    // For assignment operators, all that we care about is that the LHS
    // evaluates to "true" or "false".
    return VisitConditionVariable(LhsString, BExpr->getLHS(), tookTrue,
                                  BRC, R, N);
  }

  // For non-assignment operations, we require that we can understand
  // both the LHS and RHS.
  if (LhsString.empty() || RhsString.empty())
    return 0;

  if (shouldInvert)
    Op = mirrorRelationalOpcode(Op);
  if (!tookTrue && !negateComparisonOpcode(Op))
    return 0;

  SmallString<256> buf;
  llvm::raw_svector_ostream Out(buf);
  Out << "Assuming " << VarSide << " is ";
  switch (Op) {
    case BO_EQ: Out << "equal to ";     break;
    case BO_NE: Out << "not equal to "; break;
    default:    Out << BinaryOperator::getOpcodeStr(Op) << ' '; break;
  }
  Out << OtherSide;

  PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(),
                             N->getLocationContext());
  PathDiagnosticEventPiece *event =
    new PathDiagnosticEventPiece(Loc, Out.str());
  if (shouldPrune.hasValue())
    event->setPrunable(shouldPrune.getValue());
  return event;
}
1303 
/// Describe an assumption about a condition variable of pointer, ObjC
/// pointer, bool or integer type as "Assuming <LhsString> is <value>".
/// Other types yield 0. The note is made non-prunable when the variable's
/// region is interesting to \p report.
PathDiagnosticPiece *
ConditionBRVisitor::VisitConditionVariable(StringRef LhsString,
                                           const Expr *CondVarExpr,
                                           const bool tookTrue,
                                           BugReporterContext &BRC,
                                           BugReport &report,
                                           const ExplodedNode *N) {
  // FIXME: If there's already a constraint tracker for this variable,
  // we shouldn't emit anything here (c.f. the double note in
  // test/Analysis/inlining/path-notes.c)

  // Choose the wording for the assumed value from the variable's type.
  QualType Ty = CondVarExpr->getType();
  const char *ValueText;
  if (Ty->isPointerType())
    ValueText = tookTrue ? "not null" : "null";
  else if (Ty->isObjCObjectPointerType())
    ValueText = tookTrue ? "not nil" : "nil";
  else if (Ty->isBooleanType())
    ValueText = tookTrue ? "true" : "false";
  else if (Ty->isIntegerType())
    ValueText = tookTrue ? "non-zero" : "zero";
  else
    return 0;

  SmallString<256> buf;
  llvm::raw_svector_ostream Out(buf);
  Out << "Assuming " << LhsString << " is " << ValueText;

  const LocationContext *LCtx = N->getLocationContext();
  PathDiagnosticLocation Loc(CondVarExpr, BRC.getSourceManager(), LCtx);
  PathDiagnosticEventPiece *event =
    new PathDiagnosticEventPiece(Loc, Out.str());

  // A note about a variable the report already considers interesting must
  // not be pruned from the path.
  const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(CondVarExpr);
  const VarDecl *VD = DR ? dyn_cast<VarDecl>(DR->getDecl()) : 0;
  if (VD) {
    const ProgramState *state = N->getState().getPtr();
    const MemRegion *R = state->getLValue(VD, LCtx).getAsRegion();
    if (R && report.isInteresting(R))
      event->setPrunable(false);
  }

  return event;
}
1348 
/// Describe an assumption about a plain variable reference used as a
/// condition: "Assuming '<name>' is <value>", with wording chosen from the
/// variable's declared type (pointer, ObjC pointer or other scalar). Non-VarDecl
/// references and non-scalar types yield 0.
PathDiagnosticPiece *
ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
                                  const DeclRefExpr *DR,
                                  const bool tookTrue,
                                  BugReporterContext &BRC,
                                  BugReport &report,
                                  const ExplodedNode *N) {
  const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl());
  if (!VD)
    return 0;

  // Wording for the assumed value, chosen from the variable's declared type.
  QualType VDTy = VD->getType();
  const char *ValueText;
  if (VDTy->isPointerType())
    ValueText = tookTrue ? "non-null" : "null";
  else if (VDTy->isObjCObjectPointerType())
    ValueText = tookTrue ? "non-nil" : "nil";
  else if (VDTy->isScalarType())
    ValueText = tookTrue ? "not equal to 0" : "0";
  else
    return 0;

  SmallString<256> Buf;
  llvm::raw_svector_ostream Out(Buf);
  Out << "Assuming '";
  VD->getDeclName().printName(Out);
  Out << "' is " << ValueText;

  const LocationContext *LCtx = N->getLocationContext();
  PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx);
  PathDiagnosticEventPiece *event =
    new PathDiagnosticEventPiece(Loc, Out.str());

  // Keep the note when the variable's region, or the value stored in it, is
  // interesting to the report.
  const ProgramState *state = N->getState().getPtr();
  if (const MemRegion *R = state->getLValue(VD, LCtx).getAsRegion()) {
    if (report.isInteresting(R) || report.isInteresting(state->getSVal(R)))
      event->setPrunable(false);
  }
  return event;
}
1396 
/// Invalidate reports whose statement originates from a system macro spelled
/// in a file ending in "sys/queue.h". Never produces a diagnostic piece.
PathDiagnosticPiece *
LikelyFalsePositiveSuppressionBRVisitor::getEndPath(BugReporterContext &BRC,
                                                    const ExplodedNode *N,
                                                    BugReport &BR) {
  // Here we suppress false positives coming from system macros. This list is
  // based on known issues.
  const Stmt *S = BR.getStmt();
  if (!S)
    return 0;

  // Skip reports within the sys/queue.h macros as we do not have the ability to
  // reason about data structure shapes. Walk the macro expansion chain from
  // the report statement towards its spelling; the loop ends as soon as the
  // location is no longer a macro id.
  SourceManager &SM = BRC.getSourceManager();
  for (SourceLocation Loc = S->getLocStart(); Loc.isMacroID();
       Loc = SM.getSpellingLoc(Loc)) {
    if (!SM.isInSystemMacro(Loc))
      continue;
    // Suffix match only: any path ending in "sys/queue.h" qualifies.
    StringRef File = SM.getFilename(SM.getSpellingLoc(Loc));
    if (File.endswith("sys/queue.h")) {
      BR.markInvalid(getTag(), 0);
      break;
    }
  }

  return 0;
}
1423 
/// At a CallEnter node, find an argument that is (or contains) the tracked
/// region R and is passed by non-const pointer/reference; if the value bound
/// to R there is undefined or zero, mark the callee's context interesting.
/// Never produces a diagnostic piece. PrevN is not consulted.
PathDiagnosticPiece *
UndefOrNullArgVisitor::VisitNode(const ExplodedNode *N,
                                  const ExplodedNode *PrevN,
                                  BugReporterContext &BRC,
                                  BugReport &BR) {
  // We are only interested in visiting CallEnter nodes.
  Optional<CallEnter> CEnter = N->getLocation().getAs<CallEnter>();
  if (!CEnter)
    return 0;

  ProgramStateRef State = N->getState();
  CallEventManager &CEMgr = BRC.getStateManager().getCallEventManager();
  CallEventRef<> Call = CEMgr.getCaller(CEnter->getCalleeContext(), State);

  // Check if one of the arguments is the region the visitor is tracking.
  // Formal parameters and actual arguments are walked in lockstep: Idx is
  // the argument position matching parameter *I. NOTE(review): this assumes
  // the two sequences are positionally aligned — confirm for variadic calls.
  unsigned Idx = 0;
  for (CallEvent::param_iterator I = Call->param_begin(),
                                 E = Call->param_end(); I != E; ++I, ++Idx) {
    const MemRegion *ArgReg = Call->getArgSVal(Idx).getAsRegion();

    // Are we tracking the argument or its subregion?
    if (!ArgReg)
      continue;
    if (ArgReg != R && !R->isSubRegionOf(ArgReg->StripCasts()))
      continue;

    // Check the function parameter type.
    const ParmVarDecl *ParamDecl = *I;
    assert(ParamDecl && "Formal parameter has no decl?");
    QualType T = ParamDecl->getType();

    // Function can only change the value passed in by address, and a const
    // pointee says it does not intend to change it.
    const bool PassedByAddress = T->isAnyPointerType() || T->isReferenceType();
    if (!PassedByAddress || T->getPointeeType().isConstQualified())
      continue;

    // Mark the call site (LocationContext) as interesting if the value of the
    // argument is undefined or '0'/'NULL'.
    SVal BoundVal = State->getSVal(R);
    if (BoundVal.isUndef() || BoundVal.isZeroConstant()) {
      BR.markInteresting(CEnter->getCalleeContext());
      break;
    }
  }
  return 0;
}
1475