1 //===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file defines BugReporter, a utility class for generating 10 // PathDiagnostics. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 15 #include "clang/AST/Decl.h" 16 #include "clang/AST/DeclBase.h" 17 #include "clang/AST/DeclObjC.h" 18 #include "clang/AST/Expr.h" 19 #include "clang/AST/ExprCXX.h" 20 #include "clang/AST/ParentMap.h" 21 #include "clang/AST/Stmt.h" 22 #include "clang/AST/StmtCXX.h" 23 #include "clang/AST/StmtObjC.h" 24 #include "clang/Analysis/AnalysisDeclContext.h" 25 #include "clang/Analysis/CFG.h" 26 #include "clang/Analysis/CFGStmtMap.h" 27 #include "clang/Analysis/PathDiagnostic.h" 28 #include "clang/Analysis/ProgramPoint.h" 29 #include "clang/Basic/LLVM.h" 30 #include "clang/Basic/SourceLocation.h" 31 #include "clang/Basic/SourceManager.h" 32 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 33 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h" 34 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 35 #include "clang/StaticAnalyzer/Core/Checker.h" 36 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 37 #include "clang/StaticAnalyzer/Core/CheckerRegistryData.h" 38 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h" 39 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 40 #include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h" 41 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h" 42 #include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h" 43 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 44 #include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h" 45 #include "llvm/ADT/ArrayRef.h" 46 #include "llvm/ADT/DenseMap.h" 47 #include "llvm/ADT/DenseSet.h" 48 #include "llvm/ADT/FoldingSet.h" 49 #include "llvm/ADT/None.h" 50 #include "llvm/ADT/Optional.h" 51 #include "llvm/ADT/STLExtras.h" 52 #include "llvm/ADT/SmallPtrSet.h" 53 #include "llvm/ADT/SmallString.h" 54 #include "llvm/ADT/SmallVector.h" 55 #include "llvm/ADT/Statistic.h" 56 #include "llvm/ADT/StringExtras.h" 57 #include "llvm/ADT/StringRef.h" 58 #include "llvm/ADT/iterator_range.h" 59 #include "llvm/Support/Casting.h" 60 #include "llvm/Support/Compiler.h" 61 #include "llvm/Support/ErrorHandling.h" 62 #include "llvm/Support/MemoryBuffer.h" 63 #include "llvm/Support/raw_ostream.h" 64 #include <algorithm> 65 #include <cassert> 66 #include <cstddef> 67 #include <iterator> 68 #include <memory> 69 #include <queue> 70 #include <string> 71 #include <tuple> 72 #include <utility> 73 #include <vector> 74 75 using namespace clang; 76 using namespace ento; 77 using namespace llvm; 78 79 #define DEBUG_TYPE "BugReporter" 80 81 STATISTIC(MaxBugClassSize, 82 "The maximum number of bug reports in the same equivalence class"); 83 STATISTIC(MaxValidBugClassSize, 84 "The maximum number of bug reports in the same equivalence class " 85 "where at least one report is valid (not suppressed)"); 86 87 BugReporterVisitor::~BugReporterVisitor() = default; 88 89 void BugReporterContext::anchor() {} 90 91 //===----------------------------------------------------------------------===// 92 // PathDiagnosticBuilder and its associated routines and helper objects. 93 //===----------------------------------------------------------------------===// 94 95 namespace { 96 97 /// A (CallPiece, node assiciated with its CallEnter) pair. 98 using CallWithEntry = 99 std::pair<PathDiagnosticCallPiece *, const ExplodedNode *>; 100 using CallWithEntryStack = SmallVector<CallWithEntry, 6>; 101 102 /// Map from each node to the diagnostic pieces visitors emit for them. 103 using VisitorsDiagnosticsTy = 104 llvm::DenseMap<const ExplodedNode *, std::vector<PathDiagnosticPieceRef>>; 105 106 /// A map from PathDiagnosticPiece to the LocationContext of the inlined 107 /// function call it represents. 108 using LocationContextMap = 109 llvm::DenseMap<const PathPieces *, const LocationContext *>; 110 111 /// A helper class that contains everything needed to construct a 112 /// PathDiagnostic object. It does no much more then providing convenient 113 /// getters and some well placed asserts for extra security. 114 class PathDiagnosticConstruct { 115 /// The consumer we're constructing the bug report for. 116 const PathDiagnosticConsumer *Consumer; 117 /// Our current position in the bug path, which is owned by 118 /// PathDiagnosticBuilder. 119 const ExplodedNode *CurrentNode; 120 /// A mapping from parts of the bug path (for example, a function call, which 121 /// would span backwards from a CallExit to a CallEnter with the nodes in 122 /// between them) with the location contexts it is associated with. 123 LocationContextMap LCM; 124 const SourceManager &SM; 125 126 public: 127 /// We keep stack of calls to functions as we're ascending the bug path. 128 /// TODO: PathDiagnostic has a stack doing the same thing, shouldn't we use 129 /// that instead? 130 CallWithEntryStack CallStack; 131 /// The bug report we're constructing. For ease of use, this field is kept 132 /// public, though some "shortcut" getters are provided for commonly used 133 /// methods of PathDiagnostic. 134 std::unique_ptr<PathDiagnostic> PD; 135 136 public: 137 PathDiagnosticConstruct(const PathDiagnosticConsumer *PDC, 138 const ExplodedNode *ErrorNode, 139 const PathSensitiveBugReport *R); 140 141 /// \returns the location context associated with the current position in the 142 /// bug path. 143 const LocationContext *getCurrLocationContext() const { 144 assert(CurrentNode && "Already reached the root!"); 145 return CurrentNode->getLocationContext(); 146 } 147 148 /// Same as getCurrLocationContext (they should always return the same 149 /// location context), but works after reaching the root of the bug path as 150 /// well. 151 const LocationContext *getLocationContextForActivePath() const { 152 return LCM.find(&PD->getActivePath())->getSecond(); 153 } 154 155 const ExplodedNode *getCurrentNode() const { return CurrentNode; } 156 157 /// Steps the current node to its predecessor. 158 /// \returns whether we reached the root of the bug path. 159 bool ascendToPrevNode() { 160 CurrentNode = CurrentNode->getFirstPred(); 161 return static_cast<bool>(CurrentNode); 162 } 163 164 const ParentMap &getParentMap() const { 165 return getCurrLocationContext()->getParentMap(); 166 } 167 168 const SourceManager &getSourceManager() const { return SM; } 169 170 const Stmt *getParent(const Stmt *S) const { 171 return getParentMap().getParent(S); 172 } 173 174 void updateLocCtxMap(const PathPieces *Path, const LocationContext *LC) { 175 assert(Path && LC); 176 LCM[Path] = LC; 177 } 178 179 const LocationContext *getLocationContextFor(const PathPieces *Path) const { 180 assert(LCM.count(Path) && 181 "Failed to find the context associated with these pieces!"); 182 return LCM.find(Path)->getSecond(); 183 } 184 185 bool isInLocCtxMap(const PathPieces *Path) const { return LCM.count(Path); } 186 187 PathPieces &getActivePath() { return PD->getActivePath(); } 188 PathPieces &getMutablePieces() { return PD->getMutablePieces(); } 189 190 bool shouldAddPathEdges() const { return Consumer->shouldAddPathEdges(); } 191 bool shouldGenerateDiagnostics() const { 192 return Consumer->shouldGenerateDiagnostics(); 193 } 194 bool supportsLogicalOpControlFlow() const { 195 return Consumer->supportsLogicalOpControlFlow(); 196 } 197 }; 198 199 /// Contains every contextual information needed for constructing a 200 /// PathDiagnostic object for a given bug report. This class and its fields are 201 /// immutable, and passes a BugReportConstruct object around during the 202 /// construction. 203 class PathDiagnosticBuilder : public BugReporterContext { 204 /// A linear path from the error node to the root. 205 std::unique_ptr<const ExplodedGraph> BugPath; 206 /// The bug report we're describing. Visitors create their diagnostics with 207 /// them being the last entities being able to modify it (for example, 208 /// changing interestingness here would cause inconsistencies as to how this 209 /// file and visitors construct diagnostics), hence its const. 210 const PathSensitiveBugReport *R; 211 /// The leaf of the bug path. This isn't the same as the bug reports error 212 /// node, which refers to the *original* graph, not the bug path. 213 const ExplodedNode *const ErrorNode; 214 /// The diagnostic pieces visitors emitted, which is expected to be collected 215 /// by the time this builder is constructed. 216 std::unique_ptr<const VisitorsDiagnosticsTy> VisitorsDiagnostics; 217 218 public: 219 /// Find a non-invalidated report for a given equivalence class, and returns 220 /// a PathDiagnosticBuilder able to construct bug reports for different 221 /// consumers. Returns None if no valid report is found. 222 static Optional<PathDiagnosticBuilder> 223 findValidReport(ArrayRef<PathSensitiveBugReport *> &bugReports, 224 PathSensitiveBugReporter &Reporter); 225 226 PathDiagnosticBuilder( 227 BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath, 228 PathSensitiveBugReport *r, const ExplodedNode *ErrorNode, 229 std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics); 230 231 /// This function is responsible for generating diagnostic pieces that are 232 /// *not* provided by bug report visitors. 233 /// These diagnostics may differ depending on the consumer's settings, 234 /// and are therefore constructed separately for each consumer. 235 /// 236 /// There are two path diagnostics generation modes: with adding edges (used 237 /// for plists) and without (used for HTML and text). When edges are added, 238 /// the path is modified to insert artificially generated edges. 239 /// Otherwise, more detailed diagnostics is emitted for block edges, 240 /// explaining the transitions in words. 241 std::unique_ptr<PathDiagnostic> 242 generate(const PathDiagnosticConsumer *PDC) const; 243 244 private: 245 void updateStackPiecesWithMessage(PathDiagnosticPieceRef P, 246 const CallWithEntryStack &CallStack) const; 247 void generatePathDiagnosticsForNode(PathDiagnosticConstruct &C, 248 PathDiagnosticLocation &PrevLoc) const; 249 250 void generateMinimalDiagForBlockEdge(PathDiagnosticConstruct &C, 251 BlockEdge BE) const; 252 253 PathDiagnosticPieceRef 254 generateDiagForGotoOP(const PathDiagnosticConstruct &C, const Stmt *S, 255 PathDiagnosticLocation &Start) const; 256 257 PathDiagnosticPieceRef 258 generateDiagForSwitchOP(const PathDiagnosticConstruct &C, const CFGBlock *Dst, 259 PathDiagnosticLocation &Start) const; 260 261 PathDiagnosticPieceRef 262 generateDiagForBinaryOP(const PathDiagnosticConstruct &C, const Stmt *T, 263 const CFGBlock *Src, const CFGBlock *DstC) const; 264 265 PathDiagnosticLocation 266 ExecutionContinues(const PathDiagnosticConstruct &C) const; 267 268 PathDiagnosticLocation 269 ExecutionContinues(llvm::raw_string_ostream &os, 270 const PathDiagnosticConstruct &C) const; 271 272 const PathSensitiveBugReport *getBugReport() const { return R; } 273 }; 274 275 } // namespace 276 277 //===----------------------------------------------------------------------===// 278 // Base implementation of stack hint generators. 279 //===----------------------------------------------------------------------===// 280 281 StackHintGenerator::~StackHintGenerator() = default; 282 283 std::string StackHintGeneratorForSymbol::getMessage(const ExplodedNode *N){ 284 if (!N) 285 return getMessageForSymbolNotFound(); 286 287 ProgramPoint P = N->getLocation(); 288 CallExitEnd CExit = P.castAs<CallExitEnd>(); 289 290 // FIXME: Use CallEvent to abstract this over all calls. 291 const Stmt *CallSite = CExit.getCalleeContext()->getCallSite(); 292 const auto *CE = dyn_cast_or_null<CallExpr>(CallSite); 293 if (!CE) 294 return {}; 295 296 // Check if one of the parameters are set to the interesting symbol. 297 unsigned ArgIndex = 0; 298 for (CallExpr::const_arg_iterator I = CE->arg_begin(), 299 E = CE->arg_end(); I != E; ++I, ++ArgIndex){ 300 SVal SV = N->getSVal(*I); 301 302 // Check if the variable corresponding to the symbol is passed by value. 303 SymbolRef AS = SV.getAsLocSymbol(); 304 if (AS == Sym) { 305 return getMessageForArg(*I, ArgIndex); 306 } 307 308 // Check if the parameter is a pointer to the symbol. 309 if (Optional<loc::MemRegionVal> Reg = SV.getAs<loc::MemRegionVal>()) { 310 // Do not attempt to dereference void*. 311 if ((*I)->getType()->isVoidPointerType()) 312 continue; 313 SVal PSV = N->getState()->getSVal(Reg->getRegion()); 314 SymbolRef AS = PSV.getAsLocSymbol(); 315 if (AS == Sym) { 316 return getMessageForArg(*I, ArgIndex); 317 } 318 } 319 } 320 321 // Check if we are returning the interesting symbol. 322 SVal SV = N->getSVal(CE); 323 SymbolRef RetSym = SV.getAsLocSymbol(); 324 if (RetSym == Sym) { 325 return getMessageForReturn(CE); 326 } 327 328 return getMessageForSymbolNotFound(); 329 } 330 331 std::string StackHintGeneratorForSymbol::getMessageForArg(const Expr *ArgE, 332 unsigned ArgIndex) { 333 // Printed parameters start at 1, not 0. 334 ++ArgIndex; 335 336 return (llvm::Twine(Msg) + " via " + std::to_string(ArgIndex) + 337 llvm::getOrdinalSuffix(ArgIndex) + " parameter").str(); 338 } 339 340 //===----------------------------------------------------------------------===// 341 // Diagnostic cleanup. 342 //===----------------------------------------------------------------------===// 343 344 static PathDiagnosticEventPiece * 345 eventsDescribeSameCondition(PathDiagnosticEventPiece *X, 346 PathDiagnosticEventPiece *Y) { 347 // Prefer diagnostics that come from ConditionBRVisitor over 348 // those that came from TrackConstraintBRVisitor, 349 // unless the one from ConditionBRVisitor is 350 // its generic fallback diagnostic. 351 const void *tagPreferred = ConditionBRVisitor::getTag(); 352 const void *tagLesser = TrackConstraintBRVisitor::getTag(); 353 354 if (X->getLocation() != Y->getLocation()) 355 return nullptr; 356 357 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser) 358 return ConditionBRVisitor::isPieceMessageGeneric(X) ? Y : X; 359 360 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser) 361 return ConditionBRVisitor::isPieceMessageGeneric(Y) ? X : Y; 362 363 return nullptr; 364 } 365 366 /// An optimization pass over PathPieces that removes redundant diagnostics 367 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both 368 /// BugReporterVisitors use different methods to generate diagnostics, with 369 /// one capable of emitting diagnostics in some cases but not in others. This 370 /// can lead to redundant diagnostic pieces at the same point in a path. 371 static void removeRedundantMsgs(PathPieces &path) { 372 unsigned N = path.size(); 373 if (N < 2) 374 return; 375 // NOTE: this loop intentionally is not using an iterator. Instead, we 376 // are streaming the path and modifying it in place. This is done by 377 // grabbing the front, processing it, and if we decide to keep it append 378 // it to the end of the path. The entire path is processed in this way. 379 for (unsigned i = 0; i < N; ++i) { 380 auto piece = std::move(path.front()); 381 path.pop_front(); 382 383 switch (piece->getKind()) { 384 case PathDiagnosticPiece::Call: 385 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(*piece).path); 386 break; 387 case PathDiagnosticPiece::Macro: 388 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(*piece).subPieces); 389 break; 390 case PathDiagnosticPiece::Event: { 391 if (i == N-1) 392 break; 393 394 if (auto *nextEvent = 395 dyn_cast<PathDiagnosticEventPiece>(path.front().get())) { 396 auto *event = cast<PathDiagnosticEventPiece>(piece.get()); 397 // Check to see if we should keep one of the two pieces. If we 398 // come up with a preference, record which piece to keep, and consume 399 // another piece from the path. 400 if (auto *pieceToKeep = 401 eventsDescribeSameCondition(event, nextEvent)) { 402 piece = std::move(pieceToKeep == event ? piece : path.front()); 403 path.pop_front(); 404 ++i; 405 } 406 } 407 break; 408 } 409 case PathDiagnosticPiece::ControlFlow: 410 case PathDiagnosticPiece::Note: 411 case PathDiagnosticPiece::PopUp: 412 break; 413 } 414 path.push_back(std::move(piece)); 415 } 416 } 417 418 /// Recursively scan through a path and prune out calls and macros pieces 419 /// that aren't needed. Return true if afterwards the path contains 420 /// "interesting stuff" which means it shouldn't be pruned from the parent path. 421 static bool removeUnneededCalls(const PathDiagnosticConstruct &C, 422 PathPieces &pieces, 423 const PathSensitiveBugReport *R, 424 bool IsInteresting = false) { 425 bool containsSomethingInteresting = IsInteresting; 426 const unsigned N = pieces.size(); 427 428 for (unsigned i = 0 ; i < N ; ++i) { 429 // Remove the front piece from the path. If it is still something we 430 // want to keep once we are done, we will push it back on the end. 431 auto piece = std::move(pieces.front()); 432 pieces.pop_front(); 433 434 switch (piece->getKind()) { 435 case PathDiagnosticPiece::Call: { 436 auto &call = cast<PathDiagnosticCallPiece>(*piece); 437 // Check if the location context is interesting. 438 if (!removeUnneededCalls( 439 C, call.path, R, 440 R->isInteresting(C.getLocationContextFor(&call.path)))) 441 continue; 442 443 containsSomethingInteresting = true; 444 break; 445 } 446 case PathDiagnosticPiece::Macro: { 447 auto ¯o = cast<PathDiagnosticMacroPiece>(*piece); 448 if (!removeUnneededCalls(C, macro.subPieces, R, IsInteresting)) 449 continue; 450 containsSomethingInteresting = true; 451 break; 452 } 453 case PathDiagnosticPiece::Event: { 454 auto &event = cast<PathDiagnosticEventPiece>(*piece); 455 456 // We never throw away an event, but we do throw it away wholesale 457 // as part of a path if we throw the entire path away. 458 containsSomethingInteresting |= !event.isPrunable(); 459 break; 460 } 461 case PathDiagnosticPiece::ControlFlow: 462 case PathDiagnosticPiece::Note: 463 case PathDiagnosticPiece::PopUp: 464 break; 465 } 466 467 pieces.push_back(std::move(piece)); 468 } 469 470 return containsSomethingInteresting; 471 } 472 473 /// Same logic as above to remove extra pieces. 474 static void removePopUpNotes(PathPieces &Path) { 475 for (unsigned int i = 0; i < Path.size(); ++i) { 476 auto Piece = std::move(Path.front()); 477 Path.pop_front(); 478 if (!isa<PathDiagnosticPopUpPiece>(*Piece)) 479 Path.push_back(std::move(Piece)); 480 } 481 } 482 483 /// Returns true if the given decl has been implicitly given a body, either by 484 /// the analyzer or by the compiler proper. 485 static bool hasImplicitBody(const Decl *D) { 486 assert(D); 487 return D->isImplicit() || !D->hasBody(); 488 } 489 490 /// Recursively scan through a path and make sure that all call pieces have 491 /// valid locations. 492 static void 493 adjustCallLocations(PathPieces &Pieces, 494 PathDiagnosticLocation *LastCallLocation = nullptr) { 495 for (const auto &I : Pieces) { 496 auto *Call = dyn_cast<PathDiagnosticCallPiece>(I.get()); 497 498 if (!Call) 499 continue; 500 501 if (LastCallLocation) { 502 bool CallerIsImplicit = hasImplicitBody(Call->getCaller()); 503 if (CallerIsImplicit || !Call->callEnter.asLocation().isValid()) 504 Call->callEnter = *LastCallLocation; 505 if (CallerIsImplicit || !Call->callReturn.asLocation().isValid()) 506 Call->callReturn = *LastCallLocation; 507 } 508 509 // Recursively clean out the subclass. Keep this call around if 510 // it contains any informative diagnostics. 511 PathDiagnosticLocation *ThisCallLocation; 512 if (Call->callEnterWithin.asLocation().isValid() && 513 !hasImplicitBody(Call->getCallee())) 514 ThisCallLocation = &Call->callEnterWithin; 515 else 516 ThisCallLocation = &Call->callEnter; 517 518 assert(ThisCallLocation && "Outermost call has an invalid location"); 519 adjustCallLocations(Call->path, ThisCallLocation); 520 } 521 } 522 523 /// Remove edges in and out of C++ default initializer expressions. These are 524 /// for fields that have in-class initializers, as opposed to being initialized 525 /// explicitly in a constructor or braced list. 526 static void removeEdgesToDefaultInitializers(PathPieces &Pieces) { 527 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 528 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 529 removeEdgesToDefaultInitializers(C->path); 530 531 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 532 removeEdgesToDefaultInitializers(M->subPieces); 533 534 if (auto *CF = dyn_cast<PathDiagnosticControlFlowPiece>(I->get())) { 535 const Stmt *Start = CF->getStartLocation().asStmt(); 536 const Stmt *End = CF->getEndLocation().asStmt(); 537 if (Start && isa<CXXDefaultInitExpr>(Start)) { 538 I = Pieces.erase(I); 539 continue; 540 } else if (End && isa<CXXDefaultInitExpr>(End)) { 541 PathPieces::iterator Next = std::next(I); 542 if (Next != E) { 543 if (auto *NextCF = 544 dyn_cast<PathDiagnosticControlFlowPiece>(Next->get())) { 545 NextCF->setStartLocation(CF->getStartLocation()); 546 } 547 } 548 I = Pieces.erase(I); 549 continue; 550 } 551 } 552 553 I++; 554 } 555 } 556 557 /// Remove all pieces with invalid locations as these cannot be serialized. 558 /// We might have pieces with invalid locations as a result of inlining Body 559 /// Farm generated functions. 560 static void removePiecesWithInvalidLocations(PathPieces &Pieces) { 561 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 562 if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get())) 563 removePiecesWithInvalidLocations(C->path); 564 565 if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get())) 566 removePiecesWithInvalidLocations(M->subPieces); 567 568 if (!(*I)->getLocation().isValid() || 569 !(*I)->getLocation().asLocation().isValid()) { 570 I = Pieces.erase(I); 571 continue; 572 } 573 I++; 574 } 575 } 576 577 PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues( 578 const PathDiagnosticConstruct &C) const { 579 if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics()) 580 return PathDiagnosticLocation(S, getSourceManager(), 581 C.getCurrLocationContext()); 582 583 return PathDiagnosticLocation::createDeclEnd(C.getCurrLocationContext(), 584 getSourceManager()); 585 } 586 587 PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues( 588 llvm::raw_string_ostream &os, const PathDiagnosticConstruct &C) const { 589 // Slow, but probably doesn't matter. 590 if (os.str().empty()) 591 os << ' '; 592 593 const PathDiagnosticLocation &Loc = ExecutionContinues(C); 594 595 if (Loc.asStmt()) 596 os << "Execution continues on line " 597 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 598 << '.'; 599 else { 600 os << "Execution jumps to the end of the "; 601 const Decl *D = C.getCurrLocationContext()->getDecl(); 602 if (isa<ObjCMethodDecl>(D)) 603 os << "method"; 604 else if (isa<FunctionDecl>(D)) 605 os << "function"; 606 else { 607 assert(isa<BlockDecl>(D)); 608 os << "anonymous block"; 609 } 610 os << '.'; 611 } 612 613 return Loc; 614 } 615 616 static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) { 617 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 618 return PM.getParentIgnoreParens(S); 619 620 const Stmt *Parent = PM.getParentIgnoreParens(S); 621 if (!Parent) 622 return nullptr; 623 624 switch (Parent->getStmtClass()) { 625 case Stmt::ForStmtClass: 626 case Stmt::DoStmtClass: 627 case Stmt::WhileStmtClass: 628 case Stmt::ObjCForCollectionStmtClass: 629 case Stmt::CXXForRangeStmtClass: 630 return Parent; 631 default: 632 break; 633 } 634 635 return nullptr; 636 } 637 638 static PathDiagnosticLocation 639 getEnclosingStmtLocation(const Stmt *S, const LocationContext *LC, 640 bool allowNestedContexts = false) { 641 if (!S) 642 return {}; 643 644 const SourceManager &SMgr = LC->getDecl()->getASTContext().getSourceManager(); 645 646 while (const Stmt *Parent = getEnclosingParent(S, LC->getParentMap())) { 647 switch (Parent->getStmtClass()) { 648 case Stmt::BinaryOperatorClass: { 649 const auto *B = cast<BinaryOperator>(Parent); 650 if (B->isLogicalOp()) 651 return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC); 652 break; 653 } 654 case Stmt::CompoundStmtClass: 655 case Stmt::StmtExprClass: 656 return PathDiagnosticLocation(S, SMgr, LC); 657 case Stmt::ChooseExprClass: 658 // Similar to '?' if we are referring to condition, just have the edge 659 // point to the entire choose expression. 660 if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S) 661 return PathDiagnosticLocation(Parent, SMgr, LC); 662 else 663 return PathDiagnosticLocation(S, SMgr, LC); 664 case Stmt::BinaryConditionalOperatorClass: 665 case Stmt::ConditionalOperatorClass: 666 // For '?', if we are referring to condition, just have the edge point 667 // to the entire '?' expression. 668 if (allowNestedContexts || 669 cast<AbstractConditionalOperator>(Parent)->getCond() == S) 670 return PathDiagnosticLocation(Parent, SMgr, LC); 671 else 672 return PathDiagnosticLocation(S, SMgr, LC); 673 case Stmt::CXXForRangeStmtClass: 674 if (cast<CXXForRangeStmt>(Parent)->getBody() == S) 675 return PathDiagnosticLocation(S, SMgr, LC); 676 break; 677 case Stmt::DoStmtClass: 678 return PathDiagnosticLocation(S, SMgr, LC); 679 case Stmt::ForStmtClass: 680 if (cast<ForStmt>(Parent)->getBody() == S) 681 return PathDiagnosticLocation(S, SMgr, LC); 682 break; 683 case Stmt::IfStmtClass: 684 if (cast<IfStmt>(Parent)->getCond() != S) 685 return PathDiagnosticLocation(S, SMgr, LC); 686 break; 687 case Stmt::ObjCForCollectionStmtClass: 688 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 689 return PathDiagnosticLocation(S, SMgr, LC); 690 break; 691 case Stmt::WhileStmtClass: 692 if (cast<WhileStmt>(Parent)->getCond() != S) 693 return PathDiagnosticLocation(S, SMgr, LC); 694 break; 695 default: 696 break; 697 } 698 699 S = Parent; 700 } 701 702 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 703 704 return PathDiagnosticLocation(S, SMgr, LC); 705 } 706 707 //===----------------------------------------------------------------------===// 708 // "Minimal" path diagnostic generation algorithm. 709 //===----------------------------------------------------------------------===// 710 711 /// If the piece contains a special message, add it to all the call pieces on 712 /// the active stack. For example, my_malloc allocated memory, so MallocChecker 713 /// will construct an event at the call to malloc(), and add a stack hint that 714 /// an allocated memory was returned. We'll use this hint to construct a message 715 /// when returning from the call to my_malloc 716 /// 717 /// void *my_malloc() { return malloc(sizeof(int)); } 718 /// void fishy() { 719 /// void *ptr = my_malloc(); // returned allocated memory 720 /// } // leak 721 void PathDiagnosticBuilder::updateStackPiecesWithMessage( 722 PathDiagnosticPieceRef P, const CallWithEntryStack &CallStack) const { 723 if (R->hasCallStackHint(P)) 724 for (const auto &I : CallStack) { 725 PathDiagnosticCallPiece *CP = I.first; 726 const ExplodedNode *N = I.second; 727 std::string stackMsg = R->getCallStackMessage(P, N); 728 729 // The last message on the path to final bug is the most important 730 // one. Since we traverse the path backwards, do not add the message 731 // if one has been previously added. 732 if (!CP->hasCallStackMessage()) 733 CP->setCallStackMessage(stackMsg); 734 } 735 } 736 737 static void CompactMacroExpandedPieces(PathPieces &path, 738 const SourceManager& SM); 739 740 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForSwitchOP( 741 const PathDiagnosticConstruct &C, const CFGBlock *Dst, 742 PathDiagnosticLocation &Start) const { 743 744 const SourceManager &SM = getSourceManager(); 745 // Figure out what case arm we took. 746 std::string sbuf; 747 llvm::raw_string_ostream os(sbuf); 748 PathDiagnosticLocation End; 749 750 if (const Stmt *S = Dst->getLabel()) { 751 End = PathDiagnosticLocation(S, SM, C.getCurrLocationContext()); 752 753 switch (S->getStmtClass()) { 754 default: 755 os << "No cases match in the switch statement. " 756 "Control jumps to line " 757 << End.asLocation().getExpansionLineNumber(); 758 break; 759 case Stmt::DefaultStmtClass: 760 os << "Control jumps to the 'default' case at line " 761 << End.asLocation().getExpansionLineNumber(); 762 break; 763 764 case Stmt::CaseStmtClass: { 765 os << "Control jumps to 'case "; 766 const auto *Case = cast<CaseStmt>(S); 767 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 768 769 // Determine if it is an enum. 770 bool GetRawInt = true; 771 772 if (const auto *DR = dyn_cast<DeclRefExpr>(LHS)) { 773 // FIXME: Maybe this should be an assertion. Are there cases 774 // were it is not an EnumConstantDecl? 775 const auto *D = dyn_cast<EnumConstantDecl>(DR->getDecl()); 776 777 if (D) { 778 GetRawInt = false; 779 os << *D; 780 } 781 } 782 783 if (GetRawInt) 784 os << LHS->EvaluateKnownConstInt(getASTContext()); 785 786 os << ":' at line " << End.asLocation().getExpansionLineNumber(); 787 break; 788 } 789 } 790 } else { 791 os << "'Default' branch taken. "; 792 End = ExecutionContinues(os, C); 793 } 794 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 795 os.str()); 796 } 797 798 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForGotoOP( 799 const PathDiagnosticConstruct &C, const Stmt *S, 800 PathDiagnosticLocation &Start) const { 801 std::string sbuf; 802 llvm::raw_string_ostream os(sbuf); 803 const PathDiagnosticLocation &End = 804 getEnclosingStmtLocation(S, C.getCurrLocationContext()); 805 os << "Control jumps to line " << End.asLocation().getExpansionLineNumber(); 806 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str()); 807 } 808 809 PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForBinaryOP( 810 const PathDiagnosticConstruct &C, const Stmt *T, const CFGBlock *Src, 811 const CFGBlock *Dst) const { 812 813 const SourceManager &SM = getSourceManager(); 814 815 const auto *B = cast<BinaryOperator>(T); 816 std::string sbuf; 817 llvm::raw_string_ostream os(sbuf); 818 os << "Left side of '"; 819 PathDiagnosticLocation Start, End; 820 821 if (B->getOpcode() == BO_LAnd) { 822 os << "&&" 823 << "' is "; 824 825 if (*(Src->succ_begin() + 1) == Dst) { 826 os << "false"; 827 End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 828 Start = 829 PathDiagnosticLocation::createOperatorLoc(B, SM); 830 } else { 831 os << "true"; 832 Start = 833 PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 834 End = ExecutionContinues(C); 835 } 836 } else { 837 assert(B->getOpcode() == BO_LOr); 838 os << "||" 839 << "' is "; 840 841 if (*(Src->succ_begin() + 1) == Dst) { 842 os << "false"; 843 Start = 844 PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 845 End = ExecutionContinues(C); 846 } else { 847 os << "true"; 848 End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext()); 849 Start = 850 PathDiagnosticLocation::createOperatorLoc(B, SM); 851 } 852 } 853 return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 854 os.str()); 855 } 856 857 void PathDiagnosticBuilder::generateMinimalDiagForBlockEdge( 858 PathDiagnosticConstruct &C, BlockEdge BE) const { 859 const SourceManager &SM = getSourceManager(); 860 const LocationContext *LC = C.getCurrLocationContext(); 861 const CFGBlock *Src = BE.getSrc(); 862 const CFGBlock *Dst = BE.getDst(); 863 const Stmt *T = Src->getTerminatorStmt(); 864 if (!T) 865 return; 866 867 auto Start = PathDiagnosticLocation::createBegin(T, SM, LC); 868 switch (T->getStmtClass()) { 869 default: 870 break; 871 872 case Stmt::GotoStmtClass: 873 case Stmt::IndirectGotoStmtClass: { 874 if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics()) 875 C.getActivePath().push_front(generateDiagForGotoOP(C, S, Start)); 876 break; 877 } 878 879 case Stmt::SwitchStmtClass: { 880 C.getActivePath().push_front(generateDiagForSwitchOP(C, Dst, Start)); 881 break; 882 } 883 884 case Stmt::BreakStmtClass: 885 case Stmt::ContinueStmtClass: { 886 std::string sbuf; 887 llvm::raw_string_ostream os(sbuf); 888 PathDiagnosticLocation End = ExecutionContinues(os, C); 889 C.getActivePath().push_front( 890 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 891 break; 892 } 893 894 // Determine control-flow for ternary '?'. 895 case Stmt::BinaryConditionalOperatorClass: 896 case Stmt::ConditionalOperatorClass: { 897 std::string sbuf; 898 llvm::raw_string_ostream os(sbuf); 899 os << "'?' condition is "; 900 901 if (*(Src->succ_begin() + 1) == Dst) 902 os << "false"; 903 else 904 os << "true"; 905 906 PathDiagnosticLocation End = ExecutionContinues(C); 907 908 if (const Stmt *S = End.asStmt()) 909 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 910 911 C.getActivePath().push_front( 912 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str())); 913 break; 914 } 915 916 // Determine control-flow for short-circuited '&&' and '||'. 917 case Stmt::BinaryOperatorClass: { 918 if (!C.supportsLogicalOpControlFlow()) 919 break; 920 921 C.getActivePath().push_front(generateDiagForBinaryOP(C, T, Src, Dst)); 922 break; 923 } 924 925 case Stmt::DoStmtClass: 926 if (*(Src->succ_begin()) == Dst) { 927 std::string sbuf; 928 llvm::raw_string_ostream os(sbuf); 929 930 os << "Loop condition is true. "; 931 PathDiagnosticLocation End = ExecutionContinues(os, C); 932 933 if (const Stmt *S = End.asStmt()) 934 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 935 936 C.getActivePath().push_front( 937 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 938 os.str())); 939 } else { 940 PathDiagnosticLocation End = ExecutionContinues(C); 941 942 if (const Stmt *S = End.asStmt()) 943 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 944 945 C.getActivePath().push_front( 946 std::make_shared<PathDiagnosticControlFlowPiece>( 947 Start, End, "Loop condition is false. Exiting loop")); 948 } 949 break; 950 951 case Stmt::WhileStmtClass: 952 case Stmt::ForStmtClass: 953 if (*(Src->succ_begin() + 1) == Dst) { 954 std::string sbuf; 955 llvm::raw_string_ostream os(sbuf); 956 957 os << "Loop condition is false. "; 958 PathDiagnosticLocation End = ExecutionContinues(os, C); 959 if (const Stmt *S = End.asStmt()) 960 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 961 962 C.getActivePath().push_front( 963 std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, 964 os.str())); 965 } else { 966 PathDiagnosticLocation End = ExecutionContinues(C); 967 if (const Stmt *S = End.asStmt()) 968 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 969 970 C.getActivePath().push_front( 971 std::make_shared<PathDiagnosticControlFlowPiece>( 972 Start, End, "Loop condition is true. Entering loop body")); 973 } 974 975 break; 976 977 case Stmt::IfStmtClass: { 978 PathDiagnosticLocation End = ExecutionContinues(C); 979 980 if (const Stmt *S = End.asStmt()) 981 End = getEnclosingStmtLocation(S, C.getCurrLocationContext()); 982 983 if (*(Src->succ_begin() + 1) == Dst) 984 C.getActivePath().push_front( 985 std::make_shared<PathDiagnosticControlFlowPiece>( 986 Start, End, "Taking false branch")); 987 else 988 C.getActivePath().push_front( 989 std::make_shared<PathDiagnosticControlFlowPiece>( 990 Start, End, "Taking true branch")); 991 992 break; 993 } 994 } 995 } 996 997 //===----------------------------------------------------------------------===// 998 // Functions for determining if a loop was executed 0 times. 999 //===----------------------------------------------------------------------===// 1000 1001 static bool isLoop(const Stmt *Term) { 1002 switch (Term->getStmtClass()) { 1003 case Stmt::ForStmtClass: 1004 case Stmt::WhileStmtClass: 1005 case Stmt::ObjCForCollectionStmtClass: 1006 case Stmt::CXXForRangeStmtClass: 1007 return true; 1008 default: 1009 // Note that we intentionally do not include do..while here. 1010 return false; 1011 } 1012 } 1013 1014 static bool isJumpToFalseBranch(const BlockEdge *BE) { 1015 const CFGBlock *Src = BE->getSrc(); 1016 assert(Src->succ_size() == 2); 1017 return (*(Src->succ_begin()+1) == BE->getDst()); 1018 } 1019 1020 static bool isContainedByStmt(const ParentMap &PM, const Stmt *S, 1021 const Stmt *SubS) { 1022 while (SubS) { 1023 if (SubS == S) 1024 return true; 1025 SubS = PM.getParent(SubS); 1026 } 1027 return false; 1028 } 1029 1030 static const Stmt *getStmtBeforeCond(const ParentMap &PM, const Stmt *Term, 1031 const ExplodedNode *N) { 1032 while (N) { 1033 Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>(); 1034 if (SP) { 1035 const Stmt *S = SP->getStmt(); 1036 if (!isContainedByStmt(PM, Term, S)) 1037 return S; 1038 } 1039 N = N->getFirstPred(); 1040 } 1041 return nullptr; 1042 } 1043 1044 static bool isInLoopBody(const ParentMap &PM, const Stmt *S, const Stmt *Term) { 1045 const Stmt *LoopBody = nullptr; 1046 switch (Term->getStmtClass()) { 1047 case Stmt::CXXForRangeStmtClass: { 1048 const auto *FR = cast<CXXForRangeStmt>(Term); 1049 if (isContainedByStmt(PM, FR->getInc(), S)) 1050 return true; 1051 if (isContainedByStmt(PM, FR->getLoopVarStmt(), S)) 1052 return true; 1053 LoopBody = FR->getBody(); 1054 break; 1055 } 1056 case Stmt::ForStmtClass: { 1057 const auto *FS = cast<ForStmt>(Term); 1058 if (isContainedByStmt(PM, FS->getInc(), S)) 1059 return true; 1060 LoopBody = FS->getBody(); 1061 break; 1062 } 1063 case Stmt::ObjCForCollectionStmtClass: { 1064 const auto *FC = cast<ObjCForCollectionStmt>(Term); 1065 LoopBody = FC->getBody(); 1066 break; 1067 } 1068 case Stmt::WhileStmtClass: 1069 LoopBody = cast<WhileStmt>(Term)->getBody(); 1070 break; 1071 default: 1072 return false; 1073 } 1074 return isContainedByStmt(PM, LoopBody, S); 1075 } 1076 1077 /// Adds a sanitized control-flow diagnostic edge to a path. 1078 static void addEdgeToPath(PathPieces &path, 1079 PathDiagnosticLocation &PrevLoc, 1080 PathDiagnosticLocation NewLoc) { 1081 if (!NewLoc.isValid()) 1082 return; 1083 1084 SourceLocation NewLocL = NewLoc.asLocation(); 1085 if (NewLocL.isInvalid()) 1086 return; 1087 1088 if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) { 1089 PrevLoc = NewLoc; 1090 return; 1091 } 1092 1093 // Ignore self-edges, which occur when there are multiple nodes at the same 1094 // statement. 1095 if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt()) 1096 return; 1097 1098 path.push_front( 1099 std::make_shared<PathDiagnosticControlFlowPiece>(NewLoc, PrevLoc)); 1100 PrevLoc = NewLoc; 1101 } 1102 1103 /// A customized wrapper for CFGBlock::getTerminatorCondition() 1104 /// which returns the element for ObjCForCollectionStmts. 1105 static const Stmt *getTerminatorCondition(const CFGBlock *B) { 1106 const Stmt *S = B->getTerminatorCondition(); 1107 if (const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(S)) 1108 return FS->getElement(); 1109 return S; 1110 } 1111 1112 constexpr llvm::StringLiteral StrEnteringLoop = "Entering loop body"; 1113 constexpr llvm::StringLiteral StrLoopBodyZero = "Loop body executed 0 times"; 1114 constexpr llvm::StringLiteral StrLoopRangeEmpty = 1115 "Loop body skipped when range is empty"; 1116 constexpr llvm::StringLiteral StrLoopCollectionEmpty = 1117 "Loop body skipped when collection is empty"; 1118 1119 static std::unique_ptr<FilesToLineNumsMap> 1120 findExecutedLines(const SourceManager &SM, const ExplodedNode *N); 1121 1122 void PathDiagnosticBuilder::generatePathDiagnosticsForNode( 1123 PathDiagnosticConstruct &C, PathDiagnosticLocation &PrevLoc) const { 1124 ProgramPoint P = C.getCurrentNode()->getLocation(); 1125 const SourceManager &SM = getSourceManager(); 1126 1127 // Have we encountered an entrance to a call? It may be 1128 // the case that we have not encountered a matching 1129 // call exit before this point. This means that the path 1130 // terminated within the call itself. 1131 if (auto CE = P.getAs<CallEnter>()) { 1132 1133 if (C.shouldAddPathEdges()) { 1134 // Add an edge to the start of the function. 1135 const StackFrameContext *CalleeLC = CE->getCalleeContext(); 1136 const Decl *D = CalleeLC->getDecl(); 1137 // Add the edge only when the callee has body. We jump to the beginning 1138 // of the *declaration*, however we expect it to be followed by the 1139 // body. This isn't the case for autosynthesized property accessors in 1140 // Objective-C. No need for a similar extra check for CallExit points 1141 // because the exit edge comes from a statement (i.e. return), 1142 // not from declaration. 1143 if (D->hasBody()) 1144 addEdgeToPath(C.getActivePath(), PrevLoc, 1145 PathDiagnosticLocation::createBegin(D, SM)); 1146 } 1147 1148 // Did we visit an entire call? 1149 bool VisitedEntireCall = C.PD->isWithinCall(); 1150 C.PD->popActivePath(); 1151 1152 PathDiagnosticCallPiece *Call; 1153 if (VisitedEntireCall) { 1154 Call = cast<PathDiagnosticCallPiece>(C.getActivePath().front().get()); 1155 } else { 1156 // The path terminated within a nested location context, create a new 1157 // call piece to encapsulate the rest of the path pieces. 1158 const Decl *Caller = CE->getLocationContext()->getDecl(); 1159 Call = PathDiagnosticCallPiece::construct(C.getActivePath(), Caller); 1160 assert(C.getActivePath().size() == 1 && 1161 C.getActivePath().front().get() == Call); 1162 1163 // Since we just transferred the path over to the call piece, reset the 1164 // mapping of the active path to the current location context. 1165 assert(C.isInLocCtxMap(&C.getActivePath()) && 1166 "When we ascend to a previously unvisited call, the active path's " 1167 "address shouldn't change, but rather should be compacted into " 1168 "a single CallEvent!"); 1169 C.updateLocCtxMap(&C.getActivePath(), C.getCurrLocationContext()); 1170 1171 // Record the location context mapping for the path within the call. 1172 assert(!C.isInLocCtxMap(&Call->path) && 1173 "When we ascend to a previously unvisited call, this must be the " 1174 "first time we encounter the caller context!"); 1175 C.updateLocCtxMap(&Call->path, CE->getCalleeContext()); 1176 } 1177 Call->setCallee(*CE, SM); 1178 1179 // Update the previous location in the active path. 1180 PrevLoc = Call->getLocation(); 1181 1182 if (!C.CallStack.empty()) { 1183 assert(C.CallStack.back().first == Call); 1184 C.CallStack.pop_back(); 1185 } 1186 return; 1187 } 1188 1189 assert(C.getCurrLocationContext() == C.getLocationContextForActivePath() && 1190 "The current position in the bug path is out of sync with the " 1191 "location context associated with the active path!"); 1192 1193 // Have we encountered an exit from a function call? 1194 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1195 1196 // We are descending into a call (backwards). Construct 1197 // a new call piece to contain the path pieces for that call. 1198 auto Call = PathDiagnosticCallPiece::construct(*CE, SM); 1199 // Record the mapping from call piece to LocationContext. 1200 assert(!C.isInLocCtxMap(&Call->path) && 1201 "We just entered a call, this must've been the first time we " 1202 "encounter its context!"); 1203 C.updateLocCtxMap(&Call->path, CE->getCalleeContext()); 1204 1205 if (C.shouldAddPathEdges()) { 1206 // Add the edge to the return site. 1207 addEdgeToPath(C.getActivePath(), PrevLoc, Call->callReturn); 1208 PrevLoc.invalidate(); 1209 } 1210 1211 auto *P = Call.get(); 1212 C.getActivePath().push_front(std::move(Call)); 1213 1214 // Make the contents of the call the active path for now. 1215 C.PD->pushActivePath(&P->path); 1216 C.CallStack.push_back(CallWithEntry(P, C.getCurrentNode())); 1217 return; 1218 } 1219 1220 if (auto PS = P.getAs<PostStmt>()) { 1221 if (!C.shouldAddPathEdges()) 1222 return; 1223 1224 // Add an edge. If this is an ObjCForCollectionStmt do 1225 // not add an edge here as it appears in the CFG both 1226 // as a terminator and as a terminator condition. 1227 if (!isa<ObjCForCollectionStmt>(PS->getStmt())) { 1228 PathDiagnosticLocation L = 1229 PathDiagnosticLocation(PS->getStmt(), SM, C.getCurrLocationContext()); 1230 addEdgeToPath(C.getActivePath(), PrevLoc, L); 1231 } 1232 1233 } else if (auto BE = P.getAs<BlockEdge>()) { 1234 1235 if (!C.shouldAddPathEdges()) { 1236 generateMinimalDiagForBlockEdge(C, *BE); 1237 return; 1238 } 1239 1240 // Are we jumping to the head of a loop? Add a special diagnostic. 1241 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1242 PathDiagnosticLocation L(Loop, SM, C.getCurrLocationContext()); 1243 const Stmt *Body = nullptr; 1244 1245 if (const auto *FS = dyn_cast<ForStmt>(Loop)) 1246 Body = FS->getBody(); 1247 else if (const auto *WS = dyn_cast<WhileStmt>(Loop)) 1248 Body = WS->getBody(); 1249 else if (const auto *OFS = dyn_cast<ObjCForCollectionStmt>(Loop)) { 1250 Body = OFS->getBody(); 1251 } else if (const auto *FRS = dyn_cast<CXXForRangeStmt>(Loop)) { 1252 Body = FRS->getBody(); 1253 } 1254 // do-while statements are explicitly excluded here 1255 1256 auto p = std::make_shared<PathDiagnosticEventPiece>( 1257 L, "Looping back to the head " 1258 "of the loop"); 1259 p->setPrunable(true); 1260 1261 addEdgeToPath(C.getActivePath(), PrevLoc, p->getLocation()); 1262 C.getActivePath().push_front(std::move(p)); 1263 1264 if (const auto *CS = dyn_cast_or_null<CompoundStmt>(Body)) { 1265 addEdgeToPath(C.getActivePath(), PrevLoc, 1266 PathDiagnosticLocation::createEndBrace(CS, SM)); 1267 } 1268 } 1269 1270 const CFGBlock *BSrc = BE->getSrc(); 1271 const ParentMap &PM = C.getParentMap(); 1272 1273 if (const Stmt *Term = BSrc->getTerminatorStmt()) { 1274 // Are we jumping past the loop body without ever executing the 1275 // loop (because the condition was false)? 1276 if (isLoop(Term)) { 1277 const Stmt *TermCond = getTerminatorCondition(BSrc); 1278 bool IsInLoopBody = isInLoopBody( 1279 PM, getStmtBeforeCond(PM, TermCond, C.getCurrentNode()), Term); 1280 1281 StringRef str; 1282 1283 if (isJumpToFalseBranch(&*BE)) { 1284 if (!IsInLoopBody) { 1285 if (isa<ObjCForCollectionStmt>(Term)) { 1286 str = StrLoopCollectionEmpty; 1287 } else if (isa<CXXForRangeStmt>(Term)) { 1288 str = StrLoopRangeEmpty; 1289 } else { 1290 str = StrLoopBodyZero; 1291 } 1292 } 1293 } else { 1294 str = StrEnteringLoop; 1295 } 1296 1297 if (!str.empty()) { 1298 PathDiagnosticLocation L(TermCond ? TermCond : Term, SM, 1299 C.getCurrLocationContext()); 1300 auto PE = std::make_shared<PathDiagnosticEventPiece>(L, str); 1301 PE->setPrunable(true); 1302 addEdgeToPath(C.getActivePath(), PrevLoc, PE->getLocation()); 1303 C.getActivePath().push_front(std::move(PE)); 1304 } 1305 } else if (isa<BreakStmt>(Term) || isa<ContinueStmt>(Term) || 1306 isa<GotoStmt>(Term)) { 1307 PathDiagnosticLocation L(Term, SM, C.getCurrLocationContext()); 1308 addEdgeToPath(C.getActivePath(), PrevLoc, L); 1309 } 1310 } 1311 } 1312 } 1313 1314 static std::unique_ptr<PathDiagnostic> 1315 generateDiagnosticForBasicReport(const BasicBugReport *R) { 1316 const BugType &BT = R->getBugType(); 1317 return std::make_unique<PathDiagnostic>( 1318 BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(), 1319 R->getDescription(), R->getShortDescription(/*UseFallback=*/false), 1320 BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(), 1321 std::make_unique<FilesToLineNumsMap>()); 1322 } 1323 1324 static std::unique_ptr<PathDiagnostic> 1325 generateEmptyDiagnosticForReport(const PathSensitiveBugReport *R, 1326 const SourceManager &SM) { 1327 const BugType &BT = R->getBugType(); 1328 return std::make_unique<PathDiagnostic>( 1329 BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(), 1330 R->getDescription(), R->getShortDescription(/*UseFallback=*/false), 1331 BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(), 1332 findExecutedLines(SM, R->getErrorNode())); 1333 } 1334 1335 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) { 1336 if (!S) 1337 return nullptr; 1338 1339 while (true) { 1340 S = PM.getParentIgnoreParens(S); 1341 1342 if (!S) 1343 break; 1344 1345 if (isa<FullExpr>(S) || 1346 isa<CXXBindTemporaryExpr>(S) || 1347 isa<SubstNonTypeTemplateParmExpr>(S)) 1348 continue; 1349 1350 break; 1351 } 1352 1353 return S; 1354 } 1355 1356 static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) { 1357 switch (S->getStmtClass()) { 1358 case Stmt::BinaryOperatorClass: { 1359 const auto *BO = cast<BinaryOperator>(S); 1360 if (!BO->isLogicalOp()) 1361 return false; 1362 return BO->getLHS() == Cond || BO->getRHS() == Cond; 1363 } 1364 case Stmt::IfStmtClass: 1365 return cast<IfStmt>(S)->getCond() == Cond; 1366 case Stmt::ForStmtClass: 1367 return cast<ForStmt>(S)->getCond() == Cond; 1368 case Stmt::WhileStmtClass: 1369 return cast<WhileStmt>(S)->getCond() == Cond; 1370 case Stmt::DoStmtClass: 1371 return cast<DoStmt>(S)->getCond() == Cond; 1372 case Stmt::ChooseExprClass: 1373 return cast<ChooseExpr>(S)->getCond() == Cond; 1374 case Stmt::IndirectGotoStmtClass: 1375 return cast<IndirectGotoStmt>(S)->getTarget() == Cond; 1376 case Stmt::SwitchStmtClass: 1377 return cast<SwitchStmt>(S)->getCond() == Cond; 1378 case Stmt::BinaryConditionalOperatorClass: 1379 return cast<BinaryConditionalOperator>(S)->getCond() == Cond; 1380 case Stmt::ConditionalOperatorClass: { 1381 const auto *CO = cast<ConditionalOperator>(S); 1382 return CO->getCond() == Cond || 1383 CO->getLHS() == Cond || 1384 CO->getRHS() == Cond; 1385 } 1386 case Stmt::ObjCForCollectionStmtClass: 1387 return cast<ObjCForCollectionStmt>(S)->getElement() == Cond; 1388 case Stmt::CXXForRangeStmtClass: { 1389 const auto *FRS = cast<CXXForRangeStmt>(S); 1390 return FRS->getCond() == Cond || FRS->getRangeInit() == Cond; 1391 } 1392 default: 1393 return false; 1394 } 1395 } 1396 1397 static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) { 1398 if (const auto *FS = dyn_cast<ForStmt>(FL)) 1399 return FS->getInc() == S || FS->getInit() == S; 1400 if (const auto *FRS = dyn_cast<CXXForRangeStmt>(FL)) 1401 return FRS->getInc() == S || FRS->getRangeStmt() == S || 1402 FRS->getLoopVarStmt() || FRS->getRangeInit() == S; 1403 return false; 1404 } 1405 1406 using OptimizedCallsSet = llvm::DenseSet<const PathDiagnosticCallPiece *>; 1407 1408 /// Adds synthetic edges from top-level statements to their subexpressions. 1409 /// 1410 /// This avoids a "swoosh" effect, where an edge from a top-level statement A 1411 /// points to a sub-expression B.1 that's not at the start of B. In these cases, 1412 /// we'd like to see an edge from A to B, then another one from B to B.1. 1413 static void addContextEdges(PathPieces &pieces, const LocationContext *LC) { 1414 const ParentMap &PM = LC->getParentMap(); 1415 PathPieces::iterator Prev = pieces.end(); 1416 for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E; 1417 Prev = I, ++I) { 1418 auto *Piece = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1419 1420 if (!Piece) 1421 continue; 1422 1423 PathDiagnosticLocation SrcLoc = Piece->getStartLocation(); 1424 SmallVector<PathDiagnosticLocation, 4> SrcContexts; 1425 1426 PathDiagnosticLocation NextSrcContext = SrcLoc; 1427 const Stmt *InnerStmt = nullptr; 1428 while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) { 1429 SrcContexts.push_back(NextSrcContext); 1430 InnerStmt = NextSrcContext.asStmt(); 1431 NextSrcContext = getEnclosingStmtLocation(InnerStmt, LC, 1432 /*allowNested=*/true); 1433 } 1434 1435 // Repeatedly split the edge as necessary. 1436 // This is important for nested logical expressions (||, &&, ?:) where we 1437 // want to show all the levels of context. 1438 while (true) { 1439 const Stmt *Dst = Piece->getEndLocation().getStmtOrNull(); 1440 1441 // We are looking at an edge. Is the destination within a larger 1442 // expression? 1443 PathDiagnosticLocation DstContext = 1444 getEnclosingStmtLocation(Dst, LC, /*allowNested=*/true); 1445 if (!DstContext.isValid() || DstContext.asStmt() == Dst) 1446 break; 1447 1448 // If the source is in the same context, we're already good. 1449 if (llvm::find(SrcContexts, DstContext) != SrcContexts.end()) 1450 break; 1451 1452 // Update the subexpression node to point to the context edge. 1453 Piece->setStartLocation(DstContext); 1454 1455 // Try to extend the previous edge if it's at the same level as the source 1456 // context. 1457 if (Prev != E) { 1458 auto *PrevPiece = dyn_cast<PathDiagnosticControlFlowPiece>(Prev->get()); 1459 1460 if (PrevPiece) { 1461 if (const Stmt *PrevSrc = 1462 PrevPiece->getStartLocation().getStmtOrNull()) { 1463 const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM); 1464 if (PrevSrcParent == 1465 getStmtParent(DstContext.getStmtOrNull(), PM)) { 1466 PrevPiece->setEndLocation(DstContext); 1467 break; 1468 } 1469 } 1470 } 1471 } 1472 1473 // Otherwise, split the current edge into a context edge and a 1474 // subexpression edge. Note that the context statement may itself have 1475 // context. 1476 auto P = 1477 std::make_shared<PathDiagnosticControlFlowPiece>(SrcLoc, DstContext); 1478 Piece = P.get(); 1479 I = pieces.insert(I, std::move(P)); 1480 } 1481 } 1482 } 1483 1484 /// Move edges from a branch condition to a branch target 1485 /// when the condition is simple. 1486 /// 1487 /// This restructures some of the work of addContextEdges. That function 1488 /// creates edges this may destroy, but they work together to create a more 1489 /// aesthetically set of edges around branches. After the call to 1490 /// addContextEdges, we may have (1) an edge to the branch, (2) an edge from 1491 /// the branch to the branch condition, and (3) an edge from the branch 1492 /// condition to the branch target. We keep (1), but may wish to remove (2) 1493 /// and move the source of (3) to the branch if the branch condition is simple. 1494 static void simplifySimpleBranches(PathPieces &pieces) { 1495 for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) { 1496 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1497 1498 if (!PieceI) 1499 continue; 1500 1501 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1502 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1503 1504 if (!s1Start || !s1End) 1505 continue; 1506 1507 PathPieces::iterator NextI = I; ++NextI; 1508 if (NextI == E) 1509 break; 1510 1511 PathDiagnosticControlFlowPiece *PieceNextI = nullptr; 1512 1513 while (true) { 1514 if (NextI == E) 1515 break; 1516 1517 const auto *EV = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 1518 if (EV) { 1519 StringRef S = EV->getString(); 1520 if (S == StrEnteringLoop || S == StrLoopBodyZero || 1521 S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) { 1522 ++NextI; 1523 continue; 1524 } 1525 break; 1526 } 1527 1528 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1529 break; 1530 } 1531 1532 if (!PieceNextI) 1533 continue; 1534 1535 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1536 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1537 1538 if (!s2Start || !s2End || s1End != s2Start) 1539 continue; 1540 1541 // We only perform this transformation for specific branch kinds. 1542 // We don't want to do this for do..while, for example. 1543 if (!(isa<ForStmt>(s1Start) || isa<WhileStmt>(s1Start) || 1544 isa<IfStmt>(s1Start) || isa<ObjCForCollectionStmt>(s1Start) || 1545 isa<CXXForRangeStmt>(s1Start))) 1546 continue; 1547 1548 // Is s1End the branch condition? 1549 if (!isConditionForTerminator(s1Start, s1End)) 1550 continue; 1551 1552 // Perform the hoisting by eliminating (2) and changing the start 1553 // location of (3). 1554 PieceNextI->setStartLocation(PieceI->getStartLocation()); 1555 I = pieces.erase(I); 1556 } 1557 } 1558 1559 /// Returns the number of bytes in the given (character-based) SourceRange. 1560 /// 1561 /// If the locations in the range are not on the same line, returns None. 1562 /// 1563 /// Note that this does not do a precise user-visible character or column count. 1564 static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM, 1565 SourceRange Range) { 1566 SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()), 1567 SM.getExpansionRange(Range.getEnd()).getEnd()); 1568 1569 FileID FID = SM.getFileID(ExpansionRange.getBegin()); 1570 if (FID != SM.getFileID(ExpansionRange.getEnd())) 1571 return None; 1572 1573 Optional<MemoryBufferRef> Buffer = SM.getBufferOrNone(FID); 1574 if (!Buffer) 1575 return None; 1576 1577 unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin()); 1578 unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd()); 1579 StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset); 1580 1581 // We're searching the raw bytes of the buffer here, which might include 1582 // escaped newlines and such. That's okay; we're trying to decide whether the 1583 // SourceRange is covering a large or small amount of space in the user's 1584 // editor. 1585 if (Snippet.find_first_of("\r\n") != StringRef::npos) 1586 return None; 1587 1588 // This isn't Unicode-aware, but it doesn't need to be. 1589 return Snippet.size(); 1590 } 1591 1592 /// \sa getLengthOnSingleLine(SourceManager, SourceRange) 1593 static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM, 1594 const Stmt *S) { 1595 return getLengthOnSingleLine(SM, S->getSourceRange()); 1596 } 1597 1598 /// Eliminate two-edge cycles created by addContextEdges(). 1599 /// 1600 /// Once all the context edges are in place, there are plenty of cases where 1601 /// there's a single edge from a top-level statement to a subexpression, 1602 /// followed by a single path note, and then a reverse edge to get back out to 1603 /// the top level. If the statement is simple enough, the subexpression edges 1604 /// just add noise and make it harder to understand what's going on. 1605 /// 1606 /// This function only removes edges in pairs, because removing only one edge 1607 /// might leave other edges dangling. 1608 /// 1609 /// This will not remove edges in more complicated situations: 1610 /// - if there is more than one "hop" leading to or from a subexpression. 1611 /// - if there is an inlined call between the edges instead of a single event. 1612 /// - if the whole statement is large enough that having subexpression arrows 1613 /// might be helpful. 1614 static void removeContextCycles(PathPieces &Path, const SourceManager &SM) { 1615 for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) { 1616 // Pattern match the current piece and its successor. 1617 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1618 1619 if (!PieceI) { 1620 ++I; 1621 continue; 1622 } 1623 1624 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1625 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1626 1627 PathPieces::iterator NextI = I; ++NextI; 1628 if (NextI == E) 1629 break; 1630 1631 const auto *PieceNextI = 1632 dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1633 1634 if (!PieceNextI) { 1635 if (isa<PathDiagnosticEventPiece>(NextI->get())) { 1636 ++NextI; 1637 if (NextI == E) 1638 break; 1639 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1640 } 1641 1642 if (!PieceNextI) { 1643 ++I; 1644 continue; 1645 } 1646 } 1647 1648 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1649 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1650 1651 if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) { 1652 const size_t MAX_SHORT_LINE_LENGTH = 80; 1653 Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start); 1654 if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) { 1655 Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start); 1656 if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) { 1657 Path.erase(I); 1658 I = Path.erase(NextI); 1659 continue; 1660 } 1661 } 1662 } 1663 1664 ++I; 1665 } 1666 } 1667 1668 /// Return true if X is contained by Y. 1669 static bool lexicalContains(const ParentMap &PM, const Stmt *X, const Stmt *Y) { 1670 while (X) { 1671 if (X == Y) 1672 return true; 1673 X = PM.getParent(X); 1674 } 1675 return false; 1676 } 1677 1678 // Remove short edges on the same line less than 3 columns in difference. 1679 static void removePunyEdges(PathPieces &path, const SourceManager &SM, 1680 const ParentMap &PM) { 1681 bool erased = false; 1682 1683 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; 1684 erased ? I : ++I) { 1685 erased = false; 1686 1687 const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1688 1689 if (!PieceI) 1690 continue; 1691 1692 const Stmt *start = PieceI->getStartLocation().getStmtOrNull(); 1693 const Stmt *end = PieceI->getEndLocation().getStmtOrNull(); 1694 1695 if (!start || !end) 1696 continue; 1697 1698 const Stmt *endParent = PM.getParent(end); 1699 if (!endParent) 1700 continue; 1701 1702 if (isConditionForTerminator(end, endParent)) 1703 continue; 1704 1705 SourceLocation FirstLoc = start->getBeginLoc(); 1706 SourceLocation SecondLoc = end->getBeginLoc(); 1707 1708 if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc)) 1709 continue; 1710 if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc)) 1711 std::swap(SecondLoc, FirstLoc); 1712 1713 SourceRange EdgeRange(FirstLoc, SecondLoc); 1714 Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange); 1715 1716 // If the statements are on different lines, continue. 1717 if (!ByteWidth) 1718 continue; 1719 1720 const size_t MAX_PUNY_EDGE_LENGTH = 2; 1721 if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) { 1722 // FIXME: There are enough /bytes/ between the endpoints of the edge, but 1723 // there might not be enough /columns/. A proper user-visible column count 1724 // is probably too expensive, though. 1725 I = path.erase(I); 1726 erased = true; 1727 continue; 1728 } 1729 } 1730 } 1731 1732 static void removeIdenticalEvents(PathPieces &path) { 1733 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) { 1734 const auto *PieceI = dyn_cast<PathDiagnosticEventPiece>(I->get()); 1735 1736 if (!PieceI) 1737 continue; 1738 1739 PathPieces::iterator NextI = I; ++NextI; 1740 if (NextI == E) 1741 return; 1742 1743 const auto *PieceNextI = dyn_cast<PathDiagnosticEventPiece>(NextI->get()); 1744 1745 if (!PieceNextI) 1746 continue; 1747 1748 // Erase the second piece if it has the same exact message text. 1749 if (PieceI->getString() == PieceNextI->getString()) { 1750 path.erase(NextI); 1751 } 1752 } 1753 } 1754 1755 static bool optimizeEdges(const PathDiagnosticConstruct &C, PathPieces &path, 1756 OptimizedCallsSet &OCS) { 1757 bool hasChanges = false; 1758 const LocationContext *LC = C.getLocationContextFor(&path); 1759 assert(LC); 1760 const ParentMap &PM = LC->getParentMap(); 1761 const SourceManager &SM = C.getSourceManager(); 1762 1763 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) { 1764 // Optimize subpaths. 1765 if (auto *CallI = dyn_cast<PathDiagnosticCallPiece>(I->get())) { 1766 // Record the fact that a call has been optimized so we only do the 1767 // effort once. 1768 if (!OCS.count(CallI)) { 1769 while (optimizeEdges(C, CallI->path, OCS)) { 1770 } 1771 OCS.insert(CallI); 1772 } 1773 ++I; 1774 continue; 1775 } 1776 1777 // Pattern match the current piece and its successor. 1778 auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get()); 1779 1780 if (!PieceI) { 1781 ++I; 1782 continue; 1783 } 1784 1785 const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull(); 1786 const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull(); 1787 const Stmt *level1 = getStmtParent(s1Start, PM); 1788 const Stmt *level2 = getStmtParent(s1End, PM); 1789 1790 PathPieces::iterator NextI = I; ++NextI; 1791 if (NextI == E) 1792 break; 1793 1794 const auto *PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get()); 1795 1796 if (!PieceNextI) { 1797 ++I; 1798 continue; 1799 } 1800 1801 const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull(); 1802 const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull(); 1803 const Stmt *level3 = getStmtParent(s2Start, PM); 1804 const Stmt *level4 = getStmtParent(s2End, PM); 1805 1806 // Rule I. 1807 // 1808 // If we have two consecutive control edges whose end/begin locations 1809 // are at the same level (e.g. statements or top-level expressions within 1810 // a compound statement, or siblings share a single ancestor expression), 1811 // then merge them if they have no interesting intermediate event. 1812 // 1813 // For example: 1814 // 1815 // (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common 1816 // parent is '1'. Here 'x.y.z' represents the hierarchy of statements. 1817 // 1818 // NOTE: this will be limited later in cases where we add barriers 1819 // to prevent this optimization. 1820 if (level1 && level1 == level2 && level1 == level3 && level1 == level4) { 1821 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1822 path.erase(NextI); 1823 hasChanges = true; 1824 continue; 1825 } 1826 1827 // Rule II. 1828 // 1829 // Eliminate edges between subexpressions and parent expressions 1830 // when the subexpression is consumed. 1831 // 1832 // NOTE: this will be limited later in cases where we add barriers 1833 // to prevent this optimization. 1834 if (s1End && s1End == s2Start && level2) { 1835 bool removeEdge = false; 1836 // Remove edges into the increment or initialization of a 1837 // loop that have no interleaving event. This means that 1838 // they aren't interesting. 1839 if (isIncrementOrInitInForLoop(s1End, level2)) 1840 removeEdge = true; 1841 // Next only consider edges that are not anchored on 1842 // the condition of a terminator. This are intermediate edges 1843 // that we might want to trim. 1844 else if (!isConditionForTerminator(level2, s1End)) { 1845 // Trim edges on expressions that are consumed by 1846 // the parent expression. 1847 if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) { 1848 removeEdge = true; 1849 } 1850 // Trim edges where a lexical containment doesn't exist. 1851 // For example: 1852 // 1853 // X -> Y -> Z 1854 // 1855 // If 'Z' lexically contains Y (it is an ancestor) and 1856 // 'X' does not lexically contain Y (it is a descendant OR 1857 // it has no lexical relationship at all) then trim. 1858 // 1859 // This can eliminate edges where we dive into a subexpression 1860 // and then pop back out, etc. 1861 else if (s1Start && s2End && 1862 lexicalContains(PM, s2Start, s2End) && 1863 !lexicalContains(PM, s1End, s1Start)) { 1864 removeEdge = true; 1865 } 1866 // Trim edges from a subexpression back to the top level if the 1867 // subexpression is on a different line. 1868 // 1869 // A.1 -> A -> B 1870 // becomes 1871 // A.1 -> B 1872 // 1873 // These edges just look ugly and don't usually add anything. 1874 else if (s1Start && s2End && 1875 lexicalContains(PM, s1Start, s1End)) { 1876 SourceRange EdgeRange(PieceI->getEndLocation().asLocation(), 1877 PieceI->getStartLocation().asLocation()); 1878 if (!getLengthOnSingleLine(SM, EdgeRange).hasValue()) 1879 removeEdge = true; 1880 } 1881 } 1882 1883 if (removeEdge) { 1884 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1885 path.erase(NextI); 1886 hasChanges = true; 1887 continue; 1888 } 1889 } 1890 1891 // Optimize edges for ObjC fast-enumeration loops. 1892 // 1893 // (X -> collection) -> (collection -> element) 1894 // 1895 // becomes: 1896 // 1897 // (X -> element) 1898 if (s1End == s2Start) { 1899 const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(level3); 1900 if (FS && FS->getCollection()->IgnoreParens() == s2Start && 1901 s2End == FS->getElement()) { 1902 PieceI->setEndLocation(PieceNextI->getEndLocation()); 1903 path.erase(NextI); 1904 hasChanges = true; 1905 continue; 1906 } 1907 } 1908 1909 // No changes at this index? Move to the next one. 1910 ++I; 1911 } 1912 1913 if (!hasChanges) { 1914 // Adjust edges into subexpressions to make them more uniform 1915 // and aesthetically pleasing. 1916 addContextEdges(path, LC); 1917 // Remove "cyclical" edges that include one or more context edges. 1918 removeContextCycles(path, SM); 1919 // Hoist edges originating from branch conditions to branches 1920 // for simple branches. 1921 simplifySimpleBranches(path); 1922 // Remove any puny edges left over after primary optimization pass. 1923 removePunyEdges(path, SM, PM); 1924 // Remove identical events. 1925 removeIdenticalEvents(path); 1926 } 1927 1928 return hasChanges; 1929 } 1930 1931 /// Drop the very first edge in a path, which should be a function entry edge. 1932 /// 1933 /// If the first edge is not a function entry edge (say, because the first 1934 /// statement had an invalid source location), this function does nothing. 1935 // FIXME: We should just generate invalid edges anyway and have the optimizer 1936 // deal with them. 1937 static void dropFunctionEntryEdge(const PathDiagnosticConstruct &C, 1938 PathPieces &Path) { 1939 const auto *FirstEdge = 1940 dyn_cast<PathDiagnosticControlFlowPiece>(Path.front().get()); 1941 if (!FirstEdge) 1942 return; 1943 1944 const Decl *D = C.getLocationContextFor(&Path)->getDecl(); 1945 PathDiagnosticLocation EntryLoc = 1946 PathDiagnosticLocation::createBegin(D, C.getSourceManager()); 1947 if (FirstEdge->getStartLocation() != EntryLoc) 1948 return; 1949 1950 Path.pop_front(); 1951 } 1952 1953 /// Populate executes lines with lines containing at least one diagnostics. 1954 static void updateExecutedLinesWithDiagnosticPieces(PathDiagnostic &PD) { 1955 1956 PathPieces path = PD.path.flatten(/*ShouldFlattenMacros=*/true); 1957 FilesToLineNumsMap &ExecutedLines = PD.getExecutedLines(); 1958 1959 for (const auto &P : path) { 1960 FullSourceLoc Loc = P->getLocation().asLocation().getExpansionLoc(); 1961 FileID FID = Loc.getFileID(); 1962 unsigned LineNo = Loc.getLineNumber(); 1963 assert(FID.isValid()); 1964 ExecutedLines[FID].insert(LineNo); 1965 } 1966 } 1967 1968 PathDiagnosticConstruct::PathDiagnosticConstruct( 1969 const PathDiagnosticConsumer *PDC, const ExplodedNode *ErrorNode, 1970 const PathSensitiveBugReport *R) 1971 : Consumer(PDC), CurrentNode(ErrorNode), 1972 SM(CurrentNode->getCodeDecl().getASTContext().getSourceManager()), 1973 PD(generateEmptyDiagnosticForReport(R, getSourceManager())) { 1974 LCM[&PD->getActivePath()] = ErrorNode->getLocationContext(); 1975 } 1976 1977 PathDiagnosticBuilder::PathDiagnosticBuilder( 1978 BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath, 1979 PathSensitiveBugReport *r, const ExplodedNode *ErrorNode, 1980 std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics) 1981 : BugReporterContext(BRC), BugPath(std::move(BugPath)), R(r), 1982 ErrorNode(ErrorNode), 1983 VisitorsDiagnostics(std::move(VisitorsDiagnostics)) {} 1984 1985 std::unique_ptr<PathDiagnostic> 1986 PathDiagnosticBuilder::generate(const PathDiagnosticConsumer *PDC) const { 1987 PathDiagnosticConstruct Construct(PDC, ErrorNode, R); 1988 1989 const SourceManager &SM = getSourceManager(); 1990 const AnalyzerOptions &Opts = getAnalyzerOptions(); 1991 1992 // See whether we need to silence the checker/package. 1993 // FIXME: This will not work if the report was emitted with an incorrect tag. 1994 for (const std::string &CheckerOrPackage : Opts.SilencedCheckersAndPackages) { 1995 if (R->getBugType().getCheckerName().startswith(CheckerOrPackage)) 1996 return nullptr; 1997 } 1998 1999 if (!PDC->shouldGenerateDiagnostics()) 2000 return generateEmptyDiagnosticForReport(R, getSourceManager()); 2001 2002 // Construct the final (warning) event for the bug report. 2003 auto EndNotes = VisitorsDiagnostics->find(ErrorNode); 2004 PathDiagnosticPieceRef LastPiece; 2005 if (EndNotes != VisitorsDiagnostics->end()) { 2006 assert(!EndNotes->second.empty()); 2007 LastPiece = EndNotes->second[0]; 2008 } else { 2009 LastPiece = BugReporterVisitor::getDefaultEndPath(*this, ErrorNode, 2010 *getBugReport()); 2011 } 2012 Construct.PD->setEndOfPath(LastPiece); 2013 2014 PathDiagnosticLocation PrevLoc = Construct.PD->getLocation(); 2015 // From the error node to the root, ascend the bug path and construct the bug 2016 // report. 2017 while (Construct.ascendToPrevNode()) { 2018 generatePathDiagnosticsForNode(Construct, PrevLoc); 2019 2020 auto VisitorNotes = VisitorsDiagnostics->find(Construct.getCurrentNode()); 2021 if (VisitorNotes == VisitorsDiagnostics->end()) 2022 continue; 2023 2024 // This is a workaround due to inability to put shared PathDiagnosticPiece 2025 // into a FoldingSet. 2026 std::set<llvm::FoldingSetNodeID> DeduplicationSet; 2027 2028 // Add pieces from custom visitors. 2029 for (const PathDiagnosticPieceRef &Note : VisitorNotes->second) { 2030 llvm::FoldingSetNodeID ID; 2031 Note->Profile(ID); 2032 if (!DeduplicationSet.insert(ID).second) 2033 continue; 2034 2035 if (PDC->shouldAddPathEdges()) 2036 addEdgeToPath(Construct.getActivePath(), PrevLoc, Note->getLocation()); 2037 updateStackPiecesWithMessage(Note, Construct.CallStack); 2038 Construct.getActivePath().push_front(Note); 2039 } 2040 } 2041 2042 if (PDC->shouldAddPathEdges()) { 2043 // Add an edge to the start of the function. 2044 // We'll prune it out later, but it helps make diagnostics more uniform. 2045 const StackFrameContext *CalleeLC = 2046 Construct.getLocationContextForActivePath()->getStackFrame(); 2047 const Decl *D = CalleeLC->getDecl(); 2048 addEdgeToPath(Construct.getActivePath(), PrevLoc, 2049 PathDiagnosticLocation::createBegin(D, SM)); 2050 } 2051 2052 2053 // Finally, prune the diagnostic path of uninteresting stuff. 2054 if (!Construct.PD->path.empty()) { 2055 if (R->shouldPrunePath() && Opts.ShouldPrunePaths) { 2056 bool stillHasNotes = 2057 removeUnneededCalls(Construct, Construct.getMutablePieces(), R); 2058 assert(stillHasNotes); 2059 (void)stillHasNotes; 2060 } 2061 2062 // Remove pop-up notes if needed. 2063 if (!Opts.ShouldAddPopUpNotes) 2064 removePopUpNotes(Construct.getMutablePieces()); 2065 2066 // Redirect all call pieces to have valid locations. 2067 adjustCallLocations(Construct.getMutablePieces()); 2068 removePiecesWithInvalidLocations(Construct.getMutablePieces()); 2069 2070 if (PDC->shouldAddPathEdges()) { 2071 2072 // Reduce the number of edges from a very conservative set 2073 // to an aesthetically pleasing subset that conveys the 2074 // necessary information. 2075 OptimizedCallsSet OCS; 2076 while (optimizeEdges(Construct, Construct.getMutablePieces(), OCS)) { 2077 } 2078 2079 // Drop the very first function-entry edge. It's not really necessary 2080 // for top-level functions. 2081 dropFunctionEntryEdge(Construct, Construct.getMutablePieces()); 2082 } 2083 2084 // Remove messages that are basically the same, and edges that may not 2085 // make sense. 2086 // We have to do this after edge optimization in the Extensive mode. 2087 removeRedundantMsgs(Construct.getMutablePieces()); 2088 removeEdgesToDefaultInitializers(Construct.getMutablePieces()); 2089 } 2090 2091 if (Opts.ShouldDisplayMacroExpansions) 2092 CompactMacroExpandedPieces(Construct.getMutablePieces(), SM); 2093 2094 return std::move(Construct.PD); 2095 } 2096 2097 //===----------------------------------------------------------------------===// 2098 // Methods for BugType and subclasses. 2099 //===----------------------------------------------------------------------===// 2100 2101 void BugType::anchor() {} 2102 2103 void BuiltinBug::anchor() {} 2104 2105 //===----------------------------------------------------------------------===// 2106 // Methods for BugReport and subclasses. 2107 //===----------------------------------------------------------------------===// 2108 2109 LLVM_ATTRIBUTE_USED static bool 2110 isDependency(const CheckerRegistryData &Registry, StringRef CheckerName) { 2111 for (const std::pair<StringRef, StringRef> &Pair : Registry.Dependencies) { 2112 if (Pair.second == CheckerName) 2113 return true; 2114 } 2115 return false; 2116 } 2117 2118 LLVM_ATTRIBUTE_USED static bool isHidden(const CheckerRegistryData &Registry, 2119 StringRef CheckerName) { 2120 for (const CheckerInfo &Checker : Registry.Checkers) { 2121 if (Checker.FullName == CheckerName) 2122 return Checker.IsHidden; 2123 } 2124 llvm_unreachable( 2125 "Checker name not found in CheckerRegistry -- did you retrieve it " 2126 "correctly from CheckerManager::getCurrentCheckerName?"); 2127 } 2128 2129 PathSensitiveBugReport::PathSensitiveBugReport( 2130 const BugType &bt, StringRef shortDesc, StringRef desc, 2131 const ExplodedNode *errorNode, PathDiagnosticLocation LocationToUnique, 2132 const Decl *DeclToUnique) 2133 : BugReport(Kind::PathSensitive, bt, shortDesc, desc), ErrorNode(errorNode), 2134 ErrorNodeRange(getStmt() ? getStmt()->getSourceRange() : SourceRange()), 2135 UniqueingLocation(LocationToUnique), UniqueingDecl(DeclToUnique) { 2136 assert(!isDependency(ErrorNode->getState() 2137 ->getAnalysisManager() 2138 .getCheckerManager() 2139 ->getCheckerRegistryData(), 2140 bt.getCheckerName()) && 2141 "Some checkers depend on this one! We don't allow dependency " 2142 "checkers to emit warnings, because checkers should depend on " 2143 "*modeling*, not *diagnostics*."); 2144 2145 assert( 2146 (bt.getCheckerName().startswith("debug") || 2147 !isHidden(ErrorNode->getState() 2148 ->getAnalysisManager() 2149 .getCheckerManager() 2150 ->getCheckerRegistryData(), 2151 bt.getCheckerName())) && 2152 "Hidden checkers musn't emit diagnostics as they are by definition " 2153 "non-user facing!"); 2154 } 2155 2156 void PathSensitiveBugReport::addVisitor( 2157 std::unique_ptr<BugReporterVisitor> visitor) { 2158 if (!visitor) 2159 return; 2160 2161 llvm::FoldingSetNodeID ID; 2162 visitor->Profile(ID); 2163 2164 void *InsertPos = nullptr; 2165 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 2166 return; 2167 } 2168 2169 Callbacks.push_back(std::move(visitor)); 2170 } 2171 2172 void PathSensitiveBugReport::clearVisitors() { 2173 Callbacks.clear(); 2174 } 2175 2176 const Decl *PathSensitiveBugReport::getDeclWithIssue() const { 2177 const ExplodedNode *N = getErrorNode(); 2178 if (!N) 2179 return nullptr; 2180 2181 const LocationContext *LC = N->getLocationContext(); 2182 return LC->getStackFrame()->getDecl(); 2183 } 2184 2185 void BasicBugReport::Profile(llvm::FoldingSetNodeID& hash) const { 2186 hash.AddInteger(static_cast<int>(getKind())); 2187 hash.AddPointer(&BT); 2188 hash.AddString(Description); 2189 assert(Location.isValid()); 2190 Location.Profile(hash); 2191 2192 for (SourceRange range : Ranges) { 2193 if (!range.isValid()) 2194 continue; 2195 hash.Add(range.getBegin()); 2196 hash.Add(range.getEnd()); 2197 } 2198 } 2199 2200 void PathSensitiveBugReport::Profile(llvm::FoldingSetNodeID &hash) const { 2201 hash.AddInteger(static_cast<int>(getKind())); 2202 hash.AddPointer(&BT); 2203 hash.AddString(Description); 2204 PathDiagnosticLocation UL = getUniqueingLocation(); 2205 if (UL.isValid()) { 2206 UL.Profile(hash); 2207 } else { 2208 // TODO: The statement may be null if the report was emitted before any 2209 // statements were executed. In particular, some checkers by design 2210 // occasionally emit their reports in empty functions (that have no 2211 // statements in their body). Do we profile correctly in this case? 2212 hash.AddPointer(ErrorNode->getCurrentOrPreviousStmtForDiagnostics()); 2213 } 2214 2215 for (SourceRange range : Ranges) { 2216 if (!range.isValid()) 2217 continue; 2218 hash.Add(range.getBegin()); 2219 hash.Add(range.getEnd()); 2220 } 2221 } 2222 2223 template <class T> 2224 static void insertToInterestingnessMap( 2225 llvm::DenseMap<T, bugreporter::TrackingKind> &InterestingnessMap, T Val, 2226 bugreporter::TrackingKind TKind) { 2227 auto Result = InterestingnessMap.insert({Val, TKind}); 2228 2229 if (Result.second) 2230 return; 2231 2232 // Even if this symbol/region was already marked as interesting as a 2233 // condition, if we later mark it as interesting again but with 2234 // thorough tracking, overwrite it. Entities marked with thorough 2235 // interestiness are the most important (or most interesting, if you will), 2236 // and we wouldn't like to downplay their importance. 2237 2238 switch (TKind) { 2239 case bugreporter::TrackingKind::Thorough: 2240 Result.first->getSecond() = bugreporter::TrackingKind::Thorough; 2241 return; 2242 case bugreporter::TrackingKind::Condition: 2243 return; 2244 } 2245 2246 llvm_unreachable( 2247 "BugReport::markInteresting currently can only handle 2 different " 2248 "tracking kinds! Please define what tracking kind should this entitiy" 2249 "have, if it was already marked as interesting with a different kind!"); 2250 } 2251 2252 void PathSensitiveBugReport::markInteresting(SymbolRef sym, 2253 bugreporter::TrackingKind TKind) { 2254 if (!sym) 2255 return; 2256 2257 insertToInterestingnessMap(InterestingSymbols, sym, TKind); 2258 2259 if (const auto *meta = dyn_cast<SymbolMetadata>(sym)) 2260 markInteresting(meta->getRegion(), TKind); 2261 } 2262 2263 void PathSensitiveBugReport::markInteresting(const MemRegion *R, 2264 bugreporter::TrackingKind TKind) { 2265 if (!R) 2266 return; 2267 2268 R = R->getBaseRegion(); 2269 insertToInterestingnessMap(InterestingRegions, R, TKind); 2270 2271 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2272 markInteresting(SR->getSymbol(), TKind); 2273 } 2274 2275 void PathSensitiveBugReport::markInteresting(SVal V, 2276 bugreporter::TrackingKind TKind) { 2277 markInteresting(V.getAsRegion(), TKind); 2278 markInteresting(V.getAsSymbol(), TKind); 2279 } 2280 2281 void PathSensitiveBugReport::markInteresting(const LocationContext *LC) { 2282 if (!LC) 2283 return; 2284 InterestingLocationContexts.insert(LC); 2285 } 2286 2287 Optional<bugreporter::TrackingKind> 2288 PathSensitiveBugReport::getInterestingnessKind(SVal V) const { 2289 auto RKind = getInterestingnessKind(V.getAsRegion()); 2290 auto SKind = getInterestingnessKind(V.getAsSymbol()); 2291 if (!RKind) 2292 return SKind; 2293 if (!SKind) 2294 return RKind; 2295 2296 // If either is marked with throrough tracking, return that, we wouldn't like 2297 // to downplay a note's importance by 'only' mentioning it as a condition. 2298 switch(*RKind) { 2299 case bugreporter::TrackingKind::Thorough: 2300 return RKind; 2301 case bugreporter::TrackingKind::Condition: 2302 return SKind; 2303 } 2304 2305 llvm_unreachable( 2306 "BugReport::getInterestingnessKind currently can only handle 2 different " 2307 "tracking kinds! Please define what tracking kind should we return here " 2308 "when the kind of getAsRegion() and getAsSymbol() is different!"); 2309 return None; 2310 } 2311 2312 Optional<bugreporter::TrackingKind> 2313 PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const { 2314 if (!sym) 2315 return None; 2316 // We don't currently consider metadata symbols to be interesting 2317 // even if we know their region is interesting. Is that correct behavior? 2318 auto It = InterestingSymbols.find(sym); 2319 if (It == InterestingSymbols.end()) 2320 return None; 2321 return It->getSecond(); 2322 } 2323 2324 Optional<bugreporter::TrackingKind> 2325 PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const { 2326 if (!R) 2327 return None; 2328 2329 R = R->getBaseRegion(); 2330 auto It = InterestingRegions.find(R); 2331 if (It != InterestingRegions.end()) 2332 return It->getSecond(); 2333 2334 if (const auto *SR = dyn_cast<SymbolicRegion>(R)) 2335 return getInterestingnessKind(SR->getSymbol()); 2336 return None; 2337 } 2338 2339 bool PathSensitiveBugReport::isInteresting(SVal V) const { 2340 return getInterestingnessKind(V).hasValue(); 2341 } 2342 2343 bool PathSensitiveBugReport::isInteresting(SymbolRef sym) const { 2344 return getInterestingnessKind(sym).hasValue(); 2345 } 2346 2347 bool PathSensitiveBugReport::isInteresting(const MemRegion *R) const { 2348 return getInterestingnessKind(R).hasValue(); 2349 } 2350 2351 bool PathSensitiveBugReport::isInteresting(const LocationContext *LC) const { 2352 if (!LC) 2353 return false; 2354 return InterestingLocationContexts.count(LC); 2355 } 2356 2357 const Stmt *PathSensitiveBugReport::getStmt() const { 2358 if (!ErrorNode) 2359 return nullptr; 2360 2361 ProgramPoint ProgP = ErrorNode->getLocation(); 2362 const Stmt *S = nullptr; 2363 2364 if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) { 2365 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 2366 if (BE->getBlock() == &Exit) 2367 S = ErrorNode->getPreviousStmtForDiagnostics(); 2368 } 2369 if (!S) 2370 S = ErrorNode->getStmtForDiagnostics(); 2371 2372 return S; 2373 } 2374 2375 ArrayRef<SourceRange> 2376 PathSensitiveBugReport::getRanges() const { 2377 // If no custom ranges, add the range of the statement corresponding to 2378 // the error node. 2379 if (Ranges.empty() && isa_and_nonnull<Expr>(getStmt())) 2380 return ErrorNodeRange; 2381 2382 return Ranges; 2383 } 2384 2385 PathDiagnosticLocation 2386 PathSensitiveBugReport::getLocation() const { 2387 assert(ErrorNode && "Cannot create a location with a null node."); 2388 const Stmt *S = ErrorNode->getStmtForDiagnostics(); 2389 ProgramPoint P = ErrorNode->getLocation(); 2390 const LocationContext *LC = P.getLocationContext(); 2391 SourceManager &SM = 2392 ErrorNode->getState()->getStateManager().getContext().getSourceManager(); 2393 2394 if (!S) { 2395 // If this is an implicit call, return the implicit call point location. 2396 if (Optional<PreImplicitCall> PIE = P.getAs<PreImplicitCall>()) 2397 return PathDiagnosticLocation(PIE->getLocation(), SM); 2398 if (auto FE = P.getAs<FunctionExitPoint>()) { 2399 if (const ReturnStmt *RS = FE->getStmt()) 2400 return PathDiagnosticLocation::createBegin(RS, SM, LC); 2401 } 2402 S = ErrorNode->getNextStmtForDiagnostics(); 2403 } 2404 2405 if (S) { 2406 // For member expressions, return the location of the '.' or '->'. 2407 if (const auto *ME = dyn_cast<MemberExpr>(S)) 2408 return PathDiagnosticLocation::createMemberLoc(ME, SM); 2409 2410 // For binary operators, return the location of the operator. 2411 if (const auto *B = dyn_cast<BinaryOperator>(S)) 2412 return PathDiagnosticLocation::createOperatorLoc(B, SM); 2413 2414 if (P.getAs<PostStmtPurgeDeadSymbols>()) 2415 return PathDiagnosticLocation::createEnd(S, SM, LC); 2416 2417 if (S->getBeginLoc().isValid()) 2418 return PathDiagnosticLocation(S, SM, LC); 2419 2420 return PathDiagnosticLocation( 2421 PathDiagnosticLocation::getValidSourceLocation(S, LC), SM); 2422 } 2423 2424 return PathDiagnosticLocation::createDeclEnd(ErrorNode->getLocationContext(), 2425 SM); 2426 } 2427 2428 //===----------------------------------------------------------------------===// 2429 // Methods for BugReporter and subclasses. 2430 //===----------------------------------------------------------------------===// 2431 2432 const ExplodedGraph &PathSensitiveBugReporter::getGraph() const { 2433 return Eng.getGraph(); 2434 } 2435 2436 ProgramStateManager &PathSensitiveBugReporter::getStateManager() const { 2437 return Eng.getStateManager(); 2438 } 2439 2440 BugReporter::BugReporter(BugReporterData &d) : D(d) {} 2441 BugReporter::~BugReporter() { 2442 // Make sure reports are flushed. 2443 assert(StrBugTypes.empty() && 2444 "Destroying BugReporter before diagnostics are emitted!"); 2445 2446 // Free the bug reports we are tracking. 2447 for (const auto I : EQClassesVector) 2448 delete I; 2449 } 2450 2451 void BugReporter::FlushReports() { 2452 // We need to flush reports in deterministic order to ensure the order 2453 // of the reports is consistent between runs. 2454 for (const auto EQ : EQClassesVector) 2455 FlushReport(*EQ); 2456 2457 // BugReporter owns and deletes only BugTypes created implicitly through 2458 // EmitBasicReport. 2459 // FIXME: There are leaks from checkers that assume that the BugTypes they 2460 // create will be destroyed by the BugReporter. 2461 StrBugTypes.clear(); 2462 } 2463 2464 //===----------------------------------------------------------------------===// 2465 // PathDiagnostics generation. 2466 //===----------------------------------------------------------------------===// 2467 2468 namespace { 2469 2470 /// A wrapper around an ExplodedGraph that contains a single path from the root 2471 /// to the error node. 2472 class BugPathInfo { 2473 public: 2474 std::unique_ptr<ExplodedGraph> BugPath; 2475 PathSensitiveBugReport *Report; 2476 const ExplodedNode *ErrorNode; 2477 }; 2478 2479 /// A wrapper around an ExplodedGraph whose leafs are all error nodes. Can 2480 /// conveniently retrieve bug paths from a single error node to the root. 2481 class BugPathGetter { 2482 std::unique_ptr<ExplodedGraph> TrimmedGraph; 2483 2484 using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>; 2485 2486 /// Assign each node with its distance from the root. 2487 PriorityMapTy PriorityMap; 2488 2489 /// Since the getErrorNode() or BugReport refers to the original ExplodedGraph, 2490 /// we need to pair it to the error node of the constructed trimmed graph. 2491 using ReportNewNodePair = 2492 std::pair<PathSensitiveBugReport *, const ExplodedNode *>; 2493 SmallVector<ReportNewNodePair, 32> ReportNodes; 2494 2495 BugPathInfo CurrentBugPath; 2496 2497 /// A helper class for sorting ExplodedNodes by priority. 2498 template <bool Descending> 2499 class PriorityCompare { 2500 const PriorityMapTy &PriorityMap; 2501 2502 public: 2503 PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {} 2504 2505 bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const { 2506 PriorityMapTy::const_iterator LI = PriorityMap.find(LHS); 2507 PriorityMapTy::const_iterator RI = PriorityMap.find(RHS); 2508 PriorityMapTy::const_iterator E = PriorityMap.end(); 2509 2510 if (LI == E) 2511 return Descending; 2512 if (RI == E) 2513 return !Descending; 2514 2515 return Descending ? LI->second > RI->second 2516 : LI->second < RI->second; 2517 } 2518 2519 bool operator()(const ReportNewNodePair &LHS, 2520 const ReportNewNodePair &RHS) const { 2521 return (*this)(LHS.second, RHS.second); 2522 } 2523 }; 2524 2525 public: 2526 BugPathGetter(const ExplodedGraph *OriginalGraph, 2527 ArrayRef<PathSensitiveBugReport *> &bugReports); 2528 2529 BugPathInfo *getNextBugPath(); 2530 }; 2531 2532 } // namespace 2533 2534 BugPathGetter::BugPathGetter(const ExplodedGraph *OriginalGraph, 2535 ArrayRef<PathSensitiveBugReport *> &bugReports) { 2536 SmallVector<const ExplodedNode *, 32> Nodes; 2537 for (const auto I : bugReports) { 2538 assert(I->isValid() && 2539 "We only allow BugReporterVisitors and BugReporter itself to " 2540 "invalidate reports!"); 2541 Nodes.emplace_back(I->getErrorNode()); 2542 } 2543 2544 // The trimmed graph is created in the body of the constructor to ensure 2545 // that the DenseMaps have been initialized already. 2546 InterExplodedGraphMap ForwardMap; 2547 TrimmedGraph = OriginalGraph->trim(Nodes, &ForwardMap); 2548 2549 // Find the (first) error node in the trimmed graph. We just need to consult 2550 // the node map which maps from nodes in the original graph to nodes 2551 // in the new graph. 2552 llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes; 2553 2554 for (PathSensitiveBugReport *Report : bugReports) { 2555 const ExplodedNode *NewNode = ForwardMap.lookup(Report->getErrorNode()); 2556 assert(NewNode && 2557 "Failed to construct a trimmed graph that contains this error " 2558 "node!"); 2559 ReportNodes.emplace_back(Report, NewNode); 2560 RemainingNodes.insert(NewNode); 2561 } 2562 2563 assert(!RemainingNodes.empty() && "No error node found in the trimmed graph"); 2564 2565 // Perform a forward BFS to find all the shortest paths. 2566 std::queue<const ExplodedNode *> WS; 2567 2568 assert(TrimmedGraph->num_roots() == 1); 2569 WS.push(*TrimmedGraph->roots_begin()); 2570 unsigned Priority = 0; 2571 2572 while (!WS.empty()) { 2573 const ExplodedNode *Node = WS.front(); 2574 WS.pop(); 2575 2576 PriorityMapTy::iterator PriorityEntry; 2577 bool IsNew; 2578 std::tie(PriorityEntry, IsNew) = PriorityMap.insert({Node, Priority}); 2579 ++Priority; 2580 2581 if (!IsNew) { 2582 assert(PriorityEntry->second <= Priority); 2583 continue; 2584 } 2585 2586 if (RemainingNodes.erase(Node)) 2587 if (RemainingNodes.empty()) 2588 break; 2589 2590 for (const ExplodedNode *Succ : Node->succs()) 2591 WS.push(Succ); 2592 } 2593 2594 // Sort the error paths from longest to shortest. 2595 llvm::sort(ReportNodes, PriorityCompare<true>(PriorityMap)); 2596 } 2597 2598 BugPathInfo *BugPathGetter::getNextBugPath() { 2599 if (ReportNodes.empty()) 2600 return nullptr; 2601 2602 const ExplodedNode *OrigN; 2603 std::tie(CurrentBugPath.Report, OrigN) = ReportNodes.pop_back_val(); 2604 assert(PriorityMap.find(OrigN) != PriorityMap.end() && 2605 "error node not accessible from root"); 2606 2607 // Create a new graph with a single path. This is the graph that will be 2608 // returned to the caller. 2609 auto GNew = std::make_unique<ExplodedGraph>(); 2610 2611 // Now walk from the error node up the BFS path, always taking the 2612 // predeccessor with the lowest number. 2613 ExplodedNode *Succ = nullptr; 2614 while (true) { 2615 // Create the equivalent node in the new graph with the same state 2616 // and location. 2617 ExplodedNode *NewN = GNew->createUncachedNode( 2618 OrigN->getLocation(), OrigN->getState(), 2619 OrigN->getID(), OrigN->isSink()); 2620 2621 // Link up the new node with the previous node. 2622 if (Succ) 2623 Succ->addPredecessor(NewN, *GNew); 2624 else 2625 CurrentBugPath.ErrorNode = NewN; 2626 2627 Succ = NewN; 2628 2629 // Are we at the final node? 2630 if (OrigN->pred_empty()) { 2631 GNew->addRoot(NewN); 2632 break; 2633 } 2634 2635 // Find the next predeccessor node. We choose the node that is marked 2636 // with the lowest BFS number. 2637 OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(), 2638 PriorityCompare<false>(PriorityMap)); 2639 } 2640 2641 CurrentBugPath.BugPath = std::move(GNew); 2642 2643 return &CurrentBugPath; 2644 } 2645 2646 /// CompactMacroExpandedPieces - This function postprocesses a PathDiagnostic 2647 /// object and collapses PathDiagosticPieces that are expanded by macros. 2648 static void CompactMacroExpandedPieces(PathPieces &path, 2649 const SourceManager& SM) { 2650 using MacroStackTy = std::vector< 2651 std::pair<std::shared_ptr<PathDiagnosticMacroPiece>, SourceLocation>>; 2652 2653 using PiecesTy = std::vector<PathDiagnosticPieceRef>; 2654 2655 MacroStackTy MacroStack; 2656 PiecesTy Pieces; 2657 2658 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 2659 I != E; ++I) { 2660 const auto &piece = *I; 2661 2662 // Recursively compact calls. 2663 if (auto *call = dyn_cast<PathDiagnosticCallPiece>(&*piece)) { 2664 CompactMacroExpandedPieces(call->path, SM); 2665 } 2666 2667 // Get the location of the PathDiagnosticPiece. 2668 const FullSourceLoc Loc = piece->getLocation().asLocation(); 2669 2670 // Determine the instantiation location, which is the location we group 2671 // related PathDiagnosticPieces. 2672 SourceLocation InstantiationLoc = Loc.isMacroID() ? 2673 SM.getExpansionLoc(Loc) : 2674 SourceLocation(); 2675 2676 if (Loc.isFileID()) { 2677 MacroStack.clear(); 2678 Pieces.push_back(piece); 2679 continue; 2680 } 2681 2682 assert(Loc.isMacroID()); 2683 2684 // Is the PathDiagnosticPiece within the same macro group? 2685 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 2686 MacroStack.back().first->subPieces.push_back(piece); 2687 continue; 2688 } 2689 2690 // We aren't in the same group. Are we descending into a new macro 2691 // or are part of an old one? 2692 std::shared_ptr<PathDiagnosticMacroPiece> MacroGroup; 2693 2694 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 2695 SM.getExpansionLoc(Loc) : 2696 SourceLocation(); 2697 2698 // Walk the entire macro stack. 2699 while (!MacroStack.empty()) { 2700 if (InstantiationLoc == MacroStack.back().second) { 2701 MacroGroup = MacroStack.back().first; 2702 break; 2703 } 2704 2705 if (ParentInstantiationLoc == MacroStack.back().second) { 2706 MacroGroup = MacroStack.back().first; 2707 break; 2708 } 2709 2710 MacroStack.pop_back(); 2711 } 2712 2713 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 2714 // Create a new macro group and add it to the stack. 2715 auto NewGroup = std::make_shared<PathDiagnosticMacroPiece>( 2716 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 2717 2718 if (MacroGroup) 2719 MacroGroup->subPieces.push_back(NewGroup); 2720 else { 2721 assert(InstantiationLoc.isFileID()); 2722 Pieces.push_back(NewGroup); 2723 } 2724 2725 MacroGroup = NewGroup; 2726 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 2727 } 2728 2729 // Finally, add the PathDiagnosticPiece to the group. 2730 MacroGroup->subPieces.push_back(piece); 2731 } 2732 2733 // Now take the pieces and construct a new PathDiagnostic. 2734 path.clear(); 2735 2736 path.insert(path.end(), Pieces.begin(), Pieces.end()); 2737 } 2738 2739 /// Generate notes from all visitors. 2740 /// Notes associated with @c ErrorNode are generated using 2741 /// @c getEndPath, and the rest are generated with @c VisitNode. 2742 static std::unique_ptr<VisitorsDiagnosticsTy> 2743 generateVisitorsDiagnostics(PathSensitiveBugReport *R, 2744 const ExplodedNode *ErrorNode, 2745 BugReporterContext &BRC) { 2746 std::unique_ptr<VisitorsDiagnosticsTy> Notes = 2747 std::make_unique<VisitorsDiagnosticsTy>(); 2748 PathSensitiveBugReport::VisitorList visitors; 2749 2750 // Run visitors on all nodes starting from the node *before* the last one. 2751 // The last node is reserved for notes generated with @c getEndPath. 2752 const ExplodedNode *NextNode = ErrorNode->getFirstPred(); 2753 while (NextNode) { 2754 2755 // At each iteration, move all visitors from report to visitor list. This is 2756 // important, because the Profile() functions of the visitors make sure that 2757 // a visitor isn't added multiple times for the same node, but it's fine 2758 // to add the a visitor with Profile() for different nodes (e.g. tracking 2759 // a region at different points of the symbolic execution). 2760 for (std::unique_ptr<BugReporterVisitor> &Visitor : R->visitors()) 2761 visitors.push_back(std::move(Visitor)); 2762 2763 R->clearVisitors(); 2764 2765 const ExplodedNode *Pred = NextNode->getFirstPred(); 2766 if (!Pred) { 2767 PathDiagnosticPieceRef LastPiece; 2768 for (auto &V : visitors) { 2769 V->finalizeVisitor(BRC, ErrorNode, *R); 2770 2771 if (auto Piece = V->getEndPath(BRC, ErrorNode, *R)) { 2772 assert(!LastPiece && 2773 "There can only be one final piece in a diagnostic."); 2774 assert(Piece->getKind() == PathDiagnosticPiece::Kind::Event && 2775 "The final piece must contain a message!"); 2776 LastPiece = std::move(Piece); 2777 (*Notes)[ErrorNode].push_back(LastPiece); 2778 } 2779 } 2780 break; 2781 } 2782 2783 for (auto &V : visitors) { 2784 auto P = V->VisitNode(NextNode, BRC, *R); 2785 if (P) 2786 (*Notes)[NextNode].push_back(std::move(P)); 2787 } 2788 2789 if (!R->isValid()) 2790 break; 2791 2792 NextNode = Pred; 2793 } 2794 2795 return Notes; 2796 } 2797 2798 Optional<PathDiagnosticBuilder> PathDiagnosticBuilder::findValidReport( 2799 ArrayRef<PathSensitiveBugReport *> &bugReports, 2800 PathSensitiveBugReporter &Reporter) { 2801 2802 BugPathGetter BugGraph(&Reporter.getGraph(), bugReports); 2803 2804 while (BugPathInfo *BugPath = BugGraph.getNextBugPath()) { 2805 // Find the BugReport with the original location. 2806 PathSensitiveBugReport *R = BugPath->Report; 2807 assert(R && "No original report found for sliced graph."); 2808 assert(R->isValid() && "Report selected by trimmed graph marked invalid."); 2809 const ExplodedNode *ErrorNode = BugPath->ErrorNode; 2810 2811 // Register refutation visitors first, if they mark the bug invalid no 2812 // further analysis is required 2813 R->addVisitor(std::make_unique<LikelyFalsePositiveSuppressionBRVisitor>()); 2814 2815 // Register additional node visitors. 2816 R->addVisitor(std::make_unique<NilReceiverBRVisitor>()); 2817 R->addVisitor(std::make_unique<ConditionBRVisitor>()); 2818 R->addVisitor(std::make_unique<TagVisitor>()); 2819 2820 BugReporterContext BRC(Reporter); 2821 2822 // Run all visitors on a given graph, once. 2823 std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes = 2824 generateVisitorsDiagnostics(R, ErrorNode, BRC); 2825 2826 if (R->isValid()) { 2827 if (Reporter.getAnalyzerOptions().ShouldCrosscheckWithZ3) { 2828 // If crosscheck is enabled, remove all visitors, add the refutation 2829 // visitor and check again 2830 R->clearVisitors(); 2831 R->addVisitor(std::make_unique<FalsePositiveRefutationBRVisitor>()); 2832 2833 // We don't overwrite the notes inserted by other visitors because the 2834 // refutation manager does not add any new note to the path 2835 generateVisitorsDiagnostics(R, BugPath->ErrorNode, BRC); 2836 } 2837 2838 // Check if the bug is still valid 2839 if (R->isValid()) 2840 return PathDiagnosticBuilder( 2841 std::move(BRC), std::move(BugPath->BugPath), BugPath->Report, 2842 BugPath->ErrorNode, std::move(visitorNotes)); 2843 } 2844 } 2845 2846 return {}; 2847 } 2848 2849 std::unique_ptr<DiagnosticForConsumerMapTy> 2850 PathSensitiveBugReporter::generatePathDiagnostics( 2851 ArrayRef<PathDiagnosticConsumer *> consumers, 2852 ArrayRef<PathSensitiveBugReport *> &bugReports) { 2853 assert(!bugReports.empty()); 2854 2855 auto Out = std::make_unique<DiagnosticForConsumerMapTy>(); 2856 2857 Optional<PathDiagnosticBuilder> PDB = 2858 PathDiagnosticBuilder::findValidReport(bugReports, *this); 2859 2860 if (PDB) { 2861 for (PathDiagnosticConsumer *PC : consumers) { 2862 if (std::unique_ptr<PathDiagnostic> PD = PDB->generate(PC)) { 2863 (*Out)[PC] = std::move(PD); 2864 } 2865 } 2866 } 2867 2868 return Out; 2869 } 2870 2871 void BugReporter::emitReport(std::unique_ptr<BugReport> R) { 2872 bool ValidSourceLoc = R->getLocation().isValid(); 2873 assert(ValidSourceLoc); 2874 // If we mess up in a release build, we'd still prefer to just drop the bug 2875 // instead of trying to go on. 2876 if (!ValidSourceLoc) 2877 return; 2878 2879 // Compute the bug report's hash to determine its equivalence class. 2880 llvm::FoldingSetNodeID ID; 2881 R->Profile(ID); 2882 2883 // Lookup the equivance class. If there isn't one, create it. 2884 void *InsertPos; 2885 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 2886 2887 if (!EQ) { 2888 EQ = new BugReportEquivClass(std::move(R)); 2889 EQClasses.InsertNode(EQ, InsertPos); 2890 EQClassesVector.push_back(EQ); 2891 } else 2892 EQ->AddReport(std::move(R)); 2893 } 2894 2895 void PathSensitiveBugReporter::emitReport(std::unique_ptr<BugReport> R) { 2896 if (auto PR = dyn_cast<PathSensitiveBugReport>(R.get())) 2897 if (const ExplodedNode *E = PR->getErrorNode()) { 2898 // An error node must either be a sink or have a tag, otherwise 2899 // it could get reclaimed before the path diagnostic is created. 2900 assert((E->isSink() || E->getLocation().getTag()) && 2901 "Error node must either be a sink or have a tag"); 2902 2903 const AnalysisDeclContext *DeclCtx = 2904 E->getLocationContext()->getAnalysisDeclContext(); 2905 // The source of autosynthesized body can be handcrafted AST or a model 2906 // file. The locations from handcrafted ASTs have no valid source 2907 // locations and have to be discarded. Locations from model files should 2908 // be preserved for processing and reporting. 2909 if (DeclCtx->isBodyAutosynthesized() && 2910 !DeclCtx->isBodyAutosynthesizedFromModelFile()) 2911 return; 2912 } 2913 2914 BugReporter::emitReport(std::move(R)); 2915 } 2916 2917 //===----------------------------------------------------------------------===// 2918 // Emitting reports in equivalence classes. 2919 //===----------------------------------------------------------------------===// 2920 2921 namespace { 2922 2923 struct FRIEC_WLItem { 2924 const ExplodedNode *N; 2925 ExplodedNode::const_succ_iterator I, E; 2926 2927 FRIEC_WLItem(const ExplodedNode *n) 2928 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 2929 }; 2930 2931 } // namespace 2932 2933 BugReport *PathSensitiveBugReporter::findReportInEquivalenceClass( 2934 BugReportEquivClass &EQ, SmallVectorImpl<BugReport *> &bugReports) { 2935 // If we don't need to suppress any of the nodes because they are 2936 // post-dominated by a sink, simply add all the nodes in the equivalence class 2937 // to 'Nodes'. Any of the reports will serve as a "representative" report. 2938 assert(EQ.getReports().size() > 0); 2939 const BugType& BT = EQ.getReports()[0]->getBugType(); 2940 if (!BT.isSuppressOnSink()) { 2941 BugReport *R = EQ.getReports()[0].get(); 2942 for (auto &J : EQ.getReports()) { 2943 if (auto *PR = dyn_cast<PathSensitiveBugReport>(J.get())) { 2944 R = PR; 2945 bugReports.push_back(PR); 2946 } 2947 } 2948 return R; 2949 } 2950 2951 // For bug reports that should be suppressed when all paths are post-dominated 2952 // by a sink node, iterate through the reports in the equivalence class 2953 // until we find one that isn't post-dominated (if one exists). We use a 2954 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 2955 // this as a recursive function, but we don't want to risk blowing out the 2956 // stack for very long paths. 2957 BugReport *exampleReport = nullptr; 2958 2959 for (const auto &I: EQ.getReports()) { 2960 auto *R = dyn_cast<PathSensitiveBugReport>(I.get()); 2961 if (!R) 2962 continue; 2963 2964 const ExplodedNode *errorNode = R->getErrorNode(); 2965 if (errorNode->isSink()) { 2966 llvm_unreachable( 2967 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 2968 } 2969 // No successors? By definition this nodes isn't post-dominated by a sink. 2970 if (errorNode->succ_empty()) { 2971 bugReports.push_back(R); 2972 if (!exampleReport) 2973 exampleReport = R; 2974 continue; 2975 } 2976 2977 // See if we are in a no-return CFG block. If so, treat this similarly 2978 // to being post-dominated by a sink. This works better when the analysis 2979 // is incomplete and we have never reached the no-return function call(s) 2980 // that we'd inevitably bump into on this path. 2981 if (const CFGBlock *ErrorB = errorNode->getCFGBlock()) 2982 if (ErrorB->isInevitablySinking()) 2983 continue; 2984 2985 // At this point we know that 'N' is not a sink and it has at least one 2986 // successor. Use a DFS worklist to find a non-sink end-of-path node. 2987 using WLItem = FRIEC_WLItem; 2988 using DFSWorkList = SmallVector<WLItem, 10>; 2989 2990 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 2991 2992 DFSWorkList WL; 2993 WL.push_back(errorNode); 2994 Visited[errorNode] = 1; 2995 2996 while (!WL.empty()) { 2997 WLItem &WI = WL.back(); 2998 assert(!WI.N->succ_empty()); 2999 3000 for (; WI.I != WI.E; ++WI.I) { 3001 const ExplodedNode *Succ = *WI.I; 3002 // End-of-path node? 3003 if (Succ->succ_empty()) { 3004 // If we found an end-of-path node that is not a sink. 3005 if (!Succ->isSink()) { 3006 bugReports.push_back(R); 3007 if (!exampleReport) 3008 exampleReport = R; 3009 WL.clear(); 3010 break; 3011 } 3012 // Found a sink? Continue on to the next successor. 3013 continue; 3014 } 3015 // Mark the successor as visited. If it hasn't been explored, 3016 // enqueue it to the DFS worklist. 3017 unsigned &mark = Visited[Succ]; 3018 if (!mark) { 3019 mark = 1; 3020 WL.push_back(Succ); 3021 break; 3022 } 3023 } 3024 3025 // The worklist may have been cleared at this point. First 3026 // check if it is empty before checking the last item. 3027 if (!WL.empty() && &WL.back() == &WI) 3028 WL.pop_back(); 3029 } 3030 } 3031 3032 // ExampleReport will be NULL if all the nodes in the equivalence class 3033 // were post-dominated by sinks. 3034 return exampleReport; 3035 } 3036 3037 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 3038 SmallVector<BugReport*, 10> bugReports; 3039 BugReport *report = findReportInEquivalenceClass(EQ, bugReports); 3040 if (!report) 3041 return; 3042 3043 ArrayRef<PathDiagnosticConsumer*> Consumers = getPathDiagnosticConsumers(); 3044 std::unique_ptr<DiagnosticForConsumerMapTy> Diagnostics = 3045 generateDiagnosticForConsumerMap(report, Consumers, bugReports); 3046 3047 for (auto &P : *Diagnostics) { 3048 PathDiagnosticConsumer *Consumer = P.first; 3049 std::unique_ptr<PathDiagnostic> &PD = P.second; 3050 3051 // If the path is empty, generate a single step path with the location 3052 // of the issue. 3053 if (PD->path.empty()) { 3054 PathDiagnosticLocation L = report->getLocation(); 3055 auto piece = std::make_unique<PathDiagnosticEventPiece>( 3056 L, report->getDescription()); 3057 for (SourceRange Range : report->getRanges()) 3058 piece->addRange(Range); 3059 PD->setEndOfPath(std::move(piece)); 3060 } 3061 3062 PathPieces &Pieces = PD->getMutablePieces(); 3063 if (getAnalyzerOptions().ShouldDisplayNotesAsEvents) { 3064 // For path diagnostic consumers that don't support extra notes, 3065 // we may optionally convert those to path notes. 3066 for (auto I = report->getNotes().rbegin(), 3067 E = report->getNotes().rend(); I != E; ++I) { 3068 PathDiagnosticNotePiece *Piece = I->get(); 3069 auto ConvertedPiece = std::make_shared<PathDiagnosticEventPiece>( 3070 Piece->getLocation(), Piece->getString()); 3071 for (const auto &R: Piece->getRanges()) 3072 ConvertedPiece->addRange(R); 3073 3074 Pieces.push_front(std::move(ConvertedPiece)); 3075 } 3076 } else { 3077 for (auto I = report->getNotes().rbegin(), 3078 E = report->getNotes().rend(); I != E; ++I) 3079 Pieces.push_front(*I); 3080 } 3081 3082 for (const auto &I : report->getFixits()) 3083 Pieces.back()->addFixit(I); 3084 3085 updateExecutedLinesWithDiagnosticPieces(*PD); 3086 Consumer->HandlePathDiagnostic(std::move(PD)); 3087 } 3088 } 3089 3090 /// Insert all lines participating in the function signature \p Signature 3091 /// into \p ExecutedLines. 3092 static void populateExecutedLinesWithFunctionSignature( 3093 const Decl *Signature, const SourceManager &SM, 3094 FilesToLineNumsMap &ExecutedLines) { 3095 SourceRange SignatureSourceRange; 3096 const Stmt* Body = Signature->getBody(); 3097 if (const auto FD = dyn_cast<FunctionDecl>(Signature)) { 3098 SignatureSourceRange = FD->getSourceRange(); 3099 } else if (const auto OD = dyn_cast<ObjCMethodDecl>(Signature)) { 3100 SignatureSourceRange = OD->getSourceRange(); 3101 } else { 3102 return; 3103 } 3104 SourceLocation Start = SignatureSourceRange.getBegin(); 3105 SourceLocation End = Body ? Body->getSourceRange().getBegin() 3106 : SignatureSourceRange.getEnd(); 3107 if (!Start.isValid() || !End.isValid()) 3108 return; 3109 unsigned StartLine = SM.getExpansionLineNumber(Start); 3110 unsigned EndLine = SM.getExpansionLineNumber(End); 3111 3112 FileID FID = SM.getFileID(SM.getExpansionLoc(Start)); 3113 for (unsigned Line = StartLine; Line <= EndLine; Line++) 3114 ExecutedLines[FID].insert(Line); 3115 } 3116 3117 static void populateExecutedLinesWithStmt( 3118 const Stmt *S, const SourceManager &SM, 3119 FilesToLineNumsMap &ExecutedLines) { 3120 SourceLocation Loc = S->getSourceRange().getBegin(); 3121 if (!Loc.isValid()) 3122 return; 3123 SourceLocation ExpansionLoc = SM.getExpansionLoc(Loc); 3124 FileID FID = SM.getFileID(ExpansionLoc); 3125 unsigned LineNo = SM.getExpansionLineNumber(ExpansionLoc); 3126 ExecutedLines[FID].insert(LineNo); 3127 } 3128 3129 /// \return all executed lines including function signatures on the path 3130 /// starting from \p N. 3131 static std::unique_ptr<FilesToLineNumsMap> 3132 findExecutedLines(const SourceManager &SM, const ExplodedNode *N) { 3133 auto ExecutedLines = std::make_unique<FilesToLineNumsMap>(); 3134 3135 while (N) { 3136 if (N->getFirstPred() == nullptr) { 3137 // First node: show signature of the entrance point. 3138 const Decl *D = N->getLocationContext()->getDecl(); 3139 populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines); 3140 } else if (auto CE = N->getLocationAs<CallEnter>()) { 3141 // Inlined function: show signature. 3142 const Decl* D = CE->getCalleeContext()->getDecl(); 3143 populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines); 3144 } else if (const Stmt *S = N->getStmtForDiagnostics()) { 3145 populateExecutedLinesWithStmt(S, SM, *ExecutedLines); 3146 3147 // Show extra context for some parent kinds. 3148 const Stmt *P = N->getParentMap().getParent(S); 3149 3150 // The path exploration can die before the node with the associated 3151 // return statement is generated, but we do want to show the whole 3152 // return. 3153 if (const auto *RS = dyn_cast_or_null<ReturnStmt>(P)) { 3154 populateExecutedLinesWithStmt(RS, SM, *ExecutedLines); 3155 P = N->getParentMap().getParent(RS); 3156 } 3157 3158 if (P && (isa<SwitchCase>(P) || isa<LabelStmt>(P))) 3159 populateExecutedLinesWithStmt(P, SM, *ExecutedLines); 3160 } 3161 3162 N = N->getFirstPred(); 3163 } 3164 return ExecutedLines; 3165 } 3166 3167 std::unique_ptr<DiagnosticForConsumerMapTy> 3168 BugReporter::generateDiagnosticForConsumerMap( 3169 BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers, 3170 ArrayRef<BugReport *> bugReports) { 3171 auto *basicReport = cast<BasicBugReport>(exampleReport); 3172 auto Out = std::make_unique<DiagnosticForConsumerMapTy>(); 3173 for (auto *Consumer : consumers) 3174 (*Out)[Consumer] = generateDiagnosticForBasicReport(basicReport); 3175 return Out; 3176 } 3177 3178 static PathDiagnosticCallPiece * 3179 getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP, 3180 const SourceManager &SMgr) { 3181 SourceLocation CallLoc = CP->callEnter.asLocation(); 3182 3183 // If the call is within a macro, don't do anything (for now). 3184 if (CallLoc.isMacroID()) 3185 return nullptr; 3186 3187 assert(AnalysisManager::isInCodeFile(CallLoc, SMgr) && 3188 "The call piece should not be in a header file."); 3189 3190 // Check if CP represents a path through a function outside of the main file. 3191 if (!AnalysisManager::isInCodeFile(CP->callEnterWithin.asLocation(), SMgr)) 3192 return CP; 3193 3194 const PathPieces &Path = CP->path; 3195 if (Path.empty()) 3196 return nullptr; 3197 3198 // Check if the last piece in the callee path is a call to a function outside 3199 // of the main file. 3200 if (auto *CPInner = dyn_cast<PathDiagnosticCallPiece>(Path.back().get())) 3201 return getFirstStackedCallToHeaderFile(CPInner, SMgr); 3202 3203 // Otherwise, the last piece is in the main file. 3204 return nullptr; 3205 } 3206 3207 static void resetDiagnosticLocationToMainFile(PathDiagnostic &PD) { 3208 if (PD.path.empty()) 3209 return; 3210 3211 PathDiagnosticPiece *LastP = PD.path.back().get(); 3212 assert(LastP); 3213 const SourceManager &SMgr = LastP->getLocation().getManager(); 3214 3215 // We only need to check if the report ends inside headers, if the last piece 3216 // is a call piece. 3217 if (auto *CP = dyn_cast<PathDiagnosticCallPiece>(LastP)) { 3218 CP = getFirstStackedCallToHeaderFile(CP, SMgr); 3219 if (CP) { 3220 // Mark the piece. 3221 CP->setAsLastInMainSourceFile(); 3222 3223 // Update the path diagnostic message. 3224 const auto *ND = dyn_cast<NamedDecl>(CP->getCallee()); 3225 if (ND) { 3226 SmallString<200> buf; 3227 llvm::raw_svector_ostream os(buf); 3228 os << " (within a call to '" << ND->getDeclName() << "')"; 3229 PD.appendToDesc(os.str()); 3230 } 3231 3232 // Reset the report containing declaration and location. 3233 PD.setDeclWithIssue(CP->getCaller()); 3234 PD.setLocation(CP->getLocation()); 3235 3236 return; 3237 } 3238 } 3239 } 3240 3241 3242 3243 std::unique_ptr<DiagnosticForConsumerMapTy> 3244 PathSensitiveBugReporter::generateDiagnosticForConsumerMap( 3245 BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers, 3246 ArrayRef<BugReport *> bugReports) { 3247 std::vector<BasicBugReport *> BasicBugReports; 3248 std::vector<PathSensitiveBugReport *> PathSensitiveBugReports; 3249 if (isa<BasicBugReport>(exampleReport)) 3250 return BugReporter::generateDiagnosticForConsumerMap(exampleReport, 3251 consumers, bugReports); 3252 3253 // Generate the full path sensitive diagnostic, using the generation scheme 3254 // specified by the PathDiagnosticConsumer. Note that we have to generate 3255 // path diagnostics even for consumers which do not support paths, because 3256 // the BugReporterVisitors may mark this bug as a false positive. 3257 assert(!bugReports.empty()); 3258 MaxBugClassSize.updateMax(bugReports.size()); 3259 3260 // Avoid copying the whole array because there may be a lot of reports. 3261 ArrayRef<PathSensitiveBugReport *> convertedArrayOfReports( 3262 reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.begin()), 3263 reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.end())); 3264 std::unique_ptr<DiagnosticForConsumerMapTy> Out = generatePathDiagnostics( 3265 consumers, convertedArrayOfReports); 3266 3267 if (Out->empty()) 3268 return Out; 3269 3270 MaxValidBugClassSize.updateMax(bugReports.size()); 3271 3272 // Examine the report and see if the last piece is in a header. Reset the 3273 // report location to the last piece in the main source file. 3274 const AnalyzerOptions &Opts = getAnalyzerOptions(); 3275 for (auto const &P : *Out) 3276 if (Opts.ShouldReportIssuesInMainSourceFile && !Opts.AnalyzeAll) 3277 resetDiagnosticLocationToMainFile(*P.second); 3278 3279 return Out; 3280 } 3281 3282 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3283 const CheckerBase *Checker, StringRef Name, 3284 StringRef Category, StringRef Str, 3285 PathDiagnosticLocation Loc, 3286 ArrayRef<SourceRange> Ranges, 3287 ArrayRef<FixItHint> Fixits) { 3288 EmitBasicReport(DeclWithIssue, Checker->getCheckerName(), Name, Category, Str, 3289 Loc, Ranges, Fixits); 3290 } 3291 3292 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3293 CheckerNameRef CheckName, 3294 StringRef name, StringRef category, 3295 StringRef str, PathDiagnosticLocation Loc, 3296 ArrayRef<SourceRange> Ranges, 3297 ArrayRef<FixItHint> Fixits) { 3298 // 'BT' is owned by BugReporter. 3299 BugType *BT = getBugTypeForName(CheckName, name, category); 3300 auto R = std::make_unique<BasicBugReport>(*BT, str, Loc); 3301 R->setDeclWithIssue(DeclWithIssue); 3302 for (const auto &SR : Ranges) 3303 R->addRange(SR); 3304 for (const auto &FH : Fixits) 3305 R->addFixItHint(FH); 3306 emitReport(std::move(R)); 3307 } 3308 3309 BugType *BugReporter::getBugTypeForName(CheckerNameRef CheckName, 3310 StringRef name, StringRef category) { 3311 SmallString<136> fullDesc; 3312 llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name 3313 << ":" << category; 3314 std::unique_ptr<BugType> &BT = StrBugTypes[fullDesc]; 3315 if (!BT) 3316 BT = std::make_unique<BugType>(CheckName, name, category); 3317 return BT.get(); 3318 } 3319
Indexes created Mon Jun 08 00:24:58 UTC 2026