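// BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--//
//
//                     The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
//  This file defines BugReporter, a utility class for generating
//  PathDiagnostics.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/AST/ASTContext.h"
#include "clang/Analysis/CFG.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ParentMap.h"
#include "clang/AST/StmtObjC.h"
#include "clang/Basic/SourceManager.h"
#include "clang/Analysis/ProgramPoint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/OwningPtr.h"
#include <queue>

using namespace clang;
using namespace ento;

BugReporterVisitor::~BugReporterVisitor() {}

/// Destroys every registered visitor that reports itself as owned by this
/// context; visitors that are not owned are left for their owner to free.
BugReporterContext::~BugReporterContext() {
  for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I)
    if ((*I)->isOwnedByReporterContext()) delete *I;
}

/// Registers \p visitor unless a visitor with the same profile is already
/// registered.
///
/// \param visitor  Visitor to add; a null pointer is ignored.
///
/// A duplicate is dropped.  It is freed only when it is owned by this
/// context, which is the same ownership test the destructor applies.
void BugReporterContext::addVisitor(BugReporterVisitor* visitor) {
  if (!visitor)
    return;

  // The profile is the identity used to detect duplicates.
  llvm::FoldingSetNodeID ID;
  visitor->Profile(ID);
  void *InsertPos;

  if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) {
    // Freeing a visitor this context does not own would leave its real owner
    // holding a dangling pointer (and later freeing it a second time).
    if (visitor->isOwnedByReporterContext())
      delete visitor;
    return;
  }

  CallbacksSet.InsertNode(visitor, InsertPos);
  Callbacks = F.add(visitor, Callbacks);
}

//===----------------------------------------------------------------------===//
// Helper routines for walking the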
// ExplodedGraph and fetching statements.
//===----------------------------------------------------------------------===//

/// Returns the statement associated with program point \p P: the statement of
/// a StmtPoint, or the terminator of the source block of a BlockEdge.  Returns
/// null for any other kind of program point.
static inline const Stmt* GetStmt(const ProgramPoint &P) {
  if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P))
    return SP->getStmt();
  else if (const BlockEdge* BE = dyn_cast<BlockEdge>(&P))
    return BE->getSrc()->getTerminator();

  return 0;
}

/// Returns the first predecessor of \p N, or null when it has none.
/// \p N itself must not be null.
static inline const ExplodedNode*
GetPredecessorNode(const ExplodedNode* N) {
  return N->pred_empty() ? NULL : *(N->pred_begin());
}

/// Returns the first successor of \p N, or null when it has none.
/// \p N itself must not be null.
static inline const ExplodedNode*
GetSuccessorNode(const ExplodedNode* N) {
  return N->succ_empty() ? NULL : *(N->succ_begin());
}

/// Walks first-predecessor links starting above \p N and returns the first
/// statement found, or null if the chain ends without one.
static const Stmt* GetPreviousStmt(const ExplodedNode* N) {
  for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N))
    if (const Stmt *S = GetStmt(N->getLocation()))
      return S;

  return 0;
}

/// Walks first-successor links starting below \p N and returns the first
/// statement that is not a '?'/'&&'/'||' merge point and has a valid start
/// location, or null if the chain ends without one.
static const Stmt* GetNextStmt(const ExplodedNode* N) {
  for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N))
    if (const Stmt *S = GetStmt(N->getLocation())) {
      // Check if the statement is '?' or '&&'/'||'. These are "merges",
      // not actual statement points.
      switch (S->getStmtClass()) {
        case Stmt::ChooseExprClass:
        case Stmt::BinaryConditionalOperatorClass: continue;
        case Stmt::ConditionalOperatorClass: continue;
        case Stmt::BinaryOperatorClass: {
          BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode();
          if (Op == BO_LAnd || Op == BO_LOr)
            continue;
          break;
        }
        default:
          break;
      }

      // Some expressions don't have locations.
      if (S->getLocStart().isInvalid())
        continue;

      return S;
    }

  return 0;
}

/// Returns the statement at \p N, falling back to GetPreviousStmt(N).
static inline const Stmt*
GetCurrentOrPreviousStmt(const ExplodedNode* N) {
  if (const Stmt *S = GetStmt(N->getLocation()))
    return S;

  return GetPreviousStmt(N);
}

/// Returns the statement at \p N, falling back to GetNextStmt(N).
static inline const Stmt*
GetCurrentOrNextStmt(const ExplodedNode* N) {
  if (const Stmt *S = GetStmt(N->getLocation()))
    return S;

  return GetNextStmt(N);
}

//===----------------------------------------------------------------------===//
// PathDiagnosticBuilder and its associated routines and helper objects.
//===----------------------------------------------------------------------===//

typedef llvm::DenseMap<const ExplodedNode*,
const ExplodedNode*> NodeBackMap;

namespace {
/// NodeResolver backed by a NodeBackMap.  The map is held by reference, so it
/// must outlive this object.
class NodeMapClosure : public BugReport::NodeResolver {
  NodeBackMap& M;
public:
  // NOTE(review): m is dereferenced unconditionally; callers must pass a
  // non-null map.
  NodeMapClosure(NodeBackMap *m) : M(*m) {}
  ~NodeMapClosure() {}

  /// Returns the node \p N maps to, or null when \p N is not in the map.
  const ExplodedNode* getOriginalNode(const ExplodedNode* N) {
    NodeBackMap::iterator I = M.find(N);
    return I == M.end() ? 0 : I->second;
  }
};

/// BugReporterContext specialised for building one PathDiagnostic from a
/// single BugReport.
class PathDiagnosticBuilder : public BugReporterContext {
  BugReport *R;
  PathDiagnosticClient *PDC;   // May be null; see the accessors below.
  llvm::OwningPtr<ParentMap> PM;
  NodeMapClosure NMC;
public:
  PathDiagnosticBuilder(GRBugReporter &br,
                        BugReport *r, NodeBackMap *Backmap,
                        PathDiagnosticClient *pdc)
    : BugReporterContext(br),
      R(r), PDC(pdc), NMC(Backmap) {
    // The report itself is registered as a visitor.
    // NOTE(review): addVisitor() may delete its argument when an equivalent
    // profile is already registered; R is borrowed here, so confirm that
    // cannot happen for it.
    addVisitor(R);
  }

  PathDiagnosticLocation ExecutionContinues(const ExplodedNode* N);

  PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream& os,
                                            const ExplodedNode* N);

  /// Declaration whose code contains the report's error node.
  Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); }

  /// ParentMap of the report's error node.
  ParentMap& getParentMap() { return R->getErrorNode()->getParentMap(); }

  const Stmt *getParent(const Stmt *S) {
    return getParentMap().getParent(S);
  }

  virtual NodeMapClosure& getNodeResolver() { return NMC; }

  PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S);

  /// Generation scheme of the client, or Extensive when there is no client.
  PathDiagnosticClient::PathGenerationScheme getGenerationScheme() const {
    return PDC ? PDC->getGenerationScheme() : PathDiagnosticClient::Extensive;
  }

  /// Whether the client supports '&&'/'||' control-flow pieces; true when
  /// there is no client.
  bool supportsLogicalOpControlFlow() const {
    return PDC ? PDC->supportsLogicalOpControlFlow() : true;
  }
};
} // end anonymous namespace

/// Returns the location where execution continues after \p N: the next
/// statement if GetNextStmt() finds one, otherwise the closing brace of the
/// body of the declaration \p N belongs to.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode* N) {
  if (const Stmt *S = GetNextStmt(N))
    return PathDiagnosticLocation(S, getSourceManager());

  return FullSourceLoc(N->getLocationContext()->getDecl()->getBodyRBrace(),
                       getSourceManager());
}

/// Same as ExecutionContinues(N), and additionally appends a human-readable
/// sentence describing that location to \p os.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream& os,
                                          const ExplodedNode* N) {

  // Slow, but probably doesn't matter.
  if (os.str().empty())
    os << ' ';

  const PathDiagnosticLocation &Loc = ExecutionContinues(N);

  if (Loc.asStmt())
    os << "Execution continues on line "
       << getSourceManager().getInstantiationLineNumber(Loc.asLocation())
       << '.';
  else {
    os << "Execution jumps to the end of the ";
    const Decl *D = N->getLocationContext()->getDecl();
    if (isa<ObjCMethodDecl>(D))
      os << "method";
    else if (isa<FunctionDecl>(D))
      os << "function";
    else {
      // Checked only in builds with assertions enabled; otherwise any other
      // declaration kind is reported as an anonymous block.
      assert(isa<BlockDecl>(D));
      os << "anonymous block";
    }
    os << '.';
  }

  return Loc;
}

/// Returns true when \p S is a consumed expression, or when its parent
/// (ignoring parentheses) is a for, do or while statement.
static bool IsNested(const Stmt *S, ParentMap &PM) {
  if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S)))
    return true;

  const Stmt *Parent = PM.getParentIgnoreParens(S);

  if (Parent)
    switch (Parent->getStmtClass()) {
      case Stmt::ForStmtClass:
      case Stmt::DoStmtClass:
      case Stmt::WhileStmtClass:
        return true;
      default:
        break;
    }

  return false;
}

/// Climbs from \p S through its parents while IsNested() holds and returns the
/// location of the statement that should stand for \p S in a diagnostic.
/// \p S must not be null.
PathDiagnosticLocation
PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) {
  assert(S && "Null Stmt* passed to getEnclosingStmtLocation");
  ParentMap &P = getParentMap();
  SourceManager &SMgr = getSourceManager();

  while (IsNested(S, P)) {
    const Stmt *Parent = P.getParentIgnoreParens(S);

    if (!Parent)
      break;

    switch (Parent->getStmtClass()) {
      case Stmt::BinaryOperatorClass: {
        const BinaryOperator *B = cast<BinaryOperator>(Parent);
        if (B->isLogicalOp())
          return PathDiagnosticLocation(S, SMgr);
        break;
      }
      case Stmt::CompoundStmtClass:
      case Stmt::StmtExprClass:
        return PathDiagnosticLocation(S, SMgr);
      case Stmt::ChooseExprClass:
        // Similar to '?' if we are referring to condition, just have the edge
        // point to the entire choose expression.
        if (cast<ChooseExpr>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr);
        else
          return PathDiagnosticLocation(S, SMgr);
      case Stmt::BinaryConditionalOperatorClass:
      case Stmt::ConditionalOperatorClass:
        // For '?', if we are referring to condition, just have the edge point
        // to the entire '?' expression.
        if (cast<AbstractConditionalOperator>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr);
        else
          return PathDiagnosticLocation(S, SMgr);
      case Stmt::DoStmtClass:
        return PathDiagnosticLocation(S, SMgr);
      case Stmt::ForStmtClass:
        if (cast<ForStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::IfStmtClass:
        if (cast<IfStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::ObjCForCollectionStmtClass:
        if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::WhileStmtClass:
        if (cast<WhileStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      default:
        break;
    }

    // No case returned: keep climbing from the parent.
    S = Parent;
  }

  assert(S && "Cannot have null Stmt for PathDiagnosticLocation");

  // Special case: DeclStmts can appear in for statement declarations, in which
  // case the ForStmt is the context.
  if (isa<DeclStmt>(S)) {
    if (const Stmt *Parent = P.getParent(S)) {
      switch (Parent->getStmtClass()) {
        case Stmt::ForStmtClass:
        case Stmt::ObjCForCollectionStmtClass:
          return PathDiagnosticLocation(Parent, SMgr);
        default:
          break;
      }
    }
  }
  else if (isa<BinaryOperator>(S)) {
    // Special case: the binary operator represents the initialization
    // code in a for statement (this can happen when the variable being
    // initialized is an old variable).
    if (const ForStmt *FS =
          dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) {
      if (FS->getInit() == S)
        return PathDiagnosticLocation(FS, SMgr);
    }
  }

  return PathDiagnosticLocation(S, SMgr);
}

//===----------------------------------------------------------------------===//
// ScanNotableSymbols: closure-like callback for scanning Store bindings.
//===----------------------------------------------------------------------===//

/// Walks first-predecessor links from \p N (inclusive) and returns the VarDecl
/// of the first DeclRefExpr at a PostStmt point whose value in that node's
/// state equals \p X.  Returns null when none is found.  \p VMgr is not used
/// by the body.
static const VarDecl*
GetMostRecentVarDeclBinding(const ExplodedNode* N,
                            GRStateManager& VMgr, SVal X) {

  for ( ; N ; N = N->pred_empty() ? 0 : *N->pred_begin()) {

    ProgramPoint P = N->getLocation();

    if (!isa<PostStmt>(P))
      continue;

    const DeclRefExpr* DR = dyn_cast<DeclRefExpr>(cast<PostStmt>(P).getStmt());

    if (!DR)
      continue;

    SVal Y = N->getState()->getSVal(DR);

    if (X != Y)
      continue;

    const VarDecl* VD = dyn_cast<VarDecl>(DR->getDecl());

    if (!VD)
      continue;

    return VD;
  }

  return 0;
}

namespace {
/// Bindings callback that emits a "'x' now aliases 'y'" event when statement S
/// gives a variable a new binding to the tracked symbol.
class NotableSymbolHandler
: public StoreManager::BindingsHandler {

  SymbolRef Sym;
  const GRState* PrevSt;
  const Stmt* S;
  GRStateManager& VMgr;
  const ExplodedNode* Pred;
  PathDiagnostic& PD;
  BugReporter& BR;

public:

  NotableSymbolHandler(SymbolRef sym, const GRState* prevst, const Stmt* s,
                       GRStateManager& vmgr, const ExplodedNode* pred,
                       PathDiagnostic& pd, BugReporter& br)
  : Sym(sym), PrevSt(prevst), S(s), VMgr(vmgr), Pred(pred), PD(pd), BR(br) {}

  /// Called once per binding; always returns true.
  bool HandleBinding(StoreManager& SMgr, Store store, const MemRegion* R,
                     SVal V) {

    SymbolRef ScanSym = V.getAsSymbol();

    if (ScanSym != Sym)
      return true;

    // Check if the previous state has this binding.
    SVal X = PrevSt->getSVal(loc::MemRegionVal(R));

    if (X == V) // Same binding?
      return true;

    // Different binding. Only handle assignments for now. We don't pull
    // this check out of the loop because we will eventually handle other
    // cases.

    VarDecl *VD = 0;

    if (const BinaryOperator* B = dyn_cast<BinaryOperator>(S)) {
      if (!B->isAssignmentOp())
        return true;

      // What variable did we assign to?
      DeclRefExpr* DR = dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenCasts());

      if (!DR)
        return true;

      VD = dyn_cast<VarDecl>(DR->getDecl());
    }
    else if (const DeclStmt* DS = dyn_cast<DeclStmt>(S)) {
      // FIXME: Eventually CFGs won't have DeclStmts. Right now we
      // assume that each DeclStmt has a single Decl. This invariant
      // holds by construction in the CFG.
      VD = dyn_cast<VarDecl>(*DS->decl_begin());
    }

    if (!VD)
      return true;

    // What is the most recently referenced variable with this binding?
    const VarDecl* MostRecent = GetMostRecentVarDeclBinding(Pred, VMgr, V);

    if (!MostRecent)
      return true;

    // Create the diagnostic.
    FullSourceLoc L(S->getLocStart(), BR.getSourceManager());

    if (Loc::isLocType(VD->getType())) {
      std::string msg = "'" + std::string(VD->getNameAsString()) +
        "' now aliases '" + MostRecent->getNameAsString() + "'";

      PD.push_front(new PathDiagnosticEventPiece(L, msg));
    }

    return true;
  }
};
}

/// Runs a NotableSymbolHandler for \p Sym over the bindings of \p N's state,
/// comparing against the state of N's first predecessor.  Does nothing when
/// there is no predecessor state.
static void HandleNotableSymbol(const ExplodedNode* N,
                                const Stmt* S,
                                SymbolRef Sym, BugReporter& BR,
                                PathDiagnostic& PD) {

  const ExplodedNode* Pred = N->pred_empty() ? 0 : *N->pred_begin();
  const GRState* PrevSt = Pred ? Pred->getState() : 0;

  if (!PrevSt)
    return;

  // Look at the region bindings of the current state that map to the
  // specified symbol. Are any of them not in the previous state?
  GRStateManager& VMgr = cast<GRBugReporter>(BR).getStateManager();
  NotableSymbolHandler H(Sym, PrevSt, S, VMgr, Pred, PD, BR);
  // NOTE(review): this repeats the cast and lookup already stored in VMgr.
  cast<GRBugReporter>(BR).getStateManager().iterBindings(N->getState(), H);
}

namespace {
/// Bindings callback that calls HandleNotableSymbol() once for each distinct
/// symbol the bug reporter considers notable.
class ScanNotableSymbols
: public StoreManager::BindingsHandler {

  llvm::SmallSet<SymbolRef, 10> AlreadyProcessed;
  const ExplodedNode* N;
  const Stmt* S;
  GRBugReporter& BR;
  PathDiagnostic& PD;

public:
  ScanNotableSymbols(const ExplodedNode* n, const Stmt* s,
                     GRBugReporter& br, PathDiagnostic& pd)
  : N(n), S(s), BR(br), PD(pd) {}

  /// Called once per binding; always returns true.
  bool HandleBinding(StoreManager& SMgr, Store store,
                     const MemRegion* R, SVal V) {

    SymbolRef ScanSym = V.getAsSymbol();

    if (!ScanSym)
      return true;

    if (!BR.isNotable(ScanSym))
      return true;

    if (AlreadyProcessed.count(ScanSym))
      return true;

    AlreadyProcessed.insert(ScanSym);

    HandleNotableSymbol(N, S, ScanSym, BR, PD);
    return true;
  }
};
} // end anonymous namespace

//===----------------------------------------------------------------------===//
// "Minimal" path diagnostic generation algorithm.
//===----------------------------------------------------------------------===//

static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM);

/// Builds the "minimal" path diagnostic for the path ending at \p N.
///
/// The path is walked backwards through first-predecessor links, starting at
/// N's predecessor.  For each block edge whose source block has a terminator,
/// a control-flow piece describing the branch taken is pushed onto the front
/// of \p PD; visitor pieces and notable-symbol events are added as well.  The
/// finished diagnostic is passed to CompactPathDiagnostic().
///
/// NOTE(review): the `*(Src->succ_begin()+1)` reads assume the source block
/// has at least two successors for these terminators — confirm against the
/// CFG builder.
static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD,
                                          PathDiagnosticBuilder &PDB,
                                          const ExplodedNode *N) {

  SourceManager& SMgr = PDB.getSourceManager();
  const ExplodedNode* NextNode = N->pred_empty()
                                   ? NULL : *(N->pred_begin());
  while (NextNode) {
    N = NextNode;
    NextNode = GetPredecessorNode(N);

    ProgramPoint P = N->getLocation();

    if (const BlockEdge* BE = dyn_cast<BlockEdge>(&P)) {
      const CFGBlock* Src = BE->getSrc();
      const CFGBlock* Dst = BE->getDst();
      const Stmt* T = Src->getTerminator();

      // This `continue` also skips the visitor pass below for this node.
      if (!T)
        continue;

      FullSourceLoc Start(T->getLocStart(), SMgr);

      switch (T->getStmtClass()) {
        default:
          break;

        case Stmt::GotoStmtClass:
        case Stmt::IndirectGotoStmtClass: {
          const Stmt* S = GetNextStmt(N);

          if (!S)
            continue;

          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S);

          os << "Control jumps to line "
             << End.asLocation().getInstantiationLineNumber();
          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        case Stmt::SwitchStmtClass: {
          // Figure out what case arm we took.
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);

          if (const Stmt* S = Dst->getLabel()) {
            PathDiagnosticLocation End(S, SMgr);

            switch (S->getStmtClass()) {
              default:
                os << "No cases match in the switch statement. "
                      "Control jumps to line "
                   << End.asLocation().getInstantiationLineNumber();
                break;
              case Stmt::DefaultStmtClass:
                os << "Control jumps to the 'default' case at line "
                   << End.asLocation().getInstantiationLineNumber();
                break;

              case Stmt::CaseStmtClass: {
                os << "Control jumps to 'case ";
                const CaseStmt* Case = cast<CaseStmt>(S);
                const Expr* LHS = Case->getLHS()->IgnoreParenCasts();

                // Determine if it is an enum.
                bool GetRawInt = true;

                if (const DeclRefExpr* DR = dyn_cast<DeclRefExpr>(LHS)) {
                  // FIXME: Maybe this should be an assertion. Are there cases
                  // where it is not an EnumConstantDecl?
                  const EnumConstantDecl* D =
                    dyn_cast<EnumConstantDecl>(DR->getDecl());

                  if (D) {
                    GetRawInt = false;
                    os << D;
                  }
                }

                if (GetRawInt)
                  os << LHS->EvaluateAsInt(PDB.getASTContext());

                os << ":' at line "
                   << End.asLocation().getInstantiationLineNumber();
                break;
              }
            }
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            os << "'Default' branch taken. ";
            const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N);
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }

          break;
        }

        case Stmt::BreakStmtClass:
        case Stmt::ContinueStmtClass: {
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        // Determine control-flow for ternary '?'.
        case Stmt::BinaryConditionalOperatorClass:
        case Stmt::ConditionalOperatorClass: {
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          os << "'?' condition is ";

          if (*(Src->succ_begin()+1) == Dst)
            os << "false";
          else
            os << "true";

          PathDiagnosticLocation End = PDB.ExecutionContinues(N);

          if (const Stmt *S = End.asStmt())
            End = PDB.getEnclosingStmtLocation(S);

          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        // Determine control-flow for short-circuited '&&' and '||'.
        case Stmt::BinaryOperatorClass: {
          if (!PDB.supportsLogicalOpControlFlow())
            break;

          const BinaryOperator *B = cast<BinaryOperator>(T);
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          os << "Left side of '";

          // The inner Start declarations below deliberately shadow the
          // terminator-based Start declared before the switch.
          if (B->getOpcode() == BO_LAnd) {
            os << "&&" << "' is ";

            if (*(Src->succ_begin()+1) == Dst) {
              os << "false";
              PathDiagnosticLocation End(B->getLHS(), SMgr);
              PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
            else {
              os << "true";
              PathDiagnosticLocation Start(B->getLHS(), SMgr);
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
          }
          else {
            // Checked only in builds with assertions enabled; otherwise any
            // other opcode is described as '||'.
            assert(B->getOpcode() == BO_LOr);
            os << "||" << "' is ";

            if (*(Src->succ_begin()+1) == Dst) {
              os << "false";
              PathDiagnosticLocation Start(B->getLHS(), SMgr);
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
            else {
              os << "true";
              PathDiagnosticLocation End(B->getLHS(), SMgr);
              PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
          }

          break;
        }

        case Stmt::DoStmtClass: {
          // For 'do', the first successor is the "condition true" edge.
          if (*(Src->succ_begin()) == Dst) {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            os << "Loop condition is true. ";
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                              "Loop condition is false. Exiting loop"));
          }

          break;
        }

        case Stmt::WhileStmtClass:
        case Stmt::ForStmtClass: {
          if (*(Src->succ_begin()+1) == Dst) {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            os << "Loop condition is false. ";
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);
            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                            "Loop condition is true. Entering loop body"));
          }

          break;
        }

        case Stmt::IfStmtClass: {
          PathDiagnosticLocation End = PDB.ExecutionContinues(N);

          if (const Stmt *S = End.asStmt())
            End = PDB.getEnclosingStmtLocation(S);

          if (*(Src->succ_begin()+1) == Dst)
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                       "Taking false branch"));
          else
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                       "Taking true branch"));

          break;
        }
      }
    }

    // Let every registered visitor contribute a piece for the N/NextNode pair.
    if (NextNode) {
      for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(),
           E = PDB.visitor_end(); I!=E; ++I) {
        if (PathDiagnosticPiece* p = (*I)->VisitNode(N, NextNode, PDB))
          PD.push_front(p);
      }
    }

    if (const PostStmt* PS = dyn_cast<PostStmt>(&P)) {
      // Scan the region bindings, and see if a "notable" symbol has a new
      // lval binding.
      ScanNotableSymbols SNS(N, PS->getStmt(), PDB.getBugReporter(), PD);
      PDB.getStateManager().iterBindings(N->getState(), SNS);
    }
  }

  // After constructing the full PathDiagnostic, do a pass over it to compact
  // PathDiagnosticPieces that occur within a macro.
  CompactPathDiagnostic(PD, PDB.getSourceManager());
}

//===----------------------------------------------------------------------===//
// "Extensive" PathDiagnostic generation.
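//===----------------------------------------------------------------------===//

/// Returns true when \p S, after stripping parentheses and casts, is a
/// conditional operator or a logical '&&'/'||'.  \p S must not be null.
static bool IsControlFlowExpr(const Stmt *S) {
  const Expr *E = dyn_cast<Expr>(S);

  if (!E)
    return false;

  E = E->IgnoreParenCasts();

  if (isa<AbstractConditionalOperator>(E))
    return true;

  if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E))
    if (B->isLogicalOp())
      return true;

  return false;
}

namespace {
/// A PathDiagnosticLocation on the context stack, with a flag marking it
/// "dead" so that popping it does not emit an edge.
class ContextLocation : public PathDiagnosticLocation {
  bool IsDead;
public:
  ContextLocation(const PathDiagnosticLocation &L, bool isdead = false)
    : PathDiagnosticLocation(L), IsDead(isdead) {}

  void markDead() { IsDead = true; }
  bool isDead() const { return IsDead; }
};

/// Accumulates control-flow edges into a PathDiagnostic while keeping a stack
/// of enclosing context locations.  Remaining contexts are flushed, and an
/// initial edge is added, when the builder is destroyed.
class EdgeBuilder {
  std::vector<ContextLocation> CLocs;
  typedef std::vector<ContextLocation>::iterator iterator;
  PathDiagnostic &PD;
  PathDiagnosticBuilder &PDB;
  PathDiagnosticLocation PrevLoc;

  bool IsConsumedExpr(const PathDiagnosticLocation &L);

  bool containsLocation(const PathDiagnosticLocation &Container,
                        const PathDiagnosticLocation &Containee);

  PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L);

  /// Redirects \p L to the sub-expression that best represents it and, when
  /// \p firstCharOnly is set (or a redirect happened), narrows it to a single
  /// source location.
  PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L,
                                         bool firstCharOnly = false) {
    if (const Stmt *S = L.asStmt()) {
      const Stmt *Original = S;
      while (1) {
        // Adjust the location for some expressions that are best referenced
        // by one of their subexpressions.
        switch (S->getStmtClass()) {
          default:
            break;
          case Stmt::ParenExprClass:
          case Stmt::GenericSelectionExprClass:
            S = cast<Expr>(S)->IgnoreParens();
            firstCharOnly = true;
            continue;
          case Stmt::BinaryConditionalOperatorClass:
          case Stmt::ConditionalOperatorClass:
            S = cast<AbstractConditionalOperator>(S)->getCond();
            firstCharOnly = true;
            continue;
          case Stmt::ChooseExprClass:
            S = cast<ChooseExpr>(S)->getCond();
            firstCharOnly = true;
            continue;
          case Stmt::BinaryOperatorClass:
            S = cast<BinaryOperator>(S)->getLHS();
            firstCharOnly = true;
            continue;
        }

        break;
      }

      if (S != Original)
        L = PathDiagnosticLocation(S, L.getManager());
    }

    if (firstCharOnly)
      L = PathDiagnosticLocation(L.asLocation());

    return L;
  }

  /// Pops the top context, emitting an edge to it first unless it is dead or
  /// its location is not a file location.  The stack must not be empty.
  void popLocation() {
    if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) {
      // For contexts, we only use the first character as the range.
      rawAddEdge(cleanUpLocation(CLocs.back(), true));
    }
    CLocs.pop_back();
  }

public:
  EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb)
    : PD(pd), PDB(pdb) {

      // If the PathDiagnostic already has pieces, add the enclosing statement
      // of the first piece as a context as well.
      if (!PD.empty()) {
        PrevLoc = PD.begin()->getLocation();

        if (const Stmt *S = PrevLoc.asStmt())
          addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
      }
  }

  ~EdgeBuilder() {
    while (!CLocs.empty()) popLocation();

    // Finally, add an initial edge from the start location of the first
    // statement (if it doesn't already exist).
    // FIXME: Should handle CXXTryStmt if analyser starts supporting C++.
    if (const CompoundStmt *CS =
          dyn_cast_or_null<CompoundStmt>(PDB.getCodeDecl().getBody()))
      if (!CS->body_empty()) {
        SourceLocation Loc = (*CS->body_begin())->getLocStart();
        rawAddEdge(PathDiagnosticLocation(Loc, PDB.getSourceManager()));
      }

  }

  void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false);

  void rawAddEdge(PathDiagnosticLocation NewLoc);

  void addContext(const Stmt *S);
  void addExtendedContext(const Stmt *S);
};
} // end anonymous namespace


/// Returns the context for \p L: \p L itself when it is not a statement or is
/// a control-flow expression, otherwise its enclosing statement location.
PathDiagnosticLocation
EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) {
  if (const Stmt *S = L.asStmt()) {
    if (IsControlFlowExpr(S))
      return L;

    return PDB.getEnclosingStmtLocation(S);
  }

  return L;
}

/// Returns true when \p Container encloses \p Containee.
///
/// Equal locations and declaration containers always contain.  When both are
/// statements the parent chain of the containee is searched; otherwise the
/// instantiation line/column ranges are compared.
bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container,
                                   const PathDiagnosticLocation &Containee) {

  if (Container == Containee)
    return true;

  if (Container.asDecl())
    return true;

  if (const Stmt *S = Containee.asStmt())
    if (const Stmt *ContainerS = Container.asStmt()) {
      while (S) {
        if (S == ContainerS)
          return true;
        S = PDB.getParent(S);
      }
      return false;
    }

  // Less accurate: compare using source ranges.
  SourceRange ContainerR = Container.asRange();
  SourceRange ContaineeR = Containee.asRange();

  SourceManager &SM = PDB.getSourceManager();
  SourceLocation ContainerRBeg = SM.getInstantiationLoc(ContainerR.getBegin());
  SourceLocation ContainerREnd = SM.getInstantiationLoc(ContainerR.getEnd());
  SourceLocation ContaineeRBeg = SM.getInstantiationLoc(ContaineeR.getBegin());
  SourceLocation ContaineeREnd = SM.getInstantiationLoc(ContaineeR.getEnd());

  unsigned ContainerBegLine = SM.getInstantiationLineNumber(ContainerRBeg);
  unsigned ContainerEndLine = SM.getInstantiationLineNumber(ContainerREnd);
  unsigned ContaineeBegLine = SM.getInstantiationLineNumber(ContaineeRBeg);
  unsigned ContaineeEndLine = SM.getInstantiationLineNumber(ContaineeREnd);

  assert(ContainerBegLine <= ContainerEndLine);
  assert(ContaineeBegLine <= ContaineeEndLine);

  // When the ranges end on the same line, the container must end at or after
  // the containee's end column.  The containee's end column is used on the
  // right-hand side; comparing the container's end column with itself would
  // make this clause always true.
  return (ContainerBegLine <= ContaineeBegLine &&
          ContainerEndLine >= ContaineeEndLine &&
          (ContainerBegLine != ContaineeBegLine ||
           SM.getInstantiationColumnNumber(ContainerRBeg) <=
           SM.getInstantiationColumnNumber(ContaineeRBeg)) &&
          (ContainerEndLine != ContaineeEndLine ||
           SM.getInstantiationColumnNumber(ContainerREnd) >=
           SM.getInstantiationColumnNumber(ContaineeREnd)));
}

/// Pushes a control-flow piece from \p NewLoc to the previous location onto
/// the front of the diagnostic.  The first call only records \p NewLoc; edges
/// whose cleaned-up endpoints coincide, or share an instantiation location,
/// are dropped.
void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) {
  if (!PrevLoc.isValid()) {
    PrevLoc = NewLoc;
    return;
  }

  const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc);
  const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc);

  if (NewLocClean.asLocation() == PrevLocClean.asLocation())
    return;

  // FIXME: Ignore intra-macro edges for now.
  if (NewLocClean.asLocation().getInstantiationLoc() ==
      PrevLocClean.asLocation().getInstantiationLoc())
    return;

  PD.push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean));
  PrevLoc = NewLoc;
}

/// Adds an edge to \p NewLoc, maintaining the context stack.
///
/// \param NewLoc     Destination of the edge.
/// \param alwaysAdd  When false, macro locations are skipped and an edge is
///                   emitted only if no enclosing context is found.
void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) {

  if (!alwaysAdd && NewLoc.asLocation().isMacroID())
    return;

  const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc);

  while (!CLocs.empty()) {
    ContextLocation &TopContextLoc = CLocs.back();

    // Is the top location context the same as the one for the new location?
    if (TopContextLoc == CLoc) {
      if (alwaysAdd) {
        if (IsConsumedExpr(TopContextLoc) &&
            !IsControlFlowExpr(TopContextLoc.asStmt()))
            TopContextLoc.markDead();

        rawAddEdge(NewLoc);
      }

      return;
    }

    if (containsLocation(TopContextLoc, CLoc)) {
      if (alwaysAdd) {
        rawAddEdge(NewLoc);

        if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) {
          CLocs.push_back(ContextLocation(CLoc, true));
          return;
        }
      }

      CLocs.push_back(CLoc);
      return;
    }

    // Context does not contain the location. Flush it.
    popLocation();
  }

  // If we reach here, there is no enclosing context. Just add the edge.
  rawAddEdge(NewLoc);
}

/// Returns true when \p L is an expression that the parent map reports as
/// consumed and that is not a control-flow expression.
bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) {
  if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt()))
    return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X);

  return false;
}

/// Adds \p S as a context, preceded by its nearest non-compound ancestor when
/// that ancestor is a do statement or an @synchronized statement.  A null
/// \p S is ignored.
void EdgeBuilder::addExtendedContext(const Stmt *S) {
  if (!S)
    return;

  // Skip over any enclosing compound statements.
  const Stmt *Parent = PDB.getParent(S);
  while (Parent) {
    if (isa<CompoundStmt>(Parent))
      Parent = PDB.getParent(Parent);
    else
      break;
  }

  if (Parent) {
    switch (Parent->getStmtClass()) {
      case Stmt::DoStmtClass:
      case Stmt::ObjCAtSynchronizedStmtClass:
        addContext(Parent);
        break;
      default:
        break;
    }
  }

  addContext(S);
}

/// Pushes \p S onto the context stack, first popping every context that does
/// not contain it.  A null \p S, or one equal to the top context, is ignored.
void EdgeBuilder::addContext(const Stmt *S) {
  if (!S)
    return;

  PathDiagnosticLocation L(S, PDB.getSourceManager());

  while (!CLocs.empty()) {
    const PathDiagnosticLocation &TopContextLoc = CLocs.back();

    // Is the top location context the same as the one for the new location?
    if (TopContextLoc == L)
      return;

    if (containsLocation(TopContextLoc, L)) {
      CLocs.push_back(L);
      return;
    }

    // Context does not contain the location. Flush it.
    popLocation();
  }

  CLocs.push_back(L);
}

/// Builds the "extensive" path diagnostic for the path ending at \p N.
///
/// The path is walked backwards through first-predecessor links, starting at
/// N's predecessor.  Block edges and block entrances update the EdgeBuilder's
/// contexts (with a dedicated event for loop back-edges); every piece returned
/// by a visitor is added together with an edge to its location.  The
/// EdgeBuilder's destructor emits the remaining edges on return.
static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD,
                                            PathDiagnosticBuilder &PDB,
                                            const ExplodedNode *N) {
  EdgeBuilder EB(PD, PDB);

  const ExplodedNode* NextNode = N->pred_empty() ? NULL : *(N->pred_begin());
  while (NextNode) {
    N = NextNode;
    NextNode = GetPredecessorNode(N);
    ProgramPoint P = N->getLocation();

    // Single-pass do/while so that `break` can leave the dispatch early.
    do {
      // Block edges.
      if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) {
        const CFGBlock &Blk = *BE->getSrc();
        const Stmt *Term = Blk.getTerminator();

        // Are we jumping to the head of a loop? Add a special diagnostic.
        if (const Stmt *Loop = BE->getDst()->getLoopTarget()) {
          PathDiagnosticLocation L(Loop, PDB.getSourceManager());
          const CompoundStmt *CS = NULL;

          if (!Term) {
            if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
              CS = dyn_cast<CompoundStmt>(FS->getBody());
            else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop))
              CS = dyn_cast<CompoundStmt>(WS->getBody());
          }

          PathDiagnosticEventPiece *p =
            new PathDiagnosticEventPiece(L,
                                        "Looping back to the head of the loop");

          EB.addEdge(p->getLocation(), true);
          PD.push_front(p);

          if (CS) {
            PathDiagnosticLocation BL(CS->getRBracLoc(),
                                      PDB.getSourceManager());
            BL = PathDiagnosticLocation(BL.asLocation());
            EB.addEdge(BL);
          }
        }

        if (Term)
          EB.addContext(Term);

        break;
      }

      if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
        if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) {
          const Stmt *stmt = S->getStmt();
          if (IsControlFlowExpr(stmt)) {
            // Add the proper context for '&&', '||', and '?'.
            EB.addContext(stmt);
          }
          else
            EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt());
        }

        break;
      }
    } while (0);

    if (!NextNode)
      continue;

    for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(),
         E = PDB.visitor_end(); I!=E; ++I) {
      if (PathDiagnosticPiece* p = (*I)->VisitNode(N, NextNode, PDB)) {
        const PathDiagnosticLocation &Loc = p->getLocation();
        EB.addEdge(Loc, true);
        PD.push_front(p);
        if (const Stmt *S = Loc.asStmt())
          EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
      }
    }
  }
}

//===----------------------------------------------------------------------===//
// Methods for BugType and subclasses.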
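//===----------------------------------------------------------------------===//
BugType::~BugType() { }

/// FlushReports - Default implementation: a BugType has nothing to flush.
void BugType::FlushReports(BugReporter &BR) {}

//===----------------------------------------------------------------------===//
// Methods for BugReport and subclasses.
//===----------------------------------------------------------------------===//
BugReport::~BugReport() {}
RangedBugReport::~RangedBugReport() {}

/// getStmt - Returns the statement associated with the error node, or NULL
///  when there is none.  When the error node is the entrance of the CFG exit
///  block, the previous statement on the path is used instead.
const Stmt* BugReport::getStmt() const {
  // getLocation() in this file treats a null ErrorNode as a valid state, so
  // do the same here instead of dereferencing it.  Callers in this file
  // already handle a NULL result (getEndPath returns NULL, getRanges uses
  // dyn_cast_or_null).
  if (!ErrorNode)
    return NULL;

  ProgramPoint ProgP = ErrorNode->getLocation();
  const Stmt *S = NULL;

  if (BlockEntrance* BE = dyn_cast<BlockEntrance>(&ProgP)) {
    CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit();
    if (BE->getBlock() == &Exit)
      S = GetPreviousStmt(ErrorNode);
  }
  if (!S)
    S = GetStmt(ProgP);

  return S;
}

/// getEndPath - Builds the final event piece of the path from the report's
///  statement and description.  Returns NULL when the report has no
///  statement.  The returned piece is heap-allocated; in this file the
///  caller pushes it onto a PathDiagnostic.
PathDiagnosticPiece*
BugReport::getEndPath(BugReporterContext& BRC,
                      const ExplodedNode* EndPathNode) {

  const Stmt* S = getStmt();

  if (!S)
    return NULL;

  BugReport::ranges_iterator Beg, End;
  llvm::tie(Beg, End) = getRanges();
  PathDiagnosticLocation L(S, BRC.getSourceManager());

  // Only add the statement itself as a range if we didn't specify any
  // special ranges for this report.
  PathDiagnosticPiece* P = new PathDiagnosticEventPiece(L, getDescription(),
                                                        Beg == End);

  for (; Beg != End; ++Beg)
    P->addRange(*Beg);

  return P;
}

/// getRanges - Returns a [begin, end) pair over the source ranges of this
///  report.  For an expression statement this is a single range stored in
///  the member 'R', so the returned iterators point into this object and a
///  later call overwrites the range they refer to.  Otherwise the pair is
///  empty.
std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator>
BugReport::getRanges() const {
  if (const Expr* E = dyn_cast_or_null<Expr>(getStmt())) {
    R = E->getSourceRange();
    assert(R.isValid());
    return std::make_pair(&R, &R+1);
  }
  else
    return std::make_pair(ranges_iterator(), ranges_iterator());
}

/// getLocation - Returns the source location to report: the member location
///  for member expressions, the operator location for binary operators, and
///  the start of the statement otherwise.  Returns a default-constructed
///  location when there is no error node or no statement for it.
SourceLocation BugReport::getLocation() const {
  if (ErrorNode)
    if (const Stmt* S = GetCurrentOrPreviousStmt(ErrorNode)) {
      // For member expressions, return the location of the '.' or '->'.
      if (const MemberExpr *ME = dyn_cast<MemberExpr>(S))
        return ME->getMemberLoc();
      // For binary operators, return the location of the operator.
      if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S))
        return B->getOperatorLoc();

      return S->getLocStart();
    }

  return FullSourceLoc();
}

/// VisitNode - Default visitor hook: contributes no piece for any node.
PathDiagnosticPiece* BugReport::VisitNode(const ExplodedNode* N,
                                          const ExplodedNode* PrevN,
                                          BugReporterContext &BRC) {
  return NULL;
}

//===----------------------------------------------------------------------===//
// Methods for BugReporter and subclasses.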
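//===----------------------------------------------------------------------===//

/// The equivalence class owns its reports: every report it holds is deleted
/// here.
BugReportEquivClass::~BugReportEquivClass() {
  for (iterator I=begin(), E=end(); I!=E; ++I) delete *I;
}

GRBugReporter::~GRBugReporter() { }
BugReporterData::~BugReporterData() {}

/// getGraph - Returns the exploded graph of the engine.
ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); }

/// getStateManager - Returns the state manager of the engine.
GRStateManager&
GRBugReporter::getStateManager() { return Eng.getStateManager(); }

/// Destroying the reporter flushes any reports that are still pending.
BugReporter::~BugReporter() { FlushReports(); }

/// FlushReports - Flushes every registered BugType, emits one diagnostic per
///  equivalence class, then releases the BugTypes this reporter created
///  through EmitBasicReport.  Does nothing when no BugType is registered.
void BugReporter::FlushReports() {
  if (BugTypes.isEmpty())
    return;

  // First flush the warnings for each BugType.  This may end up creating new
  // warnings and new BugTypes.
  // FIXME: Only NSErrorChecker needs BugType's FlushReports.
  // Turn NSErrorChecker into a proper checker and remove this.
  // The set is copied first so the loop does not walk BugTypes while a
  // FlushReports call registers more.
  llvm::SmallVector<const BugType*, 16> bugTypes;
  for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I)
    bugTypes.push_back(*I);
  for (llvm::SmallVector<const BugType*, 16>::iterator
         I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I)
    const_cast<BugType*>(*I)->FlushReports(*this);

  // NOTE(review): EQClasses is not emptied in this function, so a second
  // flush would visit the same equivalence classes again; confirm that a
  // reporter is flushed only once after reports have been emitted.
  typedef llvm::FoldingSet<BugReportEquivClass> SetTy;
  for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){
    BugReportEquivClass& EQ = *EI;
    FlushReport(EQ);
  }

  // BugReporter owns and deletes only BugTypes created implicitly through
  // EmitBasicReport.
  // FIXME: There are leaks from checkers that assume that the BugTypes they
  // create will be destroyed by the BugReporter.
  for (llvm::StringMap<BugType*>::iterator
       I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I)
    delete I->second;

  // Drop the map entries as well.  Otherwise a later getBugTypeForName()
  // with the same key would hand out a pointer to a deleted BugType, and the
  // next flush would delete it a second time.
  StrBugTypes.clear();

  // Remove all references to the BugType objects.
  BugTypes = F.getEmptySet();
}

//===----------------------------------------------------------------------===//
// PathDiagnostics generation.
//===----------------------------------------------------------------------===//

/// MakeReportGraph - Builds a new graph holding a single path from a root to
///  one of the error nodes in 'nodes'.
///
///  Returns ((graph, back-map), (error node in the new graph, index)), where
///  the back-map maps nodes of the new graph to nodes of the original graph
///  and 'index' is the position in 'nodes' of the error node that was
///  reached.  Both the graph and the back-map are allocated with 'new'; the
///  caller takes ownership of them.
static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>,
                 std::pair<ExplodedNode*, unsigned> >
MakeReportGraph(const ExplodedGraph* G,
                llvm::SmallVectorImpl<const ExplodedNode*> &nodes) {

  // Create the trimmed graph.  It will contain the shortest paths from the
  // error nodes to the root.  In the new graph we should only have one
  // error node unless there are two or more error nodes with the same minimum
  // path length.
  ExplodedGraph* GTrim;
  InterExplodedGraphMap* NMap;

  llvm::DenseMap<const void*, const void*> InverseMap;
  llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(),
                                   &InverseMap);

  // Create owning pointers for GTrim and NMap just to ensure that they are
  // released when this function exits.
  llvm::OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim);
  llvm::OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap);

  // Find the (first) error node in the trimmed graph.  We just need to consult
  // the node map (NMap) which maps from nodes in the original graph to nodes
  // in the new graph.

  std::queue<const ExplodedNode*> WS;
  typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy;
  IndexMapTy IndexMap;

  for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) {
    const ExplodedNode *originalNode = nodes[nodeIndex];
    if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) {
      WS.push(N);
      IndexMap[originalNode] = nodeIndex;
    }
  }

  assert(!WS.empty() && "No error node found in the trimmed graph.");

  // Create a new (third!) graph with a single path.  This is the graph
  // that will be returned to the caller.
  ExplodedGraph *GNew = new ExplodedGraph();

  // Sometimes the trimmed graph can contain a cycle.  Perform a reverse BFS
  // to the root node, and then construct a new graph that contains only
  // a single path.
  llvm::DenseMap<const void*,unsigned> Visited;

  unsigned cnt = 0;
  const ExplodedNode* Root = 0;

  while (!WS.empty()) {
    const ExplodedNode* Node = WS.front();
    WS.pop();

    // A node reached a second time keeps its first (lowest) number.
    if (Visited.find(Node) != Visited.end())
      continue;

    Visited[Node] = cnt++;

    if (Node->pred_empty()) {
      Root = Node;
      break;
    }

    for (ExplodedNode::const_pred_iterator I=Node->pred_begin(),
         E=Node->pred_end(); I!=E; ++I)
      WS.push(*I);
  }

  assert(Root);

  // Now walk from the root down the BFS path, always taking the successor
  // with the lowest number.
  ExplodedNode *Last = 0, *First = 0;
  NodeBackMap *BM = new NodeBackMap();
  unsigned NodeIndex = 0;

  for ( const ExplodedNode *N = Root ;;) {
    // Lookup the number associated with the current node.
    llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N);
    assert(I != Visited.end());

    // Create the equivalent node in the new graph with the same state
    // and location.
    ExplodedNode* NewN = GNew->getNode(N->getLocation(), N->getState());

    // Store the mapping to the original node.
    llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N);
    assert(IMitr != InverseMap.end() && "No mapping to original node.");
    (*BM)[NewN] = (const ExplodedNode*) IMitr->second;

    // Link up the new node with the previous node.
    if (Last)
      NewN->addPredecessor(Last, *GNew);

    Last = NewN;

    // Are we at the final node?
    IndexMapTy::iterator IMI =
      IndexMap.find((const ExplodedNode*)(IMitr->second));
    if (IMI != IndexMap.end()) {
      First = NewN;
      NodeIndex = IMI->second;
      break;
    }

    // Find the next successor node.  We choose the node that is marked
    // with the lowest visit number assigned by the reverse BFS above.
    ExplodedNode::const_succ_iterator SI = N->succ_begin();
    ExplodedNode::const_succ_iterator SE = N->succ_end();
    N = 0;

    for (unsigned MinVal = 0; SI != SE; ++SI) {

      I = Visited.find(*SI);

      // Successors the BFS never reached are not on a path to an error node.
      if (I == Visited.end())
        continue;

      if (!N || I->second < MinVal) {
        N = *SI;
        MinVal = I->second;
      }
    }

    assert(N);
  }

  assert(First);

  return std::make_pair(std::make_pair(GNew, BM),
                        std::make_pair(First, NodeIndex));
}

/// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object
///  and collapses PathDiagnosticPieces that are expanded by macros.  Pieces
///  at file locations stay at the top level; pieces at macro locations are
///  grouped into PathDiagnosticMacroPieces keyed by instantiation location.
///  Top-level macro groups that contain no event are deleted.
static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM) {
  typedef std::vector<std::pair<PathDiagnosticMacroPiece*, SourceLocation> >
          MacroStackTy;

  typedef std::vector<PathDiagnosticPiece*>
          PiecesTy;

  MacroStackTy MacroStack;
  PiecesTy Pieces;

  for (PathDiagnostic::iterator I = PD.begin(), E = PD.end(); I!=E; ++I) {
    // Get the location of the PathDiagnosticPiece.
    const FullSourceLoc Loc = I->getLocation().asLocation();

    // Determine the instantiation location, which is the location we group
    // related PathDiagnosticPieces.
    SourceLocation InstantiationLoc = Loc.isMacroID() ?
                                      SM.getInstantiationLoc(Loc) :
                                      SourceLocation();

    if (Loc.isFileID()) {
      MacroStack.clear();
      Pieces.push_back(&*I);
      continue;
    }

    assert(Loc.isMacroID());

    // Is the PathDiagnosticPiece within the same macro group?
    if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) {
      MacroStack.back().first->push_back(&*I);
      continue;
    }

    // We aren't in the same group.  Are we descending into a new macro
    // or are part of an old one?
    PathDiagnosticMacroPiece *MacroGroup = 0;

    // NOTE(review): this queries 'Loc' again rather than 'InstantiationLoc';
    // confirm that is the intended way to find the parent instantiation.
    SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ?
                                          SM.getInstantiationLoc(Loc) :
                                          SourceLocation();

    // Walk the entire macro stack.
    while (!MacroStack.empty()) {
      if (InstantiationLoc == MacroStack.back().second) {
        MacroGroup = MacroStack.back().first;
        break;
      }

      if (ParentInstantiationLoc == MacroStack.back().second) {
        MacroGroup = MacroStack.back().first;
        break;
      }

      MacroStack.pop_back();
    }

    // MacroGroup is only set while the stack is non-empty, so back() on the
    // right-hand side is evaluated only for a non-empty stack.
    if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) {
      // Create a new macro group and add it to the stack.
      PathDiagnosticMacroPiece *NewGroup = new PathDiagnosticMacroPiece(Loc);

      if (MacroGroup)
        MacroGroup->push_back(NewGroup);
      else {
        assert(InstantiationLoc.isFileID());
        Pieces.push_back(NewGroup);
      }

      MacroGroup = NewGroup;
      MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc));
    }

    // Finally, add the PathDiagnosticPiece to the group.
    MacroGroup->push_back(&*I);
  }

  // Now take the pieces and construct a new PathDiagnostic.
  PD.resetPath(false);

  for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) {
    if (PathDiagnosticMacroPiece *MP=dyn_cast<PathDiagnosticMacroPiece>(*I))
      if (!MP->containsEvent()) {
        delete MP;
        continue;
      }

    PD.push_back(*I);
  }
}

/// GeneratePathDiagnostic - Fills 'PD' with the path for one of the reports
///  in 'bugReports', which must not be empty.  A single-path graph is built
///  from the reports' error nodes, the matching report is picked by the
///  index MakeReportGraph returns, and the pieces are generated with the
///  scheme the PathDiagnosticBuilder reports.  'PD' is left without pieces
///  when the report yields no end-of-path piece.
void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD,
                        llvm::SmallVectorImpl<BugReport *> &bugReports) {

  assert(!bugReports.empty());
  llvm::SmallVector<const ExplodedNode *, 10> errorNodes;
  for (llvm::SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(),
    E = bugReports.end(); I != E; ++I) {
      errorNodes.push_back((*I)->getErrorNode());
  }

  // Construct a new graph that contains only a single path from the error
  // node to a root.
  const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>,
  std::pair<ExplodedNode*, unsigned> >&
    GPair = MakeReportGraph(&getGraph(), errorNodes);

  // Find the BugReport with the original location.
  assert(GPair.second.second < bugReports.size());
  BugReport *R = bugReports[GPair.second.second];
  assert(R && "No original report found for sliced graph.");

  // Take ownership of the graph and back-map so they are released on every
  // return path below.
  llvm::OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first);
  llvm::OwningPtr<NodeBackMap> BackMap(GPair.first.second);
  const ExplodedNode *N = GPair.second.first;

  // Start building the path diagnostic...
  PathDiagnosticBuilder PDB(*this, R, BackMap.get(), getPathDiagnosticClient());

  if (PathDiagnosticPiece* Piece = R->getEndPath(PDB, N))
    PD.push_back(Piece);
  else
    return;

  // Register node visitors.
  R->registerInitialVisitors(PDB, N);
  bugreporter::registerNilReceiverVisitor(PDB);

  switch (PDB.getGenerationScheme()) {
    case PathDiagnosticClient::Extensive:
      GenerateExtensivePathDiagnostic(PD, PDB, N);
      break;
    case PathDiagnosticClient::Minimal:
      GenerateMinimalPathDiagnostic(PD, PDB, N);
      break;
  }
}

/// Register - Adds 'BT' to the set of BugTypes flushed by FlushReports.
void BugReporter::Register(BugType *BT) {
  BugTypes = F.add(BugTypes, BT);
}

/// EmitReport - Files 'R' under the equivalence class selected by its
///  profile, creating the class when needed, and registers the report's
///  BugType.  The equivalence class deletes its reports when it is
///  destroyed, so the caller must not delete 'R' afterwards.
void BugReporter::EmitReport(BugReport* R) {
  // Compute the bug report's hash to determine its equivalence class.
  llvm::FoldingSetNodeID ID;
  R->Profile(ID);

  // Lookup the equivalence class.  If there isn't one, create it.
  BugType& BT = R->getBugType();
  Register(&BT);
  void *InsertPos;
  BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos);

  if (!EQ) {
    EQ = new BugReportEquivClass(R);
    EQClasses.InsertNode(EQ, InsertPos);
  }
  else
    EQ->AddReport(R);
}


//===----------------------------------------------------------------------===//
// Emitting reports in equivalence classes.
//===----------------------------------------------------------------------===//

namespace {
/// Worklist item for the iterative DFS in FindReportInEquivalenceClass: a
/// node together with the successors that are still to be explored.
struct FRIEC_WLItem {
  const ExplodedNode *N;
  ExplodedNode::const_succ_iterator I, E;

  FRIEC_WLItem(const ExplodedNode *n)
  : N(n), I(N->succ_begin()), E(N->succ_end()) {}
};
}

/// FindReportInEquivalenceClass - Collects into 'bugReports' the reports of
///  'EQ' that should be emitted and returns a representative one.
///
///  When the BugType does not suppress on sinks, every report with an error
///  node is collected.  Otherwise only reports whose error node can reach an
///  end-of-path node that is not a sink are collected, and NULL is returned
///  when there is no such report.
static BugReport *
FindReportInEquivalenceClass(BugReportEquivClass& EQ,
                             llvm::SmallVectorImpl<BugReport*> &bugReports) {

  BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end();
  assert(I != E);
  BugReport *R = *I;
  BugType& BT = R->getBugType();

  // If we don't need to suppress any of the nodes because they are
  // post-dominated by a sink, simply add all the nodes in the equivalence class
  // to 'Nodes'.  Any of the reports will serve as a "representative" report.
  if (!BT.isSuppressOnSink()) {
    for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) {
      const ExplodedNode* N = I->getErrorNode();
      if (N) {
        R = *I;
        bugReports.push_back(R);
      }
    }
    return R;
  }

  // For bug reports that should be suppressed when all paths are post-dominated
  // by a sink node, iterate through the reports in the equivalence class
  // until we find one that isn't post-dominated (if one exists).  We use a
  // DFS traversal of the ExplodedGraph to find a non-sink node.  We could write
  // this as a recursive function, but we don't want to risk blowing out the
  // stack for very long paths.
  BugReport *exampleReport = 0;

  for (; I != E; ++I) {
    R = *I;
    const ExplodedNode *errorNode = R->getErrorNode();

    if (!errorNode)
      continue;
    if (errorNode->isSink()) {
      assert(false &&
           "BugType::isSuppressSink() should not be 'true' for sink end nodes");
      return 0;
    }
    // No successors?  By definition this node isn't post-dominated by a sink.
    if (errorNode->succ_empty()) {
      bugReports.push_back(R);
      if (!exampleReport)
        exampleReport = R;
      continue;
    }

    // At this point we know that 'errorNode' is not a sink and it has at
    // least one successor.  Use a DFS worklist to find a non-sink
    // end-of-path node.
    typedef FRIEC_WLItem WLItem;
    typedef llvm::SmallVector<WLItem, 10> DFSWorkList;
    llvm::DenseMap<const ExplodedNode *, unsigned> Visited;

    DFSWorkList WL;
    WL.push_back(errorNode);
    Visited[errorNode] = 1;

    while (!WL.empty()) {
      WLItem &WI = WL.back();
      assert(!WI.N->succ_empty());

      for (; WI.I != WI.E; ++WI.I) {
        const ExplodedNode *Succ = *WI.I;
        // End-of-path node?
        if (Succ->succ_empty()) {
          // If we found an end-of-path node that is not a sink.
          if (!Succ->isSink()) {
            bugReports.push_back(R);
            if (!exampleReport)
              exampleReport = R;
            WL.clear();
            break;
          }
          // Found a sink?  Continue on to the next successor.
          continue;
        }
        // Mark the successor as visited.  If it hasn't been explored,
        // enqueue it to the DFS worklist.
        unsigned &mark = Visited[Succ];
        if (!mark) {
          mark = 1;
          WL.push_back(Succ);
          break;
        }
      }

      // The worklist may have been cleared at this point.  First
      // check if it is empty before checking the last item.
      // 'WI' is only compared by address here: after a push_back it no
      // longer names the top item and must not be read.
      if (!WL.empty() && &WL.back() == &WI)
        WL.pop_back();
    }
  }

  // ExampleReport will be NULL if all the nodes in the equivalence class
  // were post-dominated by sinks.
  return exampleReport;
}

//===----------------------------------------------------------------------===//
// DiagnosticCache.  This is a hack to cache analyzer diagnostics.  It
// uses global state, which eventually should go elsewhere.
//===----------------------------------------------------------------------===//
namespace {
/// Cache key for an emitted diagnostic.  The profile combines the bug type
/// name and category, the report description, the raw encoding of the report
/// location, and the profile of the PathDiagnostic.
class DiagCacheItem : public llvm::FoldingSetNode {
  llvm::FoldingSetNodeID ID;
public:
  DiagCacheItem(BugReport *R, PathDiagnostic *PD) {
    ID.AddString(R->getBugType().getName());
    ID.AddString(R->getBugType().getCategory());
    ID.AddString(R->getDescription());
    ID.AddInteger(R->getLocation().getRawEncoding());
    PD->Profile(ID);
  }

  void Profile(llvm::FoldingSetNodeID &id) {
    id = ID;
  }

  llvm::FoldingSetNodeID &getID() { return ID; }
};
}

/// IsCachedDiagnostic - Returns true when a diagnostic with the same profile
///  was seen before.  Otherwise the diagnostic is recorded and false is
///  returned.  The cache is a function-local static that is never emptied in
///  this function and is accessed without any locking visible here.
static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) {
  // FIXME: Eventually this diagnostic cache should reside in something
  // like AnalysisManager instead of being a static variable.  This is
  // really unsafe in the long term.
  typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache;
  static DiagnosticCache DC;

  void *InsertPos;
  DiagCacheItem *Item = new DiagCacheItem(R, PD);

  if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) {
    delete Item;
    return true;
  }

  // On a miss the cache keeps the item.
  DC.InsertNode(Item, InsertPos);
  return false;
}

/// FlushReport - Emits the diagnostics for one equivalence class: a summary
///  warning through the regular Diagnostic engine and, when a
///  PathDiagnosticClient is present, the full path diagnostic.  Nothing is
///  emitted when no report of the class qualifies or when an identical
///  diagnostic was emitted before.
void BugReporter::FlushReport(BugReportEquivClass& EQ) {
  llvm::SmallVector<BugReport*, 10> bugReports;
  BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports);
  if (!exampleReport)
    return;

  PathDiagnosticClient* PD = getPathDiagnosticClient();

  // FIXME: Make sure we use the 'R' for the path that was actually used.
  // Probably doesn't make a difference in practice.
  BugType& BT = exampleReport->getBugType();

  llvm::OwningPtr<PathDiagnostic>
    D(new PathDiagnostic(exampleReport->getBugType().getName(),
                         !PD || PD->useVerboseDescription()
                         ? exampleReport->getDescription()
                         : exampleReport->getShortDescription(),
                         BT.getCategory()));

  if (!bugReports.empty())
    GeneratePathDiagnostic(*D.get(), bugReports);

  if (IsCachedDiagnostic(exampleReport, D.get()))
    return;

  // Get the meta data.
  std::pair<const char**, const char**> Meta =
    exampleReport->getExtraDescriptiveText();
  for (const char** s = Meta.first; s != Meta.second; ++s)
    D->addMeta(*s);

  // Emit a summary diagnostic to the regular Diagnostics engine.
  BugReport::ranges_iterator Beg, End;
  llvm::tie(Beg, End) = exampleReport->getRanges();
  Diagnostic &Diag = getDiagnostic();
  FullSourceLoc L(exampleReport->getLocation(), getSourceManager());

  // Search the description for '%', as that will be interpreted as a
  // format character by FormatDiagnostics.  The description is handed to
  // getCustomDiagID as the format string of the new diagnostic, so every '%'
  // is doubled to make it print literally.
  llvm::StringRef desc = exampleReport->getShortDescription();
  unsigned ErrorDiag;
  {
    llvm::SmallString<512> TmpStr;
    llvm::raw_svector_ostream Out(TmpStr);
    for (llvm::StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I)
      if (*I == '%')
        Out << "%%";
      else
        Out << *I;

    Out.flush();
    ErrorDiag = Diag.getCustomDiagID(Diagnostic::Warning, TmpStr);
  }

  {
    DiagnosticBuilder diagBuilder = Diag.Report(L, ErrorDiag);
    for (BugReport::ranges_iterator I = Beg; I != End; ++I)
      diagBuilder << *I;
  }

  // Emit a full diagnostic for the path if we have a PathDiagnosticClient.
  if (!PD)
    return;

  // Without generated pieces, fall back to a single event at the report
  // location.
  if (D->empty()) {
    PathDiagnosticPiece* piece =
      new PathDiagnosticEventPiece(L, exampleReport->getDescription());

    for ( ; Beg != End; ++Beg) piece->addRange(*Beg);
    D->push_back(piece);
  }

  // Ownership of the diagnostic passes to the client.
  PD->HandlePathDiagnostic(D.take());
}

/// EmitBasicReport - Convenience overload that uses an empty category.
void BugReporter::EmitBasicReport(llvm::StringRef name, llvm::StringRef str,
                                  SourceLocation Loc,
                                  SourceRange* RBeg, unsigned NumRanges) {
  EmitBasicReport(name, "", str, Loc, RBeg, NumRanges);
}

/// EmitBasicReport - Emits a report with description 'str' at 'Loc' for the
///  BugType identified by 'name' and 'category'.  'RBeg' must point to at
///  least 'NumRanges' source ranges; it is not read when 'NumRanges' is 0.
void BugReporter::EmitBasicReport(llvm::StringRef name,
                                  llvm::StringRef category,
                                  llvm::StringRef str, SourceLocation Loc,
                                  SourceRange* RBeg, unsigned NumRanges) {

  // 'BT' is owned by BugReporter.
  BugType *BT = getBugTypeForName(name, category);
  FullSourceLoc L = getContext().getFullLoc(Loc);
  RangedBugReport *R = new DiagBugReport(*BT, str, L);
  for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg);
  EmitReport(R);
}

/// getBugTypeForName - Returns the BugType stored under the key
///  "name:category", creating it on first use.  The returned object is owned
///  by this BugReporter and is deleted by FlushReports.
BugType *BugReporter::getBugTypeForName(llvm::StringRef name,
                                        llvm::StringRef category) {
  llvm::SmallString<136> fullDesc;
  llvm::raw_svector_ostream(fullDesc) << name << ":" << category;
  llvm::StringMapEntry<BugType *> &
      entry = StrBugTypes.GetOrCreateValue(fullDesc);
  BugType *BT = entry.getValue();
  if (!BT) {
    BT = new BugType(name, category);
    entry.setValue(BT);
  }
  return BT;
}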