1 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // This file defines BugReporter, a utility class for generating 11 // PathDiagnostics. 12 // 13 //===----------------------------------------------------------------------===// 14 15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16 #include "clang/AST/ASTContext.h" 17 #include "clang/AST/DeclObjC.h" 18 #include "clang/AST/Expr.h" 19 #include "clang/AST/ExprCXX.h" 20 #include "clang/AST/ParentMap.h" 21 #include "clang/AST/StmtCXX.h" 22 #include "clang/AST/StmtObjC.h" 23 #include "clang/Analysis/CFG.h" 24 #include "clang/Analysis/ProgramPoint.h" 25 #include "clang/Basic/SourceManager.h" 26 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 27 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 28 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 29 #include "llvm/ADT/DenseMap.h" 30 #include "llvm/ADT/IntrusiveRefCntPtr.h" 31 #include "llvm/ADT/STLExtras.h" 32 #include "llvm/ADT/SmallString.h" 33 #include "llvm/ADT/Statistic.h" 34 #include "llvm/Support/raw_ostream.h" 35 #include <memory> 36 #include <queue> 37 38 using namespace clang; 39 using namespace ento; 40 41 #define DEBUG_TYPE "BugReporter" 42 43 STATISTIC(MaxBugClassSize, 44 "The maximum number of bug reports in the same equivalence class"); 45 STATISTIC(MaxValidBugClassSize, 46 "The maximum number of bug reports in the same equivalence class " 47 "where at least one report is valid (not suppressed)"); 48 49 BugReporterVisitor::~BugReporterVisitor() {} 50 51 void BugReporterContext::anchor() {} 52 53 //===----------------------------------------------------------------------===// 54 // Helper routines for walking the ExplodedGraph and fetching statements. 55 //===----------------------------------------------------------------------===// 56 57 static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 58 for (N = N->getFirstPred(); N; N = N->getFirstPred()) 59 if (const Stmt *S = PathDiagnosticLocation::getStmt(N)) 60 return S; 61 62 return nullptr; 63 } 64 65 static inline const Stmt* 66 GetCurrentOrPreviousStmt(const ExplodedNode *N) { 67 if (const Stmt *S = PathDiagnosticLocation::getStmt(N)) 68 return S; 69 70 return GetPreviousStmt(N); 71 } 72 73 //===----------------------------------------------------------------------===// 74 // Diagnostic cleanup. 75 //===----------------------------------------------------------------------===// 76 77 static PathDiagnosticEventPiece * 78 eventsDescribeSameCondition(PathDiagnosticEventPiece *X, 79 PathDiagnosticEventPiece *Y) { 80 // Prefer diagnostics that come from ConditionBRVisitor over 81 // those that came from TrackConstraintBRVisitor. 82 const void *tagPreferred = ConditionBRVisitor::getTag(); 83 const void *tagLesser = TrackConstraintBRVisitor::getTag(); 84 85 if (X->getLocation() != Y->getLocation()) 86 return nullptr; 87 88 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser) 89 return X; 90 91 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser) 92 return Y; 93 94 return nullptr; 95 } 96 97 /// An optimization pass over PathPieces that removes redundant diagnostics 98 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both 99 /// BugReporterVisitors use different methods to generate diagnostics, with 100 /// one capable of emitting diagnostics in some cases but not in others. This 101 /// can lead to redundant diagnostic pieces at the same point in a path. 102 static void removeRedundantMsgs(PathPieces &path) { 103 unsigned N = path.size(); 104 if (N < 2) 105 return; 106 // NOTE: this loop intentionally is not using an iterator. Instead, we 107 // are streaming the path and modifying it in place. This is done by 108 // grabbing the front, processing it, and if we decide to keep it append 109 // it to the end of the path. The entire path is processed in this way. 110 for (unsigned i = 0; i < N; ++i) { 111 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(path.front()); 112 path.pop_front(); 113 114 switch (piece->getKind()) { 115 case clang::ento::PathDiagnosticPiece::Call: 116 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(piece)->path); 117 break; 118 case clang::ento::PathDiagnosticPiece::Macro: 119 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(piece)->subPieces); 120 break; 121 case clang::ento::PathDiagnosticPiece::ControlFlow: 122 break; 123 case clang::ento::PathDiagnosticPiece::Event: { 124 if (i == N-1) 125 break; 126 127 if (PathDiagnosticEventPiece *nextEvent = 128 dyn_cast<PathDiagnosticEventPiece>(path.front().get())) { 129 PathDiagnosticEventPiece *event = 130 cast<PathDiagnosticEventPiece>(piece); 131 // Check to see if we should keep one of the two pieces. If we 132 // come up with a preference, record which piece to keep, and consume 133 // another piece from the path. 134 if (PathDiagnosticEventPiece *pieceToKeep = 135 eventsDescribeSameCondition(event, nextEvent)) { 136 piece = pieceToKeep; 137 path.pop_front(); 138 ++i; 139 } 140 } 141 break; 142 } 143 } 144 path.push_back(piece); 145 } 146 } 147 148 /// A map from PathDiagnosticPiece to the LocationContext of the inlined 149 /// function call it represents. 150 typedef llvm::DenseMap<const PathPieces *, const LocationContext *> 151 LocationContextMap; 152 153 /// Recursively scan through a path and prune out calls and macros pieces 154 /// that aren't needed. Return true if afterwards the path contains 155 /// "interesting stuff" which means it shouldn't be pruned from the parent path. 156 static bool removeUnneededCalls(PathPieces &pieces, BugReport *R, 157 LocationContextMap &LCM) { 158 bool containsSomethingInteresting = false; 159 const unsigned N = pieces.size(); 160 161 for (unsigned i = 0 ; i < N ; ++i) { 162 // Remove the front piece from the path. If it is still something we 163 // want to keep once we are done, we will push it back on the end. 164 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(pieces.front()); 165 pieces.pop_front(); 166 167 switch (piece->getKind()) { 168 case PathDiagnosticPiece::Call: { 169 PathDiagnosticCallPiece *call = cast<PathDiagnosticCallPiece>(piece); 170 // Check if the location context is interesting. 171 assert(LCM.count(&call->path)); 172 if (R->isInteresting(LCM[&call->path])) { 173 containsSomethingInteresting = true; 174 break; 175 } 176 177 if (!removeUnneededCalls(call->path, R, LCM)) 178 continue; 179 180 containsSomethingInteresting = true; 181 break; 182 } 183 case PathDiagnosticPiece::Macro: { 184 PathDiagnosticMacroPiece *macro = cast<PathDiagnosticMacroPiece>(piece); 185 if (!removeUnneededCalls(macro->subPieces, R, LCM)) 186 continue; 187 containsSomethingInteresting = true; 188 break; 189 } 190 case PathDiagnosticPiece::Event: { 191 PathDiagnosticEventPiece *event = cast<PathDiagnosticEventPiece>(piece); 192 193 // We never throw away an event, but we do throw it away wholesale 194 // as part of a path if we throw the entire path away. 195 containsSomethingInteresting |= !event->isPrunable(); 196 break; 197 } 198 case PathDiagnosticPiece::ControlFlow: 199 break; 200 } 201 202 pieces.push_back(piece); 203 } 204 205 return containsSomethingInteresting; 206 } 207 208 /// Returns true if the given decl has been implicitly given a body, either by 209 /// the analyzer or by the compiler proper. 210 static bool hasImplicitBody(const Decl *D) { 211 assert(D); 212 return D->isImplicit() || !D->hasBody(); 213 } 214 215 /// Recursively scan through a path and make sure that all call pieces have 216 /// valid locations. 217 static void 218 adjustCallLocations(PathPieces &Pieces, 219 PathDiagnosticLocation *LastCallLocation = nullptr) { 220 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E; ++I) { 221 PathDiagnosticCallPiece *Call = dyn_cast<PathDiagnosticCallPiece>(*I); 222 223 if (!Call) { 224 assert((*I)->getLocation().asLocation().isValid()); 225 continue; 226 } 227 228 if (LastCallLocation) { 229 bool CallerIsImplicit = hasImplicitBody(Call->getCaller()); 230 if (CallerIsImplicit || !Call->callEnter.asLocation().isValid()) 231 Call->callEnter = *LastCallLocation; 232 if (CallerIsImplicit || !Call->callReturn.asLocation().isValid()) 233 Call->callReturn = *LastCallLocation; 234 } 235 236 // Recursively clean out the subclass. Keep this call around if 237 // it contains any informative diagnostics. 238 PathDiagnosticLocation *ThisCallLocation; 239 if (Call->callEnterWithin.asLocation().isValid() && 240 !hasImplicitBody(Call->getCallee())) 241 ThisCallLocation = &Call->callEnterWithin; 242 else 243 ThisCallLocation = &Call->callEnter; 244 245 assert(ThisCallLocation && "Outermost call has an invalid location"); 246 adjustCallLocations(Call->path, ThisCallLocation); 247 } 248 } 249 250 /// Remove edges in and out of C++ default initializer expressions. These are 251 /// for fields that have in-class initializers, as opposed to being initialized 252 /// explicitly in a constructor or braced list. 253 static void removeEdgesToDefaultInitializers(PathPieces &Pieces) { 254 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 255 if (PathDiagnosticCallPiece *C = dyn_cast<PathDiagnosticCallPiece>(*I)) 256 removeEdgesToDefaultInitializers(C->path); 257 258 if (PathDiagnosticMacroPiece *M = dyn_cast<PathDiagnosticMacroPiece>(*I)) 259 removeEdgesToDefaultInitializers(M->subPieces); 260 261 if (PathDiagnosticControlFlowPiece *CF = 262 dyn_cast<PathDiagnosticControlFlowPiece>(*I)) { 263 const Stmt *Start = CF->getStartLocation().asStmt(); 264 const Stmt *End = CF->getEndLocation().asStmt(); 265 if (Start && isa<CXXDefaultInitExpr>(Start)) { 266 I = Pieces.erase(I); 267 continue; 268 } else if (End && isa<CXXDefaultInitExpr>(End)) { 269 PathPieces::iterator Next = std::next(I); 270 if (Next != E) { 271 if (PathDiagnosticControlFlowPiece *NextCF = 272 dyn_cast<PathDiagnosticControlFlowPiece>(*Next)) { 273 NextCF->setStartLocation(CF->getStartLocation()); 274 } 275 } 276 I = Pieces.erase(I); 277 continue; 278 } 279 } 280 281 I++; 282 } 283 } 284 285 /// Remove all pieces with invalid locations as these cannot be serialized. 286 /// We might have pieces with invalid locations as a result of inlining Body 287 /// Farm generated functions. 288 static void removePiecesWithInvalidLocations(PathPieces &Pieces) { 289 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) { 290 if (PathDiagnosticCallPiece *C = dyn_cast<PathDiagnosticCallPiece>(*I)) 291 removePiecesWithInvalidLocations(C->path); 292 293 if (PathDiagnosticMacroPiece *M = dyn_cast<PathDiagnosticMacroPiece>(*I)) 294 removePiecesWithInvalidLocations(M->subPieces); 295 296 if (!(*I)->getLocation().isValid() || 297 !(*I)->getLocation().asLocation().isValid()) { 298 I = Pieces.erase(I); 299 continue; 300 } 301 I++; 302 } 303 } 304 305 //===----------------------------------------------------------------------===// 306 // PathDiagnosticBuilder and its associated routines and helper objects. 307 //===----------------------------------------------------------------------===// 308 309 namespace { 310 class NodeMapClosure : public BugReport::NodeResolver { 311 InterExplodedGraphMap &M; 312 public: 313 NodeMapClosure(InterExplodedGraphMap &m) : M(m) {} 314 315 const ExplodedNode *getOriginalNode(const ExplodedNode *N) override { 316 return M.lookup(N); 317 } 318 }; 319 320 class PathDiagnosticBuilder : public BugReporterContext { 321 BugReport *R; 322 PathDiagnosticConsumer *PDC; 323 NodeMapClosure NMC; 324 public: 325 const LocationContext *LC; 326 327 PathDiagnosticBuilder(GRBugReporter &br, 328 BugReport *r, InterExplodedGraphMap &Backmap, 329 PathDiagnosticConsumer *pdc) 330 : BugReporterContext(br), 331 R(r), PDC(pdc), NMC(Backmap), LC(r->getErrorNode()->getLocationContext()) 332 {} 333 334 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 335 336 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 337 const ExplodedNode *N); 338 339 BugReport *getBugReport() { return R; } 340 341 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 342 343 ParentMap& getParentMap() { return LC->getParentMap(); } 344 345 const Stmt *getParent(const Stmt *S) { 346 return getParentMap().getParent(S); 347 } 348 349 NodeMapClosure& getNodeResolver() override { return NMC; } 350 351 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 352 353 PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const { 354 return PDC ? PDC->getGenerationScheme() : PathDiagnosticConsumer::Extensive; 355 } 356 357 bool supportsLogicalOpControlFlow() const { 358 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 359 } 360 }; 361 } // end anonymous namespace 362 363 PathDiagnosticLocation 364 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 365 if (const Stmt *S = PathDiagnosticLocation::getNextStmt(N)) 366 return PathDiagnosticLocation(S, getSourceManager(), LC); 367 368 return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(), 369 getSourceManager()); 370 } 371 372 PathDiagnosticLocation 373 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 374 const ExplodedNode *N) { 375 376 // Slow, but probably doesn't matter. 377 if (os.str().empty()) 378 os << ' '; 379 380 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 381 382 if (Loc.asStmt()) 383 os << "Execution continues on line " 384 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 385 << '.'; 386 else { 387 os << "Execution jumps to the end of the "; 388 const Decl *D = N->getLocationContext()->getDecl(); 389 if (isa<ObjCMethodDecl>(D)) 390 os << "method"; 391 else if (isa<FunctionDecl>(D)) 392 os << "function"; 393 else { 394 assert(isa<BlockDecl>(D)); 395 os << "anonymous block"; 396 } 397 os << '.'; 398 } 399 400 return Loc; 401 } 402 403 static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) { 404 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 405 return PM.getParentIgnoreParens(S); 406 407 const Stmt *Parent = PM.getParentIgnoreParens(S); 408 if (!Parent) 409 return nullptr; 410 411 switch (Parent->getStmtClass()) { 412 case Stmt::ForStmtClass: 413 case Stmt::DoStmtClass: 414 case Stmt::WhileStmtClass: 415 case Stmt::ObjCForCollectionStmtClass: 416 case Stmt::CXXForRangeStmtClass: 417 return Parent; 418 default: 419 break; 420 } 421 422 return nullptr; 423 } 424 425 static PathDiagnosticLocation 426 getEnclosingStmtLocation(const Stmt *S, SourceManager &SMgr, const ParentMap &P, 427 const LocationContext *LC, bool allowNestedContexts) { 428 if (!S) 429 return PathDiagnosticLocation(); 430 431 while (const Stmt *Parent = getEnclosingParent(S, P)) { 432 switch (Parent->getStmtClass()) { 433 case Stmt::BinaryOperatorClass: { 434 const BinaryOperator *B = cast<BinaryOperator>(Parent); 435 if (B->isLogicalOp()) 436 return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC); 437 break; 438 } 439 case Stmt::CompoundStmtClass: 440 case Stmt::StmtExprClass: 441 return PathDiagnosticLocation(S, SMgr, LC); 442 case Stmt::ChooseExprClass: 443 // Similar to '?' if we are referring to condition, just have the edge 444 // point to the entire choose expression. 445 if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S) 446 return PathDiagnosticLocation(Parent, SMgr, LC); 447 else 448 return PathDiagnosticLocation(S, SMgr, LC); 449 case Stmt::BinaryConditionalOperatorClass: 450 case Stmt::ConditionalOperatorClass: 451 // For '?', if we are referring to condition, just have the edge point 452 // to the entire '?' expression. 453 if (allowNestedContexts || 454 cast<AbstractConditionalOperator>(Parent)->getCond() == S) 455 return PathDiagnosticLocation(Parent, SMgr, LC); 456 else 457 return PathDiagnosticLocation(S, SMgr, LC); 458 case Stmt::CXXForRangeStmtClass: 459 if (cast<CXXForRangeStmt>(Parent)->getBody() == S) 460 return PathDiagnosticLocation(S, SMgr, LC); 461 break; 462 case Stmt::DoStmtClass: 463 return PathDiagnosticLocation(S, SMgr, LC); 464 case Stmt::ForStmtClass: 465 if (cast<ForStmt>(Parent)->getBody() == S) 466 return PathDiagnosticLocation(S, SMgr, LC); 467 break; 468 case Stmt::IfStmtClass: 469 if (cast<IfStmt>(Parent)->getCond() != S) 470 return PathDiagnosticLocation(S, SMgr, LC); 471 break; 472 case Stmt::ObjCForCollectionStmtClass: 473 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 474 return PathDiagnosticLocation(S, SMgr, LC); 475 break; 476 case Stmt::WhileStmtClass: 477 if (cast<WhileStmt>(Parent)->getCond() != S) 478 return PathDiagnosticLocation(S, SMgr, LC); 479 break; 480 default: 481 break; 482 } 483 484 S = Parent; 485 } 486 487 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 488 489 return PathDiagnosticLocation(S, SMgr, LC); 490 } 491 492 PathDiagnosticLocation 493 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 494 assert(S && "Null Stmt passed to getEnclosingStmtLocation"); 495 return ::getEnclosingStmtLocation(S, getSourceManager(), getParentMap(), LC, 496 /*allowNestedContexts=*/false); 497 } 498 499 //===----------------------------------------------------------------------===// 500 // "Visitors only" path diagnostic generation algorithm. 501 //===----------------------------------------------------------------------===// 502 static bool GenerateVisitorsOnlyPathDiagnostic(PathDiagnostic &PD, 503 PathDiagnosticBuilder &PDB, 504 const ExplodedNode *N, 505 ArrayRef<BugReporterVisitor *> visitors) { 506 // All path generation skips the very first node (the error node). 507 // This is because there is special handling for the end-of-path note. 508 N = N->getFirstPred(); 509 if (!N) 510 return true; 511 512 BugReport *R = PDB.getBugReport(); 513 while (const ExplodedNode *Pred = N->getFirstPred()) { 514 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 515 E = visitors.end(); 516 I != E; ++I) { 517 // Visit all the node pairs, but throw the path pieces away. 518 PathDiagnosticPiece *Piece = (*I)->VisitNode(N, Pred, PDB, *R); 519 delete Piece; 520 } 521 522 N = Pred; 523 } 524 525 return R->isValid(); 526 } 527 528 //===----------------------------------------------------------------------===// 529 // "Minimal" path diagnostic generation algorithm. 530 //===----------------------------------------------------------------------===// 531 typedef std::pair<PathDiagnosticCallPiece*, const ExplodedNode*> StackDiagPair; 532 typedef SmallVector<StackDiagPair, 6> StackDiagVector; 533 534 static void updateStackPiecesWithMessage(PathDiagnosticPiece *P, 535 StackDiagVector &CallStack) { 536 // If the piece contains a special message, add it to all the call 537 // pieces on the active stack. 538 if (PathDiagnosticEventPiece *ep = 539 dyn_cast<PathDiagnosticEventPiece>(P)) { 540 541 if (ep->hasCallStackHint()) 542 for (StackDiagVector::iterator I = CallStack.begin(), 543 E = CallStack.end(); I != E; ++I) { 544 PathDiagnosticCallPiece *CP = I->first; 545 const ExplodedNode *N = I->second; 546 std::string stackMsg = ep->getCallStackMessage(N); 547 548 // The last message on the path to final bug is the most important 549 // one. Since we traverse the path backwards, do not add the message 550 // if one has been previously added. 551 if (!CP->hasCallStackMessage()) 552 CP->setCallStackMessage(stackMsg); 553 } 554 } 555 } 556 557 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM); 558 559 static bool GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 560 PathDiagnosticBuilder &PDB, 561 const ExplodedNode *N, 562 LocationContextMap &LCM, 563 ArrayRef<BugReporterVisitor *> visitors) { 564 565 SourceManager& SMgr = PDB.getSourceManager(); 566 const LocationContext *LC = PDB.LC; 567 const ExplodedNode *NextNode = N->pred_empty() 568 ? nullptr : *(N->pred_begin()); 569 570 StackDiagVector CallStack; 571 572 while (NextNode) { 573 N = NextNode; 574 PDB.LC = N->getLocationContext(); 575 NextNode = N->getFirstPred(); 576 577 ProgramPoint P = N->getLocation(); 578 579 do { 580 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 581 PathDiagnosticCallPiece *C = 582 PathDiagnosticCallPiece::construct(N, *CE, SMgr); 583 // Record the mapping from call piece to LocationContext. 584 LCM[&C->path] = CE->getCalleeContext(); 585 PD.getActivePath().push_front(C); 586 PD.pushActivePath(&C->path); 587 CallStack.push_back(StackDiagPair(C, N)); 588 break; 589 } 590 591 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) { 592 // Flush all locations, and pop the active path. 593 bool VisitedEntireCall = PD.isWithinCall(); 594 PD.popActivePath(); 595 596 // Either we just added a bunch of stuff to the top-level path, or 597 // we have a previous CallExitEnd. If the former, it means that the 598 // path terminated within a function call. We must then take the 599 // current contents of the active path and place it within 600 // a new PathDiagnosticCallPiece. 601 PathDiagnosticCallPiece *C; 602 if (VisitedEntireCall) { 603 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 604 } else { 605 const Decl *Caller = CE->getLocationContext()->getDecl(); 606 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 607 // Record the mapping from call piece to LocationContext. 608 LCM[&C->path] = CE->getCalleeContext(); 609 } 610 611 C->setCallee(*CE, SMgr); 612 if (!CallStack.empty()) { 613 assert(CallStack.back().first == C); 614 CallStack.pop_back(); 615 } 616 break; 617 } 618 619 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) { 620 const CFGBlock *Src = BE->getSrc(); 621 const CFGBlock *Dst = BE->getDst(); 622 const Stmt *T = Src->getTerminator(); 623 624 if (!T) 625 break; 626 627 PathDiagnosticLocation Start = 628 PathDiagnosticLocation::createBegin(T, SMgr, 629 N->getLocationContext()); 630 631 switch (T->getStmtClass()) { 632 default: 633 break; 634 635 case Stmt::GotoStmtClass: 636 case Stmt::IndirectGotoStmtClass: { 637 const Stmt *S = PathDiagnosticLocation::getNextStmt(N); 638 639 if (!S) 640 break; 641 642 std::string sbuf; 643 llvm::raw_string_ostream os(sbuf); 644 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 645 646 os << "Control jumps to line " 647 << End.asLocation().getExpansionLineNumber(); 648 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 649 Start, End, os.str())); 650 break; 651 } 652 653 case Stmt::SwitchStmtClass: { 654 // Figure out what case arm we took. 655 std::string sbuf; 656 llvm::raw_string_ostream os(sbuf); 657 658 if (const Stmt *S = Dst->getLabel()) { 659 PathDiagnosticLocation End(S, SMgr, LC); 660 661 switch (S->getStmtClass()) { 662 default: 663 os << "No cases match in the switch statement. " 664 "Control jumps to line " 665 << End.asLocation().getExpansionLineNumber(); 666 break; 667 case Stmt::DefaultStmtClass: 668 os << "Control jumps to the 'default' case at line " 669 << End.asLocation().getExpansionLineNumber(); 670 break; 671 672 case Stmt::CaseStmtClass: { 673 os << "Control jumps to 'case "; 674 const CaseStmt *Case = cast<CaseStmt>(S); 675 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 676 677 // Determine if it is an enum. 678 bool GetRawInt = true; 679 680 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 681 // FIXME: Maybe this should be an assertion. Are there cases 682 // were it is not an EnumConstantDecl? 683 const EnumConstantDecl *D = 684 dyn_cast<EnumConstantDecl>(DR->getDecl()); 685 686 if (D) { 687 GetRawInt = false; 688 os << *D; 689 } 690 } 691 692 if (GetRawInt) 693 os << LHS->EvaluateKnownConstInt(PDB.getASTContext()); 694 695 os << ":' at line " 696 << End.asLocation().getExpansionLineNumber(); 697 break; 698 } 699 } 700 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 701 Start, End, os.str())); 702 } 703 else { 704 os << "'Default' branch taken. "; 705 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 706 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 707 Start, End, os.str())); 708 } 709 710 break; 711 } 712 713 case Stmt::BreakStmtClass: 714 case Stmt::ContinueStmtClass: { 715 std::string sbuf; 716 llvm::raw_string_ostream os(sbuf); 717 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 718 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 719 Start, End, os.str())); 720 break; 721 } 722 723 // Determine control-flow for ternary '?'. 724 case Stmt::BinaryConditionalOperatorClass: 725 case Stmt::ConditionalOperatorClass: { 726 std::string sbuf; 727 llvm::raw_string_ostream os(sbuf); 728 os << "'?' condition is "; 729 730 if (*(Src->succ_begin()+1) == Dst) 731 os << "false"; 732 else 733 os << "true"; 734 735 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 736 737 if (const Stmt *S = End.asStmt()) 738 End = PDB.getEnclosingStmtLocation(S); 739 740 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 741 Start, End, os.str())); 742 break; 743 } 744 745 // Determine control-flow for short-circuited '&&' and '||'. 746 case Stmt::BinaryOperatorClass: { 747 if (!PDB.supportsLogicalOpControlFlow()) 748 break; 749 750 const BinaryOperator *B = cast<BinaryOperator>(T); 751 std::string sbuf; 752 llvm::raw_string_ostream os(sbuf); 753 os << "Left side of '"; 754 755 if (B->getOpcode() == BO_LAnd) { 756 os << "&&" << "' is "; 757 758 if (*(Src->succ_begin()+1) == Dst) { 759 os << "false"; 760 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 761 PathDiagnosticLocation Start = 762 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 763 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 764 Start, End, os.str())); 765 } 766 else { 767 os << "true"; 768 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 769 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 770 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 771 Start, End, os.str())); 772 } 773 } 774 else { 775 assert(B->getOpcode() == BO_LOr); 776 os << "||" << "' is "; 777 778 if (*(Src->succ_begin()+1) == Dst) { 779 os << "false"; 780 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 781 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 782 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 783 Start, End, os.str())); 784 } 785 else { 786 os << "true"; 787 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 788 PathDiagnosticLocation Start = 789 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 790 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 791 Start, End, os.str())); 792 } 793 } 794 795 break; 796 } 797 798 case Stmt::DoStmtClass: { 799 if (*(Src->succ_begin()) == Dst) { 800 std::string sbuf; 801 llvm::raw_string_ostream os(sbuf); 802 803 os << "Loop condition is true. "; 804 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 805 806 if (const Stmt *S = End.asStmt()) 807 End = PDB.getEnclosingStmtLocation(S); 808 809 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 810 Start, End, os.str())); 811 } 812 else { 813 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 814 815 if (const Stmt *S = End.asStmt()) 816 End = PDB.getEnclosingStmtLocation(S); 817 818 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 819 Start, End, "Loop condition is false. Exiting loop")); 820 } 821 822 break; 823 } 824 825 case Stmt::WhileStmtClass: 826 case Stmt::ForStmtClass: { 827 if (*(Src->succ_begin()+1) == Dst) { 828 std::string sbuf; 829 llvm::raw_string_ostream os(sbuf); 830 831 os << "Loop condition is false. "; 832 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 833 if (const Stmt *S = End.asStmt()) 834 End = PDB.getEnclosingStmtLocation(S); 835 836 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 837 Start, End, os.str())); 838 } 839 else { 840 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 841 if (const Stmt *S = End.asStmt()) 842 End = PDB.getEnclosingStmtLocation(S); 843 844 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 845 Start, End, "Loop condition is true. Entering loop body")); 846 } 847 848 break; 849 } 850 851 case Stmt::IfStmtClass: { 852 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 853 854 if (const Stmt *S = End.asStmt()) 855 End = PDB.getEnclosingStmtLocation(S); 856 857 if (*(Src->succ_begin()+1) == Dst) 858 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 859 Start, End, "Taking false branch")); 860 else 861 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece( 862 Start, End, "Taking true branch")); 863 864 break; 865 } 866 } 867 } 868 } while(0); 869 870 if (NextNode) { 871 // Add diagnostic pieces from custom visitors. 872 BugReport *R = PDB.getBugReport(); 873 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 874 E = visitors.end(); 875 I != E; ++I) { 876 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 877 PD.getActivePath().push_front(p); 878 updateStackPiecesWithMessage(p, CallStack); 879 } 880 } 881 } 882 } 883 884 if (!PDB.getBugReport()->isValid()) 885 return false; 886 887 // After constructing the full PathDiagnostic, do a pass over it to compact 888 // PathDiagnosticPieces that occur within a macro. 889 CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager()); 890 return true; 891 } 892 893 //===----------------------------------------------------------------------===// 894 // "Extensive" PathDiagnostic generation. 895 //===----------------------------------------------------------------------===// 896 897 static bool IsControlFlowExpr(const Stmt *S) { 898 const Expr *E = dyn_cast<Expr>(S); 899 900 if (!E) 901 return false; 902 903 E = E->IgnoreParenCasts(); 904 905 if (isa<AbstractConditionalOperator>(E)) 906 return true; 907 908 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 909 if (B->isLogicalOp()) 910 return true; 911 912 return false; 913 } 914 915 namespace { 916 class ContextLocation : public PathDiagnosticLocation { 917 bool IsDead; 918 public: 919 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 920 : PathDiagnosticLocation(L), IsDead(isdead) {} 921 922 void markDead() { IsDead = true; } 923 bool isDead() const { return IsDead; } 924 }; 925 926 static PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 927 const LocationContext *LC, 928 bool firstCharOnly = false) { 929 if (const Stmt *S = L.asStmt()) { 930 const Stmt *Original = S; 931 while (1) { 932 // Adjust the location for some expressions that are best referenced 933 // by one of their subexpressions. 934 switch (S->getStmtClass()) { 935 default: 936 break; 937 case Stmt::ParenExprClass: 938 case Stmt::GenericSelectionExprClass: 939 S = cast<Expr>(S)->IgnoreParens(); 940 firstCharOnly = true; 941 continue; 942 case Stmt::BinaryConditionalOperatorClass: 943 case Stmt::ConditionalOperatorClass: 944 S = cast<AbstractConditionalOperator>(S)->getCond(); 945 firstCharOnly = true; 946 continue; 947 case Stmt::ChooseExprClass: 948 S = cast<ChooseExpr>(S)->getCond(); 949 firstCharOnly = true; 950 continue; 951 case Stmt::BinaryOperatorClass: 952 S = cast<BinaryOperator>(S)->getLHS(); 953 firstCharOnly = true; 954 continue; 955 } 956 957 break; 958 } 959 960 if (S != Original) 961 L = PathDiagnosticLocation(S, L.getManager(), LC); 962 } 963 964 if (firstCharOnly) 965 L = PathDiagnosticLocation::createSingleLocation(L); 966 967 return L; 968 } 969 970 class EdgeBuilder { 971 std::vector<ContextLocation> CLocs; 972 typedef std::vector<ContextLocation>::iterator iterator; 973 PathDiagnostic &PD; 974 PathDiagnosticBuilder &PDB; 975 PathDiagnosticLocation PrevLoc; 976 977 bool IsConsumedExpr(const PathDiagnosticLocation &L); 978 979 bool containsLocation(const PathDiagnosticLocation &Container, 980 const PathDiagnosticLocation &Containee); 981 982 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 983 984 985 986 void popLocation() { 987 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 988 // For contexts, we only one the first character as the range. 989 rawAddEdge(cleanUpLocation(CLocs.back(), PDB.LC, true)); 990 } 991 CLocs.pop_back(); 992 } 993 994 public: 995 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 996 : PD(pd), PDB(pdb) { 997 998 // If the PathDiagnostic already has pieces, add the enclosing statement 999 // of the first piece as a context as well. 1000 if (!PD.path.empty()) { 1001 PrevLoc = (*PD.path.begin())->getLocation(); 1002 1003 if (const Stmt *S = PrevLoc.asStmt()) 1004 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1005 } 1006 } 1007 1008 ~EdgeBuilder() { 1009 while (!CLocs.empty()) popLocation(); 1010 1011 // Finally, add an initial edge from the start location of the first 1012 // statement (if it doesn't already exist). 1013 PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin( 1014 PDB.LC, 1015 PDB.getSourceManager()); 1016 if (L.isValid()) 1017 rawAddEdge(L); 1018 } 1019 1020 void flushLocations() { 1021 while (!CLocs.empty()) 1022 popLocation(); 1023 PrevLoc = PathDiagnosticLocation(); 1024 } 1025 1026 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false, 1027 bool IsPostJump = false); 1028 1029 void rawAddEdge(PathDiagnosticLocation NewLoc); 1030 1031 void addContext(const Stmt *S); 1032 void addContext(const PathDiagnosticLocation &L); 1033 void addExtendedContext(const Stmt *S); 1034 }; 1035 } // end anonymous namespace 1036 1037 1038 PathDiagnosticLocation 1039 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 1040 if (const Stmt *S = L.asStmt()) { 1041 if (IsControlFlowExpr(S)) 1042 return L; 1043 1044 return PDB.getEnclosingStmtLocation(S); 1045 } 1046 1047 return L; 1048 } 1049 1050 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 1051 const PathDiagnosticLocation &Containee) { 1052 1053 if (Container == Containee) 1054 return true; 1055 1056 if (Container.asDecl()) 1057 return true; 1058 1059 if (const Stmt *S = Containee.asStmt()) 1060 if (const Stmt *ContainerS = Container.asStmt()) { 1061 while (S) { 1062 if (S == ContainerS) 1063 return true; 1064 S = PDB.getParent(S); 1065 } 1066 return false; 1067 } 1068 1069 // Less accurate: compare using source ranges. 1070 SourceRange ContainerR = Container.asRange(); 1071 SourceRange ContaineeR = Containee.asRange(); 1072 1073 SourceManager &SM = PDB.getSourceManager(); 1074 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 1075 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 1076 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 1077 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 1078 1079 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 1080 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 1081 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 1082 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 1083 1084 assert(ContainerBegLine <= ContainerEndLine); 1085 assert(ContaineeBegLine <= ContaineeEndLine); 1086 1087 return (ContainerBegLine <= ContaineeBegLine && 1088 ContainerEndLine >= ContaineeEndLine && 1089 (ContainerBegLine != ContaineeBegLine || 1090 SM.getExpansionColumnNumber(ContainerRBeg) <= 1091 SM.getExpansionColumnNumber(ContaineeRBeg)) && 1092 (ContainerEndLine != ContaineeEndLine || 1093 SM.getExpansionColumnNumber(ContainerREnd) >= 1094 SM.getExpansionColumnNumber(ContaineeREnd))); 1095 } 1096 1097 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 1098 if (!PrevLoc.isValid()) { 1099 PrevLoc = NewLoc; 1100 return; 1101 } 1102 1103 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc, PDB.LC); 1104 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc, PDB.LC); 1105 1106 if (PrevLocClean.asLocation().isInvalid()) { 1107 PrevLoc = NewLoc; 1108 return; 1109 } 1110 1111 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1112 return; 1113 1114 // FIXME: Ignore intra-macro edges for now. 1115 if (NewLocClean.asLocation().getExpansionLoc() == 1116 PrevLocClean.asLocation().getExpansionLoc()) 1117 return; 1118 1119 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 1120 PrevLoc = NewLoc; 1121 } 1122 1123 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd, 1124 bool IsPostJump) { 1125 1126 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1127 return; 1128 1129 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1130 1131 while (!CLocs.empty()) { 1132 ContextLocation &TopContextLoc = CLocs.back(); 1133 1134 // Is the top location context the same as the one for the new location? 1135 if (TopContextLoc == CLoc) { 1136 if (alwaysAdd) { 1137 if (IsConsumedExpr(TopContextLoc)) 1138 TopContextLoc.markDead(); 1139 1140 rawAddEdge(NewLoc); 1141 } 1142 1143 if (IsPostJump) 1144 TopContextLoc.markDead(); 1145 return; 1146 } 1147 1148 if (containsLocation(TopContextLoc, CLoc)) { 1149 if (alwaysAdd) { 1150 rawAddEdge(NewLoc); 1151 1152 if (IsConsumedExpr(CLoc)) { 1153 CLocs.push_back(ContextLocation(CLoc, /*IsDead=*/true)); 1154 return; 1155 } 1156 } 1157 1158 CLocs.push_back(ContextLocation(CLoc, /*IsDead=*/IsPostJump)); 1159 return; 1160 } 1161 1162 // Context does not contain the location. Flush it. 1163 popLocation(); 1164 } 1165 1166 // If we reach here, there is no enclosing context. Just add the edge. 1167 rawAddEdge(NewLoc); 1168 } 1169 1170 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1171 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 1172 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1173 1174 return false; 1175 } 1176 1177 void EdgeBuilder::addExtendedContext(const Stmt *S) { 1178 if (!S) 1179 return; 1180 1181 const Stmt *Parent = PDB.getParent(S); 1182 while (Parent) { 1183 if (isa<CompoundStmt>(Parent)) 1184 Parent = PDB.getParent(Parent); 1185 else 1186 break; 1187 } 1188 1189 if (Parent) { 1190 switch (Parent->getStmtClass()) { 1191 case Stmt::DoStmtClass: 1192 case Stmt::ObjCAtSynchronizedStmtClass: 1193 addContext(Parent); 1194 default: 1195 break; 1196 } 1197 } 1198 1199 addContext(S); 1200 } 1201 1202 void EdgeBuilder::addContext(const Stmt *S) { 1203 if (!S) 1204 return; 1205 1206 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.LC); 1207 addContext(L); 1208 } 1209 1210 void EdgeBuilder::addContext(const PathDiagnosticLocation &L) { 1211 while (!CLocs.empty()) { 1212 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1213 1214 // Is the top location context the same as the one for the new location? 1215 if (TopContextLoc == L) 1216 return; 1217 1218 if (containsLocation(TopContextLoc, L)) { 1219 CLocs.push_back(L); 1220 return; 1221 } 1222 1223 // Context does not contain the location. Flush it. 1224 popLocation(); 1225 } 1226 1227 CLocs.push_back(L); 1228 } 1229 1230 // Cone-of-influence: support the reverse propagation of "interesting" symbols 1231 // and values by tracing interesting calculations backwards through evaluated 1232 // expressions along a path. This is probably overly complicated, but the idea 1233 // is that if an expression computed an "interesting" value, the child 1234 // expressions are are also likely to be "interesting" as well (which then 1235 // propagates to the values they in turn compute). This reverse propagation 1236 // is needed to track interesting correlations across function call boundaries, 1237 // where formal arguments bind to actual arguments, etc. This is also needed 1238 // because the constraint solver sometimes simplifies certain symbolic values 1239 // into constants when appropriate, and this complicates reasoning about 1240 // interesting values. 1241 typedef llvm::DenseSet<const Expr *> InterestingExprs; 1242 1243 static void reversePropagateIntererstingSymbols(BugReport &R, 1244 InterestingExprs &IE, 1245 const ProgramState *State, 1246 const Expr *Ex, 1247 const LocationContext *LCtx) { 1248 SVal V = State->getSVal(Ex, LCtx); 1249 if (!(R.isInteresting(V) || IE.count(Ex))) 1250 return; 1251 1252 switch (Ex->getStmtClass()) { 1253 default: 1254 if (!isa<CastExpr>(Ex)) 1255 break; 1256 // Fall through. 1257 case Stmt::BinaryOperatorClass: 1258 case Stmt::UnaryOperatorClass: { 1259 for (Stmt::const_child_iterator CI = Ex->child_begin(), 1260 CE = Ex->child_end(); 1261 CI != CE; ++CI) { 1262 if (const Expr *child = dyn_cast_or_null<Expr>(*CI)) { 1263 IE.insert(child); 1264 SVal ChildV = State->getSVal(child, LCtx); 1265 R.markInteresting(ChildV); 1266 } 1267 } 1268 break; 1269 } 1270 } 1271 1272 R.markInteresting(V); 1273 } 1274 1275 static void reversePropagateInterestingSymbols(BugReport &R, 1276 InterestingExprs &IE, 1277 const ProgramState *State, 1278 const LocationContext *CalleeCtx, 1279 const LocationContext *CallerCtx) 1280 { 1281 // FIXME: Handle non-CallExpr-based CallEvents. 1282 const StackFrameContext *Callee = CalleeCtx->getCurrentStackFrame(); 1283 const Stmt *CallSite = Callee->getCallSite(); 1284 if (const CallExpr *CE = dyn_cast_or_null<CallExpr>(CallSite)) { 1285 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeCtx->getDecl())) { 1286 FunctionDecl::param_const_iterator PI = FD->param_begin(), 1287 PE = FD->param_end(); 1288 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end(); 1289 for (; AI != AE && PI != PE; ++AI, ++PI) { 1290 if (const Expr *ArgE = *AI) { 1291 if (const ParmVarDecl *PD = *PI) { 1292 Loc LV = State->getLValue(PD, CalleeCtx); 1293 if (R.isInteresting(LV) || R.isInteresting(State->getRawSVal(LV))) 1294 IE.insert(ArgE); 1295 } 1296 } 1297 } 1298 } 1299 } 1300 } 1301 1302 //===----------------------------------------------------------------------===// 1303 // Functions for determining if a loop was executed 0 times. 1304 //===----------------------------------------------------------------------===// 1305 1306 static bool isLoop(const Stmt *Term) { 1307 switch (Term->getStmtClass()) { 1308 case Stmt::ForStmtClass: 1309 case Stmt::WhileStmtClass: 1310 case Stmt::ObjCForCollectionStmtClass: 1311 case Stmt::CXXForRangeStmtClass: 1312 return true; 1313 default: 1314 // Note that we intentionally do not include do..while here. 1315 return false; 1316 } 1317 } 1318 1319 static bool isJumpToFalseBranch(const BlockEdge *BE) { 1320 const CFGBlock *Src = BE->getSrc(); 1321 assert(Src->succ_size() == 2); 1322 return (*(Src->succ_begin()+1) == BE->getDst()); 1323 } 1324 1325 /// Return true if the terminator is a loop and the destination is the 1326 /// false branch. 1327 static bool isLoopJumpPastBody(const Stmt *Term, const BlockEdge *BE) { 1328 if (!isLoop(Term)) 1329 return false; 1330 1331 // Did we take the false branch? 1332 return isJumpToFalseBranch(BE); 1333 } 1334 1335 static bool isContainedByStmt(ParentMap &PM, const Stmt *S, const Stmt *SubS) { 1336 while (SubS) { 1337 if (SubS == S) 1338 return true; 1339 SubS = PM.getParent(SubS); 1340 } 1341 return false; 1342 } 1343 1344 static const Stmt *getStmtBeforeCond(ParentMap &PM, const Stmt *Term, 1345 const ExplodedNode *N) { 1346 while (N) { 1347 Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>(); 1348 if (SP) { 1349 const Stmt *S = SP->getStmt(); 1350 if (!isContainedByStmt(PM, Term, S)) 1351 return S; 1352 } 1353 N = N->getFirstPred(); 1354 } 1355 return nullptr; 1356 } 1357 1358 static bool isInLoopBody(ParentMap &PM, const Stmt *S, const Stmt *Term) { 1359 const Stmt *LoopBody = nullptr; 1360 switch (Term->getStmtClass()) { 1361 case Stmt::CXXForRangeStmtClass: { 1362 const CXXForRangeStmt *FR = cast<CXXForRangeStmt>(Term); 1363 if (isContainedByStmt(PM, FR->getInc(), S)) 1364 return true; 1365 if (isContainedByStmt(PM, FR->getLoopVarStmt(), S)) 1366 return true; 1367 LoopBody = FR->getBody(); 1368 break; 1369 } 1370 case Stmt::ForStmtClass: { 1371 const ForStmt *FS = cast<ForStmt>(Term); 1372 if (isContainedByStmt(PM, FS->getInc(), S)) 1373 return true; 1374 LoopBody = FS->getBody(); 1375 break; 1376 } 1377 case Stmt::ObjCForCollectionStmtClass: { 1378 const ObjCForCollectionStmt *FC = cast<ObjCForCollectionStmt>(Term); 1379 LoopBody = FC->getBody(); 1380 break; 1381 } 1382 case Stmt::WhileStmtClass: 1383 LoopBody = cast<WhileStmt>(Term)->getBody(); 1384 break; 1385 default: 1386 return false; 1387 } 1388 return isContainedByStmt(PM, LoopBody, S); 1389 } 1390 1391 //===----------------------------------------------------------------------===// 1392 // Top-level logic for generating extensive path diagnostics. 1393 //===----------------------------------------------------------------------===// 1394 1395 static bool GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1396 PathDiagnosticBuilder &PDB, 1397 const ExplodedNode *N, 1398 LocationContextMap &LCM, 1399 ArrayRef<BugReporterVisitor *> visitors) { 1400 EdgeBuilder EB(PD, PDB); 1401 const SourceManager& SM = PDB.getSourceManager(); 1402 StackDiagVector CallStack; 1403 InterestingExprs IE; 1404 1405 const ExplodedNode *NextNode = N->pred_empty() ? nullptr : *(N->pred_begin()); 1406 while (NextNode) { 1407 N = NextNode; 1408 NextNode = N->getFirstPred(); 1409 ProgramPoint P = N->getLocation(); 1410 1411 do { 1412 if (Optional<PostStmt> PS = P.getAs<PostStmt>()) { 1413 if (const Expr *Ex = PS->getStmtAs<Expr>()) 1414 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1415 N->getState().get(), Ex, 1416 N->getLocationContext()); 1417 } 1418 1419 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1420 const Stmt *S = CE->getCalleeContext()->getCallSite(); 1421 if (const Expr *Ex = dyn_cast_or_null<Expr>(S)) { 1422 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1423 N->getState().get(), Ex, 1424 N->getLocationContext()); 1425 } 1426 1427 PathDiagnosticCallPiece *C = 1428 PathDiagnosticCallPiece::construct(N, *CE, SM); 1429 LCM[&C->path] = CE->getCalleeContext(); 1430 1431 EB.addEdge(C->callReturn, /*AlwaysAdd=*/true, /*IsPostJump=*/true); 1432 EB.flushLocations(); 1433 1434 PD.getActivePath().push_front(C); 1435 PD.pushActivePath(&C->path); 1436 CallStack.push_back(StackDiagPair(C, N)); 1437 break; 1438 } 1439 1440 // Pop the call hierarchy if we are done walking the contents 1441 // of a function call. 1442 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) { 1443 // Add an edge to the start of the function. 1444 const Decl *D = CE->getCalleeContext()->getDecl(); 1445 PathDiagnosticLocation pos = 1446 PathDiagnosticLocation::createBegin(D, SM); 1447 EB.addEdge(pos); 1448 1449 // Flush all locations, and pop the active path. 1450 bool VisitedEntireCall = PD.isWithinCall(); 1451 EB.flushLocations(); 1452 PD.popActivePath(); 1453 PDB.LC = N->getLocationContext(); 1454 1455 // Either we just added a bunch of stuff to the top-level path, or 1456 // we have a previous CallExitEnd. If the former, it means that the 1457 // path terminated within a function call. We must then take the 1458 // current contents of the active path and place it within 1459 // a new PathDiagnosticCallPiece. 1460 PathDiagnosticCallPiece *C; 1461 if (VisitedEntireCall) { 1462 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 1463 } else { 1464 const Decl *Caller = CE->getLocationContext()->getDecl(); 1465 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 1466 LCM[&C->path] = CE->getCalleeContext(); 1467 } 1468 1469 C->setCallee(*CE, SM); 1470 EB.addContext(C->getLocation()); 1471 1472 if (!CallStack.empty()) { 1473 assert(CallStack.back().first == C); 1474 CallStack.pop_back(); 1475 } 1476 break; 1477 } 1478 1479 // Note that is important that we update the LocationContext 1480 // after looking at CallExits. CallExit basically adds an 1481 // edge in the *caller*, so we don't want to update the LocationContext 1482 // too soon. 1483 PDB.LC = N->getLocationContext(); 1484 1485 // Block edges. 1486 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) { 1487 // Does this represent entering a call? If so, look at propagating 1488 // interesting symbols across call boundaries. 1489 if (NextNode) { 1490 const LocationContext *CallerCtx = NextNode->getLocationContext(); 1491 const LocationContext *CalleeCtx = PDB.LC; 1492 if (CallerCtx != CalleeCtx) { 1493 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 1494 N->getState().get(), 1495 CalleeCtx, CallerCtx); 1496 } 1497 } 1498 1499 // Are we jumping to the head of a loop? Add a special diagnostic. 1500 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1501 PathDiagnosticLocation L(Loop, SM, PDB.LC); 1502 const CompoundStmt *CS = nullptr; 1503 1504 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1505 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1506 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1507 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1508 1509 PathDiagnosticEventPiece *p = 1510 new PathDiagnosticEventPiece(L, 1511 "Looping back to the head of the loop"); 1512 p->setPrunable(true); 1513 1514 EB.addEdge(p->getLocation(), true); 1515 PD.getActivePath().push_front(p); 1516 1517 if (CS) { 1518 PathDiagnosticLocation BL = 1519 PathDiagnosticLocation::createEndBrace(CS, SM); 1520 EB.addEdge(BL); 1521 } 1522 } 1523 1524 const CFGBlock *BSrc = BE->getSrc(); 1525 ParentMap &PM = PDB.getParentMap(); 1526 1527 if (const Stmt *Term = BSrc->getTerminator()) { 1528 // Are we jumping past the loop body without ever executing the 1529 // loop (because the condition was false)? 1530 if (isLoopJumpPastBody(Term, &*BE) && 1531 !isInLoopBody(PM, 1532 getStmtBeforeCond(PM, 1533 BSrc->getTerminatorCondition(), 1534 N), 1535 Term)) { 1536 PathDiagnosticLocation L(Term, SM, PDB.LC); 1537 PathDiagnosticEventPiece *PE = 1538 new PathDiagnosticEventPiece(L, "Loop body executed 0 times"); 1539 PE->setPrunable(true); 1540 1541 EB.addEdge(PE->getLocation(), true); 1542 PD.getActivePath().push_front(PE); 1543 } 1544 1545 // In any case, add the terminator as the current statement 1546 // context for control edges. 1547 EB.addContext(Term); 1548 } 1549 1550 break; 1551 } 1552 1553 if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) { 1554 Optional<CFGElement> First = BE->getFirstElement(); 1555 if (Optional<CFGStmt> S = First ? First->getAs<CFGStmt>() : None) { 1556 const Stmt *stmt = S->getStmt(); 1557 if (IsControlFlowExpr(stmt)) { 1558 // Add the proper context for '&&', '||', and '?'. 1559 EB.addContext(stmt); 1560 } 1561 else 1562 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1563 } 1564 1565 break; 1566 } 1567 1568 1569 } while (0); 1570 1571 if (!NextNode) 1572 continue; 1573 1574 // Add pieces from custom visitors. 1575 BugReport *R = PDB.getBugReport(); 1576 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 1577 E = visitors.end(); 1578 I != E; ++I) { 1579 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 1580 const PathDiagnosticLocation &Loc = p->getLocation(); 1581 EB.addEdge(Loc, true); 1582 PD.getActivePath().push_front(p); 1583 updateStackPiecesWithMessage(p, CallStack); 1584 1585 if (const Stmt *S = Loc.asStmt()) 1586 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1587 } 1588 } 1589 } 1590 1591 return PDB.getBugReport()->isValid(); 1592 } 1593 1594 /// \brief Adds a sanitized control-flow diagnostic edge to a path. 1595 static void addEdgeToPath(PathPieces &path, 1596 PathDiagnosticLocation &PrevLoc, 1597 PathDiagnosticLocation NewLoc, 1598 const LocationContext *LC) { 1599 if (!NewLoc.isValid()) 1600 return; 1601 1602 SourceLocation NewLocL = NewLoc.asLocation(); 1603 if (NewLocL.isInvalid()) 1604 return; 1605 1606 if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) { 1607 PrevLoc = NewLoc; 1608 return; 1609 } 1610 1611 // Ignore self-edges, which occur when there are multiple nodes at the same 1612 // statement. 1613 if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt()) 1614 return; 1615 1616 path.push_front(new PathDiagnosticControlFlowPiece(NewLoc, 1617 PrevLoc)); 1618 PrevLoc = NewLoc; 1619 } 1620 1621 /// A customized wrapper for CFGBlock::getTerminatorCondition() 1622 /// which returns the element for ObjCForCollectionStmts. 1623 static const Stmt *getTerminatorCondition(const CFGBlock *B) { 1624 const Stmt *S = B->getTerminatorCondition(); 1625 if (const ObjCForCollectionStmt *FS = 1626 dyn_cast_or_null<ObjCForCollectionStmt>(S)) 1627 return FS->getElement(); 1628 return S; 1629 } 1630 1631 static const char StrEnteringLoop[] = "Entering loop body"; 1632 static const char StrLoopBodyZero[] = "Loop body executed 0 times"; 1633 static const char StrLoopRangeEmpty[] = 1634 "Loop body skipped when range is empty"; 1635 static const char StrLoopCollectionEmpty[] = 1636 "Loop body skipped when collection is empty"; 1637 1638 static bool 1639 GenerateAlternateExtensivePathDiagnostic(PathDiagnostic& PD, 1640 PathDiagnosticBuilder &PDB, 1641 const ExplodedNode *N, 1642 LocationContextMap &LCM, 1643 ArrayRef<BugReporterVisitor *> visitors) { 1644 1645 BugReport *report = PDB.getBugReport(); 1646 const SourceManager& SM = PDB.getSourceManager(); 1647 StackDiagVector CallStack; 1648 InterestingExprs IE; 1649 1650 PathDiagnosticLocation PrevLoc = PD.getLocation(); 1651 1652 const ExplodedNode *NextNode = N->getFirstPred(); 1653 while (NextNode) { 1654 N = NextNode; 1655 NextNode = N->getFirstPred(); 1656 ProgramPoint P = N->getLocation(); 1657 1658 do { 1659 // Have we encountered an entrance to a call? It may be 1660 // the case that we have not encountered a matching 1661 // call exit before this point. This means that the path 1662 // terminated within the call itself. 1663 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) { 1664 // Add an edge to the start of the function. 1665 const StackFrameContext *CalleeLC = CE->getCalleeContext(); 1666 const Decl *D = CalleeLC->getDecl(); 1667 addEdgeToPath(PD.getActivePath(), PrevLoc, 1668 PathDiagnosticLocation::createBegin(D, SM), 1669 CalleeLC); 1670 1671 // Did we visit an entire call? 1672 bool VisitedEntireCall = PD.isWithinCall(); 1673 PD.popActivePath(); 1674 1675 PathDiagnosticCallPiece *C; 1676 if (VisitedEntireCall) { 1677 PathDiagnosticPiece *P = PD.getActivePath().front().get(); 1678 C = cast<PathDiagnosticCallPiece>(P); 1679 } else { 1680 const Decl *Caller = CE->getLocationContext()->getDecl(); 1681 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 1682 1683 // Since we just transferred the path over to the call piece, 1684 // reset the mapping from active to location context. 1685 assert(PD.getActivePath().size() == 1 && 1686 PD.getActivePath().front() == C); 1687 LCM[&PD.getActivePath()] = nullptr; 1688 1689 // Record the location context mapping for the path within 1690 // the call. 1691 assert(LCM[&C->path] == nullptr || 1692 LCM[&C->path] == CE->getCalleeContext()); 1693 LCM[&C->path] = CE->getCalleeContext(); 1694 1695 // If this is the first item in the active path, record 1696 // the new mapping from active path to location context. 1697 const LocationContext *&NewLC = LCM[&PD.getActivePath()]; 1698 if (!NewLC) 1699 NewLC = N->getLocationContext(); 1700 1701 PDB.LC = NewLC; 1702 } 1703 C->setCallee(*CE, SM); 1704 1705 // Update the previous location in the active path. 1706 PrevLoc = C->getLocation(); 1707 1708 if (!CallStack.empty()) { 1709 assert(CallStack.back().first == C); 1710 CallStack.pop_back(); 1711 } 1712 break; 1713 } 1714 1715 // Query the location context here and the previous location 1716 // as processing CallEnter may change the active path. 1717 PDB.LC = N->getLocationContext(); 1718 1719 // Record the mapping from the active path to the location 1720 // context. 1721 assert(!LCM[&PD.getActivePath()] || 1722 LCM[&PD.getActivePath()] == PDB.LC); 1723 LCM[&PD.getActivePath()] = PDB.LC; 1724 1725 // Have we encountered an exit from a function call? 1726 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) { 1727 const Stmt *S = CE->getCalleeContext()->getCallSite(); 1728 // Propagate the interesting symbols accordingly. 1729 if (const Expr *Ex = dyn_cast_or_null<Expr>(S)) { 1730 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1731 N->getState().get(), Ex, 1732 N->getLocationContext()); 1733 } 1734 1735 // We are descending into a call (backwards). Construct 1736 // a new call piece to contain the path pieces for that call. 1737 PathDiagnosticCallPiece *C = 1738 PathDiagnosticCallPiece::construct(N, *CE, SM); 1739 1740 // Record the location context for this call piece. 1741 LCM[&C->path] = CE->getCalleeContext(); 1742 1743 // Add the edge to the return site. 1744 addEdgeToPath(PD.getActivePath(), PrevLoc, C->callReturn, PDB.LC); 1745 PD.getActivePath().push_front(C); 1746 PrevLoc.invalidate(); 1747 1748 // Make the contents of the call the active path for now. 1749 PD.pushActivePath(&C->path); 1750 CallStack.push_back(StackDiagPair(C, N)); 1751 break; 1752 } 1753 1754 if (Optional<PostStmt> PS = P.getAs<PostStmt>()) { 1755 // For expressions, make sure we propagate the 1756 // interesting symbols correctly. 1757 if (const Expr *Ex = PS->getStmtAs<Expr>()) 1758 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1759 N->getState().get(), Ex, 1760 N->getLocationContext()); 1761 1762 // Add an edge. If this is an ObjCForCollectionStmt do 1763 // not add an edge here as it appears in the CFG both 1764 // as a terminator and as a terminator condition. 1765 if (!isa<ObjCForCollectionStmt>(PS->getStmt())) { 1766 PathDiagnosticLocation L = 1767 PathDiagnosticLocation(PS->getStmt(), SM, PDB.LC); 1768 addEdgeToPath(PD.getActivePath(), PrevLoc, L, PDB.LC); 1769 } 1770 break; 1771 } 1772 1773 // Block edges. 1774 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) { 1775 // Does this represent entering a call? If so, look at propagating 1776 // interesting symbols across call boundaries. 1777 if (NextNode) { 1778 const LocationContext *CallerCtx = NextNode->getLocationContext(); 1779 const LocationContext *CalleeCtx = PDB.LC; 1780 if (CallerCtx != CalleeCtx) { 1781 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 1782 N->getState().get(), 1783 CalleeCtx, CallerCtx); 1784 } 1785 } 1786 1787 // Are we jumping to the head of a loop? Add a special diagnostic. 1788 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) { 1789 PathDiagnosticLocation L(Loop, SM, PDB.LC); 1790 const Stmt *Body = nullptr; 1791 1792 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1793 Body = FS->getBody(); 1794 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1795 Body = WS->getBody(); 1796 else if (const ObjCForCollectionStmt *OFS = 1797 dyn_cast<ObjCForCollectionStmt>(Loop)) { 1798 Body = OFS->getBody(); 1799 } else if (const CXXForRangeStmt *FRS = 1800 dyn_cast<CXXForRangeStmt>(Loop)) { 1801 Body = FRS->getBody(); 1802 } 1803 // do-while statements are explicitly excluded here 1804 1805 PathDiagnosticEventPiece *p = 1806 new PathDiagnosticEventPiece(L, "Looping back to the head " 1807 "of the loop"); 1808 p->setPrunable(true); 1809 1810 addEdgeToPath(PD.getActivePath(), PrevLoc, p->getLocation(), PDB.LC); 1811 PD.getActivePath().push_front(p); 1812 1813 if (const CompoundStmt *CS = dyn_cast_or_null<CompoundStmt>(Body)) { 1814 addEdgeToPath(PD.getActivePath(), PrevLoc, 1815 PathDiagnosticLocation::createEndBrace(CS, SM), 1816 PDB.LC); 1817 } 1818 } 1819 1820 const CFGBlock *BSrc = BE->getSrc(); 1821 ParentMap &PM = PDB.getParentMap(); 1822 1823 if (const Stmt *Term = BSrc->getTerminator()) { 1824 // Are we jumping past the loop body without ever executing the 1825 // loop (because the condition was false)? 1826 if (isLoop(Term)) { 1827 const Stmt *TermCond = getTerminatorCondition(BSrc); 1828 bool IsInLoopBody = 1829 isInLoopBody(PM, getStmtBeforeCond(PM, TermCond, N), Term); 1830 1831 const char *str = nullptr; 1832 1833 if (isJumpToFalseBranch(&*BE)) { 1834 if (!IsInLoopBody) { 1835 if (isa<ObjCForCollectionStmt>(Term)) { 1836 str = StrLoopCollectionEmpty; 1837 } else if (isa<CXXForRangeStmt>(Term)) { 1838 str = StrLoopRangeEmpty; 1839 } else { 1840 str = StrLoopBodyZero; 1841 } 1842 } 1843 } else { 1844 str = StrEnteringLoop; 1845 } 1846 1847 if (str) { 1848 PathDiagnosticLocation L(TermCond ? TermCond : Term, SM, PDB.LC); 1849 PathDiagnosticEventPiece *PE = 1850 new PathDiagnosticEventPiece(L, str); 1851 PE->setPrunable(true); 1852 addEdgeToPath(PD.getActivePath(), PrevLoc, 1853 PE->getLocation(), PDB.LC); 1854 PD.getActivePath().push_front(PE); 1855 } 1856 } else if (isa<BreakStmt>(Term) || isa<ContinueStmt>(Term) || 1857 isa<GotoStmt>(Term)) { 1858 PathDiagnosticLocation L(Term, SM, PDB.LC); 1859 addEdgeToPath(PD.getActivePath(), PrevLoc, L, PDB.LC); 1860 } 1861 } 1862 break; 1863 } 1864 } while (0); 1865 1866 if (!NextNode) 1867 continue; 1868 1869 // Add pieces from custom visitors. 1870 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 1871 E = visitors.end(); 1872 I != E; ++I) { 1873 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *report)) { 1874 addEdgeToPath(PD.getActivePath(), PrevLoc, p->getLocation(), PDB.LC); 1875 PD.getActivePath().push_front(p); 1876 updateStackPiecesWithMessage(p, CallStack); 1877 } 1878 } 1879 } 1880 1881 // Add an edge to the start of the function. 1882 // We'll prune it out later, but it helps make diagnostics more uniform. 1883 const StackFrameContext *CalleeLC = PDB.LC->getCurrentStackFrame(); 1884 const Decl *D = CalleeLC->getDecl(); 1885 addEdgeToPath(PD.getActivePath(), PrevLoc, 1886 PathDiagnosticLocation::createBegin(D, SM), 1887 CalleeLC); 1888 1889 return report->isValid(); 1890 } 1891 1892 static const Stmt *getLocStmt(PathDiagnosticLocation L) { 1893 if (!L.isValid()) 1894 return nullptr; 1895 return L.asStmt(); 1896 } 1897 1898 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) { 1899 if (!S) 1900 return nullptr; 1901 1902 while (true) { 1903 S = PM.getParentIgnoreParens(S); 1904 1905 if (!S) 1906 break; 1907 1908 if (isa<ExprWithCleanups>(S) || 1909 isa<CXXBindTemporaryExpr>(S) || 1910 isa<SubstNonTypeTemplateParmExpr>(S)) 1911 continue; 1912 1913 break; 1914 } 1915 1916 return S; 1917 } 1918 1919 static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) { 1920 switch (S->getStmtClass()) { 1921 case Stmt::BinaryOperatorClass: { 1922 const BinaryOperator *BO = cast<BinaryOperator>(S); 1923 if (!BO->isLogicalOp()) 1924 return false; 1925 return BO->getLHS() == Cond || BO->getRHS() == Cond; 1926 } 1927 case Stmt::IfStmtClass: 1928 return cast<IfStmt>(S)->getCond() == Cond; 1929 case Stmt::ForStmtClass: 1930 return cast<ForStmt>(S)->getCond() == Cond; 1931 case Stmt::WhileStmtClass: 1932 return cast<WhileStmt>(S)->getCond() == Cond; 1933 case Stmt::DoStmtClass: 1934 return cast<DoStmt>(S)->getCond() == Cond; 1935 case Stmt::ChooseExprClass: 1936 return cast<ChooseExpr>(S)->getCond() == Cond; 1937 case Stmt::IndirectGotoStmtClass: 1938 return cast<IndirectGotoStmt>(S)->getTarget() == Cond; 1939 case Stmt::SwitchStmtClass: 1940 return cast<SwitchStmt>(S)->getCond() == Cond; 1941 case Stmt::BinaryConditionalOperatorClass: 1942 return cast<BinaryConditionalOperator>(S)->getCond() == Cond; 1943 case Stmt::ConditionalOperatorClass: { 1944 const ConditionalOperator *CO = cast<ConditionalOperator>(S); 1945 return CO->getCond() == Cond || 1946 CO->getLHS() == Cond || 1947 CO->getRHS() == Cond; 1948 } 1949 case Stmt::ObjCForCollectionStmtClass: 1950 return cast<ObjCForCollectionStmt>(S)->getElement() == Cond; 1951 case Stmt::CXXForRangeStmtClass: { 1952 const CXXForRangeStmt *FRS = cast<CXXForRangeStmt>(S); 1953 return FRS->getCond() == Cond || FRS->getRangeInit() == Cond; 1954 } 1955 default: 1956 return false; 1957 } 1958 } 1959 1960 static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) { 1961 if (const ForStmt *FS = dyn_cast<ForStmt>(FL)) 1962 return FS->getInc() == S || FS->getInit() == S; 1963 if (const CXXForRangeStmt *FRS = dyn_cast<CXXForRangeStmt>(FL)) 1964 return FRS->getInc() == S || FRS->getRangeStmt() == S || 1965 FRS->getLoopVarStmt() || FRS->getRangeInit() == S; 1966 return false; 1967 } 1968 1969 typedef llvm::DenseSet<const PathDiagnosticCallPiece *> 1970 OptimizedCallsSet; 1971 1972 /// Adds synthetic edges from top-level statements to their subexpressions. 1973 /// 1974 /// This avoids a "swoosh" effect, where an edge from a top-level statement A 1975 /// points to a sub-expression B.1 that's not at the start of B. In these cases, 1976 /// we'd like to see an edge from A to B, then another one from B to B.1. 1977 static void addContextEdges(PathPieces &pieces, SourceManager &SM, 1978 const ParentMap &PM, const LocationContext *LCtx) { 1979 PathPieces::iterator Prev = pieces.end(); 1980 for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E; 1981 Prev = I, ++I) { 1982 PathDiagnosticControlFlowPiece *Piece = 1983 dyn_cast<PathDiagnosticControlFlowPiece>(*I); 1984 1985 if (!Piece) 1986 continue; 1987 1988 PathDiagnosticLocation SrcLoc = Piece->getStartLocation(); 1989 SmallVector<PathDiagnosticLocation, 4> SrcContexts; 1990 1991 PathDiagnosticLocation NextSrcContext = SrcLoc; 1992 const Stmt *InnerStmt = nullptr; 1993 while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) { 1994 SrcContexts.push_back(NextSrcContext); 1995 InnerStmt = NextSrcContext.asStmt(); 1996 NextSrcContext = getEnclosingStmtLocation(InnerStmt, SM, PM, LCtx, 1997 /*allowNested=*/true); 1998 } 1999 2000 // Repeatedly split the edge as necessary. 2001 // This is important for nested logical expressions (||, &&, ?:) where we 2002 // want to show all the levels of context. 2003 while (true) { 2004 const Stmt *Dst = getLocStmt(Piece->getEndLocation()); 2005 2006 // We are looking at an edge. Is the destination within a larger 2007 // expression? 2008 PathDiagnosticLocation DstContext = 2009 getEnclosingStmtLocation(Dst, SM, PM, LCtx, /*allowNested=*/true); 2010 if (!DstContext.isValid() || DstContext.asStmt() == Dst) 2011 break; 2012 2013 // If the source is in the same context, we're already good. 2014 if (std::find(SrcContexts.begin(), SrcContexts.end(), DstContext) != 2015 SrcContexts.end()) 2016 break; 2017 2018 // Update the subexpression node to point to the context edge. 2019 Piece->setStartLocation(DstContext); 2020 2021 // Try to extend the previous edge if it's at the same level as the source 2022 // context. 2023 if (Prev != E) { 2024 PathDiagnosticControlFlowPiece *PrevPiece = 2025 dyn_cast<PathDiagnosticControlFlowPiece>(*Prev); 2026 2027 if (PrevPiece) { 2028 if (const Stmt *PrevSrc = getLocStmt(PrevPiece->getStartLocation())) { 2029 const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM); 2030 if (PrevSrcParent == getStmtParent(getLocStmt(DstContext), PM)) { 2031 PrevPiece->setEndLocation(DstContext); 2032 break; 2033 } 2034 } 2035 } 2036 } 2037 2038 // Otherwise, split the current edge into a context edge and a 2039 // subexpression edge. Note that the context statement may itself have 2040 // context. 2041 Piece = new PathDiagnosticControlFlowPiece(SrcLoc, DstContext); 2042 I = pieces.insert(I, Piece); 2043 } 2044 } 2045 } 2046 2047 /// \brief Move edges from a branch condition to a branch target 2048 /// when the condition is simple. 2049 /// 2050 /// This restructures some of the work of addContextEdges. That function 2051 /// creates edges this may destroy, but they work together to create a more 2052 /// aesthetically set of edges around branches. After the call to 2053 /// addContextEdges, we may have (1) an edge to the branch, (2) an edge from 2054 /// the branch to the branch condition, and (3) an edge from the branch 2055 /// condition to the branch target. We keep (1), but may wish to remove (2) 2056 /// and move the source of (3) to the branch if the branch condition is simple. 2057 /// 2058 static void simplifySimpleBranches(PathPieces &pieces) { 2059 for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) { 2060 2061 PathDiagnosticControlFlowPiece *PieceI = 2062 dyn_cast<PathDiagnosticControlFlowPiece>(*I); 2063 2064 if (!PieceI) 2065 continue; 2066 2067 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation()); 2068 const Stmt *s1End = getLocStmt(PieceI->getEndLocation()); 2069 2070 if (!s1Start || !s1End) 2071 continue; 2072 2073 PathPieces::iterator NextI = I; ++NextI; 2074 if (NextI == E) 2075 break; 2076 2077 PathDiagnosticControlFlowPiece *PieceNextI = nullptr; 2078 2079 while (true) { 2080 if (NextI == E) 2081 break; 2082 2083 PathDiagnosticEventPiece *EV = dyn_cast<PathDiagnosticEventPiece>(*NextI); 2084 if (EV) { 2085 StringRef S = EV->getString(); 2086 if (S == StrEnteringLoop || S == StrLoopBodyZero || 2087 S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) { 2088 ++NextI; 2089 continue; 2090 } 2091 break; 2092 } 2093 2094 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(*NextI); 2095 break; 2096 } 2097 2098 if (!PieceNextI) 2099 continue; 2100 2101 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation()); 2102 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation()); 2103 2104 if (!s2Start || !s2End || s1End != s2Start) 2105 continue; 2106 2107 // We only perform this transformation for specific branch kinds. 2108 // We don't want to do this for do..while, for example. 2109 if (!(isa<ForStmt>(s1Start) || isa<WhileStmt>(s1Start) || 2110 isa<IfStmt>(s1Start) || isa<ObjCForCollectionStmt>(s1Start) || 2111 isa<CXXForRangeStmt>(s1Start))) 2112 continue; 2113 2114 // Is s1End the branch condition? 2115 if (!isConditionForTerminator(s1Start, s1End)) 2116 continue; 2117 2118 // Perform the hoisting by eliminating (2) and changing the start 2119 // location of (3). 2120 PieceNextI->setStartLocation(PieceI->getStartLocation()); 2121 I = pieces.erase(I); 2122 } 2123 } 2124 2125 /// Returns the number of bytes in the given (character-based) SourceRange. 2126 /// 2127 /// If the locations in the range are not on the same line, returns None. 2128 /// 2129 /// Note that this does not do a precise user-visible character or column count. 2130 static Optional<size_t> getLengthOnSingleLine(SourceManager &SM, 2131 SourceRange Range) { 2132 SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()), 2133 SM.getExpansionRange(Range.getEnd()).second); 2134 2135 FileID FID = SM.getFileID(ExpansionRange.getBegin()); 2136 if (FID != SM.getFileID(ExpansionRange.getEnd())) 2137 return None; 2138 2139 bool Invalid; 2140 const llvm::MemoryBuffer *Buffer = SM.getBuffer(FID, &Invalid); 2141 if (Invalid) 2142 return None; 2143 2144 unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin()); 2145 unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd()); 2146 StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset); 2147 2148 // We're searching the raw bytes of the buffer here, which might include 2149 // escaped newlines and such. That's okay; we're trying to decide whether the 2150 // SourceRange is covering a large or small amount of space in the user's 2151 // editor. 2152 if (Snippet.find_first_of("\r\n") != StringRef::npos) 2153 return None; 2154 2155 // This isn't Unicode-aware, but it doesn't need to be. 2156 return Snippet.size(); 2157 } 2158 2159 /// \sa getLengthOnSingleLine(SourceManager, SourceRange) 2160 static Optional<size_t> getLengthOnSingleLine(SourceManager &SM, 2161 const Stmt *S) { 2162 return getLengthOnSingleLine(SM, S->getSourceRange()); 2163 } 2164 2165 /// Eliminate two-edge cycles created by addContextEdges(). 2166 /// 2167 /// Once all the context edges are in place, there are plenty of cases where 2168 /// there's a single edge from a top-level statement to a subexpression, 2169 /// followed by a single path note, and then a reverse edge to get back out to 2170 /// the top level. If the statement is simple enough, the subexpression edges 2171 /// just add noise and make it harder to understand what's going on. 2172 /// 2173 /// This function only removes edges in pairs, because removing only one edge 2174 /// might leave other edges dangling. 2175 /// 2176 /// This will not remove edges in more complicated situations: 2177 /// - if there is more than one "hop" leading to or from a subexpression. 2178 /// - if there is an inlined call between the edges instead of a single event. 2179 /// - if the whole statement is large enough that having subexpression arrows 2180 /// might be helpful. 2181 static void removeContextCycles(PathPieces &Path, SourceManager &SM, 2182 ParentMap &PM) { 2183 for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) { 2184 // Pattern match the current piece and its successor. 2185 PathDiagnosticControlFlowPiece *PieceI = 2186 dyn_cast<PathDiagnosticControlFlowPiece>(*I); 2187 2188 if (!PieceI) { 2189 ++I; 2190 continue; 2191 } 2192 2193 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation()); 2194 const Stmt *s1End = getLocStmt(PieceI->getEndLocation()); 2195 2196 PathPieces::iterator NextI = I; ++NextI; 2197 if (NextI == E) 2198 break; 2199 2200 PathDiagnosticControlFlowPiece *PieceNextI = 2201 dyn_cast<PathDiagnosticControlFlowPiece>(*NextI); 2202 2203 if (!PieceNextI) { 2204 if (isa<PathDiagnosticEventPiece>(*NextI)) { 2205 ++NextI; 2206 if (NextI == E) 2207 break; 2208 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(*NextI); 2209 } 2210 2211 if (!PieceNextI) { 2212 ++I; 2213 continue; 2214 } 2215 } 2216 2217 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation()); 2218 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation()); 2219 2220 if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) { 2221 const size_t MAX_SHORT_LINE_LENGTH = 80; 2222 Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start); 2223 if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) { 2224 Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start); 2225 if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) { 2226 Path.erase(I); 2227 I = Path.erase(NextI); 2228 continue; 2229 } 2230 } 2231 } 2232 2233 ++I; 2234 } 2235 } 2236 2237 /// \brief Return true if X is contained by Y. 2238 static bool lexicalContains(ParentMap &PM, 2239 const Stmt *X, 2240 const Stmt *Y) { 2241 while (X) { 2242 if (X == Y) 2243 return true; 2244 X = PM.getParent(X); 2245 } 2246 return false; 2247 } 2248 2249 // Remove short edges on the same line less than 3 columns in difference. 2250 static void removePunyEdges(PathPieces &path, 2251 SourceManager &SM, 2252 ParentMap &PM) { 2253 2254 bool erased = false; 2255 2256 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; 2257 erased ? I : ++I) { 2258 2259 erased = false; 2260 2261 PathDiagnosticControlFlowPiece *PieceI = 2262 dyn_cast<PathDiagnosticControlFlowPiece>(*I); 2263 2264 if (!PieceI) 2265 continue; 2266 2267 const Stmt *start = getLocStmt(PieceI->getStartLocation()); 2268 const Stmt *end = getLocStmt(PieceI->getEndLocation()); 2269 2270 if (!start || !end) 2271 continue; 2272 2273 const Stmt *endParent = PM.getParent(end); 2274 if (!endParent) 2275 continue; 2276 2277 if (isConditionForTerminator(end, endParent)) 2278 continue; 2279 2280 SourceLocation FirstLoc = start->getLocStart(); 2281 SourceLocation SecondLoc = end->getLocStart(); 2282 2283 if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc)) 2284 continue; 2285 if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc)) 2286 std::swap(SecondLoc, FirstLoc); 2287 2288 SourceRange EdgeRange(FirstLoc, SecondLoc); 2289 Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange); 2290 2291 // If the statements are on different lines, continue. 2292 if (!ByteWidth) 2293 continue; 2294 2295 const size_t MAX_PUNY_EDGE_LENGTH = 2; 2296 if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) { 2297 // FIXME: There are enough /bytes/ between the endpoints of the edge, but 2298 // there might not be enough /columns/. A proper user-visible column count 2299 // is probably too expensive, though. 2300 I = path.erase(I); 2301 erased = true; 2302 continue; 2303 } 2304 } 2305 } 2306 2307 static void removeIdenticalEvents(PathPieces &path) { 2308 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) { 2309 PathDiagnosticEventPiece *PieceI = 2310 dyn_cast<PathDiagnosticEventPiece>(*I); 2311 2312 if (!PieceI) 2313 continue; 2314 2315 PathPieces::iterator NextI = I; ++NextI; 2316 if (NextI == E) 2317 return; 2318 2319 PathDiagnosticEventPiece *PieceNextI = 2320 dyn_cast<PathDiagnosticEventPiece>(*NextI); 2321 2322 if (!PieceNextI) 2323 continue; 2324 2325 // Erase the second piece if it has the same exact message text. 2326 if (PieceI->getString() == PieceNextI->getString()) { 2327 path.erase(NextI); 2328 } 2329 } 2330 } 2331 2332 static bool optimizeEdges(PathPieces &path, SourceManager &SM, 2333 OptimizedCallsSet &OCS, 2334 LocationContextMap &LCM) { 2335 bool hasChanges = false; 2336 const LocationContext *LC = LCM[&path]; 2337 assert(LC); 2338 ParentMap &PM = LC->getParentMap(); 2339 2340 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) { 2341 // Optimize subpaths. 2342 if (PathDiagnosticCallPiece *CallI = dyn_cast<PathDiagnosticCallPiece>(*I)){ 2343 // Record the fact that a call has been optimized so we only do the 2344 // effort once. 2345 if (!OCS.count(CallI)) { 2346 while (optimizeEdges(CallI->path, SM, OCS, LCM)) {} 2347 OCS.insert(CallI); 2348 } 2349 ++I; 2350 continue; 2351 } 2352 2353 // Pattern match the current piece and its successor. 2354 PathDiagnosticControlFlowPiece *PieceI = 2355 dyn_cast<PathDiagnosticControlFlowPiece>(*I); 2356 2357 if (!PieceI) { 2358 ++I; 2359 continue; 2360 } 2361 2362 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation()); 2363 const Stmt *s1End = getLocStmt(PieceI->getEndLocation()); 2364 const Stmt *level1 = getStmtParent(s1Start, PM); 2365 const Stmt *level2 = getStmtParent(s1End, PM); 2366 2367 PathPieces::iterator NextI = I; ++NextI; 2368 if (NextI == E) 2369 break; 2370 2371 PathDiagnosticControlFlowPiece *PieceNextI = 2372 dyn_cast<PathDiagnosticControlFlowPiece>(*NextI); 2373 2374 if (!PieceNextI) { 2375 ++I; 2376 continue; 2377 } 2378 2379 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation()); 2380 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation()); 2381 const Stmt *level3 = getStmtParent(s2Start, PM); 2382 const Stmt *level4 = getStmtParent(s2End, PM); 2383 2384 // Rule I. 2385 // 2386 // If we have two consecutive control edges whose end/begin locations 2387 // are at the same level (e.g. statements or top-level expressions within 2388 // a compound statement, or siblings share a single ancestor expression), 2389 // then merge them if they have no interesting intermediate event. 2390 // 2391 // For example: 2392 // 2393 // (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common 2394 // parent is '1'. Here 'x.y.z' represents the hierarchy of statements. 2395 // 2396 // NOTE: this will be limited later in cases where we add barriers 2397 // to prevent this optimization. 2398 // 2399 if (level1 && level1 == level2 && level1 == level3 && level1 == level4) { 2400 PieceI->setEndLocation(PieceNextI->getEndLocation()); 2401 path.erase(NextI); 2402 hasChanges = true; 2403 continue; 2404 } 2405 2406 // Rule II. 2407 // 2408 // Eliminate edges between subexpressions and parent expressions 2409 // when the subexpression is consumed. 2410 // 2411 // NOTE: this will be limited later in cases where we add barriers 2412 // to prevent this optimization. 2413 // 2414 if (s1End && s1End == s2Start && level2) { 2415 bool removeEdge = false; 2416 // Remove edges into the increment or initialization of a 2417 // loop that have no interleaving event. This means that 2418 // they aren't interesting. 2419 if (isIncrementOrInitInForLoop(s1End, level2)) 2420 removeEdge = true; 2421 // Next only consider edges that are not anchored on 2422 // the condition of a terminator. This are intermediate edges 2423 // that we might want to trim. 2424 else if (!isConditionForTerminator(level2, s1End)) { 2425 // Trim edges on expressions that are consumed by 2426 // the parent expression. 2427 if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) { 2428 removeEdge = true; 2429 } 2430 // Trim edges where a lexical containment doesn't exist. 2431 // For example: 2432 // 2433 // X -> Y -> Z 2434 // 2435 // If 'Z' lexically contains Y (it is an ancestor) and 2436 // 'X' does not lexically contain Y (it is a descendant OR 2437 // it has no lexical relationship at all) then trim. 2438 // 2439 // This can eliminate edges where we dive into a subexpression 2440 // and then pop back out, etc. 2441 else if (s1Start && s2End && 2442 lexicalContains(PM, s2Start, s2End) && 2443 !lexicalContains(PM, s1End, s1Start)) { 2444 removeEdge = true; 2445 } 2446 // Trim edges from a subexpression back to the top level if the 2447 // subexpression is on a different line. 2448 // 2449 // A.1 -> A -> B 2450 // becomes 2451 // A.1 -> B 2452 // 2453 // These edges just look ugly and don't usually add anything. 2454 else if (s1Start && s2End && 2455 lexicalContains(PM, s1Start, s1End)) { 2456 SourceRange EdgeRange(PieceI->getEndLocation().asLocation(), 2457 PieceI->getStartLocation().asLocation()); 2458 if (!getLengthOnSingleLine(SM, EdgeRange).hasValue()) 2459 removeEdge = true; 2460 } 2461 } 2462 2463 if (removeEdge) { 2464 PieceI->setEndLocation(PieceNextI->getEndLocation()); 2465 path.erase(NextI); 2466 hasChanges = true; 2467 continue; 2468 } 2469 } 2470 2471 // Optimize edges for ObjC fast-enumeration loops. 2472 // 2473 // (X -> collection) -> (collection -> element) 2474 // 2475 // becomes: 2476 // 2477 // (X -> element) 2478 if (s1End == s2Start) { 2479 const ObjCForCollectionStmt *FS = 2480 dyn_cast_or_null<ObjCForCollectionStmt>(level3); 2481 if (FS && FS->getCollection()->IgnoreParens() == s2Start && 2482 s2End == FS->getElement()) { 2483 PieceI->setEndLocation(PieceNextI->getEndLocation()); 2484 path.erase(NextI); 2485 hasChanges = true; 2486 continue; 2487 } 2488 } 2489 2490 // No changes at this index? Move to the next one. 2491 ++I; 2492 } 2493 2494 if (!hasChanges) { 2495 // Adjust edges into subexpressions to make them more uniform 2496 // and aesthetically pleasing. 2497 addContextEdges(path, SM, PM, LC); 2498 // Remove "cyclical" edges that include one or more context edges. 2499 removeContextCycles(path, SM, PM); 2500 // Hoist edges originating from branch conditions to branches 2501 // for simple branches. 2502 simplifySimpleBranches(path); 2503 // Remove any puny edges left over after primary optimization pass. 2504 removePunyEdges(path, SM, PM); 2505 // Remove identical events. 2506 removeIdenticalEvents(path); 2507 } 2508 2509 return hasChanges; 2510 } 2511 2512 /// Drop the very first edge in a path, which should be a function entry edge. 2513 /// 2514 /// If the first edge is not a function entry edge (say, because the first 2515 /// statement had an invalid source location), this function does nothing. 2516 // FIXME: We should just generate invalid edges anyway and have the optimizer 2517 // deal with them. 2518 static void dropFunctionEntryEdge(PathPieces &Path, 2519 LocationContextMap &LCM, 2520 SourceManager &SM) { 2521 const PathDiagnosticControlFlowPiece *FirstEdge = 2522 dyn_cast<PathDiagnosticControlFlowPiece>(Path.front()); 2523 if (!FirstEdge) 2524 return; 2525 2526 const Decl *D = LCM[&Path]->getDecl(); 2527 PathDiagnosticLocation EntryLoc = PathDiagnosticLocation::createBegin(D, SM); 2528 if (FirstEdge->getStartLocation() != EntryLoc) 2529 return; 2530 2531 Path.pop_front(); 2532 } 2533 2534 2535 //===----------------------------------------------------------------------===// 2536 // Methods for BugType and subclasses. 2537 //===----------------------------------------------------------------------===// 2538 void BugType::anchor() { } 2539 2540 void BugType::FlushReports(BugReporter &BR) {} 2541 2542 void BuiltinBug::anchor() {} 2543 2544 //===----------------------------------------------------------------------===// 2545 // Methods for BugReport and subclasses. 2546 //===----------------------------------------------------------------------===// 2547 2548 void BugReport::NodeResolver::anchor() {} 2549 2550 void BugReport::addVisitor(BugReporterVisitor* visitor) { 2551 if (!visitor) 2552 return; 2553 2554 llvm::FoldingSetNodeID ID; 2555 visitor->Profile(ID); 2556 void *InsertPos; 2557 2558 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 2559 delete visitor; 2560 return; 2561 } 2562 2563 CallbacksSet.InsertNode(visitor, InsertPos); 2564 Callbacks.push_back(visitor); 2565 ++ConfigurationChangeToken; 2566 } 2567 2568 BugReport::~BugReport() { 2569 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) { 2570 delete *I; 2571 } 2572 while (!interestingSymbols.empty()) { 2573 popInterestingSymbolsAndRegions(); 2574 } 2575 } 2576 2577 const Decl *BugReport::getDeclWithIssue() const { 2578 if (DeclWithIssue) 2579 return DeclWithIssue; 2580 2581 const ExplodedNode *N = getErrorNode(); 2582 if (!N) 2583 return nullptr; 2584 2585 const LocationContext *LC = N->getLocationContext(); 2586 return LC->getCurrentStackFrame()->getDecl(); 2587 } 2588 2589 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 2590 hash.AddPointer(&BT); 2591 hash.AddString(Description); 2592 PathDiagnosticLocation UL = getUniqueingLocation(); 2593 if (UL.isValid()) { 2594 UL.Profile(hash); 2595 } else if (Location.isValid()) { 2596 Location.Profile(hash); 2597 } else { 2598 assert(ErrorNode); 2599 hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode)); 2600 } 2601 2602 for (SmallVectorImpl<SourceRange>::const_iterator I = 2603 Ranges.begin(), E = Ranges.end(); I != E; ++I) { 2604 const SourceRange range = *I; 2605 if (!range.isValid()) 2606 continue; 2607 hash.AddInteger(range.getBegin().getRawEncoding()); 2608 hash.AddInteger(range.getEnd().getRawEncoding()); 2609 } 2610 } 2611 2612 void BugReport::markInteresting(SymbolRef sym) { 2613 if (!sym) 2614 return; 2615 2616 // If the symbol wasn't already in our set, note a configuration change. 2617 if (getInterestingSymbols().insert(sym).second) 2618 ++ConfigurationChangeToken; 2619 2620 if (const SymbolMetadata *meta = dyn_cast<SymbolMetadata>(sym)) 2621 getInterestingRegions().insert(meta->getRegion()); 2622 } 2623 2624 void BugReport::markInteresting(const MemRegion *R) { 2625 if (!R) 2626 return; 2627 2628 // If the base region wasn't already in our set, note a configuration change. 2629 R = R->getBaseRegion(); 2630 if (getInterestingRegions().insert(R).second) 2631 ++ConfigurationChangeToken; 2632 2633 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 2634 getInterestingSymbols().insert(SR->getSymbol()); 2635 } 2636 2637 void BugReport::markInteresting(SVal V) { 2638 markInteresting(V.getAsRegion()); 2639 markInteresting(V.getAsSymbol()); 2640 } 2641 2642 void BugReport::markInteresting(const LocationContext *LC) { 2643 if (!LC) 2644 return; 2645 InterestingLocationContexts.insert(LC); 2646 } 2647 2648 bool BugReport::isInteresting(SVal V) { 2649 return isInteresting(V.getAsRegion()) || isInteresting(V.getAsSymbol()); 2650 } 2651 2652 bool BugReport::isInteresting(SymbolRef sym) { 2653 if (!sym) 2654 return false; 2655 // We don't currently consider metadata symbols to be interesting 2656 // even if we know their region is interesting. Is that correct behavior? 2657 return getInterestingSymbols().count(sym); 2658 } 2659 2660 bool BugReport::isInteresting(const MemRegion *R) { 2661 if (!R) 2662 return false; 2663 R = R->getBaseRegion(); 2664 bool b = getInterestingRegions().count(R); 2665 if (b) 2666 return true; 2667 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 2668 return getInterestingSymbols().count(SR->getSymbol()); 2669 return false; 2670 } 2671 2672 bool BugReport::isInteresting(const LocationContext *LC) { 2673 if (!LC) 2674 return false; 2675 return InterestingLocationContexts.count(LC); 2676 } 2677 2678 void BugReport::lazyInitializeInterestingSets() { 2679 if (interestingSymbols.empty()) { 2680 interestingSymbols.push_back(new Symbols()); 2681 interestingRegions.push_back(new Regions()); 2682 } 2683 } 2684 2685 BugReport::Symbols &BugReport::getInterestingSymbols() { 2686 lazyInitializeInterestingSets(); 2687 return *interestingSymbols.back(); 2688 } 2689 2690 BugReport::Regions &BugReport::getInterestingRegions() { 2691 lazyInitializeInterestingSets(); 2692 return *interestingRegions.back(); 2693 } 2694 2695 void BugReport::pushInterestingSymbolsAndRegions() { 2696 interestingSymbols.push_back(new Symbols(getInterestingSymbols())); 2697 interestingRegions.push_back(new Regions(getInterestingRegions())); 2698 } 2699 2700 void BugReport::popInterestingSymbolsAndRegions() { 2701 delete interestingSymbols.pop_back_val(); 2702 delete interestingRegions.pop_back_val(); 2703 } 2704 2705 const Stmt *BugReport::getStmt() const { 2706 if (!ErrorNode) 2707 return nullptr; 2708 2709 ProgramPoint ProgP = ErrorNode->getLocation(); 2710 const Stmt *S = nullptr; 2711 2712 if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) { 2713 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 2714 if (BE->getBlock() == &Exit) 2715 S = GetPreviousStmt(ErrorNode); 2716 } 2717 if (!S) 2718 S = PathDiagnosticLocation::getStmt(ErrorNode); 2719 2720 return S; 2721 } 2722 2723 std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 2724 BugReport::getRanges() { 2725 // If no custom ranges, add the range of the statement corresponding to 2726 // the error node. 2727 if (Ranges.empty()) { 2728 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) 2729 addRange(E->getSourceRange()); 2730 else 2731 return std::make_pair(ranges_iterator(), ranges_iterator()); 2732 } 2733 2734 // User-specified absence of range info. 2735 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 2736 return std::make_pair(ranges_iterator(), ranges_iterator()); 2737 2738 return std::make_pair(Ranges.begin(), Ranges.end()); 2739 } 2740 2741 PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const { 2742 if (ErrorNode) { 2743 assert(!Location.isValid() && 2744 "Either Location or ErrorNode should be specified but not both."); 2745 return PathDiagnosticLocation::createEndOfPath(ErrorNode, SM); 2746 } 2747 2748 assert(Location.isValid()); 2749 return Location; 2750 } 2751 2752 //===----------------------------------------------------------------------===// 2753 // Methods for BugReporter and subclasses. 2754 //===----------------------------------------------------------------------===// 2755 2756 BugReportEquivClass::~BugReportEquivClass() { } 2757 GRBugReporter::~GRBugReporter() { } 2758 BugReporterData::~BugReporterData() {} 2759 2760 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 2761 2762 ProgramStateManager& 2763 GRBugReporter::getStateManager() { return Eng.getStateManager(); } 2764 2765 BugReporter::~BugReporter() { 2766 FlushReports(); 2767 2768 // Free the bug reports we are tracking. 2769 typedef std::vector<BugReportEquivClass *> ContTy; 2770 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end(); 2771 I != E; ++I) { 2772 delete *I; 2773 } 2774 } 2775 2776 void BugReporter::FlushReports() { 2777 if (BugTypes.isEmpty()) 2778 return; 2779 2780 // First flush the warnings for each BugType. This may end up creating new 2781 // warnings and new BugTypes. 2782 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 2783 // Turn NSErrorChecker into a proper checker and remove this. 2784 SmallVector<const BugType*, 16> bugTypes; 2785 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 2786 bugTypes.push_back(*I); 2787 for (SmallVectorImpl<const BugType *>::iterator 2788 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 2789 const_cast<BugType*>(*I)->FlushReports(*this); 2790 2791 // We need to flush reports in deterministic order to ensure the order 2792 // of the reports is consistent between runs. 2793 typedef std::vector<BugReportEquivClass *> ContVecTy; 2794 for (ContVecTy::iterator EI=EQClassesVector.begin(), EE=EQClassesVector.end(); 2795 EI != EE; ++EI){ 2796 BugReportEquivClass& EQ = **EI; 2797 FlushReport(EQ); 2798 } 2799 2800 // BugReporter owns and deletes only BugTypes created implicitly through 2801 // EmitBasicReport. 2802 // FIXME: There are leaks from checkers that assume that the BugTypes they 2803 // create will be destroyed by the BugReporter. 2804 llvm::DeleteContainerSeconds(StrBugTypes); 2805 2806 // Remove all references to the BugType objects. 2807 BugTypes = F.getEmptySet(); 2808 } 2809 2810 //===----------------------------------------------------------------------===// 2811 // PathDiagnostics generation. 2812 //===----------------------------------------------------------------------===// 2813 2814 namespace { 2815 /// A wrapper around a report graph, which contains only a single path, and its 2816 /// node maps. 2817 class ReportGraph { 2818 public: 2819 InterExplodedGraphMap BackMap; 2820 std::unique_ptr<ExplodedGraph> Graph; 2821 const ExplodedNode *ErrorNode; 2822 size_t Index; 2823 }; 2824 2825 /// A wrapper around a trimmed graph and its node maps. 2826 class TrimmedGraph { 2827 InterExplodedGraphMap InverseMap; 2828 2829 typedef llvm::DenseMap<const ExplodedNode *, unsigned> PriorityMapTy; 2830 PriorityMapTy PriorityMap; 2831 2832 typedef std::pair<const ExplodedNode *, size_t> NodeIndexPair; 2833 SmallVector<NodeIndexPair, 32> ReportNodes; 2834 2835 std::unique_ptr<ExplodedGraph> G; 2836 2837 /// A helper class for sorting ExplodedNodes by priority. 2838 template <bool Descending> 2839 class PriorityCompare { 2840 const PriorityMapTy &PriorityMap; 2841 2842 public: 2843 PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {} 2844 2845 bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const { 2846 PriorityMapTy::const_iterator LI = PriorityMap.find(LHS); 2847 PriorityMapTy::const_iterator RI = PriorityMap.find(RHS); 2848 PriorityMapTy::const_iterator E = PriorityMap.end(); 2849 2850 if (LI == E) 2851 return Descending; 2852 if (RI == E) 2853 return !Descending; 2854 2855 return Descending ? LI->second > RI->second 2856 : LI->second < RI->second; 2857 } 2858 2859 bool operator()(const NodeIndexPair &LHS, const NodeIndexPair &RHS) const { 2860 return (*this)(LHS.first, RHS.first); 2861 } 2862 }; 2863 2864 public: 2865 TrimmedGraph(const ExplodedGraph *OriginalGraph, 2866 ArrayRef<const ExplodedNode *> Nodes); 2867 2868 bool popNextReportGraph(ReportGraph &GraphWrapper); 2869 }; 2870 } 2871 2872 TrimmedGraph::TrimmedGraph(const ExplodedGraph *OriginalGraph, 2873 ArrayRef<const ExplodedNode *> Nodes) { 2874 // The trimmed graph is created in the body of the constructor to ensure 2875 // that the DenseMaps have been initialized already. 2876 InterExplodedGraphMap ForwardMap; 2877 G.reset(OriginalGraph->trim(Nodes, &ForwardMap, &InverseMap)); 2878 2879 // Find the (first) error node in the trimmed graph. We just need to consult 2880 // the node map which maps from nodes in the original graph to nodes 2881 // in the new graph. 2882 llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes; 2883 2884 for (unsigned i = 0, count = Nodes.size(); i < count; ++i) { 2885 if (const ExplodedNode *NewNode = ForwardMap.lookup(Nodes[i])) { 2886 ReportNodes.push_back(std::make_pair(NewNode, i)); 2887 RemainingNodes.insert(NewNode); 2888 } 2889 } 2890 2891 assert(!RemainingNodes.empty() && "No error node found in the trimmed graph"); 2892 2893 // Perform a forward BFS to find all the shortest paths. 2894 std::queue<const ExplodedNode *> WS; 2895 2896 assert(G->num_roots() == 1); 2897 WS.push(*G->roots_begin()); 2898 unsigned Priority = 0; 2899 2900 while (!WS.empty()) { 2901 const ExplodedNode *Node = WS.front(); 2902 WS.pop(); 2903 2904 PriorityMapTy::iterator PriorityEntry; 2905 bool IsNew; 2906 std::tie(PriorityEntry, IsNew) = 2907 PriorityMap.insert(std::make_pair(Node, Priority)); 2908 ++Priority; 2909 2910 if (!IsNew) { 2911 assert(PriorityEntry->second <= Priority); 2912 continue; 2913 } 2914 2915 if (RemainingNodes.erase(Node)) 2916 if (RemainingNodes.empty()) 2917 break; 2918 2919 for (ExplodedNode::const_pred_iterator I = Node->succ_begin(), 2920 E = Node->succ_end(); 2921 I != E; ++I) 2922 WS.push(*I); 2923 } 2924 2925 // Sort the error paths from longest to shortest. 2926 std::sort(ReportNodes.begin(), ReportNodes.end(), 2927 PriorityCompare<true>(PriorityMap)); 2928 } 2929 2930 bool TrimmedGraph::popNextReportGraph(ReportGraph &GraphWrapper) { 2931 if (ReportNodes.empty()) 2932 return false; 2933 2934 const ExplodedNode *OrigN; 2935 std::tie(OrigN, GraphWrapper.Index) = ReportNodes.pop_back_val(); 2936 assert(PriorityMap.find(OrigN) != PriorityMap.end() && 2937 "error node not accessible from root"); 2938 2939 // Create a new graph with a single path. This is the graph 2940 // that will be returned to the caller. 2941 ExplodedGraph *GNew = new ExplodedGraph(); 2942 GraphWrapper.Graph.reset(GNew); 2943 GraphWrapper.BackMap.clear(); 2944 2945 // Now walk from the error node up the BFS path, always taking the 2946 // predeccessor with the lowest number. 2947 ExplodedNode *Succ = nullptr; 2948 while (true) { 2949 // Create the equivalent node in the new graph with the same state 2950 // and location. 2951 ExplodedNode *NewN = GNew->getNode(OrigN->getLocation(), OrigN->getState(), 2952 OrigN->isSink()); 2953 2954 // Store the mapping to the original node. 2955 InterExplodedGraphMap::const_iterator IMitr = InverseMap.find(OrigN); 2956 assert(IMitr != InverseMap.end() && "No mapping to original node."); 2957 GraphWrapper.BackMap[NewN] = IMitr->second; 2958 2959 // Link up the new node with the previous node. 2960 if (Succ) 2961 Succ->addPredecessor(NewN, *GNew); 2962 else 2963 GraphWrapper.ErrorNode = NewN; 2964 2965 Succ = NewN; 2966 2967 // Are we at the final node? 2968 if (OrigN->pred_empty()) { 2969 GNew->addRoot(NewN); 2970 break; 2971 } 2972 2973 // Find the next predeccessor node. We choose the node that is marked 2974 // with the lowest BFS number. 2975 OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(), 2976 PriorityCompare<false>(PriorityMap)); 2977 } 2978 2979 return true; 2980 } 2981 2982 2983 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 2984 /// and collapses PathDiagosticPieces that are expanded by macros. 2985 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) { 2986 typedef std::vector<std::pair<IntrusiveRefCntPtr<PathDiagnosticMacroPiece>, 2987 SourceLocation> > MacroStackTy; 2988 2989 typedef std::vector<IntrusiveRefCntPtr<PathDiagnosticPiece> > 2990 PiecesTy; 2991 2992 MacroStackTy MacroStack; 2993 PiecesTy Pieces; 2994 2995 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 2996 I!=E; ++I) { 2997 2998 PathDiagnosticPiece *piece = I->get(); 2999 3000 // Recursively compact calls. 3001 if (PathDiagnosticCallPiece *call=dyn_cast<PathDiagnosticCallPiece>(piece)){ 3002 CompactPathDiagnostic(call->path, SM); 3003 } 3004 3005 // Get the location of the PathDiagnosticPiece. 3006 const FullSourceLoc Loc = piece->getLocation().asLocation(); 3007 3008 // Determine the instantiation location, which is the location we group 3009 // related PathDiagnosticPieces. 3010 SourceLocation InstantiationLoc = Loc.isMacroID() ? 3011 SM.getExpansionLoc(Loc) : 3012 SourceLocation(); 3013 3014 if (Loc.isFileID()) { 3015 MacroStack.clear(); 3016 Pieces.push_back(piece); 3017 continue; 3018 } 3019 3020 assert(Loc.isMacroID()); 3021 3022 // Is the PathDiagnosticPiece within the same macro group? 3023 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 3024 MacroStack.back().first->subPieces.push_back(piece); 3025 continue; 3026 } 3027 3028 // We aren't in the same group. Are we descending into a new macro 3029 // or are part of an old one? 3030 IntrusiveRefCntPtr<PathDiagnosticMacroPiece> MacroGroup; 3031 3032 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 3033 SM.getExpansionLoc(Loc) : 3034 SourceLocation(); 3035 3036 // Walk the entire macro stack. 3037 while (!MacroStack.empty()) { 3038 if (InstantiationLoc == MacroStack.back().second) { 3039 MacroGroup = MacroStack.back().first; 3040 break; 3041 } 3042 3043 if (ParentInstantiationLoc == MacroStack.back().second) { 3044 MacroGroup = MacroStack.back().first; 3045 break; 3046 } 3047 3048 MacroStack.pop_back(); 3049 } 3050 3051 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 3052 // Create a new macro group and add it to the stack. 3053 PathDiagnosticMacroPiece *NewGroup = 3054 new PathDiagnosticMacroPiece( 3055 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 3056 3057 if (MacroGroup) 3058 MacroGroup->subPieces.push_back(NewGroup); 3059 else { 3060 assert(InstantiationLoc.isFileID()); 3061 Pieces.push_back(NewGroup); 3062 } 3063 3064 MacroGroup = NewGroup; 3065 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 3066 } 3067 3068 // Finally, add the PathDiagnosticPiece to the group. 3069 MacroGroup->subPieces.push_back(piece); 3070 } 3071 3072 // Now take the pieces and construct a new PathDiagnostic. 3073 path.clear(); 3074 3075 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) 3076 path.push_back(*I); 3077 } 3078 3079 bool GRBugReporter::generatePathDiagnostic(PathDiagnostic& PD, 3080 PathDiagnosticConsumer &PC, 3081 ArrayRef<BugReport *> &bugReports) { 3082 assert(!bugReports.empty()); 3083 3084 bool HasValid = false; 3085 bool HasInvalid = false; 3086 SmallVector<const ExplodedNode *, 32> errorNodes; 3087 for (ArrayRef<BugReport*>::iterator I = bugReports.begin(), 3088 E = bugReports.end(); I != E; ++I) { 3089 if ((*I)->isValid()) { 3090 HasValid = true; 3091 errorNodes.push_back((*I)->getErrorNode()); 3092 } else { 3093 // Keep the errorNodes list in sync with the bugReports list. 3094 HasInvalid = true; 3095 errorNodes.push_back(nullptr); 3096 } 3097 } 3098 3099 // If all the reports have been marked invalid by a previous path generation, 3100 // we're done. 3101 if (!HasValid) 3102 return false; 3103 3104 typedef PathDiagnosticConsumer::PathGenerationScheme PathGenerationScheme; 3105 PathGenerationScheme ActiveScheme = PC.getGenerationScheme(); 3106 3107 if (ActiveScheme == PathDiagnosticConsumer::Extensive) { 3108 AnalyzerOptions &options = getAnalyzerOptions(); 3109 if (options.getBooleanOption("path-diagnostics-alternate", true)) { 3110 ActiveScheme = PathDiagnosticConsumer::AlternateExtensive; 3111 } 3112 } 3113 3114 TrimmedGraph TrimG(&getGraph(), errorNodes); 3115 ReportGraph ErrorGraph; 3116 3117 while (TrimG.popNextReportGraph(ErrorGraph)) { 3118 // Find the BugReport with the original location. 3119 assert(ErrorGraph.Index < bugReports.size()); 3120 BugReport *R = bugReports[ErrorGraph.Index]; 3121 assert(R && "No original report found for sliced graph."); 3122 assert(R->isValid() && "Report selected by trimmed graph marked invalid."); 3123 3124 // Start building the path diagnostic... 3125 PathDiagnosticBuilder PDB(*this, R, ErrorGraph.BackMap, &PC); 3126 const ExplodedNode *N = ErrorGraph.ErrorNode; 3127 3128 // Register additional node visitors. 3129 R->addVisitor(new NilReceiverBRVisitor()); 3130 R->addVisitor(new ConditionBRVisitor()); 3131 R->addVisitor(new LikelyFalsePositiveSuppressionBRVisitor()); 3132 3133 BugReport::VisitorList visitors; 3134 unsigned origReportConfigToken, finalReportConfigToken; 3135 LocationContextMap LCM; 3136 3137 // While generating diagnostics, it's possible the visitors will decide 3138 // new symbols and regions are interesting, or add other visitors based on 3139 // the information they find. If they do, we need to regenerate the path 3140 // based on our new report configuration. 3141 do { 3142 // Get a clean copy of all the visitors. 3143 for (BugReport::visitor_iterator I = R->visitor_begin(), 3144 E = R->visitor_end(); I != E; ++I) 3145 visitors.push_back((*I)->clone()); 3146 3147 // Clear out the active path from any previous work. 3148 PD.resetPath(); 3149 origReportConfigToken = R->getConfigurationChangeToken(); 3150 3151 // Generate the very last diagnostic piece - the piece is visible before 3152 // the trace is expanded. 3153 std::unique_ptr<PathDiagnosticPiece> LastPiece; 3154 for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end(); 3155 I != E; ++I) { 3156 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) { 3157 assert (!LastPiece && 3158 "There can only be one final piece in a diagnostic."); 3159 LastPiece.reset(Piece); 3160 } 3161 } 3162 3163 if (ActiveScheme != PathDiagnosticConsumer::None) { 3164 if (!LastPiece) 3165 LastPiece.reset(BugReporterVisitor::getDefaultEndPath(PDB, N, *R)); 3166 assert(LastPiece); 3167 PD.setEndOfPath(LastPiece.release()); 3168 } 3169 3170 // Make sure we get a clean location context map so we don't 3171 // hold onto old mappings. 3172 LCM.clear(); 3173 3174 switch (ActiveScheme) { 3175 case PathDiagnosticConsumer::AlternateExtensive: 3176 GenerateAlternateExtensivePathDiagnostic(PD, PDB, N, LCM, visitors); 3177 break; 3178 case PathDiagnosticConsumer::Extensive: 3179 GenerateExtensivePathDiagnostic(PD, PDB, N, LCM, visitors); 3180 break; 3181 case PathDiagnosticConsumer::Minimal: 3182 GenerateMinimalPathDiagnostic(PD, PDB, N, LCM, visitors); 3183 break; 3184 case PathDiagnosticConsumer::None: 3185 GenerateVisitorsOnlyPathDiagnostic(PD, PDB, N, visitors); 3186 break; 3187 } 3188 3189 // Clean up the visitors we used. 3190 llvm::DeleteContainerPointers(visitors); 3191 3192 // Did anything change while generating this path? 3193 finalReportConfigToken = R->getConfigurationChangeToken(); 3194 } while (finalReportConfigToken != origReportConfigToken); 3195 3196 if (!R->isValid()) 3197 continue; 3198 3199 // Finally, prune the diagnostic path of uninteresting stuff. 3200 if (!PD.path.empty()) { 3201 if (R->shouldPrunePath() && getAnalyzerOptions().shouldPrunePaths()) { 3202 bool stillHasNotes = removeUnneededCalls(PD.getMutablePieces(), R, LCM); 3203 assert(stillHasNotes); 3204 (void)stillHasNotes; 3205 } 3206 3207 // Redirect all call pieces to have valid locations. 3208 adjustCallLocations(PD.getMutablePieces()); 3209 removePiecesWithInvalidLocations(PD.getMutablePieces()); 3210 3211 if (ActiveScheme == PathDiagnosticConsumer::AlternateExtensive) { 3212 SourceManager &SM = getSourceManager(); 3213 3214 // Reduce the number of edges from a very conservative set 3215 // to an aesthetically pleasing subset that conveys the 3216 // necessary information. 3217 OptimizedCallsSet OCS; 3218 while (optimizeEdges(PD.getMutablePieces(), SM, OCS, LCM)) {} 3219 3220 // Drop the very first function-entry edge. It's not really necessary 3221 // for top-level functions. 3222 dropFunctionEntryEdge(PD.getMutablePieces(), LCM, SM); 3223 } 3224 3225 // Remove messages that are basically the same, and edges that may not 3226 // make sense. 3227 // We have to do this after edge optimization in the Extensive mode. 3228 removeRedundantMsgs(PD.getMutablePieces()); 3229 removeEdgesToDefaultInitializers(PD.getMutablePieces()); 3230 } 3231 3232 // We found a report and didn't suppress it. 3233 return true; 3234 } 3235 3236 // We suppressed all the reports in this equivalence class. 3237 assert(!HasInvalid && "Inconsistent suppression"); 3238 (void)HasInvalid; 3239 return false; 3240 } 3241 3242 void BugReporter::Register(BugType *BT) { 3243 BugTypes = F.add(BugTypes, BT); 3244 } 3245 3246 void BugReporter::emitReport(BugReport* R) { 3247 // To guarantee memory release. 3248 std::unique_ptr<BugReport> UniqueR(R); 3249 3250 // Defensive checking: throw the bug away if it comes from a BodyFarm- 3251 // generated body. We do this very early because report processing relies 3252 // on the report's location being valid. 3253 // FIXME: Valid bugs can occur in BodyFarm-generated bodies, so really we 3254 // need to just find a reasonable location like we do later on with the path 3255 // pieces. 3256 if (const ExplodedNode *E = R->getErrorNode()) { 3257 const LocationContext *LCtx = E->getLocationContext(); 3258 if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized()) 3259 return; 3260 } 3261 3262 bool ValidSourceLoc = R->getLocation(getSourceManager()).isValid(); 3263 assert(ValidSourceLoc); 3264 // If we mess up in a release build, we'd still prefer to just drop the bug 3265 // instead of trying to go on. 3266 if (!ValidSourceLoc) 3267 return; 3268 3269 // Compute the bug report's hash to determine its equivalence class. 3270 llvm::FoldingSetNodeID ID; 3271 R->Profile(ID); 3272 3273 // Lookup the equivance class. If there isn't one, create it. 3274 BugType& BT = R->getBugType(); 3275 Register(&BT); 3276 void *InsertPos; 3277 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 3278 3279 if (!EQ) { 3280 EQ = new BugReportEquivClass(UniqueR.release()); 3281 EQClasses.InsertNode(EQ, InsertPos); 3282 EQClassesVector.push_back(EQ); 3283 } 3284 else 3285 EQ->AddReport(UniqueR.release()); 3286 } 3287 3288 3289 //===----------------------------------------------------------------------===// 3290 // Emitting reports in equivalence classes. 3291 //===----------------------------------------------------------------------===// 3292 3293 namespace { 3294 struct FRIEC_WLItem { 3295 const ExplodedNode *N; 3296 ExplodedNode::const_succ_iterator I, E; 3297 3298 FRIEC_WLItem(const ExplodedNode *n) 3299 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 3300 }; 3301 } 3302 3303 static BugReport * 3304 FindReportInEquivalenceClass(BugReportEquivClass& EQ, 3305 SmallVectorImpl<BugReport*> &bugReports) { 3306 3307 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 3308 assert(I != E); 3309 BugType& BT = I->getBugType(); 3310 3311 // If we don't need to suppress any of the nodes because they are 3312 // post-dominated by a sink, simply add all the nodes in the equivalence class 3313 // to 'Nodes'. Any of the reports will serve as a "representative" report. 3314 if (!BT.isSuppressOnSink()) { 3315 BugReport *R = I; 3316 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 3317 const ExplodedNode *N = I->getErrorNode(); 3318 if (N) { 3319 R = I; 3320 bugReports.push_back(R); 3321 } 3322 } 3323 return R; 3324 } 3325 3326 // For bug reports that should be suppressed when all paths are post-dominated 3327 // by a sink node, iterate through the reports in the equivalence class 3328 // until we find one that isn't post-dominated (if one exists). We use a 3329 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 3330 // this as a recursive function, but we don't want to risk blowing out the 3331 // stack for very long paths. 3332 BugReport *exampleReport = nullptr; 3333 3334 for (; I != E; ++I) { 3335 const ExplodedNode *errorNode = I->getErrorNode(); 3336 3337 if (!errorNode) 3338 continue; 3339 if (errorNode->isSink()) { 3340 llvm_unreachable( 3341 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 3342 } 3343 // No successors? By definition this nodes isn't post-dominated by a sink. 3344 if (errorNode->succ_empty()) { 3345 bugReports.push_back(I); 3346 if (!exampleReport) 3347 exampleReport = I; 3348 continue; 3349 } 3350 3351 // At this point we know that 'N' is not a sink and it has at least one 3352 // successor. Use a DFS worklist to find a non-sink end-of-path node. 3353 typedef FRIEC_WLItem WLItem; 3354 typedef SmallVector<WLItem, 10> DFSWorkList; 3355 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 3356 3357 DFSWorkList WL; 3358 WL.push_back(errorNode); 3359 Visited[errorNode] = 1; 3360 3361 while (!WL.empty()) { 3362 WLItem &WI = WL.back(); 3363 assert(!WI.N->succ_empty()); 3364 3365 for (; WI.I != WI.E; ++WI.I) { 3366 const ExplodedNode *Succ = *WI.I; 3367 // End-of-path node? 3368 if (Succ->succ_empty()) { 3369 // If we found an end-of-path node that is not a sink. 3370 if (!Succ->isSink()) { 3371 bugReports.push_back(I); 3372 if (!exampleReport) 3373 exampleReport = I; 3374 WL.clear(); 3375 break; 3376 } 3377 // Found a sink? Continue on to the next successor. 3378 continue; 3379 } 3380 // Mark the successor as visited. If it hasn't been explored, 3381 // enqueue it to the DFS worklist. 3382 unsigned &mark = Visited[Succ]; 3383 if (!mark) { 3384 mark = 1; 3385 WL.push_back(Succ); 3386 break; 3387 } 3388 } 3389 3390 // The worklist may have been cleared at this point. First 3391 // check if it is empty before checking the last item. 3392 if (!WL.empty() && &WL.back() == &WI) 3393 WL.pop_back(); 3394 } 3395 } 3396 3397 // ExampleReport will be NULL if all the nodes in the equivalence class 3398 // were post-dominated by sinks. 3399 return exampleReport; 3400 } 3401 3402 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 3403 SmallVector<BugReport*, 10> bugReports; 3404 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 3405 if (exampleReport) { 3406 for (PathDiagnosticConsumer *PDC : getPathDiagnosticConsumers()) { 3407 FlushReport(exampleReport, *PDC, bugReports); 3408 } 3409 } 3410 } 3411 3412 void BugReporter::FlushReport(BugReport *exampleReport, 3413 PathDiagnosticConsumer &PD, 3414 ArrayRef<BugReport*> bugReports) { 3415 3416 // FIXME: Make sure we use the 'R' for the path that was actually used. 3417 // Probably doesn't make a difference in practice. 3418 BugType& BT = exampleReport->getBugType(); 3419 3420 std::unique_ptr<PathDiagnostic> D(new PathDiagnostic( 3421 exampleReport->getBugType().getCheckName(), 3422 exampleReport->getDeclWithIssue(), exampleReport->getBugType().getName(), 3423 exampleReport->getDescription(), 3424 exampleReport->getShortDescription(/*Fallback=*/false), BT.getCategory(), 3425 exampleReport->getUniqueingLocation(), 3426 exampleReport->getUniqueingDecl())); 3427 3428 MaxBugClassSize = std::max(bugReports.size(), 3429 static_cast<size_t>(MaxBugClassSize)); 3430 3431 // Generate the full path diagnostic, using the generation scheme 3432 // specified by the PathDiagnosticConsumer. Note that we have to generate 3433 // path diagnostics even for consumers which do not support paths, because 3434 // the BugReporterVisitors may mark this bug as a false positive. 3435 if (!bugReports.empty()) 3436 if (!generatePathDiagnostic(*D.get(), PD, bugReports)) 3437 return; 3438 3439 MaxValidBugClassSize = std::max(bugReports.size(), 3440 static_cast<size_t>(MaxValidBugClassSize)); 3441 3442 // Examine the report and see if the last piece is in a header. Reset the 3443 // report location to the last piece in the main source file. 3444 AnalyzerOptions& Opts = getAnalyzerOptions(); 3445 if (Opts.shouldReportIssuesInMainSourceFile() && !Opts.AnalyzeAll) 3446 D->resetDiagnosticLocationToMainFile(); 3447 3448 // If the path is empty, generate a single step path with the location 3449 // of the issue. 3450 if (D->path.empty()) { 3451 PathDiagnosticLocation L = exampleReport->getLocation(getSourceManager()); 3452 PathDiagnosticPiece *piece = 3453 new PathDiagnosticEventPiece(L, exampleReport->getDescription()); 3454 BugReport::ranges_iterator Beg, End; 3455 std::tie(Beg, End) = exampleReport->getRanges(); 3456 for ( ; Beg != End; ++Beg) 3457 piece->addRange(*Beg); 3458 D->setEndOfPath(piece); 3459 } 3460 3461 // Get the meta data. 3462 const BugReport::ExtraTextList &Meta = exampleReport->getExtraText(); 3463 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(), 3464 e = Meta.end(); i != e; ++i) { 3465 D->addMeta(*i); 3466 } 3467 3468 PD.HandlePathDiagnostic(D.release()); 3469 } 3470 3471 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3472 const CheckerBase *Checker, 3473 StringRef Name, StringRef Category, 3474 StringRef Str, PathDiagnosticLocation Loc, 3475 ArrayRef<SourceRange> Ranges) { 3476 EmitBasicReport(DeclWithIssue, Checker->getCheckName(), Name, Category, Str, 3477 Loc, Ranges); 3478 } 3479 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 3480 CheckName CheckName, 3481 StringRef name, StringRef category, 3482 StringRef str, PathDiagnosticLocation Loc, 3483 ArrayRef<SourceRange> Ranges) { 3484 3485 // 'BT' is owned by BugReporter. 3486 BugType *BT = getBugTypeForName(CheckName, name, category); 3487 BugReport *R = new BugReport(*BT, str, Loc); 3488 R->setDeclWithIssue(DeclWithIssue); 3489 for (ArrayRef<SourceRange>::iterator I = Ranges.begin(), E = Ranges.end(); 3490 I != E; ++I) 3491 R->addRange(*I); 3492 emitReport(R); 3493 } 3494 3495 BugType *BugReporter::getBugTypeForName(CheckName CheckName, StringRef name, 3496 StringRef category) { 3497 SmallString<136> fullDesc; 3498 llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name 3499 << ":" << category; 3500 llvm::StringMapEntry<BugType *> & 3501 entry = StrBugTypes.GetOrCreateValue(fullDesc); 3502 BugType *BT = entry.getValue(); 3503 if (!BT) { 3504 BT = new BugType(CheckName, name, category); 3505 entry.setValue(BT); 3506 } 3507 return BT; 3508 } 3509 3510 LLVM_DUMP_METHOD void PathPieces::dump() const { 3511 unsigned index = 0; 3512 for (PathPieces::const_iterator I = begin(), E = end(); I != E; ++I) { 3513 llvm::errs() << "[" << index++ << "] "; 3514 (*I)->dump(); 3515 llvm::errs() << "\n"; 3516 } 3517 } 3518 3519 void PathDiagnosticCallPiece::dump() const { 3520 llvm::errs() << "CALL\n--------------\n"; 3521 3522 if (const Stmt *SLoc = getLocStmt(getLocation())) 3523 SLoc->dump(); 3524 else if (const NamedDecl *ND = dyn_cast<NamedDecl>(getCallee())) 3525 llvm::errs() << *ND << "\n"; 3526 else 3527 getLocation().dump(); 3528 } 3529 3530 void PathDiagnosticEventPiece::dump() const { 3531 llvm::errs() << "EVENT\n--------------\n"; 3532 llvm::errs() << getString() << "\n"; 3533 llvm::errs() << " ---- at ----\n"; 3534 getLocation().dump(); 3535 } 3536 3537 void PathDiagnosticControlFlowPiece::dump() const { 3538 llvm::errs() << "CONTROL\n--------------\n"; 3539 getStartLocation().dump(); 3540 llvm::errs() << " ---- to ----\n"; 3541 getEndLocation().dump(); 3542 } 3543 3544 void PathDiagnosticMacroPiece::dump() const { 3545 llvm::errs() << "MACRO\n--------------\n"; 3546 // FIXME: Print which macro is being invoked. 3547 } 3548 3549 void PathDiagnosticLocation::dump() const { 3550 if (!isValid()) { 3551 llvm::errs() << "<INVALID>\n"; 3552 return; 3553 } 3554 3555 switch (K) { 3556 case RangeK: 3557 // FIXME: actually print the range. 3558 llvm::errs() << "<range>\n"; 3559 break; 3560 case SingleLocK: 3561 asLocation().dump(); 3562 llvm::errs() << "\n"; 3563 break; 3564 case StmtK: 3565 if (S) 3566 S->dump(); 3567 else 3568 llvm::errs() << "<NULL STMT>\n"; 3569 break; 3570 case DeclK: 3571 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(D)) 3572 llvm::errs() << *ND << "\n"; 3573 else if (isa<BlockDecl>(D)) 3574 // FIXME: Make this nicer. 3575 llvm::errs() << "<block>\n"; 3576 else if (D) 3577 llvm::errs() << "<unknown decl>\n"; 3578 else 3579 llvm::errs() << "<NULL DECL>\n"; 3580 break; 3581 } 3582 } 3583
