BugReporter.cpp revision 11abcecc8c919673237cf37384290a1ef1943976
1// BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines BugReporter, a utility class for generating 11// PathDiagnostics. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 17#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 18#include "clang/AST/ASTContext.h" 19#include "clang/Analysis/CFG.h" 20#include "clang/AST/DeclObjC.h" 21#include "clang/AST/Expr.h" 22#include "clang/AST/ParentMap.h" 23#include "clang/AST/StmtObjC.h" 24#include "clang/Basic/SourceManager.h" 25#include "clang/Analysis/ProgramPoint.h" 26#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 27#include "llvm/Support/raw_ostream.h" 28#include "llvm/ADT/DenseMap.h" 29#include "llvm/ADT/SmallString.h" 30#include "llvm/ADT/STLExtras.h" 31#include "llvm/ADT/OwningPtr.h" 32#include "llvm/ADT/IntrusiveRefCntPtr.h" 33#include <queue> 34 35using namespace clang; 36using namespace ento; 37 38BugReporterVisitor::~BugReporterVisitor() {} 39 40void BugReporterContext::anchor() {} 41 42//===----------------------------------------------------------------------===// 43// Helper routines for walking the ExplodedGraph and fetching statements. 44//===----------------------------------------------------------------------===// 45 46static inline const Stmt *GetStmt(const ProgramPoint &P) { 47 if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P)) 48 return SP->getStmt(); 49 else if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) 50 return BE->getSrc()->getTerminator(); 51 52 return 0; 53} 54 55static inline const ExplodedNode* 56GetPredecessorNode(const ExplodedNode *N) { 57 return N->pred_empty() ? NULL : *(N->pred_begin()); 58} 59 60static inline const ExplodedNode* 61GetSuccessorNode(const ExplodedNode *N) { 62 return N->succ_empty() ? NULL : *(N->succ_begin()); 63} 64 65static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 66 for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N)) 67 if (const Stmt *S = GetStmt(N->getLocation())) 68 return S; 69 70 return 0; 71} 72 73static const Stmt *GetNextStmt(const ExplodedNode *N) { 74 for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) 75 if (const Stmt *S = GetStmt(N->getLocation())) { 76 // Check if the statement is '?' or '&&'/'||'. These are "merges", 77 // not actual statement points. 78 switch (S->getStmtClass()) { 79 case Stmt::ChooseExprClass: 80 case Stmt::BinaryConditionalOperatorClass: continue; 81 case Stmt::ConditionalOperatorClass: continue; 82 case Stmt::BinaryOperatorClass: { 83 BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode(); 84 if (Op == BO_LAnd || Op == BO_LOr) 85 continue; 86 break; 87 } 88 default: 89 break; 90 } 91 return S; 92 } 93 94 return 0; 95} 96 97static inline const Stmt* 98GetCurrentOrPreviousStmt(const ExplodedNode *N) { 99 if (const Stmt *S = GetStmt(N->getLocation())) 100 return S; 101 102 return GetPreviousStmt(N); 103} 104 105static inline const Stmt* 106GetCurrentOrNextStmt(const ExplodedNode *N) { 107 if (const Stmt *S = GetStmt(N->getLocation())) 108 return S; 109 110 return GetNextStmt(N); 111} 112 113//===----------------------------------------------------------------------===// 114// Diagnostic cleanup. 115//===----------------------------------------------------------------------===// 116 117/// Recursively scan through a path and prune out calls and macros pieces 118/// that aren't needed. Return true if afterwards the path contains 119/// "interesting stuff" which means it should be pruned from the parent path. 120static bool RemoveUneededCalls(PathPieces &pieces) { 121 bool containsSomethingInteresting = false; 122 const unsigned N = pieces.size(); 123 124 for (unsigned i = 0 ; i < N ; ++i) { 125 // Remove the front piece from the path. If it is still something we 126 // want to keep once we are done, we will push it back on the end. 127 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(pieces.front()); 128 pieces.pop_front(); 129 130 switch (piece->getKind()) { 131 case PathDiagnosticPiece::Call: { 132 PathDiagnosticCallPiece *call = cast<PathDiagnosticCallPiece>(piece); 133 // Recursively clean out the subclass. Keep this call around if 134 // it contains any informative diagnostics. 135 if (!RemoveUneededCalls(call->path)) 136 continue; 137 containsSomethingInteresting = true; 138 break; 139 } 140 case PathDiagnosticPiece::Macro: { 141 PathDiagnosticMacroPiece *macro = cast<PathDiagnosticMacroPiece>(piece); 142 if (!RemoveUneededCalls(macro->subPieces)) 143 continue; 144 containsSomethingInteresting = true; 145 break; 146 } 147 case PathDiagnosticPiece::Event: { 148 PathDiagnosticEventPiece *event = cast<PathDiagnosticEventPiece>(piece); 149 // We never throw away an event, but we do throw it away wholesale 150 // as part of a path if we throw the entire path away. 151 if (event->isPrunable()) 152 continue; 153 containsSomethingInteresting = true; 154 break; 155 } 156 case PathDiagnosticPiece::ControlFlow: 157 break; 158 } 159 160 pieces.push_back(piece); 161 } 162 163 return containsSomethingInteresting; 164} 165 166//===----------------------------------------------------------------------===// 167// PathDiagnosticBuilder and its associated routines and helper objects. 168//===----------------------------------------------------------------------===// 169 170typedef llvm::DenseMap<const ExplodedNode*, 171const ExplodedNode*> NodeBackMap; 172 173namespace { 174class NodeMapClosure : public BugReport::NodeResolver { 175 NodeBackMap& M; 176public: 177 NodeMapClosure(NodeBackMap *m) : M(*m) {} 178 ~NodeMapClosure() {} 179 180 const ExplodedNode *getOriginalNode(const ExplodedNode *N) { 181 NodeBackMap::iterator I = M.find(N); 182 return I == M.end() ? 0 : I->second; 183 } 184}; 185 186class PathDiagnosticBuilder : public BugReporterContext { 187 BugReport *R; 188 PathDiagnosticConsumer *PDC; 189 OwningPtr<ParentMap> PM; 190 NodeMapClosure NMC; 191public: 192 const LocationContext *LC; 193 194 PathDiagnosticBuilder(GRBugReporter &br, 195 BugReport *r, NodeBackMap *Backmap, 196 PathDiagnosticConsumer *pdc) 197 : BugReporterContext(br), 198 R(r), PDC(pdc), NMC(Backmap), LC(r->getErrorNode()->getLocationContext()) 199 {} 200 201 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 202 203 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 204 const ExplodedNode *N); 205 206 BugReport *getBugReport() { return R; } 207 208 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 209 210 ParentMap& getParentMap() { return LC->getParentMap(); } 211 212 const Stmt *getParent(const Stmt *S) { 213 return getParentMap().getParent(S); 214 } 215 216 virtual NodeMapClosure& getNodeResolver() { return NMC; } 217 218 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 219 220 PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const { 221 return PDC ? PDC->getGenerationScheme() : PathDiagnosticConsumer::Extensive; 222 } 223 224 bool supportsLogicalOpControlFlow() const { 225 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 226 } 227}; 228} // end anonymous namespace 229 230PathDiagnosticLocation 231PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 232 if (const Stmt *S = GetNextStmt(N)) 233 return PathDiagnosticLocation(S, getSourceManager(), LC); 234 235 return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(), 236 getSourceManager()); 237} 238 239PathDiagnosticLocation 240PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 241 const ExplodedNode *N) { 242 243 // Slow, but probably doesn't matter. 244 if (os.str().empty()) 245 os << ' '; 246 247 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 248 249 if (Loc.asStmt()) 250 os << "Execution continues on line " 251 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 252 << '.'; 253 else { 254 os << "Execution jumps to the end of the "; 255 const Decl *D = N->getLocationContext()->getDecl(); 256 if (isa<ObjCMethodDecl>(D)) 257 os << "method"; 258 else if (isa<FunctionDecl>(D)) 259 os << "function"; 260 else { 261 assert(isa<BlockDecl>(D)); 262 os << "anonymous block"; 263 } 264 os << '.'; 265 } 266 267 return Loc; 268} 269 270static bool IsNested(const Stmt *S, ParentMap &PM) { 271 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 272 return true; 273 274 const Stmt *Parent = PM.getParentIgnoreParens(S); 275 276 if (Parent) 277 switch (Parent->getStmtClass()) { 278 case Stmt::ForStmtClass: 279 case Stmt::DoStmtClass: 280 case Stmt::WhileStmtClass: 281 return true; 282 default: 283 break; 284 } 285 286 return false; 287} 288 289PathDiagnosticLocation 290PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 291 assert(S && "Null Stmt *passed to getEnclosingStmtLocation"); 292 ParentMap &P = getParentMap(); 293 SourceManager &SMgr = getSourceManager(); 294 295 while (IsNested(S, P)) { 296 const Stmt *Parent = P.getParentIgnoreParens(S); 297 298 if (!Parent) 299 break; 300 301 switch (Parent->getStmtClass()) { 302 case Stmt::BinaryOperatorClass: { 303 const BinaryOperator *B = cast<BinaryOperator>(Parent); 304 if (B->isLogicalOp()) 305 return PathDiagnosticLocation(S, SMgr, LC); 306 break; 307 } 308 case Stmt::CompoundStmtClass: 309 case Stmt::StmtExprClass: 310 return PathDiagnosticLocation(S, SMgr, LC); 311 case Stmt::ChooseExprClass: 312 // Similar to '?' if we are referring to condition, just have the edge 313 // point to the entire choose expression. 314 if (cast<ChooseExpr>(Parent)->getCond() == S) 315 return PathDiagnosticLocation(Parent, SMgr, LC); 316 else 317 return PathDiagnosticLocation(S, SMgr, LC); 318 case Stmt::BinaryConditionalOperatorClass: 319 case Stmt::ConditionalOperatorClass: 320 // For '?', if we are referring to condition, just have the edge point 321 // to the entire '?' expression. 322 if (cast<AbstractConditionalOperator>(Parent)->getCond() == S) 323 return PathDiagnosticLocation(Parent, SMgr, LC); 324 else 325 return PathDiagnosticLocation(S, SMgr, LC); 326 case Stmt::DoStmtClass: 327 return PathDiagnosticLocation(S, SMgr, LC); 328 case Stmt::ForStmtClass: 329 if (cast<ForStmt>(Parent)->getBody() == S) 330 return PathDiagnosticLocation(S, SMgr, LC); 331 break; 332 case Stmt::IfStmtClass: 333 if (cast<IfStmt>(Parent)->getCond() != S) 334 return PathDiagnosticLocation(S, SMgr, LC); 335 break; 336 case Stmt::ObjCForCollectionStmtClass: 337 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 338 return PathDiagnosticLocation(S, SMgr, LC); 339 break; 340 case Stmt::WhileStmtClass: 341 if (cast<WhileStmt>(Parent)->getCond() != S) 342 return PathDiagnosticLocation(S, SMgr, LC); 343 break; 344 default: 345 break; 346 } 347 348 S = Parent; 349 } 350 351 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 352 353 // Special case: DeclStmts can appear in for statement declarations, in which 354 // case the ForStmt is the context. 355 if (isa<DeclStmt>(S)) { 356 if (const Stmt *Parent = P.getParent(S)) { 357 switch (Parent->getStmtClass()) { 358 case Stmt::ForStmtClass: 359 case Stmt::ObjCForCollectionStmtClass: 360 return PathDiagnosticLocation(Parent, SMgr, LC); 361 default: 362 break; 363 } 364 } 365 } 366 else if (isa<BinaryOperator>(S)) { 367 // Special case: the binary operator represents the initialization 368 // code in a for statement (this can happen when the variable being 369 // initialized is an old variable. 370 if (const ForStmt *FS = 371 dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) { 372 if (FS->getInit() == S) 373 return PathDiagnosticLocation(FS, SMgr, LC); 374 } 375 } 376 377 return PathDiagnosticLocation(S, SMgr, LC); 378} 379 380//===----------------------------------------------------------------------===// 381// "Minimal" path diagnostic generation algorithm. 382//===----------------------------------------------------------------------===// 383typedef std::pair<PathDiagnosticCallPiece*, const ExplodedNode*> StackDiagPair; 384typedef SmallVector<StackDiagPair, 6> StackDiagVector; 385 386static void updateStackPiecesWithMessage(PathDiagnosticPiece *P, 387 StackDiagVector &CallStack) { 388 // If the piece contains a special message, add it to all the call 389 // pieces on the active stack. 390 if (PathDiagnosticEventPiece *ep = 391 dyn_cast<PathDiagnosticEventPiece>(P)) { 392 393 if (ep->hasCallStackHint()) 394 for (StackDiagVector::iterator I = CallStack.begin(), 395 E = CallStack.end(); I != E; ++I) { 396 PathDiagnosticCallPiece *CP = I->first; 397 const ExplodedNode *N = I->second; 398 std::string stackMsg = ep->getCallStackMessage(N); 399 400 // The last message on the path to final bug is the most important 401 // one. Since we traverse the path backwards, do not add the message 402 // if one has been previously added. 403 if (!CP->hasCallStackMessage()) 404 CP->setCallStackMessage(stackMsg); 405 } 406 } 407} 408 409static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM); 410 411static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 412 PathDiagnosticBuilder &PDB, 413 const ExplodedNode *N, 414 ArrayRef<BugReporterVisitor *> visitors) { 415 416 SourceManager& SMgr = PDB.getSourceManager(); 417 const LocationContext *LC = PDB.LC; 418 const ExplodedNode *NextNode = N->pred_empty() 419 ? NULL : *(N->pred_begin()); 420 421 StackDiagVector CallStack; 422 423 while (NextNode) { 424 N = NextNode; 425 PDB.LC = N->getLocationContext(); 426 NextNode = GetPredecessorNode(N); 427 428 ProgramPoint P = N->getLocation(); 429 430 if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) { 431 PathDiagnosticCallPiece *C = 432 PathDiagnosticCallPiece::construct(N, *CE, SMgr); 433 PD.getActivePath().push_front(C); 434 PD.pushActivePath(&C->path); 435 CallStack.push_back(StackDiagPair(C, N)); 436 continue; 437 } 438 439 if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) { 440 PD.popActivePath(); 441 // The current active path should never be empty. Either we 442 // just added a bunch of stuff to the top-level path, or 443 // we have a previous CallExitEnd. If the front of the active 444 // path is not a PathDiagnosticCallPiece, it means that the 445 // path terminated within a function call. We must then take the 446 // current contents of the active path and place it within 447 // a new PathDiagnosticCallPiece. 448 assert(!PD.getActivePath().empty()); 449 PathDiagnosticCallPiece *C = 450 dyn_cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 451 if (!C) { 452 const Decl *Caller = CE->getLocationContext()->getDecl(); 453 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 454 } 455 C->setCallee(*CE, SMgr); 456 if (!CallStack.empty()) { 457 assert(CallStack.back().first == C); 458 CallStack.pop_back(); 459 } 460 continue; 461 } 462 463 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 464 const CFGBlock *Src = BE->getSrc(); 465 const CFGBlock *Dst = BE->getDst(); 466 const Stmt *T = Src->getTerminator(); 467 468 if (!T) 469 continue; 470 471 PathDiagnosticLocation Start = 472 PathDiagnosticLocation::createBegin(T, SMgr, 473 N->getLocationContext()); 474 475 switch (T->getStmtClass()) { 476 default: 477 break; 478 479 case Stmt::GotoStmtClass: 480 case Stmt::IndirectGotoStmtClass: { 481 const Stmt *S = GetNextStmt(N); 482 483 if (!S) 484 continue; 485 486 std::string sbuf; 487 llvm::raw_string_ostream os(sbuf); 488 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 489 490 os << "Control jumps to line " 491 << End.asLocation().getExpansionLineNumber(); 492 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 493 os.str())); 494 break; 495 } 496 497 case Stmt::SwitchStmtClass: { 498 // Figure out what case arm we took. 499 std::string sbuf; 500 llvm::raw_string_ostream os(sbuf); 501 502 if (const Stmt *S = Dst->getLabel()) { 503 PathDiagnosticLocation End(S, SMgr, LC); 504 505 switch (S->getStmtClass()) { 506 default: 507 os << "No cases match in the switch statement. " 508 "Control jumps to line " 509 << End.asLocation().getExpansionLineNumber(); 510 break; 511 case Stmt::DefaultStmtClass: 512 os << "Control jumps to the 'default' case at line " 513 << End.asLocation().getExpansionLineNumber(); 514 break; 515 516 case Stmt::CaseStmtClass: { 517 os << "Control jumps to 'case "; 518 const CaseStmt *Case = cast<CaseStmt>(S); 519 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 520 521 // Determine if it is an enum. 522 bool GetRawInt = true; 523 524 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 525 // FIXME: Maybe this should be an assertion. Are there cases 526 // were it is not an EnumConstantDecl? 527 const EnumConstantDecl *D = 528 dyn_cast<EnumConstantDecl>(DR->getDecl()); 529 530 if (D) { 531 GetRawInt = false; 532 os << *D; 533 } 534 } 535 536 if (GetRawInt) 537 os << LHS->EvaluateKnownConstInt(PDB.getASTContext()); 538 539 os << ":' at line " 540 << End.asLocation().getExpansionLineNumber(); 541 break; 542 } 543 } 544 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 545 os.str())); 546 } 547 else { 548 os << "'Default' branch taken. "; 549 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 550 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 551 os.str())); 552 } 553 554 break; 555 } 556 557 case Stmt::BreakStmtClass: 558 case Stmt::ContinueStmtClass: { 559 std::string sbuf; 560 llvm::raw_string_ostream os(sbuf); 561 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 562 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 563 os.str())); 564 break; 565 } 566 567 // Determine control-flow for ternary '?'. 568 case Stmt::BinaryConditionalOperatorClass: 569 case Stmt::ConditionalOperatorClass: { 570 std::string sbuf; 571 llvm::raw_string_ostream os(sbuf); 572 os << "'?' condition is "; 573 574 if (*(Src->succ_begin()+1) == Dst) 575 os << "false"; 576 else 577 os << "true"; 578 579 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 580 581 if (const Stmt *S = End.asStmt()) 582 End = PDB.getEnclosingStmtLocation(S); 583 584 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 585 os.str())); 586 break; 587 } 588 589 // Determine control-flow for short-circuited '&&' and '||'. 590 case Stmt::BinaryOperatorClass: { 591 if (!PDB.supportsLogicalOpControlFlow()) 592 break; 593 594 const BinaryOperator *B = cast<BinaryOperator>(T); 595 std::string sbuf; 596 llvm::raw_string_ostream os(sbuf); 597 os << "Left side of '"; 598 599 if (B->getOpcode() == BO_LAnd) { 600 os << "&&" << "' is "; 601 602 if (*(Src->succ_begin()+1) == Dst) { 603 os << "false"; 604 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 605 PathDiagnosticLocation Start = 606 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 607 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 608 os.str())); 609 } 610 else { 611 os << "true"; 612 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 613 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 614 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 615 os.str())); 616 } 617 } 618 else { 619 assert(B->getOpcode() == BO_LOr); 620 os << "||" << "' is "; 621 622 if (*(Src->succ_begin()+1) == Dst) { 623 os << "false"; 624 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 625 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 626 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 627 os.str())); 628 } 629 else { 630 os << "true"; 631 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 632 PathDiagnosticLocation Start = 633 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 634 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 635 os.str())); 636 } 637 } 638 639 break; 640 } 641 642 case Stmt::DoStmtClass: { 643 if (*(Src->succ_begin()) == Dst) { 644 std::string sbuf; 645 llvm::raw_string_ostream os(sbuf); 646 647 os << "Loop condition is true. "; 648 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 649 650 if (const Stmt *S = End.asStmt()) 651 End = PDB.getEnclosingStmtLocation(S); 652 653 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 654 os.str())); 655 } 656 else { 657 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 658 659 if (const Stmt *S = End.asStmt()) 660 End = PDB.getEnclosingStmtLocation(S); 661 662 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 663 "Loop condition is false. Exiting loop")); 664 } 665 666 break; 667 } 668 669 case Stmt::WhileStmtClass: 670 case Stmt::ForStmtClass: { 671 if (*(Src->succ_begin()+1) == Dst) { 672 std::string sbuf; 673 llvm::raw_string_ostream os(sbuf); 674 675 os << "Loop condition is false. "; 676 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 677 if (const Stmt *S = End.asStmt()) 678 End = PDB.getEnclosingStmtLocation(S); 679 680 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 681 os.str())); 682 } 683 else { 684 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 685 if (const Stmt *S = End.asStmt()) 686 End = PDB.getEnclosingStmtLocation(S); 687 688 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 689 "Loop condition is true. Entering loop body")); 690 } 691 692 break; 693 } 694 695 case Stmt::IfStmtClass: { 696 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 697 698 if (const Stmt *S = End.asStmt()) 699 End = PDB.getEnclosingStmtLocation(S); 700 701 if (*(Src->succ_begin()+1) == Dst) 702 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 703 "Taking false branch")); 704 else 705 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 706 "Taking true branch")); 707 708 break; 709 } 710 } 711 } 712 713 if (NextNode) { 714 // Add diagnostic pieces from custom visitors. 715 BugReport *R = PDB.getBugReport(); 716 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 717 E = visitors.end(); 718 I != E; ++I) { 719 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 720 PD.getActivePath().push_front(p); 721 updateStackPiecesWithMessage(p, CallStack); 722 } 723 } 724 } 725 } 726 727 // After constructing the full PathDiagnostic, do a pass over it to compact 728 // PathDiagnosticPieces that occur within a macro. 729 CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager()); 730} 731 732//===----------------------------------------------------------------------===// 733// "Extensive" PathDiagnostic generation. 734//===----------------------------------------------------------------------===// 735 736static bool IsControlFlowExpr(const Stmt *S) { 737 const Expr *E = dyn_cast<Expr>(S); 738 739 if (!E) 740 return false; 741 742 E = E->IgnoreParenCasts(); 743 744 if (isa<AbstractConditionalOperator>(E)) 745 return true; 746 747 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 748 if (B->isLogicalOp()) 749 return true; 750 751 return false; 752} 753 754namespace { 755class ContextLocation : public PathDiagnosticLocation { 756 bool IsDead; 757public: 758 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 759 : PathDiagnosticLocation(L), IsDead(isdead) {} 760 761 void markDead() { IsDead = true; } 762 bool isDead() const { return IsDead; } 763}; 764 765class EdgeBuilder { 766 std::vector<ContextLocation> CLocs; 767 typedef std::vector<ContextLocation>::iterator iterator; 768 PathDiagnostic &PD; 769 PathDiagnosticBuilder &PDB; 770 PathDiagnosticLocation PrevLoc; 771 772 bool IsConsumedExpr(const PathDiagnosticLocation &L); 773 774 bool containsLocation(const PathDiagnosticLocation &Container, 775 const PathDiagnosticLocation &Containee); 776 777 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 778 779 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 780 bool firstCharOnly = false) { 781 if (const Stmt *S = L.asStmt()) { 782 const Stmt *Original = S; 783 while (1) { 784 // Adjust the location for some expressions that are best referenced 785 // by one of their subexpressions. 786 switch (S->getStmtClass()) { 787 default: 788 break; 789 case Stmt::ParenExprClass: 790 case Stmt::GenericSelectionExprClass: 791 S = cast<Expr>(S)->IgnoreParens(); 792 firstCharOnly = true; 793 continue; 794 case Stmt::BinaryConditionalOperatorClass: 795 case Stmt::ConditionalOperatorClass: 796 S = cast<AbstractConditionalOperator>(S)->getCond(); 797 firstCharOnly = true; 798 continue; 799 case Stmt::ChooseExprClass: 800 S = cast<ChooseExpr>(S)->getCond(); 801 firstCharOnly = true; 802 continue; 803 case Stmt::BinaryOperatorClass: 804 S = cast<BinaryOperator>(S)->getLHS(); 805 firstCharOnly = true; 806 continue; 807 } 808 809 break; 810 } 811 812 if (S != Original) 813 L = PathDiagnosticLocation(S, L.getManager(), PDB.LC); 814 } 815 816 if (firstCharOnly) 817 L = PathDiagnosticLocation::createSingleLocation(L); 818 819 return L; 820 } 821 822 void popLocation() { 823 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 824 // For contexts, we only one the first character as the range. 825 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 826 } 827 CLocs.pop_back(); 828 } 829 830public: 831 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 832 : PD(pd), PDB(pdb) { 833 834 // If the PathDiagnostic already has pieces, add the enclosing statement 835 // of the first piece as a context as well. 836 if (!PD.path.empty()) { 837 PrevLoc = (*PD.path.begin())->getLocation(); 838 839 if (const Stmt *S = PrevLoc.asStmt()) 840 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 841 } 842 } 843 844 ~EdgeBuilder() { 845 while (!CLocs.empty()) popLocation(); 846 847 // Finally, add an initial edge from the start location of the first 848 // statement (if it doesn't already exist). 849 PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin( 850 PDB.LC, 851 PDB.getSourceManager()); 852 if (L.isValid()) 853 rawAddEdge(L); 854 } 855 856 void flushLocations() { 857 while (!CLocs.empty()) 858 popLocation(); 859 PrevLoc = PathDiagnosticLocation(); 860 } 861 862 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 863 864 void rawAddEdge(PathDiagnosticLocation NewLoc); 865 866 void addContext(const Stmt *S); 867 void addExtendedContext(const Stmt *S); 868}; 869} // end anonymous namespace 870 871 872PathDiagnosticLocation 873EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 874 if (const Stmt *S = L.asStmt()) { 875 if (IsControlFlowExpr(S)) 876 return L; 877 878 return PDB.getEnclosingStmtLocation(S); 879 } 880 881 return L; 882} 883 884bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 885 const PathDiagnosticLocation &Containee) { 886 887 if (Container == Containee) 888 return true; 889 890 if (Container.asDecl()) 891 return true; 892 893 if (const Stmt *S = Containee.asStmt()) 894 if (const Stmt *ContainerS = Container.asStmt()) { 895 while (S) { 896 if (S == ContainerS) 897 return true; 898 S = PDB.getParent(S); 899 } 900 return false; 901 } 902 903 // Less accurate: compare using source ranges. 904 SourceRange ContainerR = Container.asRange(); 905 SourceRange ContaineeR = Containee.asRange(); 906 907 SourceManager &SM = PDB.getSourceManager(); 908 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 909 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 910 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 911 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 912 913 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 914 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 915 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 916 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 917 918 assert(ContainerBegLine <= ContainerEndLine); 919 assert(ContaineeBegLine <= ContaineeEndLine); 920 921 return (ContainerBegLine <= ContaineeBegLine && 922 ContainerEndLine >= ContaineeEndLine && 923 (ContainerBegLine != ContaineeBegLine || 924 SM.getExpansionColumnNumber(ContainerRBeg) <= 925 SM.getExpansionColumnNumber(ContaineeRBeg)) && 926 (ContainerEndLine != ContaineeEndLine || 927 SM.getExpansionColumnNumber(ContainerREnd) >= 928 SM.getExpansionColumnNumber(ContaineeREnd))); 929} 930 931void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 932 if (!PrevLoc.isValid()) { 933 PrevLoc = NewLoc; 934 return; 935 } 936 937 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 938 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 939 940 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 941 return; 942 943 // FIXME: Ignore intra-macro edges for now. 944 if (NewLocClean.asLocation().getExpansionLoc() == 945 PrevLocClean.asLocation().getExpansionLoc()) 946 return; 947 948 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 949 PrevLoc = NewLoc; 950} 951 952void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 953 954 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 955 return; 956 957 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 958 959 while (!CLocs.empty()) { 960 ContextLocation &TopContextLoc = CLocs.back(); 961 962 // Is the top location context the same as the one for the new location? 963 if (TopContextLoc == CLoc) { 964 if (alwaysAdd) { 965 if (IsConsumedExpr(TopContextLoc) && 966 !IsControlFlowExpr(TopContextLoc.asStmt())) 967 TopContextLoc.markDead(); 968 969 rawAddEdge(NewLoc); 970 } 971 972 return; 973 } 974 975 if (containsLocation(TopContextLoc, CLoc)) { 976 if (alwaysAdd) { 977 rawAddEdge(NewLoc); 978 979 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 980 CLocs.push_back(ContextLocation(CLoc, true)); 981 return; 982 } 983 } 984 985 CLocs.push_back(CLoc); 986 return; 987 } 988 989 // Context does not contain the location. Flush it. 990 popLocation(); 991 } 992 993 // If we reach here, there is no enclosing context. Just add the edge. 994 rawAddEdge(NewLoc); 995} 996 997bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 998 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 999 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1000 1001 return false; 1002} 1003 1004void EdgeBuilder::addExtendedContext(const Stmt *S) { 1005 if (!S) 1006 return; 1007 1008 const Stmt *Parent = PDB.getParent(S); 1009 while (Parent) { 1010 if (isa<CompoundStmt>(Parent)) 1011 Parent = PDB.getParent(Parent); 1012 else 1013 break; 1014 } 1015 1016 if (Parent) { 1017 switch (Parent->getStmtClass()) { 1018 case Stmt::DoStmtClass: 1019 case Stmt::ObjCAtSynchronizedStmtClass: 1020 addContext(Parent); 1021 default: 1022 break; 1023 } 1024 } 1025 1026 addContext(S); 1027} 1028 1029void EdgeBuilder::addContext(const Stmt *S) { 1030 if (!S) 1031 return; 1032 1033 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.LC); 1034 1035 while (!CLocs.empty()) { 1036 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1037 1038 // Is the top location context the same as the one for the new location? 1039 if (TopContextLoc == L) 1040 return; 1041 1042 if (containsLocation(TopContextLoc, L)) { 1043 CLocs.push_back(L); 1044 return; 1045 } 1046 1047 // Context does not contain the location. Flush it. 1048 popLocation(); 1049 } 1050 1051 CLocs.push_back(L); 1052} 1053 1054// Cone-of-influence: support the reverse propagation of "interesting" symbols 1055// and values by tracing interesting calculations backwards through evaluated 1056// expressions along a path. This is probably overly complicated, but the idea 1057// is that if an expression computed an "interesting" value, the child 1058// expressions are are also likely to be "interesting" as well (which then 1059// propagates to the values they in turn compute). This reverse propagation 1060// is needed to track interesting correlations across function call boundaries, 1061// where formal arguments bind to actual arguments, etc. This is also needed 1062// because the constraint solver sometimes simplifies certain symbolic values 1063// into constants when appropriate, and this complicates reasoning about 1064// interesting values. 1065typedef llvm::DenseSet<const Expr *> InterestingExprs; 1066 1067static void reversePropagateIntererstingSymbols(BugReport &R, 1068 InterestingExprs &IE, 1069 const ProgramState *State, 1070 const Expr *Ex, 1071 const LocationContext *LCtx) { 1072 SVal V = State->getSVal(Ex, LCtx); 1073 if (!(R.isInteresting(V) || IE.count(Ex))) 1074 return; 1075 1076 switch (Ex->getStmtClass()) { 1077 default: 1078 if (!isa<CastExpr>(Ex)) 1079 break; 1080 // Fall through. 1081 case Stmt::BinaryOperatorClass: 1082 case Stmt::UnaryOperatorClass: { 1083 for (Stmt::const_child_iterator CI = Ex->child_begin(), 1084 CE = Ex->child_end(); 1085 CI != CE; ++CI) { 1086 if (const Expr *child = dyn_cast_or_null<Expr>(*CI)) { 1087 IE.insert(child); 1088 SVal ChildV = State->getSVal(child, LCtx); 1089 R.markInteresting(ChildV); 1090 } 1091 break; 1092 } 1093 } 1094 } 1095 1096 R.markInteresting(V); 1097} 1098 1099static void reversePropagateInterestingSymbols(BugReport &R, 1100 InterestingExprs &IE, 1101 const ProgramState *State, 1102 const LocationContext *CalleeCtx, 1103 const LocationContext *CallerCtx) 1104{ 1105 // FIXME: Handle CXXConstructExpr. 1106 // FIXME: Handle calls to blocks. 1107 const StackFrameContext *Callee = CalleeCtx->getCurrentStackFrame(); 1108 const Stmt *CallSite = Callee->getCallSite(); 1109 if (const CallExpr *CE = dyn_cast<CallExpr>(CallSite)) { 1110 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeCtx->getDecl())) { 1111 FunctionDecl::param_const_iterator PI = FD->param_begin(), 1112 PE = FD->param_end(); 1113 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end(); 1114 for (; AI != AE && PI != PE; ++AI, ++PI) { 1115 if (const Expr *ArgE = *AI) { 1116 if (const ParmVarDecl *PD = *PI) { 1117 Loc LV = State->getLValue(PD, CalleeCtx); 1118 if (R.isInteresting(LV) || R.isInteresting(State->getRawSVal(LV))) 1119 IE.insert(ArgE); 1120 } 1121 } 1122 } 1123 } 1124 } 1125} 1126 1127static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1128 PathDiagnosticBuilder &PDB, 1129 const ExplodedNode *N, 1130 ArrayRef<BugReporterVisitor *> visitors) { 1131 EdgeBuilder EB(PD, PDB); 1132 const SourceManager& SM = PDB.getSourceManager(); 1133 StackDiagVector CallStack; 1134 InterestingExprs IE; 1135 1136 const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 1137 while (NextNode) { 1138 N = NextNode; 1139 NextNode = GetPredecessorNode(N); 1140 ProgramPoint P = N->getLocation(); 1141 1142 do { 1143 if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) { 1144 if (const Expr *Ex = PS->getStmtAs<Expr>()) 1145 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 1146 N->getState().getPtr(), Ex, 1147 N->getLocationContext()); 1148 } 1149 1150 if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) { 1151 const StackFrameContext *LCtx = 1152 CE->getLocationContext()->getCurrentStackFrame(); 1153 PathDiagnosticLocation Loc(CE->getStmt(), 1154 PDB.getSourceManager(), 1155 LCtx); 1156 EB.addEdge(Loc, true); 1157 EB.flushLocations(); 1158 PathDiagnosticCallPiece *C = 1159 PathDiagnosticCallPiece::construct(N, *CE, SM); 1160 PD.getActivePath().push_front(C); 1161 PD.pushActivePath(&C->path); 1162 CallStack.push_back(StackDiagPair(C, N)); 1163 break; 1164 } 1165 1166 // Pop the call hierarchy if we are done walking the contents 1167 // of a function call. 1168 if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) { 1169 // Add an edge to the start of the function. 1170 const Decl *D = CE->getCalleeContext()->getDecl(); 1171 PathDiagnosticLocation pos = 1172 PathDiagnosticLocation::createBegin(D, SM); 1173 EB.addEdge(pos); 1174 1175 // Flush all locations, and pop the active path. 1176 EB.flushLocations(); 1177 PD.popActivePath(); 1178 assert(!PD.getActivePath().empty()); 1179 PDB.LC = N->getLocationContext(); 1180 1181 // The current active path should never be empty. Either we 1182 // just added a bunch of stuff to the top-level path, or 1183 // we have a previous CallExitEnd. If the front of the active 1184 // path is not a PathDiagnosticCallPiece, it means that the 1185 // path terminated within a function call. We must then take the 1186 // current contents of the active path and place it within 1187 // a new PathDiagnosticCallPiece. 1188 PathDiagnosticCallPiece *C = 1189 dyn_cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 1190 if (!C) { 1191 const Decl * Caller = CE->getLocationContext()->getDecl(); 1192 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 1193 } 1194 C->setCallee(*CE, SM); 1195 EB.addContext(CE->getCallExpr()); 1196 1197 if (!CallStack.empty()) { 1198 assert(CallStack.back().first == C); 1199 CallStack.pop_back(); 1200 } 1201 break; 1202 } 1203 1204 // Note that is important that we update the LocationContext 1205 // after looking at CallExits. CallExit basically adds an 1206 // edge in the *caller*, so we don't want to update the LocationContext 1207 // too soon. 1208 PDB.LC = N->getLocationContext(); 1209 1210 // Block edges. 1211 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 1212 // Does this represent entering a call? If so, look at propagating 1213 // interesting symbols across call boundaries. 1214 if (NextNode) { 1215 const LocationContext *CallerCtx = NextNode->getLocationContext(); 1216 const LocationContext *CalleeCtx = PDB.LC; 1217 if (CallerCtx != CalleeCtx) { 1218 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 1219 N->getState().getPtr(), 1220 CalleeCtx, CallerCtx); 1221 } 1222 } 1223 1224 const CFGBlock &Blk = *BE->getSrc(); 1225 const Stmt *Term = Blk.getTerminator(); 1226 1227 // Are we jumping to the head of a loop? Add a special diagnostic. 1228 if (const Stmt *Loop = BE->getDst()->getLoopTarget()) { 1229 PathDiagnosticLocation L(Loop, SM, PDB.LC); 1230 const CompoundStmt *CS = NULL; 1231 1232 if (!Term) { 1233 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1234 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1235 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1236 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1237 } 1238 1239 PathDiagnosticEventPiece *p = 1240 new PathDiagnosticEventPiece(L, 1241 "Looping back to the head of the loop"); 1242 p->setPrunable(true); 1243 1244 EB.addEdge(p->getLocation(), true); 1245 PD.getActivePath().push_front(p); 1246 1247 if (CS) { 1248 PathDiagnosticLocation BL = 1249 PathDiagnosticLocation::createEndBrace(CS, SM); 1250 EB.addEdge(BL); 1251 } 1252 } 1253 1254 if (Term) 1255 EB.addContext(Term); 1256 1257 break; 1258 } 1259 1260 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 1261 if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) { 1262 const Stmt *stmt = S->getStmt(); 1263 if (IsControlFlowExpr(stmt)) { 1264 // Add the proper context for '&&', '||', and '?'. 1265 EB.addContext(stmt); 1266 } 1267 else 1268 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1269 } 1270 1271 break; 1272 } 1273 1274 1275 } while (0); 1276 1277 if (!NextNode) 1278 continue; 1279 1280 // Add pieces from custom visitors. 1281 BugReport *R = PDB.getBugReport(); 1282 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 1283 E = visitors.end(); 1284 I != E; ++I) { 1285 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 1286 const PathDiagnosticLocation &Loc = p->getLocation(); 1287 EB.addEdge(Loc, true); 1288 PD.getActivePath().push_front(p); 1289 updateStackPiecesWithMessage(p, CallStack); 1290 1291 if (const Stmt *S = Loc.asStmt()) 1292 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1293 } 1294 } 1295 } 1296} 1297 1298//===----------------------------------------------------------------------===// 1299// Methods for BugType and subclasses. 1300//===----------------------------------------------------------------------===// 1301BugType::~BugType() { } 1302 1303void BugType::FlushReports(BugReporter &BR) {} 1304 1305void BuiltinBug::anchor() {} 1306 1307//===----------------------------------------------------------------------===// 1308// Methods for BugReport and subclasses. 1309//===----------------------------------------------------------------------===// 1310 1311void BugReport::NodeResolver::anchor() {} 1312 1313void BugReport::addVisitor(BugReporterVisitor* visitor) { 1314 if (!visitor) 1315 return; 1316 1317 llvm::FoldingSetNodeID ID; 1318 visitor->Profile(ID); 1319 void *InsertPos; 1320 1321 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 1322 delete visitor; 1323 return; 1324 } 1325 1326 CallbacksSet.InsertNode(visitor, InsertPos); 1327 Callbacks.push_back(visitor); 1328 ++ConfigurationChangeToken; 1329} 1330 1331BugReport::~BugReport() { 1332 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) { 1333 delete *I; 1334 } 1335} 1336 1337const Decl *BugReport::getDeclWithIssue() const { 1338 if (DeclWithIssue) 1339 return DeclWithIssue; 1340 1341 const ExplodedNode *N = getErrorNode(); 1342 if (!N) 1343 return 0; 1344 1345 const LocationContext *LC = N->getLocationContext(); 1346 return LC->getCurrentStackFrame()->getDecl(); 1347} 1348 1349void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 1350 hash.AddPointer(&BT); 1351 hash.AddString(Description); 1352 if (UniqueingLocation.isValid()) { 1353 UniqueingLocation.Profile(hash); 1354 } else if (Location.isValid()) { 1355 Location.Profile(hash); 1356 } else { 1357 assert(ErrorNode); 1358 hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode)); 1359 } 1360 1361 for (SmallVectorImpl<SourceRange>::const_iterator I = 1362 Ranges.begin(), E = Ranges.end(); I != E; ++I) { 1363 const SourceRange range = *I; 1364 if (!range.isValid()) 1365 continue; 1366 hash.AddInteger(range.getBegin().getRawEncoding()); 1367 hash.AddInteger(range.getEnd().getRawEncoding()); 1368 } 1369} 1370 1371void BugReport::markInteresting(SymbolRef sym) { 1372 if (!sym) 1373 return; 1374 1375 // If the symbol wasn't already in our set, note a configuration change. 1376 if (interestingSymbols.insert(sym).second) 1377 ++ConfigurationChangeToken; 1378 1379 if (const SymbolMetadata *meta = dyn_cast<SymbolMetadata>(sym)) 1380 interestingRegions.insert(meta->getRegion()); 1381} 1382 1383void BugReport::markInteresting(const MemRegion *R) { 1384 if (!R) 1385 return; 1386 1387 // If the base region wasn't already in our set, note a configuration change. 1388 R = R->getBaseRegion(); 1389 if (interestingRegions.insert(R).second) 1390 ++ConfigurationChangeToken; 1391 1392 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 1393 interestingSymbols.insert(SR->getSymbol()); 1394} 1395 1396void BugReport::markInteresting(SVal V) { 1397 markInteresting(V.getAsRegion()); 1398 markInteresting(V.getAsSymbol()); 1399} 1400 1401bool BugReport::isInteresting(SVal V) const { 1402 return isInteresting(V.getAsRegion()) || isInteresting(V.getAsSymbol()); 1403} 1404 1405bool BugReport::isInteresting(SymbolRef sym) const { 1406 if (!sym) 1407 return false; 1408 // We don't currently consider metadata symbols to be interesting 1409 // even if we know their region is interesting. Is that correct behavior? 1410 return interestingSymbols.count(sym); 1411} 1412 1413bool BugReport::isInteresting(const MemRegion *R) const { 1414 if (!R) 1415 return false; 1416 R = R->getBaseRegion(); 1417 bool b = interestingRegions.count(R); 1418 if (b) 1419 return true; 1420 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 1421 return interestingSymbols.count(SR->getSymbol()); 1422 return false; 1423} 1424 1425 1426const Stmt *BugReport::getStmt() const { 1427 if (!ErrorNode) 1428 return 0; 1429 1430 ProgramPoint ProgP = ErrorNode->getLocation(); 1431 const Stmt *S = NULL; 1432 1433 if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) { 1434 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 1435 if (BE->getBlock() == &Exit) 1436 S = GetPreviousStmt(ErrorNode); 1437 } 1438 if (!S) 1439 S = GetStmt(ProgP); 1440 1441 return S; 1442} 1443 1444std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 1445BugReport::getRanges() { 1446 // If no custom ranges, add the range of the statement corresponding to 1447 // the error node. 1448 if (Ranges.empty()) { 1449 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) 1450 addRange(E->getSourceRange()); 1451 else 1452 return std::make_pair(ranges_iterator(), ranges_iterator()); 1453 } 1454 1455 // User-specified absence of range info. 1456 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 1457 return std::make_pair(ranges_iterator(), ranges_iterator()); 1458 1459 return std::make_pair(Ranges.begin(), Ranges.end()); 1460} 1461 1462PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const { 1463 if (ErrorNode) { 1464 assert(!Location.isValid() && 1465 "Either Location or ErrorNode should be specified but not both."); 1466 1467 if (const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode)) { 1468 const LocationContext *LC = ErrorNode->getLocationContext(); 1469 1470 // For member expressions, return the location of the '.' or '->'. 1471 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 1472 return PathDiagnosticLocation::createMemberLoc(ME, SM); 1473 // For binary operators, return the location of the operator. 1474 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 1475 return PathDiagnosticLocation::createOperatorLoc(B, SM); 1476 1477 return PathDiagnosticLocation::createBegin(S, SM, LC); 1478 } 1479 } else { 1480 assert(Location.isValid()); 1481 return Location; 1482 } 1483 1484 return PathDiagnosticLocation(); 1485} 1486 1487//===----------------------------------------------------------------------===// 1488// Methods for BugReporter and subclasses. 1489//===----------------------------------------------------------------------===// 1490 1491BugReportEquivClass::~BugReportEquivClass() { } 1492GRBugReporter::~GRBugReporter() { } 1493BugReporterData::~BugReporterData() {} 1494 1495ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 1496 1497ProgramStateManager& 1498GRBugReporter::getStateManager() { return Eng.getStateManager(); } 1499 1500BugReporter::~BugReporter() { 1501 FlushReports(); 1502 1503 // Free the bug reports we are tracking. 1504 typedef std::vector<BugReportEquivClass *> ContTy; 1505 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end(); 1506 I != E; ++I) { 1507 delete *I; 1508 } 1509} 1510 1511void BugReporter::FlushReports() { 1512 if (BugTypes.isEmpty()) 1513 return; 1514 1515 // First flush the warnings for each BugType. This may end up creating new 1516 // warnings and new BugTypes. 1517 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 1518 // Turn NSErrorChecker into a proper checker and remove this. 1519 SmallVector<const BugType*, 16> bugTypes; 1520 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 1521 bugTypes.push_back(*I); 1522 for (SmallVector<const BugType*, 16>::iterator 1523 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 1524 const_cast<BugType*>(*I)->FlushReports(*this); 1525 1526 typedef llvm::FoldingSet<BugReportEquivClass> SetTy; 1527 for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){ 1528 BugReportEquivClass& EQ = *EI; 1529 FlushReport(EQ); 1530 } 1531 1532 // BugReporter owns and deletes only BugTypes created implicitly through 1533 // EmitBasicReport. 1534 // FIXME: There are leaks from checkers that assume that the BugTypes they 1535 // create will be destroyed by the BugReporter. 1536 for (llvm::StringMap<BugType*>::iterator 1537 I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I) 1538 delete I->second; 1539 1540 // Remove all references to the BugType objects. 1541 BugTypes = F.getEmptySet(); 1542} 1543 1544//===----------------------------------------------------------------------===// 1545// PathDiagnostics generation. 1546//===----------------------------------------------------------------------===// 1547 1548static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1549 std::pair<ExplodedNode*, unsigned> > 1550MakeReportGraph(const ExplodedGraph* G, 1551 SmallVectorImpl<const ExplodedNode*> &nodes) { 1552 1553 // Create the trimmed graph. It will contain the shortest paths from the 1554 // error nodes to the root. In the new graph we should only have one 1555 // error node unless there are two or more error nodes with the same minimum 1556 // path length. 1557 ExplodedGraph* GTrim; 1558 InterExplodedGraphMap* NMap; 1559 1560 llvm::DenseMap<const void*, const void*> InverseMap; 1561 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 1562 &InverseMap); 1563 1564 // Create owning pointers for GTrim and NMap just to ensure that they are 1565 // released when this function exists. 1566 OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 1567 OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 1568 1569 // Find the (first) error node in the trimmed graph. We just need to consult 1570 // the node map (NMap) which maps from nodes in the original graph to nodes 1571 // in the new graph. 1572 1573 std::queue<const ExplodedNode*> WS; 1574 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 1575 IndexMapTy IndexMap; 1576 1577 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 1578 const ExplodedNode *originalNode = nodes[nodeIndex]; 1579 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 1580 WS.push(N); 1581 IndexMap[originalNode] = nodeIndex; 1582 } 1583 } 1584 1585 assert(!WS.empty() && "No error node found in the trimmed graph."); 1586 1587 // Create a new (third!) graph with a single path. This is the graph 1588 // that will be returned to the caller. 1589 ExplodedGraph *GNew = new ExplodedGraph(); 1590 1591 // Sometimes the trimmed graph can contain a cycle. Perform a reverse BFS 1592 // to the root node, and then construct a new graph that contains only 1593 // a single path. 1594 llvm::DenseMap<const void*,unsigned> Visited; 1595 1596 unsigned cnt = 0; 1597 const ExplodedNode *Root = 0; 1598 1599 while (!WS.empty()) { 1600 const ExplodedNode *Node = WS.front(); 1601 WS.pop(); 1602 1603 if (Visited.find(Node) != Visited.end()) 1604 continue; 1605 1606 Visited[Node] = cnt++; 1607 1608 if (Node->pred_empty()) { 1609 Root = Node; 1610 break; 1611 } 1612 1613 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 1614 E=Node->pred_end(); I!=E; ++I) 1615 WS.push(*I); 1616 } 1617 1618 assert(Root); 1619 1620 // Now walk from the root down the BFS path, always taking the successor 1621 // with the lowest number. 1622 ExplodedNode *Last = 0, *First = 0; 1623 NodeBackMap *BM = new NodeBackMap(); 1624 unsigned NodeIndex = 0; 1625 1626 for ( const ExplodedNode *N = Root ;;) { 1627 // Lookup the number associated with the current node. 1628 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 1629 assert(I != Visited.end()); 1630 1631 // Create the equivalent node in the new graph with the same state 1632 // and location. 1633 ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState()); 1634 1635 // Store the mapping to the original node. 1636 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 1637 assert(IMitr != InverseMap.end() && "No mapping to original node."); 1638 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 1639 1640 // Link up the new node with the previous node. 1641 if (Last) 1642 NewN->addPredecessor(Last, *GNew); 1643 1644 Last = NewN; 1645 1646 // Are we at the final node? 1647 IndexMapTy::iterator IMI = 1648 IndexMap.find((const ExplodedNode*)(IMitr->second)); 1649 if (IMI != IndexMap.end()) { 1650 First = NewN; 1651 NodeIndex = IMI->second; 1652 break; 1653 } 1654 1655 // Find the next successor node. We choose the node that is marked 1656 // with the lowest DFS number. 1657 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 1658 ExplodedNode::const_succ_iterator SE = N->succ_end(); 1659 N = 0; 1660 1661 for (unsigned MinVal = 0; SI != SE; ++SI) { 1662 1663 I = Visited.find(*SI); 1664 1665 if (I == Visited.end()) 1666 continue; 1667 1668 if (!N || I->second < MinVal) { 1669 N = *SI; 1670 MinVal = I->second; 1671 } 1672 } 1673 1674 assert(N); 1675 } 1676 1677 assert(First); 1678 1679 return std::make_pair(std::make_pair(GNew, BM), 1680 std::make_pair(First, NodeIndex)); 1681} 1682 1683/// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 1684/// and collapses PathDiagosticPieces that are expanded by macros. 1685static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) { 1686 typedef std::vector<std::pair<IntrusiveRefCntPtr<PathDiagnosticMacroPiece>, 1687 SourceLocation> > MacroStackTy; 1688 1689 typedef std::vector<IntrusiveRefCntPtr<PathDiagnosticPiece> > 1690 PiecesTy; 1691 1692 MacroStackTy MacroStack; 1693 PiecesTy Pieces; 1694 1695 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 1696 I!=E; ++I) { 1697 1698 PathDiagnosticPiece *piece = I->getPtr(); 1699 1700 // Recursively compact calls. 1701 if (PathDiagnosticCallPiece *call=dyn_cast<PathDiagnosticCallPiece>(piece)){ 1702 CompactPathDiagnostic(call->path, SM); 1703 } 1704 1705 // Get the location of the PathDiagnosticPiece. 1706 const FullSourceLoc Loc = piece->getLocation().asLocation(); 1707 1708 // Determine the instantiation location, which is the location we group 1709 // related PathDiagnosticPieces. 1710 SourceLocation InstantiationLoc = Loc.isMacroID() ? 1711 SM.getExpansionLoc(Loc) : 1712 SourceLocation(); 1713 1714 if (Loc.isFileID()) { 1715 MacroStack.clear(); 1716 Pieces.push_back(piece); 1717 continue; 1718 } 1719 1720 assert(Loc.isMacroID()); 1721 1722 // Is the PathDiagnosticPiece within the same macro group? 1723 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 1724 MacroStack.back().first->subPieces.push_back(piece); 1725 continue; 1726 } 1727 1728 // We aren't in the same group. Are we descending into a new macro 1729 // or are part of an old one? 1730 IntrusiveRefCntPtr<PathDiagnosticMacroPiece> MacroGroup; 1731 1732 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 1733 SM.getExpansionLoc(Loc) : 1734 SourceLocation(); 1735 1736 // Walk the entire macro stack. 1737 while (!MacroStack.empty()) { 1738 if (InstantiationLoc == MacroStack.back().second) { 1739 MacroGroup = MacroStack.back().first; 1740 break; 1741 } 1742 1743 if (ParentInstantiationLoc == MacroStack.back().second) { 1744 MacroGroup = MacroStack.back().first; 1745 break; 1746 } 1747 1748 MacroStack.pop_back(); 1749 } 1750 1751 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 1752 // Create a new macro group and add it to the stack. 1753 PathDiagnosticMacroPiece *NewGroup = 1754 new PathDiagnosticMacroPiece( 1755 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 1756 1757 if (MacroGroup) 1758 MacroGroup->subPieces.push_back(NewGroup); 1759 else { 1760 assert(InstantiationLoc.isFileID()); 1761 Pieces.push_back(NewGroup); 1762 } 1763 1764 MacroGroup = NewGroup; 1765 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 1766 } 1767 1768 // Finally, add the PathDiagnosticPiece to the group. 1769 MacroGroup->subPieces.push_back(piece); 1770 } 1771 1772 // Now take the pieces and construct a new PathDiagnostic. 1773 path.clear(); 1774 1775 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) 1776 path.push_back(*I); 1777} 1778 1779void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD, 1780 SmallVectorImpl<BugReport *> &bugReports) { 1781 1782 assert(!bugReports.empty()); 1783 SmallVector<const ExplodedNode *, 10> errorNodes; 1784 for (SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(), 1785 E = bugReports.end(); I != E; ++I) { 1786 errorNodes.push_back((*I)->getErrorNode()); 1787 } 1788 1789 // Construct a new graph that contains only a single path from the error 1790 // node to a root. 1791 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1792 std::pair<ExplodedNode*, unsigned> >& 1793 GPair = MakeReportGraph(&getGraph(), errorNodes); 1794 1795 // Find the BugReport with the original location. 1796 assert(GPair.second.second < bugReports.size()); 1797 BugReport *R = bugReports[GPair.second.second]; 1798 assert(R && "No original report found for sliced graph."); 1799 1800 OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 1801 OwningPtr<NodeBackMap> BackMap(GPair.first.second); 1802 const ExplodedNode *N = GPair.second.first; 1803 1804 // Start building the path diagnostic... 1805 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), 1806 getPathDiagnosticConsumer()); 1807 1808 // Register additional node visitors. 1809 R->addVisitor(new NilReceiverBRVisitor()); 1810 R->addVisitor(new ConditionBRVisitor()); 1811 1812 BugReport::VisitorList visitors; 1813 unsigned originalReportConfigToken, finalReportConfigToken; 1814 1815 // While generating diagnostics, it's possible the visitors will decide 1816 // new symbols and regions are interesting, or add other visitors based on 1817 // the information they find. If they do, we need to regenerate the path 1818 // based on our new report configuration. 1819 do { 1820 // Get a clean copy of all the visitors. 1821 for (BugReport::visitor_iterator I = R->visitor_begin(), 1822 E = R->visitor_end(); I != E; ++I) 1823 visitors.push_back((*I)->clone()); 1824 1825 // Clear out the active path from any previous work. 1826 PD.getActivePath().clear(); 1827 originalReportConfigToken = R->getConfigurationChangeToken(); 1828 1829 // Generate the very last diagnostic piece - the piece is visible before 1830 // the trace is expanded. 1831 PathDiagnosticPiece *LastPiece = 0; 1832 for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end(); 1833 I != E; ++I) { 1834 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) { 1835 assert (!LastPiece && 1836 "There can only be one final piece in a diagnostic."); 1837 LastPiece = Piece; 1838 } 1839 } 1840 if (!LastPiece) 1841 LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R); 1842 if (LastPiece) 1843 PD.getActivePath().push_back(LastPiece); 1844 else 1845 return; 1846 1847 switch (PDB.getGenerationScheme()) { 1848 case PathDiagnosticConsumer::Extensive: 1849 GenerateExtensivePathDiagnostic(PD, PDB, N, visitors); 1850 break; 1851 case PathDiagnosticConsumer::Minimal: 1852 GenerateMinimalPathDiagnostic(PD, PDB, N, visitors); 1853 break; 1854 } 1855 1856 // Clean up the visitors we used. 1857 llvm::DeleteContainerPointers(visitors); 1858 1859 // Did anything change while generating this path? 1860 finalReportConfigToken = R->getConfigurationChangeToken(); 1861 } while(finalReportConfigToken != originalReportConfigToken); 1862 1863 // Finally, prune the diagnostic path of uninteresting stuff. 1864 bool hasSomethingInteresting = RemoveUneededCalls(PD.getMutablePieces()); 1865 assert(hasSomethingInteresting); 1866 (void) hasSomethingInteresting; 1867} 1868 1869void BugReporter::Register(BugType *BT) { 1870 BugTypes = F.add(BugTypes, BT); 1871} 1872 1873void BugReporter::EmitReport(BugReport* R) { 1874 // Compute the bug report's hash to determine its equivalence class. 1875 llvm::FoldingSetNodeID ID; 1876 R->Profile(ID); 1877 1878 // Lookup the equivance class. If there isn't one, create it. 1879 BugType& BT = R->getBugType(); 1880 Register(&BT); 1881 void *InsertPos; 1882 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 1883 1884 if (!EQ) { 1885 EQ = new BugReportEquivClass(R); 1886 EQClasses.InsertNode(EQ, InsertPos); 1887 EQClassesVector.push_back(EQ); 1888 } 1889 else 1890 EQ->AddReport(R); 1891} 1892 1893 1894//===----------------------------------------------------------------------===// 1895// Emitting reports in equivalence classes. 1896//===----------------------------------------------------------------------===// 1897 1898namespace { 1899struct FRIEC_WLItem { 1900 const ExplodedNode *N; 1901 ExplodedNode::const_succ_iterator I, E; 1902 1903 FRIEC_WLItem(const ExplodedNode *n) 1904 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 1905}; 1906} 1907 1908static BugReport * 1909FindReportInEquivalenceClass(BugReportEquivClass& EQ, 1910 SmallVectorImpl<BugReport*> &bugReports) { 1911 1912 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 1913 assert(I != E); 1914 BugType& BT = I->getBugType(); 1915 1916 // If we don't need to suppress any of the nodes because they are 1917 // post-dominated by a sink, simply add all the nodes in the equivalence class 1918 // to 'Nodes'. Any of the reports will serve as a "representative" report. 1919 if (!BT.isSuppressOnSink()) { 1920 BugReport *R = I; 1921 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 1922 const ExplodedNode *N = I->getErrorNode(); 1923 if (N) { 1924 R = I; 1925 bugReports.push_back(R); 1926 } 1927 } 1928 return R; 1929 } 1930 1931 // For bug reports that should be suppressed when all paths are post-dominated 1932 // by a sink node, iterate through the reports in the equivalence class 1933 // until we find one that isn't post-dominated (if one exists). We use a 1934 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 1935 // this as a recursive function, but we don't want to risk blowing out the 1936 // stack for very long paths. 1937 BugReport *exampleReport = 0; 1938 1939 for (; I != E; ++I) { 1940 const ExplodedNode *errorNode = I->getErrorNode(); 1941 1942 if (!errorNode) 1943 continue; 1944 if (errorNode->isSink()) { 1945 llvm_unreachable( 1946 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 1947 } 1948 // No successors? By definition this nodes isn't post-dominated by a sink. 1949 if (errorNode->succ_empty()) { 1950 bugReports.push_back(I); 1951 if (!exampleReport) 1952 exampleReport = I; 1953 continue; 1954 } 1955 1956 // At this point we know that 'N' is not a sink and it has at least one 1957 // successor. Use a DFS worklist to find a non-sink end-of-path node. 1958 typedef FRIEC_WLItem WLItem; 1959 typedef SmallVector<WLItem, 10> DFSWorkList; 1960 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 1961 1962 DFSWorkList WL; 1963 WL.push_back(errorNode); 1964 Visited[errorNode] = 1; 1965 1966 while (!WL.empty()) { 1967 WLItem &WI = WL.back(); 1968 assert(!WI.N->succ_empty()); 1969 1970 for (; WI.I != WI.E; ++WI.I) { 1971 const ExplodedNode *Succ = *WI.I; 1972 // End-of-path node? 1973 if (Succ->succ_empty()) { 1974 // If we found an end-of-path node that is not a sink. 1975 if (!Succ->isSink()) { 1976 bugReports.push_back(I); 1977 if (!exampleReport) 1978 exampleReport = I; 1979 WL.clear(); 1980 break; 1981 } 1982 // Found a sink? Continue on to the next successor. 1983 continue; 1984 } 1985 // Mark the successor as visited. If it hasn't been explored, 1986 // enqueue it to the DFS worklist. 1987 unsigned &mark = Visited[Succ]; 1988 if (!mark) { 1989 mark = 1; 1990 WL.push_back(Succ); 1991 break; 1992 } 1993 } 1994 1995 // The worklist may have been cleared at this point. First 1996 // check if it is empty before checking the last item. 1997 if (!WL.empty() && &WL.back() == &WI) 1998 WL.pop_back(); 1999 } 2000 } 2001 2002 // ExampleReport will be NULL if all the nodes in the equivalence class 2003 // were post-dominated by sinks. 2004 return exampleReport; 2005} 2006 2007//===----------------------------------------------------------------------===// 2008// DiagnosticCache. This is a hack to cache analyzer diagnostics. It 2009// uses global state, which eventually should go elsewhere. 2010//===----------------------------------------------------------------------===// 2011namespace { 2012class DiagCacheItem : public llvm::FoldingSetNode { 2013 llvm::FoldingSetNodeID ID; 2014public: 2015 DiagCacheItem(BugReport *R, PathDiagnostic *PD) { 2016 R->Profile(ID); 2017 PD->Profile(ID); 2018 } 2019 2020 void Profile(llvm::FoldingSetNodeID &id) { 2021 id = ID; 2022 } 2023 2024 llvm::FoldingSetNodeID &getID() { return ID; } 2025}; 2026} 2027 2028static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) { 2029 // FIXME: Eventually this diagnostic cache should reside in something 2030 // like AnalysisManager instead of being a static variable. This is 2031 // really unsafe in the long term. 2032 typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache; 2033 static DiagnosticCache DC; 2034 2035 void *InsertPos; 2036 DiagCacheItem *Item = new DiagCacheItem(R, PD); 2037 2038 if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) { 2039 delete Item; 2040 return true; 2041 } 2042 2043 DC.InsertNode(Item, InsertPos); 2044 return false; 2045} 2046 2047void BugReporter::FlushReport(BugReportEquivClass& EQ) { 2048 SmallVector<BugReport*, 10> bugReports; 2049 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 2050 if (!exampleReport) 2051 return; 2052 2053 PathDiagnosticConsumer* PD = getPathDiagnosticConsumer(); 2054 2055 // FIXME: Make sure we use the 'R' for the path that was actually used. 2056 // Probably doesn't make a difference in practice. 2057 BugType& BT = exampleReport->getBugType(); 2058 2059 OwningPtr<PathDiagnostic> 2060 D(new PathDiagnostic(exampleReport->getDeclWithIssue(), 2061 exampleReport->getBugType().getName(), 2062 !PD || PD->useVerboseDescription() 2063 ? exampleReport->getDescription() 2064 : exampleReport->getShortDescription(), 2065 BT.getCategory())); 2066 2067 if (!bugReports.empty()) 2068 GeneratePathDiagnostic(*D.get(), bugReports); 2069 2070 // Get the meta data. 2071 const BugReport::ExtraTextList &Meta = 2072 exampleReport->getExtraText(); 2073 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(), 2074 e = Meta.end(); i != e; ++i) { 2075 D->addMeta(*i); 2076 } 2077 2078 // Emit a summary diagnostic to the regular Diagnostics engine. 2079 BugReport::ranges_iterator Beg, End; 2080 llvm::tie(Beg, End) = exampleReport->getRanges(); 2081 DiagnosticsEngine &Diag = getDiagnostic(); 2082 2083 if (!IsCachedDiagnostic(exampleReport, D.get())) { 2084 // Search the description for '%', as that will be interpretted as a 2085 // format character by FormatDiagnostics. 2086 StringRef desc = exampleReport->getShortDescription(); 2087 2088 SmallString<512> TmpStr; 2089 llvm::raw_svector_ostream Out(TmpStr); 2090 for (StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I) { 2091 if (*I == '%') 2092 Out << "%%"; 2093 else 2094 Out << *I; 2095 } 2096 2097 Out.flush(); 2098 unsigned ErrorDiag = Diag.getCustomDiagID(DiagnosticsEngine::Warning, TmpStr); 2099 2100 DiagnosticBuilder diagBuilder = Diag.Report( 2101 exampleReport->getLocation(getSourceManager()).asLocation(), ErrorDiag); 2102 for (BugReport::ranges_iterator I = Beg; I != End; ++I) 2103 diagBuilder << *I; 2104 } 2105 2106 // Emit a full diagnostic for the path if we have a PathDiagnosticConsumer. 2107 if (!PD) 2108 return; 2109 2110 if (D->path.empty()) { 2111 PathDiagnosticPiece *piece = new PathDiagnosticEventPiece( 2112 exampleReport->getLocation(getSourceManager()), 2113 exampleReport->getDescription()); 2114 for ( ; Beg != End; ++Beg) 2115 piece->addRange(*Beg); 2116 2117 D->getActivePath().push_back(piece); 2118 } 2119 2120 PD->HandlePathDiagnostic(D.take()); 2121} 2122 2123void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 2124 StringRef name, 2125 StringRef category, 2126 StringRef str, PathDiagnosticLocation Loc, 2127 SourceRange* RBeg, unsigned NumRanges) { 2128 2129 // 'BT' is owned by BugReporter. 2130 BugType *BT = getBugTypeForName(name, category); 2131 BugReport *R = new BugReport(*BT, str, Loc); 2132 R->setDeclWithIssue(DeclWithIssue); 2133 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 2134 EmitReport(R); 2135} 2136 2137BugType *BugReporter::getBugTypeForName(StringRef name, 2138 StringRef category) { 2139 SmallString<136> fullDesc; 2140 llvm::raw_svector_ostream(fullDesc) << name << ":" << category; 2141 llvm::StringMapEntry<BugType *> & 2142 entry = StrBugTypes.GetOrCreateValue(fullDesc); 2143 BugType *BT = entry.getValue(); 2144 if (!BT) { 2145 BT = new BugType(name, category); 2146 entry.setValue(BT); 2147 } 2148 return BT; 2149} 2150