BugReporter.cpp revision 9c378f705405d37f49795d5e915989de774fe11f
1// BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file defines BugReporter, a utility class for generating 11// PathDiagnostics. 12// 13//===----------------------------------------------------------------------===// 14 15#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 16#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 17#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 18#include "clang/AST/ASTContext.h" 19#include "clang/Analysis/CFG.h" 20#include "clang/AST/Expr.h" 21#include "clang/AST/ParentMap.h" 22#include "clang/AST/StmtObjC.h" 23#include "clang/Basic/SourceManager.h" 24#include "clang/Analysis/ProgramPoint.h" 25#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 26#include "llvm/Support/raw_ostream.h" 27#include "llvm/ADT/DenseMap.h" 28#include "llvm/ADT/STLExtras.h" 29#include "llvm/ADT/OwningPtr.h" 30#include <queue> 31 32using namespace clang; 33using namespace ento; 34 35BugReporterVisitor::~BugReporterVisitor() {} 36BugReporterContext::~BugReporterContext() { 37 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) 38 if ((*I)->isOwnedByReporterContext()) delete *I; 39} 40 41void BugReporterContext::addVisitor(BugReporterVisitor* visitor) { 42 if (!visitor) 43 return; 44 45 llvm::FoldingSetNodeID ID; 46 visitor->Profile(ID); 47 void *InsertPos; 48 49 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 50 delete visitor; 51 return; 52 } 53 54 CallbacksSet.InsertNode(visitor, InsertPos); 55 Callbacks = F.add(visitor, Callbacks); 56} 57 58//===----------------------------------------------------------------------===// 59// Helper routines for walking the ExplodedGraph and fetching statements. 60//===----------------------------------------------------------------------===// 61 62static inline const Stmt *GetStmt(const ProgramPoint &P) { 63 if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P)) 64 return SP->getStmt(); 65 else if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) 66 return BE->getSrc()->getTerminator(); 67 68 return 0; 69} 70 71static inline const ExplodedNode* 72GetPredecessorNode(const ExplodedNode *N) { 73 return N->pred_empty() ? NULL : *(N->pred_begin()); 74} 75 76static inline const ExplodedNode* 77GetSuccessorNode(const ExplodedNode *N) { 78 return N->succ_empty() ? NULL : *(N->succ_begin()); 79} 80 81static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 82 for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N)) 83 if (const Stmt *S = GetStmt(N->getLocation())) 84 return S; 85 86 return 0; 87} 88 89static const Stmt *GetNextStmt(const ExplodedNode *N) { 90 for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) 91 if (const Stmt *S = GetStmt(N->getLocation())) { 92 // Check if the statement is '?' or '&&'/'||'. These are "merges", 93 // not actual statement points. 94 switch (S->getStmtClass()) { 95 case Stmt::ChooseExprClass: 96 case Stmt::BinaryConditionalOperatorClass: continue; 97 case Stmt::ConditionalOperatorClass: continue; 98 case Stmt::BinaryOperatorClass: { 99 BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode(); 100 if (Op == BO_LAnd || Op == BO_LOr) 101 continue; 102 break; 103 } 104 default: 105 break; 106 } 107 108 // Some expressions don't have locations. 109 if (S->getLocStart().isInvalid()) 110 continue; 111 112 return S; 113 } 114 115 return 0; 116} 117 118static inline const Stmt* 119GetCurrentOrPreviousStmt(const ExplodedNode *N) { 120 if (const Stmt *S = GetStmt(N->getLocation())) 121 return S; 122 123 return GetPreviousStmt(N); 124} 125 126static inline const Stmt* 127GetCurrentOrNextStmt(const ExplodedNode *N) { 128 if (const Stmt *S = GetStmt(N->getLocation())) 129 return S; 130 131 return GetNextStmt(N); 132} 133 134//===----------------------------------------------------------------------===// 135// PathDiagnosticBuilder and its associated routines and helper objects. 136//===----------------------------------------------------------------------===// 137 138typedef llvm::DenseMap<const ExplodedNode*, 139const ExplodedNode*> NodeBackMap; 140 141namespace { 142class NodeMapClosure : public BugReport::NodeResolver { 143 NodeBackMap& M; 144public: 145 NodeMapClosure(NodeBackMap *m) : M(*m) {} 146 ~NodeMapClosure() {} 147 148 const ExplodedNode *getOriginalNode(const ExplodedNode *N) { 149 NodeBackMap::iterator I = M.find(N); 150 return I == M.end() ? 0 : I->second; 151 } 152}; 153 154class PathDiagnosticBuilder : public BugReporterContext { 155 BugReport *R; 156 PathDiagnosticClient *PDC; 157 llvm::OwningPtr<ParentMap> PM; 158 NodeMapClosure NMC; 159public: 160 PathDiagnosticBuilder(GRBugReporter &br, 161 BugReport *r, NodeBackMap *Backmap, 162 PathDiagnosticClient *pdc) 163 : BugReporterContext(br), 164 R(r), PDC(pdc), NMC(Backmap) { 165 addVisitor(R); 166 } 167 168 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 169 170 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 171 const ExplodedNode *N); 172 173 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 174 175 ParentMap& getParentMap() { return R->getErrorNode()->getParentMap(); } 176 177 const Stmt *getParent(const Stmt *S) { 178 return getParentMap().getParent(S); 179 } 180 181 virtual NodeMapClosure& getNodeResolver() { return NMC; } 182 183 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 184 185 PathDiagnosticClient::PathGenerationScheme getGenerationScheme() const { 186 return PDC ? PDC->getGenerationScheme() : PathDiagnosticClient::Extensive; 187 } 188 189 bool supportsLogicalOpControlFlow() const { 190 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 191 } 192}; 193} // end anonymous namespace 194 195PathDiagnosticLocation 196PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 197 if (const Stmt *S = GetNextStmt(N)) 198 return PathDiagnosticLocation(S, getSourceManager()); 199 200 return FullSourceLoc(N->getLocationContext()->getDecl()->getBodyRBrace(), 201 getSourceManager()); 202} 203 204PathDiagnosticLocation 205PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 206 const ExplodedNode *N) { 207 208 // Slow, but probably doesn't matter. 209 if (os.str().empty()) 210 os << ' '; 211 212 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 213 214 if (Loc.asStmt()) 215 os << "Execution continues on line " 216 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 217 << '.'; 218 else { 219 os << "Execution jumps to the end of the "; 220 const Decl *D = N->getLocationContext()->getDecl(); 221 if (isa<ObjCMethodDecl>(D)) 222 os << "method"; 223 else if (isa<FunctionDecl>(D)) 224 os << "function"; 225 else { 226 assert(isa<BlockDecl>(D)); 227 os << "anonymous block"; 228 } 229 os << '.'; 230 } 231 232 return Loc; 233} 234 235static bool IsNested(const Stmt *S, ParentMap &PM) { 236 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 237 return true; 238 239 const Stmt *Parent = PM.getParentIgnoreParens(S); 240 241 if (Parent) 242 switch (Parent->getStmtClass()) { 243 case Stmt::ForStmtClass: 244 case Stmt::DoStmtClass: 245 case Stmt::WhileStmtClass: 246 return true; 247 default: 248 break; 249 } 250 251 return false; 252} 253 254PathDiagnosticLocation 255PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 256 assert(S && "Null Stmt *passed to getEnclosingStmtLocation"); 257 ParentMap &P = getParentMap(); 258 SourceManager &SMgr = getSourceManager(); 259 260 while (IsNested(S, P)) { 261 const Stmt *Parent = P.getParentIgnoreParens(S); 262 263 if (!Parent) 264 break; 265 266 switch (Parent->getStmtClass()) { 267 case Stmt::BinaryOperatorClass: { 268 const BinaryOperator *B = cast<BinaryOperator>(Parent); 269 if (B->isLogicalOp()) 270 return PathDiagnosticLocation(S, SMgr); 271 break; 272 } 273 case Stmt::CompoundStmtClass: 274 case Stmt::StmtExprClass: 275 return PathDiagnosticLocation(S, SMgr); 276 case Stmt::ChooseExprClass: 277 // Similar to '?' if we are referring to condition, just have the edge 278 // point to the entire choose expression. 279 if (cast<ChooseExpr>(Parent)->getCond() == S) 280 return PathDiagnosticLocation(Parent, SMgr); 281 else 282 return PathDiagnosticLocation(S, SMgr); 283 case Stmt::BinaryConditionalOperatorClass: 284 case Stmt::ConditionalOperatorClass: 285 // For '?', if we are referring to condition, just have the edge point 286 // to the entire '?' expression. 287 if (cast<AbstractConditionalOperator>(Parent)->getCond() == S) 288 return PathDiagnosticLocation(Parent, SMgr); 289 else 290 return PathDiagnosticLocation(S, SMgr); 291 case Stmt::DoStmtClass: 292 return PathDiagnosticLocation(S, SMgr); 293 case Stmt::ForStmtClass: 294 if (cast<ForStmt>(Parent)->getBody() == S) 295 return PathDiagnosticLocation(S, SMgr); 296 break; 297 case Stmt::IfStmtClass: 298 if (cast<IfStmt>(Parent)->getCond() != S) 299 return PathDiagnosticLocation(S, SMgr); 300 break; 301 case Stmt::ObjCForCollectionStmtClass: 302 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 303 return PathDiagnosticLocation(S, SMgr); 304 break; 305 case Stmt::WhileStmtClass: 306 if (cast<WhileStmt>(Parent)->getCond() != S) 307 return PathDiagnosticLocation(S, SMgr); 308 break; 309 default: 310 break; 311 } 312 313 S = Parent; 314 } 315 316 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 317 318 // Special case: DeclStmts can appear in for statement declarations, in which 319 // case the ForStmt is the context. 320 if (isa<DeclStmt>(S)) { 321 if (const Stmt *Parent = P.getParent(S)) { 322 switch (Parent->getStmtClass()) { 323 case Stmt::ForStmtClass: 324 case Stmt::ObjCForCollectionStmtClass: 325 return PathDiagnosticLocation(Parent, SMgr); 326 default: 327 break; 328 } 329 } 330 } 331 else if (isa<BinaryOperator>(S)) { 332 // Special case: the binary operator represents the initialization 333 // code in a for statement (this can happen when the variable being 334 // initialized is an old variable. 335 if (const ForStmt *FS = 336 dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) { 337 if (FS->getInit() == S) 338 return PathDiagnosticLocation(FS, SMgr); 339 } 340 } 341 342 return PathDiagnosticLocation(S, SMgr); 343} 344 345//===----------------------------------------------------------------------===// 346// ScanNotableSymbols: closure-like callback for scanning Store bindings. 347//===----------------------------------------------------------------------===// 348 349static const VarDecl* 350GetMostRecentVarDeclBinding(const ExplodedNode *N, 351 GRStateManager& VMgr, SVal X) { 352 353 for ( ; N ; N = N->pred_empty() ? 0 : *N->pred_begin()) { 354 355 ProgramPoint P = N->getLocation(); 356 357 if (!isa<PostStmt>(P)) 358 continue; 359 360 const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(cast<PostStmt>(P).getStmt()); 361 362 if (!DR) 363 continue; 364 365 SVal Y = N->getState()->getSVal(DR); 366 367 if (X != Y) 368 continue; 369 370 const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl()); 371 372 if (!VD) 373 continue; 374 375 return VD; 376 } 377 378 return 0; 379} 380 381namespace { 382class NotableSymbolHandler 383: public StoreManager::BindingsHandler { 384 385 SymbolRef Sym; 386 const GRState *PrevSt; 387 const Stmt *S; 388 GRStateManager& VMgr; 389 const ExplodedNode *Pred; 390 PathDiagnostic& PD; 391 BugReporter& BR; 392 393public: 394 395 NotableSymbolHandler(SymbolRef sym, const GRState *prevst, const Stmt *s, 396 GRStateManager& vmgr, const ExplodedNode *pred, 397 PathDiagnostic& pd, BugReporter& br) 398 : Sym(sym), PrevSt(prevst), S(s), VMgr(vmgr), Pred(pred), PD(pd), BR(br) {} 399 400 bool HandleBinding(StoreManager& SMgr, Store store, const MemRegion* R, 401 SVal V) { 402 403 SymbolRef ScanSym = V.getAsSymbol(); 404 405 if (ScanSym != Sym) 406 return true; 407 408 // Check if the previous state has this binding. 409 SVal X = PrevSt->getSVal(loc::MemRegionVal(R)); 410 411 if (X == V) // Same binding? 412 return true; 413 414 // Different binding. Only handle assignments for now. We don't pull 415 // this check out of the loop because we will eventually handle other 416 // cases. 417 418 VarDecl *VD = 0; 419 420 if (const BinaryOperator* B = dyn_cast<BinaryOperator>(S)) { 421 if (!B->isAssignmentOp()) 422 return true; 423 424 // What variable did we assign to? 425 DeclRefExpr *DR = dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenCasts()); 426 427 if (!DR) 428 return true; 429 430 VD = dyn_cast<VarDecl>(DR->getDecl()); 431 } 432 else if (const DeclStmt *DS = dyn_cast<DeclStmt>(S)) { 433 // FIXME: Eventually CFGs won't have DeclStmts. Right now we 434 // assume that each DeclStmt has a single Decl. This invariant 435 // holds by construction in the CFG. 436 VD = dyn_cast<VarDecl>(*DS->decl_begin()); 437 } 438 439 if (!VD) 440 return true; 441 442 // What is the most recently referenced variable with this binding? 443 const VarDecl *MostRecent = GetMostRecentVarDeclBinding(Pred, VMgr, V); 444 445 if (!MostRecent) 446 return true; 447 448 // Create the diagnostic. 449 FullSourceLoc L(S->getLocStart(), BR.getSourceManager()); 450 451 if (Loc::isLocType(VD->getType())) { 452 std::string msg = "'" + std::string(VD->getNameAsString()) + 453 "' now aliases '" + MostRecent->getNameAsString() + "'"; 454 455 PD.push_front(new PathDiagnosticEventPiece(L, msg)); 456 } 457 458 return true; 459 } 460}; 461} 462 463static void HandleNotableSymbol(const ExplodedNode *N, 464 const Stmt *S, 465 SymbolRef Sym, BugReporter& BR, 466 PathDiagnostic& PD) { 467 468 const ExplodedNode *Pred = N->pred_empty() ? 0 : *N->pred_begin(); 469 const GRState *PrevSt = Pred ? Pred->getState() : 0; 470 471 if (!PrevSt) 472 return; 473 474 // Look at the region bindings of the current state that map to the 475 // specified symbol. Are any of them not in the previous state? 476 GRStateManager& VMgr = cast<GRBugReporter>(BR).getStateManager(); 477 NotableSymbolHandler H(Sym, PrevSt, S, VMgr, Pred, PD, BR); 478 cast<GRBugReporter>(BR).getStateManager().iterBindings(N->getState(), H); 479} 480 481namespace { 482class ScanNotableSymbols 483: public StoreManager::BindingsHandler { 484 485 llvm::SmallSet<SymbolRef, 10> AlreadyProcessed; 486 const ExplodedNode *N; 487 const Stmt *S; 488 GRBugReporter& BR; 489 PathDiagnostic& PD; 490 491public: 492 ScanNotableSymbols(const ExplodedNode *n, const Stmt *s, 493 GRBugReporter& br, PathDiagnostic& pd) 494 : N(n), S(s), BR(br), PD(pd) {} 495 496 bool HandleBinding(StoreManager& SMgr, Store store, 497 const MemRegion* R, SVal V) { 498 499 SymbolRef ScanSym = V.getAsSymbol(); 500 501 if (!ScanSym) 502 return true; 503 504 if (!BR.isNotable(ScanSym)) 505 return true; 506 507 if (AlreadyProcessed.count(ScanSym)) 508 return true; 509 510 AlreadyProcessed.insert(ScanSym); 511 512 HandleNotableSymbol(N, S, ScanSym, BR, PD); 513 return true; 514 } 515}; 516} // end anonymous namespace 517 518//===----------------------------------------------------------------------===// 519// "Minimal" path diagnostic generation algorithm. 520//===----------------------------------------------------------------------===// 521 522static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM); 523 524static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 525 PathDiagnosticBuilder &PDB, 526 const ExplodedNode *N) { 527 528 SourceManager& SMgr = PDB.getSourceManager(); 529 const ExplodedNode *NextNode = N->pred_empty() 530 ? NULL : *(N->pred_begin()); 531 while (NextNode) { 532 N = NextNode; 533 NextNode = GetPredecessorNode(N); 534 535 ProgramPoint P = N->getLocation(); 536 537 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 538 const CFGBlock *Src = BE->getSrc(); 539 const CFGBlock *Dst = BE->getDst(); 540 const Stmt *T = Src->getTerminator(); 541 542 if (!T) 543 continue; 544 545 FullSourceLoc Start(T->getLocStart(), SMgr); 546 547 switch (T->getStmtClass()) { 548 default: 549 break; 550 551 case Stmt::GotoStmtClass: 552 case Stmt::IndirectGotoStmtClass: { 553 const Stmt *S = GetNextStmt(N); 554 555 if (!S) 556 continue; 557 558 std::string sbuf; 559 llvm::raw_string_ostream os(sbuf); 560 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 561 562 os << "Control jumps to line " 563 << End.asLocation().getExpansionLineNumber(); 564 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 565 os.str())); 566 break; 567 } 568 569 case Stmt::SwitchStmtClass: { 570 // Figure out what case arm we took. 571 std::string sbuf; 572 llvm::raw_string_ostream os(sbuf); 573 574 if (const Stmt *S = Dst->getLabel()) { 575 PathDiagnosticLocation End(S, SMgr); 576 577 switch (S->getStmtClass()) { 578 default: 579 os << "No cases match in the switch statement. " 580 "Control jumps to line " 581 << End.asLocation().getExpansionLineNumber(); 582 break; 583 case Stmt::DefaultStmtClass: 584 os << "Control jumps to the 'default' case at line " 585 << End.asLocation().getExpansionLineNumber(); 586 break; 587 588 case Stmt::CaseStmtClass: { 589 os << "Control jumps to 'case "; 590 const CaseStmt *Case = cast<CaseStmt>(S); 591 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 592 593 // Determine if it is an enum. 594 bool GetRawInt = true; 595 596 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 597 // FIXME: Maybe this should be an assertion. Are there cases 598 // were it is not an EnumConstantDecl? 599 const EnumConstantDecl *D = 600 dyn_cast<EnumConstantDecl>(DR->getDecl()); 601 602 if (D) { 603 GetRawInt = false; 604 os << D; 605 } 606 } 607 608 if (GetRawInt) 609 os << LHS->EvaluateAsInt(PDB.getASTContext()); 610 611 os << ":' at line " 612 << End.asLocation().getExpansionLineNumber(); 613 break; 614 } 615 } 616 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 617 os.str())); 618 } 619 else { 620 os << "'Default' branch taken. "; 621 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 622 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 623 os.str())); 624 } 625 626 break; 627 } 628 629 case Stmt::BreakStmtClass: 630 case Stmt::ContinueStmtClass: { 631 std::string sbuf; 632 llvm::raw_string_ostream os(sbuf); 633 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 634 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 635 os.str())); 636 break; 637 } 638 639 // Determine control-flow for ternary '?'. 640 case Stmt::BinaryConditionalOperatorClass: 641 case Stmt::ConditionalOperatorClass: { 642 std::string sbuf; 643 llvm::raw_string_ostream os(sbuf); 644 os << "'?' condition is "; 645 646 if (*(Src->succ_begin()+1) == Dst) 647 os << "false"; 648 else 649 os << "true"; 650 651 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 652 653 if (const Stmt *S = End.asStmt()) 654 End = PDB.getEnclosingStmtLocation(S); 655 656 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 657 os.str())); 658 break; 659 } 660 661 // Determine control-flow for short-circuited '&&' and '||'. 662 case Stmt::BinaryOperatorClass: { 663 if (!PDB.supportsLogicalOpControlFlow()) 664 break; 665 666 const BinaryOperator *B = cast<BinaryOperator>(T); 667 std::string sbuf; 668 llvm::raw_string_ostream os(sbuf); 669 os << "Left side of '"; 670 671 if (B->getOpcode() == BO_LAnd) { 672 os << "&&" << "' is "; 673 674 if (*(Src->succ_begin()+1) == Dst) { 675 os << "false"; 676 PathDiagnosticLocation End(B->getLHS(), SMgr); 677 PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr); 678 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 679 os.str())); 680 } 681 else { 682 os << "true"; 683 PathDiagnosticLocation Start(B->getLHS(), SMgr); 684 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 685 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 686 os.str())); 687 } 688 } 689 else { 690 assert(B->getOpcode() == BO_LOr); 691 os << "||" << "' is "; 692 693 if (*(Src->succ_begin()+1) == Dst) { 694 os << "false"; 695 PathDiagnosticLocation Start(B->getLHS(), SMgr); 696 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 697 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 698 os.str())); 699 } 700 else { 701 os << "true"; 702 PathDiagnosticLocation End(B->getLHS(), SMgr); 703 PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr); 704 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 705 os.str())); 706 } 707 } 708 709 break; 710 } 711 712 case Stmt::DoStmtClass: { 713 if (*(Src->succ_begin()) == Dst) { 714 std::string sbuf; 715 llvm::raw_string_ostream os(sbuf); 716 717 os << "Loop condition is true. "; 718 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 719 720 if (const Stmt *S = End.asStmt()) 721 End = PDB.getEnclosingStmtLocation(S); 722 723 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 724 os.str())); 725 } 726 else { 727 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 728 729 if (const Stmt *S = End.asStmt()) 730 End = PDB.getEnclosingStmtLocation(S); 731 732 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 733 "Loop condition is false. Exiting loop")); 734 } 735 736 break; 737 } 738 739 case Stmt::WhileStmtClass: 740 case Stmt::ForStmtClass: { 741 if (*(Src->succ_begin()+1) == Dst) { 742 std::string sbuf; 743 llvm::raw_string_ostream os(sbuf); 744 745 os << "Loop condition is false. "; 746 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 747 if (const Stmt *S = End.asStmt()) 748 End = PDB.getEnclosingStmtLocation(S); 749 750 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 751 os.str())); 752 } 753 else { 754 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 755 if (const Stmt *S = End.asStmt()) 756 End = PDB.getEnclosingStmtLocation(S); 757 758 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 759 "Loop condition is true. Entering loop body")); 760 } 761 762 break; 763 } 764 765 case Stmt::IfStmtClass: { 766 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 767 768 if (const Stmt *S = End.asStmt()) 769 End = PDB.getEnclosingStmtLocation(S); 770 771 if (*(Src->succ_begin()+1) == Dst) 772 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 773 "Taking false branch")); 774 else 775 PD.push_front(new PathDiagnosticControlFlowPiece(Start, End, 776 "Taking true branch")); 777 778 break; 779 } 780 } 781 } 782 783 if (NextNode) { 784 for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(), 785 E = PDB.visitor_end(); I!=E; ++I) { 786 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB)) 787 PD.push_front(p); 788 } 789 } 790 791 if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) { 792 // Scan the region bindings, and see if a "notable" symbol has a new 793 // lval binding. 794 ScanNotableSymbols SNS(N, PS->getStmt(), PDB.getBugReporter(), PD); 795 PDB.getStateManager().iterBindings(N->getState(), SNS); 796 } 797 } 798 799 // After constructing the full PathDiagnostic, do a pass over it to compact 800 // PathDiagnosticPieces that occur within a macro. 801 CompactPathDiagnostic(PD, PDB.getSourceManager()); 802} 803 804//===----------------------------------------------------------------------===// 805// "Extensive" PathDiagnostic generation. 806//===----------------------------------------------------------------------===// 807 808static bool IsControlFlowExpr(const Stmt *S) { 809 const Expr *E = dyn_cast<Expr>(S); 810 811 if (!E) 812 return false; 813 814 E = E->IgnoreParenCasts(); 815 816 if (isa<AbstractConditionalOperator>(E)) 817 return true; 818 819 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 820 if (B->isLogicalOp()) 821 return true; 822 823 return false; 824} 825 826namespace { 827class ContextLocation : public PathDiagnosticLocation { 828 bool IsDead; 829public: 830 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 831 : PathDiagnosticLocation(L), IsDead(isdead) {} 832 833 void markDead() { IsDead = true; } 834 bool isDead() const { return IsDead; } 835}; 836 837class EdgeBuilder { 838 std::vector<ContextLocation> CLocs; 839 typedef std::vector<ContextLocation>::iterator iterator; 840 PathDiagnostic &PD; 841 PathDiagnosticBuilder &PDB; 842 PathDiagnosticLocation PrevLoc; 843 844 bool IsConsumedExpr(const PathDiagnosticLocation &L); 845 846 bool containsLocation(const PathDiagnosticLocation &Container, 847 const PathDiagnosticLocation &Containee); 848 849 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 850 851 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 852 bool firstCharOnly = false) { 853 if (const Stmt *S = L.asStmt()) { 854 const Stmt *Original = S; 855 while (1) { 856 // Adjust the location for some expressions that are best referenced 857 // by one of their subexpressions. 858 switch (S->getStmtClass()) { 859 default: 860 break; 861 case Stmt::ParenExprClass: 862 case Stmt::GenericSelectionExprClass: 863 S = cast<Expr>(S)->IgnoreParens(); 864 firstCharOnly = true; 865 continue; 866 case Stmt::BinaryConditionalOperatorClass: 867 case Stmt::ConditionalOperatorClass: 868 S = cast<AbstractConditionalOperator>(S)->getCond(); 869 firstCharOnly = true; 870 continue; 871 case Stmt::ChooseExprClass: 872 S = cast<ChooseExpr>(S)->getCond(); 873 firstCharOnly = true; 874 continue; 875 case Stmt::BinaryOperatorClass: 876 S = cast<BinaryOperator>(S)->getLHS(); 877 firstCharOnly = true; 878 continue; 879 } 880 881 break; 882 } 883 884 if (S != Original) 885 L = PathDiagnosticLocation(S, L.getManager()); 886 } 887 888 if (firstCharOnly) 889 L = PathDiagnosticLocation(L.asLocation()); 890 891 return L; 892 } 893 894 void popLocation() { 895 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 896 // For contexts, we only one the first character as the range. 897 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 898 } 899 CLocs.pop_back(); 900 } 901 902public: 903 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 904 : PD(pd), PDB(pdb) { 905 906 // If the PathDiagnostic already has pieces, add the enclosing statement 907 // of the first piece as a context as well. 908 if (!PD.empty()) { 909 PrevLoc = PD.begin()->getLocation(); 910 911 if (const Stmt *S = PrevLoc.asStmt()) 912 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 913 } 914 } 915 916 ~EdgeBuilder() { 917 while (!CLocs.empty()) popLocation(); 918 919 // Finally, add an initial edge from the start location of the first 920 // statement (if it doesn't already exist). 921 // FIXME: Should handle CXXTryStmt if analyser starts supporting C++. 922 if (const CompoundStmt *CS = 923 dyn_cast_or_null<CompoundStmt>(PDB.getCodeDecl().getBody())) 924 if (!CS->body_empty()) { 925 SourceLocation Loc = (*CS->body_begin())->getLocStart(); 926 rawAddEdge(PathDiagnosticLocation(Loc, PDB.getSourceManager())); 927 } 928 929 } 930 931 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 932 933 void rawAddEdge(PathDiagnosticLocation NewLoc); 934 935 void addContext(const Stmt *S); 936 void addExtendedContext(const Stmt *S); 937}; 938} // end anonymous namespace 939 940 941PathDiagnosticLocation 942EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 943 if (const Stmt *S = L.asStmt()) { 944 if (IsControlFlowExpr(S)) 945 return L; 946 947 return PDB.getEnclosingStmtLocation(S); 948 } 949 950 return L; 951} 952 953bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 954 const PathDiagnosticLocation &Containee) { 955 956 if (Container == Containee) 957 return true; 958 959 if (Container.asDecl()) 960 return true; 961 962 if (const Stmt *S = Containee.asStmt()) 963 if (const Stmt *ContainerS = Container.asStmt()) { 964 while (S) { 965 if (S == ContainerS) 966 return true; 967 S = PDB.getParent(S); 968 } 969 return false; 970 } 971 972 // Less accurate: compare using source ranges. 973 SourceRange ContainerR = Container.asRange(); 974 SourceRange ContaineeR = Containee.asRange(); 975 976 SourceManager &SM = PDB.getSourceManager(); 977 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 978 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 979 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 980 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 981 982 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 983 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 984 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 985 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 986 987 assert(ContainerBegLine <= ContainerEndLine); 988 assert(ContaineeBegLine <= ContaineeEndLine); 989 990 return (ContainerBegLine <= ContaineeBegLine && 991 ContainerEndLine >= ContaineeEndLine && 992 (ContainerBegLine != ContaineeBegLine || 993 SM.getExpansionColumnNumber(ContainerRBeg) <= 994 SM.getExpansionColumnNumber(ContaineeRBeg)) && 995 (ContainerEndLine != ContaineeEndLine || 996 SM.getExpansionColumnNumber(ContainerREnd) >= 997 SM.getExpansionColumnNumber(ContainerREnd))); 998} 999 1000void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 1001 if (!PrevLoc.isValid()) { 1002 PrevLoc = NewLoc; 1003 return; 1004 } 1005 1006 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 1007 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 1008 1009 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1010 return; 1011 1012 // FIXME: Ignore intra-macro edges for now. 1013 if (NewLocClean.asLocation().getExpansionLoc() == 1014 PrevLocClean.asLocation().getExpansionLoc()) 1015 return; 1016 1017 PD.push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 1018 PrevLoc = NewLoc; 1019} 1020 1021void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 1022 1023 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1024 return; 1025 1026 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1027 1028 while (!CLocs.empty()) { 1029 ContextLocation &TopContextLoc = CLocs.back(); 1030 1031 // Is the top location context the same as the one for the new location? 1032 if (TopContextLoc == CLoc) { 1033 if (alwaysAdd) { 1034 if (IsConsumedExpr(TopContextLoc) && 1035 !IsControlFlowExpr(TopContextLoc.asStmt())) 1036 TopContextLoc.markDead(); 1037 1038 rawAddEdge(NewLoc); 1039 } 1040 1041 return; 1042 } 1043 1044 if (containsLocation(TopContextLoc, CLoc)) { 1045 if (alwaysAdd) { 1046 rawAddEdge(NewLoc); 1047 1048 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 1049 CLocs.push_back(ContextLocation(CLoc, true)); 1050 return; 1051 } 1052 } 1053 1054 CLocs.push_back(CLoc); 1055 return; 1056 } 1057 1058 // Context does not contain the location. Flush it. 1059 popLocation(); 1060 } 1061 1062 // If we reach here, there is no enclosing context. Just add the edge. 1063 rawAddEdge(NewLoc); 1064} 1065 1066bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1067 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 1068 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1069 1070 return false; 1071} 1072 1073void EdgeBuilder::addExtendedContext(const Stmt *S) { 1074 if (!S) 1075 return; 1076 1077 const Stmt *Parent = PDB.getParent(S); 1078 while (Parent) { 1079 if (isa<CompoundStmt>(Parent)) 1080 Parent = PDB.getParent(Parent); 1081 else 1082 break; 1083 } 1084 1085 if (Parent) { 1086 switch (Parent->getStmtClass()) { 1087 case Stmt::DoStmtClass: 1088 case Stmt::ObjCAtSynchronizedStmtClass: 1089 addContext(Parent); 1090 default: 1091 break; 1092 } 1093 } 1094 1095 addContext(S); 1096} 1097 1098void EdgeBuilder::addContext(const Stmt *S) { 1099 if (!S) 1100 return; 1101 1102 PathDiagnosticLocation L(S, PDB.getSourceManager()); 1103 1104 while (!CLocs.empty()) { 1105 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1106 1107 // Is the top location context the same as the one for the new location? 1108 if (TopContextLoc == L) 1109 return; 1110 1111 if (containsLocation(TopContextLoc, L)) { 1112 CLocs.push_back(L); 1113 return; 1114 } 1115 1116 // Context does not contain the location. Flush it. 1117 popLocation(); 1118 } 1119 1120 CLocs.push_back(L); 1121} 1122 1123static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1124 PathDiagnosticBuilder &PDB, 1125 const ExplodedNode *N) { 1126 EdgeBuilder EB(PD, PDB); 1127 1128 const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 1129 while (NextNode) { 1130 N = NextNode; 1131 NextNode = GetPredecessorNode(N); 1132 ProgramPoint P = N->getLocation(); 1133 1134 do { 1135 // Block edges. 1136 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 1137 const CFGBlock &Blk = *BE->getSrc(); 1138 const Stmt *Term = Blk.getTerminator(); 1139 1140 // Are we jumping to the head of a loop? Add a special diagnostic. 1141 if (const Stmt *Loop = BE->getDst()->getLoopTarget()) { 1142 PathDiagnosticLocation L(Loop, PDB.getSourceManager()); 1143 const CompoundStmt *CS = NULL; 1144 1145 if (!Term) { 1146 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1147 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1148 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1149 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1150 } 1151 1152 PathDiagnosticEventPiece *p = 1153 new PathDiagnosticEventPiece(L, 1154 "Looping back to the head of the loop"); 1155 1156 EB.addEdge(p->getLocation(), true); 1157 PD.push_front(p); 1158 1159 if (CS) { 1160 PathDiagnosticLocation BL(CS->getRBracLoc(), 1161 PDB.getSourceManager()); 1162 BL = PathDiagnosticLocation(BL.asLocation()); 1163 EB.addEdge(BL); 1164 } 1165 } 1166 1167 if (Term) 1168 EB.addContext(Term); 1169 1170 break; 1171 } 1172 1173 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 1174 if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) { 1175 const Stmt *stmt = S->getStmt(); 1176 if (IsControlFlowExpr(stmt)) { 1177 // Add the proper context for '&&', '||', and '?'. 1178 EB.addContext(stmt); 1179 } 1180 else 1181 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 1182 } 1183 1184 break; 1185 } 1186 } while (0); 1187 1188 if (!NextNode) 1189 continue; 1190 1191 for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(), 1192 E = PDB.visitor_end(); I!=E; ++I) { 1193 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB)) { 1194 const PathDiagnosticLocation &Loc = p->getLocation(); 1195 EB.addEdge(Loc, true); 1196 PD.push_front(p); 1197 if (const Stmt *S = Loc.asStmt()) 1198 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1199 } 1200 } 1201 } 1202} 1203 1204//===----------------------------------------------------------------------===// 1205// Methods for BugType and subclasses. 1206//===----------------------------------------------------------------------===// 1207BugType::~BugType() { } 1208 1209void BugType::FlushReports(BugReporter &BR) {} 1210 1211//===----------------------------------------------------------------------===// 1212// Methods for BugReport and subclasses. 1213//===----------------------------------------------------------------------===// 1214BugReport::~BugReport() {} 1215RangedBugReport::~RangedBugReport() {} 1216 1217const Stmt *BugReport::getStmt() const { 1218 ProgramPoint ProgP = ErrorNode->getLocation(); 1219 const Stmt *S = NULL; 1220 1221 if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) { 1222 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 1223 if (BE->getBlock() == &Exit) 1224 S = GetPreviousStmt(ErrorNode); 1225 } 1226 if (!S) 1227 S = GetStmt(ProgP); 1228 1229 return S; 1230} 1231 1232PathDiagnosticPiece* 1233BugReport::getEndPath(BugReporterContext &BRC, 1234 const ExplodedNode *EndPathNode) { 1235 1236 const ProgramPoint &PP = EndPathNode->getLocation(); 1237 PathDiagnosticLocation L; 1238 1239 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&PP)) { 1240 const CFGBlock *block = BE->getBlock(); 1241 if (block->getBlockID() == 0) { 1242 L = PathDiagnosticLocation( 1243 EndPathNode->getLocationContext()->getDecl()->getBodyRBrace(), 1244 BRC.getSourceManager()); 1245 } 1246 } 1247 1248 if (!L.isValid()) { 1249 const Stmt *S = getStmt(); 1250 1251 if (!S) 1252 return NULL; 1253 1254 L = PathDiagnosticLocation(S, BRC.getSourceManager()); 1255 } 1256 1257 BugReport::ranges_iterator Beg, End; 1258 llvm::tie(Beg, End) = getRanges(); 1259 1260 // Only add the statement itself as a range if we didn't specify any 1261 // special ranges for this report. 1262 PathDiagnosticPiece *P = new PathDiagnosticEventPiece(L, getDescription(), 1263 Beg == End); 1264 1265 for (; Beg != End; ++Beg) 1266 P->addRange(*Beg); 1267 1268 return P; 1269} 1270 1271std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 1272BugReport::getRanges() const { 1273 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) { 1274 R = E->getSourceRange(); 1275 assert(R.isValid()); 1276 return std::make_pair(&R, &R+1); 1277 } 1278 else 1279 return std::make_pair(ranges_iterator(), ranges_iterator()); 1280} 1281 1282SourceLocation BugReport::getLocation() const { 1283 if (ErrorNode) 1284 if (const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode)) { 1285 // For member expressions, return the location of the '.' or '->'. 1286 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 1287 return ME->getMemberLoc(); 1288 // For binary operators, return the location of the operator. 1289 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 1290 return B->getOperatorLoc(); 1291 1292 return S->getLocStart(); 1293 } 1294 1295 return FullSourceLoc(); 1296} 1297 1298PathDiagnosticPiece *BugReport::VisitNode(const ExplodedNode *N, 1299 const ExplodedNode *PrevN, 1300 BugReporterContext &BRC) { 1301 return NULL; 1302} 1303 1304//===----------------------------------------------------------------------===// 1305// Methods for BugReporter and subclasses. 1306//===----------------------------------------------------------------------===// 1307 1308BugReportEquivClass::~BugReportEquivClass() { 1309 for (iterator I=begin(), E=end(); I!=E; ++I) delete *I; 1310} 1311 1312GRBugReporter::~GRBugReporter() { } 1313BugReporterData::~BugReporterData() {} 1314 1315ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 1316 1317GRStateManager& 1318GRBugReporter::getStateManager() { return Eng.getStateManager(); } 1319 1320BugReporter::~BugReporter() { FlushReports(); } 1321 1322void BugReporter::FlushReports() { 1323 if (BugTypes.isEmpty()) 1324 return; 1325 1326 // First flush the warnings for each BugType. This may end up creating new 1327 // warnings and new BugTypes. 1328 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 1329 // Turn NSErrorChecker into a proper checker and remove this. 1330 SmallVector<const BugType*, 16> bugTypes; 1331 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 1332 bugTypes.push_back(*I); 1333 for (SmallVector<const BugType*, 16>::iterator 1334 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 1335 const_cast<BugType*>(*I)->FlushReports(*this); 1336 1337 typedef llvm::FoldingSet<BugReportEquivClass> SetTy; 1338 for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){ 1339 BugReportEquivClass& EQ = *EI; 1340 FlushReport(EQ); 1341 } 1342 1343 // BugReporter owns and deletes only BugTypes created implicitly through 1344 // EmitBasicReport. 1345 // FIXME: There are leaks from checkers that assume that the BugTypes they 1346 // create will be destroyed by the BugReporter. 1347 for (llvm::StringMap<BugType*>::iterator 1348 I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I) 1349 delete I->second; 1350 1351 // Remove all references to the BugType objects. 1352 BugTypes = F.getEmptySet(); 1353} 1354 1355//===----------------------------------------------------------------------===// 1356// PathDiagnostics generation. 1357//===----------------------------------------------------------------------===// 1358 1359static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1360 std::pair<ExplodedNode*, unsigned> > 1361MakeReportGraph(const ExplodedGraph* G, 1362 SmallVectorImpl<const ExplodedNode*> &nodes) { 1363 1364 // Create the trimmed graph. It will contain the shortest paths from the 1365 // error nodes to the root. In the new graph we should only have one 1366 // error node unless there are two or more error nodes with the same minimum 1367 // path length. 1368 ExplodedGraph* GTrim; 1369 InterExplodedGraphMap* NMap; 1370 1371 llvm::DenseMap<const void*, const void*> InverseMap; 1372 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 1373 &InverseMap); 1374 1375 // Create owning pointers for GTrim and NMap just to ensure that they are 1376 // released when this function exists. 1377 llvm::OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 1378 llvm::OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 1379 1380 // Find the (first) error node in the trimmed graph. We just need to consult 1381 // the node map (NMap) which maps from nodes in the original graph to nodes 1382 // in the new graph. 1383 1384 std::queue<const ExplodedNode*> WS; 1385 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 1386 IndexMapTy IndexMap; 1387 1388 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 1389 const ExplodedNode *originalNode = nodes[nodeIndex]; 1390 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 1391 WS.push(N); 1392 IndexMap[originalNode] = nodeIndex; 1393 } 1394 } 1395 1396 assert(!WS.empty() && "No error node found in the trimmed graph."); 1397 1398 // Create a new (third!) graph with a single path. This is the graph 1399 // that will be returned to the caller. 1400 ExplodedGraph *GNew = new ExplodedGraph(); 1401 1402 // Sometimes the trimmed graph can contain a cycle. Perform a reverse BFS 1403 // to the root node, and then construct a new graph that contains only 1404 // a single path. 1405 llvm::DenseMap<const void*,unsigned> Visited; 1406 1407 unsigned cnt = 0; 1408 const ExplodedNode *Root = 0; 1409 1410 while (!WS.empty()) { 1411 const ExplodedNode *Node = WS.front(); 1412 WS.pop(); 1413 1414 if (Visited.find(Node) != Visited.end()) 1415 continue; 1416 1417 Visited[Node] = cnt++; 1418 1419 if (Node->pred_empty()) { 1420 Root = Node; 1421 break; 1422 } 1423 1424 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 1425 E=Node->pred_end(); I!=E; ++I) 1426 WS.push(*I); 1427 } 1428 1429 assert(Root); 1430 1431 // Now walk from the root down the BFS path, always taking the successor 1432 // with the lowest number. 1433 ExplodedNode *Last = 0, *First = 0; 1434 NodeBackMap *BM = new NodeBackMap(); 1435 unsigned NodeIndex = 0; 1436 1437 for ( const ExplodedNode *N = Root ;;) { 1438 // Lookup the number associated with the current node. 1439 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 1440 assert(I != Visited.end()); 1441 1442 // Create the equivalent node in the new graph with the same state 1443 // and location. 1444 ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState()); 1445 1446 // Store the mapping to the original node. 1447 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 1448 assert(IMitr != InverseMap.end() && "No mapping to original node."); 1449 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 1450 1451 // Link up the new node with the previous node. 1452 if (Last) 1453 NewN->addPredecessor(Last, *GNew); 1454 1455 Last = NewN; 1456 1457 // Are we at the final node? 1458 IndexMapTy::iterator IMI = 1459 IndexMap.find((const ExplodedNode*)(IMitr->second)); 1460 if (IMI != IndexMap.end()) { 1461 First = NewN; 1462 NodeIndex = IMI->second; 1463 break; 1464 } 1465 1466 // Find the next successor node. We choose the node that is marked 1467 // with the lowest DFS number. 1468 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 1469 ExplodedNode::const_succ_iterator SE = N->succ_end(); 1470 N = 0; 1471 1472 for (unsigned MinVal = 0; SI != SE; ++SI) { 1473 1474 I = Visited.find(*SI); 1475 1476 if (I == Visited.end()) 1477 continue; 1478 1479 if (!N || I->second < MinVal) { 1480 N = *SI; 1481 MinVal = I->second; 1482 } 1483 } 1484 1485 assert(N); 1486 } 1487 1488 assert(First); 1489 1490 return std::make_pair(std::make_pair(GNew, BM), 1491 std::make_pair(First, NodeIndex)); 1492} 1493 1494/// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 1495/// and collapses PathDiagosticPieces that are expanded by macros. 1496static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM) { 1497 typedef std::vector<std::pair<PathDiagnosticMacroPiece*, SourceLocation> > 1498 MacroStackTy; 1499 1500 typedef std::vector<PathDiagnosticPiece*> 1501 PiecesTy; 1502 1503 MacroStackTy MacroStack; 1504 PiecesTy Pieces; 1505 1506 for (PathDiagnostic::iterator I = PD.begin(), E = PD.end(); I!=E; ++I) { 1507 // Get the location of the PathDiagnosticPiece. 1508 const FullSourceLoc Loc = I->getLocation().asLocation(); 1509 1510 // Determine the instantiation location, which is the location we group 1511 // related PathDiagnosticPieces. 1512 SourceLocation InstantiationLoc = Loc.isMacroID() ? 1513 SM.getExpansionLoc(Loc) : 1514 SourceLocation(); 1515 1516 if (Loc.isFileID()) { 1517 MacroStack.clear(); 1518 Pieces.push_back(&*I); 1519 continue; 1520 } 1521 1522 assert(Loc.isMacroID()); 1523 1524 // Is the PathDiagnosticPiece within the same macro group? 1525 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 1526 MacroStack.back().first->push_back(&*I); 1527 continue; 1528 } 1529 1530 // We aren't in the same group. Are we descending into a new macro 1531 // or are part of an old one? 1532 PathDiagnosticMacroPiece *MacroGroup = 0; 1533 1534 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 1535 SM.getExpansionLoc(Loc) : 1536 SourceLocation(); 1537 1538 // Walk the entire macro stack. 1539 while (!MacroStack.empty()) { 1540 if (InstantiationLoc == MacroStack.back().second) { 1541 MacroGroup = MacroStack.back().first; 1542 break; 1543 } 1544 1545 if (ParentInstantiationLoc == MacroStack.back().second) { 1546 MacroGroup = MacroStack.back().first; 1547 break; 1548 } 1549 1550 MacroStack.pop_back(); 1551 } 1552 1553 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 1554 // Create a new macro group and add it to the stack. 1555 PathDiagnosticMacroPiece *NewGroup = new PathDiagnosticMacroPiece(Loc); 1556 1557 if (MacroGroup) 1558 MacroGroup->push_back(NewGroup); 1559 else { 1560 assert(InstantiationLoc.isFileID()); 1561 Pieces.push_back(NewGroup); 1562 } 1563 1564 MacroGroup = NewGroup; 1565 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 1566 } 1567 1568 // Finally, add the PathDiagnosticPiece to the group. 1569 MacroGroup->push_back(&*I); 1570 } 1571 1572 // Now take the pieces and construct a new PathDiagnostic. 1573 PD.resetPath(false); 1574 1575 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) { 1576 if (PathDiagnosticMacroPiece *MP=dyn_cast<PathDiagnosticMacroPiece>(*I)) 1577 if (!MP->containsEvent()) { 1578 delete MP; 1579 continue; 1580 } 1581 1582 PD.push_back(*I); 1583 } 1584} 1585 1586void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD, 1587 SmallVectorImpl<BugReport *> &bugReports) { 1588 1589 assert(!bugReports.empty()); 1590 SmallVector<const ExplodedNode *, 10> errorNodes; 1591 for (SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(), 1592 E = bugReports.end(); I != E; ++I) { 1593 errorNodes.push_back((*I)->getErrorNode()); 1594 } 1595 1596 // Construct a new graph that contains only a single path from the error 1597 // node to a root. 1598 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1599 std::pair<ExplodedNode*, unsigned> >& 1600 GPair = MakeReportGraph(&getGraph(), errorNodes); 1601 1602 // Find the BugReport with the original location. 1603 assert(GPair.second.second < bugReports.size()); 1604 BugReport *R = bugReports[GPair.second.second]; 1605 assert(R && "No original report found for sliced graph."); 1606 1607 llvm::OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 1608 llvm::OwningPtr<NodeBackMap> BackMap(GPair.first.second); 1609 const ExplodedNode *N = GPair.second.first; 1610 1611 // Start building the path diagnostic... 1612 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), getPathDiagnosticClient()); 1613 1614 if (PathDiagnosticPiece *Piece = R->getEndPath(PDB, N)) 1615 PD.push_back(Piece); 1616 else 1617 return; 1618 1619 // Register node visitors. 1620 R->registerInitialVisitors(PDB, N); 1621 bugreporter::registerNilReceiverVisitor(PDB); 1622 bugreporter::registerConditionVisitor(PDB); 1623 1624 switch (PDB.getGenerationScheme()) { 1625 case PathDiagnosticClient::Extensive: 1626 GenerateExtensivePathDiagnostic(PD, PDB, N); 1627 break; 1628 case PathDiagnosticClient::Minimal: 1629 GenerateMinimalPathDiagnostic(PD, PDB, N); 1630 break; 1631 } 1632} 1633 1634void BugReporter::Register(BugType *BT) { 1635 BugTypes = F.add(BugTypes, BT); 1636} 1637 1638void BugReporter::EmitReport(BugReport* R) { 1639 // Compute the bug report's hash to determine its equivalence class. 1640 llvm::FoldingSetNodeID ID; 1641 R->Profile(ID); 1642 1643 // Lookup the equivance class. If there isn't one, create it. 1644 BugType& BT = R->getBugType(); 1645 Register(&BT); 1646 void *InsertPos; 1647 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 1648 1649 if (!EQ) { 1650 EQ = new BugReportEquivClass(R); 1651 EQClasses.InsertNode(EQ, InsertPos); 1652 } 1653 else 1654 EQ->AddReport(R); 1655} 1656 1657 1658//===----------------------------------------------------------------------===// 1659// Emitting reports in equivalence classes. 1660//===----------------------------------------------------------------------===// 1661 1662namespace { 1663struct FRIEC_WLItem { 1664 const ExplodedNode *N; 1665 ExplodedNode::const_succ_iterator I, E; 1666 1667 FRIEC_WLItem(const ExplodedNode *n) 1668 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 1669}; 1670} 1671 1672static BugReport * 1673FindReportInEquivalenceClass(BugReportEquivClass& EQ, 1674 SmallVectorImpl<BugReport*> &bugReports) { 1675 1676 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 1677 assert(I != E); 1678 BugReport *R = *I; 1679 BugType& BT = R->getBugType(); 1680 1681 // If we don't need to suppress any of the nodes because they are 1682 // post-dominated by a sink, simply add all the nodes in the equivalence class 1683 // to 'Nodes'. Any of the reports will serve as a "representative" report. 1684 if (!BT.isSuppressOnSink()) { 1685 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 1686 const ExplodedNode *N = I->getErrorNode(); 1687 if (N) { 1688 R = *I; 1689 bugReports.push_back(R); 1690 } 1691 } 1692 return R; 1693 } 1694 1695 // For bug reports that should be suppressed when all paths are post-dominated 1696 // by a sink node, iterate through the reports in the equivalence class 1697 // until we find one that isn't post-dominated (if one exists). We use a 1698 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 1699 // this as a recursive function, but we don't want to risk blowing out the 1700 // stack for very long paths. 1701 BugReport *exampleReport = 0; 1702 1703 for (; I != E; ++I) { 1704 R = *I; 1705 const ExplodedNode *errorNode = R->getErrorNode(); 1706 1707 if (!errorNode) 1708 continue; 1709 if (errorNode->isSink()) { 1710 assert(false && 1711 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 1712 return 0; 1713 } 1714 // No successors? By definition this nodes isn't post-dominated by a sink. 1715 if (errorNode->succ_empty()) { 1716 bugReports.push_back(R); 1717 if (!exampleReport) 1718 exampleReport = R; 1719 continue; 1720 } 1721 1722 // At this point we know that 'N' is not a sink and it has at least one 1723 // successor. Use a DFS worklist to find a non-sink end-of-path node. 1724 typedef FRIEC_WLItem WLItem; 1725 typedef SmallVector<WLItem, 10> DFSWorkList; 1726 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 1727 1728 DFSWorkList WL; 1729 WL.push_back(errorNode); 1730 Visited[errorNode] = 1; 1731 1732 while (!WL.empty()) { 1733 WLItem &WI = WL.back(); 1734 assert(!WI.N->succ_empty()); 1735 1736 for (; WI.I != WI.E; ++WI.I) { 1737 const ExplodedNode *Succ = *WI.I; 1738 // End-of-path node? 1739 if (Succ->succ_empty()) { 1740 // If we found an end-of-path node that is not a sink. 1741 if (!Succ->isSink()) { 1742 bugReports.push_back(R); 1743 if (!exampleReport) 1744 exampleReport = R; 1745 WL.clear(); 1746 break; 1747 } 1748 // Found a sink? Continue on to the next successor. 1749 continue; 1750 } 1751 // Mark the successor as visited. If it hasn't been explored, 1752 // enqueue it to the DFS worklist. 1753 unsigned &mark = Visited[Succ]; 1754 if (!mark) { 1755 mark = 1; 1756 WL.push_back(Succ); 1757 break; 1758 } 1759 } 1760 1761 // The worklist may have been cleared at this point. First 1762 // check if it is empty before checking the last item. 1763 if (!WL.empty() && &WL.back() == &WI) 1764 WL.pop_back(); 1765 } 1766 } 1767 1768 // ExampleReport will be NULL if all the nodes in the equivalence class 1769 // were post-dominated by sinks. 1770 return exampleReport; 1771} 1772 1773//===----------------------------------------------------------------------===// 1774// DiagnosticCache. This is a hack to cache analyzer diagnostics. It 1775// uses global state, which eventually should go elsewhere. 1776//===----------------------------------------------------------------------===// 1777namespace { 1778class DiagCacheItem : public llvm::FoldingSetNode { 1779 llvm::FoldingSetNodeID ID; 1780public: 1781 DiagCacheItem(BugReport *R, PathDiagnostic *PD) { 1782 ID.AddString(R->getBugType().getName()); 1783 ID.AddString(R->getBugType().getCategory()); 1784 ID.AddString(R->getDescription()); 1785 ID.AddInteger(R->getLocation().getRawEncoding()); 1786 PD->Profile(ID); 1787 } 1788 1789 void Profile(llvm::FoldingSetNodeID &id) { 1790 id = ID; 1791 } 1792 1793 llvm::FoldingSetNodeID &getID() { return ID; } 1794}; 1795} 1796 1797static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) { 1798 // FIXME: Eventually this diagnostic cache should reside in something 1799 // like AnalysisManager instead of being a static variable. This is 1800 // really unsafe in the long term. 1801 typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache; 1802 static DiagnosticCache DC; 1803 1804 void *InsertPos; 1805 DiagCacheItem *Item = new DiagCacheItem(R, PD); 1806 1807 if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) { 1808 delete Item; 1809 return true; 1810 } 1811 1812 DC.InsertNode(Item, InsertPos); 1813 return false; 1814} 1815 1816void BugReporter::FlushReport(BugReportEquivClass& EQ) { 1817 SmallVector<BugReport*, 10> bugReports; 1818 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 1819 if (!exampleReport) 1820 return; 1821 1822 PathDiagnosticClient* PD = getPathDiagnosticClient(); 1823 1824 // FIXME: Make sure we use the 'R' for the path that was actually used. 1825 // Probably doesn't make a difference in practice. 1826 BugType& BT = exampleReport->getBugType(); 1827 1828 llvm::OwningPtr<PathDiagnostic> 1829 D(new PathDiagnostic(exampleReport->getBugType().getName(), 1830 !PD || PD->useVerboseDescription() 1831 ? exampleReport->getDescription() 1832 : exampleReport->getShortDescription(), 1833 BT.getCategory())); 1834 1835 if (!bugReports.empty()) 1836 GeneratePathDiagnostic(*D.get(), bugReports); 1837 1838 if (IsCachedDiagnostic(exampleReport, D.get())) 1839 return; 1840 1841 // Get the meta data. 1842 std::pair<const char**, const char**> Meta = 1843 exampleReport->getExtraDescriptiveText(); 1844 for (const char** s = Meta.first; s != Meta.second; ++s) 1845 D->addMeta(*s); 1846 1847 // Emit a summary diagnostic to the regular Diagnostics engine. 1848 BugReport::ranges_iterator Beg, End; 1849 llvm::tie(Beg, End) = exampleReport->getRanges(); 1850 Diagnostic &Diag = getDiagnostic(); 1851 FullSourceLoc L(exampleReport->getLocation(), getSourceManager()); 1852 1853 // Search the description for '%', as that will be interpretted as a 1854 // format character by FormatDiagnostics. 1855 StringRef desc = exampleReport->getShortDescription(); 1856 unsigned ErrorDiag; 1857 { 1858 llvm::SmallString<512> TmpStr; 1859 llvm::raw_svector_ostream Out(TmpStr); 1860 for (StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I) 1861 if (*I == '%') 1862 Out << "%%"; 1863 else 1864 Out << *I; 1865 1866 Out.flush(); 1867 ErrorDiag = Diag.getCustomDiagID(Diagnostic::Warning, TmpStr); 1868 } 1869 1870 { 1871 DiagnosticBuilder diagBuilder = Diag.Report(L, ErrorDiag); 1872 for (BugReport::ranges_iterator I = Beg; I != End; ++I) 1873 diagBuilder << *I; 1874 } 1875 1876 // Emit a full diagnostic for the path if we have a PathDiagnosticClient. 1877 if (!PD) 1878 return; 1879 1880 if (D->empty()) { 1881 PathDiagnosticPiece *piece = 1882 new PathDiagnosticEventPiece(L, exampleReport->getDescription()); 1883 1884 for ( ; Beg != End; ++Beg) piece->addRange(*Beg); 1885 D->push_back(piece); 1886 } 1887 1888 PD->HandlePathDiagnostic(D.take()); 1889} 1890 1891void BugReporter::EmitBasicReport(StringRef name, StringRef str, 1892 SourceLocation Loc, 1893 SourceRange* RBeg, unsigned NumRanges) { 1894 EmitBasicReport(name, "", str, Loc, RBeg, NumRanges); 1895} 1896 1897void BugReporter::EmitBasicReport(StringRef name, 1898 StringRef category, 1899 StringRef str, SourceLocation Loc, 1900 SourceRange* RBeg, unsigned NumRanges) { 1901 1902 // 'BT' is owned by BugReporter. 1903 BugType *BT = getBugTypeForName(name, category); 1904 FullSourceLoc L = getContext().getFullLoc(Loc); 1905 RangedBugReport *R = new DiagBugReport(*BT, str, L); 1906 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 1907 EmitReport(R); 1908} 1909 1910BugType *BugReporter::getBugTypeForName(StringRef name, 1911 StringRef category) { 1912 llvm::SmallString<136> fullDesc; 1913 llvm::raw_svector_ostream(fullDesc) << name << ":" << category; 1914 llvm::StringMapEntry<BugType *> & 1915 entry = StrBugTypes.GetOrCreateValue(fullDesc); 1916 BugType *BT = entry.getValue(); 1917 if (!BT) { 1918 BT = new BugType(name, category); 1919 entry.setValue(BT); 1920 } 1921 return BT; 1922} 1923