BugReporter.cpp revision 9b663716449b618ba0390b1dbebc54fa8e971124
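// BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file defines BugReporter, a utility class for generating
// PathDiagnostics.
//
//===----------------------------------------------------------------------===//

#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
#include "clang/AST/ASTContext.h"
#include "clang/Analysis/CFG.h"
#include "clang/AST/Expr.h"
#include "clang/AST/ParentMap.h"
#include "clang/AST/StmtObjC.h"
#include "clang/Basic/SourceManager.h"
#include "clang/Analysis/ProgramPoint.h"
#include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
#include "llvm/Support/raw_ostream.h"
#include "llvm/ADT/DenseMap.h"
#include "llvm/ADT/STLExtras.h"
#include "llvm/ADT/OwningPtr.h"
#include <queue>

using namespace clang;
using namespace ento;

BugReporterVisitor::~BugReporterVisitor() {}

/// Destroys every registered visitor that reports itself as owned by this
/// context; visitors that are not owned are left for their owner to release.
BugReporterContext::~BugReporterContext() {
  for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I)
    if ((*I)->isOwnedByReporterContext()) delete *I;
}

/// Registers \p visitor with this context unless a visitor with the same
/// profile is already registered.
///
/// \param visitor  The visitor to add; a null pointer is ignored.
///
/// A duplicate is discarded. It is deleted only when it reports itself as
/// owned by the context, matching the rule the destructor applies; deleting
/// a visitor the context does not own would free an object that its real
/// owner may still use or free again.
void BugReporterContext::addVisitor(BugReporterVisitor* visitor) {
  if (!visitor)
    return;

  // The profile is the identity used to detect an equivalent visitor.
  llvm::FoldingSetNodeID ID;
  visitor->Profile(ID);
  void *InsertPos;

  if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) {
    // Already registered: drop the duplicate, respecting ownership.
    if (visitor->isOwnedByReporterContext())
      delete visitor;
    return;
  }

  CallbacksSet.InsertNode(visitor, InsertPos);
  Callbacks = F.add(visitor, Callbacks);
}

//===----------------------------------------------------------------------===//
// Helper routines for walking the ExplodedGraph and fetching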
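// statements.
//===----------------------------------------------------------------------===//

/// Returns the statement associated with program point \p P: the statement
/// of a StmtPoint, or the terminator of the source block of a BlockEdge.
/// Returns null for every other kind of program point.
static inline const Stmt* GetStmt(const ProgramPoint &P) {
  if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P))
    return SP->getStmt();
  else if (const BlockEdge* BE = dyn_cast<BlockEdge>(&P))
    return BE->getSrc()->getTerminator();

  return 0;
}

/// Returns the first predecessor of \p N, or null when it has none.
static inline const ExplodedNode*
GetPredecessorNode(const ExplodedNode* N) {
  return N->pred_empty() ? NULL : *(N->pred_begin());
}

/// Returns the first successor of \p N, or null when it has none.
static inline const ExplodedNode*
GetSuccessorNode(const ExplodedNode* N) {
  return N->succ_empty() ? NULL : *(N->succ_begin());
}

/// Walks the first-predecessor chain starting before \p N and returns the
/// first statement found, or null when the chain ends without one.
static const Stmt* GetPreviousStmt(const ExplodedNode* N) {
  for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N))
    if (const Stmt *S = GetStmt(N->getLocation()))
      return S;

  return 0;
}

/// Walks the first-successor chain starting after \p N and returns the first
/// statement that is not a merge point ('?', choose, '&&', '||') and that has
/// a valid start location. Returns null when no such statement is found.
static const Stmt* GetNextStmt(const ExplodedNode* N) {
  for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N))
    if (const Stmt *S = GetStmt(N->getLocation())) {
      // Check if the statement is '?' or '&&'/'||'. These are "merges",
      // not actual statement points.
      switch (S->getStmtClass()) {
        case Stmt::ChooseExprClass:
        case Stmt::ConditionalOperatorClass: continue;
        case Stmt::BinaryOperatorClass: {
          BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode();
          if (Op == BO_LAnd || Op == BO_LOr)
            continue;
          break;
        }
        default:
          break;
      }

      // Some expressions don't have locations.
      if (S->getLocStart().isInvalid())
        continue;

      return S;
    }

  return 0;
}

/// Returns the statement at \p N if it has one, else the previous statement.
static inline const Stmt*
GetCurrentOrPreviousStmt(const ExplodedNode* N) {
  if (const Stmt *S = GetStmt(N->getLocation()))
    return S;

  return GetPreviousStmt(N);
}

/// Returns the statement at \p N if it has one, else the next statement.
static inline const Stmt*
GetCurrentOrNextStmt(const ExplodedNode* N) {
  if (const Stmt *S = GetStmt(N->getLocation()))
    return S;

  return GetNextStmt(N);
}

//===----------------------------------------------------------------------===//
// PathDiagnosticBuilder and its associated routines and helper objects.
//===----------------------------------------------------------------------===//

typedef llvm::DenseMap<const ExplodedNode*,
const ExplodedNode*> NodeBackMap;

namespace {
/// Resolves a node through a NodeBackMap supplied by the caller.
class NodeMapClosure : public BugReport::NodeResolver {
  NodeBackMap& M;
public:
  // The map is held by reference, so \p m must be non-null and must outlive
  // this object.
  NodeMapClosure(NodeBackMap *m) : M(*m) {}
  ~NodeMapClosure() {}

  /// Returns the node that \p N maps to, or null when \p N is not in the map.
  const ExplodedNode* getOriginalNode(const ExplodedNode* N) {
    NodeBackMap::iterator I = M.find(N);
    return I == M.end() ? 0 : I->second;
  }
};

/// Reporter context used while one BugReport is turned into a PathDiagnostic.
/// The report itself is registered as a visitor on construction.
class PathDiagnosticBuilder : public BugReporterContext {
  BugReport *R;
  PathDiagnosticClient *PDC;   // May be null; see the accessors below.
  // NOTE(review): PM is never assigned or read in the visible code; the
  // parent map actually used comes from the report's error node.
  llvm::OwningPtr<ParentMap> PM;
  NodeMapClosure NMC;
public:
  PathDiagnosticBuilder(GRBugReporter &br,
                        BugReport *r, NodeBackMap *Backmap,
                        PathDiagnosticClient *pdc)
    : BugReporterContext(br),
      R(r), PDC(pdc), NMC(Backmap) {
    addVisitor(R);
  }

  PathDiagnosticLocation ExecutionContinues(const ExplodedNode* N);

  PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream& os,
                                            const ExplodedNode* N);

  Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); }

  ParentMap& getParentMap() { return R->getErrorNode()->getParentMap(); }

  const Stmt *getParent(const Stmt *S) {
    return getParentMap().getParent(S);
  }

  virtual NodeMapClosure& getNodeResolver() { return NMC; }

  PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S);

  /// Generation scheme of the client, or Extensive when there is no client.
  PathDiagnosticClient::PathGenerationScheme getGenerationScheme() const {
    return PDC ? PDC->getGenerationScheme() : PathDiagnosticClient::Extensive;
  }

  /// Whether the client supports '&&'/'||' control flow; true with no client.
  bool supportsLogicalOpControlFlow() const {
    return PDC ? PDC->supportsLogicalOpControlFlow() : true;
  }
};
} // end anonymous namespace

/// Returns the location where execution continues after \p N: the next
/// statement if GetNextStmt finds one, otherwise the closing brace of the
/// body of the declaration that \p N belongs to.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode* N) {
  if (const Stmt *S = GetNextStmt(N))
    return PathDiagnosticLocation(S, getSourceManager());

  return FullSourceLoc(N->getLocationContext()->getDecl()->getBodyRBrace(),
                       getSourceManager());
}

/// Same as ExecutionContinues(N), and additionally appends a sentence to
/// \p os describing where execution continues.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream& os,
                                          const ExplodedNode* N) {

  // Slow, but probably doesn't matter.
  // NOTE(review): a space is written when the stream is still empty, so a
  // message from a caller that wrote nothing first starts with a blank;
  // confirm this is intended and not an inverted check.
  if (os.str().empty())
    os << ' ';

  const PathDiagnosticLocation &Loc = ExecutionContinues(N);

  if (Loc.asStmt())
    os << "Execution continues on line "
       << getSourceManager().getInstantiationLineNumber(Loc.asLocation())
       << '.';
  else {
    os << "Execution jumps to the end of the ";
    const Decl *D = N->getLocationContext()->getDecl();
    if (isa<ObjCMethodDecl>(D))
      os << "method";
    else if (isa<FunctionDecl>(D))
      os << "function";
    else {
      assert(isa<BlockDecl>(D));
      os << "anonymous block";
    }
    os << '.';
  }

  return Loc;
}

/// Returns true when \p S is a consumed expression according to \p PM, or
/// when its parent (ignoring parentheses) is a for, do or while statement.
static bool IsNested(const Stmt *S, ParentMap &PM) {
  if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S)))
    return true;

  const Stmt *Parent = PM.getParentIgnoreParens(S);

  if (Parent)
    switch (Parent->getStmtClass()) {
      case Stmt::ForStmtClass:
      case Stmt::DoStmtClass:
      case Stmt::WhileStmtClass:
        return true;
      default:
        break;
    }

  return false;
}

/// Climbs from \p S through its parents while IsNested holds and returns the
/// location of the statement that should serve as the enclosing context.
///
/// \param S  Must be non-null (checked by assertion only).
PathDiagnosticLocation
PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) {
  assert(S && "Null Stmt* passed to getEnclosingStmtLocation");
  ParentMap &P = getParentMap();
  SourceManager &SMgr = getSourceManager();

  while (IsNested(S, P)) {
    const Stmt *Parent = P.getParentIgnoreParens(S);

    if (!Parent)
      break;

    switch (Parent->getStmtClass()) {
      case Stmt::BinaryOperatorClass: {
        const BinaryOperator *B = cast<BinaryOperator>(Parent);
        if (B->isLogicalOp())
          return PathDiagnosticLocation(S, SMgr);
        break;
      }
      case Stmt::CompoundStmtClass:
      case Stmt::StmtExprClass:
        return PathDiagnosticLocation(S, SMgr);
      case Stmt::ChooseExprClass:
        // Similar to '?' if we are referring to condition, just have the edge
        // point to the entire choose expression.
        if (cast<ChooseExpr>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr);
        else
          return PathDiagnosticLocation(S, SMgr);
      case Stmt::ConditionalOperatorClass:
        // For '?', if we are referring to condition, just have the edge point
        // to the entire '?' expression.
        if (cast<ConditionalOperator>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr);
        else
          return PathDiagnosticLocation(S, SMgr);
      case Stmt::DoStmtClass:
        return PathDiagnosticLocation(S, SMgr);
      case Stmt::ForStmtClass:
        if (cast<ForStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::IfStmtClass:
        if (cast<IfStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::ObjCForCollectionStmtClass:
        if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::WhileStmtClass:
        if (cast<WhileStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      default:
        break;
    }

    S = Parent;
  }

  assert(S && "Cannot have null Stmt for PathDiagnosticLocation");

  // Special case: DeclStmts can appear in for statement declarations, in which
  // case the ForStmt is the context.
  if (isa<DeclStmt>(S)) {
    if (const Stmt *Parent = P.getParent(S)) {
      switch (Parent->getStmtClass()) {
        case Stmt::ForStmtClass:
        case Stmt::ObjCForCollectionStmtClass:
          return PathDiagnosticLocation(Parent, SMgr);
        default:
          break;
      }
    }
  }
  else if (isa<BinaryOperator>(S)) {
    // Special case: the binary operator represents the initialization
    // code in a for statement (this can happen when the variable being
    // initialized is an old variable).
    if (const ForStmt *FS =
          dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) {
      if (FS->getInit() == S)
        return PathDiagnosticLocation(FS, SMgr);
    }
  }

  return PathDiagnosticLocation(S, SMgr);
}

//===----------------------------------------------------------------------===//
// ScanNotableSymbols: closure-like callback for scanning Store bindings.
//===----------------------------------------------------------------------===//

/// Walks back from \p N along first predecessors and returns the variable of
/// the first DeclRefExpr post-statement whose value in that node's state
/// equals \p X. Returns null when none is found. \p VMgr is not used.
static const VarDecl*
GetMostRecentVarDeclBinding(const ExplodedNode* N,
                            GRStateManager& VMgr, SVal X) {

  // Uses the shared predecessor helper, like the other backward walks here.
  for ( ; N ; N = GetPredecessorNode(N)) {

    ProgramPoint P = N->getLocation();

    if (!isa<PostStmt>(P))
      continue;

    const DeclRefExpr* DR = dyn_cast<DeclRefExpr>(cast<PostStmt>(P).getStmt());

    if (!DR)
      continue;

    SVal Y = N->getState()->getSVal(DR);

    if (X != Y)
      continue;

    const VarDecl* VD = dyn_cast<VarDecl>(DR->getDecl());

    if (!VD)
      continue;

    return VD;
  }

  return 0;
}

namespace {
/// Bindings callback that emits a "now aliases" event when a binding to the
/// tracked symbol exists in the current state but differs from the binding in
/// the previous state.
class NotableSymbolHandler
: public StoreManager::BindingsHandler {

  SymbolRef Sym;
  const GRState* PrevSt;
  const Stmt* S;
  GRStateManager& VMgr;
  const ExplodedNode* Pred;
  PathDiagnostic& PD;
  BugReporter& BR;

public:

  NotableSymbolHandler(SymbolRef sym, const GRState* prevst, const Stmt* s,
                       GRStateManager& vmgr, const ExplodedNode* pred,
                       PathDiagnostic& pd, BugReporter& br)
    : Sym(sym), PrevSt(prevst), S(s), VMgr(vmgr), Pred(pred), PD(pd), BR(br) {}

  /// Always returns true; every early return below only skips the event.
  bool HandleBinding(StoreManager& SMgr, Store store, const MemRegion* R,
                     SVal V) {

    SymbolRef ScanSym = V.getAsSymbol();

    if (ScanSym != Sym)
      return true;

    // Check if the previous state has this binding.
    SVal X = PrevSt->getSVal(loc::MemRegionVal(R));

    if (X == V) // Same binding?
      return true;

    // Different binding. Only handle assignments for now. We don't pull
    // this check out of the loop because we will eventually handle other
    // cases.

    VarDecl *VD = 0;

    if (const BinaryOperator* B = dyn_cast<BinaryOperator>(S)) {
      if (!B->isAssignmentOp())
        return true;

      // What variable did we assign to?
      DeclRefExpr* DR = dyn_cast<DeclRefExpr>(B->getLHS()->IgnoreParenCasts());

      if (!DR)
        return true;

      VD = dyn_cast<VarDecl>(DR->getDecl());
    }
    else if (const DeclStmt* DS = dyn_cast<DeclStmt>(S)) {
      // FIXME: Eventually CFGs won't have DeclStmts. Right now we
      // assume that each DeclStmt has a single Decl. This invariant
      // holds by construction in the CFG.
      VD = dyn_cast<VarDecl>(*DS->decl_begin());
    }

    if (!VD)
      return true;

    // What is the most recently referenced variable with this binding?
    const VarDecl* MostRecent = GetMostRecentVarDeclBinding(Pred, VMgr, V);

    if (!MostRecent)
      return true;

    // Create the diagnostic.
    FullSourceLoc L(S->getLocStart(), BR.getSourceManager());

    if (Loc::IsLocType(VD->getType())) {
      std::string msg = "'" + std::string(VD->getNameAsString()) +
      "' now aliases '" + MostRecent->getNameAsString() + "'";

      // The piece is heap-allocated and handed to PD; presumably PD takes
      // ownership of it -- confirm against PathDiagnostic.
      PD.push_front(new PathDiagnosticEventPiece(L, msg));
    }

    return true;
  }
};
}

/// Scans the bindings of \p N's state for ones that map to \p Sym and differ
/// from the previous state. Does nothing when \p N has no predecessor or the
/// predecessor has no state.
static void HandleNotableSymbol(const ExplodedNode* N,
                                const Stmt* S,
                                SymbolRef Sym, BugReporter& BR,
                                PathDiagnostic& PD) {

  const ExplodedNode* Pred = GetPredecessorNode(N);
  const GRState* PrevSt = Pred ? Pred->getState() : 0;

  if (!PrevSt)
    return;

  // Look at the region bindings of the current state that map to the
  // specified symbol. Are any of them not in the previous state?
  GRStateManager& VMgr = cast<GRBugReporter>(BR).getStateManager();
  NotableSymbolHandler H(Sym, PrevSt, S, VMgr, Pred, PD, BR);
  // Reuse the manager fetched above instead of casting and fetching it again.
  VMgr.iterBindings(N->getState(), H);
}

namespace {
/// Bindings callback that runs HandleNotableSymbol once for every distinct
/// notable symbol found among the bindings.
class ScanNotableSymbols
: public StoreManager::BindingsHandler {

  llvm::SmallSet<SymbolRef, 10> AlreadyProcessed;
  const ExplodedNode* N;
  const Stmt* S;
  GRBugReporter& BR;
  PathDiagnostic& PD;

public:
  ScanNotableSymbols(const ExplodedNode* n, const Stmt* s,
                     GRBugReporter& br, PathDiagnostic& pd)
    : N(n), S(s), BR(br), PD(pd) {}

  /// Always returns true.
  bool HandleBinding(StoreManager& SMgr, Store store,
                     const MemRegion* R, SVal V) {

    SymbolRef ScanSym = V.getAsSymbol();

    if (!ScanSym)
      return true;

    if (!BR.isNotable(ScanSym))
      return true;

    if (AlreadyProcessed.count(ScanSym))
      return true;

    AlreadyProcessed.insert(ScanSym);

    HandleNotableSymbol(N, S, ScanSym, BR, PD);
    return true;
  }
};
} // end anonymous namespace

//===----------------------------------------------------------------------===//
// "Minimal" path diagnostic generation algorithm.
//===----------------------------------------------------------------------===//

static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM);

/// Builds the "minimal" path diagnostic by walking back from \p N along first
/// predecessors. For each block edge with a terminator it prepends a
/// control-flow piece describing the branch taken; it then prepends whatever
/// pieces the registered visitors return, and scans post-statement nodes for
/// notable symbols. Pieces are prepended, so the finished diagnostic reads in
/// execution order. A final pass compacts pieces that occur within a macro.
///
/// Every piece is allocated with new and handed to PD.push_front; presumably
/// PD takes ownership -- confirm against PathDiagnostic.
static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD,
                                          PathDiagnosticBuilder &PDB,
                                          const ExplodedNode *N) {

  SourceManager& SMgr = PDB.getSourceManager();
  const ExplodedNode* NextNode = GetPredecessorNode(N);
  while (NextNode) {
    N = NextNode;
    NextNode = GetPredecessorNode(N);

    ProgramPoint P = N->getLocation();

    if (const BlockEdge* BE = dyn_cast<BlockEdge>(&P)) {
      const CFGBlock* Src = BE->getSrc();
      const CFGBlock* Dst = BE->getDst();
      const Stmt* T = Src->getTerminator();

      // NOTE: 'continue' here and in the goto case also skips the visitor
      // and notable-symbol steps for this node.
      if (!T)
        continue;

      FullSourceLoc Start(T->getLocStart(), SMgr);

      switch (T->getStmtClass()) {
        default:
          break;

        case Stmt::GotoStmtClass:
        case Stmt::IndirectGotoStmtClass: {
          const Stmt* S = GetNextStmt(N);

          if (!S)
            continue;

          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S);

          os << "Control jumps to line "
             << End.asLocation().getInstantiationLineNumber();
          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        case Stmt::SwitchStmtClass: {
          // Figure out what case arm we took.
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);

          if (const Stmt* S = Dst->getLabel()) {
            PathDiagnosticLocation End(S, SMgr);

            switch (S->getStmtClass()) {
              default:
                os << "No cases match in the switch statement. "
                      "Control jumps to line "
                   << End.asLocation().getInstantiationLineNumber();
                break;
              case Stmt::DefaultStmtClass:
                os << "Control jumps to the 'default' case at line "
                   << End.asLocation().getInstantiationLineNumber();
                break;

              case Stmt::CaseStmtClass: {
                os << "Control jumps to 'case ";
                const CaseStmt* Case = cast<CaseStmt>(S);
                const Expr* LHS = Case->getLHS()->IgnoreParenCasts();

                // Determine if it is an enum.
                bool GetRawInt = true;

                if (const DeclRefExpr* DR = dyn_cast<DeclRefExpr>(LHS)) {
                  // FIXME: Maybe this should be an assertion. Are there cases
                  // where it is not an EnumConstantDecl?
                  const EnumConstantDecl* D =
                    dyn_cast<EnumConstantDecl>(DR->getDecl());

                  if (D) {
                    GetRawInt = false;
                    os << D;
                  }
                }

                if (GetRawInt)
                  os << LHS->EvaluateAsInt(PDB.getASTContext());

                os << ":' at line "
                   << End.asLocation().getInstantiationLineNumber();
                break;
              }
            }
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            os << "'Default' branch taken. ";
            const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N);
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }

          break;
        }

        case Stmt::BreakStmtClass:
        case Stmt::ContinueStmtClass: {
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        // Determine control-flow for ternary '?'.
        case Stmt::ConditionalOperatorClass: {
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          os << "'?' condition is ";

          // The second successor of the source block is treated as the
          // false branch throughout this function.
          if (*(Src->succ_begin()+1) == Dst)
            os << "false";
          else
            os << "true";

          PathDiagnosticLocation End = PDB.ExecutionContinues(N);

          if (const Stmt *S = End.asStmt())
            End = PDB.getEnclosingStmtLocation(S);

          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        // Determine control-flow for short-circuited '&&' and '||'.
        case Stmt::BinaryOperatorClass: {
          if (!PDB.supportsLogicalOpControlFlow())
            break;

          const BinaryOperator *B = cast<BinaryOperator>(T);
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          os << "Left side of '";

          // The inner Start/End declarations below shadow the outer Start.
          if (B->getOpcode() == BO_LAnd) {
            os << "&&" << "' is ";

            if (*(Src->succ_begin()+1) == Dst) {
              os << "false";
              PathDiagnosticLocation End(B->getLHS(), SMgr);
              PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
            else {
              os << "true";
              PathDiagnosticLocation Start(B->getLHS(), SMgr);
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
          }
          else {
            assert(B->getOpcode() == BO_LOr);
            os << "||" << "' is ";

            if (*(Src->succ_begin()+1) == Dst) {
              os << "false";
              PathDiagnosticLocation Start(B->getLHS(), SMgr);
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
            else {
              os << "true";
              PathDiagnosticLocation End(B->getLHS(), SMgr);
              PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
          }

          break;
        }

        case Stmt::DoStmtClass: {
          if (*(Src->succ_begin()) == Dst) {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            os << "Loop condition is true. ";
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                              "Loop condition is false. Exiting loop"));
          }

          break;
        }

        case Stmt::WhileStmtClass:
        case Stmt::ForStmtClass: {
          if (*(Src->succ_begin()+1) == Dst) {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            os << "Loop condition is false. ";
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);
            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                            "Loop condition is true. Entering loop body"));
          }

          break;
        }

        case Stmt::IfStmtClass: {
          PathDiagnosticLocation End = PDB.ExecutionContinues(N);

          if (const Stmt *S = End.asStmt())
            End = PDB.getEnclosingStmtLocation(S);

          if (*(Src->succ_begin()+1) == Dst)
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                        "Taking false branch"));
          else
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                         "Taking true branch"));

          break;
        }
      }
    }

    if (NextNode) {
      for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(),
           E = PDB.visitor_end(); I!=E; ++I) {
        if (PathDiagnosticPiece* p = (*I)->VisitNode(N, NextNode, PDB))
          PD.push_front(p);
      }
    }

    if (const PostStmt* PS = dyn_cast<PostStmt>(&P)) {
      // Scan the region bindings, and see if a "notable" symbol has a new
      // lval binding.
      ScanNotableSymbols SNS(N, PS->getStmt(), PDB.getBugReporter(), PD);
      PDB.getStateManager().iterBindings(N->getState(), SNS);
    }
  }

  // After constructing the full PathDiagnostic, do a pass over it to compact
  // PathDiagnosticPieces that occur within a macro.
  CompactPathDiagnostic(PD, PDB.getSourceManager());
}

//===----------------------------------------------------------------------===//
// "Extensive" PathDiagnostic generation.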
803//===----------------------------------------------------------------------===// 804 805static bool IsControlFlowExpr(const Stmt *S) { 806 const Expr *E = dyn_cast<Expr>(S); 807 808 if (!E) 809 return false; 810 811 E = E->IgnoreParenCasts(); 812 813 if (isa<ConditionalOperator>(E)) 814 return true; 815 816 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 817 if (B->isLogicalOp()) 818 return true; 819 820 return false; 821} 822 823namespace { 824class ContextLocation : public PathDiagnosticLocation { 825 bool IsDead; 826public: 827 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 828 : PathDiagnosticLocation(L), IsDead(isdead) {} 829 830 void markDead() { IsDead = true; } 831 bool isDead() const { return IsDead; } 832}; 833 834class EdgeBuilder { 835 std::vector<ContextLocation> CLocs; 836 typedef std::vector<ContextLocation>::iterator iterator; 837 PathDiagnostic &PD; 838 PathDiagnosticBuilder &PDB; 839 PathDiagnosticLocation PrevLoc; 840 841 bool IsConsumedExpr(const PathDiagnosticLocation &L); 842 843 bool containsLocation(const PathDiagnosticLocation &Container, 844 const PathDiagnosticLocation &Containee); 845 846 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 847 848 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 849 bool firstCharOnly = false) { 850 if (const Stmt *S = L.asStmt()) { 851 const Stmt *Original = S; 852 while (1) { 853 // Adjust the location for some expressions that are best referenced 854 // by one of their subexpressions. 
855 switch (S->getStmtClass()) { 856 default: 857 break; 858 case Stmt::ParenExprClass: 859 S = cast<ParenExpr>(S)->IgnoreParens(); 860 firstCharOnly = true; 861 continue; 862 case Stmt::ConditionalOperatorClass: 863 S = cast<ConditionalOperator>(S)->getCond(); 864 firstCharOnly = true; 865 continue; 866 case Stmt::ChooseExprClass: 867 S = cast<ChooseExpr>(S)->getCond(); 868 firstCharOnly = true; 869 continue; 870 case Stmt::BinaryOperatorClass: 871 S = cast<BinaryOperator>(S)->getLHS(); 872 firstCharOnly = true; 873 continue; 874 } 875 876 break; 877 } 878 879 if (S != Original) 880 L = PathDiagnosticLocation(S, L.getManager()); 881 } 882 883 if (firstCharOnly) 884 L = PathDiagnosticLocation(L.asLocation()); 885 886 return L; 887 } 888 889 void popLocation() { 890 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 891 // For contexts, we only one the first character as the range. 892 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 893 } 894 CLocs.pop_back(); 895 } 896 897public: 898 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 899 : PD(pd), PDB(pdb) { 900 901 // If the PathDiagnostic already has pieces, add the enclosing statement 902 // of the first piece as a context as well. 903 if (!PD.empty()) { 904 PrevLoc = PD.begin()->getLocation(); 905 906 if (const Stmt *S = PrevLoc.asStmt()) 907 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 908 } 909 } 910 911 ~EdgeBuilder() { 912 while (!CLocs.empty()) popLocation(); 913 914 // Finally, add an initial edge from the start location of the first 915 // statement (if it doesn't already exist). 916 // FIXME: Should handle CXXTryStmt if analyser starts supporting C++. 
917 if (const CompoundStmt *CS = 918 dyn_cast_or_null<CompoundStmt>(PDB.getCodeDecl().getBody())) 919 if (!CS->body_empty()) { 920 SourceLocation Loc = (*CS->body_begin())->getLocStart(); 921 rawAddEdge(PathDiagnosticLocation(Loc, PDB.getSourceManager())); 922 } 923 924 } 925 926 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 927 928 void rawAddEdge(PathDiagnosticLocation NewLoc); 929 930 void addContext(const Stmt *S); 931 void addExtendedContext(const Stmt *S); 932}; 933} // end anonymous namespace 934 935 936PathDiagnosticLocation 937EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 938 if (const Stmt *S = L.asStmt()) { 939 if (IsControlFlowExpr(S)) 940 return L; 941 942 return PDB.getEnclosingStmtLocation(S); 943 } 944 945 return L; 946} 947 948bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 949 const PathDiagnosticLocation &Containee) { 950 951 if (Container == Containee) 952 return true; 953 954 if (Container.asDecl()) 955 return true; 956 957 if (const Stmt *S = Containee.asStmt()) 958 if (const Stmt *ContainerS = Container.asStmt()) { 959 while (S) { 960 if (S == ContainerS) 961 return true; 962 S = PDB.getParent(S); 963 } 964 return false; 965 } 966 967 // Less accurate: compare using source ranges. 
968 SourceRange ContainerR = Container.asRange(); 969 SourceRange ContaineeR = Containee.asRange(); 970 971 SourceManager &SM = PDB.getSourceManager(); 972 SourceLocation ContainerRBeg = SM.getInstantiationLoc(ContainerR.getBegin()); 973 SourceLocation ContainerREnd = SM.getInstantiationLoc(ContainerR.getEnd()); 974 SourceLocation ContaineeRBeg = SM.getInstantiationLoc(ContaineeR.getBegin()); 975 SourceLocation ContaineeREnd = SM.getInstantiationLoc(ContaineeR.getEnd()); 976 977 unsigned ContainerBegLine = SM.getInstantiationLineNumber(ContainerRBeg); 978 unsigned ContainerEndLine = SM.getInstantiationLineNumber(ContainerREnd); 979 unsigned ContaineeBegLine = SM.getInstantiationLineNumber(ContaineeRBeg); 980 unsigned ContaineeEndLine = SM.getInstantiationLineNumber(ContaineeREnd); 981 982 assert(ContainerBegLine <= ContainerEndLine); 983 assert(ContaineeBegLine <= ContaineeEndLine); 984 985 return (ContainerBegLine <= ContaineeBegLine && 986 ContainerEndLine >= ContaineeEndLine && 987 (ContainerBegLine != ContaineeBegLine || 988 SM.getInstantiationColumnNumber(ContainerRBeg) <= 989 SM.getInstantiationColumnNumber(ContaineeRBeg)) && 990 (ContainerEndLine != ContaineeEndLine || 991 SM.getInstantiationColumnNumber(ContainerREnd) >= 992 SM.getInstantiationColumnNumber(ContainerREnd))); 993} 994 995void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 996 if (!PrevLoc.isValid()) { 997 PrevLoc = NewLoc; 998 return; 999 } 1000 1001 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 1002 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 1003 1004 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 1005 return; 1006 1007 // FIXME: Ignore intra-macro edges for now. 
1008 if (NewLocClean.asLocation().getInstantiationLoc() == 1009 PrevLocClean.asLocation().getInstantiationLoc()) 1010 return; 1011 1012 PD.push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 1013 PrevLoc = NewLoc; 1014} 1015 1016void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 1017 1018 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 1019 return; 1020 1021 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 1022 1023 while (!CLocs.empty()) { 1024 ContextLocation &TopContextLoc = CLocs.back(); 1025 1026 // Is the top location context the same as the one for the new location? 1027 if (TopContextLoc == CLoc) { 1028 if (alwaysAdd) { 1029 if (IsConsumedExpr(TopContextLoc) && 1030 !IsControlFlowExpr(TopContextLoc.asStmt())) 1031 TopContextLoc.markDead(); 1032 1033 rawAddEdge(NewLoc); 1034 } 1035 1036 return; 1037 } 1038 1039 if (containsLocation(TopContextLoc, CLoc)) { 1040 if (alwaysAdd) { 1041 rawAddEdge(NewLoc); 1042 1043 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 1044 CLocs.push_back(ContextLocation(CLoc, true)); 1045 return; 1046 } 1047 } 1048 1049 CLocs.push_back(CLoc); 1050 return; 1051 } 1052 1053 // Context does not contain the location. Flush it. 1054 popLocation(); 1055 } 1056 1057 // If we reach here, there is no enclosing context. Just add the edge. 
1058 rawAddEdge(NewLoc); 1059} 1060 1061bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 1062 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 1063 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 1064 1065 return false; 1066} 1067 1068void EdgeBuilder::addExtendedContext(const Stmt *S) { 1069 if (!S) 1070 return; 1071 1072 const Stmt *Parent = PDB.getParent(S); 1073 while (Parent) { 1074 if (isa<CompoundStmt>(Parent)) 1075 Parent = PDB.getParent(Parent); 1076 else 1077 break; 1078 } 1079 1080 if (Parent) { 1081 switch (Parent->getStmtClass()) { 1082 case Stmt::DoStmtClass: 1083 case Stmt::ObjCAtSynchronizedStmtClass: 1084 addContext(Parent); 1085 default: 1086 break; 1087 } 1088 } 1089 1090 addContext(S); 1091} 1092 1093void EdgeBuilder::addContext(const Stmt *S) { 1094 if (!S) 1095 return; 1096 1097 PathDiagnosticLocation L(S, PDB.getSourceManager()); 1098 1099 while (!CLocs.empty()) { 1100 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 1101 1102 // Is the top location context the same as the one for the new location? 1103 if (TopContextLoc == L) 1104 return; 1105 1106 if (containsLocation(TopContextLoc, L)) { 1107 CLocs.push_back(L); 1108 return; 1109 } 1110 1111 // Context does not contain the location. Flush it. 1112 popLocation(); 1113 } 1114 1115 CLocs.push_back(L); 1116} 1117 1118static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 1119 PathDiagnosticBuilder &PDB, 1120 const ExplodedNode *N) { 1121 EdgeBuilder EB(PD, PDB); 1122 1123 const ExplodedNode* NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 1124 while (NextNode) { 1125 N = NextNode; 1126 NextNode = GetPredecessorNode(N); 1127 ProgramPoint P = N->getLocation(); 1128 1129 do { 1130 // Block edges. 1131 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 1132 const CFGBlock &Blk = *BE->getSrc(); 1133 const Stmt *Term = Blk.getTerminator(); 1134 1135 // Are we jumping to the head of a loop? Add a special diagnostic. 
1136 if (const Stmt *Loop = BE->getDst()->getLoopTarget()) { 1137 PathDiagnosticLocation L(Loop, PDB.getSourceManager()); 1138 const CompoundStmt *CS = NULL; 1139 1140 if (!Term) { 1141 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 1142 CS = dyn_cast<CompoundStmt>(FS->getBody()); 1143 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 1144 CS = dyn_cast<CompoundStmt>(WS->getBody()); 1145 } 1146 1147 PathDiagnosticEventPiece *p = 1148 new PathDiagnosticEventPiece(L, 1149 "Looping back to the head of the loop"); 1150 1151 EB.addEdge(p->getLocation(), true); 1152 PD.push_front(p); 1153 1154 if (CS) { 1155 PathDiagnosticLocation BL(CS->getRBracLoc(), 1156 PDB.getSourceManager()); 1157 BL = PathDiagnosticLocation(BL.asLocation()); 1158 EB.addEdge(BL); 1159 } 1160 } 1161 1162 if (Term) 1163 EB.addContext(Term); 1164 1165 break; 1166 } 1167 1168 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 1169 if (CFGStmt S = BE->getFirstElement().getAs<CFGStmt>()) { 1170 if (IsControlFlowExpr(S)) { 1171 // Add the proper context for '&&', '||', and '?'. 1172 EB.addContext(S); 1173 } 1174 else 1175 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1176 } 1177 1178 break; 1179 } 1180 } while (0); 1181 1182 if (!NextNode) 1183 continue; 1184 1185 for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(), 1186 E = PDB.visitor_end(); I!=E; ++I) { 1187 if (PathDiagnosticPiece* p = (*I)->VisitNode(N, NextNode, PDB)) { 1188 const PathDiagnosticLocation &Loc = p->getLocation(); 1189 EB.addEdge(Loc, true); 1190 PD.push_front(p); 1191 if (const Stmt *S = Loc.asStmt()) 1192 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 1193 } 1194 } 1195 } 1196} 1197 1198//===----------------------------------------------------------------------===// 1199// Methods for BugType and subclasses. 1200//===----------------------------------------------------------------------===// 1201BugType::~BugType() { 1202 // Free up the equivalence class objects. 
Observe that we get a pointer to 1203 // the object first before incrementing the iterator, as destroying the 1204 // node before doing so means we will read from freed memory. 1205 for (iterator I = begin(), E = end(); I !=E; ) { 1206 BugReportEquivClass *EQ = &*I; 1207 ++I; 1208 delete EQ; 1209 } 1210} 1211void BugType::FlushReports(BugReporter &BR) {} 1212 1213//===----------------------------------------------------------------------===// 1214// Methods for BugReport and subclasses. 1215//===----------------------------------------------------------------------===// 1216BugReport::~BugReport() {} 1217RangedBugReport::~RangedBugReport() {} 1218 1219const Stmt* BugReport::getStmt() const { 1220 ProgramPoint ProgP = ErrorNode->getLocation(); 1221 const Stmt *S = NULL; 1222 1223 if (BlockEntrance* BE = dyn_cast<BlockEntrance>(&ProgP)) { 1224 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 1225 if (BE->getBlock() == &Exit) 1226 S = GetPreviousStmt(ErrorNode); 1227 } 1228 if (!S) 1229 S = GetStmt(ProgP); 1230 1231 return S; 1232} 1233 1234PathDiagnosticPiece* 1235BugReport::getEndPath(BugReporterContext& BRC, 1236 const ExplodedNode* EndPathNode) { 1237 1238 const Stmt* S = getStmt(); 1239 1240 if (!S) 1241 return NULL; 1242 1243 BugReport::ranges_iterator Beg, End; 1244 llvm::tie(Beg, End) = getRanges(); 1245 PathDiagnosticLocation L(S, BRC.getSourceManager()); 1246 1247 // Only add the statement itself as a range if we didn't specify any 1248 // special ranges for this report. 
1249 PathDiagnosticPiece* P = new PathDiagnosticEventPiece(L, getDescription(), 1250 Beg == End); 1251 1252 for (; Beg != End; ++Beg) 1253 P->addRange(*Beg); 1254 1255 return P; 1256} 1257 1258std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 1259BugReport::getRanges() const { 1260 if (const Expr* E = dyn_cast_or_null<Expr>(getStmt())) { 1261 R = E->getSourceRange(); 1262 assert(R.isValid()); 1263 return std::make_pair(&R, &R+1); 1264 } 1265 else 1266 return std::make_pair(ranges_iterator(), ranges_iterator()); 1267} 1268 1269SourceLocation BugReport::getLocation() const { 1270 if (ErrorNode) 1271 if (const Stmt* S = GetCurrentOrPreviousStmt(ErrorNode)) { 1272 // For member expressions, return the location of the '.' or '->'. 1273 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 1274 return ME->getMemberLoc(); 1275 // For binary operators, return the location of the operator. 1276 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 1277 return B->getOperatorLoc(); 1278 1279 return S->getLocStart(); 1280 } 1281 1282 return FullSourceLoc(); 1283} 1284 1285PathDiagnosticPiece* BugReport::VisitNode(const ExplodedNode* N, 1286 const ExplodedNode* PrevN, 1287 BugReporterContext &BRC) { 1288 return NULL; 1289} 1290 1291//===----------------------------------------------------------------------===// 1292// Methods for BugReporter and subclasses. 
1293//===----------------------------------------------------------------------===// 1294 1295BugReportEquivClass::~BugReportEquivClass() { 1296 for (iterator I=begin(), E=end(); I!=E; ++I) delete *I; 1297} 1298 1299GRBugReporter::~GRBugReporter() { } 1300BugReporterData::~BugReporterData() {} 1301 1302ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 1303 1304GRStateManager& 1305GRBugReporter::getStateManager() { return Eng.getStateManager(); } 1306 1307BugReporter::~BugReporter() { FlushReports(); } 1308 1309void BugReporter::FlushReports() { 1310 if (BugTypes.isEmpty()) 1311 return; 1312 1313 // First flush the warnings for each BugType. This may end up creating new 1314 // warnings and new BugTypes. Because ImmutableSet is a functional data 1315 // structure, we do not need to worry about the iterators being invalidated. 1316 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 1317 const_cast<BugType*>(*I)->FlushReports(*this); 1318 1319 // Iterate through BugTypes a second time. BugTypes may have been updated 1320 // with new BugType objects and new warnings. 1321 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) { 1322 BugType *BT = const_cast<BugType*>(*I); 1323 1324 typedef llvm::FoldingSet<BugReportEquivClass> SetTy; 1325 SetTy& EQClasses = BT->EQClasses; 1326 1327 for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){ 1328 BugReportEquivClass& EQ = *EI; 1329 FlushReport(EQ); 1330 } 1331 1332 // Delete the BugType object. 1333 delete BT; 1334 } 1335 1336 // Remove all references to the BugType objects. 1337 BugTypes = F.getEmptySet(); 1338} 1339 1340//===----------------------------------------------------------------------===// 1341// PathDiagnostics generation. 
1342//===----------------------------------------------------------------------===// 1343 1344static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1345 std::pair<ExplodedNode*, unsigned> > 1346MakeReportGraph(const ExplodedGraph* G, 1347 llvm::SmallVectorImpl<const ExplodedNode*> &nodes) { 1348 1349 // Create the trimmed graph. It will contain the shortest paths from the 1350 // error nodes to the root. In the new graph we should only have one 1351 // error node unless there are two or more error nodes with the same minimum 1352 // path length. 1353 ExplodedGraph* GTrim; 1354 InterExplodedGraphMap* NMap; 1355 1356 llvm::DenseMap<const void*, const void*> InverseMap; 1357 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 1358 &InverseMap); 1359 1360 // Create owning pointers for GTrim and NMap just to ensure that they are 1361 // released when this function exists. 1362 llvm::OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 1363 llvm::OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 1364 1365 // Find the (first) error node in the trimmed graph. We just need to consult 1366 // the node map (NMap) which maps from nodes in the original graph to nodes 1367 // in the new graph. 1368 1369 std::queue<const ExplodedNode*> WS; 1370 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 1371 IndexMapTy IndexMap; 1372 1373 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 1374 const ExplodedNode *originalNode = nodes[nodeIndex]; 1375 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 1376 WS.push(N); 1377 IndexMap[originalNode] = nodeIndex; 1378 } 1379 } 1380 1381 assert(!WS.empty() && "No error node found in the trimmed graph."); 1382 1383 // Create a new (third!) graph with a single path. This is the graph 1384 // that will be returned to the caller. 1385 ExplodedGraph *GNew = new ExplodedGraph(); 1386 1387 // Sometimes the trimmed graph can contain a cycle. 
Perform a reverse BFS 1388 // to the root node, and then construct a new graph that contains only 1389 // a single path. 1390 llvm::DenseMap<const void*,unsigned> Visited; 1391 1392 unsigned cnt = 0; 1393 const ExplodedNode* Root = 0; 1394 1395 while (!WS.empty()) { 1396 const ExplodedNode* Node = WS.front(); 1397 WS.pop(); 1398 1399 if (Visited.find(Node) != Visited.end()) 1400 continue; 1401 1402 Visited[Node] = cnt++; 1403 1404 if (Node->pred_empty()) { 1405 Root = Node; 1406 break; 1407 } 1408 1409 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 1410 E=Node->pred_end(); I!=E; ++I) 1411 WS.push(*I); 1412 } 1413 1414 assert(Root); 1415 1416 // Now walk from the root down the BFS path, always taking the successor 1417 // with the lowest number. 1418 ExplodedNode *Last = 0, *First = 0; 1419 NodeBackMap *BM = new NodeBackMap(); 1420 unsigned NodeIndex = 0; 1421 1422 for ( const ExplodedNode *N = Root ;;) { 1423 // Lookup the number associated with the current node. 1424 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 1425 assert(I != Visited.end()); 1426 1427 // Create the equivalent node in the new graph with the same state 1428 // and location. 1429 ExplodedNode* NewN = GNew->getNode(N->getLocation(), N->getState()); 1430 1431 // Store the mapping to the original node. 1432 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 1433 assert(IMitr != InverseMap.end() && "No mapping to original node."); 1434 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 1435 1436 // Link up the new node with the previous node. 1437 if (Last) 1438 NewN->addPredecessor(Last, *GNew); 1439 1440 Last = NewN; 1441 1442 // Are we at the final node? 1443 IndexMapTy::iterator IMI = 1444 IndexMap.find((const ExplodedNode*)(IMitr->second)); 1445 if (IMI != IndexMap.end()) { 1446 First = NewN; 1447 NodeIndex = IMI->second; 1448 break; 1449 } 1450 1451 // Find the next successor node. 
We choose the node that is marked 1452 // with the lowest DFS number. 1453 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 1454 ExplodedNode::const_succ_iterator SE = N->succ_end(); 1455 N = 0; 1456 1457 for (unsigned MinVal = 0; SI != SE; ++SI) { 1458 1459 I = Visited.find(*SI); 1460 1461 if (I == Visited.end()) 1462 continue; 1463 1464 if (!N || I->second < MinVal) { 1465 N = *SI; 1466 MinVal = I->second; 1467 } 1468 } 1469 1470 assert(N); 1471 } 1472 1473 assert(First); 1474 1475 return std::make_pair(std::make_pair(GNew, BM), 1476 std::make_pair(First, NodeIndex)); 1477} 1478 1479/// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 1480/// and collapses PathDiagosticPieces that are expanded by macros. 1481static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM) { 1482 typedef std::vector<std::pair<PathDiagnosticMacroPiece*, SourceLocation> > 1483 MacroStackTy; 1484 1485 typedef std::vector<PathDiagnosticPiece*> 1486 PiecesTy; 1487 1488 MacroStackTy MacroStack; 1489 PiecesTy Pieces; 1490 1491 for (PathDiagnostic::iterator I = PD.begin(), E = PD.end(); I!=E; ++I) { 1492 // Get the location of the PathDiagnosticPiece. 1493 const FullSourceLoc Loc = I->getLocation().asLocation(); 1494 1495 // Determine the instantiation location, which is the location we group 1496 // related PathDiagnosticPieces. 1497 SourceLocation InstantiationLoc = Loc.isMacroID() ? 1498 SM.getInstantiationLoc(Loc) : 1499 SourceLocation(); 1500 1501 if (Loc.isFileID()) { 1502 MacroStack.clear(); 1503 Pieces.push_back(&*I); 1504 continue; 1505 } 1506 1507 assert(Loc.isMacroID()); 1508 1509 // Is the PathDiagnosticPiece within the same macro group? 1510 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 1511 MacroStack.back().first->push_back(&*I); 1512 continue; 1513 } 1514 1515 // We aren't in the same group. Are we descending into a new macro 1516 // or are part of an old one? 
1517 PathDiagnosticMacroPiece *MacroGroup = 0; 1518 1519 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 1520 SM.getInstantiationLoc(Loc) : 1521 SourceLocation(); 1522 1523 // Walk the entire macro stack. 1524 while (!MacroStack.empty()) { 1525 if (InstantiationLoc == MacroStack.back().second) { 1526 MacroGroup = MacroStack.back().first; 1527 break; 1528 } 1529 1530 if (ParentInstantiationLoc == MacroStack.back().second) { 1531 MacroGroup = MacroStack.back().first; 1532 break; 1533 } 1534 1535 MacroStack.pop_back(); 1536 } 1537 1538 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 1539 // Create a new macro group and add it to the stack. 1540 PathDiagnosticMacroPiece *NewGroup = new PathDiagnosticMacroPiece(Loc); 1541 1542 if (MacroGroup) 1543 MacroGroup->push_back(NewGroup); 1544 else { 1545 assert(InstantiationLoc.isFileID()); 1546 Pieces.push_back(NewGroup); 1547 } 1548 1549 MacroGroup = NewGroup; 1550 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 1551 } 1552 1553 // Finally, add the PathDiagnosticPiece to the group. 1554 MacroGroup->push_back(&*I); 1555 } 1556 1557 // Now take the pieces and construct a new PathDiagnostic. 
1558 PD.resetPath(false); 1559 1560 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) { 1561 if (PathDiagnosticMacroPiece *MP=dyn_cast<PathDiagnosticMacroPiece>(*I)) 1562 if (!MP->containsEvent()) { 1563 delete MP; 1564 continue; 1565 } 1566 1567 PD.push_back(*I); 1568 } 1569} 1570 1571void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD, 1572 llvm::SmallVectorImpl<BugReport *> &bugReports) { 1573 1574 assert(!bugReports.empty()); 1575 llvm::SmallVector<const ExplodedNode *, 10> errorNodes; 1576 for (llvm::SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(), 1577 E = bugReports.end(); I != E; ++I) { 1578 errorNodes.push_back((*I)->getErrorNode()); 1579 } 1580 1581 // Construct a new graph that contains only a single path from the error 1582 // node to a root. 1583 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 1584 std::pair<ExplodedNode*, unsigned> >& 1585 GPair = MakeReportGraph(&getGraph(), errorNodes); 1586 1587 // Find the BugReport with the original location. 1588 assert(GPair.second.second < bugReports.size()); 1589 BugReport *R = bugReports[GPair.second.second]; 1590 assert(R && "No original report found for sliced graph."); 1591 1592 llvm::OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 1593 llvm::OwningPtr<NodeBackMap> BackMap(GPair.first.second); 1594 const ExplodedNode *N = GPair.second.first; 1595 1596 // Start building the path diagnostic... 1597 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), getPathDiagnosticClient()); 1598 1599 if (PathDiagnosticPiece* Piece = R->getEndPath(PDB, N)) 1600 PD.push_back(Piece); 1601 else 1602 return; 1603 1604 // Register node visitors. 
1605 R->registerInitialVisitors(PDB, N); 1606 bugreporter::registerNilReceiverVisitor(PDB); 1607 1608 switch (PDB.getGenerationScheme()) { 1609 case PathDiagnosticClient::Extensive: 1610 GenerateExtensivePathDiagnostic(PD, PDB, N); 1611 break; 1612 case PathDiagnosticClient::Minimal: 1613 GenerateMinimalPathDiagnostic(PD, PDB, N); 1614 break; 1615 } 1616} 1617 1618void BugReporter::Register(BugType *BT) { 1619 BugTypes = F.add(BugTypes, BT); 1620} 1621 1622void BugReporter::EmitReport(BugReport* R) { 1623 // Compute the bug report's hash to determine its equivalence class. 1624 llvm::FoldingSetNodeID ID; 1625 R->Profile(ID); 1626 1627 // Lookup the equivance class. If there isn't one, create it. 1628 BugType& BT = R->getBugType(); 1629 Register(&BT); 1630 void *InsertPos; 1631 BugReportEquivClass* EQ = BT.EQClasses.FindNodeOrInsertPos(ID, InsertPos); 1632 1633 if (!EQ) { 1634 EQ = new BugReportEquivClass(R); 1635 BT.EQClasses.InsertNode(EQ, InsertPos); 1636 } 1637 else 1638 EQ->AddReport(R); 1639} 1640 1641 1642//===----------------------------------------------------------------------===// 1643// Emitting reports in equivalence classes. 1644//===----------------------------------------------------------------------===// 1645 1646namespace { 1647struct FRIEC_WLItem { 1648 const ExplodedNode *N; 1649 ExplodedNode::const_succ_iterator I, E; 1650 1651 FRIEC_WLItem(const ExplodedNode *n) 1652 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 1653}; 1654} 1655 1656static BugReport * 1657FindReportInEquivalenceClass(BugReportEquivClass& EQ, 1658 llvm::SmallVectorImpl<BugReport*> &bugReports) { 1659 1660 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 1661 assert(I != E); 1662 BugReport *R = *I; 1663 BugType& BT = R->getBugType(); 1664 1665 // If we don't need to suppress any of the nodes because they are 1666 // post-dominated by a sink, simply add all the nodes in the equivalence class 1667 // to 'Nodes'. 
Any of the reports will serve as a "representative" report. 1668 if (!BT.isSuppressOnSink()) { 1669 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 1670 const ExplodedNode* N = I->getErrorNode(); 1671 if (N) { 1672 R = *I; 1673 bugReports.push_back(R); 1674 } 1675 } 1676 return R; 1677 } 1678 1679 // For bug reports that should be suppressed when all paths are post-dominated 1680 // by a sink node, iterate through the reports in the equivalence class 1681 // until we find one that isn't post-dominated (if one exists). We use a 1682 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 1683 // this as a recursive function, but we don't want to risk blowing out the 1684 // stack for very long paths. 1685 BugReport *exampleReport = 0; 1686 1687 for (; I != E; ++I) { 1688 R = *I; 1689 const ExplodedNode *errorNode = R->getErrorNode(); 1690 1691 if (!errorNode) 1692 continue; 1693 if (errorNode->isSink()) { 1694 assert(false && 1695 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 1696 return 0; 1697 } 1698 // No successors? By definition this nodes isn't post-dominated by a sink. 1699 if (errorNode->succ_empty()) { 1700 bugReports.push_back(R); 1701 if (!exampleReport) 1702 exampleReport = R; 1703 continue; 1704 } 1705 1706 // At this point we know that 'N' is not a sink and it has at least one 1707 // successor. Use a DFS worklist to find a non-sink end-of-path node. 1708 typedef FRIEC_WLItem WLItem; 1709 typedef llvm::SmallVector<WLItem, 10> DFSWorkList; 1710 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 1711 1712 DFSWorkList WL; 1713 WL.push_back(errorNode); 1714 Visited[errorNode] = 1; 1715 1716 while (!WL.empty()) { 1717 WLItem &WI = WL.back(); 1718 assert(!WI.N->succ_empty()); 1719 1720 for (; WI.I != WI.E; ++WI.I) { 1721 const ExplodedNode *Succ = *WI.I; 1722 // End-of-path node? 1723 if (Succ->succ_empty()) { 1724 // If we found an end-of-path node that is not a sink. 
1725 if (!Succ->isSink()) { 1726 bugReports.push_back(R); 1727 if (!exampleReport) 1728 exampleReport = R; 1729 WL.clear(); 1730 break; 1731 } 1732 // Found a sink? Continue on to the next successor. 1733 continue; 1734 } 1735 // Mark the successor as visited. If it hasn't been explored, 1736 // enqueue it to the DFS worklist. 1737 unsigned &mark = Visited[Succ]; 1738 if (!mark) { 1739 mark = 1; 1740 WL.push_back(Succ); 1741 break; 1742 } 1743 } 1744 1745 // The worklist may have been cleared at this point. First 1746 // check if it is empty before checking the last item. 1747 if (!WL.empty() && &WL.back() == &WI) 1748 WL.pop_back(); 1749 } 1750 } 1751 1752 // ExampleReport will be NULL if all the nodes in the equivalence class 1753 // were post-dominated by sinks. 1754 return exampleReport; 1755} 1756 1757//===----------------------------------------------------------------------===// 1758// DiagnosticCache. This is a hack to cache analyzer diagnostics. It 1759// uses global state, which eventually should go elsewhere. 1760//===----------------------------------------------------------------------===// 1761namespace { 1762class DiagCacheItem : public llvm::FoldingSetNode { 1763 llvm::FoldingSetNodeID ID; 1764public: 1765 DiagCacheItem(BugReport *R, PathDiagnostic *PD) { 1766 ID.AddString(R->getBugType().getName()); 1767 ID.AddString(R->getBugType().getCategory()); 1768 ID.AddString(R->getDescription()); 1769 ID.AddInteger(R->getLocation().getRawEncoding()); 1770 PD->Profile(ID); 1771 } 1772 1773 void Profile(llvm::FoldingSetNodeID &id) { 1774 id = ID; 1775 } 1776 1777 llvm::FoldingSetNodeID &getID() { return ID; } 1778}; 1779} 1780 1781static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) { 1782 // FIXME: Eventually this diagnostic cache should reside in something 1783 // like AnalysisManager instead of being a static variable. This is 1784 // really unsafe in the long term. 
1785 typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache; 1786 static DiagnosticCache DC; 1787 1788 void *InsertPos; 1789 DiagCacheItem *Item = new DiagCacheItem(R, PD); 1790 1791 if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) { 1792 delete Item; 1793 return true; 1794 } 1795 1796 DC.InsertNode(Item, InsertPos); 1797 return false; 1798} 1799 1800void BugReporter::FlushReport(BugReportEquivClass& EQ) { 1801 llvm::SmallVector<BugReport*, 10> bugReports; 1802 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 1803 if (!exampleReport) 1804 return; 1805 1806 PathDiagnosticClient* PD = getPathDiagnosticClient(); 1807 1808 // FIXME: Make sure we use the 'R' for the path that was actually used. 1809 // Probably doesn't make a difference in practice. 1810 BugType& BT = exampleReport->getBugType(); 1811 1812 llvm::OwningPtr<PathDiagnostic> 1813 D(new PathDiagnostic(exampleReport->getBugType().getName(), 1814 !PD || PD->useVerboseDescription() 1815 ? exampleReport->getDescription() 1816 : exampleReport->getShortDescription(), 1817 BT.getCategory())); 1818 1819 if (!bugReports.empty()) 1820 GeneratePathDiagnostic(*D.get(), bugReports); 1821 1822 if (IsCachedDiagnostic(exampleReport, D.get())) 1823 return; 1824 1825 // Get the meta data. 1826 std::pair<const char**, const char**> Meta = 1827 exampleReport->getExtraDescriptiveText(); 1828 for (const char** s = Meta.first; s != Meta.second; ++s) 1829 D->addMeta(*s); 1830 1831 // Emit a summary diagnostic to the regular Diagnostics engine. 1832 BugReport::ranges_iterator Beg, End; 1833 llvm::tie(Beg, End) = exampleReport->getRanges(); 1834 Diagnostic &Diag = getDiagnostic(); 1835 FullSourceLoc L(exampleReport->getLocation(), getSourceManager()); 1836 1837 // Search the description for '%', as that will be interpretted as a 1838 // format character by FormatDiagnostics. 
1839 llvm::StringRef desc = exampleReport->getShortDescription(); 1840 unsigned ErrorDiag; 1841 { 1842 llvm::SmallString<512> TmpStr; 1843 llvm::raw_svector_ostream Out(TmpStr); 1844 for (llvm::StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I) 1845 if (*I == '%') 1846 Out << "%%"; 1847 else 1848 Out << *I; 1849 1850 Out.flush(); 1851 ErrorDiag = Diag.getCustomDiagID(Diagnostic::Warning, TmpStr); 1852 } 1853 1854 { 1855 DiagnosticBuilder diagBuilder = Diag.Report(L, ErrorDiag); 1856 for (BugReport::ranges_iterator I = Beg; I != End; ++I) 1857 diagBuilder << *I; 1858 } 1859 1860 // Emit a full diagnostic for the path if we have a PathDiagnosticClient. 1861 if (!PD) 1862 return; 1863 1864 if (D->empty()) { 1865 PathDiagnosticPiece* piece = 1866 new PathDiagnosticEventPiece(L, exampleReport->getDescription()); 1867 1868 for ( ; Beg != End; ++Beg) piece->addRange(*Beg); 1869 D->push_back(piece); 1870 } 1871 1872 PD->HandlePathDiagnostic(D.take()); 1873} 1874 1875void BugReporter::EmitBasicReport(llvm::StringRef name, llvm::StringRef str, 1876 SourceLocation Loc, 1877 SourceRange* RBeg, unsigned NumRanges) { 1878 EmitBasicReport(name, "", str, Loc, RBeg, NumRanges); 1879} 1880 1881void BugReporter::EmitBasicReport(llvm::StringRef name, 1882 llvm::StringRef category, 1883 llvm::StringRef str, SourceLocation Loc, 1884 SourceRange* RBeg, unsigned NumRanges) { 1885 1886 // 'BT' will be owned by BugReporter as soon as we call 'EmitReport'. 1887 BugType *BT = new BugType(name, category); 1888 FullSourceLoc L = getContext().getFullLoc(Loc); 1889 RangedBugReport *R = new DiagBugReport(*BT, str, L); 1890 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 1891 EmitReport(R); 1892} 1893