1 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines BugReporter, a utility class for generating
11 // PathDiagnostics.
12 //
13 //===----------------------------------------------------------------------===//
14
15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
16 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
17 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
18 #include "clang/AST/ASTContext.h"
19 #include "clang/Analysis/CFG.h"
20 #include "clang/AST/DeclObjC.h"
21 #include "clang/AST/Expr.h"
22 #include "clang/AST/ParentMap.h"
23 #include "clang/AST/StmtObjC.h"
24 #include "clang/Basic/SourceManager.h"
25 #include "clang/Analysis/ProgramPoint.h"
26 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
27 #include "llvm/Support/raw_ostream.h"
28 #include "llvm/ADT/DenseMap.h"
29 #include "llvm/ADT/SmallString.h"
30 #include "llvm/ADT/STLExtras.h"
31 #include "llvm/ADT/OwningPtr.h"
32 #include "llvm/ADT/IntrusiveRefCntPtr.h"
33 #include <queue>
34
35 using namespace clang;
36 using namespace ento;
37
/// Out-of-line definition of the BugReporterVisitor destructor; the body is
/// intentionally empty.
BugReporterVisitor::~BugReporterVisitor() {
}
39
/// Empty out-of-line definition of BugReporterContext::anchor().
// NOTE(review): presumably the usual LLVM "anchor" method that pins the
// class's vtable to this translation unit -- confirm against the header.
void BugReporterContext::anchor() {
}
41
42 //===----------------------------------------------------------------------===//
43 // Helper routines for walking the ExplodedGraph and fetching statements.
44 //===----------------------------------------------------------------------===//
45
/// Map a ProgramPoint to the statement it refers to, if any.
///
/// \returns the statement of a StmtPoint, the terminator of a BlockEdge's
/// source block, the call expression of a CallEnter, or the call site of a
/// CallExitEnd's callee context; null for every other kind of point.
static inline const Stmt *GetStmt(const ProgramPoint &P) {
  if (const StmtPoint *StmtP = dyn_cast<StmtPoint>(&P))
    return StmtP->getStmt();

  if (const BlockEdge *Edge = dyn_cast<BlockEdge>(&P))
    return Edge->getSrc()->getTerminator();

  if (const CallEnter *Enter = dyn_cast<CallEnter>(&P))
    return Enter->getCallExpr();

  if (const CallExitEnd *Exit = dyn_cast<CallExitEnd>(&P))
    return Exit->getCalleeContext()->getCallSite();

  // No statement is associated with this kind of program point.
  return 0;
}
58
/// Return the first predecessor of \p N, or null when N has no predecessors.
/// \p N itself must not be null; it is dereferenced unconditionally.
static inline const ExplodedNode*
GetPredecessorNode(const ExplodedNode *N) {
  if (N->pred_empty())
    return NULL;

  return *(N->pred_begin());
}
63
/// Return the first successor of \p N, or null when N has no successors.
/// \p N itself must not be null; it is dereferenced unconditionally.
static inline const ExplodedNode*
GetSuccessorNode(const ExplodedNode *N) {
  if (N->succ_empty())
    return NULL;

  return *(N->succ_begin());
}
68
/// Follow first predecessors starting from \p N (exclusive) and return the
/// statement of the first node that has one.
///
/// \returns null when the predecessor chain ends without any node yielding a
/// statement.
static const Stmt *GetPreviousStmt(const ExplodedNode *N) {
  N = GetPredecessorNode(N);
  while (N) {
    if (const Stmt *Found = GetStmt(N->getLocation()))
      return Found;
    N = GetPredecessorNode(N);
  }

  return 0;
}
76
/// Follow first successors starting from \p N (exclusive) and return the
/// statement of the first node whose statement is an actual statement point.
///
/// Conditional operators, choose expressions and logical '&&'/'||' are
/// "merges", not statement points, so nodes carrying them are skipped.
///
/// \returns null when the successor chain ends without a usable statement.
static const Stmt *GetNextStmt(const ExplodedNode *N) {
  for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) {
    const Stmt *S = GetStmt(N->getLocation());
    if (!S)
      continue;

    // Classify the statement: merges are skipped, anything else is returned.
    bool IsMerge = false;
    switch (S->getStmtClass()) {
    case Stmt::ChooseExprClass:
    case Stmt::BinaryConditionalOperatorClass:
    case Stmt::ConditionalOperatorClass:
      IsMerge = true;
      break;
    case Stmt::BinaryOperatorClass: {
      // Only the short-circuiting operators count as merges.
      BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode();
      IsMerge = (Op == BO_LAnd || Op == BO_LOr);
      break;
    }
    default:
      break;
    }

    if (!IsMerge)
      return S;
  }

  return 0;
}
100
/// Return the statement at \p N's own program point when there is one,
/// otherwise the nearest statement found by walking first predecessors.
static inline const Stmt*
GetCurrentOrPreviousStmt(const ExplodedNode *N) {
  const Stmt *Here = GetStmt(N->getLocation());
  return Here ? Here : GetPreviousStmt(N);
}
108
/// Return the statement at \p N's own program point when there is one,
/// otherwise the nearest statement point found by walking first successors.
static inline const Stmt*
GetCurrentOrNextStmt(const ExplodedNode *N) {
  const Stmt *Here = GetStmt(N->getLocation());
  return Here ? Here : GetNextStmt(N);
}
116
117 //===----------------------------------------------------------------------===//
118 // Diagnostic cleanup.
119 //===----------------------------------------------------------------------===//
120
/// Recursively scan through a path and prune out call and macro pieces
/// that aren't needed.
///
/// The path is processed in place: every piece is popped from the front and,
/// unless it is dropped, pushed back on the end, so after N iterations the
/// surviving pieces are back in their original relative order.
///
/// \param pieces The path to clean; nested call paths and macro sub-pieces
///               are cleaned recursively.
/// \param R      The report whose isInteresting() is consulted for the
///               location context of each call piece.
/// \returns true if afterwards the path contains "interesting stuff", which
///          means the caller keeps it; a call or macro piece whose nested
///          path yields false is the one that gets pruned from its parent.
bool BugReporter::RemoveUneededCalls(PathPieces &pieces, BugReport *R) {
  bool containsSomethingInteresting = false;
  // Snapshot the size: the list is rotated while we iterate over it.
  const unsigned N = pieces.size();

  for (unsigned i = 0 ; i < N ; ++i) {
    // Remove the front piece from the path. If it is still something we
    // want to keep once we are done, we will push it back on the end.
    IntrusiveRefCntPtr<PathDiagnosticPiece> piece(pieces.front());
    pieces.pop_front();

    switch (piece->getKind()) {
      case PathDiagnosticPiece::Call: {
        PathDiagnosticCallPiece *call = cast<PathDiagnosticCallPiece>(piece);
        // Check if the location context is interesting.
        // NOTE(review): the membership check is assert-only. If
        // LocationContextMap is a map whose operator[] default-inserts, a
        // build without assertions would pass a null context to
        // isInteresting() on a miss -- confirm against the declaration.
        assert(LocationContextMap.count(call));
        if (R->isInteresting(LocationContextMap[call])) {
          containsSomethingInteresting = true;
          break;
        }
        // Recursively clean out the nested call path. Keep this call around
        // if it contains any informative diagnostics; 'continue' skips the
        // push_back below and thereby drops the piece.
        if (!RemoveUneededCalls(call->path, R))
          continue;
        containsSomethingInteresting = true;
        break;
      }
      case PathDiagnosticPiece::Macro: {
        PathDiagnosticMacroPiece *macro = cast<PathDiagnosticMacroPiece>(piece);
        // Same rule as for calls: an uninteresting macro piece is dropped.
        if (!RemoveUneededCalls(macro->subPieces, R))
          continue;
        containsSomethingInteresting = true;
        break;
      }
      case PathDiagnosticPiece::Event: {
        PathDiagnosticEventPiece *event = cast<PathDiagnosticEventPiece>(piece);
        // We never throw away an event, but we do throw it away wholesale
        // as part of a path if we throw the entire path away.
        containsSomethingInteresting |= !event->isPrunable();
        break;
      }
      case PathDiagnosticPiece::ControlFlow:
        // Control-flow pieces are kept but never make a path interesting.
        break;
    }

    pieces.push_back(piece);
  }

  return containsSomethingInteresting;
}
173
174 //===----------------------------------------------------------------------===//
175 // PathDiagnosticBuilder and its associated routines and helper objects.
176 //===----------------------------------------------------------------------===//
177
// Maps one ExplodedNode to another. NodeMapClosure::getOriginalNode() looks a
// node up in such a map and returns the mapped node as its "original" node.
typedef llvm::DenseMap<const ExplodedNode*,
                       const ExplodedNode*> NodeBackMap;
180
181 namespace {
/// A BugReport::NodeResolver that answers lookups from a NodeBackMap.
///
/// The map is held by reference and is not owned; the constructor
/// dereferences the pointer it is given, so that pointer must not be null and
/// the map must outlive this object.
class NodeMapClosure : public BugReport::NodeResolver {
  NodeBackMap& M;
public:
  NodeMapClosure(NodeBackMap *m) : M(*m) {}
  ~NodeMapClosure() {}

  /// \returns the node \p N maps to, or null when N has no entry in the map.
  const ExplodedNode *getOriginalNode(const ExplodedNode *N) {
    NodeBackMap::iterator Pos = M.find(N);
    if (Pos == M.end())
      return 0;

    return Pos->second;
  }
};
193
/// BugReporterContext used while a PathDiagnostic is being generated for one
/// BugReport. It bundles the report, the (possibly null) diagnostic consumer,
/// a node resolver and the location context currently being processed.
class PathDiagnosticBuilder : public BugReporterContext {
  BugReport *R;
  // May be null; the two query methods at the bottom fall back to defaults.
  PathDiagnosticConsumer *PDC;
  // Default-constructed; no member function defined in this class reads it.
  OwningPtr<ParentMap> PM;
  NodeMapClosure NMC;
public:
  // Current location context. Public and mutable: the generation routines
  // reassign it as they walk the path.
  const LocationContext *LC;

  /// \p r must have an error node: LC is initialised from that node's
  /// location context.
  PathDiagnosticBuilder(GRBugReporter &br,
                        BugReport *r, NodeBackMap *Backmap,
                        PathDiagnosticConsumer *pdc)
    : BugReporterContext(br),
      R(r),
      PDC(pdc),
      NMC(Backmap),
      LC(r->getErrorNode()->getLocationContext())
  {}

  PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N);

  PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os,
                                            const ExplodedNode *N);

  BugReport *getBugReport() {
    return R;
  }

  /// The declaration that contains the report's error node.
  Decl const &getCodeDecl() {
    return R->getErrorNode()->getCodeDecl();
  }

  /// The parent map of the *current* location context (LC).
  ParentMap& getParentMap() {
    return LC->getParentMap();
  }

  const Stmt *getParent(const Stmt *S) {
    ParentMap &Parents = getParentMap();
    return Parents.getParent(S);
  }

  virtual NodeMapClosure& getNodeResolver() {
    return NMC;
  }

  PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S);

  /// The consumer's generation scheme, or Extensive when there is no consumer.
  PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const {
    if (!PDC)
      return PathDiagnosticConsumer::Extensive;

    return PDC->getGenerationScheme();
  }

  /// Whether '&&'/'||' control flow may be emitted; true without a consumer.
  bool supportsLogicalOpControlFlow() const {
    if (!PDC)
      return true;

    return PDC->supportsLogicalOpControlFlow();
  }
};
236 } // end anonymous namespace
237
/// Compute where execution continues after node \p N.
///
/// \returns the location of the next statement point after N (built with the
/// builder's current LC), or the end of the declaration of N's own location
/// context when no such statement exists.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) {
  const Stmt *Next = GetNextStmt(N);

  if (!Next)
    return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(),
                                                 getSourceManager());

  return PathDiagnosticLocation(Next, getSourceManager(), LC);
}
246
/// Like ExecutionContinues(N), but also appends a human-readable description
/// of the continuation point to \p os.
///
/// \param os Message under construction; text is appended to it.
/// \param N  Node after which execution continues.
/// \returns the same location ExecutionContinues(N) yields.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os,
                                          const ExplodedNode *N) {

  // Slow, but probably doesn't matter.
  // NOTE(review): a space is written only when nothing has been written yet;
  // callers that already wrote text end it with their own space. Confirm
  // that the leading space on an empty stream is intended.
  if (os.str().empty())
    os << ' ';

  const PathDiagnosticLocation &Loc = ExecutionContinues(N);

  if (Loc.asStmt()) {
    os << "Execution continues on line "
       << getSourceManager().getExpansionLineNumber(Loc.asLocation())
       << '.';
    return Loc;
  }

  // No following statement: describe the kind of declaration we fall out of.
  os << "Execution jumps to the end of the ";
  const Decl *D = N->getLocationContext()->getDecl();

  const char *Kind = "anonymous block";
  if (isa<ObjCMethodDecl>(D))
    Kind = "method";
  else if (isa<FunctionDecl>(D))
    Kind = "function";
  else
    assert(isa<BlockDecl>(D));

  os << Kind;
  os << '.';

  return Loc;
}
277
/// Decide whether \p S counts as nested inside another construct.
///
/// \returns true when S is an expression that \p PM reports as consumed, or
/// when its parent (ignoring parentheses) is a for, do or while statement.
static bool IsNested(const Stmt *S, ParentMap &PM) {
  if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S)))
    return true;

  const Stmt *Parent = PM.getParentIgnoreParens(S);
  if (!Parent)
    return false;

  const Stmt::StmtClass Kind = Parent->getStmtClass();
  return Kind == Stmt::ForStmtClass ||
         Kind == Stmt::DoStmtClass ||
         Kind == Stmt::WhileStmtClass;
}
296
/// Find the location that should represent the statement enclosing \p S in a
/// path diagnostic.
///
/// Starting at S, the function climbs to the parent (ignoring parentheses) as
/// long as IsNested() holds for the current statement. Several parent kinds
/// stop the climb early and return either the current statement or the
/// parent, depending on which child of the parent S is. After the climb, two
/// special cases map a for-statement's declaration or initialisation back to
/// the for-statement itself.
///
/// \param S Statement to start from; must not be null (asserted).
/// \returns a PathDiagnosticLocation built with the builder's current LC.
PathDiagnosticLocation
PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) {
  assert(S && "Null Stmt *passed to getEnclosingStmtLocation");
  ParentMap &P = getParentMap();
  SourceManager &SMgr = getSourceManager();

  while (IsNested(S, P)) {
    const Stmt *Parent = P.getParentIgnoreParens(S);

    if (!Parent)
      break;

    switch (Parent->getStmtClass()) {
      case Stmt::BinaryOperatorClass: {
        // An operand of '&&'/'||' is reported as itself.
        const BinaryOperator *B = cast<BinaryOperator>(Parent);
        if (B->isLogicalOp())
          return PathDiagnosticLocation(S, SMgr, LC);
        break;
      }
      case Stmt::CompoundStmtClass:
      case Stmt::StmtExprClass:
        return PathDiagnosticLocation(S, SMgr, LC);
      case Stmt::ChooseExprClass:
        // Similar to '?' if we are referring to condition, just have the edge
        // point to the entire choose expression.
        if (cast<ChooseExpr>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr, LC);
        else
          return PathDiagnosticLocation(S, SMgr, LC);
      case Stmt::BinaryConditionalOperatorClass:
      case Stmt::ConditionalOperatorClass:
        // For '?', if we are referring to condition, just have the edge point
        // to the entire '?' expression.
        if (cast<AbstractConditionalOperator>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr, LC);
        else
          return PathDiagnosticLocation(S, SMgr, LC);
      case Stmt::DoStmtClass:
        return PathDiagnosticLocation(S, SMgr, LC);
      case Stmt::ForStmtClass:
        // Only the loop body is reported as itself; other children of the
        // 'for' keep climbing.
        if (cast<ForStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr, LC);
        break;
      case Stmt::IfStmtClass:
        // Anything but the condition of the 'if' is reported as itself.
        if (cast<IfStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr, LC);
        break;
      case Stmt::ObjCForCollectionStmtClass:
        if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr, LC);
        break;
      case Stmt::WhileStmtClass:
        // Anything but the condition of the 'while' is reported as itself.
        if (cast<WhileStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr, LC);
        break;
      default:
        break;
    }

    S = Parent;
  }

  assert(S && "Cannot have null Stmt for PathDiagnosticLocation");

  // Special case: DeclStmts can appear in for statement declarations, in which
  // case the ForStmt is the context.
  if (isa<DeclStmt>(S)) {
    if (const Stmt *Parent = P.getParent(S)) {
      switch (Parent->getStmtClass()) {
        case Stmt::ForStmtClass:
        case Stmt::ObjCForCollectionStmtClass:
          return PathDiagnosticLocation(Parent, SMgr, LC);
        default:
          break;
      }
    }
  }
  else if (isa<BinaryOperator>(S)) {
    // Special case: the binary operator represents the initialization
    // code in a for statement (this can happen when the variable being
    // initialized is an old variable).
    if (const ForStmt *FS =
          dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) {
      if (FS->getInit() == S)
        return PathDiagnosticLocation(FS, SMgr, LC);
    }
  }

  return PathDiagnosticLocation(S, SMgr, LC);
}
387
388 //===----------------------------------------------------------------------===//
389 // "Minimal" path diagnostic generation algorithm.
390 //===----------------------------------------------------------------------===//
// A call piece paired with an ExplodedNode. GenerateMinimalPathDiagnostic
// pushes one pair per CallExitEnd it meets (the piece it constructed and the
// node it was constructed from).
typedef std::pair<PathDiagnosticCallPiece*, const ExplodedNode*> StackDiagPair;
// Stack of such pairs for the calls that are currently open on the path.
typedef SmallVector<StackDiagPair, 6> StackDiagVector;
393
/// If \p P is an event piece that carries a call-stack hint, attach the
/// hint's message to every call piece on the active stack that does not have
/// a message yet.
///
/// The path is traversed backwards, so the last message on the path to the
/// final bug is seen first; it is the most important one and is therefore
/// never overwritten by a message found later.
///
/// \param P         Piece just added to the path.
/// \param CallStack Call pieces currently open, each with its node.
static void updateStackPiecesWithMessage(PathDiagnosticPiece *P,
                                         StackDiagVector &CallStack) {
  PathDiagnosticEventPiece *Event = dyn_cast<PathDiagnosticEventPiece>(P);
  if (!Event || !Event->hasCallStackHint())
    return;

  for (StackDiagVector::iterator I = CallStack.begin(),
                                 E = CallStack.end(); I != E; ++I) {
    PathDiagnosticCallPiece *CallPiece = I->first;
    const ExplodedNode *CallNode = I->second;
    // The message is requested for every entry, as before, even when it
    // ends up unused.
    std::string Msg = Event->getCallStackMessage(CallNode);

    if (CallPiece->hasCallStackMessage())
      continue;

    CallPiece->setCallStackMessage(Msg);
  }
}
416
// Forward declaration: the definition is not in this part of the file, but
// GenerateMinimalPathDiagnostic below calls it as its final step.
static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM);
418
/// Build the "minimal" path diagnostic for a bug report.
///
/// Starting at \p N, the function follows first predecessors back through the
/// exploded graph. For every node it inspects the program point:
///  - CallExitEnd opens a new call piece and makes its path the active path;
///  - CallEnter closes the current call piece (creating one around the
///    active path when the path ended inside the call);
///  - BlockEdge with a terminator emits a control-flow piece whose message
///    depends on the terminator's statement class.
/// Afterwards each visitor may contribute one more piece for the node. All
/// pieces are pushed to the FRONT of the active path because the walk runs
/// backwards. Finally the pieces are compacted with CompactPathDiagnostic().
///
/// \param PD       Diagnostic that receives the pieces.
/// \param PDB      Builder context; its LC member is reassigned for every
///                 node visited.
/// \param N        Node to start from (the walk begins at its predecessor).
/// \param visitors Visitors asked for extra pieces on every step.
static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD,
                                          PathDiagnosticBuilder &PDB,
                                          const ExplodedNode *N,
                                      ArrayRef<BugReporterVisitor *> visitors) {

  SourceManager& SMgr = PDB.getSourceManager();
  // Captured once, before the loop starts reassigning PDB.LC: locations built
  // with this local use the context the builder held on entry.
  const LocationContext *LC = PDB.LC;
  const ExplodedNode *NextNode = N->pred_empty()
                                        ? NULL : *(N->pred_begin());

  // Call pieces that have been opened (CallExitEnd seen) but not yet closed.
  StackDiagVector CallStack;

  while (NextNode) {
    N = NextNode;
    PDB.LC = N->getLocationContext();
    NextNode = GetPredecessorNode(N);

    ProgramPoint P = N->getLocation();

    // do { ... } while(0) so that 'break' can leave the program-point
    // handling and still reach the visitor loop below.
    do {
      if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) {
        // Walking backwards, the end of a call is where the call piece starts.
        PathDiagnosticCallPiece *C =
          PathDiagnosticCallPiece::construct(N, *CE, SMgr);
        GRBugReporter& BR = PDB.getBugReporter();
        BR.addCallPieceLocationContextPair(C, CE->getCalleeContext());
        PD.getActivePath().push_front(C);
        PD.pushActivePath(&C->path);
        CallStack.push_back(StackDiagPair(C, N));
        break;
      }

      if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) {
        // Flush all locations, and pop the active path.
        bool VisitedEntireCall = PD.isWithinCall();
        PD.popActivePath();

        // Either we just added a bunch of stuff to the top-level path, or
        // we have a previous CallExitEnd. If the former, it means that the
        // path terminated within a function call. We must then take the
        // current contents of the active path and place it within
        // a new PathDiagnosticCallPiece.
        PathDiagnosticCallPiece *C;
        if (VisitedEntireCall) {
          C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front());
        } else {
          const Decl *Caller = CE->getLocationContext()->getDecl();
          C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller);
          GRBugReporter& BR = PDB.getBugReporter();
          BR.addCallPieceLocationContextPair(C, CE->getCalleeContext());
        }

        C->setCallee(*CE, SMgr);
        if (!CallStack.empty()) {
          // The piece being closed must be the innermost open one; this is
          // checked by assertion only.
          assert(CallStack.back().first == C);
          CallStack.pop_back();
        }
        break;
      }

      if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) {
        const CFGBlock *Src = BE->getSrc();
        const CFGBlock *Dst = BE->getDst();
        const Stmt *T = Src->getTerminator();

        // An edge out of a block without a terminator produces no piece.
        if (!T)
          break;

        PathDiagnosticLocation Start =
          PathDiagnosticLocation::createBegin(T, SMgr,
                                                N->getLocationContext());

        // NOTE(review): several cases below read *(Src->succ_begin()+1),
        // i.e. the second successor of Src, without checking that the block
        // has two successors; the code relies on the terminator kind for
        // that. The first successor is treated as the "true"/taken edge and
        // the second as the "false" edge.
        switch (T->getStmtClass()) {
          default:
            break;

          case Stmt::GotoStmtClass:
          case Stmt::IndirectGotoStmtClass: {
            const Stmt *S = GetNextStmt(N);

            if (!S)
              break;

            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);
            const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S);

            os << "Control jumps to line "
               << End.asLocation().getExpansionLineNumber();
            PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            break;
          }

          case Stmt::SwitchStmtClass: {
            // Figure out what case arm we took.
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            if (const Stmt *S = Dst->getLabel()) {
              PathDiagnosticLocation End(S, SMgr, LC);

              switch (S->getStmtClass()) {
                default:
                  os << "No cases match in the switch statement. "
                        "Control jumps to line "
                     << End.asLocation().getExpansionLineNumber();
                  break;
                case Stmt::DefaultStmtClass:
                  os << "Control jumps to the 'default' case at line "
                     << End.asLocation().getExpansionLineNumber();
                  break;

                case Stmt::CaseStmtClass: {
                  os << "Control jumps to 'case ";
                  const CaseStmt *Case = cast<CaseStmt>(S);
                  const Expr *LHS = Case->getLHS()->IgnoreParenCasts();

                  // Determine if it is an enum.
                  bool GetRawInt = true;

                  if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) {
                    // FIXME: Maybe this should be an assertion. Are there cases
                    // where it is not an EnumConstantDecl?
                    const EnumConstantDecl *D =
                        dyn_cast<EnumConstantDecl>(DR->getDecl());

                    if (D) {
                      // Print the enumerator's name instead of its value.
                      GetRawInt = false;
                      os << *D;
                    }
                  }

                  if (GetRawInt)
                    os << LHS->EvaluateKnownConstInt(PDB.getASTContext());

                  os << ":' at line "
                     << End.asLocation().getExpansionLineNumber();
                  break;
                }
              }
              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            }
            else {
              // The destination block has no label.
              os << "'Default' branch taken. ";
              const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N);
              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            }

            break;
          }

          case Stmt::BreakStmtClass:
          case Stmt::ContinueStmtClass: {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
            PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            break;
          }

          // Determine control-flow for ternary '?'.
          case Stmt::BinaryConditionalOperatorClass:
          case Stmt::ConditionalOperatorClass: {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);
            os << "'?' condition is ";

            if (*(Src->succ_begin()+1) == Dst)
              os << "false";
            else
              os << "true";

            PathDiagnosticLocation End = PDB.ExecutionContinues(N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            break;
          }

          // Determine control-flow for short-circuited '&&' and '||'.
          case Stmt::BinaryOperatorClass: {
            if (!PDB.supportsLogicalOpControlFlow())
              break;

            const BinaryOperator *B = cast<BinaryOperator>(T);
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);
            os << "Left side of '";

            if (B->getOpcode() == BO_LAnd) {
              os << "&&" << "' is ";

              if (*(Src->succ_begin()+1) == Dst) {
                os << "false";
                PathDiagnosticLocation End(B->getLHS(), SMgr, LC);
                // This 'Start' shadows the outer one: the edge begins at the
                // operator itself.
                PathDiagnosticLocation Start =
                  PathDiagnosticLocation::createOperatorLoc(B, SMgr);
                PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
              }
              else {
                os << "true";
                PathDiagnosticLocation Start(B->getLHS(), SMgr, LC);
                PathDiagnosticLocation End = PDB.ExecutionContinues(N);
                PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
              }
            }
            else {
              // A logical terminator that is not '&&' must be '||'.
              assert(B->getOpcode() == BO_LOr);
              os << "||" << "' is ";

              if (*(Src->succ_begin()+1) == Dst) {
                os << "false";
                PathDiagnosticLocation Start(B->getLHS(), SMgr, LC);
                PathDiagnosticLocation End = PDB.ExecutionContinues(N);
                PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
              }
              else {
                os << "true";
                PathDiagnosticLocation End(B->getLHS(), SMgr, LC);
                // Shadows the outer 'Start', as in the '&&' case above.
                PathDiagnosticLocation Start =
                  PathDiagnosticLocation::createOperatorLoc(B, SMgr);
                PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
              }
            }

            break;
          }

          case Stmt::DoStmtClass: {
            // For 'do', the FIRST successor is the edge back into the loop.
            if (*(Src->succ_begin()) == Dst) {
              std::string sbuf;
              llvm::raw_string_ostream os(sbuf);

              os << "Loop condition is true. ";
              PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);

              if (const Stmt *S = End.asStmt())
                End = PDB.getEnclosingStmtLocation(S);

              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            }
            else {
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);

              if (const Stmt *S = End.asStmt())
                End = PDB.getEnclosingStmtLocation(S);

              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                              Start, End, "Loop condition is false. Exiting loop"));
            }

            break;
          }

          case Stmt::WhileStmtClass:
          case Stmt::ForStmtClass: {
            // For 'while'/'for', the SECOND successor is the loop exit.
            if (*(Src->succ_begin()+1) == Dst) {
              std::string sbuf;
              llvm::raw_string_ostream os(sbuf);

              os << "Loop condition is false. ";
              PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
              if (const Stmt *S = End.asStmt())
                End = PDB.getEnclosingStmtLocation(S);

              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, os.str()));
            }
            else {
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              if (const Stmt *S = End.asStmt())
                End = PDB.getEnclosingStmtLocation(S);

              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                            Start, End, "Loop condition is true. Entering loop body"));
            }

            break;
          }

          case Stmt::IfStmtClass: {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            if (*(Src->succ_begin()+1) == Dst)
              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, "Taking false branch"));
            else
              PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
                                                   Start, End, "Taking true branch"));

            break;
          }
        }
      }
    } while(0);

    if (NextNode) {
      // Add diagnostic pieces from custom visitors.
      BugReport *R = PDB.getBugReport();
      for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(),
                                                    E = visitors.end();
           I != E; ++I) {
        if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) {
          PD.getActivePath().push_front(p);
          // Let open call pieces pick up a call-stack hint from this piece.
          updateStackPiecesWithMessage(p, CallStack);
        }
      }
    }
  }

  // After constructing the full PathDiagnostic, do a pass over it to compact
  // PathDiagnosticPieces that occur within a macro.
  CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager());
}
747
748 //===----------------------------------------------------------------------===//
749 // "Extensive" PathDiagnostic generation.
750 //===----------------------------------------------------------------------===//
751
/// Tell whether \p S is an expression that itself encodes control flow.
///
/// After stripping parentheses and casts, conditional operators and the
/// logical '&&'/'||' operators qualify; everything else, including any
/// non-expression statement, does not.
static bool IsControlFlowExpr(const Stmt *S) {
  const Expr *E = dyn_cast<Expr>(S);
  if (!E)
    return false;

  E = E->IgnoreParenCasts();
  if (isa<AbstractConditionalOperator>(E))
    return true;

  const BinaryOperator *B = dyn_cast<BinaryOperator>(E);
  return B && B->isLogicalOp();
}
769
770 namespace {
/// A PathDiagnosticLocation used as an entry of EdgeBuilder's context stack,
/// extended with a "dead" flag. EdgeBuilder::popLocation() emits no edge for
/// an entry whose flag is set.
class ContextLocation : public PathDiagnosticLocation {
  bool IsDead;
public:
  /// Implicit conversion from a plain location is intended: the flag then
  /// defaults to "not dead".
  ContextLocation(const PathDiagnosticLocation &L, bool isdead = false)
    : PathDiagnosticLocation(L),
      IsDead(isdead) {}

  /// Set the flag; there is no way to clear it again.
  void markDead() {
    IsDead = true;
  }

  bool isDead() const {
    return IsDead;
  }
};
780
/// Helper for the "extensive" path generation: it keeps a stack of context
/// locations and turns the locations it is fed into control-flow edge pieces
/// on the active path of a PathDiagnostic.
///
/// Edges are emitted by rawAddEdge(), which links each new location to the
/// previously recorded one (PrevLoc). The destructor flushes every context
/// that is still on the stack and then adds an edge for the beginning of the
/// declaration, so the object must be destroyed for the path to be complete.
class EdgeBuilder {
  // Stack of enclosing context locations; back() is the innermost one.
  std::vector<ContextLocation> CLocs;
  typedef std::vector<ContextLocation>::iterator iterator;
  // Both are held by reference and must outlive the builder.
  PathDiagnostic &PD;
  PathDiagnosticBuilder &PDB;
  // Location recorded by the most recent rawAddEdge() call; invalid until
  // the first location arrives and again after flushLocations().
  PathDiagnosticLocation PrevLoc;

  bool IsConsumedExpr(const PathDiagnosticLocation &L);

  bool containsLocation(const PathDiagnosticLocation &Container,
                        const PathDiagnosticLocation &Containee);

  PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L);

  /// Normalise a location before it is used as an edge end point.
  ///
  /// Statement locations whose statement is a parenthesised/generic-selection
  /// expression, a conditional operator, a choose expression or a binary
  /// operator are redirected, repeatedly, to the sub-expression that best
  /// represents them. Whenever that happens, or when \p firstCharOnly is
  /// passed as true, the result is narrowed to a single location.
  PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L,
                                         bool firstCharOnly = false) {
    if (const Stmt *S = L.asStmt()) {
      const Stmt *Original = S;
      while (1) {
        // Adjust the location for some expressions that are best referenced
        // by one of their subexpressions.
        // Every 'continue' below re-examines the new S; the trailing 'break'
        // ends the loop once S is none of the listed kinds.
        switch (S->getStmtClass()) {
          default:
            break;
          case Stmt::ParenExprClass:
          case Stmt::GenericSelectionExprClass:
            S = cast<Expr>(S)->IgnoreParens();
            firstCharOnly = true;
            continue;
          case Stmt::BinaryConditionalOperatorClass:
          case Stmt::ConditionalOperatorClass:
            S = cast<AbstractConditionalOperator>(S)->getCond();
            firstCharOnly = true;
            continue;
          case Stmt::ChooseExprClass:
            S = cast<ChooseExpr>(S)->getCond();
            firstCharOnly = true;
            continue;
          case Stmt::BinaryOperatorClass:
            S = cast<BinaryOperator>(S)->getLHS();
            firstCharOnly = true;
            continue;
        }

        break;
      }

      // Rebuild the location only if we actually moved to a sub-expression.
      if (S != Original)
        L = PathDiagnosticLocation(S, L.getManager(), PDB.LC);
    }

    if (firstCharOnly)
      L  = PathDiagnosticLocation::createSingleLocation(L);

    return L;
  }

  /// Pop the innermost context, emitting an edge for it first unless it is
  /// marked dead or its location is not a file location.
  /// CLocs must not be empty: back() is read unconditionally.
  void popLocation() {
    if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) {
      // For contexts, we only want the first character as the range.
      rawAddEdge(cleanUpLocation(CLocs.back(), true));
    }
    CLocs.pop_back();
  }

public:
  EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb)
    : PD(pd), PDB(pdb) {

      // If the PathDiagnostic already has pieces, add the enclosing statement
      // of the first piece as a context as well.
      if (!PD.path.empty()) {
        PrevLoc = (*PD.path.begin())->getLocation();

        if (const Stmt *S = PrevLoc.asStmt())
          addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
      }
  }

  ~EdgeBuilder() {
    // Flush every context that is still open.
    while (!CLocs.empty()) popLocation();

    // Finally, add an initial edge from the start location of the first
    // statement (if it doesn't already exist).
    PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin(
                                                       PDB.LC,
                                                       PDB.getSourceManager());
    if (L.isValid())
      rawAddEdge(L);
  }

  /// Flush all open contexts and forget the previous location, so that the
  /// next location starts a fresh chain of edges.
  void flushLocations() {
    while (!CLocs.empty())
      popLocation();
    PrevLoc = PathDiagnosticLocation();
  }

  void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false);

  void rawAddEdge(PathDiagnosticLocation NewLoc);

  void addContext(const Stmt *S);
  void addContext(const PathDiagnosticLocation &L);
  void addExtendedContext(const Stmt *S);
};
886 } // end anonymous namespace
887
888
/// Compute the context location for \p L.
///
/// \returns \p L unchanged when it has no statement or when its statement is
/// a control-flow expression; otherwise the location of the enclosing
/// statement as determined by the PathDiagnosticBuilder.
PathDiagnosticLocation
EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) {
  const Stmt *S = L.asStmt();

  if (!S || IsControlFlowExpr(S))
    return L;

  return PDB.getEnclosingStmtLocation(S);
}
900
/// Decide whether \p Container encloses \p Containee.
///
/// Equal locations and declaration containers always contain. When both
/// locations have statements, the answer comes from walking Containee's
/// parent chain. Otherwise the expansion source ranges are compared by line
/// and, on a shared boundary line, by column.
bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container,
                                   const PathDiagnosticLocation &Containee) {

  if (Container == Containee)
    return true;

  if (Container.asDecl())
    return true;

  if (const Stmt *S = Containee.asStmt())
    if (const Stmt *ContainerS = Container.asStmt()) {
      // Exact: is ContainerS an ancestor of (or identical to) S?
      for (; S; S = PDB.getParent(S))
        if (S == ContainerS)
          return true;
      return false;
    }

  // Less accurate: compare using source ranges.
  SourceRange ContainerR = Container.asRange();
  SourceRange ContaineeR = Containee.asRange();

  SourceManager &SM = PDB.getSourceManager();
  SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin());
  SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd());
  SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin());
  SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd());

  unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg);
  unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd);
  unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg);
  unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd);

  assert(ContainerBegLine <= ContainerEndLine);
  assert(ContaineeBegLine <= ContaineeEndLine);

  // The container must start no later and end no earlier, line-wise.
  if (ContainerBegLine > ContaineeBegLine)
    return false;
  if (ContainerEndLine < ContaineeEndLine)
    return false;

  // On a shared first line the container must start at or before the
  // containee's column.
  if (ContainerBegLine == ContaineeBegLine &&
      SM.getExpansionColumnNumber(ContainerRBeg) >
        SM.getExpansionColumnNumber(ContaineeRBeg))
    return false;

  // On a shared last line the container must end at or after the containee's
  // column.
  if (ContainerEndLine == ContaineeEndLine &&
      SM.getExpansionColumnNumber(ContainerREnd) <
        SM.getExpansionColumnNumber(ContaineeREnd))
    return false;

  return true;
}
947
/// Emit a control-flow edge from \p NewLoc to the previously recorded
/// location and make NewLoc the new previous location.
///
/// The very first location is only recorded. No edge is emitted, and PrevLoc
/// is left untouched, when both cleaned-up locations coincide or share the
/// same expansion location.
void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) {
  if (!PrevLoc.isValid()) {
    PrevLoc = NewLoc;
    return;
  }

  const PathDiagnosticLocation &CleanNew = cleanUpLocation(NewLoc);
  const PathDiagnosticLocation &CleanPrev = cleanUpLocation(PrevLoc);

  const bool SameSpot = CleanNew.asLocation() == CleanPrev.asLocation();

  // FIXME: Ignore intra-macro edges for now.
  if (SameSpot ||
      CleanNew.asLocation().getExpansionLoc() ==
        CleanPrev.asLocation().getExpansionLoc())
    return;

  // The walk runs backwards, so the new location is the edge's start.
  PathDiagnosticControlFlowPiece *Edge =
    new PathDiagnosticControlFlowPiece(CleanNew, CleanPrev);
  PD.getActivePath().push_front(Edge);
  PrevLoc = NewLoc;
}
968
/// Feed a new location into the builder, maintaining the context stack.
///
/// The context of \p NewLoc is computed and compared against the stack from
/// the innermost entry outwards. Entries that neither equal nor contain the
/// new context are popped (which may emit an edge for them). The first entry
/// that equals or contains it ends the search.
///
/// \param NewLoc    Location to add.
/// \param alwaysAdd When false, macro locations are ignored entirely and no
///                  edge is emitted while an enclosing context is found; the
///                  new context is merely pushed. When true, an edge is
///                  emitted for NewLoc in every case.
void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) {

  if (!alwaysAdd && NewLoc.asLocation().isMacroID())
    return;

  const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc);

  while (!CLocs.empty()) {
    ContextLocation &TopContextLoc = CLocs.back();

    // Is the top location context the same as the one for the new location?
    if (TopContextLoc == CLoc) {
      if (alwaysAdd) {
        // A consumed, non-control-flow context gets no edge of its own when
        // it is popped later.
        if (IsConsumedExpr(TopContextLoc) &&
            !IsControlFlowExpr(TopContextLoc.asStmt()))
            TopContextLoc.markDead();

        rawAddEdge(NewLoc);
      }

      return;
    }

    if (containsLocation(TopContextLoc, CLoc)) {
      if (alwaysAdd) {
        rawAddEdge(NewLoc);

        if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) {
          // Push the new context already marked dead.
          CLocs.push_back(ContextLocation(CLoc, true));
          return;
        }
      }

      // Implicitly converted to a (live) ContextLocation.
      CLocs.push_back(CLoc);
      return;
    }

    // Context does not contain the location. Flush it.
    popLocation();
  }

  // If we reach here, there is no enclosing context. Just add the edge.
  rawAddEdge(NewLoc);
}
1013
/// Returns true when \p L refers to an expression that the parent map reports
/// as consumed and that is not a control-flow expression. Locations that do
/// not wrap an Expr (including a null statement) yield false.
bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) {
  const Expr *X = dyn_cast_or_null<Expr>(L.asStmt());
  if (!X)
    return false;

  return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X);
}
1020
/// Adds \p S as a context and, when its nearest non-compound ancestor is a
/// 'do' statement or an Objective-C @synchronized statement, adds that
/// ancestor as a context first. A null \p S is ignored.
void EdgeBuilder::addExtendedContext(const Stmt *S) {
  if (!S)
    return;

  // Skip over any chain of enclosing compound statements.
  const Stmt *Parent = PDB.getParent(S);
  while (Parent && isa<CompoundStmt>(Parent))
    Parent = PDB.getParent(Parent);

  if (Parent) {
    const Stmt::StmtClass Kind = Parent->getStmtClass();
    if (Kind == Stmt::DoStmtClass ||
        Kind == Stmt::ObjCAtSynchronizedStmtClass)
      addContext(Parent);
  }

  addContext(S);
}
1045
/// Convenience overload: wraps \p S in a PathDiagnosticLocation built from the
/// builder's source manager and current location context, then forwards to
/// the location-based addContext. A null \p S is ignored.
void EdgeBuilder::addContext(const Stmt *S) {
  if (S) {
    PathDiagnosticLocation StmtLoc(S, PDB.getSourceManager(), PDB.LC);
    addContext(StmtLoc);
  }
}
1053
/// Pushes \p L onto the context stack (CLocs) unless it already is the
/// innermost context. Contexts on the stack that do not contain \p L are
/// flushed with popLocation() before \p L is pushed.
void EdgeBuilder::addContext(const PathDiagnosticLocation &L) {
  // The step expression flushes a context that does not contain the location.
  for (; !CLocs.empty(); popLocation()) {
    const PathDiagnosticLocation &Top = CLocs.back();

    // Already the innermost context: nothing to do.
    if (Top == L)
      return;

    // Found an enclosing context; L nests directly inside it.
    if (containsLocation(Top, L))
      break;
  }

  CLocs.push_back(L);
}
1073
1074 // Cone-of-influence: support the reverse propagation of "interesting" symbols
1075 // and values by tracing interesting calculations backwards through evaluated
1076 // expressions along a path. This is probably overly complicated, but the idea
1077 // is that if an expression computed an "interesting" value, the child
1078 // expressions are likely to be "interesting" as well (which then
1079 // propagates to the values they in turn compute). This reverse propagation
1080 // is needed to track interesting correlations across function call boundaries,
1081 // where formal arguments bind to actual arguments, etc. This is also needed
1082 // because the constraint solver sometimes simplifies certain symbolic values
1083 // into constants when appropriate, and this complicates reasoning about
1084 // interesting values.
// Set of expressions whose values were found to be interesting during the
// backwards walk; filled in by the reverse-propagation helpers below.
typedef llvm::DenseSet<const Expr *> InterestingExprs;
1086
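/// Propagates "interestingness" from an expression to its operands.
///
/// If the value of \p Ex in \p State is already interesting to \p R, or \p Ex
/// itself was recorded in \p IE, then for binary operators, unary operators
/// and casts every child expression is inserted into \p IE and its value is
/// marked interesting in \p R. Finally the value of \p Ex is marked
/// interesting as well.
///
/// \param R      report whose interesting-value sets are queried and updated.
/// \param IE     set of interesting expressions, updated in place.
/// \param State  program state used to evaluate expressions.
/// \param Ex     expression that was just evaluated on the path.
/// \param LCtx   location context in which \p Ex is evaluated.
static void reversePropagateIntererstingSymbols(BugReport &R,
                                                InterestingExprs &IE,
                                                const ProgramState *State,
                                                const Expr *Ex,
                                                const LocationContext *LCtx) {
  SVal V = State->getSVal(Ex, LCtx);
  if (!(R.isInteresting(V) || IE.count(Ex)))
    return;

  switch (Ex->getStmtClass()) {
    default:
      if (!isa<CastExpr>(Ex))
        break;
      // Fall through.
    case Stmt::BinaryOperatorClass:
    case Stmt::UnaryOperatorClass: {
      for (Stmt::const_child_iterator CI = Ex->child_begin(),
            CE = Ex->child_end();
            CI != CE; ++CI) {
        if (const Expr *child = dyn_cast_or_null<Expr>(*CI)) {
          IE.insert(child);
          SVal ChildV = State->getSVal(child, LCtx);
          R.markInteresting(ChildV);
        }
      }
      // The 'break' belongs to the switch. It used to sit inside the loop
      // body, which ended the iteration after the first child, so the
      // right-hand operand of a binary operator was never propagated.
      break;
    }
  }

  R.markInteresting(V);
}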
1118
/// Propagates interestingness across a call boundary, from formal parameters
/// back to the actual argument expressions.
///
/// For a callee that is a FunctionDecl invoked through a CallExpr, arguments
/// and parameters are walked pairwise (stopping at the shorter list). An
/// argument expression is inserted into \p IE when the parameter's lvalue in
/// \p CalleeCtx, or the raw value stored there, is interesting to \p R.
///
/// \p CallerCtx is not used by the body.
static void reversePropagateInterestingSymbols(BugReport &R,
                                               InterestingExprs &IE,
                                               const ProgramState *State,
                                               const LocationContext *CalleeCtx,
                                               const LocationContext *CallerCtx)
{
  // FIXME: Handle non-CallExpr-based CallEvents.
  const Stmt *CallSite = CalleeCtx->getCurrentStackFrame()->getCallSite();
  const CallExpr *Call = dyn_cast_or_null<CallExpr>(CallSite);
  if (!Call)
    return;

  const FunctionDecl *Callee = dyn_cast<FunctionDecl>(CalleeCtx->getDecl());
  if (!Callee)
    return;

  FunctionDecl::param_const_iterator ParamIt = Callee->param_begin(),
                                     ParamEnd = Callee->param_end();
  CallExpr::const_arg_iterator ArgIt = Call->arg_begin(),
                               ArgEnd = Call->arg_end();

  for (; ArgIt != ArgEnd && ParamIt != ParamEnd; ++ArgIt, ++ParamIt) {
    const Expr *ArgE = *ArgIt;
    if (!ArgE)
      continue;

    const ParmVarDecl *Param = *ParamIt;
    if (!Param)
      continue;

    Loc ParamLoc = State->getLValue(Param, CalleeCtx);
    if (R.isInteresting(ParamLoc) ||
        R.isInteresting(State->getRawSVal(ParamLoc)))
      IE.insert(ArgE);
  }
}
1145
/// Builds the "extensive" form of a path diagnostic into \p PD.
///
/// The path is walked backwards: starting from the first predecessor of \p N,
/// each node's program point is inspected, and pieces and edges are pushed
/// onto the front of the active path. Along the way interesting values are
/// propagated backwards through expressions and across call boundaries, and
/// each visitor in \p visitors is given the chance to contribute a piece for
/// every (node, predecessor) pair.
///
/// \param PD        diagnostic being filled in.
/// \param PDB       builder giving access to the source manager, the bug
///                  report and the current location context (PDB.LC is
///                  updated during the walk).
/// \param N         node the walk starts from.
/// \param visitors  visitors consulted for additional pieces.
static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD,
                                            PathDiagnosticBuilder &PDB,
                                            const ExplodedNode *N,
                                      ArrayRef<BugReporterVisitor *> visitors) {
  EdgeBuilder EB(PD, PDB);
  const SourceManager& SM = PDB.getSourceManager();
  // Call pieces entered (from their exit) but not yet left during the walk.
  StackDiagVector CallStack;
  InterestingExprs IE;

  const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin());
  while (NextNode) {
    N = NextNode;
    NextNode = GetPredecessorNode(N);
    ProgramPoint P = N->getLocation();

    // Single-pass 'do { ... } while (0)' so that each handled program-point
    // kind can 'break' out to the visitor handling below.
    do {
      if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) {
        if (const Expr *Ex = PS->getStmtAs<Expr>())
          reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE,
                                              N->getState().getPtr(), Ex,
                                              N->getLocationContext());
      }

      // Walking backwards, the end of a call is seen before its start: open a
      // new call piece and make its sub-path the active path.
      if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) {
        const Stmt *S = CE->getCalleeContext()->getCallSite();
        if (const Expr *Ex = dyn_cast_or_null<Expr>(S)) {
          reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE,
                                              N->getState().getPtr(), Ex,
                                              N->getLocationContext());
        }

        PathDiagnosticCallPiece *C =
          PathDiagnosticCallPiece::construct(N, *CE, SM);
        GRBugReporter& BR = PDB.getBugReporter();
        BR.addCallPieceLocationContextPair(C, CE->getCalleeContext());

        EB.addEdge(C->callReturn, true);
        EB.flushLocations();

        PD.getActivePath().push_front(C);
        PD.pushActivePath(&C->path);
        CallStack.push_back(StackDiagPair(C, N));
        break;
      }

      // Pop the call hierarchy if we are done walking the contents
      // of a function call.
      if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) {
        // Add an edge to the start of the function.
        const Decl *D = CE->getCalleeContext()->getDecl();
        PathDiagnosticLocation pos =
          PathDiagnosticLocation::createBegin(D, SM);
        EB.addEdge(pos);

        // Flush all locations, and pop the active path.
        // The flag must be read before popActivePath() changes the nesting.
        bool VisitedEntireCall = PD.isWithinCall();
        EB.flushLocations();
        PD.popActivePath();
        PDB.LC = N->getLocationContext();

        // Either we just added a bunch of stuff to the top-level path, or
        // we have a previous CallExitEnd. If the former, it means that the
        // path terminated within a function call. We must then take the
        // current contents of the active path and place it within
        // a new PathDiagnosticCallPiece.
        PathDiagnosticCallPiece *C;
        if (VisitedEntireCall) {
          C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front());
        } else {
          const Decl *Caller = CE->getLocationContext()->getDecl();
          C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller);
          GRBugReporter& BR = PDB.getBugReporter();
          BR.addCallPieceLocationContextPair(C, CE->getCalleeContext());
        }

        C->setCallee(*CE, SM);
        EB.addContext(C->getLocation());

        if (!CallStack.empty()) {
          // Consistency check only; it is compiled out when assertions are
          // disabled, in which case the top entry is popped unchecked.
          assert(CallStack.back().first == C);
          CallStack.pop_back();
        }
        break;
      }

      // Note that is important that we update the LocationContext
      // after looking at CallExits. CallExit basically adds an
      // edge in the *caller*, so we don't want to update the LocationContext
      // too soon.
      PDB.LC = N->getLocationContext();

      // Block edges.
      if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) {
        // Does this represent entering a call? If so, look at propagating
        // interesting symbols across call boundaries.
        if (NextNode) {
          const LocationContext *CallerCtx = NextNode->getLocationContext();
          const LocationContext *CalleeCtx = PDB.LC;
          if (CallerCtx != CalleeCtx) {
            reversePropagateInterestingSymbols(*PDB.getBugReport(), IE,
                                               N->getState().getPtr(),
                                               CalleeCtx, CallerCtx);
          }
        }

        const CFGBlock &Blk = *BE->getSrc();
        const Stmt *Term = Blk.getTerminator();

        // Are we jumping to the head of a loop? Add a special diagnostic.
        if (const Stmt *Loop = BE->getDst()->getLoopTarget()) {
          PathDiagnosticLocation L(Loop, SM, PDB.LC);
          const CompoundStmt *CS = NULL;

          // Only when the source block has no terminator: pick up the
          // compound body of a 'for' or 'while' loop so an edge to its
          // closing brace can be added below.
          if (!Term) {
            if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
              CS = dyn_cast<CompoundStmt>(FS->getBody());
            else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop))
              CS = dyn_cast<CompoundStmt>(WS->getBody());
          }

          PathDiagnosticEventPiece *p =
            new PathDiagnosticEventPiece(L,
                                        "Looping back to the head of the loop");
          p->setPrunable(true);

          EB.addEdge(p->getLocation(), true);
          PD.getActivePath().push_front(p);

          if (CS) {
            PathDiagnosticLocation BL =
              PathDiagnosticLocation::createEndBrace(CS, SM);
            EB.addEdge(BL);
          }
        }

        if (Term)
          EB.addContext(Term);

        break;
      }

      if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
        if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) {
          const Stmt *stmt = S->getStmt();
          if (IsControlFlowExpr(stmt)) {
            // Add the proper context for '&&', '||', and '?'.
            EB.addContext(stmt);
          }
          else
            EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt());
        }

        break;
      }


    } while (0);

    // The visitors need a predecessor node; at the start of the path there is
    // none, and the enclosing loop ends on its next condition check.
    if (!NextNode)
      continue;

    // Add pieces from custom visitors.
    BugReport *R = PDB.getBugReport();
    for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(),
                                                  E = visitors.end();
         I != E; ++I) {
      if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) {
        const PathDiagnosticLocation &Loc = p->getLocation();
        EB.addEdge(Loc, true);
        PD.getActivePath().push_front(p);
        updateStackPiecesWithMessage(p, CallStack);

        if (const Stmt *S = Loc.asStmt())
          EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
      }
    }
  }
}
1324
1325 //===----------------------------------------------------------------------===//
1326 // Methods for BugType and subclasses.
1327 //===----------------------------------------------------------------------===//
/// Out-of-line destructor; intentionally empty.
BugType::~BugType() {
}

/// Default flush hook for a bug type: does nothing. BugReporter::FlushReports
/// calls this on every registered BugType before flushing equivalence classes.
void BugType::FlushReports(BugReporter &BR) {
}

/// Empty out-of-line definition.
/// NOTE(review): presumably the LLVM vtable-anchor idiom - confirm against the
/// class declaration.
void BuiltinBug::anchor() {
}
1333
1334 //===----------------------------------------------------------------------===//
1335 // Methods for BugReport and subclasses.
1336 //===----------------------------------------------------------------------===//
1337
/// Empty out-of-line definition.
/// NOTE(review): presumably the LLVM vtable-anchor idiom - confirm against the
/// class declaration.
void BugReport::NodeResolver::anchor() {
}
1339
/// Registers \p visitor with this report, taking ownership of it.
///
/// Visitors are de-duplicated by their Profile(): if an equivalent visitor is
/// already registered, \p visitor is deleted immediately and must not be used
/// by the caller afterwards. Otherwise it is stored (and deleted later by
/// ~BugReport) and the configuration-change token is bumped. A null
/// \p visitor is ignored.
void BugReport::addVisitor(BugReporterVisitor* visitor) {
  if (!visitor)
    return;

  llvm::FoldingSetNodeID Fingerprint;
  visitor->Profile(Fingerprint);

  void *Slot = 0;
  const bool AlreadyRegistered =
    CallbacksSet.FindNodeOrInsertPos(Fingerprint, Slot) != 0;

  if (AlreadyRegistered) {
    // Duplicate: this report owns the pointer, so release it here.
    delete visitor;
    return;
  }

  CallbacksSet.InsertNode(visitor, Slot);
  Callbacks.push_back(visitor);
  ++ConfigurationChangeToken;
}
1357
/// Releases everything the report owns: every registered visitor, and every
/// level of the interesting-symbol / interesting-region stacks.
BugReport::~BugReport() {
  for (visitor_iterator Cur = visitor_begin(), End = visitor_end();
       Cur != End; ++Cur)
    delete *Cur;

  // Each pop deletes one symbol set and one region set.
  while (!interestingSymbols.empty())
    popInterestingSymbolsAndRegions();
}
1366
/// Returns the declaration the issue is attributed to: the explicitly set
/// DeclWithIssue if there is one, otherwise the declaration of the error
/// node's current stack frame, or null when the report has no error node.
const Decl *BugReport::getDeclWithIssue() const {
  if (DeclWithIssue)
    return DeclWithIssue;

  if (const ExplodedNode *N = getErrorNode())
    return N->getLocationContext()->getCurrentStackFrame()->getDecl();

  return 0;
}
1378
/// Folds the identity of this report into \p hash: the address of its bug
/// type, the description, one location (the uniqueing location if valid, else
/// the report location if valid, else the statement at the error node), and
/// the raw encodings of every valid source range.
void BugReport::Profile(llvm::FoldingSetNodeID& hash) const {
  hash.AddPointer(&BT);
  hash.AddString(Description);

  if (UniqueingLocation.isValid())
    UniqueingLocation.Profile(hash);
  else if (Location.isValid())
    Location.Profile(hash);
  else {
    // Without any valid location the report must be node-based.
    assert(ErrorNode);
    hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode));
  }

  for (unsigned Idx = 0, Count = Ranges.size(); Idx != Count; ++Idx) {
    const SourceRange &Current = Ranges[Idx];
    // Invalid ranges do not take part in the profile.
    if (Current.isValid()) {
      hash.AddInteger(Current.getBegin().getRawEncoding());
      hash.AddInteger(Current.getEnd().getRawEncoding());
    }
  }
}
1400
/// Marks \p sym as interesting. A newly inserted symbol bumps the
/// configuration-change token. For a metadata symbol, its region is added to
/// the interesting regions as well (without touching the token). A null
/// symbol is ignored.
void BugReport::markInteresting(SymbolRef sym) {
  if (!sym)
    return;

  // If the symbol wasn't already in our set, note a configuration change.
  const bool NewlyInserted = getInterestingSymbols().insert(sym).second;
  if (NewlyInserted)
    ++ConfigurationChangeToken;

  const SymbolMetadata *Meta = dyn_cast<SymbolMetadata>(sym);
  if (Meta)
    getInterestingRegions().insert(Meta->getRegion());
}
1412
/// Marks the base region of \p R as interesting. A newly inserted region bumps
/// the configuration-change token. For a symbolic base region, its symbol is
/// added to the interesting symbols as well (without touching the token). A
/// null region is ignored.
void BugReport::markInteresting(const MemRegion *R) {
  if (!R)
    return;

  // If the base region wasn't already in our set, note a configuration change.
  const MemRegion *Base = R->getBaseRegion();
  const bool NewlyInserted = getInterestingRegions().insert(Base).second;
  if (NewlyInserted)
    ++ConfigurationChangeToken;

  const SymbolicRegion *Symbolic = dyn_cast<SymbolicRegion>(Base);
  if (Symbolic)
    getInterestingSymbols().insert(Symbolic->getSymbol());
}
1425
/// Marks both the region and the symbol that \p V may denote as interesting.
/// Either may be null, in which case the corresponding overload ignores it.
void BugReport::markInteresting(SVal V) {
  const MemRegion *Region = V.getAsRegion();
  markInteresting(Region);

  SymbolRef Symbol = V.getAsSymbol();
  markInteresting(Symbol);
}
1430
/// Records \p LC as an interesting location context. A null context is
/// ignored. Unlike the symbol and region overloads, this one does not change
/// the configuration-change token.
void BugReport::markInteresting(const LocationContext *LC) {
  if (LC)
    InterestingLocationContexts.insert(LC);
}
1436
/// Returns true when the region or the symbol that \p V may denote is
/// interesting. The region is checked first; the symbol is only consulted if
/// the region is not interesting.
bool BugReport::isInteresting(SVal V) {
  if (isInteresting(V.getAsRegion()))
    return true;

  return isInteresting(V.getAsSymbol());
}
1440
/// Returns true when \p sym is in the current set of interesting symbols.
/// A null symbol is never interesting.
bool BugReport::isInteresting(SymbolRef sym) {
  // We don't currently consider metadata symbols to be interesting
  // even if we know their region is interesting. Is that correct behavior?
  return sym && getInterestingSymbols().count(sym);
}
1448
/// Returns true when the base region of \p R is interesting, or when that
/// base region is symbolic and its symbol is interesting. A null region is
/// never interesting.
bool BugReport::isInteresting(const MemRegion *R) {
  if (!R)
    return false;

  const MemRegion *Base = R->getBaseRegion();
  if (getInterestingRegions().count(Base))
    return true;

  // Fall back to the symbol behind a symbolic region.
  const SymbolicRegion *Symbolic = dyn_cast<SymbolicRegion>(Base);
  return Symbolic && getInterestingSymbols().count(Symbolic->getSymbol());
}
1460
/// Returns true when \p LC was recorded as an interesting location context.
/// A null context is never interesting.
bool BugReport::isInteresting(const LocationContext *LC) {
  return LC && InterestingLocationContexts.count(LC);
}
1466
/// Makes sure the interesting-symbol and interesting-region stacks each hold
/// one (initially empty) set. The sets are heap-allocated and owned by the
/// report; popInterestingSymbolsAndRegions() deletes them.
void BugReport::lazyInitializeInterestingSets() {
  // Only the symbol stack is tested; both stacks are grown in lock step here.
  if (!interestingSymbols.empty())
    return;

  interestingSymbols.push_back(new Symbols());
  interestingRegions.push_back(new Regions());
}
1473
/// Returns the innermost set of interesting symbols, allocating the first
/// level of the stack on first use.
BugReport::Symbols &BugReport::getInterestingSymbols() {
  lazyInitializeInterestingSets();
  Symbols *Current = interestingSymbols.back();
  return *Current;
}
1478
/// Returns the innermost set of interesting regions, allocating the first
/// level of the stack on first use.
BugReport::Regions &BugReport::getInterestingRegions() {
  lazyInitializeInterestingSets();
  Regions *Current = interestingRegions.back();
  return *Current;
}
1483
/// Pushes a new level onto both stacks, each initialised as a copy of the
/// current innermost set. Every push must eventually be matched by a call to
/// popInterestingSymbolsAndRegions(), which frees the copies.
void BugReport::pushInterestingSymbolsAndRegions() {
  Symbols *SymbolsCopy = new Symbols(getInterestingSymbols());
  interestingSymbols.push_back(SymbolsCopy);

  Regions *RegionsCopy = new Regions(getInterestingRegions());
  interestingRegions.push_back(RegionsCopy);
}
1488
/// Removes and deletes the innermost level of both stacks.
///
/// Precondition: both stacks are non-empty. There is no check here, so the
/// caller is responsible for it (~BugReport tests interestingSymbols.empty()
/// before every pop).
void BugReport::popInterestingSymbolsAndRegions() {
  Symbols *TopSymbols = interestingSymbols.back();
  interestingSymbols.pop_back();
  delete TopSymbols;

  Regions *TopRegions = interestingRegions.back();
  interestingRegions.pop_back();
  delete TopRegions;
}
1495
/// Returns the statement associated with the error node, or null when the
/// report has no error node.
///
/// When the error node is the entrance of the CFG exit block, the previous
/// statement on the path is preferred; if there is none, or in every other
/// case, the statement is derived from the node's program point.
const Stmt *BugReport::getStmt() const {
  if (!ErrorNode)
    return 0;

  ProgramPoint ProgP = ErrorNode->getLocation();

  if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) {
    CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit();
    if (BE->getBlock() == &Exit) {
      if (const Stmt *Previous = GetPreviousStmt(ErrorNode))
        return Previous;
    }
  }

  return GetStmt(ProgP);
}
1513
/// Returns the [begin, end) pair of source ranges attached to the report.
///
/// If no range was added explicitly, the source range of the error node's
/// expression is added first; when there is no such expression an empty pair
/// of default-constructed iterators is returned. A single invalid range means
/// the user asked for no range info, which also yields the empty pair.
std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator>
BugReport::getRanges() {
  // If no custom ranges, add the range of the statement corresponding to
  // the error node.
  if (Ranges.empty()) {
    const Expr *E = dyn_cast_or_null<Expr>(getStmt());
    if (!E)
      return std::make_pair(ranges_iterator(), ranges_iterator());

    addRange(E->getSourceRange());
  }

  // User-specified absence of range info.
  const bool ExplicitlyNoRange =
    Ranges.size() == 1 && !Ranges.begin()->isValid();
  if (ExplicitlyNoRange)
    return std::make_pair(ranges_iterator(), ranges_iterator());

  return std::make_pair(Ranges.begin(), Ranges.end());
}
1531
/// Returns the location the report should be shown at.
///
/// A report carries either an explicit Location or an ErrorNode (asserted, not
/// both). Without an error node the stored Location is returned. With one, the
/// location is derived from the current-or-previous statement at that node:
/// the member operator for member expressions, the operator for binary
/// operators, otherwise the beginning of the statement. If no statement can be
/// found, a default-constructed location is returned.
PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const {
  if (!ErrorNode) {
    assert(Location.isValid());
    return Location;
  }

  assert(!Location.isValid() &&
   "Either Location or ErrorNode should be specified but not both.");

  const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode);
  if (!S)
    return PathDiagnosticLocation();

  // For member expressions, return the location of the '.' or '->'.
  if (const MemberExpr *ME = dyn_cast<MemberExpr>(S))
    return PathDiagnosticLocation::createMemberLoc(ME, SM);

  // For binary operators, return the location of the operator.
  if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S))
    return PathDiagnosticLocation::createOperatorLoc(B, SM);

  return PathDiagnosticLocation::createBegin(S, SM,
                                             ErrorNode->getLocationContext());
}
1556
1557 //===----------------------------------------------------------------------===//
1558 // Methods for BugReporter and subclasses.
1559 //===----------------------------------------------------------------------===//
1560
/// Out-of-line destructor; intentionally empty.
BugReportEquivClass::~BugReportEquivClass() {
}

/// Out-of-line destructor; intentionally empty.
GRBugReporter::~GRBugReporter() {
}

/// Out-of-line destructor; intentionally empty.
BugReporterData::~BugReporterData() {
}
1564
/// Returns the exploded graph held by the engine this reporter wraps.
ExplodedGraph &GRBugReporter::getGraph() {
  return Eng.getGraph();
}
1566
/// Returns the program-state manager of the engine this reporter wraps.
ProgramStateManager &GRBugReporter::getStateManager() {
  return Eng.getStateManager();
}
1569
/// Flushes any pending reports, then frees every equivalence class the
/// reporter is tracking.
BugReporter::~BugReporter() {
  // Reports must be emitted before the classes that hold them are destroyed.
  FlushReports();

  // Free the bug reports we are tracking.
  typedef std::vector<BugReportEquivClass *> ContTy;
  for (ContTy::size_type Idx = 0, Count = EQClassesVector.size();
       Idx != Count; ++Idx)
    delete EQClassesVector[Idx];
}
1580
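/// Emits all pending reports and releases the bug types this reporter owns.
///
/// Does nothing when no BugType is registered. Otherwise each registered
/// BugType gets its FlushReports() hook called, every equivalence class is
/// flushed in vector order, the BugTypes created implicitly through
/// EmitBasicReport (held in StrBugTypes) are deleted, and the set of
/// registered BugTypes is reset.
void BugReporter::FlushReports() {
  if (BugTypes.isEmpty())
    return;

  // First flush the warnings for each BugType.  This may end up creating new
  // warnings and new BugTypes.
  // FIXME: Only NSErrorChecker needs BugType's FlushReports.
  // Turn NSErrorChecker into a proper checker and remove this.
  // Iterate over a snapshot, because the hooks may register further BugTypes
  // while we are walking the set.
  SmallVector<const BugType*, 16> bugTypes;
  for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I)
    bugTypes.push_back(*I);
  for (SmallVector<const BugType*, 16>::iterator
         I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I)
    const_cast<BugType*>(*I)->FlushReports(*this);

  // We need to flush reports in deterministic order to ensure the order
  // of the reports is consistent between runs.
  typedef std::vector<BugReportEquivClass *> ContVecTy;
  for (ContVecTy::iterator EI=EQClassesVector.begin(), EE=EQClassesVector.end();
       EI != EE; ++EI){
    BugReportEquivClass& EQ = **EI;
    FlushReport(EQ);
  }

  // BugReporter owns and deletes only BugTypes created implicitly through
  // EmitBasicReport.
  // FIXME: There are leaks from checkers that assume that the BugTypes they
  // create will be destroyed by the BugReporter.
  for (llvm::StringMap<BugType*>::iterator
         I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I)
    delete I->second;

  // Drop the entries as well: the map would otherwise keep pointers to freed
  // BugTypes, which a later lookup could hand out again and which a later
  // flush (after new BugTypes were registered) would delete a second time.
  StrBugTypes.clear();

  // Remove all references to the BugType objects.
  BugTypes = F.getEmptySet();
}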
1616
1617 //===----------------------------------------------------------------------===//
1618 // PathDiagnostics generation.
1619 //===----------------------------------------------------------------------===//
1620
/// Builds a new graph holding a single path from the root to one of the error
/// nodes in \p nodes.
///
/// \param G      the full exploded graph.
/// \param nodes  candidate error nodes; must yield at least one node in the
///               trimmed graph (checked by assertion only).
/// \returns ((graph, back-map), (first, index)) where 'graph' is the new
///          single-path graph, 'back-map' maps each of its nodes to the
///          corresponding node of \p G, 'first' is the error node in the new
///          graph and 'index' is its position in \p nodes. The graph and the
///          back-map are allocated with 'new' and returned as raw pointers;
///          the caller must take ownership of both.
///
/// NOTE(review): every sanity check in here is an assert. In a build with
/// assertions disabled a missing root or successor is not detected and the
/// null pointer would be used by the code that follows.
static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>,
                 std::pair<ExplodedNode*, unsigned> >
MakeReportGraph(const ExplodedGraph* G,
                SmallVectorImpl<const ExplodedNode*> &nodes) {

  // Create the trimmed graph.  It will contain the shortest paths from the
  // error nodes to the root.  In the new graph we should only have one
  // error node unless there are two or more error nodes with the same minimum
  // path length.
  ExplodedGraph* GTrim;
  InterExplodedGraphMap* NMap;

  // Filled in by Trim(): maps nodes of the trimmed graph back to nodes of G.
  llvm::DenseMap<const void*, const void*> InverseMap;
  llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(),
                                   &InverseMap);

  // Create owning pointers for GTrim and NMap just to ensure that they are
  // released when this function exits.
  OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim);
  OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap);

  // Find the (first) error node in the trimmed graph.  We just need to consult
  // the node map (NMap) which maps from nodes in the original graph to nodes
  // in the new graph.

  std::queue<const ExplodedNode*> WS;
  // Original error node -> its index in 'nodes'.
  typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy;
  IndexMapTy IndexMap;

  for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) {
    const ExplodedNode *originalNode = nodes[nodeIndex];
    if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) {
      WS.push(N);
      IndexMap[originalNode] = nodeIndex;
    }
  }

  assert(!WS.empty() && "No error node found in the trimmed graph.");

  // Create a new (third!) graph with a single path.  This is the graph
  // that will be returned to the caller.
  ExplodedGraph *GNew = new ExplodedGraph();

  // Sometimes the trimmed graph can contain a cycle.  Perform a reverse BFS
  // to the root node, and then construct a new graph that contains only
  // a single path.
  // Node -> order in which the reverse BFS first reached it.
  llvm::DenseMap<const void*,unsigned> Visited;

  unsigned cnt = 0;
  const ExplodedNode *Root = 0;

  while (!WS.empty()) {
    const ExplodedNode *Node = WS.front();
    WS.pop();

    // Already numbered; this is what keeps a cycle from looping forever.
    if (Visited.find(Node) != Visited.end())
      continue;

    Visited[Node] = cnt++;

    if (Node->pred_empty()) {
      Root = Node;
      break;
    }

    for (ExplodedNode::const_pred_iterator I=Node->pred_begin(),
         E=Node->pred_end(); I!=E; ++I)
      WS.push(*I);
  }

  assert(Root);

  // Now walk from the root down the BFS path, always taking the successor
  // with the lowest number.
  ExplodedNode *Last = 0, *First = 0;
  NodeBackMap *BM = new NodeBackMap();
  unsigned NodeIndex = 0;

  for ( const ExplodedNode *N = Root ;;) {
    // Lookup the number associated with the current node.
    llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N);
    assert(I != Visited.end());

    // Create the equivalent node in the new graph with the same state
    // and location.
    ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState());

    // Store the mapping to the original node.
    llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N);
    assert(IMitr != InverseMap.end() && "No mapping to original node.");
    // InverseMap stores untyped pointers, hence the cast back to a node.
    (*BM)[NewN] = (const ExplodedNode*) IMitr->second;

    // Link up the new node with the previous node.
    if (Last)
      NewN->addPredecessor(Last, *GNew);

    Last = NewN;

    // Are we at the final node?
    IndexMapTy::iterator IMI =
      IndexMap.find((const ExplodedNode*)(IMitr->second));
    if (IMI != IndexMap.end()) {
      First = NewN;
      NodeIndex = IMI->second;
      break;
    }

    // Find the next successor node.  We choose the node that is marked
    // with the lowest visitation number assigned by the reverse BFS above.
    ExplodedNode::const_succ_iterator SI = N->succ_begin();
    ExplodedNode::const_succ_iterator SE = N->succ_end();
    N = 0;

    for (unsigned MinVal = 0; SI != SE; ++SI) {

      I = Visited.find(*SI);

      // Successors the reverse BFS never reached are not on a path to an
      // error node.
      if (I == Visited.end())
        continue;

      // '!N' accepts the first visited successor whatever MinVal holds.
      if (!N || I->second < MinVal) {
        N = *SI;
        MinVal = I->second;
      }
    }

    assert(N);
  }

  assert(First);

  return std::make_pair(std::make_pair(GNew, BM),
                        std::make_pair(First, NodeIndex));
}
1755
1756 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object
1757 /// and collapses PathDiagnosticPieces that are expanded by macros.
static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) {
  // Rewrites 'path' in place. Pieces located in a file are kept as they are;
  // consecutive pieces located in the same macro expansion are grouped under
  // one PathDiagnosticMacroPiece. Paths nested inside call pieces are
  // compacted recursively.

  // Stack of (macro group, expansion location) for the groups currently open.
  typedef std::vector<std::pair<IntrusiveRefCntPtr<PathDiagnosticMacroPiece>,
                                SourceLocation> > MacroStackTy;

  // The new top-level sequence of pieces, in original order.
  typedef std::vector<IntrusiveRefCntPtr<PathDiagnosticPiece> >
          PiecesTy;

  MacroStackTy MacroStack;
  PiecesTy Pieces;

  for (PathPieces::const_iterator I = path.begin(), E = path.end();
       I!=E; ++I) {

    PathDiagnosticPiece *piece = I->getPtr();

    // Recursively compact calls.
    if (PathDiagnosticCallPiece *call=dyn_cast<PathDiagnosticCallPiece>(piece)){
      CompactPathDiagnostic(call->path, SM);
    }

    // Get the location of the PathDiagnosticPiece.
    const FullSourceLoc Loc = piece->getLocation().asLocation();

    // Determine the instantiation location, which is the location we group
    // related PathDiagnosticPieces.
    SourceLocation InstantiationLoc = Loc.isMacroID() ?
                                      SM.getExpansionLoc(Loc) :
                                      SourceLocation();

    // A piece outside any macro closes all open macro groups.
    if (Loc.isFileID()) {
      MacroStack.clear();
      Pieces.push_back(piece);
      continue;
    }

    assert(Loc.isMacroID());

    // Is the PathDiagnosticPiece within the same macro group?
    if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) {
      MacroStack.back().first->subPieces.push_back(piece);
      continue;
    }

    // We aren't in the same group.  Are we descending into a new macro
    // or are part of an old one?
    IntrusiveRefCntPtr<PathDiagnosticMacroPiece> MacroGroup;

    // NOTE(review): this is computed from Loc, not from InstantiationLoc, so
    // whenever the condition holds it equals InstantiationLoc - confirm that
    // this is the intended "parent" location.
    SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ?
                                          SM.getExpansionLoc(Loc) :
                                          SourceLocation();

    // Walk the entire macro stack.
    while (!MacroStack.empty()) {
      if (InstantiationLoc == MacroStack.back().second) {
        MacroGroup = MacroStack.back().first;
        break;
      }

      if (ParentInstantiationLoc == MacroStack.back().second) {
        MacroGroup = MacroStack.back().first;
        break;
      }

      MacroStack.pop_back();
    }

    // MacroStack.back() is only evaluated when MacroGroup is set, i.e. when
    // the loop above stopped on a match and left the stack non-empty.
    if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) {
      // Create a new macro group and add it to the stack.
      PathDiagnosticMacroPiece *NewGroup =
        new PathDiagnosticMacroPiece(
          PathDiagnosticLocation::createSingleLocation(piece->getLocation()));

      if (MacroGroup)
        MacroGroup->subPieces.push_back(NewGroup);
      else {
        assert(InstantiationLoc.isFileID());
        Pieces.push_back(NewGroup);
      }

      MacroGroup = NewGroup;
      MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc));
    }

    // Finally, add the PathDiagnosticPiece to the group.
    MacroGroup->subPieces.push_back(piece);
  }

  // Now take the pieces and construct a new PathDiagnostic.
  // 'Pieces' holds ref-counted pointers, so the pieces stay alive across the
  // clear() below.
  path.clear();

  for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I)
    path.push_back(*I);
}
1851
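/// Generates the path diagnostic for an equivalence class of bug reports.
///
/// A single-path graph is built from the reports' error nodes, the report
/// that owns the chosen error node is selected, and the path is generated with
/// the scheme requested by the builder (extensive or minimal). Generation is
/// repeated until a pass leaves the report's configuration-change token
/// untouched, because visitors may mark further symbols or regions as
/// interesting, or register further visitors, while running. Finally the path
/// is pruned if the report asks for it.
///
/// \param PD          diagnostic to fill in; its path is reset on each pass.
/// \param PC          consumer the diagnostic is generated for.
/// \param bugReports  reports of one equivalence class; must not be empty
///                    (checked by assertion only).
void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD,
                        PathDiagnosticConsumer &PC,
                        ArrayRef<BugReport *> &bugReports) {

  assert(!bugReports.empty());
  SmallVector<const ExplodedNode *, 10> errorNodes;
  for (ArrayRef<BugReport*>::iterator I = bugReports.begin(),
    E = bugReports.end(); I != E; ++I) {
      errorNodes.push_back((*I)->getErrorNode());
  }

  // Construct a new graph that contains only a single path from the error
  // node to a root.
  const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>,
  std::pair<ExplodedNode*, unsigned> >&
    GPair = MakeReportGraph(&getGraph(), errorNodes);

  // Find the BugReport with the original location.
  assert(GPair.second.second < bugReports.size());
  BugReport *R = bugReports[GPair.second.second];
  assert(R && "No original report found for sliced graph.");

  // MakeReportGraph returns raw owning pointers; take ownership right away so
  // both are released on every exit from this function.
  OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first);
  OwningPtr<NodeBackMap> BackMap(GPair.first.second);
  const ExplodedNode *N = GPair.second.first;

  // Start building the path diagnostic...
  PathDiagnosticBuilder PDB(*this, R, BackMap.get(), &PC);

  // Register additional node visitors. addVisitor() takes ownership of the
  // pointers (and deletes duplicates).
  R->addVisitor(new NilReceiverBRVisitor());
  R->addVisitor(new ConditionBRVisitor());

  BugReport::VisitorList visitors;
  unsigned originalReportConfigToken, finalReportConfigToken;

  // While generating diagnostics, it's possible the visitors will decide
  // new symbols and regions are interesting, or add other visitors based on
  // the information they find. If they do, we need to regenerate the path
  // based on our new report configuration.
  do {
    // Get a clean copy of all the visitors. The clones are owned by this
    // function and must be deleted on every way out of the loop body.
    for (BugReport::visitor_iterator I = R->visitor_begin(),
                                     E = R->visitor_end(); I != E; ++I)
       visitors.push_back((*I)->clone());

    // Clear out the active path from any previous work.
    PD.resetPath();
    originalReportConfigToken = R->getConfigurationChangeToken();

    // Generate the very last diagnostic piece - the piece is visible before
    // the trace is expanded.
    PathDiagnosticPiece *LastPiece = 0;
    for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end();
         I != E; ++I) {
      if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) {
        assert (!LastPiece &&
                "There can only be one final piece in a diagnostic.");
        LastPiece = Piece;
      }
    }
    if (!LastPiece)
      LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R);
    if (!LastPiece) {
      // No end-of-path piece: give up on this diagnostic. Release the visitor
      // clones first; this early return used to leak them.
      llvm::DeleteContainerPointers(visitors);
      return;
    }
    PD.setEndOfPath(LastPiece);

    switch (PDB.getGenerationScheme()) {
    case PathDiagnosticConsumer::Extensive:
      GenerateExtensivePathDiagnostic(PD, PDB, N, visitors);
      break;
    case PathDiagnosticConsumer::Minimal:
      GenerateMinimalPathDiagnostic(PD, PDB, N, visitors);
      break;
    case PathDiagnosticConsumer::None:
      llvm_unreachable("PathDiagnosticConsumer::None should never appear here");
    }

    // Clean up the visitors we used.
    llvm::DeleteContainerPointers(visitors);

    // Did anything change while generating this path?
    finalReportConfigToken = R->getConfigurationChangeToken();
  } while(finalReportConfigToken != originalReportConfigToken);

  // Finally, prune the diagnostic path of uninteresting stuff.
  if (R->shouldPrunePath()) {
    bool hasSomethingInteresting = RemoveUneededCalls(PD.getMutablePieces(), R);
    assert(hasSomethingInteresting);
    // Keeps the variable "used" when assertions are compiled out.
    (void) hasSomethingInteresting;
  }
}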
1945
/// Record \p BT in the reporter's set of known bug types.
///
/// The result of F.add() replaces BugTypes, so the previous value is not
/// modified in place (presumably a persistent set; confirm against the
/// declarations of F and BugTypes).
void BugReporter::Register(BugType *BT) {
  BugTypes = F.add(BugTypes, BT);
}
1949
/// File \p R under the equivalence class that matches its profile.
///
/// The report's bug type is registered first. If a class with the same
/// FoldingSetNodeID already exists the report is appended to it; otherwise a
/// new class is allocated, inserted into EQClasses and appended to
/// EQClassesVector.
///
/// NOTE(review): \p R is stored, not copied, so the caller presumably gives up
/// ownership here; confirm against BugReportEquivClass.
void BugReporter::EmitReport(BugReport* R) {
  // The profile of the report is the key of its equivalence class.
  llvm::FoldingSetNodeID Profile;
  R->Profile(Profile);

  BugType& Type = R->getBugType();
  Register(&Type);

  // Look up the equivalence class; InsertPos receives the slot to use when
  // there is none yet.
  void *InsertPos;
  if (BugReportEquivClass *Existing =
        EQClasses.FindNodeOrInsertPos(Profile, InsertPos)) {
    Existing->AddReport(R);
    return;
  }

  // First report with this profile: create the class and track it in both
  // containers.
  BugReportEquivClass *Fresh = new BugReportEquivClass(R);
  EQClasses.InsertNode(Fresh, InsertPos);
  EQClassesVector.push_back(Fresh);
}
1969
1970
1971 //===----------------------------------------------------------------------===//
1972 // Emitting reports in equivalence classes.
1973 //===----------------------------------------------------------------------===//
1974
namespace {
/// Worklist entry for the depth-first search in FindReportInEquivalenceClass:
/// a node together with the cursor over its successors.
struct FRIEC_WLItem {
  const ExplodedNode *N;                     // node being expanded
  ExplodedNode::const_succ_iterator I, E;    // next successor to look at, end

  // Deliberately not 'explicit': the search pushes bare node pointers onto
  // the worklist and relies on the implicit conversion.
  FRIEC_WLItem(const ExplodedNode *n)
    : N(n), I(n->succ_begin()), E(n->succ_end()) {}
};
}
1984
/// Choose a representative report for \p EQ and collect the reports that
/// should be shown.
///
/// When the bug type does not suppress on sinks, every report with a non-null
/// error node is appended to \p bugReports and the last such report is
/// returned; if no report has an error node, the first report of the class is
/// returned and \p bugReports is left untouched.
///
/// When the bug type does suppress on sinks, a report is appended only if a
/// depth-first walk from its error node reaches an end-of-path node that is
/// not a sink (or the error node itself has no successors). The first report
/// that qualifies is returned.
///
/// \param EQ          Equivalence class to inspect; must not be empty.
/// \param bugReports  Output list of reports to display.
/// \return The representative report, or null when suppression applies and
///         every report is post-dominated by sinks.
static BugReport *
FindReportInEquivalenceClass(BugReportEquivClass& EQ,
                             SmallVectorImpl<BugReport*> &bugReports) {

  BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end();
  // NOTE(review): emptiness is checked by assert only; with asserts compiled
  // out the dereference below would be unchecked.
  assert(I != E);
  BugType& BT = I->getBugType();

  // If we don't need to suppress any of the nodes because they are
  // post-dominated by a sink, simply add all the reports in the equivalence
  // class to 'bugReports'.  Any of the reports will serve as a
  // "representative" report.
  if (!BT.isSuppressOnSink()) {
    // Default to the first report; replaced by each report that has an error
    // node, so the last such report wins.
    BugReport *R = I;
    for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) {
      const ExplodedNode *N = I->getErrorNode();
      if (N) {
        R = I;
        bugReports.push_back(R);
      }
    }
    return R;
  }

  // For bug reports that should be suppressed when all paths are post-dominated
  // by a sink node, iterate through the reports in the equivalence class
  // until we find one that isn't post-dominated (if one exists).  We use a
  // DFS traversal of the ExplodedGraph to find a non-sink node.  We could write
  // this as a recursive function, but we don't want to risk blowing out the
  // stack for very long paths.
  BugReport *exampleReport = 0;

  for (; I != E; ++I) {
    const ExplodedNode *errorNode = I->getErrorNode();

    // Reports without an error node are skipped.
    if (!errorNode)
      continue;
    if (errorNode->isSink()) {
      llvm_unreachable(
           "BugType::isSuppressSink() should not be 'true' for sink end nodes");
    }
    // No successors?  By definition this node isn't post-dominated by a sink.
    if (errorNode->succ_empty()) {
      bugReports.push_back(I);
      if (!exampleReport)
        exampleReport = I;
      continue;
    }

    // At this point we know that 'errorNode' is not a sink and it has at
    // least one successor.  Use a DFS worklist to find a non-sink end-of-path
    // node.
    typedef FRIEC_WLItem WLItem;
    typedef SmallVector<WLItem, 10> DFSWorkList;
    // Nodes already pushed onto the worklist; a non-zero value means seen.
    llvm::DenseMap<const ExplodedNode *, unsigned> Visited;

    DFSWorkList WL;
    // Implicitly converts the node pointer into a WLItem.
    WL.push_back(errorNode);
    Visited[errorNode] = 1;

    while (!WL.empty()) {
      WLItem &WI = WL.back();
      // Only nodes with successors are ever pushed.
      assert(!WI.N->succ_empty());

      // Resume this item's successor cursor where the last visit stopped.
      for (; WI.I != WI.E; ++WI.I) {
        const ExplodedNode *Succ = *WI.I;
        // End-of-path node?
        if (Succ->succ_empty()) {
          // If we found an end-of-path node that is not a sink.
          if (!Succ->isSink()) {
            bugReports.push_back(I);
            if (!exampleReport)
              exampleReport = I;
            // Emptying the worklist ends the search for this report.
            WL.clear();
            break;
          }
          // Found a sink?  Continue on to the next successor.
          continue;
        }
        // Mark the successor as visited.  If it hasn't been explored,
        // enqueue it to the DFS worklist.
        unsigned &mark = Visited[Succ];
        if (!mark) {
          mark = 1;
          // Descend: the cursor is not advanced here, so this successor is
          // seen again (and skipped as visited) once the child is popped.
          WL.push_back(Succ);
          break;
        }
      }

      // The worklist may have been cleared at this point.  First
      // check if it is empty before checking the last item.
      // WI is only compared by address here: if a child was pushed, the back
      // of the worklist is the child and this item stays for a later visit;
      // otherwise all successors of WI are exhausted and it is popped.
      if (!WL.empty() && &WL.back() == &WI)
        WL.pop_back();
    }
  }

  // ExampleReport will be NULL if all the nodes in the equivalence class
  // were post-dominated by sinks.
  return exampleReport;
}
2083
/// Emit the diagnostics for one equivalence class to every registered
/// path diagnostic consumer.
///
/// Nothing is emitted when FindReportInEquivalenceClass returns no
/// representative report.
void BugReporter::FlushReport(BugReportEquivClass& EQ) {
  SmallVector<BugReport*, 10> bugReports;
  BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports);
  if (!exampleReport)
    return;

  // Each consumer gets its own diagnostic built from the same reports.
  const PathDiagnosticConsumers &Consumers = getPathDiagnosticConsumers();
  PathDiagnosticConsumers::const_iterator CI = Consumers.begin();
  PathDiagnosticConsumers::const_iterator CE = Consumers.end();
  while (CI != CE) {
    FlushReport(exampleReport, **CI, bugReports);
    ++CI;
  }
}
2095
/// Build a PathDiagnostic for \p exampleReport and hand it to \p PD.
///
/// \param exampleReport  Report supplying the declaration, bug type name,
///                       descriptions, location, ranges and extra text.
/// \param PD             Consumer that receives the finished diagnostic.
/// \param bugReports     Reports passed on to GeneratePathDiagnostic; may be
///                       empty, in which case no path is generated.
///
/// Ownership of the diagnostic is released to PD.HandlePathDiagnostic().
void BugReporter::FlushReport(BugReport *exampleReport,
                              PathDiagnosticConsumer &PD,
                              ArrayRef<BugReport*> bugReports) {

  // FIXME: Make sure we use the 'R' for the path that was actually used.
  // Probably doesn't make a difference in practice.
  BugType& BT = exampleReport->getBugType();

  OwningPtr<PathDiagnostic>
    Diag(new PathDiagnostic(exampleReport->getDeclWithIssue(),
                            exampleReport->getBugType().getName(),
                            exampleReport->getDescription(),
                            exampleReport->getShortDescription(/*Fallback=*/false),
                            BT.getCategory()));

  // Generate the full path diagnostic, using the generation scheme
  // specified by the PathDiagnosticConsumer. Skipped for the 'None' scheme
  // and when there are no reports to build a path from.
  if (PD.getGenerationScheme() != PathDiagnosticConsumer::None &&
      !bugReports.empty())
    GeneratePathDiagnostic(*Diag, PD, bugReports);

  // If the path is empty, generate a single step path with the location
  // of the issue.
  if (Diag->path.empty()) {
    PathDiagnosticLocation IssueLoc =
      exampleReport->getLocation(getSourceManager());
    PathDiagnosticPiece *EventPiece =
      new PathDiagnosticEventPiece(IssueLoc, exampleReport->getDescription());

    // Copy the report's source ranges onto the single piece.
    BugReport::ranges_iterator RI, RE;
    llvm::tie(RI, RE) = exampleReport->getRanges();
    while (RI != RE) {
      EventPiece->addRange(*RI);
      ++RI;
    }
    Diag->setEndOfPath(EventPiece);
  }

  // Get the meta data.
  const BugReport::ExtraTextList &ExtraText = exampleReport->getExtraText();
  BugReport::ExtraTextList::const_iterator MI = ExtraText.begin();
  BugReport::ExtraTextList::const_iterator ME = ExtraText.end();
  for (; MI != ME; ++MI)
    Diag->addMeta(*MI);

  PD.HandlePathDiagnostic(Diag.take());
}
2140
/// Create a report from plain strings and a location, then emit it.
///
/// \param DeclWithIssue  Declaration recorded on the report.
/// \param name           Bug type name, used with \p category to find or
///                       create the BugType.
/// \param category       Bug type category.
/// \param str            Report description.
/// \param Loc            Location of the issue.
/// \param RBeg           First of \p NumRanges source ranges to attach.
/// \param NumRanges      Number of ranges readable through \p RBeg.
///
/// \p RBeg is read \p NumRanges times with no bounds information available
/// here, so the caller must guarantee that many valid elements; \p RBeg is
/// not dereferenced when \p NumRanges is zero.
void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
                                  StringRef name,
                                  StringRef category,
                                  StringRef str, PathDiagnosticLocation Loc,
                                  SourceRange* RBeg, unsigned NumRanges) {

  // 'BT' is owned by BugReporter.
  BugType *BT = getBugTypeForName(name, category);

  BugReport *Report = new BugReport(*BT, str, Loc);
  Report->setDeclWithIssue(DeclWithIssue);
  for (unsigned Idx = 0; Idx != NumRanges; ++Idx)
    Report->addRange(RBeg[Idx]);

  EmitReport(Report);
}
2154
/// Return the BugType cached for (\p name, \p category), creating and caching
/// it on first use.
///
/// The cache key is the text "name:category".
/// NOTE(review): the key is not unambiguous when either part contains ':'
/// ("a:b" + "c" and "a" + "b:c" give the same key), in which case the second
/// lookup returns the BugType built for the first pair. Confirm that callers
/// never pass such strings.
BugType *BugReporter::getBugTypeForName(StringRef name,
                                        StringRef category) {
  SmallString<136> fullDesc;
  {
    // Scoped so the stream is destroyed before the buffer is read.
    llvm::raw_svector_ostream KeyStream(fullDesc);
    KeyStream << name << ":" << category;
  }

  llvm::StringMapEntry<BugType *> &
      entry = StrBugTypes.GetOrCreateValue(fullDesc);

  // A fresh entry holds a null pointer until a BugType is stored in it.
  if (BugType *Cached = entry.getValue())
    return Cached;

  BugType *Created = new BugType(name, category);
  entry.setValue(Created);
  return Created;
}
2168