1 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file defines BugReporter, a utility class for generating
11 // PathDiagnostics.
12 //
13 //===----------------------------------------------------------------------===//
14
15 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
16 #include "clang/AST/ASTContext.h"
17 #include "clang/AST/DeclObjC.h"
18 #include "clang/AST/Expr.h"
19 #include "clang/AST/ExprCXX.h"
20 #include "clang/AST/ParentMap.h"
21 #include "clang/AST/StmtCXX.h"
22 #include "clang/AST/StmtObjC.h"
23 #include "clang/Analysis/CFG.h"
24 #include "clang/Analysis/ProgramPoint.h"
25 #include "clang/Basic/SourceManager.h"
26 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
27 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
28 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
29 #include "llvm/ADT/DenseMap.h"
30 #include "llvm/ADT/IntrusiveRefCntPtr.h"
31 #include "llvm/ADT/STLExtras.h"
32 #include "llvm/ADT/SmallString.h"
33 #include "llvm/ADT/Statistic.h"
34 #include "llvm/Support/raw_ostream.h"
35 #include <memory>
36 #include <queue>
37
38 using namespace clang;
39 using namespace ento;
40
41 #define DEBUG_TYPE "BugReporter"
42
43 STATISTIC(MaxBugClassSize,
44 "The maximum number of bug reports in the same equivalence class");
45 STATISTIC(MaxValidBugClassSize,
46 "The maximum number of bug reports in the same equivalence class "
47 "where at least one report is valid (not suppressed)");
48
~BugReporterVisitor()49 BugReporterVisitor::~BugReporterVisitor() {}
50
anchor()51 void BugReporterContext::anchor() {}
52
53 //===----------------------------------------------------------------------===//
54 // Helper routines for walking the ExplodedGraph and fetching statements.
55 //===----------------------------------------------------------------------===//
56
GetPreviousStmt(const ExplodedNode * N)57 static const Stmt *GetPreviousStmt(const ExplodedNode *N) {
58 for (N = N->getFirstPred(); N; N = N->getFirstPred())
59 if (const Stmt *S = PathDiagnosticLocation::getStmt(N))
60 return S;
61
62 return nullptr;
63 }
64
65 static inline const Stmt*
GetCurrentOrPreviousStmt(const ExplodedNode * N)66 GetCurrentOrPreviousStmt(const ExplodedNode *N) {
67 if (const Stmt *S = PathDiagnosticLocation::getStmt(N))
68 return S;
69
70 return GetPreviousStmt(N);
71 }
72
73 //===----------------------------------------------------------------------===//
74 // Diagnostic cleanup.
75 //===----------------------------------------------------------------------===//
76
77 static PathDiagnosticEventPiece *
eventsDescribeSameCondition(PathDiagnosticEventPiece * X,PathDiagnosticEventPiece * Y)78 eventsDescribeSameCondition(PathDiagnosticEventPiece *X,
79 PathDiagnosticEventPiece *Y) {
80 // Prefer diagnostics that come from ConditionBRVisitor over
81 // those that came from TrackConstraintBRVisitor.
82 const void *tagPreferred = ConditionBRVisitor::getTag();
83 const void *tagLesser = TrackConstraintBRVisitor::getTag();
84
85 if (X->getLocation() != Y->getLocation())
86 return nullptr;
87
88 if (X->getTag() == tagPreferred && Y->getTag() == tagLesser)
89 return X;
90
91 if (Y->getTag() == tagPreferred && X->getTag() == tagLesser)
92 return Y;
93
94 return nullptr;
95 }
96
97 /// An optimization pass over PathPieces that removes redundant diagnostics
98 /// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both
99 /// BugReporterVisitors use different methods to generate diagnostics, with
100 /// one capable of emitting diagnostics in some cases but not in others. This
101 /// can lead to redundant diagnostic pieces at the same point in a path.
removeRedundantMsgs(PathPieces & path)102 static void removeRedundantMsgs(PathPieces &path) {
103 unsigned N = path.size();
104 if (N < 2)
105 return;
106 // NOTE: this loop intentionally is not using an iterator. Instead, we
107 // are streaming the path and modifying it in place. This is done by
108 // grabbing the front, processing it, and if we decide to keep it append
109 // it to the end of the path. The entire path is processed in this way.
110 for (unsigned i = 0; i < N; ++i) {
111 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(path.front());
112 path.pop_front();
113
114 switch (piece->getKind()) {
115 case clang::ento::PathDiagnosticPiece::Call:
116 removeRedundantMsgs(cast<PathDiagnosticCallPiece>(piece)->path);
117 break;
118 case clang::ento::PathDiagnosticPiece::Macro:
119 removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(piece)->subPieces);
120 break;
121 case clang::ento::PathDiagnosticPiece::ControlFlow:
122 break;
123 case clang::ento::PathDiagnosticPiece::Event: {
124 if (i == N-1)
125 break;
126
127 if (PathDiagnosticEventPiece *nextEvent =
128 dyn_cast<PathDiagnosticEventPiece>(path.front().get())) {
129 PathDiagnosticEventPiece *event =
130 cast<PathDiagnosticEventPiece>(piece);
131 // Check to see if we should keep one of the two pieces. If we
132 // come up with a preference, record which piece to keep, and consume
133 // another piece from the path.
134 if (PathDiagnosticEventPiece *pieceToKeep =
135 eventsDescribeSameCondition(event, nextEvent)) {
136 piece = pieceToKeep;
137 path.pop_front();
138 ++i;
139 }
140 }
141 break;
142 }
143 }
144 path.push_back(piece);
145 }
146 }
147
148 /// A map from PathDiagnosticPiece to the LocationContext of the inlined
149 /// function call it represents.
150 typedef llvm::DenseMap<const PathPieces *, const LocationContext *>
151 LocationContextMap;
152
153 /// Recursively scan through a path and prune out calls and macros pieces
154 /// that aren't needed. Return true if afterwards the path contains
155 /// "interesting stuff" which means it shouldn't be pruned from the parent path.
removeUnneededCalls(PathPieces & pieces,BugReport * R,LocationContextMap & LCM)156 static bool removeUnneededCalls(PathPieces &pieces, BugReport *R,
157 LocationContextMap &LCM) {
158 bool containsSomethingInteresting = false;
159 const unsigned N = pieces.size();
160
161 for (unsigned i = 0 ; i < N ; ++i) {
162 // Remove the front piece from the path. If it is still something we
163 // want to keep once we are done, we will push it back on the end.
164 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(pieces.front());
165 pieces.pop_front();
166
167 switch (piece->getKind()) {
168 case PathDiagnosticPiece::Call: {
169 PathDiagnosticCallPiece *call = cast<PathDiagnosticCallPiece>(piece);
170 // Check if the location context is interesting.
171 assert(LCM.count(&call->path));
172 if (R->isInteresting(LCM[&call->path])) {
173 containsSomethingInteresting = true;
174 break;
175 }
176
177 if (!removeUnneededCalls(call->path, R, LCM))
178 continue;
179
180 containsSomethingInteresting = true;
181 break;
182 }
183 case PathDiagnosticPiece::Macro: {
184 PathDiagnosticMacroPiece *macro = cast<PathDiagnosticMacroPiece>(piece);
185 if (!removeUnneededCalls(macro->subPieces, R, LCM))
186 continue;
187 containsSomethingInteresting = true;
188 break;
189 }
190 case PathDiagnosticPiece::Event: {
191 PathDiagnosticEventPiece *event = cast<PathDiagnosticEventPiece>(piece);
192
193 // We never throw away an event, but we do throw it away wholesale
194 // as part of a path if we throw the entire path away.
195 containsSomethingInteresting |= !event->isPrunable();
196 break;
197 }
198 case PathDiagnosticPiece::ControlFlow:
199 break;
200 }
201
202 pieces.push_back(piece);
203 }
204
205 return containsSomethingInteresting;
206 }
207
208 /// Returns true if the given decl has been implicitly given a body, either by
209 /// the analyzer or by the compiler proper.
hasImplicitBody(const Decl * D)210 static bool hasImplicitBody(const Decl *D) {
211 assert(D);
212 return D->isImplicit() || !D->hasBody();
213 }
214
215 /// Recursively scan through a path and make sure that all call pieces have
216 /// valid locations.
217 static void
adjustCallLocations(PathPieces & Pieces,PathDiagnosticLocation * LastCallLocation=nullptr)218 adjustCallLocations(PathPieces &Pieces,
219 PathDiagnosticLocation *LastCallLocation = nullptr) {
220 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E; ++I) {
221 PathDiagnosticCallPiece *Call = dyn_cast<PathDiagnosticCallPiece>(*I);
222
223 if (!Call) {
224 assert((*I)->getLocation().asLocation().isValid());
225 continue;
226 }
227
228 if (LastCallLocation) {
229 bool CallerIsImplicit = hasImplicitBody(Call->getCaller());
230 if (CallerIsImplicit || !Call->callEnter.asLocation().isValid())
231 Call->callEnter = *LastCallLocation;
232 if (CallerIsImplicit || !Call->callReturn.asLocation().isValid())
233 Call->callReturn = *LastCallLocation;
234 }
235
236 // Recursively clean out the subclass. Keep this call around if
237 // it contains any informative diagnostics.
238 PathDiagnosticLocation *ThisCallLocation;
239 if (Call->callEnterWithin.asLocation().isValid() &&
240 !hasImplicitBody(Call->getCallee()))
241 ThisCallLocation = &Call->callEnterWithin;
242 else
243 ThisCallLocation = &Call->callEnter;
244
245 assert(ThisCallLocation && "Outermost call has an invalid location");
246 adjustCallLocations(Call->path, ThisCallLocation);
247 }
248 }
249
250 /// Remove edges in and out of C++ default initializer expressions. These are
251 /// for fields that have in-class initializers, as opposed to being initialized
252 /// explicitly in a constructor or braced list.
removeEdgesToDefaultInitializers(PathPieces & Pieces)253 static void removeEdgesToDefaultInitializers(PathPieces &Pieces) {
254 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) {
255 if (PathDiagnosticCallPiece *C = dyn_cast<PathDiagnosticCallPiece>(*I))
256 removeEdgesToDefaultInitializers(C->path);
257
258 if (PathDiagnosticMacroPiece *M = dyn_cast<PathDiagnosticMacroPiece>(*I))
259 removeEdgesToDefaultInitializers(M->subPieces);
260
261 if (PathDiagnosticControlFlowPiece *CF =
262 dyn_cast<PathDiagnosticControlFlowPiece>(*I)) {
263 const Stmt *Start = CF->getStartLocation().asStmt();
264 const Stmt *End = CF->getEndLocation().asStmt();
265 if (Start && isa<CXXDefaultInitExpr>(Start)) {
266 I = Pieces.erase(I);
267 continue;
268 } else if (End && isa<CXXDefaultInitExpr>(End)) {
269 PathPieces::iterator Next = std::next(I);
270 if (Next != E) {
271 if (PathDiagnosticControlFlowPiece *NextCF =
272 dyn_cast<PathDiagnosticControlFlowPiece>(*Next)) {
273 NextCF->setStartLocation(CF->getStartLocation());
274 }
275 }
276 I = Pieces.erase(I);
277 continue;
278 }
279 }
280
281 I++;
282 }
283 }
284
285 /// Remove all pieces with invalid locations as these cannot be serialized.
286 /// We might have pieces with invalid locations as a result of inlining Body
287 /// Farm generated functions.
removePiecesWithInvalidLocations(PathPieces & Pieces)288 static void removePiecesWithInvalidLocations(PathPieces &Pieces) {
289 for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) {
290 if (PathDiagnosticCallPiece *C = dyn_cast<PathDiagnosticCallPiece>(*I))
291 removePiecesWithInvalidLocations(C->path);
292
293 if (PathDiagnosticMacroPiece *M = dyn_cast<PathDiagnosticMacroPiece>(*I))
294 removePiecesWithInvalidLocations(M->subPieces);
295
296 if (!(*I)->getLocation().isValid() ||
297 !(*I)->getLocation().asLocation().isValid()) {
298 I = Pieces.erase(I);
299 continue;
300 }
301 I++;
302 }
303 }
304
305 //===----------------------------------------------------------------------===//
306 // PathDiagnosticBuilder and its associated routines and helper objects.
307 //===----------------------------------------------------------------------===//
308
309 namespace {
310 class NodeMapClosure : public BugReport::NodeResolver {
311 InterExplodedGraphMap &M;
312 public:
NodeMapClosure(InterExplodedGraphMap & m)313 NodeMapClosure(InterExplodedGraphMap &m) : M(m) {}
314
getOriginalNode(const ExplodedNode * N)315 const ExplodedNode *getOriginalNode(const ExplodedNode *N) override {
316 return M.lookup(N);
317 }
318 };
319
320 class PathDiagnosticBuilder : public BugReporterContext {
321 BugReport *R;
322 PathDiagnosticConsumer *PDC;
323 NodeMapClosure NMC;
324 public:
325 const LocationContext *LC;
326
PathDiagnosticBuilder(GRBugReporter & br,BugReport * r,InterExplodedGraphMap & Backmap,PathDiagnosticConsumer * pdc)327 PathDiagnosticBuilder(GRBugReporter &br,
328 BugReport *r, InterExplodedGraphMap &Backmap,
329 PathDiagnosticConsumer *pdc)
330 : BugReporterContext(br),
331 R(r), PDC(pdc), NMC(Backmap), LC(r->getErrorNode()->getLocationContext())
332 {}
333
334 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N);
335
336 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os,
337 const ExplodedNode *N);
338
getBugReport()339 BugReport *getBugReport() { return R; }
340
getCodeDecl()341 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); }
342
getParentMap()343 ParentMap& getParentMap() { return LC->getParentMap(); }
344
getParent(const Stmt * S)345 const Stmt *getParent(const Stmt *S) {
346 return getParentMap().getParent(S);
347 }
348
getNodeResolver()349 NodeMapClosure& getNodeResolver() override { return NMC; }
350
351 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S);
352
getGenerationScheme() const353 PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const {
354 return PDC ? PDC->getGenerationScheme() : PathDiagnosticConsumer::Extensive;
355 }
356
supportsLogicalOpControlFlow() const357 bool supportsLogicalOpControlFlow() const {
358 return PDC ? PDC->supportsLogicalOpControlFlow() : true;
359 }
360 };
361 } // end anonymous namespace
362
363 PathDiagnosticLocation
ExecutionContinues(const ExplodedNode * N)364 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) {
365 if (const Stmt *S = PathDiagnosticLocation::getNextStmt(N))
366 return PathDiagnosticLocation(S, getSourceManager(), LC);
367
368 return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(),
369 getSourceManager());
370 }
371
372 PathDiagnosticLocation
ExecutionContinues(llvm::raw_string_ostream & os,const ExplodedNode * N)373 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os,
374 const ExplodedNode *N) {
375
376 // Slow, but probably doesn't matter.
377 if (os.str().empty())
378 os << ' ';
379
380 const PathDiagnosticLocation &Loc = ExecutionContinues(N);
381
382 if (Loc.asStmt())
383 os << "Execution continues on line "
384 << getSourceManager().getExpansionLineNumber(Loc.asLocation())
385 << '.';
386 else {
387 os << "Execution jumps to the end of the ";
388 const Decl *D = N->getLocationContext()->getDecl();
389 if (isa<ObjCMethodDecl>(D))
390 os << "method";
391 else if (isa<FunctionDecl>(D))
392 os << "function";
393 else {
394 assert(isa<BlockDecl>(D));
395 os << "anonymous block";
396 }
397 os << '.';
398 }
399
400 return Loc;
401 }
402
getEnclosingParent(const Stmt * S,const ParentMap & PM)403 static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) {
404 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S)))
405 return PM.getParentIgnoreParens(S);
406
407 const Stmt *Parent = PM.getParentIgnoreParens(S);
408 if (!Parent)
409 return nullptr;
410
411 switch (Parent->getStmtClass()) {
412 case Stmt::ForStmtClass:
413 case Stmt::DoStmtClass:
414 case Stmt::WhileStmtClass:
415 case Stmt::ObjCForCollectionStmtClass:
416 case Stmt::CXXForRangeStmtClass:
417 return Parent;
418 default:
419 break;
420 }
421
422 return nullptr;
423 }
424
425 static PathDiagnosticLocation
getEnclosingStmtLocation(const Stmt * S,SourceManager & SMgr,const ParentMap & P,const LocationContext * LC,bool allowNestedContexts)426 getEnclosingStmtLocation(const Stmt *S, SourceManager &SMgr, const ParentMap &P,
427 const LocationContext *LC, bool allowNestedContexts) {
428 if (!S)
429 return PathDiagnosticLocation();
430
431 while (const Stmt *Parent = getEnclosingParent(S, P)) {
432 switch (Parent->getStmtClass()) {
433 case Stmt::BinaryOperatorClass: {
434 const BinaryOperator *B = cast<BinaryOperator>(Parent);
435 if (B->isLogicalOp())
436 return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC);
437 break;
438 }
439 case Stmt::CompoundStmtClass:
440 case Stmt::StmtExprClass:
441 return PathDiagnosticLocation(S, SMgr, LC);
442 case Stmt::ChooseExprClass:
443 // Similar to '?' if we are referring to condition, just have the edge
444 // point to the entire choose expression.
445 if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S)
446 return PathDiagnosticLocation(Parent, SMgr, LC);
447 else
448 return PathDiagnosticLocation(S, SMgr, LC);
449 case Stmt::BinaryConditionalOperatorClass:
450 case Stmt::ConditionalOperatorClass:
451 // For '?', if we are referring to condition, just have the edge point
452 // to the entire '?' expression.
453 if (allowNestedContexts ||
454 cast<AbstractConditionalOperator>(Parent)->getCond() == S)
455 return PathDiagnosticLocation(Parent, SMgr, LC);
456 else
457 return PathDiagnosticLocation(S, SMgr, LC);
458 case Stmt::CXXForRangeStmtClass:
459 if (cast<CXXForRangeStmt>(Parent)->getBody() == S)
460 return PathDiagnosticLocation(S, SMgr, LC);
461 break;
462 case Stmt::DoStmtClass:
463 return PathDiagnosticLocation(S, SMgr, LC);
464 case Stmt::ForStmtClass:
465 if (cast<ForStmt>(Parent)->getBody() == S)
466 return PathDiagnosticLocation(S, SMgr, LC);
467 break;
468 case Stmt::IfStmtClass:
469 if (cast<IfStmt>(Parent)->getCond() != S)
470 return PathDiagnosticLocation(S, SMgr, LC);
471 break;
472 case Stmt::ObjCForCollectionStmtClass:
473 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S)
474 return PathDiagnosticLocation(S, SMgr, LC);
475 break;
476 case Stmt::WhileStmtClass:
477 if (cast<WhileStmt>(Parent)->getCond() != S)
478 return PathDiagnosticLocation(S, SMgr, LC);
479 break;
480 default:
481 break;
482 }
483
484 S = Parent;
485 }
486
487 assert(S && "Cannot have null Stmt for PathDiagnosticLocation");
488
489 return PathDiagnosticLocation(S, SMgr, LC);
490 }
491
492 PathDiagnosticLocation
getEnclosingStmtLocation(const Stmt * S)493 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) {
494 assert(S && "Null Stmt passed to getEnclosingStmtLocation");
495 return ::getEnclosingStmtLocation(S, getSourceManager(), getParentMap(), LC,
496 /*allowNestedContexts=*/false);
497 }
498
499 //===----------------------------------------------------------------------===//
500 // "Visitors only" path diagnostic generation algorithm.
501 //===----------------------------------------------------------------------===//
GenerateVisitorsOnlyPathDiagnostic(PathDiagnostic & PD,PathDiagnosticBuilder & PDB,const ExplodedNode * N,ArrayRef<BugReporterVisitor * > visitors)502 static bool GenerateVisitorsOnlyPathDiagnostic(PathDiagnostic &PD,
503 PathDiagnosticBuilder &PDB,
504 const ExplodedNode *N,
505 ArrayRef<BugReporterVisitor *> visitors) {
506 // All path generation skips the very first node (the error node).
507 // This is because there is special handling for the end-of-path note.
508 N = N->getFirstPred();
509 if (!N)
510 return true;
511
512 BugReport *R = PDB.getBugReport();
513 while (const ExplodedNode *Pred = N->getFirstPred()) {
514 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(),
515 E = visitors.end();
516 I != E; ++I) {
517 // Visit all the node pairs, but throw the path pieces away.
518 PathDiagnosticPiece *Piece = (*I)->VisitNode(N, Pred, PDB, *R);
519 delete Piece;
520 }
521
522 N = Pred;
523 }
524
525 return R->isValid();
526 }
527
528 //===----------------------------------------------------------------------===//
529 // "Minimal" path diagnostic generation algorithm.
530 //===----------------------------------------------------------------------===//
531 typedef std::pair<PathDiagnosticCallPiece*, const ExplodedNode*> StackDiagPair;
532 typedef SmallVector<StackDiagPair, 6> StackDiagVector;
533
updateStackPiecesWithMessage(PathDiagnosticPiece * P,StackDiagVector & CallStack)534 static void updateStackPiecesWithMessage(PathDiagnosticPiece *P,
535 StackDiagVector &CallStack) {
536 // If the piece contains a special message, add it to all the call
537 // pieces on the active stack.
538 if (PathDiagnosticEventPiece *ep =
539 dyn_cast<PathDiagnosticEventPiece>(P)) {
540
541 if (ep->hasCallStackHint())
542 for (StackDiagVector::iterator I = CallStack.begin(),
543 E = CallStack.end(); I != E; ++I) {
544 PathDiagnosticCallPiece *CP = I->first;
545 const ExplodedNode *N = I->second;
546 std::string stackMsg = ep->getCallStackMessage(N);
547
548 // The last message on the path to final bug is the most important
549 // one. Since we traverse the path backwards, do not add the message
550 // if one has been previously added.
551 if (!CP->hasCallStackMessage())
552 CP->setCallStackMessage(stackMsg);
553 }
554 }
555 }
556
557 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM);
558
GenerateMinimalPathDiagnostic(PathDiagnostic & PD,PathDiagnosticBuilder & PDB,const ExplodedNode * N,LocationContextMap & LCM,ArrayRef<BugReporterVisitor * > visitors)559 static bool GenerateMinimalPathDiagnostic(PathDiagnostic& PD,
560 PathDiagnosticBuilder &PDB,
561 const ExplodedNode *N,
562 LocationContextMap &LCM,
563 ArrayRef<BugReporterVisitor *> visitors) {
564
565 SourceManager& SMgr = PDB.getSourceManager();
566 const LocationContext *LC = PDB.LC;
567 const ExplodedNode *NextNode = N->pred_empty()
568 ? nullptr : *(N->pred_begin());
569
570 StackDiagVector CallStack;
571
572 while (NextNode) {
573 N = NextNode;
574 PDB.LC = N->getLocationContext();
575 NextNode = N->getFirstPred();
576
577 ProgramPoint P = N->getLocation();
578
579 do {
580 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) {
581 PathDiagnosticCallPiece *C =
582 PathDiagnosticCallPiece::construct(N, *CE, SMgr);
583 // Record the mapping from call piece to LocationContext.
584 LCM[&C->path] = CE->getCalleeContext();
585 PD.getActivePath().push_front(C);
586 PD.pushActivePath(&C->path);
587 CallStack.push_back(StackDiagPair(C, N));
588 break;
589 }
590
591 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) {
592 // Flush all locations, and pop the active path.
593 bool VisitedEntireCall = PD.isWithinCall();
594 PD.popActivePath();
595
596 // Either we just added a bunch of stuff to the top-level path, or
597 // we have a previous CallExitEnd. If the former, it means that the
598 // path terminated within a function call. We must then take the
599 // current contents of the active path and place it within
600 // a new PathDiagnosticCallPiece.
601 PathDiagnosticCallPiece *C;
602 if (VisitedEntireCall) {
603 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front());
604 } else {
605 const Decl *Caller = CE->getLocationContext()->getDecl();
606 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller);
607 // Record the mapping from call piece to LocationContext.
608 LCM[&C->path] = CE->getCalleeContext();
609 }
610
611 C->setCallee(*CE, SMgr);
612 if (!CallStack.empty()) {
613 assert(CallStack.back().first == C);
614 CallStack.pop_back();
615 }
616 break;
617 }
618
619 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) {
620 const CFGBlock *Src = BE->getSrc();
621 const CFGBlock *Dst = BE->getDst();
622 const Stmt *T = Src->getTerminator();
623
624 if (!T)
625 break;
626
627 PathDiagnosticLocation Start =
628 PathDiagnosticLocation::createBegin(T, SMgr,
629 N->getLocationContext());
630
631 switch (T->getStmtClass()) {
632 default:
633 break;
634
635 case Stmt::GotoStmtClass:
636 case Stmt::IndirectGotoStmtClass: {
637 const Stmt *S = PathDiagnosticLocation::getNextStmt(N);
638
639 if (!S)
640 break;
641
642 std::string sbuf;
643 llvm::raw_string_ostream os(sbuf);
644 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S);
645
646 os << "Control jumps to line "
647 << End.asLocation().getExpansionLineNumber();
648 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
649 Start, End, os.str()));
650 break;
651 }
652
653 case Stmt::SwitchStmtClass: {
654 // Figure out what case arm we took.
655 std::string sbuf;
656 llvm::raw_string_ostream os(sbuf);
657
658 if (const Stmt *S = Dst->getLabel()) {
659 PathDiagnosticLocation End(S, SMgr, LC);
660
661 switch (S->getStmtClass()) {
662 default:
663 os << "No cases match in the switch statement. "
664 "Control jumps to line "
665 << End.asLocation().getExpansionLineNumber();
666 break;
667 case Stmt::DefaultStmtClass:
668 os << "Control jumps to the 'default' case at line "
669 << End.asLocation().getExpansionLineNumber();
670 break;
671
672 case Stmt::CaseStmtClass: {
673 os << "Control jumps to 'case ";
674 const CaseStmt *Case = cast<CaseStmt>(S);
675 const Expr *LHS = Case->getLHS()->IgnoreParenCasts();
676
677 // Determine if it is an enum.
678 bool GetRawInt = true;
679
680 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) {
681 // FIXME: Maybe this should be an assertion. Are there cases
682 // were it is not an EnumConstantDecl?
683 const EnumConstantDecl *D =
684 dyn_cast<EnumConstantDecl>(DR->getDecl());
685
686 if (D) {
687 GetRawInt = false;
688 os << *D;
689 }
690 }
691
692 if (GetRawInt)
693 os << LHS->EvaluateKnownConstInt(PDB.getASTContext());
694
695 os << ":' at line "
696 << End.asLocation().getExpansionLineNumber();
697 break;
698 }
699 }
700 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
701 Start, End, os.str()));
702 }
703 else {
704 os << "'Default' branch taken. ";
705 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N);
706 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
707 Start, End, os.str()));
708 }
709
710 break;
711 }
712
713 case Stmt::BreakStmtClass:
714 case Stmt::ContinueStmtClass: {
715 std::string sbuf;
716 llvm::raw_string_ostream os(sbuf);
717 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
718 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
719 Start, End, os.str()));
720 break;
721 }
722
723 // Determine control-flow for ternary '?'.
724 case Stmt::BinaryConditionalOperatorClass:
725 case Stmt::ConditionalOperatorClass: {
726 std::string sbuf;
727 llvm::raw_string_ostream os(sbuf);
728 os << "'?' condition is ";
729
730 if (*(Src->succ_begin()+1) == Dst)
731 os << "false";
732 else
733 os << "true";
734
735 PathDiagnosticLocation End = PDB.ExecutionContinues(N);
736
737 if (const Stmt *S = End.asStmt())
738 End = PDB.getEnclosingStmtLocation(S);
739
740 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
741 Start, End, os.str()));
742 break;
743 }
744
745 // Determine control-flow for short-circuited '&&' and '||'.
746 case Stmt::BinaryOperatorClass: {
747 if (!PDB.supportsLogicalOpControlFlow())
748 break;
749
750 const BinaryOperator *B = cast<BinaryOperator>(T);
751 std::string sbuf;
752 llvm::raw_string_ostream os(sbuf);
753 os << "Left side of '";
754
755 if (B->getOpcode() == BO_LAnd) {
756 os << "&&" << "' is ";
757
758 if (*(Src->succ_begin()+1) == Dst) {
759 os << "false";
760 PathDiagnosticLocation End(B->getLHS(), SMgr, LC);
761 PathDiagnosticLocation Start =
762 PathDiagnosticLocation::createOperatorLoc(B, SMgr);
763 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
764 Start, End, os.str()));
765 }
766 else {
767 os << "true";
768 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC);
769 PathDiagnosticLocation End = PDB.ExecutionContinues(N);
770 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
771 Start, End, os.str()));
772 }
773 }
774 else {
775 assert(B->getOpcode() == BO_LOr);
776 os << "||" << "' is ";
777
778 if (*(Src->succ_begin()+1) == Dst) {
779 os << "false";
780 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC);
781 PathDiagnosticLocation End = PDB.ExecutionContinues(N);
782 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
783 Start, End, os.str()));
784 }
785 else {
786 os << "true";
787 PathDiagnosticLocation End(B->getLHS(), SMgr, LC);
788 PathDiagnosticLocation Start =
789 PathDiagnosticLocation::createOperatorLoc(B, SMgr);
790 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
791 Start, End, os.str()));
792 }
793 }
794
795 break;
796 }
797
798 case Stmt::DoStmtClass: {
799 if (*(Src->succ_begin()) == Dst) {
800 std::string sbuf;
801 llvm::raw_string_ostream os(sbuf);
802
803 os << "Loop condition is true. ";
804 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
805
806 if (const Stmt *S = End.asStmt())
807 End = PDB.getEnclosingStmtLocation(S);
808
809 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
810 Start, End, os.str()));
811 }
812 else {
813 PathDiagnosticLocation End = PDB.ExecutionContinues(N);
814
815 if (const Stmt *S = End.asStmt())
816 End = PDB.getEnclosingStmtLocation(S);
817
818 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
819 Start, End, "Loop condition is false. Exiting loop"));
820 }
821
822 break;
823 }
824
825 case Stmt::WhileStmtClass:
826 case Stmt::ForStmtClass: {
827 if (*(Src->succ_begin()+1) == Dst) {
828 std::string sbuf;
829 llvm::raw_string_ostream os(sbuf);
830
831 os << "Loop condition is false. ";
832 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
833 if (const Stmt *S = End.asStmt())
834 End = PDB.getEnclosingStmtLocation(S);
835
836 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
837 Start, End, os.str()));
838 }
839 else {
840 PathDiagnosticLocation End = PDB.ExecutionContinues(N);
841 if (const Stmt *S = End.asStmt())
842 End = PDB.getEnclosingStmtLocation(S);
843
844 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
845 Start, End, "Loop condition is true. Entering loop body"));
846 }
847
848 break;
849 }
850
851 case Stmt::IfStmtClass: {
852 PathDiagnosticLocation End = PDB.ExecutionContinues(N);
853
854 if (const Stmt *S = End.asStmt())
855 End = PDB.getEnclosingStmtLocation(S);
856
857 if (*(Src->succ_begin()+1) == Dst)
858 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
859 Start, End, "Taking false branch"));
860 else
861 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(
862 Start, End, "Taking true branch"));
863
864 break;
865 }
866 }
867 }
868 } while(0);
869
870 if (NextNode) {
871 // Add diagnostic pieces from custom visitors.
872 BugReport *R = PDB.getBugReport();
873 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(),
874 E = visitors.end();
875 I != E; ++I) {
876 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) {
877 PD.getActivePath().push_front(p);
878 updateStackPiecesWithMessage(p, CallStack);
879 }
880 }
881 }
882 }
883
884 if (!PDB.getBugReport()->isValid())
885 return false;
886
887 // After constructing the full PathDiagnostic, do a pass over it to compact
888 // PathDiagnosticPieces that occur within a macro.
889 CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager());
890 return true;
891 }
892
893 //===----------------------------------------------------------------------===//
894 // "Extensive" PathDiagnostic generation.
895 //===----------------------------------------------------------------------===//
896
IsControlFlowExpr(const Stmt * S)897 static bool IsControlFlowExpr(const Stmt *S) {
898 const Expr *E = dyn_cast<Expr>(S);
899
900 if (!E)
901 return false;
902
903 E = E->IgnoreParenCasts();
904
905 if (isa<AbstractConditionalOperator>(E))
906 return true;
907
908 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E))
909 if (B->isLogicalOp())
910 return true;
911
912 return false;
913 }
914
915 namespace {
916 class ContextLocation : public PathDiagnosticLocation {
917 bool IsDead;
918 public:
ContextLocation(const PathDiagnosticLocation & L,bool isdead=false)919 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false)
920 : PathDiagnosticLocation(L), IsDead(isdead) {}
921
markDead()922 void markDead() { IsDead = true; }
isDead() const923 bool isDead() const { return IsDead; }
924 };
925
cleanUpLocation(PathDiagnosticLocation L,const LocationContext * LC,bool firstCharOnly=false)926 static PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L,
927 const LocationContext *LC,
928 bool firstCharOnly = false) {
929 if (const Stmt *S = L.asStmt()) {
930 const Stmt *Original = S;
931 while (1) {
932 // Adjust the location for some expressions that are best referenced
933 // by one of their subexpressions.
934 switch (S->getStmtClass()) {
935 default:
936 break;
937 case Stmt::ParenExprClass:
938 case Stmt::GenericSelectionExprClass:
939 S = cast<Expr>(S)->IgnoreParens();
940 firstCharOnly = true;
941 continue;
942 case Stmt::BinaryConditionalOperatorClass:
943 case Stmt::ConditionalOperatorClass:
944 S = cast<AbstractConditionalOperator>(S)->getCond();
945 firstCharOnly = true;
946 continue;
947 case Stmt::ChooseExprClass:
948 S = cast<ChooseExpr>(S)->getCond();
949 firstCharOnly = true;
950 continue;
951 case Stmt::BinaryOperatorClass:
952 S = cast<BinaryOperator>(S)->getLHS();
953 firstCharOnly = true;
954 continue;
955 }
956
957 break;
958 }
959
960 if (S != Original)
961 L = PathDiagnosticLocation(S, L.getManager(), LC);
962 }
963
964 if (firstCharOnly)
965 L = PathDiagnosticLocation::createSingleLocation(L);
966
967 return L;
968 }
969
970 class EdgeBuilder {
971 std::vector<ContextLocation> CLocs;
972 typedef std::vector<ContextLocation>::iterator iterator;
973 PathDiagnostic &PD;
974 PathDiagnosticBuilder &PDB;
975 PathDiagnosticLocation PrevLoc;
976
977 bool IsConsumedExpr(const PathDiagnosticLocation &L);
978
979 bool containsLocation(const PathDiagnosticLocation &Container,
980 const PathDiagnosticLocation &Containee);
981
982 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L);
983
984
985
popLocation()986 void popLocation() {
987 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) {
988 // For contexts, we only one the first character as the range.
989 rawAddEdge(cleanUpLocation(CLocs.back(), PDB.LC, true));
990 }
991 CLocs.pop_back();
992 }
993
994 public:
EdgeBuilder(PathDiagnostic & pd,PathDiagnosticBuilder & pdb)995 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb)
996 : PD(pd), PDB(pdb) {
997
998 // If the PathDiagnostic already has pieces, add the enclosing statement
999 // of the first piece as a context as well.
1000 if (!PD.path.empty()) {
1001 PrevLoc = (*PD.path.begin())->getLocation();
1002
1003 if (const Stmt *S = PrevLoc.asStmt())
1004 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
1005 }
1006 }
1007
~EdgeBuilder()1008 ~EdgeBuilder() {
1009 while (!CLocs.empty()) popLocation();
1010
1011 // Finally, add an initial edge from the start location of the first
1012 // statement (if it doesn't already exist).
1013 PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin(
1014 PDB.LC,
1015 PDB.getSourceManager());
1016 if (L.isValid())
1017 rawAddEdge(L);
1018 }
1019
flushLocations()1020 void flushLocations() {
1021 while (!CLocs.empty())
1022 popLocation();
1023 PrevLoc = PathDiagnosticLocation();
1024 }
1025
1026 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false,
1027 bool IsPostJump = false);
1028
1029 void rawAddEdge(PathDiagnosticLocation NewLoc);
1030
1031 void addContext(const Stmt *S);
1032 void addContext(const PathDiagnosticLocation &L);
1033 void addExtendedContext(const Stmt *S);
1034 };
1035 } // end anonymous namespace
1036
1037
1038 PathDiagnosticLocation
getContextLocation(const PathDiagnosticLocation & L)1039 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) {
1040 if (const Stmt *S = L.asStmt()) {
1041 if (IsControlFlowExpr(S))
1042 return L;
1043
1044 return PDB.getEnclosingStmtLocation(S);
1045 }
1046
1047 return L;
1048 }
1049
containsLocation(const PathDiagnosticLocation & Container,const PathDiagnosticLocation & Containee)1050 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container,
1051 const PathDiagnosticLocation &Containee) {
1052
1053 if (Container == Containee)
1054 return true;
1055
1056 if (Container.asDecl())
1057 return true;
1058
1059 if (const Stmt *S = Containee.asStmt())
1060 if (const Stmt *ContainerS = Container.asStmt()) {
1061 while (S) {
1062 if (S == ContainerS)
1063 return true;
1064 S = PDB.getParent(S);
1065 }
1066 return false;
1067 }
1068
1069 // Less accurate: compare using source ranges.
1070 SourceRange ContainerR = Container.asRange();
1071 SourceRange ContaineeR = Containee.asRange();
1072
1073 SourceManager &SM = PDB.getSourceManager();
1074 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin());
1075 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd());
1076 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin());
1077 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd());
1078
1079 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg);
1080 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd);
1081 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg);
1082 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd);
1083
1084 assert(ContainerBegLine <= ContainerEndLine);
1085 assert(ContaineeBegLine <= ContaineeEndLine);
1086
1087 return (ContainerBegLine <= ContaineeBegLine &&
1088 ContainerEndLine >= ContaineeEndLine &&
1089 (ContainerBegLine != ContaineeBegLine ||
1090 SM.getExpansionColumnNumber(ContainerRBeg) <=
1091 SM.getExpansionColumnNumber(ContaineeRBeg)) &&
1092 (ContainerEndLine != ContaineeEndLine ||
1093 SM.getExpansionColumnNumber(ContainerREnd) >=
1094 SM.getExpansionColumnNumber(ContaineeREnd)));
1095 }
1096
rawAddEdge(PathDiagnosticLocation NewLoc)1097 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) {
1098 if (!PrevLoc.isValid()) {
1099 PrevLoc = NewLoc;
1100 return;
1101 }
1102
1103 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc, PDB.LC);
1104 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc, PDB.LC);
1105
1106 if (PrevLocClean.asLocation().isInvalid()) {
1107 PrevLoc = NewLoc;
1108 return;
1109 }
1110
1111 if (NewLocClean.asLocation() == PrevLocClean.asLocation())
1112 return;
1113
1114 // FIXME: Ignore intra-macro edges for now.
1115 if (NewLocClean.asLocation().getExpansionLoc() ==
1116 PrevLocClean.asLocation().getExpansionLoc())
1117 return;
1118
1119 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean));
1120 PrevLoc = NewLoc;
1121 }
1122
addEdge(PathDiagnosticLocation NewLoc,bool alwaysAdd,bool IsPostJump)1123 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd,
1124 bool IsPostJump) {
1125
1126 if (!alwaysAdd && NewLoc.asLocation().isMacroID())
1127 return;
1128
1129 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc);
1130
1131 while (!CLocs.empty()) {
1132 ContextLocation &TopContextLoc = CLocs.back();
1133
1134 // Is the top location context the same as the one for the new location?
1135 if (TopContextLoc == CLoc) {
1136 if (alwaysAdd) {
1137 if (IsConsumedExpr(TopContextLoc))
1138 TopContextLoc.markDead();
1139
1140 rawAddEdge(NewLoc);
1141 }
1142
1143 if (IsPostJump)
1144 TopContextLoc.markDead();
1145 return;
1146 }
1147
1148 if (containsLocation(TopContextLoc, CLoc)) {
1149 if (alwaysAdd) {
1150 rawAddEdge(NewLoc);
1151
1152 if (IsConsumedExpr(CLoc)) {
1153 CLocs.push_back(ContextLocation(CLoc, /*IsDead=*/true));
1154 return;
1155 }
1156 }
1157
1158 CLocs.push_back(ContextLocation(CLoc, /*IsDead=*/IsPostJump));
1159 return;
1160 }
1161
1162 // Context does not contain the location. Flush it.
1163 popLocation();
1164 }
1165
1166 // If we reach here, there is no enclosing context. Just add the edge.
1167 rawAddEdge(NewLoc);
1168 }
1169
IsConsumedExpr(const PathDiagnosticLocation & L)1170 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) {
1171 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt()))
1172 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X);
1173
1174 return false;
1175 }
1176
addExtendedContext(const Stmt * S)1177 void EdgeBuilder::addExtendedContext(const Stmt *S) {
1178 if (!S)
1179 return;
1180
1181 const Stmt *Parent = PDB.getParent(S);
1182 while (Parent) {
1183 if (isa<CompoundStmt>(Parent))
1184 Parent = PDB.getParent(Parent);
1185 else
1186 break;
1187 }
1188
1189 if (Parent) {
1190 switch (Parent->getStmtClass()) {
1191 case Stmt::DoStmtClass:
1192 case Stmt::ObjCAtSynchronizedStmtClass:
1193 addContext(Parent);
1194 default:
1195 break;
1196 }
1197 }
1198
1199 addContext(S);
1200 }
1201
addContext(const Stmt * S)1202 void EdgeBuilder::addContext(const Stmt *S) {
1203 if (!S)
1204 return;
1205
1206 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.LC);
1207 addContext(L);
1208 }
1209
addContext(const PathDiagnosticLocation & L)1210 void EdgeBuilder::addContext(const PathDiagnosticLocation &L) {
1211 while (!CLocs.empty()) {
1212 const PathDiagnosticLocation &TopContextLoc = CLocs.back();
1213
1214 // Is the top location context the same as the one for the new location?
1215 if (TopContextLoc == L)
1216 return;
1217
1218 if (containsLocation(TopContextLoc, L)) {
1219 CLocs.push_back(L);
1220 return;
1221 }
1222
1223 // Context does not contain the location. Flush it.
1224 popLocation();
1225 }
1226
1227 CLocs.push_back(L);
1228 }
1229
1230 // Cone-of-influence: support the reverse propagation of "interesting" symbols
1231 // and values by tracing interesting calculations backwards through evaluated
1232 // expressions along a path. This is probably overly complicated, but the idea
1233 // is that if an expression computed an "interesting" value, the child
1234 // expressions are are also likely to be "interesting" as well (which then
1235 // propagates to the values they in turn compute). This reverse propagation
1236 // is needed to track interesting correlations across function call boundaries,
1237 // where formal arguments bind to actual arguments, etc. This is also needed
1238 // because the constraint solver sometimes simplifies certain symbolic values
1239 // into constants when appropriate, and this complicates reasoning about
1240 // interesting values.
1241 typedef llvm::DenseSet<const Expr *> InterestingExprs;
1242
reversePropagateIntererstingSymbols(BugReport & R,InterestingExprs & IE,const ProgramState * State,const Expr * Ex,const LocationContext * LCtx)1243 static void reversePropagateIntererstingSymbols(BugReport &R,
1244 InterestingExprs &IE,
1245 const ProgramState *State,
1246 const Expr *Ex,
1247 const LocationContext *LCtx) {
1248 SVal V = State->getSVal(Ex, LCtx);
1249 if (!(R.isInteresting(V) || IE.count(Ex)))
1250 return;
1251
1252 switch (Ex->getStmtClass()) {
1253 default:
1254 if (!isa<CastExpr>(Ex))
1255 break;
1256 // Fall through.
1257 case Stmt::BinaryOperatorClass:
1258 case Stmt::UnaryOperatorClass: {
1259 for (Stmt::const_child_iterator CI = Ex->child_begin(),
1260 CE = Ex->child_end();
1261 CI != CE; ++CI) {
1262 if (const Expr *child = dyn_cast_or_null<Expr>(*CI)) {
1263 IE.insert(child);
1264 SVal ChildV = State->getSVal(child, LCtx);
1265 R.markInteresting(ChildV);
1266 }
1267 }
1268 break;
1269 }
1270 }
1271
1272 R.markInteresting(V);
1273 }
1274
reversePropagateInterestingSymbols(BugReport & R,InterestingExprs & IE,const ProgramState * State,const LocationContext * CalleeCtx,const LocationContext * CallerCtx)1275 static void reversePropagateInterestingSymbols(BugReport &R,
1276 InterestingExprs &IE,
1277 const ProgramState *State,
1278 const LocationContext *CalleeCtx,
1279 const LocationContext *CallerCtx)
1280 {
1281 // FIXME: Handle non-CallExpr-based CallEvents.
1282 const StackFrameContext *Callee = CalleeCtx->getCurrentStackFrame();
1283 const Stmt *CallSite = Callee->getCallSite();
1284 if (const CallExpr *CE = dyn_cast_or_null<CallExpr>(CallSite)) {
1285 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeCtx->getDecl())) {
1286 FunctionDecl::param_const_iterator PI = FD->param_begin(),
1287 PE = FD->param_end();
1288 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end();
1289 for (; AI != AE && PI != PE; ++AI, ++PI) {
1290 if (const Expr *ArgE = *AI) {
1291 if (const ParmVarDecl *PD = *PI) {
1292 Loc LV = State->getLValue(PD, CalleeCtx);
1293 if (R.isInteresting(LV) || R.isInteresting(State->getRawSVal(LV)))
1294 IE.insert(ArgE);
1295 }
1296 }
1297 }
1298 }
1299 }
1300 }
1301
1302 //===----------------------------------------------------------------------===//
1303 // Functions for determining if a loop was executed 0 times.
1304 //===----------------------------------------------------------------------===//
1305
isLoop(const Stmt * Term)1306 static bool isLoop(const Stmt *Term) {
1307 switch (Term->getStmtClass()) {
1308 case Stmt::ForStmtClass:
1309 case Stmt::WhileStmtClass:
1310 case Stmt::ObjCForCollectionStmtClass:
1311 case Stmt::CXXForRangeStmtClass:
1312 return true;
1313 default:
1314 // Note that we intentionally do not include do..while here.
1315 return false;
1316 }
1317 }
1318
isJumpToFalseBranch(const BlockEdge * BE)1319 static bool isJumpToFalseBranch(const BlockEdge *BE) {
1320 const CFGBlock *Src = BE->getSrc();
1321 assert(Src->succ_size() == 2);
1322 return (*(Src->succ_begin()+1) == BE->getDst());
1323 }
1324
1325 /// Return true if the terminator is a loop and the destination is the
1326 /// false branch.
isLoopJumpPastBody(const Stmt * Term,const BlockEdge * BE)1327 static bool isLoopJumpPastBody(const Stmt *Term, const BlockEdge *BE) {
1328 if (!isLoop(Term))
1329 return false;
1330
1331 // Did we take the false branch?
1332 return isJumpToFalseBranch(BE);
1333 }
1334
isContainedByStmt(ParentMap & PM,const Stmt * S,const Stmt * SubS)1335 static bool isContainedByStmt(ParentMap &PM, const Stmt *S, const Stmt *SubS) {
1336 while (SubS) {
1337 if (SubS == S)
1338 return true;
1339 SubS = PM.getParent(SubS);
1340 }
1341 return false;
1342 }
1343
getStmtBeforeCond(ParentMap & PM,const Stmt * Term,const ExplodedNode * N)1344 static const Stmt *getStmtBeforeCond(ParentMap &PM, const Stmt *Term,
1345 const ExplodedNode *N) {
1346 while (N) {
1347 Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>();
1348 if (SP) {
1349 const Stmt *S = SP->getStmt();
1350 if (!isContainedByStmt(PM, Term, S))
1351 return S;
1352 }
1353 N = N->getFirstPred();
1354 }
1355 return nullptr;
1356 }
1357
isInLoopBody(ParentMap & PM,const Stmt * S,const Stmt * Term)1358 static bool isInLoopBody(ParentMap &PM, const Stmt *S, const Stmt *Term) {
1359 const Stmt *LoopBody = nullptr;
1360 switch (Term->getStmtClass()) {
1361 case Stmt::CXXForRangeStmtClass: {
1362 const CXXForRangeStmt *FR = cast<CXXForRangeStmt>(Term);
1363 if (isContainedByStmt(PM, FR->getInc(), S))
1364 return true;
1365 if (isContainedByStmt(PM, FR->getLoopVarStmt(), S))
1366 return true;
1367 LoopBody = FR->getBody();
1368 break;
1369 }
1370 case Stmt::ForStmtClass: {
1371 const ForStmt *FS = cast<ForStmt>(Term);
1372 if (isContainedByStmt(PM, FS->getInc(), S))
1373 return true;
1374 LoopBody = FS->getBody();
1375 break;
1376 }
1377 case Stmt::ObjCForCollectionStmtClass: {
1378 const ObjCForCollectionStmt *FC = cast<ObjCForCollectionStmt>(Term);
1379 LoopBody = FC->getBody();
1380 break;
1381 }
1382 case Stmt::WhileStmtClass:
1383 LoopBody = cast<WhileStmt>(Term)->getBody();
1384 break;
1385 default:
1386 return false;
1387 }
1388 return isContainedByStmt(PM, LoopBody, S);
1389 }
1390
1391 //===----------------------------------------------------------------------===//
1392 // Top-level logic for generating extensive path diagnostics.
1393 //===----------------------------------------------------------------------===//
1394
GenerateExtensivePathDiagnostic(PathDiagnostic & PD,PathDiagnosticBuilder & PDB,const ExplodedNode * N,LocationContextMap & LCM,ArrayRef<BugReporterVisitor * > visitors)1395 static bool GenerateExtensivePathDiagnostic(PathDiagnostic& PD,
1396 PathDiagnosticBuilder &PDB,
1397 const ExplodedNode *N,
1398 LocationContextMap &LCM,
1399 ArrayRef<BugReporterVisitor *> visitors) {
1400 EdgeBuilder EB(PD, PDB);
1401 const SourceManager& SM = PDB.getSourceManager();
1402 StackDiagVector CallStack;
1403 InterestingExprs IE;
1404
1405 const ExplodedNode *NextNode = N->pred_empty() ? nullptr : *(N->pred_begin());
1406 while (NextNode) {
1407 N = NextNode;
1408 NextNode = N->getFirstPred();
1409 ProgramPoint P = N->getLocation();
1410
1411 do {
1412 if (Optional<PostStmt> PS = P.getAs<PostStmt>()) {
1413 if (const Expr *Ex = PS->getStmtAs<Expr>())
1414 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE,
1415 N->getState().get(), Ex,
1416 N->getLocationContext());
1417 }
1418
1419 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) {
1420 const Stmt *S = CE->getCalleeContext()->getCallSite();
1421 if (const Expr *Ex = dyn_cast_or_null<Expr>(S)) {
1422 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE,
1423 N->getState().get(), Ex,
1424 N->getLocationContext());
1425 }
1426
1427 PathDiagnosticCallPiece *C =
1428 PathDiagnosticCallPiece::construct(N, *CE, SM);
1429 LCM[&C->path] = CE->getCalleeContext();
1430
1431 EB.addEdge(C->callReturn, /*AlwaysAdd=*/true, /*IsPostJump=*/true);
1432 EB.flushLocations();
1433
1434 PD.getActivePath().push_front(C);
1435 PD.pushActivePath(&C->path);
1436 CallStack.push_back(StackDiagPair(C, N));
1437 break;
1438 }
1439
1440 // Pop the call hierarchy if we are done walking the contents
1441 // of a function call.
1442 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) {
1443 // Add an edge to the start of the function.
1444 const Decl *D = CE->getCalleeContext()->getDecl();
1445 PathDiagnosticLocation pos =
1446 PathDiagnosticLocation::createBegin(D, SM);
1447 EB.addEdge(pos);
1448
1449 // Flush all locations, and pop the active path.
1450 bool VisitedEntireCall = PD.isWithinCall();
1451 EB.flushLocations();
1452 PD.popActivePath();
1453 PDB.LC = N->getLocationContext();
1454
1455 // Either we just added a bunch of stuff to the top-level path, or
1456 // we have a previous CallExitEnd. If the former, it means that the
1457 // path terminated within a function call. We must then take the
1458 // current contents of the active path and place it within
1459 // a new PathDiagnosticCallPiece.
1460 PathDiagnosticCallPiece *C;
1461 if (VisitedEntireCall) {
1462 C = cast<PathDiagnosticCallPiece>(PD.getActivePath().front());
1463 } else {
1464 const Decl *Caller = CE->getLocationContext()->getDecl();
1465 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller);
1466 LCM[&C->path] = CE->getCalleeContext();
1467 }
1468
1469 C->setCallee(*CE, SM);
1470 EB.addContext(C->getLocation());
1471
1472 if (!CallStack.empty()) {
1473 assert(CallStack.back().first == C);
1474 CallStack.pop_back();
1475 }
1476 break;
1477 }
1478
1479 // Note that is important that we update the LocationContext
1480 // after looking at CallExits. CallExit basically adds an
1481 // edge in the *caller*, so we don't want to update the LocationContext
1482 // too soon.
1483 PDB.LC = N->getLocationContext();
1484
1485 // Block edges.
1486 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) {
1487 // Does this represent entering a call? If so, look at propagating
1488 // interesting symbols across call boundaries.
1489 if (NextNode) {
1490 const LocationContext *CallerCtx = NextNode->getLocationContext();
1491 const LocationContext *CalleeCtx = PDB.LC;
1492 if (CallerCtx != CalleeCtx) {
1493 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE,
1494 N->getState().get(),
1495 CalleeCtx, CallerCtx);
1496 }
1497 }
1498
1499 // Are we jumping to the head of a loop? Add a special diagnostic.
1500 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) {
1501 PathDiagnosticLocation L(Loop, SM, PDB.LC);
1502 const CompoundStmt *CS = nullptr;
1503
1504 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
1505 CS = dyn_cast<CompoundStmt>(FS->getBody());
1506 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop))
1507 CS = dyn_cast<CompoundStmt>(WS->getBody());
1508
1509 PathDiagnosticEventPiece *p =
1510 new PathDiagnosticEventPiece(L,
1511 "Looping back to the head of the loop");
1512 p->setPrunable(true);
1513
1514 EB.addEdge(p->getLocation(), true);
1515 PD.getActivePath().push_front(p);
1516
1517 if (CS) {
1518 PathDiagnosticLocation BL =
1519 PathDiagnosticLocation::createEndBrace(CS, SM);
1520 EB.addEdge(BL);
1521 }
1522 }
1523
1524 const CFGBlock *BSrc = BE->getSrc();
1525 ParentMap &PM = PDB.getParentMap();
1526
1527 if (const Stmt *Term = BSrc->getTerminator()) {
1528 // Are we jumping past the loop body without ever executing the
1529 // loop (because the condition was false)?
1530 if (isLoopJumpPastBody(Term, &*BE) &&
1531 !isInLoopBody(PM,
1532 getStmtBeforeCond(PM,
1533 BSrc->getTerminatorCondition(),
1534 N),
1535 Term)) {
1536 PathDiagnosticLocation L(Term, SM, PDB.LC);
1537 PathDiagnosticEventPiece *PE =
1538 new PathDiagnosticEventPiece(L, "Loop body executed 0 times");
1539 PE->setPrunable(true);
1540
1541 EB.addEdge(PE->getLocation(), true);
1542 PD.getActivePath().push_front(PE);
1543 }
1544
1545 // In any case, add the terminator as the current statement
1546 // context for control edges.
1547 EB.addContext(Term);
1548 }
1549
1550 break;
1551 }
1552
1553 if (Optional<BlockEntrance> BE = P.getAs<BlockEntrance>()) {
1554 Optional<CFGElement> First = BE->getFirstElement();
1555 if (Optional<CFGStmt> S = First ? First->getAs<CFGStmt>() : None) {
1556 const Stmt *stmt = S->getStmt();
1557 if (IsControlFlowExpr(stmt)) {
1558 // Add the proper context for '&&', '||', and '?'.
1559 EB.addContext(stmt);
1560 }
1561 else
1562 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt());
1563 }
1564
1565 break;
1566 }
1567
1568
1569 } while (0);
1570
1571 if (!NextNode)
1572 continue;
1573
1574 // Add pieces from custom visitors.
1575 BugReport *R = PDB.getBugReport();
1576 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(),
1577 E = visitors.end();
1578 I != E; ++I) {
1579 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) {
1580 const PathDiagnosticLocation &Loc = p->getLocation();
1581 EB.addEdge(Loc, true);
1582 PD.getActivePath().push_front(p);
1583 updateStackPiecesWithMessage(p, CallStack);
1584
1585 if (const Stmt *S = Loc.asStmt())
1586 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
1587 }
1588 }
1589 }
1590
1591 return PDB.getBugReport()->isValid();
1592 }
1593
1594 /// \brief Adds a sanitized control-flow diagnostic edge to a path.
addEdgeToPath(PathPieces & path,PathDiagnosticLocation & PrevLoc,PathDiagnosticLocation NewLoc,const LocationContext * LC)1595 static void addEdgeToPath(PathPieces &path,
1596 PathDiagnosticLocation &PrevLoc,
1597 PathDiagnosticLocation NewLoc,
1598 const LocationContext *LC) {
1599 if (!NewLoc.isValid())
1600 return;
1601
1602 SourceLocation NewLocL = NewLoc.asLocation();
1603 if (NewLocL.isInvalid())
1604 return;
1605
1606 if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) {
1607 PrevLoc = NewLoc;
1608 return;
1609 }
1610
1611 // Ignore self-edges, which occur when there are multiple nodes at the same
1612 // statement.
1613 if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt())
1614 return;
1615
1616 path.push_front(new PathDiagnosticControlFlowPiece(NewLoc,
1617 PrevLoc));
1618 PrevLoc = NewLoc;
1619 }
1620
1621 /// A customized wrapper for CFGBlock::getTerminatorCondition()
1622 /// which returns the element for ObjCForCollectionStmts.
getTerminatorCondition(const CFGBlock * B)1623 static const Stmt *getTerminatorCondition(const CFGBlock *B) {
1624 const Stmt *S = B->getTerminatorCondition();
1625 if (const ObjCForCollectionStmt *FS =
1626 dyn_cast_or_null<ObjCForCollectionStmt>(S))
1627 return FS->getElement();
1628 return S;
1629 }
1630
1631 static const char StrEnteringLoop[] = "Entering loop body";
1632 static const char StrLoopBodyZero[] = "Loop body executed 0 times";
1633 static const char StrLoopRangeEmpty[] =
1634 "Loop body skipped when range is empty";
1635 static const char StrLoopCollectionEmpty[] =
1636 "Loop body skipped when collection is empty";
1637
1638 static bool
GenerateAlternateExtensivePathDiagnostic(PathDiagnostic & PD,PathDiagnosticBuilder & PDB,const ExplodedNode * N,LocationContextMap & LCM,ArrayRef<BugReporterVisitor * > visitors)1639 GenerateAlternateExtensivePathDiagnostic(PathDiagnostic& PD,
1640 PathDiagnosticBuilder &PDB,
1641 const ExplodedNode *N,
1642 LocationContextMap &LCM,
1643 ArrayRef<BugReporterVisitor *> visitors) {
1644
1645 BugReport *report = PDB.getBugReport();
1646 const SourceManager& SM = PDB.getSourceManager();
1647 StackDiagVector CallStack;
1648 InterestingExprs IE;
1649
1650 PathDiagnosticLocation PrevLoc = PD.getLocation();
1651
1652 const ExplodedNode *NextNode = N->getFirstPred();
1653 while (NextNode) {
1654 N = NextNode;
1655 NextNode = N->getFirstPred();
1656 ProgramPoint P = N->getLocation();
1657
1658 do {
1659 // Have we encountered an entrance to a call? It may be
1660 // the case that we have not encountered a matching
1661 // call exit before this point. This means that the path
1662 // terminated within the call itself.
1663 if (Optional<CallEnter> CE = P.getAs<CallEnter>()) {
1664 // Add an edge to the start of the function.
1665 const StackFrameContext *CalleeLC = CE->getCalleeContext();
1666 const Decl *D = CalleeLC->getDecl();
1667 addEdgeToPath(PD.getActivePath(), PrevLoc,
1668 PathDiagnosticLocation::createBegin(D, SM),
1669 CalleeLC);
1670
1671 // Did we visit an entire call?
1672 bool VisitedEntireCall = PD.isWithinCall();
1673 PD.popActivePath();
1674
1675 PathDiagnosticCallPiece *C;
1676 if (VisitedEntireCall) {
1677 PathDiagnosticPiece *P = PD.getActivePath().front().get();
1678 C = cast<PathDiagnosticCallPiece>(P);
1679 } else {
1680 const Decl *Caller = CE->getLocationContext()->getDecl();
1681 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller);
1682
1683 // Since we just transferred the path over to the call piece,
1684 // reset the mapping from active to location context.
1685 assert(PD.getActivePath().size() == 1 &&
1686 PD.getActivePath().front() == C);
1687 LCM[&PD.getActivePath()] = nullptr;
1688
1689 // Record the location context mapping for the path within
1690 // the call.
1691 assert(LCM[&C->path] == nullptr ||
1692 LCM[&C->path] == CE->getCalleeContext());
1693 LCM[&C->path] = CE->getCalleeContext();
1694
1695 // If this is the first item in the active path, record
1696 // the new mapping from active path to location context.
1697 const LocationContext *&NewLC = LCM[&PD.getActivePath()];
1698 if (!NewLC)
1699 NewLC = N->getLocationContext();
1700
1701 PDB.LC = NewLC;
1702 }
1703 C->setCallee(*CE, SM);
1704
1705 // Update the previous location in the active path.
1706 PrevLoc = C->getLocation();
1707
1708 if (!CallStack.empty()) {
1709 assert(CallStack.back().first == C);
1710 CallStack.pop_back();
1711 }
1712 break;
1713 }
1714
1715 // Query the location context here and the previous location
1716 // as processing CallEnter may change the active path.
1717 PDB.LC = N->getLocationContext();
1718
1719 // Record the mapping from the active path to the location
1720 // context.
1721 assert(!LCM[&PD.getActivePath()] ||
1722 LCM[&PD.getActivePath()] == PDB.LC);
1723 LCM[&PD.getActivePath()] = PDB.LC;
1724
1725 // Have we encountered an exit from a function call?
1726 if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) {
1727 const Stmt *S = CE->getCalleeContext()->getCallSite();
1728 // Propagate the interesting symbols accordingly.
1729 if (const Expr *Ex = dyn_cast_or_null<Expr>(S)) {
1730 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE,
1731 N->getState().get(), Ex,
1732 N->getLocationContext());
1733 }
1734
1735 // We are descending into a call (backwards). Construct
1736 // a new call piece to contain the path pieces for that call.
1737 PathDiagnosticCallPiece *C =
1738 PathDiagnosticCallPiece::construct(N, *CE, SM);
1739
1740 // Record the location context for this call piece.
1741 LCM[&C->path] = CE->getCalleeContext();
1742
1743 // Add the edge to the return site.
1744 addEdgeToPath(PD.getActivePath(), PrevLoc, C->callReturn, PDB.LC);
1745 PD.getActivePath().push_front(C);
1746 PrevLoc.invalidate();
1747
1748 // Make the contents of the call the active path for now.
1749 PD.pushActivePath(&C->path);
1750 CallStack.push_back(StackDiagPair(C, N));
1751 break;
1752 }
1753
1754 if (Optional<PostStmt> PS = P.getAs<PostStmt>()) {
1755 // For expressions, make sure we propagate the
1756 // interesting symbols correctly.
1757 if (const Expr *Ex = PS->getStmtAs<Expr>())
1758 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE,
1759 N->getState().get(), Ex,
1760 N->getLocationContext());
1761
1762 // Add an edge. If this is an ObjCForCollectionStmt do
1763 // not add an edge here as it appears in the CFG both
1764 // as a terminator and as a terminator condition.
1765 if (!isa<ObjCForCollectionStmt>(PS->getStmt())) {
1766 PathDiagnosticLocation L =
1767 PathDiagnosticLocation(PS->getStmt(), SM, PDB.LC);
1768 addEdgeToPath(PD.getActivePath(), PrevLoc, L, PDB.LC);
1769 }
1770 break;
1771 }
1772
1773 // Block edges.
1774 if (Optional<BlockEdge> BE = P.getAs<BlockEdge>()) {
1775 // Does this represent entering a call? If so, look at propagating
1776 // interesting symbols across call boundaries.
1777 if (NextNode) {
1778 const LocationContext *CallerCtx = NextNode->getLocationContext();
1779 const LocationContext *CalleeCtx = PDB.LC;
1780 if (CallerCtx != CalleeCtx) {
1781 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE,
1782 N->getState().get(),
1783 CalleeCtx, CallerCtx);
1784 }
1785 }
1786
1787 // Are we jumping to the head of a loop? Add a special diagnostic.
1788 if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) {
1789 PathDiagnosticLocation L(Loop, SM, PDB.LC);
1790 const Stmt *Body = nullptr;
1791
1792 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
1793 Body = FS->getBody();
1794 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop))
1795 Body = WS->getBody();
1796 else if (const ObjCForCollectionStmt *OFS =
1797 dyn_cast<ObjCForCollectionStmt>(Loop)) {
1798 Body = OFS->getBody();
1799 } else if (const CXXForRangeStmt *FRS =
1800 dyn_cast<CXXForRangeStmt>(Loop)) {
1801 Body = FRS->getBody();
1802 }
1803 // do-while statements are explicitly excluded here
1804
1805 PathDiagnosticEventPiece *p =
1806 new PathDiagnosticEventPiece(L, "Looping back to the head "
1807 "of the loop");
1808 p->setPrunable(true);
1809
1810 addEdgeToPath(PD.getActivePath(), PrevLoc, p->getLocation(), PDB.LC);
1811 PD.getActivePath().push_front(p);
1812
1813 if (const CompoundStmt *CS = dyn_cast_or_null<CompoundStmt>(Body)) {
1814 addEdgeToPath(PD.getActivePath(), PrevLoc,
1815 PathDiagnosticLocation::createEndBrace(CS, SM),
1816 PDB.LC);
1817 }
1818 }
1819
1820 const CFGBlock *BSrc = BE->getSrc();
1821 ParentMap &PM = PDB.getParentMap();
1822
1823 if (const Stmt *Term = BSrc->getTerminator()) {
1824 // Are we jumping past the loop body without ever executing the
1825 // loop (because the condition was false)?
1826 if (isLoop(Term)) {
1827 const Stmt *TermCond = getTerminatorCondition(BSrc);
1828 bool IsInLoopBody =
1829 isInLoopBody(PM, getStmtBeforeCond(PM, TermCond, N), Term);
1830
1831 const char *str = nullptr;
1832
1833 if (isJumpToFalseBranch(&*BE)) {
1834 if (!IsInLoopBody) {
1835 if (isa<ObjCForCollectionStmt>(Term)) {
1836 str = StrLoopCollectionEmpty;
1837 } else if (isa<CXXForRangeStmt>(Term)) {
1838 str = StrLoopRangeEmpty;
1839 } else {
1840 str = StrLoopBodyZero;
1841 }
1842 }
1843 } else {
1844 str = StrEnteringLoop;
1845 }
1846
1847 if (str) {
1848 PathDiagnosticLocation L(TermCond ? TermCond : Term, SM, PDB.LC);
1849 PathDiagnosticEventPiece *PE =
1850 new PathDiagnosticEventPiece(L, str);
1851 PE->setPrunable(true);
1852 addEdgeToPath(PD.getActivePath(), PrevLoc,
1853 PE->getLocation(), PDB.LC);
1854 PD.getActivePath().push_front(PE);
1855 }
1856 } else if (isa<BreakStmt>(Term) || isa<ContinueStmt>(Term) ||
1857 isa<GotoStmt>(Term)) {
1858 PathDiagnosticLocation L(Term, SM, PDB.LC);
1859 addEdgeToPath(PD.getActivePath(), PrevLoc, L, PDB.LC);
1860 }
1861 }
1862 break;
1863 }
1864 } while (0);
1865
1866 if (!NextNode)
1867 continue;
1868
1869 // Add pieces from custom visitors.
1870 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(),
1871 E = visitors.end();
1872 I != E; ++I) {
1873 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *report)) {
1874 addEdgeToPath(PD.getActivePath(), PrevLoc, p->getLocation(), PDB.LC);
1875 PD.getActivePath().push_front(p);
1876 updateStackPiecesWithMessage(p, CallStack);
1877 }
1878 }
1879 }
1880
1881 // Add an edge to the start of the function.
1882 // We'll prune it out later, but it helps make diagnostics more uniform.
1883 const StackFrameContext *CalleeLC = PDB.LC->getCurrentStackFrame();
1884 const Decl *D = CalleeLC->getDecl();
1885 addEdgeToPath(PD.getActivePath(), PrevLoc,
1886 PathDiagnosticLocation::createBegin(D, SM),
1887 CalleeLC);
1888
1889 return report->isValid();
1890 }
1891
getLocStmt(PathDiagnosticLocation L)1892 static const Stmt *getLocStmt(PathDiagnosticLocation L) {
1893 if (!L.isValid())
1894 return nullptr;
1895 return L.asStmt();
1896 }
1897
getStmtParent(const Stmt * S,const ParentMap & PM)1898 static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) {
1899 if (!S)
1900 return nullptr;
1901
1902 while (true) {
1903 S = PM.getParentIgnoreParens(S);
1904
1905 if (!S)
1906 break;
1907
1908 if (isa<ExprWithCleanups>(S) ||
1909 isa<CXXBindTemporaryExpr>(S) ||
1910 isa<SubstNonTypeTemplateParmExpr>(S))
1911 continue;
1912
1913 break;
1914 }
1915
1916 return S;
1917 }
1918
isConditionForTerminator(const Stmt * S,const Stmt * Cond)1919 static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) {
1920 switch (S->getStmtClass()) {
1921 case Stmt::BinaryOperatorClass: {
1922 const BinaryOperator *BO = cast<BinaryOperator>(S);
1923 if (!BO->isLogicalOp())
1924 return false;
1925 return BO->getLHS() == Cond || BO->getRHS() == Cond;
1926 }
1927 case Stmt::IfStmtClass:
1928 return cast<IfStmt>(S)->getCond() == Cond;
1929 case Stmt::ForStmtClass:
1930 return cast<ForStmt>(S)->getCond() == Cond;
1931 case Stmt::WhileStmtClass:
1932 return cast<WhileStmt>(S)->getCond() == Cond;
1933 case Stmt::DoStmtClass:
1934 return cast<DoStmt>(S)->getCond() == Cond;
1935 case Stmt::ChooseExprClass:
1936 return cast<ChooseExpr>(S)->getCond() == Cond;
1937 case Stmt::IndirectGotoStmtClass:
1938 return cast<IndirectGotoStmt>(S)->getTarget() == Cond;
1939 case Stmt::SwitchStmtClass:
1940 return cast<SwitchStmt>(S)->getCond() == Cond;
1941 case Stmt::BinaryConditionalOperatorClass:
1942 return cast<BinaryConditionalOperator>(S)->getCond() == Cond;
1943 case Stmt::ConditionalOperatorClass: {
1944 const ConditionalOperator *CO = cast<ConditionalOperator>(S);
1945 return CO->getCond() == Cond ||
1946 CO->getLHS() == Cond ||
1947 CO->getRHS() == Cond;
1948 }
1949 case Stmt::ObjCForCollectionStmtClass:
1950 return cast<ObjCForCollectionStmt>(S)->getElement() == Cond;
1951 case Stmt::CXXForRangeStmtClass: {
1952 const CXXForRangeStmt *FRS = cast<CXXForRangeStmt>(S);
1953 return FRS->getCond() == Cond || FRS->getRangeInit() == Cond;
1954 }
1955 default:
1956 return false;
1957 }
1958 }
1959
isIncrementOrInitInForLoop(const Stmt * S,const Stmt * FL)1960 static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) {
1961 if (const ForStmt *FS = dyn_cast<ForStmt>(FL))
1962 return FS->getInc() == S || FS->getInit() == S;
1963 if (const CXXForRangeStmt *FRS = dyn_cast<CXXForRangeStmt>(FL))
1964 return FRS->getInc() == S || FRS->getRangeStmt() == S ||
1965 FRS->getLoopVarStmt() || FRS->getRangeInit() == S;
1966 return false;
1967 }
1968
1969 typedef llvm::DenseSet<const PathDiagnosticCallPiece *>
1970 OptimizedCallsSet;
1971
1972 /// Adds synthetic edges from top-level statements to their subexpressions.
1973 ///
1974 /// This avoids a "swoosh" effect, where an edge from a top-level statement A
1975 /// points to a sub-expression B.1 that's not at the start of B. In these cases,
1976 /// we'd like to see an edge from A to B, then another one from B to B.1.
addContextEdges(PathPieces & pieces,SourceManager & SM,const ParentMap & PM,const LocationContext * LCtx)1977 static void addContextEdges(PathPieces &pieces, SourceManager &SM,
1978 const ParentMap &PM, const LocationContext *LCtx) {
1979 PathPieces::iterator Prev = pieces.end();
1980 for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E;
1981 Prev = I, ++I) {
1982 PathDiagnosticControlFlowPiece *Piece =
1983 dyn_cast<PathDiagnosticControlFlowPiece>(*I);
1984
1985 if (!Piece)
1986 continue;
1987
1988 PathDiagnosticLocation SrcLoc = Piece->getStartLocation();
1989 SmallVector<PathDiagnosticLocation, 4> SrcContexts;
1990
1991 PathDiagnosticLocation NextSrcContext = SrcLoc;
1992 const Stmt *InnerStmt = nullptr;
1993 while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) {
1994 SrcContexts.push_back(NextSrcContext);
1995 InnerStmt = NextSrcContext.asStmt();
1996 NextSrcContext = getEnclosingStmtLocation(InnerStmt, SM, PM, LCtx,
1997 /*allowNested=*/true);
1998 }
1999
2000 // Repeatedly split the edge as necessary.
2001 // This is important for nested logical expressions (||, &&, ?:) where we
2002 // want to show all the levels of context.
2003 while (true) {
2004 const Stmt *Dst = getLocStmt(Piece->getEndLocation());
2005
2006 // We are looking at an edge. Is the destination within a larger
2007 // expression?
2008 PathDiagnosticLocation DstContext =
2009 getEnclosingStmtLocation(Dst, SM, PM, LCtx, /*allowNested=*/true);
2010 if (!DstContext.isValid() || DstContext.asStmt() == Dst)
2011 break;
2012
2013 // If the source is in the same context, we're already good.
2014 if (std::find(SrcContexts.begin(), SrcContexts.end(), DstContext) !=
2015 SrcContexts.end())
2016 break;
2017
2018 // Update the subexpression node to point to the context edge.
2019 Piece->setStartLocation(DstContext);
2020
2021 // Try to extend the previous edge if it's at the same level as the source
2022 // context.
2023 if (Prev != E) {
2024 PathDiagnosticControlFlowPiece *PrevPiece =
2025 dyn_cast<PathDiagnosticControlFlowPiece>(*Prev);
2026
2027 if (PrevPiece) {
2028 if (const Stmt *PrevSrc = getLocStmt(PrevPiece->getStartLocation())) {
2029 const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM);
2030 if (PrevSrcParent == getStmtParent(getLocStmt(DstContext), PM)) {
2031 PrevPiece->setEndLocation(DstContext);
2032 break;
2033 }
2034 }
2035 }
2036 }
2037
2038 // Otherwise, split the current edge into a context edge and a
2039 // subexpression edge. Note that the context statement may itself have
2040 // context.
2041 Piece = new PathDiagnosticControlFlowPiece(SrcLoc, DstContext);
2042 I = pieces.insert(I, Piece);
2043 }
2044 }
2045 }
2046
2047 /// \brief Move edges from a branch condition to a branch target
2048 /// when the condition is simple.
2049 ///
2050 /// This restructures some of the work of addContextEdges. That function
2051 /// creates edges this may destroy, but they work together to create a more
2052 /// aesthetically set of edges around branches. After the call to
2053 /// addContextEdges, we may have (1) an edge to the branch, (2) an edge from
2054 /// the branch to the branch condition, and (3) an edge from the branch
2055 /// condition to the branch target. We keep (1), but may wish to remove (2)
2056 /// and move the source of (3) to the branch if the branch condition is simple.
2057 ///
simplifySimpleBranches(PathPieces & pieces)2058 static void simplifySimpleBranches(PathPieces &pieces) {
2059 for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) {
2060
2061 PathDiagnosticControlFlowPiece *PieceI =
2062 dyn_cast<PathDiagnosticControlFlowPiece>(*I);
2063
2064 if (!PieceI)
2065 continue;
2066
2067 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation());
2068 const Stmt *s1End = getLocStmt(PieceI->getEndLocation());
2069
2070 if (!s1Start || !s1End)
2071 continue;
2072
2073 PathPieces::iterator NextI = I; ++NextI;
2074 if (NextI == E)
2075 break;
2076
2077 PathDiagnosticControlFlowPiece *PieceNextI = nullptr;
2078
2079 while (true) {
2080 if (NextI == E)
2081 break;
2082
2083 PathDiagnosticEventPiece *EV = dyn_cast<PathDiagnosticEventPiece>(*NextI);
2084 if (EV) {
2085 StringRef S = EV->getString();
2086 if (S == StrEnteringLoop || S == StrLoopBodyZero ||
2087 S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) {
2088 ++NextI;
2089 continue;
2090 }
2091 break;
2092 }
2093
2094 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(*NextI);
2095 break;
2096 }
2097
2098 if (!PieceNextI)
2099 continue;
2100
2101 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation());
2102 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation());
2103
2104 if (!s2Start || !s2End || s1End != s2Start)
2105 continue;
2106
2107 // We only perform this transformation for specific branch kinds.
2108 // We don't want to do this for do..while, for example.
2109 if (!(isa<ForStmt>(s1Start) || isa<WhileStmt>(s1Start) ||
2110 isa<IfStmt>(s1Start) || isa<ObjCForCollectionStmt>(s1Start) ||
2111 isa<CXXForRangeStmt>(s1Start)))
2112 continue;
2113
2114 // Is s1End the branch condition?
2115 if (!isConditionForTerminator(s1Start, s1End))
2116 continue;
2117
2118 // Perform the hoisting by eliminating (2) and changing the start
2119 // location of (3).
2120 PieceNextI->setStartLocation(PieceI->getStartLocation());
2121 I = pieces.erase(I);
2122 }
2123 }
2124
2125 /// Returns the number of bytes in the given (character-based) SourceRange.
2126 ///
2127 /// If the locations in the range are not on the same line, returns None.
2128 ///
2129 /// Note that this does not do a precise user-visible character or column count.
getLengthOnSingleLine(SourceManager & SM,SourceRange Range)2130 static Optional<size_t> getLengthOnSingleLine(SourceManager &SM,
2131 SourceRange Range) {
2132 SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()),
2133 SM.getExpansionRange(Range.getEnd()).second);
2134
2135 FileID FID = SM.getFileID(ExpansionRange.getBegin());
2136 if (FID != SM.getFileID(ExpansionRange.getEnd()))
2137 return None;
2138
2139 bool Invalid;
2140 const llvm::MemoryBuffer *Buffer = SM.getBuffer(FID, &Invalid);
2141 if (Invalid)
2142 return None;
2143
2144 unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin());
2145 unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd());
2146 StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset);
2147
2148 // We're searching the raw bytes of the buffer here, which might include
2149 // escaped newlines and such. That's okay; we're trying to decide whether the
2150 // SourceRange is covering a large or small amount of space in the user's
2151 // editor.
2152 if (Snippet.find_first_of("\r\n") != StringRef::npos)
2153 return None;
2154
2155 // This isn't Unicode-aware, but it doesn't need to be.
2156 return Snippet.size();
2157 }
2158
2159 /// \sa getLengthOnSingleLine(SourceManager, SourceRange)
getLengthOnSingleLine(SourceManager & SM,const Stmt * S)2160 static Optional<size_t> getLengthOnSingleLine(SourceManager &SM,
2161 const Stmt *S) {
2162 return getLengthOnSingleLine(SM, S->getSourceRange());
2163 }
2164
2165 /// Eliminate two-edge cycles created by addContextEdges().
2166 ///
2167 /// Once all the context edges are in place, there are plenty of cases where
2168 /// there's a single edge from a top-level statement to a subexpression,
2169 /// followed by a single path note, and then a reverse edge to get back out to
2170 /// the top level. If the statement is simple enough, the subexpression edges
2171 /// just add noise and make it harder to understand what's going on.
2172 ///
2173 /// This function only removes edges in pairs, because removing only one edge
2174 /// might leave other edges dangling.
2175 ///
2176 /// This will not remove edges in more complicated situations:
2177 /// - if there is more than one "hop" leading to or from a subexpression.
2178 /// - if there is an inlined call between the edges instead of a single event.
2179 /// - if the whole statement is large enough that having subexpression arrows
2180 /// might be helpful.
removeContextCycles(PathPieces & Path,SourceManager & SM,ParentMap & PM)2181 static void removeContextCycles(PathPieces &Path, SourceManager &SM,
2182 ParentMap &PM) {
2183 for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) {
2184 // Pattern match the current piece and its successor.
2185 PathDiagnosticControlFlowPiece *PieceI =
2186 dyn_cast<PathDiagnosticControlFlowPiece>(*I);
2187
2188 if (!PieceI) {
2189 ++I;
2190 continue;
2191 }
2192
2193 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation());
2194 const Stmt *s1End = getLocStmt(PieceI->getEndLocation());
2195
2196 PathPieces::iterator NextI = I; ++NextI;
2197 if (NextI == E)
2198 break;
2199
2200 PathDiagnosticControlFlowPiece *PieceNextI =
2201 dyn_cast<PathDiagnosticControlFlowPiece>(*NextI);
2202
2203 if (!PieceNextI) {
2204 if (isa<PathDiagnosticEventPiece>(*NextI)) {
2205 ++NextI;
2206 if (NextI == E)
2207 break;
2208 PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(*NextI);
2209 }
2210
2211 if (!PieceNextI) {
2212 ++I;
2213 continue;
2214 }
2215 }
2216
2217 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation());
2218 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation());
2219
2220 if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) {
2221 const size_t MAX_SHORT_LINE_LENGTH = 80;
2222 Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start);
2223 if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) {
2224 Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start);
2225 if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) {
2226 Path.erase(I);
2227 I = Path.erase(NextI);
2228 continue;
2229 }
2230 }
2231 }
2232
2233 ++I;
2234 }
2235 }
2236
2237 /// \brief Return true if X is contained by Y.
lexicalContains(ParentMap & PM,const Stmt * X,const Stmt * Y)2238 static bool lexicalContains(ParentMap &PM,
2239 const Stmt *X,
2240 const Stmt *Y) {
2241 while (X) {
2242 if (X == Y)
2243 return true;
2244 X = PM.getParent(X);
2245 }
2246 return false;
2247 }
2248
2249 // Remove short edges on the same line less than 3 columns in difference.
removePunyEdges(PathPieces & path,SourceManager & SM,ParentMap & PM)2250 static void removePunyEdges(PathPieces &path,
2251 SourceManager &SM,
2252 ParentMap &PM) {
2253
2254 bool erased = false;
2255
2256 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E;
2257 erased ? I : ++I) {
2258
2259 erased = false;
2260
2261 PathDiagnosticControlFlowPiece *PieceI =
2262 dyn_cast<PathDiagnosticControlFlowPiece>(*I);
2263
2264 if (!PieceI)
2265 continue;
2266
2267 const Stmt *start = getLocStmt(PieceI->getStartLocation());
2268 const Stmt *end = getLocStmt(PieceI->getEndLocation());
2269
2270 if (!start || !end)
2271 continue;
2272
2273 const Stmt *endParent = PM.getParent(end);
2274 if (!endParent)
2275 continue;
2276
2277 if (isConditionForTerminator(end, endParent))
2278 continue;
2279
2280 SourceLocation FirstLoc = start->getLocStart();
2281 SourceLocation SecondLoc = end->getLocStart();
2282
2283 if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc))
2284 continue;
2285 if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc))
2286 std::swap(SecondLoc, FirstLoc);
2287
2288 SourceRange EdgeRange(FirstLoc, SecondLoc);
2289 Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange);
2290
2291 // If the statements are on different lines, continue.
2292 if (!ByteWidth)
2293 continue;
2294
2295 const size_t MAX_PUNY_EDGE_LENGTH = 2;
2296 if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) {
2297 // FIXME: There are enough /bytes/ between the endpoints of the edge, but
2298 // there might not be enough /columns/. A proper user-visible column count
2299 // is probably too expensive, though.
2300 I = path.erase(I);
2301 erased = true;
2302 continue;
2303 }
2304 }
2305 }
2306
removeIdenticalEvents(PathPieces & path)2307 static void removeIdenticalEvents(PathPieces &path) {
2308 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) {
2309 PathDiagnosticEventPiece *PieceI =
2310 dyn_cast<PathDiagnosticEventPiece>(*I);
2311
2312 if (!PieceI)
2313 continue;
2314
2315 PathPieces::iterator NextI = I; ++NextI;
2316 if (NextI == E)
2317 return;
2318
2319 PathDiagnosticEventPiece *PieceNextI =
2320 dyn_cast<PathDiagnosticEventPiece>(*NextI);
2321
2322 if (!PieceNextI)
2323 continue;
2324
2325 // Erase the second piece if it has the same exact message text.
2326 if (PieceI->getString() == PieceNextI->getString()) {
2327 path.erase(NextI);
2328 }
2329 }
2330 }
2331
optimizeEdges(PathPieces & path,SourceManager & SM,OptimizedCallsSet & OCS,LocationContextMap & LCM)2332 static bool optimizeEdges(PathPieces &path, SourceManager &SM,
2333 OptimizedCallsSet &OCS,
2334 LocationContextMap &LCM) {
2335 bool hasChanges = false;
2336 const LocationContext *LC = LCM[&path];
2337 assert(LC);
2338 ParentMap &PM = LC->getParentMap();
2339
2340 for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) {
2341 // Optimize subpaths.
2342 if (PathDiagnosticCallPiece *CallI = dyn_cast<PathDiagnosticCallPiece>(*I)){
2343 // Record the fact that a call has been optimized so we only do the
2344 // effort once.
2345 if (!OCS.count(CallI)) {
2346 while (optimizeEdges(CallI->path, SM, OCS, LCM)) {}
2347 OCS.insert(CallI);
2348 }
2349 ++I;
2350 continue;
2351 }
2352
2353 // Pattern match the current piece and its successor.
2354 PathDiagnosticControlFlowPiece *PieceI =
2355 dyn_cast<PathDiagnosticControlFlowPiece>(*I);
2356
2357 if (!PieceI) {
2358 ++I;
2359 continue;
2360 }
2361
2362 const Stmt *s1Start = getLocStmt(PieceI->getStartLocation());
2363 const Stmt *s1End = getLocStmt(PieceI->getEndLocation());
2364 const Stmt *level1 = getStmtParent(s1Start, PM);
2365 const Stmt *level2 = getStmtParent(s1End, PM);
2366
2367 PathPieces::iterator NextI = I; ++NextI;
2368 if (NextI == E)
2369 break;
2370
2371 PathDiagnosticControlFlowPiece *PieceNextI =
2372 dyn_cast<PathDiagnosticControlFlowPiece>(*NextI);
2373
2374 if (!PieceNextI) {
2375 ++I;
2376 continue;
2377 }
2378
2379 const Stmt *s2Start = getLocStmt(PieceNextI->getStartLocation());
2380 const Stmt *s2End = getLocStmt(PieceNextI->getEndLocation());
2381 const Stmt *level3 = getStmtParent(s2Start, PM);
2382 const Stmt *level4 = getStmtParent(s2End, PM);
2383
2384 // Rule I.
2385 //
2386 // If we have two consecutive control edges whose end/begin locations
2387 // are at the same level (e.g. statements or top-level expressions within
2388 // a compound statement, or siblings share a single ancestor expression),
2389 // then merge them if they have no interesting intermediate event.
2390 //
2391 // For example:
2392 //
2393 // (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common
2394 // parent is '1'. Here 'x.y.z' represents the hierarchy of statements.
2395 //
2396 // NOTE: this will be limited later in cases where we add barriers
2397 // to prevent this optimization.
2398 //
2399 if (level1 && level1 == level2 && level1 == level3 && level1 == level4) {
2400 PieceI->setEndLocation(PieceNextI->getEndLocation());
2401 path.erase(NextI);
2402 hasChanges = true;
2403 continue;
2404 }
2405
2406 // Rule II.
2407 //
2408 // Eliminate edges between subexpressions and parent expressions
2409 // when the subexpression is consumed.
2410 //
2411 // NOTE: this will be limited later in cases where we add barriers
2412 // to prevent this optimization.
2413 //
2414 if (s1End && s1End == s2Start && level2) {
2415 bool removeEdge = false;
2416 // Remove edges into the increment or initialization of a
2417 // loop that have no interleaving event. This means that
2418 // they aren't interesting.
2419 if (isIncrementOrInitInForLoop(s1End, level2))
2420 removeEdge = true;
2421 // Next only consider edges that are not anchored on
2422 // the condition of a terminator. This are intermediate edges
2423 // that we might want to trim.
2424 else if (!isConditionForTerminator(level2, s1End)) {
2425 // Trim edges on expressions that are consumed by
2426 // the parent expression.
2427 if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) {
2428 removeEdge = true;
2429 }
2430 // Trim edges where a lexical containment doesn't exist.
2431 // For example:
2432 //
2433 // X -> Y -> Z
2434 //
2435 // If 'Z' lexically contains Y (it is an ancestor) and
2436 // 'X' does not lexically contain Y (it is a descendant OR
2437 // it has no lexical relationship at all) then trim.
2438 //
2439 // This can eliminate edges where we dive into a subexpression
2440 // and then pop back out, etc.
2441 else if (s1Start && s2End &&
2442 lexicalContains(PM, s2Start, s2End) &&
2443 !lexicalContains(PM, s1End, s1Start)) {
2444 removeEdge = true;
2445 }
2446 // Trim edges from a subexpression back to the top level if the
2447 // subexpression is on a different line.
2448 //
2449 // A.1 -> A -> B
2450 // becomes
2451 // A.1 -> B
2452 //
2453 // These edges just look ugly and don't usually add anything.
2454 else if (s1Start && s2End &&
2455 lexicalContains(PM, s1Start, s1End)) {
2456 SourceRange EdgeRange(PieceI->getEndLocation().asLocation(),
2457 PieceI->getStartLocation().asLocation());
2458 if (!getLengthOnSingleLine(SM, EdgeRange).hasValue())
2459 removeEdge = true;
2460 }
2461 }
2462
2463 if (removeEdge) {
2464 PieceI->setEndLocation(PieceNextI->getEndLocation());
2465 path.erase(NextI);
2466 hasChanges = true;
2467 continue;
2468 }
2469 }
2470
2471 // Optimize edges for ObjC fast-enumeration loops.
2472 //
2473 // (X -> collection) -> (collection -> element)
2474 //
2475 // becomes:
2476 //
2477 // (X -> element)
2478 if (s1End == s2Start) {
2479 const ObjCForCollectionStmt *FS =
2480 dyn_cast_or_null<ObjCForCollectionStmt>(level3);
2481 if (FS && FS->getCollection()->IgnoreParens() == s2Start &&
2482 s2End == FS->getElement()) {
2483 PieceI->setEndLocation(PieceNextI->getEndLocation());
2484 path.erase(NextI);
2485 hasChanges = true;
2486 continue;
2487 }
2488 }
2489
2490 // No changes at this index? Move to the next one.
2491 ++I;
2492 }
2493
2494 if (!hasChanges) {
2495 // Adjust edges into subexpressions to make them more uniform
2496 // and aesthetically pleasing.
2497 addContextEdges(path, SM, PM, LC);
2498 // Remove "cyclical" edges that include one or more context edges.
2499 removeContextCycles(path, SM, PM);
2500 // Hoist edges originating from branch conditions to branches
2501 // for simple branches.
2502 simplifySimpleBranches(path);
2503 // Remove any puny edges left over after primary optimization pass.
2504 removePunyEdges(path, SM, PM);
2505 // Remove identical events.
2506 removeIdenticalEvents(path);
2507 }
2508
2509 return hasChanges;
2510 }
2511
2512 /// Drop the very first edge in a path, which should be a function entry edge.
2513 ///
2514 /// If the first edge is not a function entry edge (say, because the first
2515 /// statement had an invalid source location), this function does nothing.
2516 // FIXME: We should just generate invalid edges anyway and have the optimizer
2517 // deal with them.
dropFunctionEntryEdge(PathPieces & Path,LocationContextMap & LCM,SourceManager & SM)2518 static void dropFunctionEntryEdge(PathPieces &Path,
2519 LocationContextMap &LCM,
2520 SourceManager &SM) {
2521 const PathDiagnosticControlFlowPiece *FirstEdge =
2522 dyn_cast<PathDiagnosticControlFlowPiece>(Path.front());
2523 if (!FirstEdge)
2524 return;
2525
2526 const Decl *D = LCM[&Path]->getDecl();
2527 PathDiagnosticLocation EntryLoc = PathDiagnosticLocation::createBegin(D, SM);
2528 if (FirstEdge->getStartLocation() != EntryLoc)
2529 return;
2530
2531 Path.pop_front();
2532 }
2533
2534
2535 //===----------------------------------------------------------------------===//
2536 // Methods for BugType and subclasses.
2537 //===----------------------------------------------------------------------===//
anchor()2538 void BugType::anchor() { }
2539
FlushReports(BugReporter & BR)2540 void BugType::FlushReports(BugReporter &BR) {}
2541
anchor()2542 void BuiltinBug::anchor() {}
2543
2544 //===----------------------------------------------------------------------===//
2545 // Methods for BugReport and subclasses.
2546 //===----------------------------------------------------------------------===//
2547
anchor()2548 void BugReport::NodeResolver::anchor() {}
2549
addVisitor(BugReporterVisitor * visitor)2550 void BugReport::addVisitor(BugReporterVisitor* visitor) {
2551 if (!visitor)
2552 return;
2553
2554 llvm::FoldingSetNodeID ID;
2555 visitor->Profile(ID);
2556 void *InsertPos;
2557
2558 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) {
2559 delete visitor;
2560 return;
2561 }
2562
2563 CallbacksSet.InsertNode(visitor, InsertPos);
2564 Callbacks.push_back(visitor);
2565 ++ConfigurationChangeToken;
2566 }
2567
~BugReport()2568 BugReport::~BugReport() {
2569 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) {
2570 delete *I;
2571 }
2572 while (!interestingSymbols.empty()) {
2573 popInterestingSymbolsAndRegions();
2574 }
2575 }
2576
getDeclWithIssue() const2577 const Decl *BugReport::getDeclWithIssue() const {
2578 if (DeclWithIssue)
2579 return DeclWithIssue;
2580
2581 const ExplodedNode *N = getErrorNode();
2582 if (!N)
2583 return nullptr;
2584
2585 const LocationContext *LC = N->getLocationContext();
2586 return LC->getCurrentStackFrame()->getDecl();
2587 }
2588
Profile(llvm::FoldingSetNodeID & hash) const2589 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const {
2590 hash.AddPointer(&BT);
2591 hash.AddString(Description);
2592 PathDiagnosticLocation UL = getUniqueingLocation();
2593 if (UL.isValid()) {
2594 UL.Profile(hash);
2595 } else if (Location.isValid()) {
2596 Location.Profile(hash);
2597 } else {
2598 assert(ErrorNode);
2599 hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode));
2600 }
2601
2602 for (SmallVectorImpl<SourceRange>::const_iterator I =
2603 Ranges.begin(), E = Ranges.end(); I != E; ++I) {
2604 const SourceRange range = *I;
2605 if (!range.isValid())
2606 continue;
2607 hash.AddInteger(range.getBegin().getRawEncoding());
2608 hash.AddInteger(range.getEnd().getRawEncoding());
2609 }
2610 }
2611
markInteresting(SymbolRef sym)2612 void BugReport::markInteresting(SymbolRef sym) {
2613 if (!sym)
2614 return;
2615
2616 // If the symbol wasn't already in our set, note a configuration change.
2617 if (getInterestingSymbols().insert(sym).second)
2618 ++ConfigurationChangeToken;
2619
2620 if (const SymbolMetadata *meta = dyn_cast<SymbolMetadata>(sym))
2621 getInterestingRegions().insert(meta->getRegion());
2622 }
2623
markInteresting(const MemRegion * R)2624 void BugReport::markInteresting(const MemRegion *R) {
2625 if (!R)
2626 return;
2627
2628 // If the base region wasn't already in our set, note a configuration change.
2629 R = R->getBaseRegion();
2630 if (getInterestingRegions().insert(R).second)
2631 ++ConfigurationChangeToken;
2632
2633 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
2634 getInterestingSymbols().insert(SR->getSymbol());
2635 }
2636
markInteresting(SVal V)2637 void BugReport::markInteresting(SVal V) {
2638 markInteresting(V.getAsRegion());
2639 markInteresting(V.getAsSymbol());
2640 }
2641
markInteresting(const LocationContext * LC)2642 void BugReport::markInteresting(const LocationContext *LC) {
2643 if (!LC)
2644 return;
2645 InterestingLocationContexts.insert(LC);
2646 }
2647
isInteresting(SVal V)2648 bool BugReport::isInteresting(SVal V) {
2649 return isInteresting(V.getAsRegion()) || isInteresting(V.getAsSymbol());
2650 }
2651
isInteresting(SymbolRef sym)2652 bool BugReport::isInteresting(SymbolRef sym) {
2653 if (!sym)
2654 return false;
2655 // We don't currently consider metadata symbols to be interesting
2656 // even if we know their region is interesting. Is that correct behavior?
2657 return getInterestingSymbols().count(sym);
2658 }
2659
isInteresting(const MemRegion * R)2660 bool BugReport::isInteresting(const MemRegion *R) {
2661 if (!R)
2662 return false;
2663 R = R->getBaseRegion();
2664 bool b = getInterestingRegions().count(R);
2665 if (b)
2666 return true;
2667 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R))
2668 return getInterestingSymbols().count(SR->getSymbol());
2669 return false;
2670 }
2671
isInteresting(const LocationContext * LC)2672 bool BugReport::isInteresting(const LocationContext *LC) {
2673 if (!LC)
2674 return false;
2675 return InterestingLocationContexts.count(LC);
2676 }
2677
lazyInitializeInterestingSets()2678 void BugReport::lazyInitializeInterestingSets() {
2679 if (interestingSymbols.empty()) {
2680 interestingSymbols.push_back(new Symbols());
2681 interestingRegions.push_back(new Regions());
2682 }
2683 }
2684
getInterestingSymbols()2685 BugReport::Symbols &BugReport::getInterestingSymbols() {
2686 lazyInitializeInterestingSets();
2687 return *interestingSymbols.back();
2688 }
2689
getInterestingRegions()2690 BugReport::Regions &BugReport::getInterestingRegions() {
2691 lazyInitializeInterestingSets();
2692 return *interestingRegions.back();
2693 }
2694
pushInterestingSymbolsAndRegions()2695 void BugReport::pushInterestingSymbolsAndRegions() {
2696 interestingSymbols.push_back(new Symbols(getInterestingSymbols()));
2697 interestingRegions.push_back(new Regions(getInterestingRegions()));
2698 }
2699
popInterestingSymbolsAndRegions()2700 void BugReport::popInterestingSymbolsAndRegions() {
2701 delete interestingSymbols.pop_back_val();
2702 delete interestingRegions.pop_back_val();
2703 }
2704
getStmt() const2705 const Stmt *BugReport::getStmt() const {
2706 if (!ErrorNode)
2707 return nullptr;
2708
2709 ProgramPoint ProgP = ErrorNode->getLocation();
2710 const Stmt *S = nullptr;
2711
2712 if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) {
2713 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit();
2714 if (BE->getBlock() == &Exit)
2715 S = GetPreviousStmt(ErrorNode);
2716 }
2717 if (!S)
2718 S = PathDiagnosticLocation::getStmt(ErrorNode);
2719
2720 return S;
2721 }
2722
2723 std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator>
getRanges()2724 BugReport::getRanges() {
2725 // If no custom ranges, add the range of the statement corresponding to
2726 // the error node.
2727 if (Ranges.empty()) {
2728 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt()))
2729 addRange(E->getSourceRange());
2730 else
2731 return std::make_pair(ranges_iterator(), ranges_iterator());
2732 }
2733
2734 // User-specified absence of range info.
2735 if (Ranges.size() == 1 && !Ranges.begin()->isValid())
2736 return std::make_pair(ranges_iterator(), ranges_iterator());
2737
2738 return std::make_pair(Ranges.begin(), Ranges.end());
2739 }
2740
getLocation(const SourceManager & SM) const2741 PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const {
2742 if (ErrorNode) {
2743 assert(!Location.isValid() &&
2744 "Either Location or ErrorNode should be specified but not both.");
2745 return PathDiagnosticLocation::createEndOfPath(ErrorNode, SM);
2746 }
2747
2748 assert(Location.isValid());
2749 return Location;
2750 }
2751
2752 //===----------------------------------------------------------------------===//
2753 // Methods for BugReporter and subclasses.
2754 //===----------------------------------------------------------------------===//
2755
~BugReportEquivClass()2756 BugReportEquivClass::~BugReportEquivClass() { }
~GRBugReporter()2757 GRBugReporter::~GRBugReporter() { }
~BugReporterData()2758 BugReporterData::~BugReporterData() {}
2759
getGraph()2760 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); }
2761
2762 ProgramStateManager&
getStateManager()2763 GRBugReporter::getStateManager() { return Eng.getStateManager(); }
2764
~BugReporter()2765 BugReporter::~BugReporter() {
2766 FlushReports();
2767
2768 // Free the bug reports we are tracking.
2769 typedef std::vector<BugReportEquivClass *> ContTy;
2770 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end();
2771 I != E; ++I) {
2772 delete *I;
2773 }
2774 }
2775
FlushReports()2776 void BugReporter::FlushReports() {
2777 if (BugTypes.isEmpty())
2778 return;
2779
2780 // First flush the warnings for each BugType. This may end up creating new
2781 // warnings and new BugTypes.
2782 // FIXME: Only NSErrorChecker needs BugType's FlushReports.
2783 // Turn NSErrorChecker into a proper checker and remove this.
2784 SmallVector<const BugType*, 16> bugTypes;
2785 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I)
2786 bugTypes.push_back(*I);
2787 for (SmallVectorImpl<const BugType *>::iterator
2788 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I)
2789 const_cast<BugType*>(*I)->FlushReports(*this);
2790
2791 // We need to flush reports in deterministic order to ensure the order
2792 // of the reports is consistent between runs.
2793 typedef std::vector<BugReportEquivClass *> ContVecTy;
2794 for (ContVecTy::iterator EI=EQClassesVector.begin(), EE=EQClassesVector.end();
2795 EI != EE; ++EI){
2796 BugReportEquivClass& EQ = **EI;
2797 FlushReport(EQ);
2798 }
2799
2800 // BugReporter owns and deletes only BugTypes created implicitly through
2801 // EmitBasicReport.
2802 // FIXME: There are leaks from checkers that assume that the BugTypes they
2803 // create will be destroyed by the BugReporter.
2804 llvm::DeleteContainerSeconds(StrBugTypes);
2805
2806 // Remove all references to the BugType objects.
2807 BugTypes = F.getEmptySet();
2808 }
2809
2810 //===----------------------------------------------------------------------===//
2811 // PathDiagnostics generation.
2812 //===----------------------------------------------------------------------===//
2813
2814 namespace {
2815 /// A wrapper around a report graph, which contains only a single path, and its
2816 /// node maps.
2817 class ReportGraph {
2818 public:
2819 InterExplodedGraphMap BackMap;
2820 std::unique_ptr<ExplodedGraph> Graph;
2821 const ExplodedNode *ErrorNode;
2822 size_t Index;
2823 };
2824
2825 /// A wrapper around a trimmed graph and its node maps.
2826 class TrimmedGraph {
2827 InterExplodedGraphMap InverseMap;
2828
2829 typedef llvm::DenseMap<const ExplodedNode *, unsigned> PriorityMapTy;
2830 PriorityMapTy PriorityMap;
2831
2832 typedef std::pair<const ExplodedNode *, size_t> NodeIndexPair;
2833 SmallVector<NodeIndexPair, 32> ReportNodes;
2834
2835 std::unique_ptr<ExplodedGraph> G;
2836
2837 /// A helper class for sorting ExplodedNodes by priority.
2838 template <bool Descending>
2839 class PriorityCompare {
2840 const PriorityMapTy &PriorityMap;
2841
2842 public:
PriorityCompare(const PriorityMapTy & M)2843 PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {}
2844
operator ()(const ExplodedNode * LHS,const ExplodedNode * RHS) const2845 bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const {
2846 PriorityMapTy::const_iterator LI = PriorityMap.find(LHS);
2847 PriorityMapTy::const_iterator RI = PriorityMap.find(RHS);
2848 PriorityMapTy::const_iterator E = PriorityMap.end();
2849
2850 if (LI == E)
2851 return Descending;
2852 if (RI == E)
2853 return !Descending;
2854
2855 return Descending ? LI->second > RI->second
2856 : LI->second < RI->second;
2857 }
2858
operator ()(const NodeIndexPair & LHS,const NodeIndexPair & RHS) const2859 bool operator()(const NodeIndexPair &LHS, const NodeIndexPair &RHS) const {
2860 return (*this)(LHS.first, RHS.first);
2861 }
2862 };
2863
2864 public:
2865 TrimmedGraph(const ExplodedGraph *OriginalGraph,
2866 ArrayRef<const ExplodedNode *> Nodes);
2867
2868 bool popNextReportGraph(ReportGraph &GraphWrapper);
2869 };
2870 }
2871
TrimmedGraph(const ExplodedGraph * OriginalGraph,ArrayRef<const ExplodedNode * > Nodes)2872 TrimmedGraph::TrimmedGraph(const ExplodedGraph *OriginalGraph,
2873 ArrayRef<const ExplodedNode *> Nodes) {
2874 // The trimmed graph is created in the body of the constructor to ensure
2875 // that the DenseMaps have been initialized already.
2876 InterExplodedGraphMap ForwardMap;
2877 G.reset(OriginalGraph->trim(Nodes, &ForwardMap, &InverseMap));
2878
2879 // Find the (first) error node in the trimmed graph. We just need to consult
2880 // the node map which maps from nodes in the original graph to nodes
2881 // in the new graph.
2882 llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes;
2883
2884 for (unsigned i = 0, count = Nodes.size(); i < count; ++i) {
2885 if (const ExplodedNode *NewNode = ForwardMap.lookup(Nodes[i])) {
2886 ReportNodes.push_back(std::make_pair(NewNode, i));
2887 RemainingNodes.insert(NewNode);
2888 }
2889 }
2890
2891 assert(!RemainingNodes.empty() && "No error node found in the trimmed graph");
2892
2893 // Perform a forward BFS to find all the shortest paths.
2894 std::queue<const ExplodedNode *> WS;
2895
2896 assert(G->num_roots() == 1);
2897 WS.push(*G->roots_begin());
2898 unsigned Priority = 0;
2899
2900 while (!WS.empty()) {
2901 const ExplodedNode *Node = WS.front();
2902 WS.pop();
2903
2904 PriorityMapTy::iterator PriorityEntry;
2905 bool IsNew;
2906 std::tie(PriorityEntry, IsNew) =
2907 PriorityMap.insert(std::make_pair(Node, Priority));
2908 ++Priority;
2909
2910 if (!IsNew) {
2911 assert(PriorityEntry->second <= Priority);
2912 continue;
2913 }
2914
2915 if (RemainingNodes.erase(Node))
2916 if (RemainingNodes.empty())
2917 break;
2918
2919 for (ExplodedNode::const_pred_iterator I = Node->succ_begin(),
2920 E = Node->succ_end();
2921 I != E; ++I)
2922 WS.push(*I);
2923 }
2924
2925 // Sort the error paths from longest to shortest.
2926 std::sort(ReportNodes.begin(), ReportNodes.end(),
2927 PriorityCompare<true>(PriorityMap));
2928 }
2929
popNextReportGraph(ReportGraph & GraphWrapper)2930 bool TrimmedGraph::popNextReportGraph(ReportGraph &GraphWrapper) {
2931 if (ReportNodes.empty())
2932 return false;
2933
2934 const ExplodedNode *OrigN;
2935 std::tie(OrigN, GraphWrapper.Index) = ReportNodes.pop_back_val();
2936 assert(PriorityMap.find(OrigN) != PriorityMap.end() &&
2937 "error node not accessible from root");
2938
2939 // Create a new graph with a single path. This is the graph
2940 // that will be returned to the caller.
2941 ExplodedGraph *GNew = new ExplodedGraph();
2942 GraphWrapper.Graph.reset(GNew);
2943 GraphWrapper.BackMap.clear();
2944
2945 // Now walk from the error node up the BFS path, always taking the
2946 // predeccessor with the lowest number.
2947 ExplodedNode *Succ = nullptr;
2948 while (true) {
2949 // Create the equivalent node in the new graph with the same state
2950 // and location.
2951 ExplodedNode *NewN = GNew->getNode(OrigN->getLocation(), OrigN->getState(),
2952 OrigN->isSink());
2953
2954 // Store the mapping to the original node.
2955 InterExplodedGraphMap::const_iterator IMitr = InverseMap.find(OrigN);
2956 assert(IMitr != InverseMap.end() && "No mapping to original node.");
2957 GraphWrapper.BackMap[NewN] = IMitr->second;
2958
2959 // Link up the new node with the previous node.
2960 if (Succ)
2961 Succ->addPredecessor(NewN, *GNew);
2962 else
2963 GraphWrapper.ErrorNode = NewN;
2964
2965 Succ = NewN;
2966
2967 // Are we at the final node?
2968 if (OrigN->pred_empty()) {
2969 GNew->addRoot(NewN);
2970 break;
2971 }
2972
2973 // Find the next predeccessor node. We choose the node that is marked
2974 // with the lowest BFS number.
2975 OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(),
2976 PriorityCompare<false>(PriorityMap));
2977 }
2978
2979 return true;
2980 }
2981
2982
2983 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object
2984 /// and collapses PathDiagosticPieces that are expanded by macros.
CompactPathDiagnostic(PathPieces & path,const SourceManager & SM)2985 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) {
2986 typedef std::vector<std::pair<IntrusiveRefCntPtr<PathDiagnosticMacroPiece>,
2987 SourceLocation> > MacroStackTy;
2988
2989 typedef std::vector<IntrusiveRefCntPtr<PathDiagnosticPiece> >
2990 PiecesTy;
2991
2992 MacroStackTy MacroStack;
2993 PiecesTy Pieces;
2994
2995 for (PathPieces::const_iterator I = path.begin(), E = path.end();
2996 I!=E; ++I) {
2997
2998 PathDiagnosticPiece *piece = I->get();
2999
3000 // Recursively compact calls.
3001 if (PathDiagnosticCallPiece *call=dyn_cast<PathDiagnosticCallPiece>(piece)){
3002 CompactPathDiagnostic(call->path, SM);
3003 }
3004
3005 // Get the location of the PathDiagnosticPiece.
3006 const FullSourceLoc Loc = piece->getLocation().asLocation();
3007
3008 // Determine the instantiation location, which is the location we group
3009 // related PathDiagnosticPieces.
3010 SourceLocation InstantiationLoc = Loc.isMacroID() ?
3011 SM.getExpansionLoc(Loc) :
3012 SourceLocation();
3013
3014 if (Loc.isFileID()) {
3015 MacroStack.clear();
3016 Pieces.push_back(piece);
3017 continue;
3018 }
3019
3020 assert(Loc.isMacroID());
3021
3022 // Is the PathDiagnosticPiece within the same macro group?
3023 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) {
3024 MacroStack.back().first->subPieces.push_back(piece);
3025 continue;
3026 }
3027
3028 // We aren't in the same group. Are we descending into a new macro
3029 // or are part of an old one?
3030 IntrusiveRefCntPtr<PathDiagnosticMacroPiece> MacroGroup;
3031
3032 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ?
3033 SM.getExpansionLoc(Loc) :
3034 SourceLocation();
3035
3036 // Walk the entire macro stack.
3037 while (!MacroStack.empty()) {
3038 if (InstantiationLoc == MacroStack.back().second) {
3039 MacroGroup = MacroStack.back().first;
3040 break;
3041 }
3042
3043 if (ParentInstantiationLoc == MacroStack.back().second) {
3044 MacroGroup = MacroStack.back().first;
3045 break;
3046 }
3047
3048 MacroStack.pop_back();
3049 }
3050
3051 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) {
3052 // Create a new macro group and add it to the stack.
3053 PathDiagnosticMacroPiece *NewGroup =
3054 new PathDiagnosticMacroPiece(
3055 PathDiagnosticLocation::createSingleLocation(piece->getLocation()));
3056
3057 if (MacroGroup)
3058 MacroGroup->subPieces.push_back(NewGroup);
3059 else {
3060 assert(InstantiationLoc.isFileID());
3061 Pieces.push_back(NewGroup);
3062 }
3063
3064 MacroGroup = NewGroup;
3065 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc));
3066 }
3067
3068 // Finally, add the PathDiagnosticPiece to the group.
3069 MacroGroup->subPieces.push_back(piece);
3070 }
3071
3072 // Now take the pieces and construct a new PathDiagnostic.
3073 path.clear();
3074
3075 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I)
3076 path.push_back(*I);
3077 }
3078
generatePathDiagnostic(PathDiagnostic & PD,PathDiagnosticConsumer & PC,ArrayRef<BugReport * > & bugReports)3079 bool GRBugReporter::generatePathDiagnostic(PathDiagnostic& PD,
3080 PathDiagnosticConsumer &PC,
3081 ArrayRef<BugReport *> &bugReports) {
3082 assert(!bugReports.empty());
3083
3084 bool HasValid = false;
3085 bool HasInvalid = false;
3086 SmallVector<const ExplodedNode *, 32> errorNodes;
3087 for (ArrayRef<BugReport*>::iterator I = bugReports.begin(),
3088 E = bugReports.end(); I != E; ++I) {
3089 if ((*I)->isValid()) {
3090 HasValid = true;
3091 errorNodes.push_back((*I)->getErrorNode());
3092 } else {
3093 // Keep the errorNodes list in sync with the bugReports list.
3094 HasInvalid = true;
3095 errorNodes.push_back(nullptr);
3096 }
3097 }
3098
3099 // If all the reports have been marked invalid by a previous path generation,
3100 // we're done.
3101 if (!HasValid)
3102 return false;
3103
3104 typedef PathDiagnosticConsumer::PathGenerationScheme PathGenerationScheme;
3105 PathGenerationScheme ActiveScheme = PC.getGenerationScheme();
3106
3107 if (ActiveScheme == PathDiagnosticConsumer::Extensive) {
3108 AnalyzerOptions &options = getAnalyzerOptions();
3109 if (options.getBooleanOption("path-diagnostics-alternate", true)) {
3110 ActiveScheme = PathDiagnosticConsumer::AlternateExtensive;
3111 }
3112 }
3113
3114 TrimmedGraph TrimG(&getGraph(), errorNodes);
3115 ReportGraph ErrorGraph;
3116
3117 while (TrimG.popNextReportGraph(ErrorGraph)) {
3118 // Find the BugReport with the original location.
3119 assert(ErrorGraph.Index < bugReports.size());
3120 BugReport *R = bugReports[ErrorGraph.Index];
3121 assert(R && "No original report found for sliced graph.");
3122 assert(R->isValid() && "Report selected by trimmed graph marked invalid.");
3123
3124 // Start building the path diagnostic...
3125 PathDiagnosticBuilder PDB(*this, R, ErrorGraph.BackMap, &PC);
3126 const ExplodedNode *N = ErrorGraph.ErrorNode;
3127
3128 // Register additional node visitors.
3129 R->addVisitor(new NilReceiverBRVisitor());
3130 R->addVisitor(new ConditionBRVisitor());
3131 R->addVisitor(new LikelyFalsePositiveSuppressionBRVisitor());
3132
3133 BugReport::VisitorList visitors;
3134 unsigned origReportConfigToken, finalReportConfigToken;
3135 LocationContextMap LCM;
3136
3137 // While generating diagnostics, it's possible the visitors will decide
3138 // new symbols and regions are interesting, or add other visitors based on
3139 // the information they find. If they do, we need to regenerate the path
3140 // based on our new report configuration.
3141 do {
3142 // Get a clean copy of all the visitors.
3143 for (BugReport::visitor_iterator I = R->visitor_begin(),
3144 E = R->visitor_end(); I != E; ++I)
3145 visitors.push_back((*I)->clone());
3146
3147 // Clear out the active path from any previous work.
3148 PD.resetPath();
3149 origReportConfigToken = R->getConfigurationChangeToken();
3150
3151 // Generate the very last diagnostic piece - the piece is visible before
3152 // the trace is expanded.
3153 std::unique_ptr<PathDiagnosticPiece> LastPiece;
3154 for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end();
3155 I != E; ++I) {
3156 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) {
3157 assert (!LastPiece &&
3158 "There can only be one final piece in a diagnostic.");
3159 LastPiece.reset(Piece);
3160 }
3161 }
3162
3163 if (ActiveScheme != PathDiagnosticConsumer::None) {
3164 if (!LastPiece)
3165 LastPiece.reset(BugReporterVisitor::getDefaultEndPath(PDB, N, *R));
3166 assert(LastPiece);
3167 PD.setEndOfPath(LastPiece.release());
3168 }
3169
3170 // Make sure we get a clean location context map so we don't
3171 // hold onto old mappings.
3172 LCM.clear();
3173
3174 switch (ActiveScheme) {
3175 case PathDiagnosticConsumer::AlternateExtensive:
3176 GenerateAlternateExtensivePathDiagnostic(PD, PDB, N, LCM, visitors);
3177 break;
3178 case PathDiagnosticConsumer::Extensive:
3179 GenerateExtensivePathDiagnostic(PD, PDB, N, LCM, visitors);
3180 break;
3181 case PathDiagnosticConsumer::Minimal:
3182 GenerateMinimalPathDiagnostic(PD, PDB, N, LCM, visitors);
3183 break;
3184 case PathDiagnosticConsumer::None:
3185 GenerateVisitorsOnlyPathDiagnostic(PD, PDB, N, visitors);
3186 break;
3187 }
3188
3189 // Clean up the visitors we used.
3190 llvm::DeleteContainerPointers(visitors);
3191
3192 // Did anything change while generating this path?
3193 finalReportConfigToken = R->getConfigurationChangeToken();
3194 } while (finalReportConfigToken != origReportConfigToken);
3195
3196 if (!R->isValid())
3197 continue;
3198
3199 // Finally, prune the diagnostic path of uninteresting stuff.
3200 if (!PD.path.empty()) {
3201 if (R->shouldPrunePath() && getAnalyzerOptions().shouldPrunePaths()) {
3202 bool stillHasNotes = removeUnneededCalls(PD.getMutablePieces(), R, LCM);
3203 assert(stillHasNotes);
3204 (void)stillHasNotes;
3205 }
3206
3207 // Redirect all call pieces to have valid locations.
3208 adjustCallLocations(PD.getMutablePieces());
3209 removePiecesWithInvalidLocations(PD.getMutablePieces());
3210
3211 if (ActiveScheme == PathDiagnosticConsumer::AlternateExtensive) {
3212 SourceManager &SM = getSourceManager();
3213
3214 // Reduce the number of edges from a very conservative set
3215 // to an aesthetically pleasing subset that conveys the
3216 // necessary information.
3217 OptimizedCallsSet OCS;
3218 while (optimizeEdges(PD.getMutablePieces(), SM, OCS, LCM)) {}
3219
3220 // Drop the very first function-entry edge. It's not really necessary
3221 // for top-level functions.
3222 dropFunctionEntryEdge(PD.getMutablePieces(), LCM, SM);
3223 }
3224
3225 // Remove messages that are basically the same, and edges that may not
3226 // make sense.
3227 // We have to do this after edge optimization in the Extensive mode.
3228 removeRedundantMsgs(PD.getMutablePieces());
3229 removeEdgesToDefaultInitializers(PD.getMutablePieces());
3230 }
3231
3232 // We found a report and didn't suppress it.
3233 return true;
3234 }
3235
3236 // We suppressed all the reports in this equivalence class.
3237 assert(!HasInvalid && "Inconsistent suppression");
3238 (void)HasInvalid;
3239 return false;
3240 }
3241
Register(BugType * BT)3242 void BugReporter::Register(BugType *BT) {
3243 BugTypes = F.add(BugTypes, BT);
3244 }
3245
emitReport(BugReport * R)3246 void BugReporter::emitReport(BugReport* R) {
3247 // To guarantee memory release.
3248 std::unique_ptr<BugReport> UniqueR(R);
3249
3250 // Defensive checking: throw the bug away if it comes from a BodyFarm-
3251 // generated body. We do this very early because report processing relies
3252 // on the report's location being valid.
3253 // FIXME: Valid bugs can occur in BodyFarm-generated bodies, so really we
3254 // need to just find a reasonable location like we do later on with the path
3255 // pieces.
3256 if (const ExplodedNode *E = R->getErrorNode()) {
3257 const LocationContext *LCtx = E->getLocationContext();
3258 if (LCtx->getAnalysisDeclContext()->isBodyAutosynthesized())
3259 return;
3260 }
3261
3262 bool ValidSourceLoc = R->getLocation(getSourceManager()).isValid();
3263 assert(ValidSourceLoc);
3264 // If we mess up in a release build, we'd still prefer to just drop the bug
3265 // instead of trying to go on.
3266 if (!ValidSourceLoc)
3267 return;
3268
3269 // Compute the bug report's hash to determine its equivalence class.
3270 llvm::FoldingSetNodeID ID;
3271 R->Profile(ID);
3272
3273 // Lookup the equivance class. If there isn't one, create it.
3274 BugType& BT = R->getBugType();
3275 Register(&BT);
3276 void *InsertPos;
3277 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos);
3278
3279 if (!EQ) {
3280 EQ = new BugReportEquivClass(UniqueR.release());
3281 EQClasses.InsertNode(EQ, InsertPos);
3282 EQClassesVector.push_back(EQ);
3283 }
3284 else
3285 EQ->AddReport(UniqueR.release());
3286 }
3287
3288
3289 //===----------------------------------------------------------------------===//
3290 // Emitting reports in equivalence classes.
3291 //===----------------------------------------------------------------------===//
3292
3293 namespace {
3294 struct FRIEC_WLItem {
3295 const ExplodedNode *N;
3296 ExplodedNode::const_succ_iterator I, E;
3297
FRIEC_WLItem__anonf508b3060411::FRIEC_WLItem3298 FRIEC_WLItem(const ExplodedNode *n)
3299 : N(n), I(N->succ_begin()), E(N->succ_end()) {}
3300 };
3301 }
3302
3303 static BugReport *
FindReportInEquivalenceClass(BugReportEquivClass & EQ,SmallVectorImpl<BugReport * > & bugReports)3304 FindReportInEquivalenceClass(BugReportEquivClass& EQ,
3305 SmallVectorImpl<BugReport*> &bugReports) {
3306
3307 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end();
3308 assert(I != E);
3309 BugType& BT = I->getBugType();
3310
3311 // If we don't need to suppress any of the nodes because they are
3312 // post-dominated by a sink, simply add all the nodes in the equivalence class
3313 // to 'Nodes'. Any of the reports will serve as a "representative" report.
3314 if (!BT.isSuppressOnSink()) {
3315 BugReport *R = I;
3316 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) {
3317 const ExplodedNode *N = I->getErrorNode();
3318 if (N) {
3319 R = I;
3320 bugReports.push_back(R);
3321 }
3322 }
3323 return R;
3324 }
3325
3326 // For bug reports that should be suppressed when all paths are post-dominated
3327 // by a sink node, iterate through the reports in the equivalence class
3328 // until we find one that isn't post-dominated (if one exists). We use a
3329 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write
3330 // this as a recursive function, but we don't want to risk blowing out the
3331 // stack for very long paths.
3332 BugReport *exampleReport = nullptr;
3333
3334 for (; I != E; ++I) {
3335 const ExplodedNode *errorNode = I->getErrorNode();
3336
3337 if (!errorNode)
3338 continue;
3339 if (errorNode->isSink()) {
3340 llvm_unreachable(
3341 "BugType::isSuppressSink() should not be 'true' for sink end nodes");
3342 }
3343 // No successors? By definition this nodes isn't post-dominated by a sink.
3344 if (errorNode->succ_empty()) {
3345 bugReports.push_back(I);
3346 if (!exampleReport)
3347 exampleReport = I;
3348 continue;
3349 }
3350
3351 // At this point we know that 'N' is not a sink and it has at least one
3352 // successor. Use a DFS worklist to find a non-sink end-of-path node.
3353 typedef FRIEC_WLItem WLItem;
3354 typedef SmallVector<WLItem, 10> DFSWorkList;
3355 llvm::DenseMap<const ExplodedNode *, unsigned> Visited;
3356
3357 DFSWorkList WL;
3358 WL.push_back(errorNode);
3359 Visited[errorNode] = 1;
3360
3361 while (!WL.empty()) {
3362 WLItem &WI = WL.back();
3363 assert(!WI.N->succ_empty());
3364
3365 for (; WI.I != WI.E; ++WI.I) {
3366 const ExplodedNode *Succ = *WI.I;
3367 // End-of-path node?
3368 if (Succ->succ_empty()) {
3369 // If we found an end-of-path node that is not a sink.
3370 if (!Succ->isSink()) {
3371 bugReports.push_back(I);
3372 if (!exampleReport)
3373 exampleReport = I;
3374 WL.clear();
3375 break;
3376 }
3377 // Found a sink? Continue on to the next successor.
3378 continue;
3379 }
3380 // Mark the successor as visited. If it hasn't been explored,
3381 // enqueue it to the DFS worklist.
3382 unsigned &mark = Visited[Succ];
3383 if (!mark) {
3384 mark = 1;
3385 WL.push_back(Succ);
3386 break;
3387 }
3388 }
3389
3390 // The worklist may have been cleared at this point. First
3391 // check if it is empty before checking the last item.
3392 if (!WL.empty() && &WL.back() == &WI)
3393 WL.pop_back();
3394 }
3395 }
3396
3397 // ExampleReport will be NULL if all the nodes in the equivalence class
3398 // were post-dominated by sinks.
3399 return exampleReport;
3400 }
3401
FlushReport(BugReportEquivClass & EQ)3402 void BugReporter::FlushReport(BugReportEquivClass& EQ) {
3403 SmallVector<BugReport*, 10> bugReports;
3404 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports);
3405 if (exampleReport) {
3406 for (PathDiagnosticConsumer *PDC : getPathDiagnosticConsumers()) {
3407 FlushReport(exampleReport, *PDC, bugReports);
3408 }
3409 }
3410 }
3411
FlushReport(BugReport * exampleReport,PathDiagnosticConsumer & PD,ArrayRef<BugReport * > bugReports)3412 void BugReporter::FlushReport(BugReport *exampleReport,
3413 PathDiagnosticConsumer &PD,
3414 ArrayRef<BugReport*> bugReports) {
3415
3416 // FIXME: Make sure we use the 'R' for the path that was actually used.
3417 // Probably doesn't make a difference in practice.
3418 BugType& BT = exampleReport->getBugType();
3419
3420 std::unique_ptr<PathDiagnostic> D(new PathDiagnostic(
3421 exampleReport->getBugType().getCheckName(),
3422 exampleReport->getDeclWithIssue(), exampleReport->getBugType().getName(),
3423 exampleReport->getDescription(),
3424 exampleReport->getShortDescription(/*Fallback=*/false), BT.getCategory(),
3425 exampleReport->getUniqueingLocation(),
3426 exampleReport->getUniqueingDecl()));
3427
3428 MaxBugClassSize = std::max(bugReports.size(),
3429 static_cast<size_t>(MaxBugClassSize));
3430
3431 // Generate the full path diagnostic, using the generation scheme
3432 // specified by the PathDiagnosticConsumer. Note that we have to generate
3433 // path diagnostics even for consumers which do not support paths, because
3434 // the BugReporterVisitors may mark this bug as a false positive.
3435 if (!bugReports.empty())
3436 if (!generatePathDiagnostic(*D.get(), PD, bugReports))
3437 return;
3438
3439 MaxValidBugClassSize = std::max(bugReports.size(),
3440 static_cast<size_t>(MaxValidBugClassSize));
3441
3442 // Examine the report and see if the last piece is in a header. Reset the
3443 // report location to the last piece in the main source file.
3444 AnalyzerOptions& Opts = getAnalyzerOptions();
3445 if (Opts.shouldReportIssuesInMainSourceFile() && !Opts.AnalyzeAll)
3446 D->resetDiagnosticLocationToMainFile();
3447
3448 // If the path is empty, generate a single step path with the location
3449 // of the issue.
3450 if (D->path.empty()) {
3451 PathDiagnosticLocation L = exampleReport->getLocation(getSourceManager());
3452 PathDiagnosticPiece *piece =
3453 new PathDiagnosticEventPiece(L, exampleReport->getDescription());
3454 BugReport::ranges_iterator Beg, End;
3455 std::tie(Beg, End) = exampleReport->getRanges();
3456 for ( ; Beg != End; ++Beg)
3457 piece->addRange(*Beg);
3458 D->setEndOfPath(piece);
3459 }
3460
3461 // Get the meta data.
3462 const BugReport::ExtraTextList &Meta = exampleReport->getExtraText();
3463 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(),
3464 e = Meta.end(); i != e; ++i) {
3465 D->addMeta(*i);
3466 }
3467
3468 PD.HandlePathDiagnostic(D.release());
3469 }
3470
EmitBasicReport(const Decl * DeclWithIssue,const CheckerBase * Checker,StringRef Name,StringRef Category,StringRef Str,PathDiagnosticLocation Loc,ArrayRef<SourceRange> Ranges)3471 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
3472 const CheckerBase *Checker,
3473 StringRef Name, StringRef Category,
3474 StringRef Str, PathDiagnosticLocation Loc,
3475 ArrayRef<SourceRange> Ranges) {
3476 EmitBasicReport(DeclWithIssue, Checker->getCheckName(), Name, Category, Str,
3477 Loc, Ranges);
3478 }
EmitBasicReport(const Decl * DeclWithIssue,CheckName CheckName,StringRef name,StringRef category,StringRef str,PathDiagnosticLocation Loc,ArrayRef<SourceRange> Ranges)3479 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
3480 CheckName CheckName,
3481 StringRef name, StringRef category,
3482 StringRef str, PathDiagnosticLocation Loc,
3483 ArrayRef<SourceRange> Ranges) {
3484
3485 // 'BT' is owned by BugReporter.
3486 BugType *BT = getBugTypeForName(CheckName, name, category);
3487 BugReport *R = new BugReport(*BT, str, Loc);
3488 R->setDeclWithIssue(DeclWithIssue);
3489 for (ArrayRef<SourceRange>::iterator I = Ranges.begin(), E = Ranges.end();
3490 I != E; ++I)
3491 R->addRange(*I);
3492 emitReport(R);
3493 }
3494
getBugTypeForName(CheckName CheckName,StringRef name,StringRef category)3495 BugType *BugReporter::getBugTypeForName(CheckName CheckName, StringRef name,
3496 StringRef category) {
3497 SmallString<136> fullDesc;
3498 llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name
3499 << ":" << category;
3500 llvm::StringMapEntry<BugType *> &
3501 entry = StrBugTypes.GetOrCreateValue(fullDesc);
3502 BugType *BT = entry.getValue();
3503 if (!BT) {
3504 BT = new BugType(CheckName, name, category);
3505 entry.setValue(BT);
3506 }
3507 return BT;
3508 }
3509
dump() const3510 LLVM_DUMP_METHOD void PathPieces::dump() const {
3511 unsigned index = 0;
3512 for (PathPieces::const_iterator I = begin(), E = end(); I != E; ++I) {
3513 llvm::errs() << "[" << index++ << "] ";
3514 (*I)->dump();
3515 llvm::errs() << "\n";
3516 }
3517 }
3518
dump() const3519 void PathDiagnosticCallPiece::dump() const {
3520 llvm::errs() << "CALL\n--------------\n";
3521
3522 if (const Stmt *SLoc = getLocStmt(getLocation()))
3523 SLoc->dump();
3524 else if (const NamedDecl *ND = dyn_cast<NamedDecl>(getCallee()))
3525 llvm::errs() << *ND << "\n";
3526 else
3527 getLocation().dump();
3528 }
3529
dump() const3530 void PathDiagnosticEventPiece::dump() const {
3531 llvm::errs() << "EVENT\n--------------\n";
3532 llvm::errs() << getString() << "\n";
3533 llvm::errs() << " ---- at ----\n";
3534 getLocation().dump();
3535 }
3536
dump() const3537 void PathDiagnosticControlFlowPiece::dump() const {
3538 llvm::errs() << "CONTROL\n--------------\n";
3539 getStartLocation().dump();
3540 llvm::errs() << " ---- to ----\n";
3541 getEndLocation().dump();
3542 }
3543
dump() const3544 void PathDiagnosticMacroPiece::dump() const {
3545 llvm::errs() << "MACRO\n--------------\n";
3546 // FIXME: Print which macro is being invoked.
3547 }
3548
dump() const3549 void PathDiagnosticLocation::dump() const {
3550 if (!isValid()) {
3551 llvm::errs() << "<INVALID>\n";
3552 return;
3553 }
3554
3555 switch (K) {
3556 case RangeK:
3557 // FIXME: actually print the range.
3558 llvm::errs() << "<range>\n";
3559 break;
3560 case SingleLocK:
3561 asLocation().dump();
3562 llvm::errs() << "\n";
3563 break;
3564 case StmtK:
3565 if (S)
3566 S->dump();
3567 else
3568 llvm::errs() << "<NULL STMT>\n";
3569 break;
3570 case DeclK:
3571 if (const NamedDecl *ND = dyn_cast_or_null<NamedDecl>(D))
3572 llvm::errs() << *ND << "\n";
3573 else if (isa<BlockDecl>(D))
3574 // FIXME: Make this nicer.
3575 llvm::errs() << "<block>\n";
3576 else if (D)
3577 llvm::errs() << "<unknown decl>\n";
3578 else
3579 llvm::errs() << "<NULL DECL>\n";
3580 break;
3581 }
3582 }
3583