clang API Documentation
00001 // BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--// 00002 // 00003 // The LLVM Compiler Infrastructure 00004 // 00005 // This file is distributed under the University of Illinois Open Source 00006 // License. See LICENSE.TXT for details. 00007 // 00008 //===----------------------------------------------------------------------===// 00009 // 00010 // This file defines BugReporter, a utility class for generating 00011 // PathDiagnostics. 00012 // 00013 //===----------------------------------------------------------------------===// 00014 00015 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 00016 #include "clang/StaticAnalyzer/Core/BugReporter/BugType.h" 00017 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 00018 #include "clang/AST/ASTContext.h" 00019 #include "clang/Analysis/CFG.h" 00020 #include "clang/AST/DeclObjC.h" 00021 #include "clang/AST/Expr.h" 00022 #include "clang/AST/ParentMap.h" 00023 #include "clang/AST/StmtObjC.h" 00024 #include "clang/Basic/SourceManager.h" 00025 #include "clang/Analysis/ProgramPoint.h" 00026 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 00027 #include "llvm/Support/raw_ostream.h" 00028 #include "llvm/ADT/DenseMap.h" 00029 #include "llvm/ADT/SmallString.h" 00030 #include "llvm/ADT/STLExtras.h" 00031 #include "llvm/ADT/OwningPtr.h" 00032 #include "llvm/ADT/IntrusiveRefCntPtr.h" 00033 #include <queue> 00034 00035 using namespace clang; 00036 using namespace ento; 00037 00038 BugReporterVisitor::~BugReporterVisitor() {} 00039 00040 void BugReporterContext::anchor() {} 00041 00042 //===----------------------------------------------------------------------===// 00043 // Helper routines for walking the ExplodedGraph and fetching statements. 00044 //===----------------------------------------------------------------------===// 00045 00046 static inline const Stmt *GetStmt(const ProgramPoint &P) { 00047 if (const StmtPoint* SP = dyn_cast<StmtPoint>(&P)) 00048 return SP->getStmt(); 00049 else if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) 00050 return BE->getSrc()->getTerminator(); 00051 00052 return 0; 00053 } 00054 00055 static inline const ExplodedNode* 00056 GetPredecessorNode(const ExplodedNode *N) { 00057 return N->pred_empty() ? NULL : *(N->pred_begin()); 00058 } 00059 00060 static inline const ExplodedNode* 00061 GetSuccessorNode(const ExplodedNode *N) { 00062 return N->succ_empty() ? NULL : *(N->succ_begin()); 00063 } 00064 00065 static const Stmt *GetPreviousStmt(const ExplodedNode *N) { 00066 for (N = GetPredecessorNode(N); N; N = GetPredecessorNode(N)) 00067 if (const Stmt *S = GetStmt(N->getLocation())) 00068 return S; 00069 00070 return 0; 00071 } 00072 00073 static const Stmt *GetNextStmt(const ExplodedNode *N) { 00074 for (N = GetSuccessorNode(N); N; N = GetSuccessorNode(N)) 00075 if (const Stmt *S = GetStmt(N->getLocation())) { 00076 // Check if the statement is '?' or '&&'/'||'. These are "merges", 00077 // not actual statement points. 00078 switch (S->getStmtClass()) { 00079 case Stmt::ChooseExprClass: 00080 case Stmt::BinaryConditionalOperatorClass: continue; 00081 case Stmt::ConditionalOperatorClass: continue; 00082 case Stmt::BinaryOperatorClass: { 00083 BinaryOperatorKind Op = cast<BinaryOperator>(S)->getOpcode(); 00084 if (Op == BO_LAnd || Op == BO_LOr) 00085 continue; 00086 break; 00087 } 00088 default: 00089 break; 00090 } 00091 return S; 00092 } 00093 00094 return 0; 00095 } 00096 00097 static inline const Stmt* 00098 GetCurrentOrPreviousStmt(const ExplodedNode *N) { 00099 if (const Stmt *S = GetStmt(N->getLocation())) 00100 return S; 00101 00102 return GetPreviousStmt(N); 00103 } 00104 00105 static inline const Stmt* 00106 GetCurrentOrNextStmt(const ExplodedNode *N) { 00107 if (const Stmt *S = GetStmt(N->getLocation())) 00108 return S; 00109 00110 return GetNextStmt(N); 00111 } 00112 00113 //===----------------------------------------------------------------------===// 00114 // Diagnostic cleanup. 00115 //===----------------------------------------------------------------------===// 00116 00117 /// Recursively scan through a path and prune out calls and macros pieces 00118 /// that aren't needed. Return true if afterwards the path contains 00119 /// "interesting stuff" which means it should be pruned from the parent path. 00120 static bool RemoveUneededCalls(PathPieces &pieces) { 00121 bool containsSomethingInteresting = false; 00122 const unsigned N = pieces.size(); 00123 00124 for (unsigned i = 0 ; i < N ; ++i) { 00125 // Remove the front piece from the path. If it is still something we 00126 // want to keep once we are done, we will push it back on the end. 00127 IntrusiveRefCntPtr<PathDiagnosticPiece> piece(pieces.front()); 00128 pieces.pop_front(); 00129 00130 switch (piece->getKind()) { 00131 case PathDiagnosticPiece::Call: { 00132 PathDiagnosticCallPiece *call = cast<PathDiagnosticCallPiece>(piece); 00133 // Recursively clean out the subclass. Keep this call around if 00134 // it contains any informative diagnostics. 00135 if (!RemoveUneededCalls(call->path)) 00136 continue; 00137 containsSomethingInteresting = true; 00138 break; 00139 } 00140 case PathDiagnosticPiece::Macro: { 00141 PathDiagnosticMacroPiece *macro = cast<PathDiagnosticMacroPiece>(piece); 00142 if (!RemoveUneededCalls(macro->subPieces)) 00143 continue; 00144 containsSomethingInteresting = true; 00145 break; 00146 } 00147 case PathDiagnosticPiece::Event: { 00148 PathDiagnosticEventPiece *event = cast<PathDiagnosticEventPiece>(piece); 00149 // We never throw away an event, but we do throw it away wholesale 00150 // as part of a path if we throw the entire path away. 00151 if (event->isPrunable()) 00152 continue; 00153 containsSomethingInteresting = true; 00154 break; 00155 } 00156 case PathDiagnosticPiece::ControlFlow: 00157 break; 00158 } 00159 00160 pieces.push_back(piece); 00161 } 00162 00163 return containsSomethingInteresting; 00164 } 00165 00166 //===----------------------------------------------------------------------===// 00167 // PathDiagnosticBuilder and its associated routines and helper objects. 00168 //===----------------------------------------------------------------------===// 00169 00170 typedef llvm::DenseMap<const ExplodedNode*, 00171 const ExplodedNode*> NodeBackMap; 00172 00173 namespace { 00174 class NodeMapClosure : public BugReport::NodeResolver { 00175 NodeBackMap& M; 00176 public: 00177 NodeMapClosure(NodeBackMap *m) : M(*m) {} 00178 ~NodeMapClosure() {} 00179 00180 const ExplodedNode *getOriginalNode(const ExplodedNode *N) { 00181 NodeBackMap::iterator I = M.find(N); 00182 return I == M.end() ? 0 : I->second; 00183 } 00184 }; 00185 00186 class PathDiagnosticBuilder : public BugReporterContext { 00187 BugReport *R; 00188 PathDiagnosticConsumer *PDC; 00189 OwningPtr<ParentMap> PM; 00190 NodeMapClosure NMC; 00191 public: 00192 const LocationContext *LC; 00193 00194 PathDiagnosticBuilder(GRBugReporter &br, 00195 BugReport *r, NodeBackMap *Backmap, 00196 PathDiagnosticConsumer *pdc) 00197 : BugReporterContext(br), 00198 R(r), PDC(pdc), NMC(Backmap), LC(r->getErrorNode()->getLocationContext()) 00199 {} 00200 00201 PathDiagnosticLocation ExecutionContinues(const ExplodedNode *N); 00202 00203 PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream &os, 00204 const ExplodedNode *N); 00205 00206 BugReport *getBugReport() { return R; } 00207 00208 Decl const &getCodeDecl() { return R->getErrorNode()->getCodeDecl(); } 00209 00210 ParentMap& getParentMap() { return LC->getParentMap(); } 00211 00212 const Stmt *getParent(const Stmt *S) { 00213 return getParentMap().getParent(S); 00214 } 00215 00216 virtual NodeMapClosure& getNodeResolver() { return NMC; } 00217 00218 PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S); 00219 00220 PathDiagnosticConsumer::PathGenerationScheme getGenerationScheme() const { 00221 return PDC ? PDC->getGenerationScheme() : PathDiagnosticConsumer::Extensive; 00222 } 00223 00224 bool supportsLogicalOpControlFlow() const { 00225 return PDC ? PDC->supportsLogicalOpControlFlow() : true; 00226 } 00227 }; 00228 } // end anonymous namespace 00229 00230 PathDiagnosticLocation 00231 PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode *N) { 00232 if (const Stmt *S = GetNextStmt(N)) 00233 return PathDiagnosticLocation(S, getSourceManager(), LC); 00234 00235 return PathDiagnosticLocation::createDeclEnd(N->getLocationContext(), 00236 getSourceManager()); 00237 } 00238 00239 PathDiagnosticLocation 00240 PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream &os, 00241 const ExplodedNode *N) { 00242 00243 // Slow, but probably doesn't matter. 00244 if (os.str().empty()) 00245 os << ' '; 00246 00247 const PathDiagnosticLocation &Loc = ExecutionContinues(N); 00248 00249 if (Loc.asStmt()) 00250 os << "Execution continues on line " 00251 << getSourceManager().getExpansionLineNumber(Loc.asLocation()) 00252 << '.'; 00253 else { 00254 os << "Execution jumps to the end of the "; 00255 const Decl *D = N->getLocationContext()->getDecl(); 00256 if (isa<ObjCMethodDecl>(D)) 00257 os << "method"; 00258 else if (isa<FunctionDecl>(D)) 00259 os << "function"; 00260 else { 00261 assert(isa<BlockDecl>(D)); 00262 os << "anonymous block"; 00263 } 00264 os << '.'; 00265 } 00266 00267 return Loc; 00268 } 00269 00270 static bool IsNested(const Stmt *S, ParentMap &PM) { 00271 if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S))) 00272 return true; 00273 00274 const Stmt *Parent = PM.getParentIgnoreParens(S); 00275 00276 if (Parent) 00277 switch (Parent->getStmtClass()) { 00278 case Stmt::ForStmtClass: 00279 case Stmt::DoStmtClass: 00280 case Stmt::WhileStmtClass: 00281 return true; 00282 default: 00283 break; 00284 } 00285 00286 return false; 00287 } 00288 00289 PathDiagnosticLocation 00290 PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) { 00291 assert(S && "Null Stmt *passed to getEnclosingStmtLocation"); 00292 ParentMap &P = getParentMap(); 00293 SourceManager &SMgr = getSourceManager(); 00294 00295 while (IsNested(S, P)) { 00296 const Stmt *Parent = P.getParentIgnoreParens(S); 00297 00298 if (!Parent) 00299 break; 00300 00301 switch (Parent->getStmtClass()) { 00302 case Stmt::BinaryOperatorClass: { 00303 const BinaryOperator *B = cast<BinaryOperator>(Parent); 00304 if (B->isLogicalOp()) 00305 return PathDiagnosticLocation(S, SMgr, LC); 00306 break; 00307 } 00308 case Stmt::CompoundStmtClass: 00309 case Stmt::StmtExprClass: 00310 return PathDiagnosticLocation(S, SMgr, LC); 00311 case Stmt::ChooseExprClass: 00312 // Similar to '?' if we are referring to condition, just have the edge 00313 // point to the entire choose expression. 00314 if (cast<ChooseExpr>(Parent)->getCond() == S) 00315 return PathDiagnosticLocation(Parent, SMgr, LC); 00316 else 00317 return PathDiagnosticLocation(S, SMgr, LC); 00318 case Stmt::BinaryConditionalOperatorClass: 00319 case Stmt::ConditionalOperatorClass: 00320 // For '?', if we are referring to condition, just have the edge point 00321 // to the entire '?' expression. 00322 if (cast<AbstractConditionalOperator>(Parent)->getCond() == S) 00323 return PathDiagnosticLocation(Parent, SMgr, LC); 00324 else 00325 return PathDiagnosticLocation(S, SMgr, LC); 00326 case Stmt::DoStmtClass: 00327 return PathDiagnosticLocation(S, SMgr, LC); 00328 case Stmt::ForStmtClass: 00329 if (cast<ForStmt>(Parent)->getBody() == S) 00330 return PathDiagnosticLocation(S, SMgr, LC); 00331 break; 00332 case Stmt::IfStmtClass: 00333 if (cast<IfStmt>(Parent)->getCond() != S) 00334 return PathDiagnosticLocation(S, SMgr, LC); 00335 break; 00336 case Stmt::ObjCForCollectionStmtClass: 00337 if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S) 00338 return PathDiagnosticLocation(S, SMgr, LC); 00339 break; 00340 case Stmt::WhileStmtClass: 00341 if (cast<WhileStmt>(Parent)->getCond() != S) 00342 return PathDiagnosticLocation(S, SMgr, LC); 00343 break; 00344 default: 00345 break; 00346 } 00347 00348 S = Parent; 00349 } 00350 00351 assert(S && "Cannot have null Stmt for PathDiagnosticLocation"); 00352 00353 // Special case: DeclStmts can appear in for statement declarations, in which 00354 // case the ForStmt is the context. 00355 if (isa<DeclStmt>(S)) { 00356 if (const Stmt *Parent = P.getParent(S)) { 00357 switch (Parent->getStmtClass()) { 00358 case Stmt::ForStmtClass: 00359 case Stmt::ObjCForCollectionStmtClass: 00360 return PathDiagnosticLocation(Parent, SMgr, LC); 00361 default: 00362 break; 00363 } 00364 } 00365 } 00366 else if (isa<BinaryOperator>(S)) { 00367 // Special case: the binary operator represents the initialization 00368 // code in a for statement (this can happen when the variable being 00369 // initialized is an old variable. 00370 if (const ForStmt *FS = 00371 dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) { 00372 if (FS->getInit() == S) 00373 return PathDiagnosticLocation(FS, SMgr, LC); 00374 } 00375 } 00376 00377 return PathDiagnosticLocation(S, SMgr, LC); 00378 } 00379 00380 //===----------------------------------------------------------------------===// 00381 // "Minimal" path diagnostic generation algorithm. 00382 //===----------------------------------------------------------------------===// 00383 typedef std::pair<PathDiagnosticCallPiece*, const ExplodedNode*> StackDiagPair; 00384 typedef SmallVector<StackDiagPair, 6> StackDiagVector; 00385 00386 static void updateStackPiecesWithMessage(PathDiagnosticPiece *P, 00387 StackDiagVector &CallStack) { 00388 // If the piece contains a special message, add it to all the call 00389 // pieces on the active stack. 00390 if (PathDiagnosticEventPiece *ep = 00391 dyn_cast<PathDiagnosticEventPiece>(P)) { 00392 00393 if (ep->hasCallStackHint()) 00394 for (StackDiagVector::iterator I = CallStack.begin(), 00395 E = CallStack.end(); I != E; ++I) { 00396 PathDiagnosticCallPiece *CP = I->first; 00397 const ExplodedNode *N = I->second; 00398 std::string stackMsg = ep->getCallStackMessage(N); 00399 00400 // The last message on the path to final bug is the most important 00401 // one. Since we traverse the path backwards, do not add the message 00402 // if one has been previously added. 00403 if (!CP->hasCallStackMessage()) 00404 CP->setCallStackMessage(stackMsg); 00405 } 00406 } 00407 } 00408 00409 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM); 00410 00411 static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD, 00412 PathDiagnosticBuilder &PDB, 00413 const ExplodedNode *N, 00414 ArrayRef<BugReporterVisitor *> visitors) { 00415 00416 SourceManager& SMgr = PDB.getSourceManager(); 00417 const LocationContext *LC = PDB.LC; 00418 const ExplodedNode *NextNode = N->pred_empty() 00419 ? NULL : *(N->pred_begin()); 00420 00421 StackDiagVector CallStack; 00422 00423 while (NextNode) { 00424 N = NextNode; 00425 PDB.LC = N->getLocationContext(); 00426 NextNode = GetPredecessorNode(N); 00427 00428 ProgramPoint P = N->getLocation(); 00429 00430 if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) { 00431 PathDiagnosticCallPiece *C = 00432 PathDiagnosticCallPiece::construct(N, *CE, SMgr); 00433 PD.getActivePath().push_front(C); 00434 PD.pushActivePath(&C->path); 00435 CallStack.push_back(StackDiagPair(C, N)); 00436 continue; 00437 } 00438 00439 if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) { 00440 PD.popActivePath(); 00441 // The current active path should never be empty. Either we 00442 // just added a bunch of stuff to the top-level path, or 00443 // we have a previous CallExitEnd. If the front of the active 00444 // path is not a PathDiagnosticCallPiece, it means that the 00445 // path terminated within a function call. We must then take the 00446 // current contents of the active path and place it within 00447 // a new PathDiagnosticCallPiece. 00448 assert(!PD.getActivePath().empty()); 00449 PathDiagnosticCallPiece *C = 00450 dyn_cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 00451 if (!C) { 00452 const Decl *Caller = CE->getLocationContext()->getDecl(); 00453 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 00454 } 00455 C->setCallee(*CE, SMgr); 00456 if (!CallStack.empty()) { 00457 assert(CallStack.back().first == C); 00458 CallStack.pop_back(); 00459 } 00460 continue; 00461 } 00462 00463 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 00464 const CFGBlock *Src = BE->getSrc(); 00465 const CFGBlock *Dst = BE->getDst(); 00466 const Stmt *T = Src->getTerminator(); 00467 00468 if (!T) 00469 continue; 00470 00471 PathDiagnosticLocation Start = 00472 PathDiagnosticLocation::createBegin(T, SMgr, 00473 N->getLocationContext()); 00474 00475 switch (T->getStmtClass()) { 00476 default: 00477 break; 00478 00479 case Stmt::GotoStmtClass: 00480 case Stmt::IndirectGotoStmtClass: { 00481 const Stmt *S = GetNextStmt(N); 00482 00483 if (!S) 00484 continue; 00485 00486 std::string sbuf; 00487 llvm::raw_string_ostream os(sbuf); 00488 const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S); 00489 00490 os << "Control jumps to line " 00491 << End.asLocation().getExpansionLineNumber(); 00492 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00493 os.str())); 00494 break; 00495 } 00496 00497 case Stmt::SwitchStmtClass: { 00498 // Figure out what case arm we took. 00499 std::string sbuf; 00500 llvm::raw_string_ostream os(sbuf); 00501 00502 if (const Stmt *S = Dst->getLabel()) { 00503 PathDiagnosticLocation End(S, SMgr, LC); 00504 00505 switch (S->getStmtClass()) { 00506 default: 00507 os << "No cases match in the switch statement. " 00508 "Control jumps to line " 00509 << End.asLocation().getExpansionLineNumber(); 00510 break; 00511 case Stmt::DefaultStmtClass: 00512 os << "Control jumps to the 'default' case at line " 00513 << End.asLocation().getExpansionLineNumber(); 00514 break; 00515 00516 case Stmt::CaseStmtClass: { 00517 os << "Control jumps to 'case "; 00518 const CaseStmt *Case = cast<CaseStmt>(S); 00519 const Expr *LHS = Case->getLHS()->IgnoreParenCasts(); 00520 00521 // Determine if it is an enum. 00522 bool GetRawInt = true; 00523 00524 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(LHS)) { 00525 // FIXME: Maybe this should be an assertion. Are there cases 00526 // were it is not an EnumConstantDecl? 00527 const EnumConstantDecl *D = 00528 dyn_cast<EnumConstantDecl>(DR->getDecl()); 00529 00530 if (D) { 00531 GetRawInt = false; 00532 os << *D; 00533 } 00534 } 00535 00536 if (GetRawInt) 00537 os << LHS->EvaluateKnownConstInt(PDB.getASTContext()); 00538 00539 os << ":' at line " 00540 << End.asLocation().getExpansionLineNumber(); 00541 break; 00542 } 00543 } 00544 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00545 os.str())); 00546 } 00547 else { 00548 os << "'Default' branch taken. "; 00549 const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N); 00550 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00551 os.str())); 00552 } 00553 00554 break; 00555 } 00556 00557 case Stmt::BreakStmtClass: 00558 case Stmt::ContinueStmtClass: { 00559 std::string sbuf; 00560 llvm::raw_string_ostream os(sbuf); 00561 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 00562 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00563 os.str())); 00564 break; 00565 } 00566 00567 // Determine control-flow for ternary '?'. 00568 case Stmt::BinaryConditionalOperatorClass: 00569 case Stmt::ConditionalOperatorClass: { 00570 std::string sbuf; 00571 llvm::raw_string_ostream os(sbuf); 00572 os << "'?' condition is "; 00573 00574 if (*(Src->succ_begin()+1) == Dst) 00575 os << "false"; 00576 else 00577 os << "true"; 00578 00579 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 00580 00581 if (const Stmt *S = End.asStmt()) 00582 End = PDB.getEnclosingStmtLocation(S); 00583 00584 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00585 os.str())); 00586 break; 00587 } 00588 00589 // Determine control-flow for short-circuited '&&' and '||'. 00590 case Stmt::BinaryOperatorClass: { 00591 if (!PDB.supportsLogicalOpControlFlow()) 00592 break; 00593 00594 const BinaryOperator *B = cast<BinaryOperator>(T); 00595 std::string sbuf; 00596 llvm::raw_string_ostream os(sbuf); 00597 os << "Left side of '"; 00598 00599 if (B->getOpcode() == BO_LAnd) { 00600 os << "&&" << "' is "; 00601 00602 if (*(Src->succ_begin()+1) == Dst) { 00603 os << "false"; 00604 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 00605 PathDiagnosticLocation Start = 00606 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 00607 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00608 os.str())); 00609 } 00610 else { 00611 os << "true"; 00612 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 00613 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 00614 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00615 os.str())); 00616 } 00617 } 00618 else { 00619 assert(B->getOpcode() == BO_LOr); 00620 os << "||" << "' is "; 00621 00622 if (*(Src->succ_begin()+1) == Dst) { 00623 os << "false"; 00624 PathDiagnosticLocation Start(B->getLHS(), SMgr, LC); 00625 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 00626 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00627 os.str())); 00628 } 00629 else { 00630 os << "true"; 00631 PathDiagnosticLocation End(B->getLHS(), SMgr, LC); 00632 PathDiagnosticLocation Start = 00633 PathDiagnosticLocation::createOperatorLoc(B, SMgr); 00634 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00635 os.str())); 00636 } 00637 } 00638 00639 break; 00640 } 00641 00642 case Stmt::DoStmtClass: { 00643 if (*(Src->succ_begin()) == Dst) { 00644 std::string sbuf; 00645 llvm::raw_string_ostream os(sbuf); 00646 00647 os << "Loop condition is true. "; 00648 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 00649 00650 if (const Stmt *S = End.asStmt()) 00651 End = PDB.getEnclosingStmtLocation(S); 00652 00653 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00654 os.str())); 00655 } 00656 else { 00657 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 00658 00659 if (const Stmt *S = End.asStmt()) 00660 End = PDB.getEnclosingStmtLocation(S); 00661 00662 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00663 "Loop condition is false. Exiting loop")); 00664 } 00665 00666 break; 00667 } 00668 00669 case Stmt::WhileStmtClass: 00670 case Stmt::ForStmtClass: { 00671 if (*(Src->succ_begin()+1) == Dst) { 00672 std::string sbuf; 00673 llvm::raw_string_ostream os(sbuf); 00674 00675 os << "Loop condition is false. "; 00676 PathDiagnosticLocation End = PDB.ExecutionContinues(os, N); 00677 if (const Stmt *S = End.asStmt()) 00678 End = PDB.getEnclosingStmtLocation(S); 00679 00680 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00681 os.str())); 00682 } 00683 else { 00684 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 00685 if (const Stmt *S = End.asStmt()) 00686 End = PDB.getEnclosingStmtLocation(S); 00687 00688 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00689 "Loop condition is true. Entering loop body")); 00690 } 00691 00692 break; 00693 } 00694 00695 case Stmt::IfStmtClass: { 00696 PathDiagnosticLocation End = PDB.ExecutionContinues(N); 00697 00698 if (const Stmt *S = End.asStmt()) 00699 End = PDB.getEnclosingStmtLocation(S); 00700 00701 if (*(Src->succ_begin()+1) == Dst) 00702 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00703 "Taking false branch")); 00704 else 00705 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(Start, End, 00706 "Taking true branch")); 00707 00708 break; 00709 } 00710 } 00711 } 00712 00713 if (NextNode) { 00714 // Add diagnostic pieces from custom visitors. 00715 BugReport *R = PDB.getBugReport(); 00716 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 00717 E = visitors.end(); 00718 I != E; ++I) { 00719 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 00720 PD.getActivePath().push_front(p); 00721 updateStackPiecesWithMessage(p, CallStack); 00722 } 00723 } 00724 } 00725 } 00726 00727 // After constructing the full PathDiagnostic, do a pass over it to compact 00728 // PathDiagnosticPieces that occur within a macro. 00729 CompactPathDiagnostic(PD.getMutablePieces(), PDB.getSourceManager()); 00730 } 00731 00732 //===----------------------------------------------------------------------===// 00733 // "Extensive" PathDiagnostic generation. 00734 //===----------------------------------------------------------------------===// 00735 00736 static bool IsControlFlowExpr(const Stmt *S) { 00737 const Expr *E = dyn_cast<Expr>(S); 00738 00739 if (!E) 00740 return false; 00741 00742 E = E->IgnoreParenCasts(); 00743 00744 if (isa<AbstractConditionalOperator>(E)) 00745 return true; 00746 00747 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(E)) 00748 if (B->isLogicalOp()) 00749 return true; 00750 00751 return false; 00752 } 00753 00754 namespace { 00755 class ContextLocation : public PathDiagnosticLocation { 00756 bool IsDead; 00757 public: 00758 ContextLocation(const PathDiagnosticLocation &L, bool isdead = false) 00759 : PathDiagnosticLocation(L), IsDead(isdead) {} 00760 00761 void markDead() { IsDead = true; } 00762 bool isDead() const { return IsDead; } 00763 }; 00764 00765 class EdgeBuilder { 00766 std::vector<ContextLocation> CLocs; 00767 typedef std::vector<ContextLocation>::iterator iterator; 00768 PathDiagnostic &PD; 00769 PathDiagnosticBuilder &PDB; 00770 PathDiagnosticLocation PrevLoc; 00771 00772 bool IsConsumedExpr(const PathDiagnosticLocation &L); 00773 00774 bool containsLocation(const PathDiagnosticLocation &Container, 00775 const PathDiagnosticLocation &Containee); 00776 00777 PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L); 00778 00779 PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L, 00780 bool firstCharOnly = false) { 00781 if (const Stmt *S = L.asStmt()) { 00782 const Stmt *Original = S; 00783 while (1) { 00784 // Adjust the location for some expressions that are best referenced 00785 // by one of their subexpressions. 00786 switch (S->getStmtClass()) { 00787 default: 00788 break; 00789 case Stmt::ParenExprClass: 00790 case Stmt::GenericSelectionExprClass: 00791 S = cast<Expr>(S)->IgnoreParens(); 00792 firstCharOnly = true; 00793 continue; 00794 case Stmt::BinaryConditionalOperatorClass: 00795 case Stmt::ConditionalOperatorClass: 00796 S = cast<AbstractConditionalOperator>(S)->getCond(); 00797 firstCharOnly = true; 00798 continue; 00799 case Stmt::ChooseExprClass: 00800 S = cast<ChooseExpr>(S)->getCond(); 00801 firstCharOnly = true; 00802 continue; 00803 case Stmt::BinaryOperatorClass: 00804 S = cast<BinaryOperator>(S)->getLHS(); 00805 firstCharOnly = true; 00806 continue; 00807 } 00808 00809 break; 00810 } 00811 00812 if (S != Original) 00813 L = PathDiagnosticLocation(S, L.getManager(), PDB.LC); 00814 } 00815 00816 if (firstCharOnly) 00817 L = PathDiagnosticLocation::createSingleLocation(L); 00818 00819 return L; 00820 } 00821 00822 void popLocation() { 00823 if (!CLocs.back().isDead() && CLocs.back().asLocation().isFileID()) { 00824 // For contexts, we only one the first character as the range. 00825 rawAddEdge(cleanUpLocation(CLocs.back(), true)); 00826 } 00827 CLocs.pop_back(); 00828 } 00829 00830 public: 00831 EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb) 00832 : PD(pd), PDB(pdb) { 00833 00834 // If the PathDiagnostic already has pieces, add the enclosing statement 00835 // of the first piece as a context as well. 00836 if (!PD.path.empty()) { 00837 PrevLoc = (*PD.path.begin())->getLocation(); 00838 00839 if (const Stmt *S = PrevLoc.asStmt()) 00840 addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 00841 } 00842 } 00843 00844 ~EdgeBuilder() { 00845 while (!CLocs.empty()) popLocation(); 00846 00847 // Finally, add an initial edge from the start location of the first 00848 // statement (if it doesn't already exist). 00849 PathDiagnosticLocation L = PathDiagnosticLocation::createDeclBegin( 00850 PDB.LC, 00851 PDB.getSourceManager()); 00852 if (L.isValid()) 00853 rawAddEdge(L); 00854 } 00855 00856 void flushLocations() { 00857 while (!CLocs.empty()) 00858 popLocation(); 00859 PrevLoc = PathDiagnosticLocation(); 00860 } 00861 00862 void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false); 00863 00864 void rawAddEdge(PathDiagnosticLocation NewLoc); 00865 00866 void addContext(const Stmt *S); 00867 void addExtendedContext(const Stmt *S); 00868 }; 00869 } // end anonymous namespace 00870 00871 00872 PathDiagnosticLocation 00873 EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) { 00874 if (const Stmt *S = L.asStmt()) { 00875 if (IsControlFlowExpr(S)) 00876 return L; 00877 00878 return PDB.getEnclosingStmtLocation(S); 00879 } 00880 00881 return L; 00882 } 00883 00884 bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container, 00885 const PathDiagnosticLocation &Containee) { 00886 00887 if (Container == Containee) 00888 return true; 00889 00890 if (Container.asDecl()) 00891 return true; 00892 00893 if (const Stmt *S = Containee.asStmt()) 00894 if (const Stmt *ContainerS = Container.asStmt()) { 00895 while (S) { 00896 if (S == ContainerS) 00897 return true; 00898 S = PDB.getParent(S); 00899 } 00900 return false; 00901 } 00902 00903 // Less accurate: compare using source ranges. 00904 SourceRange ContainerR = Container.asRange(); 00905 SourceRange ContaineeR = Containee.asRange(); 00906 00907 SourceManager &SM = PDB.getSourceManager(); 00908 SourceLocation ContainerRBeg = SM.getExpansionLoc(ContainerR.getBegin()); 00909 SourceLocation ContainerREnd = SM.getExpansionLoc(ContainerR.getEnd()); 00910 SourceLocation ContaineeRBeg = SM.getExpansionLoc(ContaineeR.getBegin()); 00911 SourceLocation ContaineeREnd = SM.getExpansionLoc(ContaineeR.getEnd()); 00912 00913 unsigned ContainerBegLine = SM.getExpansionLineNumber(ContainerRBeg); 00914 unsigned ContainerEndLine = SM.getExpansionLineNumber(ContainerREnd); 00915 unsigned ContaineeBegLine = SM.getExpansionLineNumber(ContaineeRBeg); 00916 unsigned ContaineeEndLine = SM.getExpansionLineNumber(ContaineeREnd); 00917 00918 assert(ContainerBegLine <= ContainerEndLine); 00919 assert(ContaineeBegLine <= ContaineeEndLine); 00920 00921 return (ContainerBegLine <= ContaineeBegLine && 00922 ContainerEndLine >= ContaineeEndLine && 00923 (ContainerBegLine != ContaineeBegLine || 00924 SM.getExpansionColumnNumber(ContainerRBeg) <= 00925 SM.getExpansionColumnNumber(ContaineeRBeg)) && 00926 (ContainerEndLine != ContaineeEndLine || 00927 SM.getExpansionColumnNumber(ContainerREnd) >= 00928 SM.getExpansionColumnNumber(ContaineeREnd))); 00929 } 00930 00931 void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) { 00932 if (!PrevLoc.isValid()) { 00933 PrevLoc = NewLoc; 00934 return; 00935 } 00936 00937 const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc); 00938 const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc); 00939 00940 if (NewLocClean.asLocation() == PrevLocClean.asLocation()) 00941 return; 00942 00943 // FIXME: Ignore intra-macro edges for now. 00944 if (NewLocClean.asLocation().getExpansionLoc() == 00945 PrevLocClean.asLocation().getExpansionLoc()) 00946 return; 00947 00948 PD.getActivePath().push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean)); 00949 PrevLoc = NewLoc; 00950 } 00951 00952 void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) { 00953 00954 if (!alwaysAdd && NewLoc.asLocation().isMacroID()) 00955 return; 00956 00957 const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc); 00958 00959 while (!CLocs.empty()) { 00960 ContextLocation &TopContextLoc = CLocs.back(); 00961 00962 // Is the top location context the same as the one for the new location? 00963 if (TopContextLoc == CLoc) { 00964 if (alwaysAdd) { 00965 if (IsConsumedExpr(TopContextLoc) && 00966 !IsControlFlowExpr(TopContextLoc.asStmt())) 00967 TopContextLoc.markDead(); 00968 00969 rawAddEdge(NewLoc); 00970 } 00971 00972 return; 00973 } 00974 00975 if (containsLocation(TopContextLoc, CLoc)) { 00976 if (alwaysAdd) { 00977 rawAddEdge(NewLoc); 00978 00979 if (IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt())) { 00980 CLocs.push_back(ContextLocation(CLoc, true)); 00981 return; 00982 } 00983 } 00984 00985 CLocs.push_back(CLoc); 00986 return; 00987 } 00988 00989 // Context does not contain the location. Flush it. 00990 popLocation(); 00991 } 00992 00993 // If we reach here, there is no enclosing context. Just add the edge. 00994 rawAddEdge(NewLoc); 00995 } 00996 00997 bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) { 00998 if (const Expr *X = dyn_cast_or_null<Expr>(L.asStmt())) 00999 return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X); 01000 01001 return false; 01002 } 01003 01004 void EdgeBuilder::addExtendedContext(const Stmt *S) { 01005 if (!S) 01006 return; 01007 01008 const Stmt *Parent = PDB.getParent(S); 01009 while (Parent) { 01010 if (isa<CompoundStmt>(Parent)) 01011 Parent = PDB.getParent(Parent); 01012 else 01013 break; 01014 } 01015 01016 if (Parent) { 01017 switch (Parent->getStmtClass()) { 01018 case Stmt::DoStmtClass: 01019 case Stmt::ObjCAtSynchronizedStmtClass: 01020 addContext(Parent); 01021 default: 01022 break; 01023 } 01024 } 01025 01026 addContext(S); 01027 } 01028 01029 void EdgeBuilder::addContext(const Stmt *S) { 01030 if (!S) 01031 return; 01032 01033 PathDiagnosticLocation L(S, PDB.getSourceManager(), PDB.LC); 01034 01035 while (!CLocs.empty()) { 01036 const PathDiagnosticLocation &TopContextLoc = CLocs.back(); 01037 01038 // Is the top location context the same as the one for the new location? 01039 if (TopContextLoc == L) 01040 return; 01041 01042 if (containsLocation(TopContextLoc, L)) { 01043 CLocs.push_back(L); 01044 return; 01045 } 01046 01047 // Context does not contain the location. Flush it. 01048 popLocation(); 01049 } 01050 01051 CLocs.push_back(L); 01052 } 01053 01054 // Cone-of-influence: support the reverse propagation of "interesting" symbols 01055 // and values by tracing interesting calculations backwards through evaluated 01056 // expressions along a path. This is probably overly complicated, but the idea 01057 // is that if an expression computed an "interesting" value, the child 01058 // expressions are are also likely to be "interesting" as well (which then 01059 // propagates to the values they in turn compute). This reverse propagation 01060 // is needed to track interesting correlations across function call boundaries, 01061 // where formal arguments bind to actual arguments, etc. This is also needed 01062 // because the constraint solver sometimes simplifies certain symbolic values 01063 // into constants when appropriate, and this complicates reasoning about 01064 // interesting values. 01065 typedef llvm::DenseSet<const Expr *> InterestingExprs; 01066 01067 static void reversePropagateIntererstingSymbols(BugReport &R, 01068 InterestingExprs &IE, 01069 const ProgramState *State, 01070 const Expr *Ex, 01071 const LocationContext *LCtx) { 01072 SVal V = State->getSVal(Ex, LCtx); 01073 if (!(R.isInteresting(V) || IE.count(Ex))) 01074 return; 01075 01076 switch (Ex->getStmtClass()) { 01077 default: 01078 if (!isa<CastExpr>(Ex)) 01079 break; 01080 // Fall through. 01081 case Stmt::BinaryOperatorClass: 01082 case Stmt::UnaryOperatorClass: { 01083 for (Stmt::const_child_iterator CI = Ex->child_begin(), 01084 CE = Ex->child_end(); 01085 CI != CE; ++CI) { 01086 if (const Expr *child = dyn_cast_or_null<Expr>(*CI)) { 01087 IE.insert(child); 01088 SVal ChildV = State->getSVal(child, LCtx); 01089 R.markInteresting(ChildV); 01090 } 01091 break; 01092 } 01093 } 01094 } 01095 01096 R.markInteresting(V); 01097 } 01098 01099 static void reversePropagateInterestingSymbols(BugReport &R, 01100 InterestingExprs &IE, 01101 const ProgramState *State, 01102 const LocationContext *CalleeCtx, 01103 const LocationContext *CallerCtx) 01104 { 01105 // FIXME: Handle CXXConstructExpr. 01106 // FIXME: Handle calls to blocks. 01107 const StackFrameContext *Callee = CalleeCtx->getCurrentStackFrame(); 01108 const Stmt *CallSite = Callee->getCallSite(); 01109 if (const CallExpr *CE = dyn_cast<CallExpr>(CallSite)) { 01110 if (const FunctionDecl *FD = dyn_cast<FunctionDecl>(CalleeCtx->getDecl())) { 01111 FunctionDecl::param_const_iterator PI = FD->param_begin(), 01112 PE = FD->param_end(); 01113 CallExpr::const_arg_iterator AI = CE->arg_begin(), AE = CE->arg_end(); 01114 for (; AI != AE && PI != PE; ++AI, ++PI) { 01115 if (const Expr *ArgE = *AI) { 01116 if (const ParmVarDecl *PD = *PI) { 01117 Loc LV = State->getLValue(PD, CalleeCtx); 01118 if (R.isInteresting(LV) || R.isInteresting(State->getRawSVal(LV))) 01119 IE.insert(ArgE); 01120 } 01121 } 01122 } 01123 } 01124 } 01125 } 01126 01127 static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD, 01128 PathDiagnosticBuilder &PDB, 01129 const ExplodedNode *N, 01130 ArrayRef<BugReporterVisitor *> visitors) { 01131 EdgeBuilder EB(PD, PDB); 01132 const SourceManager& SM = PDB.getSourceManager(); 01133 StackDiagVector CallStack; 01134 InterestingExprs IE; 01135 01136 const ExplodedNode *NextNode = N->pred_empty() ? NULL : *(N->pred_begin()); 01137 while (NextNode) { 01138 N = NextNode; 01139 NextNode = GetPredecessorNode(N); 01140 ProgramPoint P = N->getLocation(); 01141 01142 do { 01143 if (const PostStmt *PS = dyn_cast<PostStmt>(&P)) { 01144 if (const Expr *Ex = PS->getStmtAs<Expr>()) 01145 reversePropagateIntererstingSymbols(*PDB.getBugReport(), IE, 01146 N->getState().getPtr(), Ex, 01147 N->getLocationContext()); 01148 } 01149 01150 if (const CallExitEnd *CE = dyn_cast<CallExitEnd>(&P)) { 01151 const StackFrameContext *LCtx = 01152 CE->getLocationContext()->getCurrentStackFrame(); 01153 PathDiagnosticLocation Loc(CE->getStmt(), 01154 PDB.getSourceManager(), 01155 LCtx); 01156 EB.addEdge(Loc, true); 01157 EB.flushLocations(); 01158 PathDiagnosticCallPiece *C = 01159 PathDiagnosticCallPiece::construct(N, *CE, SM); 01160 PD.getActivePath().push_front(C); 01161 PD.pushActivePath(&C->path); 01162 CallStack.push_back(StackDiagPair(C, N)); 01163 break; 01164 } 01165 01166 // Pop the call hierarchy if we are done walking the contents 01167 // of a function call. 01168 if (const CallEnter *CE = dyn_cast<CallEnter>(&P)) { 01169 // Add an edge to the start of the function. 01170 const Decl *D = CE->getCalleeContext()->getDecl(); 01171 PathDiagnosticLocation pos = 01172 PathDiagnosticLocation::createBegin(D, SM); 01173 EB.addEdge(pos); 01174 01175 // Flush all locations, and pop the active path. 01176 EB.flushLocations(); 01177 PD.popActivePath(); 01178 assert(!PD.getActivePath().empty()); 01179 PDB.LC = N->getLocationContext(); 01180 01181 // The current active path should never be empty. Either we 01182 // just added a bunch of stuff to the top-level path, or 01183 // we have a previous CallExitEnd. If the front of the active 01184 // path is not a PathDiagnosticCallPiece, it means that the 01185 // path terminated within a function call. We must then take the 01186 // current contents of the active path and place it within 01187 // a new PathDiagnosticCallPiece. 01188 PathDiagnosticCallPiece *C = 01189 dyn_cast<PathDiagnosticCallPiece>(PD.getActivePath().front()); 01190 if (!C) { 01191 const Decl * Caller = CE->getLocationContext()->getDecl(); 01192 C = PathDiagnosticCallPiece::construct(PD.getActivePath(), Caller); 01193 } 01194 C->setCallee(*CE, SM); 01195 EB.addContext(CE->getCallExpr()); 01196 01197 if (!CallStack.empty()) { 01198 assert(CallStack.back().first == C); 01199 CallStack.pop_back(); 01200 } 01201 break; 01202 } 01203 01204 // Note that is important that we update the LocationContext 01205 // after looking at CallExits. CallExit basically adds an 01206 // edge in the *caller*, so we don't want to update the LocationContext 01207 // too soon. 01208 PDB.LC = N->getLocationContext(); 01209 01210 // Block edges. 01211 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) { 01212 // Does this represent entering a call? If so, look at propagating 01213 // interesting symbols across call boundaries. 01214 if (NextNode) { 01215 const LocationContext *CallerCtx = NextNode->getLocationContext(); 01216 const LocationContext *CalleeCtx = PDB.LC; 01217 if (CallerCtx != CalleeCtx) { 01218 reversePropagateInterestingSymbols(*PDB.getBugReport(), IE, 01219 N->getState().getPtr(), 01220 CalleeCtx, CallerCtx); 01221 } 01222 } 01223 01224 const CFGBlock &Blk = *BE->getSrc(); 01225 const Stmt *Term = Blk.getTerminator(); 01226 01227 // Are we jumping to the head of a loop? Add a special diagnostic. 01228 if (const Stmt *Loop = BE->getDst()->getLoopTarget()) { 01229 PathDiagnosticLocation L(Loop, SM, PDB.LC); 01230 const CompoundStmt *CS = NULL; 01231 01232 if (!Term) { 01233 if (const ForStmt *FS = dyn_cast<ForStmt>(Loop)) 01234 CS = dyn_cast<CompoundStmt>(FS->getBody()); 01235 else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop)) 01236 CS = dyn_cast<CompoundStmt>(WS->getBody()); 01237 } 01238 01239 PathDiagnosticEventPiece *p = 01240 new PathDiagnosticEventPiece(L, 01241 "Looping back to the head of the loop"); 01242 p->setPrunable(true); 01243 01244 EB.addEdge(p->getLocation(), true); 01245 PD.getActivePath().push_front(p); 01246 01247 if (CS) { 01248 PathDiagnosticLocation BL = 01249 PathDiagnosticLocation::createEndBrace(CS, SM); 01250 EB.addEdge(BL); 01251 } 01252 } 01253 01254 if (Term) 01255 EB.addContext(Term); 01256 01257 break; 01258 } 01259 01260 if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) { 01261 if (const CFGStmt *S = BE->getFirstElement().getAs<CFGStmt>()) { 01262 const Stmt *stmt = S->getStmt(); 01263 if (IsControlFlowExpr(stmt)) { 01264 // Add the proper context for '&&', '||', and '?'. 01265 EB.addContext(stmt); 01266 } 01267 else 01268 EB.addExtendedContext(PDB.getEnclosingStmtLocation(stmt).asStmt()); 01269 } 01270 01271 break; 01272 } 01273 01274 01275 } while (0); 01276 01277 if (!NextNode) 01278 continue; 01279 01280 // Add pieces from custom visitors. 01281 BugReport *R = PDB.getBugReport(); 01282 for (ArrayRef<BugReporterVisitor *>::iterator I = visitors.begin(), 01283 E = visitors.end(); 01284 I != E; ++I) { 01285 if (PathDiagnosticPiece *p = (*I)->VisitNode(N, NextNode, PDB, *R)) { 01286 const PathDiagnosticLocation &Loc = p->getLocation(); 01287 EB.addEdge(Loc, true); 01288 PD.getActivePath().push_front(p); 01289 updateStackPiecesWithMessage(p, CallStack); 01290 01291 if (const Stmt *S = Loc.asStmt()) 01292 EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt()); 01293 } 01294 } 01295 } 01296 } 01297 01298 //===----------------------------------------------------------------------===// 01299 // Methods for BugType and subclasses. 01300 //===----------------------------------------------------------------------===// 01301 BugType::~BugType() { } 01302 01303 void BugType::FlushReports(BugReporter &BR) {} 01304 01305 void BuiltinBug::anchor() {} 01306 01307 //===----------------------------------------------------------------------===// 01308 // Methods for BugReport and subclasses. 01309 //===----------------------------------------------------------------------===// 01310 01311 void BugReport::NodeResolver::anchor() {} 01312 01313 void BugReport::addVisitor(BugReporterVisitor* visitor) { 01314 if (!visitor) 01315 return; 01316 01317 llvm::FoldingSetNodeID ID; 01318 visitor->Profile(ID); 01319 void *InsertPos; 01320 01321 if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) { 01322 delete visitor; 01323 return; 01324 } 01325 01326 CallbacksSet.InsertNode(visitor, InsertPos); 01327 Callbacks.push_back(visitor); 01328 ++ConfigurationChangeToken; 01329 } 01330 01331 BugReport::~BugReport() { 01332 for (visitor_iterator I = visitor_begin(), E = visitor_end(); I != E; ++I) { 01333 delete *I; 01334 } 01335 } 01336 01337 const Decl *BugReport::getDeclWithIssue() const { 01338 if (DeclWithIssue) 01339 return DeclWithIssue; 01340 01341 const ExplodedNode *N = getErrorNode(); 01342 if (!N) 01343 return 0; 01344 01345 const LocationContext *LC = N->getLocationContext(); 01346 return LC->getCurrentStackFrame()->getDecl(); 01347 } 01348 01349 void BugReport::Profile(llvm::FoldingSetNodeID& hash) const { 01350 hash.AddPointer(&BT); 01351 hash.AddString(Description); 01352 if (UniqueingLocation.isValid()) { 01353 UniqueingLocation.Profile(hash); 01354 } else if (Location.isValid()) { 01355 Location.Profile(hash); 01356 } else { 01357 assert(ErrorNode); 01358 hash.AddPointer(GetCurrentOrPreviousStmt(ErrorNode)); 01359 } 01360 01361 for (SmallVectorImpl<SourceRange>::const_iterator I = 01362 Ranges.begin(), E = Ranges.end(); I != E; ++I) { 01363 const SourceRange range = *I; 01364 if (!range.isValid()) 01365 continue; 01366 hash.AddInteger(range.getBegin().getRawEncoding()); 01367 hash.AddInteger(range.getEnd().getRawEncoding()); 01368 } 01369 } 01370 01371 void BugReport::markInteresting(SymbolRef sym) { 01372 if (!sym) 01373 return; 01374 01375 // If the symbol wasn't already in our set, note a configuration change. 01376 if (interestingSymbols.insert(sym).second) 01377 ++ConfigurationChangeToken; 01378 01379 if (const SymbolMetadata *meta = dyn_cast<SymbolMetadata>(sym)) 01380 interestingRegions.insert(meta->getRegion()); 01381 } 01382 01383 void BugReport::markInteresting(const MemRegion *R) { 01384 if (!R) 01385 return; 01386 01387 // If the base region wasn't already in our set, note a configuration change. 01388 R = R->getBaseRegion(); 01389 if (interestingRegions.insert(R).second) 01390 ++ConfigurationChangeToken; 01391 01392 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 01393 interestingSymbols.insert(SR->getSymbol()); 01394 } 01395 01396 void BugReport::markInteresting(SVal V) { 01397 markInteresting(V.getAsRegion()); 01398 markInteresting(V.getAsSymbol()); 01399 } 01400 01401 bool BugReport::isInteresting(SVal V) const { 01402 return isInteresting(V.getAsRegion()) || isInteresting(V.getAsSymbol()); 01403 } 01404 01405 bool BugReport::isInteresting(SymbolRef sym) const { 01406 if (!sym) 01407 return false; 01408 // We don't currently consider metadata symbols to be interesting 01409 // even if we know their region is interesting. Is that correct behavior? 01410 return interestingSymbols.count(sym); 01411 } 01412 01413 bool BugReport::isInteresting(const MemRegion *R) const { 01414 if (!R) 01415 return false; 01416 R = R->getBaseRegion(); 01417 bool b = interestingRegions.count(R); 01418 if (b) 01419 return true; 01420 if (const SymbolicRegion *SR = dyn_cast<SymbolicRegion>(R)) 01421 return interestingSymbols.count(SR->getSymbol()); 01422 return false; 01423 } 01424 01425 01426 const Stmt *BugReport::getStmt() const { 01427 if (!ErrorNode) 01428 return 0; 01429 01430 ProgramPoint ProgP = ErrorNode->getLocation(); 01431 const Stmt *S = NULL; 01432 01433 if (BlockEntrance *BE = dyn_cast<BlockEntrance>(&ProgP)) { 01434 CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit(); 01435 if (BE->getBlock() == &Exit) 01436 S = GetPreviousStmt(ErrorNode); 01437 } 01438 if (!S) 01439 S = GetStmt(ProgP); 01440 01441 return S; 01442 } 01443 01444 std::pair<BugReport::ranges_iterator, BugReport::ranges_iterator> 01445 BugReport::getRanges() { 01446 // If no custom ranges, add the range of the statement corresponding to 01447 // the error node. 01448 if (Ranges.empty()) { 01449 if (const Expr *E = dyn_cast_or_null<Expr>(getStmt())) 01450 addRange(E->getSourceRange()); 01451 else 01452 return std::make_pair(ranges_iterator(), ranges_iterator()); 01453 } 01454 01455 // User-specified absence of range info. 01456 if (Ranges.size() == 1 && !Ranges.begin()->isValid()) 01457 return std::make_pair(ranges_iterator(), ranges_iterator()); 01458 01459 return std::make_pair(Ranges.begin(), Ranges.end()); 01460 } 01461 01462 PathDiagnosticLocation BugReport::getLocation(const SourceManager &SM) const { 01463 if (ErrorNode) { 01464 assert(!Location.isValid() && 01465 "Either Location or ErrorNode should be specified but not both."); 01466 01467 if (const Stmt *S = GetCurrentOrPreviousStmt(ErrorNode)) { 01468 const LocationContext *LC = ErrorNode->getLocationContext(); 01469 01470 // For member expressions, return the location of the '.' or '->'. 01471 if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) 01472 return PathDiagnosticLocation::createMemberLoc(ME, SM); 01473 // For binary operators, return the location of the operator. 01474 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) 01475 return PathDiagnosticLocation::createOperatorLoc(B, SM); 01476 01477 return PathDiagnosticLocation::createBegin(S, SM, LC); 01478 } 01479 } else { 01480 assert(Location.isValid()); 01481 return Location; 01482 } 01483 01484 return PathDiagnosticLocation(); 01485 } 01486 01487 //===----------------------------------------------------------------------===// 01488 // Methods for BugReporter and subclasses. 01489 //===----------------------------------------------------------------------===// 01490 01491 BugReportEquivClass::~BugReportEquivClass() { } 01492 GRBugReporter::~GRBugReporter() { } 01493 BugReporterData::~BugReporterData() {} 01494 01495 ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); } 01496 01497 ProgramStateManager& 01498 GRBugReporter::getStateManager() { return Eng.getStateManager(); } 01499 01500 BugReporter::~BugReporter() { 01501 FlushReports(); 01502 01503 // Free the bug reports we are tracking. 01504 typedef std::vector<BugReportEquivClass *> ContTy; 01505 for (ContTy::iterator I = EQClassesVector.begin(), E = EQClassesVector.end(); 01506 I != E; ++I) { 01507 delete *I; 01508 } 01509 } 01510 01511 void BugReporter::FlushReports() { 01512 if (BugTypes.isEmpty()) 01513 return; 01514 01515 // First flush the warnings for each BugType. This may end up creating new 01516 // warnings and new BugTypes. 01517 // FIXME: Only NSErrorChecker needs BugType's FlushReports. 01518 // Turn NSErrorChecker into a proper checker and remove this. 01519 SmallVector<const BugType*, 16> bugTypes; 01520 for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) 01521 bugTypes.push_back(*I); 01522 for (SmallVector<const BugType*, 16>::iterator 01523 I = bugTypes.begin(), E = bugTypes.end(); I != E; ++I) 01524 const_cast<BugType*>(*I)->FlushReports(*this); 01525 01526 typedef llvm::FoldingSet<BugReportEquivClass> SetTy; 01527 for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI){ 01528 BugReportEquivClass& EQ = *EI; 01529 FlushReport(EQ); 01530 } 01531 01532 // BugReporter owns and deletes only BugTypes created implicitly through 01533 // EmitBasicReport. 01534 // FIXME: There are leaks from checkers that assume that the BugTypes they 01535 // create will be destroyed by the BugReporter. 01536 for (llvm::StringMap<BugType*>::iterator 01537 I = StrBugTypes.begin(), E = StrBugTypes.end(); I != E; ++I) 01538 delete I->second; 01539 01540 // Remove all references to the BugType objects. 01541 BugTypes = F.getEmptySet(); 01542 } 01543 01544 //===----------------------------------------------------------------------===// 01545 // PathDiagnostics generation. 01546 //===----------------------------------------------------------------------===// 01547 01548 static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 01549 std::pair<ExplodedNode*, unsigned> > 01550 MakeReportGraph(const ExplodedGraph* G, 01551 SmallVectorImpl<const ExplodedNode*> &nodes) { 01552 01553 // Create the trimmed graph. It will contain the shortest paths from the 01554 // error nodes to the root. In the new graph we should only have one 01555 // error node unless there are two or more error nodes with the same minimum 01556 // path length. 01557 ExplodedGraph* GTrim; 01558 InterExplodedGraphMap* NMap; 01559 01560 llvm::DenseMap<const void*, const void*> InverseMap; 01561 llvm::tie(GTrim, NMap) = G->Trim(nodes.data(), nodes.data() + nodes.size(), 01562 &InverseMap); 01563 01564 // Create owning pointers for GTrim and NMap just to ensure that they are 01565 // released when this function exists. 01566 OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim); 01567 OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap); 01568 01569 // Find the (first) error node in the trimmed graph. We just need to consult 01570 // the node map (NMap) which maps from nodes in the original graph to nodes 01571 // in the new graph. 01572 01573 std::queue<const ExplodedNode*> WS; 01574 typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy; 01575 IndexMapTy IndexMap; 01576 01577 for (unsigned nodeIndex = 0 ; nodeIndex < nodes.size(); ++nodeIndex) { 01578 const ExplodedNode *originalNode = nodes[nodeIndex]; 01579 if (const ExplodedNode *N = NMap->getMappedNode(originalNode)) { 01580 WS.push(N); 01581 IndexMap[originalNode] = nodeIndex; 01582 } 01583 } 01584 01585 assert(!WS.empty() && "No error node found in the trimmed graph."); 01586 01587 // Create a new (third!) graph with a single path. This is the graph 01588 // that will be returned to the caller. 01589 ExplodedGraph *GNew = new ExplodedGraph(); 01590 01591 // Sometimes the trimmed graph can contain a cycle. Perform a reverse BFS 01592 // to the root node, and then construct a new graph that contains only 01593 // a single path. 01594 llvm::DenseMap<const void*,unsigned> Visited; 01595 01596 unsigned cnt = 0; 01597 const ExplodedNode *Root = 0; 01598 01599 while (!WS.empty()) { 01600 const ExplodedNode *Node = WS.front(); 01601 WS.pop(); 01602 01603 if (Visited.find(Node) != Visited.end()) 01604 continue; 01605 01606 Visited[Node] = cnt++; 01607 01608 if (Node->pred_empty()) { 01609 Root = Node; 01610 break; 01611 } 01612 01613 for (ExplodedNode::const_pred_iterator I=Node->pred_begin(), 01614 E=Node->pred_end(); I!=E; ++I) 01615 WS.push(*I); 01616 } 01617 01618 assert(Root); 01619 01620 // Now walk from the root down the BFS path, always taking the successor 01621 // with the lowest number. 01622 ExplodedNode *Last = 0, *First = 0; 01623 NodeBackMap *BM = new NodeBackMap(); 01624 unsigned NodeIndex = 0; 01625 01626 for ( const ExplodedNode *N = Root ;;) { 01627 // Lookup the number associated with the current node. 01628 llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N); 01629 assert(I != Visited.end()); 01630 01631 // Create the equivalent node in the new graph with the same state 01632 // and location. 01633 ExplodedNode *NewN = GNew->getNode(N->getLocation(), N->getState()); 01634 01635 // Store the mapping to the original node. 01636 llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N); 01637 assert(IMitr != InverseMap.end() && "No mapping to original node."); 01638 (*BM)[NewN] = (const ExplodedNode*) IMitr->second; 01639 01640 // Link up the new node with the previous node. 01641 if (Last) 01642 NewN->addPredecessor(Last, *GNew); 01643 01644 Last = NewN; 01645 01646 // Are we at the final node? 01647 IndexMapTy::iterator IMI = 01648 IndexMap.find((const ExplodedNode*)(IMitr->second)); 01649 if (IMI != IndexMap.end()) { 01650 First = NewN; 01651 NodeIndex = IMI->second; 01652 break; 01653 } 01654 01655 // Find the next successor node. We choose the node that is marked 01656 // with the lowest DFS number. 01657 ExplodedNode::const_succ_iterator SI = N->succ_begin(); 01658 ExplodedNode::const_succ_iterator SE = N->succ_end(); 01659 N = 0; 01660 01661 for (unsigned MinVal = 0; SI != SE; ++SI) { 01662 01663 I = Visited.find(*SI); 01664 01665 if (I == Visited.end()) 01666 continue; 01667 01668 if (!N || I->second < MinVal) { 01669 N = *SI; 01670 MinVal = I->second; 01671 } 01672 } 01673 01674 assert(N); 01675 } 01676 01677 assert(First); 01678 01679 return std::make_pair(std::make_pair(GNew, BM), 01680 std::make_pair(First, NodeIndex)); 01681 } 01682 01683 /// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object 01684 /// and collapses PathDiagosticPieces that are expanded by macros. 01685 static void CompactPathDiagnostic(PathPieces &path, const SourceManager& SM) { 01686 typedef std::vector<std::pair<IntrusiveRefCntPtr<PathDiagnosticMacroPiece>, 01687 SourceLocation> > MacroStackTy; 01688 01689 typedef std::vector<IntrusiveRefCntPtr<PathDiagnosticPiece> > 01690 PiecesTy; 01691 01692 MacroStackTy MacroStack; 01693 PiecesTy Pieces; 01694 01695 for (PathPieces::const_iterator I = path.begin(), E = path.end(); 01696 I!=E; ++I) { 01697 01698 PathDiagnosticPiece *piece = I->getPtr(); 01699 01700 // Recursively compact calls. 01701 if (PathDiagnosticCallPiece *call=dyn_cast<PathDiagnosticCallPiece>(piece)){ 01702 CompactPathDiagnostic(call->path, SM); 01703 } 01704 01705 // Get the location of the PathDiagnosticPiece. 01706 const FullSourceLoc Loc = piece->getLocation().asLocation(); 01707 01708 // Determine the instantiation location, which is the location we group 01709 // related PathDiagnosticPieces. 01710 SourceLocation InstantiationLoc = Loc.isMacroID() ? 01711 SM.getExpansionLoc(Loc) : 01712 SourceLocation(); 01713 01714 if (Loc.isFileID()) { 01715 MacroStack.clear(); 01716 Pieces.push_back(piece); 01717 continue; 01718 } 01719 01720 assert(Loc.isMacroID()); 01721 01722 // Is the PathDiagnosticPiece within the same macro group? 01723 if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) { 01724 MacroStack.back().first->subPieces.push_back(piece); 01725 continue; 01726 } 01727 01728 // We aren't in the same group. Are we descending into a new macro 01729 // or are part of an old one? 01730 IntrusiveRefCntPtr<PathDiagnosticMacroPiece> MacroGroup; 01731 01732 SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ? 01733 SM.getExpansionLoc(Loc) : 01734 SourceLocation(); 01735 01736 // Walk the entire macro stack. 01737 while (!MacroStack.empty()) { 01738 if (InstantiationLoc == MacroStack.back().second) { 01739 MacroGroup = MacroStack.back().first; 01740 break; 01741 } 01742 01743 if (ParentInstantiationLoc == MacroStack.back().second) { 01744 MacroGroup = MacroStack.back().first; 01745 break; 01746 } 01747 01748 MacroStack.pop_back(); 01749 } 01750 01751 if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) { 01752 // Create a new macro group and add it to the stack. 01753 PathDiagnosticMacroPiece *NewGroup = 01754 new PathDiagnosticMacroPiece( 01755 PathDiagnosticLocation::createSingleLocation(piece->getLocation())); 01756 01757 if (MacroGroup) 01758 MacroGroup->subPieces.push_back(NewGroup); 01759 else { 01760 assert(InstantiationLoc.isFileID()); 01761 Pieces.push_back(NewGroup); 01762 } 01763 01764 MacroGroup = NewGroup; 01765 MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc)); 01766 } 01767 01768 // Finally, add the PathDiagnosticPiece to the group. 01769 MacroGroup->subPieces.push_back(piece); 01770 } 01771 01772 // Now take the pieces and construct a new PathDiagnostic. 01773 path.clear(); 01774 01775 for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) 01776 path.push_back(*I); 01777 } 01778 01779 void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD, 01780 SmallVectorImpl<BugReport *> &bugReports) { 01781 01782 assert(!bugReports.empty()); 01783 SmallVector<const ExplodedNode *, 10> errorNodes; 01784 for (SmallVectorImpl<BugReport*>::iterator I = bugReports.begin(), 01785 E = bugReports.end(); I != E; ++I) { 01786 errorNodes.push_back((*I)->getErrorNode()); 01787 } 01788 01789 // Construct a new graph that contains only a single path from the error 01790 // node to a root. 01791 const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>, 01792 std::pair<ExplodedNode*, unsigned> >& 01793 GPair = MakeReportGraph(&getGraph(), errorNodes); 01794 01795 // Find the BugReport with the original location. 01796 assert(GPair.second.second < bugReports.size()); 01797 BugReport *R = bugReports[GPair.second.second]; 01798 assert(R && "No original report found for sliced graph."); 01799 01800 OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first); 01801 OwningPtr<NodeBackMap> BackMap(GPair.first.second); 01802 const ExplodedNode *N = GPair.second.first; 01803 01804 // Start building the path diagnostic... 01805 PathDiagnosticBuilder PDB(*this, R, BackMap.get(), 01806 getPathDiagnosticConsumer()); 01807 01808 // Register additional node visitors. 01809 R->addVisitor(new NilReceiverBRVisitor()); 01810 R->addVisitor(new ConditionBRVisitor()); 01811 01812 BugReport::VisitorList visitors; 01813 unsigned originalReportConfigToken, finalReportConfigToken; 01814 01815 // While generating diagnostics, it's possible the visitors will decide 01816 // new symbols and regions are interesting, or add other visitors based on 01817 // the information they find. If they do, we need to regenerate the path 01818 // based on our new report configuration. 01819 do { 01820 // Get a clean copy of all the visitors. 01821 for (BugReport::visitor_iterator I = R->visitor_begin(), 01822 E = R->visitor_end(); I != E; ++I) 01823 visitors.push_back((*I)->clone()); 01824 01825 // Clear out the active path from any previous work. 01826 PD.getActivePath().clear(); 01827 originalReportConfigToken = R->getConfigurationChangeToken(); 01828 01829 // Generate the very last diagnostic piece - the piece is visible before 01830 // the trace is expanded. 01831 PathDiagnosticPiece *LastPiece = 0; 01832 for (BugReport::visitor_iterator I = visitors.begin(), E = visitors.end(); 01833 I != E; ++I) { 01834 if (PathDiagnosticPiece *Piece = (*I)->getEndPath(PDB, N, *R)) { 01835 assert (!LastPiece && 01836 "There can only be one final piece in a diagnostic."); 01837 LastPiece = Piece; 01838 } 01839 } 01840 if (!LastPiece) 01841 LastPiece = BugReporterVisitor::getDefaultEndPath(PDB, N, *R); 01842 if (LastPiece) 01843 PD.getActivePath().push_back(LastPiece); 01844 else 01845 return; 01846 01847 switch (PDB.getGenerationScheme()) { 01848 case PathDiagnosticConsumer::Extensive: 01849 GenerateExtensivePathDiagnostic(PD, PDB, N, visitors); 01850 break; 01851 case PathDiagnosticConsumer::Minimal: 01852 GenerateMinimalPathDiagnostic(PD, PDB, N, visitors); 01853 break; 01854 } 01855 01856 // Clean up the visitors we used. 01857 llvm::DeleteContainerPointers(visitors); 01858 01859 // Did anything change while generating this path? 01860 finalReportConfigToken = R->getConfigurationChangeToken(); 01861 } while(finalReportConfigToken != originalReportConfigToken); 01862 01863 // Finally, prune the diagnostic path of uninteresting stuff. 01864 bool hasSomethingInteresting = RemoveUneededCalls(PD.getMutablePieces()); 01865 assert(hasSomethingInteresting); 01866 (void) hasSomethingInteresting; 01867 } 01868 01869 void BugReporter::Register(BugType *BT) { 01870 BugTypes = F.add(BugTypes, BT); 01871 } 01872 01873 void BugReporter::EmitReport(BugReport* R) { 01874 // Compute the bug report's hash to determine its equivalence class. 01875 llvm::FoldingSetNodeID ID; 01876 R->Profile(ID); 01877 01878 // Lookup the equivance class. If there isn't one, create it. 01879 BugType& BT = R->getBugType(); 01880 Register(&BT); 01881 void *InsertPos; 01882 BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos); 01883 01884 if (!EQ) { 01885 EQ = new BugReportEquivClass(R); 01886 EQClasses.InsertNode(EQ, InsertPos); 01887 EQClassesVector.push_back(EQ); 01888 } 01889 else 01890 EQ->AddReport(R); 01891 } 01892 01893 01894 //===----------------------------------------------------------------------===// 01895 // Emitting reports in equivalence classes. 01896 //===----------------------------------------------------------------------===// 01897 01898 namespace { 01899 struct FRIEC_WLItem { 01900 const ExplodedNode *N; 01901 ExplodedNode::const_succ_iterator I, E; 01902 01903 FRIEC_WLItem(const ExplodedNode *n) 01904 : N(n), I(N->succ_begin()), E(N->succ_end()) {} 01905 }; 01906 } 01907 01908 static BugReport * 01909 FindReportInEquivalenceClass(BugReportEquivClass& EQ, 01910 SmallVectorImpl<BugReport*> &bugReports) { 01911 01912 BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end(); 01913 assert(I != E); 01914 BugType& BT = I->getBugType(); 01915 01916 // If we don't need to suppress any of the nodes because they are 01917 // post-dominated by a sink, simply add all the nodes in the equivalence class 01918 // to 'Nodes'. Any of the reports will serve as a "representative" report. 01919 if (!BT.isSuppressOnSink()) { 01920 BugReport *R = I; 01921 for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) { 01922 const ExplodedNode *N = I->getErrorNode(); 01923 if (N) { 01924 R = I; 01925 bugReports.push_back(R); 01926 } 01927 } 01928 return R; 01929 } 01930 01931 // For bug reports that should be suppressed when all paths are post-dominated 01932 // by a sink node, iterate through the reports in the equivalence class 01933 // until we find one that isn't post-dominated (if one exists). We use a 01934 // DFS traversal of the ExplodedGraph to find a non-sink node. We could write 01935 // this as a recursive function, but we don't want to risk blowing out the 01936 // stack for very long paths. 01937 BugReport *exampleReport = 0; 01938 01939 for (; I != E; ++I) { 01940 const ExplodedNode *errorNode = I->getErrorNode(); 01941 01942 if (!errorNode) 01943 continue; 01944 if (errorNode->isSink()) { 01945 llvm_unreachable( 01946 "BugType::isSuppressSink() should not be 'true' for sink end nodes"); 01947 } 01948 // No successors? By definition this nodes isn't post-dominated by a sink. 01949 if (errorNode->succ_empty()) { 01950 bugReports.push_back(I); 01951 if (!exampleReport) 01952 exampleReport = I; 01953 continue; 01954 } 01955 01956 // At this point we know that 'N' is not a sink and it has at least one 01957 // successor. Use a DFS worklist to find a non-sink end-of-path node. 01958 typedef FRIEC_WLItem WLItem; 01959 typedef SmallVector<WLItem, 10> DFSWorkList; 01960 llvm::DenseMap<const ExplodedNode *, unsigned> Visited; 01961 01962 DFSWorkList WL; 01963 WL.push_back(errorNode); 01964 Visited[errorNode] = 1; 01965 01966 while (!WL.empty()) { 01967 WLItem &WI = WL.back(); 01968 assert(!WI.N->succ_empty()); 01969 01970 for (; WI.I != WI.E; ++WI.I) { 01971 const ExplodedNode *Succ = *WI.I; 01972 // End-of-path node? 01973 if (Succ->succ_empty()) { 01974 // If we found an end-of-path node that is not a sink. 01975 if (!Succ->isSink()) { 01976 bugReports.push_back(I); 01977 if (!exampleReport) 01978 exampleReport = I; 01979 WL.clear(); 01980 break; 01981 } 01982 // Found a sink? Continue on to the next successor. 01983 continue; 01984 } 01985 // Mark the successor as visited. If it hasn't been explored, 01986 // enqueue it to the DFS worklist. 01987 unsigned &mark = Visited[Succ]; 01988 if (!mark) { 01989 mark = 1; 01990 WL.push_back(Succ); 01991 break; 01992 } 01993 } 01994 01995 // The worklist may have been cleared at this point. First 01996 // check if it is empty before checking the last item. 01997 if (!WL.empty() && &WL.back() == &WI) 01998 WL.pop_back(); 01999 } 02000 } 02001 02002 // ExampleReport will be NULL if all the nodes in the equivalence class 02003 // were post-dominated by sinks. 02004 return exampleReport; 02005 } 02006 02007 //===----------------------------------------------------------------------===// 02008 // DiagnosticCache. This is a hack to cache analyzer diagnostics. It 02009 // uses global state, which eventually should go elsewhere. 02010 //===----------------------------------------------------------------------===// 02011 namespace { 02012 class DiagCacheItem : public llvm::FoldingSetNode { 02013 llvm::FoldingSetNodeID ID; 02014 public: 02015 DiagCacheItem(BugReport *R, PathDiagnostic *PD) { 02016 R->Profile(ID); 02017 PD->Profile(ID); 02018 } 02019 02020 void Profile(llvm::FoldingSetNodeID &id) { 02021 id = ID; 02022 } 02023 02024 llvm::FoldingSetNodeID &getID() { return ID; } 02025 }; 02026 } 02027 02028 static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) { 02029 // FIXME: Eventually this diagnostic cache should reside in something 02030 // like AnalysisManager instead of being a static variable. This is 02031 // really unsafe in the long term. 02032 typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache; 02033 static DiagnosticCache DC; 02034 02035 void *InsertPos; 02036 DiagCacheItem *Item = new DiagCacheItem(R, PD); 02037 02038 if (DC.FindNodeOrInsertPos(Item->getID(), InsertPos)) { 02039 delete Item; 02040 return true; 02041 } 02042 02043 DC.InsertNode(Item, InsertPos); 02044 return false; 02045 } 02046 02047 void BugReporter::FlushReport(BugReportEquivClass& EQ) { 02048 SmallVector<BugReport*, 10> bugReports; 02049 BugReport *exampleReport = FindReportInEquivalenceClass(EQ, bugReports); 02050 if (!exampleReport) 02051 return; 02052 02053 PathDiagnosticConsumer* PD = getPathDiagnosticConsumer(); 02054 02055 // FIXME: Make sure we use the 'R' for the path that was actually used. 02056 // Probably doesn't make a difference in practice. 02057 BugType& BT = exampleReport->getBugType(); 02058 02059 OwningPtr<PathDiagnostic> 02060 D(new PathDiagnostic(exampleReport->getDeclWithIssue(), 02061 exampleReport->getBugType().getName(), 02062 !PD || PD->useVerboseDescription() 02063 ? exampleReport->getDescription() 02064 : exampleReport->getShortDescription(), 02065 BT.getCategory())); 02066 02067 if (!bugReports.empty()) 02068 GeneratePathDiagnostic(*D.get(), bugReports); 02069 02070 // Get the meta data. 02071 const BugReport::ExtraTextList &Meta = 02072 exampleReport->getExtraText(); 02073 for (BugReport::ExtraTextList::const_iterator i = Meta.begin(), 02074 e = Meta.end(); i != e; ++i) { 02075 D->addMeta(*i); 02076 } 02077 02078 // Emit a summary diagnostic to the regular Diagnostics engine. 02079 BugReport::ranges_iterator Beg, End; 02080 llvm::tie(Beg, End) = exampleReport->getRanges(); 02081 DiagnosticsEngine &Diag = getDiagnostic(); 02082 02083 if (!IsCachedDiagnostic(exampleReport, D.get())) { 02084 // Search the description for '%', as that will be interpretted as a 02085 // format character by FormatDiagnostics. 02086 StringRef desc = exampleReport->getShortDescription(); 02087 02088 SmallString<512> TmpStr; 02089 llvm::raw_svector_ostream Out(TmpStr); 02090 for (StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I) { 02091 if (*I == '%') 02092 Out << "%%"; 02093 else 02094 Out << *I; 02095 } 02096 02097 Out.flush(); 02098 unsigned ErrorDiag = Diag.getCustomDiagID(DiagnosticsEngine::Warning, TmpStr); 02099 02100 DiagnosticBuilder diagBuilder = Diag.Report( 02101 exampleReport->getLocation(getSourceManager()).asLocation(), ErrorDiag); 02102 for (BugReport::ranges_iterator I = Beg; I != End; ++I) 02103 diagBuilder << *I; 02104 } 02105 02106 // Emit a full diagnostic for the path if we have a PathDiagnosticConsumer. 02107 if (!PD) 02108 return; 02109 02110 if (D->path.empty()) { 02111 PathDiagnosticPiece *piece = new PathDiagnosticEventPiece( 02112 exampleReport->getLocation(getSourceManager()), 02113 exampleReport->getDescription()); 02114 for ( ; Beg != End; ++Beg) 02115 piece->addRange(*Beg); 02116 02117 D->getActivePath().push_back(piece); 02118 } 02119 02120 PD->HandlePathDiagnostic(D.take()); 02121 } 02122 02123 void BugReporter::EmitBasicReport(const Decl *DeclWithIssue, 02124 StringRef name, 02125 StringRef category, 02126 StringRef str, PathDiagnosticLocation Loc, 02127 SourceRange* RBeg, unsigned NumRanges) { 02128 02129 // 'BT' is owned by BugReporter. 02130 BugType *BT = getBugTypeForName(name, category); 02131 BugReport *R = new BugReport(*BT, str, Loc); 02132 R->setDeclWithIssue(DeclWithIssue); 02133 for ( ; NumRanges > 0 ; --NumRanges, ++RBeg) R->addRange(*RBeg); 02134 EmitReport(R); 02135 } 02136 02137 BugType *BugReporter::getBugTypeForName(StringRef name, 02138 StringRef category) { 02139 SmallString<136> fullDesc; 02140 llvm::raw_svector_ostream(fullDesc) << name << ":" << category; 02141 llvm::StringMapEntry<BugType *> & 02142 entry = StrBugTypes.GetOrCreateValue(fullDesc); 02143 BugType *BT = entry.getValue(); 02144 if (!BT) { 02145 BT = new BugType(name, category); 02146 entry.setValue(BT); 02147 } 02148 return BT; 02149 }