clang  10.0.0svn
BugReporterVisitors.h
Go to the documentation of this file.
1 //===- BugReporterVisitors.h - Generate PathDiagnostics ---------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file declares BugReporterVisitors, which are used to generate enhanced
10 // diagnostic traces.
11 //
12 //===----------------------------------------------------------------------===//
13 
14 #ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
15 #define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
16 
17 #include "clang/Analysis/ProgramPoint.h"
18 #include "clang/Basic/LLVM.h"
19 #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
21 #include "llvm/ADT/FoldingSet.h"
22 #include "llvm/ADT/STLExtras.h"
23 #include "llvm/ADT/StringRef.h"
24 #include <memory>
25 
26 namespace clang {
27 
28 class BinaryOperator;
29 class CFGBlock;
30 class DeclRefExpr;
31 class Expr;
32 class Stmt;
33 
34 namespace ento {
35 
36 class BugReport;
37 class BugReporterContext;
38 class ExplodedNode;
39 class MemRegion;
40 class PathDiagnosticPiece;
41 
42 /// BugReporterVisitors are used to add custom diagnostics along a path.
43 class BugReporterVisitor : public llvm::FoldingSetNode {
44 public:
45  BugReporterVisitor() = default;
46  BugReporterVisitor(const BugReporterVisitor &) = default;
47  BugReporterVisitor(BugReporterVisitor &&) {}
48  virtual ~BugReporterVisitor();
49 
50  /// Return a diagnostic piece which should be associated with the
51  /// given node.
52  /// Note that this function does *not* get run on the very last node
53  /// of the report, as the PathDiagnosticPiece associated with the
54  /// last node should be unique.
55  /// Use {@code getEndPath} to customize the note associated with the report
56  /// end instead.
57  ///
58  /// The last parameter can be used to register a new visitor with the given
59  /// BugReport while processing a node.
60  virtual std::shared_ptr<PathDiagnosticPiece>
61  VisitNode(const ExplodedNode *Succ,
62  BugReporterContext &BRC, BugReport &BR) = 0;
63 
64  /// Last function called on the visitor, no further calls to VisitNode
65  /// would follow.
66  virtual void finalizeVisitor(BugReporterContext &BRC,
67  const ExplodedNode *EndPathNode,
68  BugReport &BR);
69 
70  /// Provide custom definition for the final diagnostic piece on the
71  /// path - the piece, which is displayed before the path is expanded.
72  ///
73  /// NOTE that this function can be implemented on at most one used visitor,
74  /// and otherwise it crahes at runtime.
75  virtual std::shared_ptr<PathDiagnosticPiece>
76  getEndPath(BugReporterContext &BRC, const ExplodedNode *N, BugReport &BR);
77 
78  virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0;
79 
80  /// Generates the default final diagnostic piece.
81  static std::shared_ptr<PathDiagnosticPiece>
82  getDefaultEndPath(BugReporterContext &BRC, const ExplodedNode *N,
83  BugReport &BR);
84 };
85 
86 /// Finds last store into the given region,
87 /// which is different from a given symbolic value.
88 class FindLastStoreBRVisitor final : public BugReporterVisitor {
89  const MemRegion *R;
90  SVal V;
91  bool Satisfied = false;
92 
93  /// If the visitor is tracking the value directly responsible for the
94  /// bug, we are going to employ false positive suppression.
95  bool EnableNullFPSuppression;
96 
97 public:
98  /// Creates a visitor for every VarDecl inside a Stmt and registers it with
99  /// the BugReport.
100  static void registerStatementVarDecls(BugReport &BR, const Stmt *S,
101  bool EnableNullFPSuppression);
102 
103  FindLastStoreBRVisitor(KnownSVal V, const MemRegion *R,
104  bool InEnableNullFPSuppression)
105  : R(R), V(V), EnableNullFPSuppression(InEnableNullFPSuppression) {}
106 
107  void Profile(llvm::FoldingSetNodeID &ID) const override;
108 
109  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
110  BugReporterContext &BRC,
111  BugReport &BR) override;
112 };
113 
114 class TrackConstraintBRVisitor final : public BugReporterVisitor {
115  DefinedSVal Constraint;
116  bool Assumption;
117  bool IsSatisfied = false;
118  bool IsZeroCheck;
119 
120  /// We should start tracking from the last node along the path in which the
121  /// value is constrained.
122  bool IsTrackingTurnedOn = false;
123 
124 public:
125  TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption)
126  : Constraint(constraint), Assumption(assumption),
127  IsZeroCheck(!Assumption && Constraint.getAs<Loc>()) {}
128 
129  void Profile(llvm::FoldingSetNodeID &ID) const override;
130 
131  /// Return the tag associated with this visitor. This tag will be used
132  /// to make all PathDiagnosticPieces created by this visitor.
133  static const char *getTag();
134 
135  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
136  BugReporterContext &BRC,
137  BugReport &BR) override;
138 
139 private:
140  /// Checks if the constraint is valid in the current state.
141  bool isUnderconstrained(const ExplodedNode *N) const;
142 };
143 
144 /// \class NilReceiverBRVisitor
145 /// Prints path notes when a message is sent to a nil receiver.
146 class NilReceiverBRVisitor final : public BugReporterVisitor {
147 public:
148  void Profile(llvm::FoldingSetNodeID &ID) const override {
149  static int x = 0;
150  ID.AddPointer(&x);
151  }
152 
153  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
154  BugReporterContext &BRC,
155  BugReport &BR) override;
156 
157  /// If the statement is a message send expression with nil receiver, returns
158  /// the receiver expression. Returns NULL otherwise.
159  static const Expr *getNilReceiver(const Stmt *S, const ExplodedNode *N);
160 };
161 
162 /// Visitor that tries to report interesting diagnostics from conditions.
163 class ConditionBRVisitor final : public BugReporterVisitor {
164  // FIXME: constexpr initialization isn't supported by MSVC2013.
165  static const char *const GenericTrueMessage;
166  static const char *const GenericFalseMessage;
167 
168 public:
169  void Profile(llvm::FoldingSetNodeID &ID) const override {
170  static int x = 0;
171  ID.AddPointer(&x);
172  }
173 
174  /// Return the tag associated with this visitor. This tag will be used
175  /// to make all PathDiagnosticPieces created by this visitor.
176  static const char *getTag();
177 
178  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
179  BugReporterContext &BRC,
180  BugReport &BR) override;
181 
182  std::shared_ptr<PathDiagnosticPiece> VisitNodeImpl(const ExplodedNode *N,
183  BugReporterContext &BRC,
184  BugReport &BR);
185 
186  std::shared_ptr<PathDiagnosticPiece>
187  VisitTerminator(const Stmt *Term, const ExplodedNode *N,
188  const CFGBlock *srcBlk, const CFGBlock *dstBlk, BugReport &R,
189  BugReporterContext &BRC);
190 
191  std::shared_ptr<PathDiagnosticPiece>
192  VisitTrueTest(const Expr *Cond, BugReporterContext &BRC, BugReport &R,
193  const ExplodedNode *N, bool TookTrue);
194 
195  std::shared_ptr<PathDiagnosticPiece>
196  VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR,
197  BugReporterContext &BRC, BugReport &R, const ExplodedNode *N,
198  bool TookTrue, bool IsAssuming);
199 
200  std::shared_ptr<PathDiagnosticPiece>
201  VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr,
202  BugReporterContext &BRC, BugReport &R, const ExplodedNode *N,
203  bool TookTrue, bool IsAssuming);
204 
205  std::shared_ptr<PathDiagnosticPiece>
206  VisitTrueTest(const Expr *Cond, const MemberExpr *ME, BugReporterContext &BRC,
207  BugReport &R, const ExplodedNode *N, bool TookTrue,
208  bool IsAssuming);
209 
210  std::shared_ptr<PathDiagnosticPiece>
211  VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr,
212  BugReporterContext &BRC, BugReport &R,
213  const ExplodedNode *N, bool TookTrue);
214 
215  /// Tries to print the value of the given expression.
216  ///
217  /// \param CondVarExpr The expression to print its value.
218  /// \param Out The stream to print.
219  /// \param N The node where we encountered the condition.
220  /// \param TookTrue Whether we took the \c true branch of the condition.
221  ///
222  /// \return Whether the print was successful. (The printing is successful if
223  /// we model the value and we could obtain it.)
224  bool printValue(const Expr *CondVarExpr, raw_ostream &Out,
225  const ExplodedNode *N, bool TookTrue, bool IsAssuming);
226 
227  bool patternMatch(const Expr *Ex,
228  const Expr *ParentEx,
229  raw_ostream &Out,
230  BugReporterContext &BRC,
231  BugReport &R,
232  const ExplodedNode *N,
233  Optional<bool> &prunable,
234  bool IsSameFieldName);
235 
236  static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece);
237 };
238 
239 /// Suppress reports that might lead to known false positives.
240 ///
241 /// Currently this suppresses reports based on locations of bugs.
242 class LikelyFalsePositiveSuppressionBRVisitor final
243  : public BugReporterVisitor {
244 public:
245  static void *getTag() {
246  static int Tag = 0;
247  return static_cast<void *>(&Tag);
248  }
249 
250  void Profile(llvm::FoldingSetNodeID &ID) const override {
251  ID.AddPointer(getTag());
252  }
253 
254  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *,
255  BugReporterContext &,
256  BugReport &) override {
257  return nullptr;
258  }
259 
260  void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N,
261  BugReport &BR) override;
262 };
263 
264 /// When a region containing undefined value or '0' value is passed
265 /// as an argument in a call, marks the call as interesting.
266 ///
267 /// As a result, BugReporter will not prune the path through the function even
268 /// if the region's contents are not modified/accessed by the call.
269 class UndefOrNullArgVisitor final : public BugReporterVisitor {
270  /// The interesting memory region this visitor is tracking.
271  const MemRegion *R;
272 
273 public:
274  UndefOrNullArgVisitor(const MemRegion *InR) : R(InR) {}
275 
276  void Profile(llvm::FoldingSetNodeID &ID) const override {
277  static int Tag = 0;
278  ID.AddPointer(&Tag);
279  ID.AddPointer(R);
280  }
281 
282  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
283  BugReporterContext &BRC,
284  BugReport &BR) override;
285 };
286 
287 class SuppressInlineDefensiveChecksVisitor final : public BugReporterVisitor {
288  /// The symbolic value for which we are tracking constraints.
289  /// This value is constrained to null in the end of path.
290  DefinedSVal V;
291 
292  /// Track if we found the node where the constraint was first added.
293  bool IsSatisfied = false;
294 
295  /// Since the visitors can be registered on nodes previous to the last
296  /// node in the BugReport, but the path traversal always starts with the last
297  /// node, the visitor invariant (that we start with a node in which V is null)
298  /// might not hold when node visitation starts. We are going to start tracking
299  /// from the last node in which the value is null.
300  bool IsTrackingTurnedOn = false;
301 
302 public:
303  SuppressInlineDefensiveChecksVisitor(DefinedSVal Val, const ExplodedNode *N);
304 
305  void Profile(llvm::FoldingSetNodeID &ID) const override;
306 
307  /// Return the tag associated with this visitor. This tag will be used
308  /// to make all PathDiagnosticPieces created by this visitor.
309  static const char *getTag();
310 
311  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ,
312  BugReporterContext &BRC,
313  BugReport &BR) override;
314 };
315 
316 /// The bug visitor will walk all the nodes in a path and collect all the
317 /// constraints. When it reaches the root node, will create a refutation
318 /// manager and check if the constraints are satisfiable
319 class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor {
320 private:
321  /// Holds the constraints in a given path
322  ConstraintRangeTy Constraints;
323 
324 public:
325  FalsePositiveRefutationBRVisitor();
326 
327  void Profile(llvm::FoldingSetNodeID &ID) const override;
328 
329  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
330  BugReporterContext &BRC,
331  BugReport &BR) override;
332 
333  void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
334  BugReport &BR) override;
335 };
336 
337 
338 /// The visitor detects NoteTags and displays the event notes they contain.
339 class TagVisitor : public BugReporterVisitor {
340 public:
341  void Profile(llvm::FoldingSetNodeID &ID) const override;
342 
343  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
344  BugReporterContext &BRC,
345  BugReport &R) override;
346 };
347 
348 namespace bugreporter {
349 
350 /// Attempts to add visitors to track expression value back to its point of
351 /// origin.
352 ///
353 /// \param N A node "downstream" from the evaluation of the statement.
354 /// \param E The expression value which we are tracking
355 /// \param R The bug report to which visitors should be attached.
356 /// \param EnableNullFPSuppression Whether we should employ false positive
357 /// suppression (inlined defensive checks, returned null).
358 ///
359 /// \return Whether or not the function was able to add visitors for this
360 /// statement. Note that returning \c true does not actually imply
361 /// that any visitors were added.
362 bool trackExpressionValue(const ExplodedNode *N, const Expr *E, BugReport &R,
363  bool EnableNullFPSuppression = true);
364 
365 const Expr *getDerefExpr(const Stmt *S);
366 
367 } // namespace bugreporter
368 
369 } // namespace ento
370 
371 } // namespace clang
372 
373 #endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
clang::ento::ConstraintRangeTy
llvm::ImmutableMap< SymbolRef, RangeSet > ConstraintRangeTy
Definition: RangedConstraintManager.h:129
LLVM.h
Forward-declares and imports various common LLVM datatypes that clang wants to use unqualified...
V
#define V(N, I)
Definition: ASTContext.h:2907
clang
Dataflow Directional Tag Classes.
Definition: CFGReachabilityAnalysis.h:21
Generated on Tue Jul 23 2019 00:55:02 for clang by   doxygen 1.8.13