Shih-wei Liaof8fd82b2010-02-10 11:10:31 -08001// BugReporter.cpp - Generate PathDiagnostics for Bugs ------------*- C++ -*--//
2//
3// The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file defines BugReporter, a utility class for generating
11// PathDiagnostics.
12//
13//===----------------------------------------------------------------------===//
14
15#include "clang/Checker/BugReporter/BugReporter.h"
16#include "clang/Checker/PathSensitive/GRExprEngine.h"
17#include "clang/AST/ASTContext.h"
18#include "clang/Analysis/CFG.h"
19#include "clang/AST/Expr.h"
20#include "clang/AST/ParentMap.h"
21#include "clang/AST/StmtObjC.h"
22#include "clang/Basic/SourceManager.h"
23#include "clang/Analysis/ProgramPoint.h"
24#include "clang/Checker/BugReporter/PathDiagnostic.h"
25#include "llvm/Support/raw_ostream.h"
26#include "llvm/ADT/DenseMap.h"
27#include "llvm/ADT/STLExtras.h"
28#include "llvm/ADT/OwningPtr.h"
29#include <queue>
30
31using namespace clang;
32
// Out-of-line definition of the BugReporterVisitor destructor; the body is
// empty.
BugReporterVisitor::~BugReporterVisitor() {}
// Destroys every registered visitor that reports being owned by this context.
// Visitors that answer false to isOwnedByReporterContext() are not deleted
// here.
BugReporterContext::~BugReporterContext() {
  visitor_iterator Cur = visitor_begin();
  visitor_iterator End = visitor_end();

  while (Cur != End) {
    if ((*Cur)->isOwnedByReporterContext())
      delete *Cur;
    ++Cur;
  }
}
38
39//===----------------------------------------------------------------------===//
40// Helper routines for walking the ExplodedGraph and fetching statements.
41//===----------------------------------------------------------------------===//
42
// Returns the statement associated with program point P: the statement of a
// StmtPoint, or the terminator of the source block of a BlockEdge. Any other
// kind of program point yields null.
static inline const Stmt* GetStmt(ProgramPoint P) {
  const StmtPoint *AtStmt = dyn_cast<StmtPoint>(&P);
  if (AtStmt)
    return AtStmt->getStmt();

  const BlockEdge *Edge = dyn_cast<BlockEdge>(&P);
  if (Edge)
    return Edge->getSrc()->getTerminator();

  return 0;
}
51
// Returns the first predecessor of N, or NULL when N has no predecessors.
// N itself must be non-null; it is dereferenced unconditionally.
static inline const ExplodedNode*
GetPredecessorNode(const ExplodedNode* N) {
  if (N->pred_empty())
    return NULL;

  return *(N->pred_begin());
}
56
// Returns the first successor of N, or NULL when N has no successors.
// N itself must be non-null; it is dereferenced unconditionally.
static inline const ExplodedNode*
GetSuccessorNode(const ExplodedNode* N) {
  if (N->succ_empty())
    return NULL;

  return *(N->succ_begin());
}
61
// Walks backwards along first-predecessor links, starting at N's predecessor,
// and returns the first statement GetStmt() finds. Returns null when the
// chain ends without one.
static const Stmt* GetPreviousStmt(const ExplodedNode* N) {
  while ((N = GetPredecessorNode(N))) {
    const Stmt *Found = GetStmt(N->getLocation());
    if (Found)
      return Found;
  }

  return 0;
}
69
// Walks forwards along first-successor links, starting at N's successor, and
// returns the first statement that is an actual statement point with a valid
// start location. Returns null when the chain ends without one.
static const Stmt* GetNextStmt(const ExplodedNode* N) {
  while ((N = GetSuccessorNode(N))) {
    const Stmt *Candidate = GetStmt(N->getLocation());
    if (!Candidate)
      continue;

    // '?' (including __builtin_choose_expr) and '&&'/'||' are "merges",
    // not actual statement points, so keep walking past them.
    const Stmt::StmtClass Kind = Candidate->getStmtClass();

    if (Kind == Stmt::ChooseExprClass ||
        Kind == Stmt::ConditionalOperatorClass)
      continue;

    if (Kind == Stmt::BinaryOperatorClass) {
      BinaryOperator::Opcode Op = cast<BinaryOperator>(Candidate)->getOpcode();
      if (Op == BinaryOperator::LAnd || Op == BinaryOperator::LOr)
        continue;
    }

    // Some expressions don't have locations.
    if (Candidate->getLocStart().isInvalid())
      continue;

    return Candidate;
  }

  return 0;
}
97
// Returns the statement at N's own program point when there is one, and
// otherwise the nearest statement found by walking backwards from N.
static inline const Stmt*
GetCurrentOrPreviousStmt(const ExplodedNode* N) {
  const Stmt *Here = GetStmt(N->getLocation());
  return Here ? Here : GetPreviousStmt(N);
}
105
// Returns the statement at N's own program point when there is one, and
// otherwise the nearest statement found by walking forwards from N.
static inline const Stmt*
GetCurrentOrNextStmt(const ExplodedNode* N) {
  const Stmt *Here = GetStmt(N->getLocation());
  return Here ? Here : GetNextStmt(N);
}
113
114//===----------------------------------------------------------------------===//
115// PathDiagnosticBuilder and its associated routines and helper objects.
116//===----------------------------------------------------------------------===//
117
// Map from one ExplodedNode to another. NodeMapClosure::getOriginalNode()
// looks a node up in it and returns the mapped ("original") node.
typedef llvm::DenseMap<const ExplodedNode*,
                       const ExplodedNode*> NodeBackMap;
120
121namespace {
// NodeResolver backed by a NodeBackMap. The map is held by reference, so it
// must outlive this object; the constructor dereferences its pointer argument
// without a null check.
class NodeMapClosure : public BugReport::NodeResolver {
  NodeBackMap& M;
public:
  NodeMapClosure(NodeBackMap *m) : M(*m) {}
  ~NodeMapClosure() {}

  // Returns the node that N maps to, or null when N is not in the map.
  const ExplodedNode* getOriginalNode(const ExplodedNode* N) {
    NodeBackMap::iterator Pos = M.find(N);

    if (Pos == M.end())
      return 0;

    return Pos->second;
  }
};
133
// BugReporterContext used while generating the path diagnostic for one
// BugReport. It bundles the report, the (optional) diagnostic client and the
// node resolver, and offers helpers for mapping statements to diagnostic
// locations.
class PathDiagnosticBuilder : public BugReporterContext {
  BugReport *R;                  // Report being rendered; never checked for null.
  PathDiagnosticClient *PDC;     // May be null; see the two query methods below.
  llvm::OwningPtr<ParentMap> PM; // Not referenced by any method in this class body.
  NodeMapClosure NMC;
public:
  // Registers the report itself as a visitor on this context.
  PathDiagnosticBuilder(GRBugReporter &br,
                        BugReport *r, NodeBackMap *Backmap,
                        PathDiagnosticClient *pdc)
    : BugReporterContext(br),
      R(r), PDC(pdc), NMC(Backmap) {
    addVisitor(R);
  }

  // Location at which execution resumes after node N.
  PathDiagnosticLocation ExecutionContinues(const ExplodedNode* N);

  // Same as above, and additionally appends a description of where execution
  // continues to 'os'.
  PathDiagnosticLocation ExecutionContinues(llvm::raw_string_ostream& os,
                                            const ExplodedNode* N);

  // Declaration that owns the code at the report's end node.
  Decl const &getCodeDecl() {
    return R->getEndNode()->getCodeDecl();
  }

  // Parent map taken from the report's end node.
  ParentMap& getParentMap() {
    return R->getEndNode()->getParentMap();
  }

  // Parent of S according to getParentMap().
  const Stmt *getParent(const Stmt *S) {
    ParentMap &Parents = getParentMap();
    return Parents.getParent(S);
  }

  virtual NodeMapClosure& getNodeResolver() { return NMC; }

  BugReport& getReport() { return *R; }

  PathDiagnosticLocation getEnclosingStmtLocation(const Stmt *S);

  // Locations that do not wrap a statement are returned unchanged.
  PathDiagnosticLocation
  getEnclosingStmtLocation(const PathDiagnosticLocation &L) {
    const Stmt *S = L.asStmt();

    if (!S)
      return L;

    return getEnclosingStmtLocation(S);
  }

  // Without a client the scheme defaults to Extensive.
  PathDiagnosticClient::PathGenerationScheme getGenerationScheme() const {
    if (!PDC)
      return PathDiagnosticClient::Extensive;

    return PDC->getGenerationScheme();
  }

  // Without a client, logical-operator control flow is reported as supported.
  bool supportsLogicalOpControlFlow() const {
    if (!PDC)
      return true;

    return PDC->supportsLogicalOpControlFlow();
  }
};
182} // end anonymous namespace
183
// Returns the location of the next statement executed after N. When no such
// statement exists, the location is the closing brace of the body of the
// declaration N's location context belongs to.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(const ExplodedNode* N) {
  const Stmt *Next = GetNextStmt(N);

  if (Next)
    return PathDiagnosticLocation(Next, getSourceManager());

  return FullSourceLoc(N->getLocationContext()->getDecl()->getBodyRBrace(),
                       getSourceManager());
}
192
// Computes where execution continues after N, appends a sentence describing
// that place to 'os', and returns the location.
PathDiagnosticLocation
PathDiagnosticBuilder::ExecutionContinues(llvm::raw_string_ostream& os,
                                          const ExplodedNode* N) {

  // Slow, but probably doesn't matter.
  if (os.str().empty())
    os << ' ';

  const PathDiagnosticLocation &Loc = ExecutionContinues(N);

  if (Loc.asStmt()) {
    os << "Execution continues on line "
       << getSourceManager().getInstantiationLineNumber(Loc.asLocation())
       << '.';
    return Loc;
  }

  // No following statement: describe the kind of body that is being left.
  os << "Execution jumps to the end of the ";
  const Decl *D = N->getLocationContext()->getDecl();
  const char *BodyKind;

  if (isa<ObjCMethodDecl>(D))
    BodyKind = "method";
  else if (isa<FunctionDecl>(D))
    BodyKind = "function";
  else {
    // Checked by assertion only; other declaration kinds are not expected.
    assert(isa<BlockDecl>(D));
    BodyKind = "anonymous block";
  }

  os << BodyKind;
  os << '.';

  return Loc;
}
223
// Returns true when S is an expression whose value is consumed according to
// PM, or when its parent (ignoring parentheses) is a for, do or while
// statement.
static bool IsNested(const Stmt *S, ParentMap &PM) {
  if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S)))
    return true;

  const Stmt *Parent = PM.getParentIgnoreParens(S);
  if (!Parent)
    return false;

  const Stmt::StmtClass Kind = Parent->getStmtClass();
  return Kind == Stmt::ForStmtClass ||
         Kind == Stmt::DoStmtClass ||
         Kind == Stmt::WhileStmtClass;
}
242
// Maps statement S to the diagnostic location of the statement that should
// stand for it: while IsNested() holds, the function climbs to the parent
// (ignoring parentheses) and stops early at parents where S itself, or the
// parent, is the right anchor. After the climb, two for-statement special
// cases are applied.
//
// S must be non-null. That is enforced by assert() only, so a build with
// assertions disabled would reach IsNested() with a null pointer.
PathDiagnosticLocation
PathDiagnosticBuilder::getEnclosingStmtLocation(const Stmt *S) {
  assert(S && "Null Stmt* passed to getEnclosingStmtLocation");
  ParentMap &P = getParentMap();
  SourceManager &SMgr = getSourceManager();

  while (IsNested(S, P)) {
    const Stmt *Parent = P.getParentIgnoreParens(S);

    // No parent to climb to: S is the result.
    if (!Parent)
      break;

    switch (Parent->getStmtClass()) {
      case Stmt::BinaryOperatorClass: {
        // An operand of '&&'/'||' is reported as itself.
        const BinaryOperator *B = cast<BinaryOperator>(Parent);
        if (B->isLogicalOp())
          return PathDiagnosticLocation(S, SMgr);
        break;
      }
      case Stmt::CompoundStmtClass:
      case Stmt::StmtExprClass:
        return PathDiagnosticLocation(S, SMgr);
      case Stmt::ChooseExprClass:
        // Similar to '?' if we are referring to condition, just have the edge
        // point to the entire choose expression.
        if (cast<ChooseExpr>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr);
        else
          return PathDiagnosticLocation(S, SMgr);
      case Stmt::ConditionalOperatorClass:
        // For '?', if we are referring to condition, just have the edge point
        // to the entire '?' expression.
        if (cast<ConditionalOperator>(Parent)->getCond() == S)
          return PathDiagnosticLocation(Parent, SMgr);
        else
          return PathDiagnosticLocation(S, SMgr);
      case Stmt::DoStmtClass:
        return PathDiagnosticLocation(S, SMgr);
      case Stmt::ForStmtClass:
        // Only the loop body is reported as itself; other children keep
        // climbing.
        if (cast<ForStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::IfStmtClass:
        // Anything but the condition is reported as itself.
        if (cast<IfStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::ObjCForCollectionStmtClass:
        if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      case Stmt::WhileStmtClass:
        // Anything but the condition is reported as itself.
        if (cast<WhileStmt>(Parent)->getCond() != S)
          return PathDiagnosticLocation(S, SMgr);
        break;
      default:
        break;
    }

    S = Parent;
  }

  assert(S && "Cannot have null Stmt for PathDiagnosticLocation");

  // Special case: DeclStmts can appear in for statement declarations, in which
  // case the ForStmt is the context.
  if (isa<DeclStmt>(S)) {
    if (const Stmt *Parent = P.getParent(S)) {
      switch (Parent->getStmtClass()) {
        case Stmt::ForStmtClass:
        case Stmt::ObjCForCollectionStmtClass:
          return PathDiagnosticLocation(Parent, SMgr);
        default:
          break;
      }
    }
  }
  else if (isa<BinaryOperator>(S)) {
    // Special case: the binary operator represents the initialization
    // code in a for statement (this can happen when the variable being
    // initialized is an old variable).
    if (const ForStmt *FS =
          dyn_cast_or_null<ForStmt>(P.getParentIgnoreParens(S))) {
      if (FS->getInit() == S)
        return PathDiagnosticLocation(FS, SMgr);
    }
  }

  return PathDiagnosticLocation(S, SMgr);
}
332
333//===----------------------------------------------------------------------===//
334// ScanNotableSymbols: closure-like callback for scanning Store bindings.
335//===----------------------------------------------------------------------===//
336
// Starting at N and walking backwards along first-predecessor links, finds
// the first PostStmt node whose statement is a DeclRefExpr that evaluates to
// X in that node's state and refers to a VarDecl. Returns that VarDecl, or
// null when no node qualifies. VMgr is not used by the body.
static const VarDecl*
GetMostRecentVarDeclBinding(const ExplodedNode* N,
                            GRStateManager& VMgr, SVal X) {

  for ( ; N ; N = GetPredecessorNode(N)) {
    ProgramPoint P = N->getLocation();

    if (!isa<PostStmt>(P))
      continue;

    const DeclRefExpr* Ref =
      dyn_cast<DeclRefExpr>(cast<PostStmt>(P).getStmt());

    // Skip nodes that are not variable references or whose value differs.
    if (!Ref || X != N->getState()->getSVal(Ref))
      continue;

    if (const VarDecl* Var = dyn_cast<VarDecl>(Ref->getDecl()))
      return Var;
  }

  return 0;
}
368
369namespace {
// Bindings handler that looks for store bindings to one particular symbol
// which differ from the previous state, and emits a "now aliases" event piece
// when the new binding comes from an assignment or a declaration of a
// location-typed variable.
class NotableSymbolHandler
: public StoreManager::BindingsHandler {

  SymbolRef Sym;
  const GRState* PrevSt;
  const Stmt* S;
  GRStateManager& VMgr;
  const ExplodedNode* Pred;
  PathDiagnostic& PD;
  BugReporter& BR;

public:

  NotableSymbolHandler(SymbolRef sym, const GRState* prevst, const Stmt* s,
                       GRStateManager& vmgr, const ExplodedNode* pred,
                       PathDiagnostic& pd, BugReporter& br)
    : Sym(sym), PrevSt(prevst), S(s), VMgr(vmgr), Pred(pred), PD(pd), BR(br) {}

  // Always returns true, so iteration over the bindings is never cut short.
  // PrevSt and S are dereferenced without a null check; the visible caller,
  // HandleNotableSymbol, guarantees a non-null PrevSt.
  bool HandleBinding(StoreManager& SMgr, Store store, const MemRegion* R,
                     SVal V) {

    // Only bindings whose value is the tracked symbol are of interest.
    if (V.getAsSymbol() != Sym)
      return true;

    // Same binding in the previous state? Then nothing changed here.
    if (PrevSt->getSVal(loc::MemRegionVal(R)) == V)
      return true;

    // Different binding. Only handle assignments for now. We don't pull
    // this check out of the loop because we will eventually handle other
    // cases.
    VarDecl *Target = 0;

    if (const BinaryOperator* Assign = dyn_cast<BinaryOperator>(S)) {
      if (!Assign->isAssignmentOp())
        return true;

      // What variable did we assign to?
      DeclRefExpr* LHSRef =
        dyn_cast<DeclRefExpr>(Assign->getLHS()->IgnoreParenCasts());

      if (!LHSRef)
        return true;

      Target = dyn_cast<VarDecl>(LHSRef->getDecl());
    }
    else if (const DeclStmt* DS = dyn_cast<DeclStmt>(S)) {
      // FIXME: Eventually CFGs won't have DeclStmts. Right now we
      // assume that each DeclStmt has a single Decl. This invariant
      // holds by construction in the CFG.
      Target = dyn_cast<VarDecl>(*DS->decl_begin());
    }

    if (!Target)
      return true;

    // What is the most recently referenced variable with this binding?
    const VarDecl* MostRecent = GetMostRecentVarDeclBinding(Pred, VMgr, V);

    if (!MostRecent)
      return true;

    // Create the diagnostic.
    FullSourceLoc L(S->getLocStart(), BR.getSourceManager());

    if (!Loc::IsLocType(Target->getType()))
      return true;

    std::string msg("'");
    msg += Target->getNameAsString();
    msg += "' now aliases '";
    msg += MostRecent->getNameAsString();
    msg += "'";

    PD.push_front(new PathDiagnosticEventPiece(L, msg));
    return true;
  }
};
449}
450
// Compares the bindings of N's state with those of its first predecessor's
// state and lets NotableSymbolHandler report new bindings to Sym. Does
// nothing when N has no predecessor or the predecessor has no state.
// BR must actually be a GRBugReporter; the cast<> below asserts on that.
static void HandleNotableSymbol(const ExplodedNode* N,
                                const Stmt* S,
                                SymbolRef Sym, BugReporter& BR,
                                PathDiagnostic& PD) {

  const ExplodedNode* Pred = GetPredecessorNode(N);
  if (!Pred)
    return;

  const GRState* PrevSt = Pred->getState();
  if (!PrevSt)
    return;

  // Look at the region bindings of the current state that map to the
  // specified symbol. Are any of them not in the previous state?
  GRStateManager& VMgr = cast<GRBugReporter>(BR).getStateManager();
  NotableSymbolHandler Handler(Sym, PrevSt, S, VMgr, Pred, PD, BR);
  VMgr.iterBindings(N->getState(), Handler);
}
468
469namespace {
// Bindings handler that calls HandleNotableSymbol once for each distinct
// symbol which the bug reporter considers notable.
class ScanNotableSymbols
: public StoreManager::BindingsHandler {

  llvm::SmallSet<SymbolRef, 10> AlreadyProcessed; // Symbols handled so far.
  const ExplodedNode* N;
  const Stmt* S;
  GRBugReporter& BR;
  PathDiagnostic& PD;

public:
  ScanNotableSymbols(const ExplodedNode* n, const Stmt* s,
                     GRBugReporter& br, PathDiagnostic& pd)
    : N(n), S(s), BR(br), PD(pd) {}

  // Always returns true, so iteration over the bindings is never cut short.
  bool HandleBinding(StoreManager& SMgr, Store store,
                     const MemRegion* R, SVal V) {

    SymbolRef ScanSym = V.getAsSymbol();

    // Skip values that are not symbols, symbols that are not notable, and
    // symbols that were already processed.
    if (!ScanSym || !BR.isNotable(ScanSym) || AlreadyProcessed.count(ScanSym))
      return true;

    AlreadyProcessed.insert(ScanSym);
    HandleNotableSymbol(N, S, ScanSym, BR, PD);

    return true;
  }
};
504} // end anonymous namespace
505
506//===----------------------------------------------------------------------===//
507// "Minimal" path diagnostic generation algorithm.
508//===----------------------------------------------------------------------===//
509
510static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM);
511
// Builds the "minimal" path diagnostic: walks backwards from N along
// first-predecessor links and, for every node, pushes pieces onto the front
// of PD:
//   - a control-flow piece with a textual description for each BlockEdge
//     whose source block has a terminator this function knows about,
//   - whatever pieces the registered visitors return for the node,
//   - alias events for notable symbols at PostStmt nodes.
// N itself is not visited; the walk begins at its first predecessor. Finally
// the pieces that fall inside macros are compacted.
//
// NOTE(review): several branches read *(Src->succ_begin()+1) without checking
// that the source block has a second successor. Presumably the CFG guarantees
// two successors for these terminators -- confirm.
static void GenerateMinimalPathDiagnostic(PathDiagnostic& PD,
                                          PathDiagnosticBuilder &PDB,
                                          const ExplodedNode *N) {

  SourceManager& SMgr = PDB.getSourceManager();
  const ExplodedNode* NextNode = N->pred_empty()
                                 ? NULL : *(N->pred_begin());
  while (NextNode) {
    N = NextNode;
    NextNode = GetPredecessorNode(N);

    ProgramPoint P = N->getLocation();

    if (const BlockEdge* BE = dyn_cast<BlockEdge>(&P)) {
      CFGBlock* Src = BE->getSrc();
      CFGBlock* Dst = BE->getDst();
      Stmt* T = Src->getTerminator();

      // An edge out of a block without a terminator produces no piece. Note
      // that 'continue' also skips the visitor and notable-symbol steps at
      // the bottom of the loop for this node.
      if (!T)
        continue;

      FullSourceLoc Start(T->getLocStart(), SMgr);

      switch (T->getStmtClass()) {
        default:
          break;

        case Stmt::GotoStmtClass:
        case Stmt::IndirectGotoStmtClass: {
          const Stmt* S = GetNextStmt(N);

          if (!S)
            continue;

          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          const PathDiagnosticLocation &End = PDB.getEnclosingStmtLocation(S);

          os << "Control jumps to line "
             << End.asLocation().getInstantiationLineNumber();
          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        case Stmt::SwitchStmtClass: {
          // Figure out what case arm we took.
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);

          if (Stmt* S = Dst->getLabel()) {
            PathDiagnosticLocation End(S, SMgr);

            switch (S->getStmtClass()) {
              default:
                os << "No cases match in the switch statement. "
                      "Control jumps to line "
                   << End.asLocation().getInstantiationLineNumber();
                break;
              case Stmt::DefaultStmtClass:
                os << "Control jumps to the 'default' case at line "
                   << End.asLocation().getInstantiationLineNumber();
                break;

              case Stmt::CaseStmtClass: {
                os << "Control jumps to 'case ";
                CaseStmt* Case = cast<CaseStmt>(S);
                Expr* LHS = Case->getLHS()->IgnoreParenCasts();

                // Determine if it is an enum.
                bool GetRawInt = true;

                if (DeclRefExpr* DR = dyn_cast<DeclRefExpr>(LHS)) {
                  // FIXME: Maybe this should be an assertion. Are there cases
                  // were it is not an EnumConstantDecl?
                  EnumConstantDecl* D =
                    dyn_cast<EnumConstantDecl>(DR->getDecl());

                  if (D) {
                    GetRawInt = false;
                    os << D->getNameAsString();
                  }
                }

                // Not an enumerator: print the evaluated integer value of
                // the case label instead.
                if (GetRawInt)
                  os << LHS->EvaluateAsInt(PDB.getASTContext());

                os << ":' at line "
                   << End.asLocation().getInstantiationLineNumber();
                break;
              }
            }
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            // The destination block carries no label.
            os << "'Default' branch taken. ";
            const PathDiagnosticLocation &End = PDB.ExecutionContinues(os, N);
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }

          break;
        }

        case Stmt::BreakStmtClass:
        case Stmt::ContinueStmtClass: {
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        // Determine control-flow for ternary '?'.
        case Stmt::ConditionalOperatorClass: {
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          os << "'?' condition is ";

          // Here the second successor is treated as the "false" edge.
          if (*(Src->succ_begin()+1) == Dst)
            os << "false";
          else
            os << "true";

          PathDiagnosticLocation End = PDB.ExecutionContinues(N);

          if (const Stmt *S = End.asStmt())
            End = PDB.getEnclosingStmtLocation(S);

          PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                           os.str()));
          break;
        }

        // Determine control-flow for short-circuited '&&' and '||'.
        case Stmt::BinaryOperatorClass: {
          if (!PDB.supportsLogicalOpControlFlow())
            break;

          BinaryOperator *B = cast<BinaryOperator>(T);
          std::string sbuf;
          llvm::raw_string_ostream os(sbuf);
          os << "Left side of '";

          // In the branches below, a local 'Start' shadows the outer one that
          // was built from the terminator's start location.
          if (B->getOpcode() == BinaryOperator::LAnd) {
            os << "&&" << "' is ";

            if (*(Src->succ_begin()+1) == Dst) {
              os << "false";
              PathDiagnosticLocation End(B->getLHS(), SMgr);
              PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
            else {
              os << "true";
              PathDiagnosticLocation Start(B->getLHS(), SMgr);
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
          }
          else {
            // Any other opcode is a logic error; this is checked by
            // assertion only.
            assert(B->getOpcode() == BinaryOperator::LOr);
            os << "||" << "' is ";

            if (*(Src->succ_begin()+1) == Dst) {
              os << "false";
              PathDiagnosticLocation Start(B->getLHS(), SMgr);
              PathDiagnosticLocation End = PDB.ExecutionContinues(N);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
            else {
              os << "true";
              PathDiagnosticLocation End(B->getLHS(), SMgr);
              PathDiagnosticLocation Start(B->getOperatorLoc(), SMgr);
              PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                               os.str()));
            }
          }

          break;
        }

        case Stmt::DoStmtClass: {
          // For 'do', the first successor is the edge taken when the loop
          // condition is true.
          if (*(Src->succ_begin()) == Dst) {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            os << "Loop condition is true. ";
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);

            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                              "Loop condition is false. Exiting loop"));
          }

          break;
        }

        case Stmt::WhileStmtClass:
        case Stmt::ForStmtClass: {
          // For 'while'/'for', the second successor is the edge taken when
          // the loop condition is false.
          if (*(Src->succ_begin()+1) == Dst) {
            std::string sbuf;
            llvm::raw_string_ostream os(sbuf);

            os << "Loop condition is false. ";
            PathDiagnosticLocation End = PDB.ExecutionContinues(os, N);
            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                             os.str()));
          }
          else {
            PathDiagnosticLocation End = PDB.ExecutionContinues(N);
            if (const Stmt *S = End.asStmt())
              End = PDB.getEnclosingStmtLocation(S);

            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                              "Loop condition is true. Entering loop body"));
          }

          break;
        }

        case Stmt::IfStmtClass: {
          PathDiagnosticLocation End = PDB.ExecutionContinues(N);

          if (const Stmt *S = End.asStmt())
            End = PDB.getEnclosingStmtLocation(S);

          if (*(Src->succ_begin()+1) == Dst)
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                     "Taking false branch"));
          else
            PD.push_front(new PathDiagnosticControlFlowPiece(Start, End,
                                                     "Taking true branch"));

          break;
        }
      }
    }

    // Give every registered visitor a chance to contribute a piece for the
    // (N, NextNode) pair; the first node of the path has no NextNode.
    if (NextNode) {
      for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(),
           E = PDB.visitor_end(); I!=E; ++I) {
        if (PathDiagnosticPiece* p = (*I)->VisitNode(N, NextNode, PDB))
          PD.push_front(p);
      }
    }

    if (const PostStmt* PS = dyn_cast<PostStmt>(&P)) {
      // Scan the region bindings, and see if a "notable" symbol has a new
      // lval binding.
      ScanNotableSymbols SNS(N, PS->getStmt(), PDB.getBugReporter(), PD);
      PDB.getStateManager().iterBindings(N->getState(), SNS);
    }
  }

  // After constructing the full PathDiagnostic, do a pass over it to compact
  // PathDiagnosticPieces that occur within a macro.
  CompactPathDiagnostic(PD, PDB.getSourceManager());
}
790
791//===----------------------------------------------------------------------===//
792// "Extensive" PathDiagnostic generation.
793//===----------------------------------------------------------------------===//
794
// Returns true when S, after stripping parentheses and casts, is a '?'
// conditional operator or a logical '&&'/'||' operator. S must be non-null:
// dyn_cast<> is used, not dyn_cast_or_null<>.
static bool IsControlFlowExpr(const Stmt *S) {
  const Expr *Outer = dyn_cast<Expr>(S);

  if (!Outer)
    return false;

  const Expr *Inner = Outer->IgnoreParenCasts();

  if (isa<ConditionalOperator>(Inner))
    return true;

  const BinaryOperator *Bin = dyn_cast<BinaryOperator>(Inner);
  return Bin && Bin->isLogicalOp();
}
812
813namespace {
// A PathDiagnosticLocation with an extra "dead" flag. EdgeBuilder keeps a
// stack of these and does not emit an edge for a dead entry when popping it.
class ContextLocation : public PathDiagnosticLocation {
  bool IsDead;
public:
  ContextLocation(const PathDiagnosticLocation &L, bool isdead = false)
    : PathDiagnosticLocation(L),
      IsDead(isdead) {
  }

  // Flags this context as dead; the flag is never cleared again.
  void markDead() {
    IsDead = true;
  }

  bool isDead() const {
    return IsDead;
  }
};
823
// Builds the control-flow edges of an "extensive" path diagnostic. It keeps
// a stack of enclosing context locations (CLocs) plus the location of the
// most recently added edge (PrevLoc), and pushes control-flow pieces onto
// the front of PD. Remaining contexts are flushed in the destructor.
class EdgeBuilder {
  std::vector<ContextLocation> CLocs;
  typedef std::vector<ContextLocation>::iterator iterator;
  PathDiagnostic &PD;
  PathDiagnosticBuilder &PDB;
  PathDiagnosticLocation PrevLoc;

  bool IsConsumedExpr(const PathDiagnosticLocation &L);

  bool containsLocation(const PathDiagnosticLocation &Container,
                        const PathDiagnosticLocation &Containee);

  PathDiagnosticLocation getContextLocation(const PathDiagnosticLocation &L);

  // Rewrites L so that it refers to the sub-expression that best represents
  // it, and optionally narrows it to a single source location. Once any
  // sub-expression has been selected, the result is always narrowed.
  PathDiagnosticLocation cleanUpLocation(PathDiagnosticLocation L,
                                         bool firstCharOnly = false) {
    if (const Stmt *Original = L.asStmt()) {
      const Stmt *Cur = Original;

      // Adjust the location for some expressions that are best referenced
      // by one of their subexpressions. Repeat until no rule applies.
      for (bool Descended = true; Descended; ) {
        switch (Cur->getStmtClass()) {
          case Stmt::ParenExprClass:
            Cur = cast<ParenExpr>(Cur)->IgnoreParens();
            break;
          case Stmt::ConditionalOperatorClass:
            Cur = cast<ConditionalOperator>(Cur)->getCond();
            break;
          case Stmt::ChooseExprClass:
            Cur = cast<ChooseExpr>(Cur)->getCond();
            break;
          case Stmt::BinaryOperatorClass:
            Cur = cast<BinaryOperator>(Cur)->getLHS();
            break;
          default:
            Descended = false;
            break;
        }

        if (Descended)
          firstCharOnly = true;
      }

      if (Cur != Original)
        L = PathDiagnosticLocation(Cur, L.getManager());
    }

    if (firstCharOnly)
      L = PathDiagnosticLocation(L.asLocation());

    return L;
  }

  // Removes the innermost context. Unless it is dead or not a file location,
  // an edge to its first character is emitted first. CLocs must not be empty.
  void popLocation() {
    const ContextLocation &Top = CLocs.back();

    if (!Top.isDead() && Top.asLocation().isFileID()) {
      // For contexts, we only want the first character as the range.
      rawAddEdge(cleanUpLocation(Top, true));
    }

    CLocs.pop_back();
  }

  PathDiagnosticLocation IgnoreParens(const PathDiagnosticLocation &L);

public:
  EdgeBuilder(PathDiagnostic &pd, PathDiagnosticBuilder &pdb)
    : PD(pd), PDB(pdb) {

    // If the PathDiagnostic already has pieces, add the enclosing statement
    // of the first piece as a context as well.
    if (PD.empty())
      return;

    PrevLoc = PD.begin()->getLocation();

    if (const Stmt *S = PrevLoc.asStmt())
      addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
  }

  // Flushes every remaining context (which may emit edges) and then adds the
  // initial edge of the path.
  ~EdgeBuilder() {
    while (!CLocs.empty())
      popLocation();

    // Finally, add an initial edge from the start location of the first
    // statement (if it doesn't already exist).
    // FIXME: Should handle CXXTryStmt if analyser starts supporting C++.
    const CompoundStmt *Body = PDB.getCodeDecl().getCompoundBody();

    if (Body && !Body->body_empty()) {
      SourceLocation Loc = (*Body->body_begin())->getLocStart();
      rawAddEdge(PathDiagnosticLocation(Loc, PDB.getSourceManager()));
    }
  }

  void addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd = false);

  // Convenience overload: wraps S in a location and forwards to the above.
  void addEdge(const Stmt *S, bool alwaysAdd = false) {
    PathDiagnosticLocation Wrapped(S, PDB.getSourceManager());
    addEdge(Wrapped, alwaysAdd);
  }

  void rawAddEdge(PathDiagnosticLocation NewLoc);

  void addContext(const Stmt *S);
  void addExtendedContext(const Stmt *S);
};
929} // end anonymous namespace
930
931
// Returns the context that L belongs to. Control-flow expressions and
// locations that do not wrap a statement are their own context; any other
// statement maps to its enclosing statement location.
PathDiagnosticLocation
EdgeBuilder::getContextLocation(const PathDiagnosticLocation &L) {
  const Stmt *S = L.asStmt();

  if (!S || IsControlFlowExpr(S))
    return L;

  return PDB.getEnclosingStmtLocation(S);
}
943
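// Returns true when Containee lies within Container.
//
// Identical locations contain each other, and a declaration location contains
// everything. When both locations are statements, the answer comes from
// walking Containee's parent chain. Otherwise the two source ranges are
// compared by instantiation line and column.
//
// Fix: the end-column test used to compare Container's end column with
// itself, which is always true, so a Containee ending on Container's last
// line but beyond its last column was wrongly reported as contained. The
// test now compares against Containee's end column.
bool EdgeBuilder::containsLocation(const PathDiagnosticLocation &Container,
                                   const PathDiagnosticLocation &Containee) {

  if (Container == Containee)
    return true;

  if (Container.asDecl())
    return true;

  if (const Stmt *S = Containee.asStmt())
    if (const Stmt *ContainerS = Container.asStmt()) {
      // Exact answer: is ContainerS an ancestor of (or equal to) S?
      while (S) {
        if (S == ContainerS)
          return true;
        S = PDB.getParent(S);
      }
      return false;
    }

  // Less accurate: compare using source ranges.
  SourceRange ContainerR = Container.asRange();
  SourceRange ContaineeR = Containee.asRange();

  SourceManager &SM = PDB.getSourceManager();
  SourceLocation ContainerRBeg = SM.getInstantiationLoc(ContainerR.getBegin());
  SourceLocation ContainerREnd = SM.getInstantiationLoc(ContainerR.getEnd());
  SourceLocation ContaineeRBeg = SM.getInstantiationLoc(ContaineeR.getBegin());
  SourceLocation ContaineeREnd = SM.getInstantiationLoc(ContaineeR.getEnd());

  unsigned ContainerBegLine = SM.getInstantiationLineNumber(ContainerRBeg);
  unsigned ContainerEndLine = SM.getInstantiationLineNumber(ContainerREnd);
  unsigned ContaineeBegLine = SM.getInstantiationLineNumber(ContaineeRBeg);
  unsigned ContaineeEndLine = SM.getInstantiationLineNumber(ContaineeREnd);

  assert(ContainerBegLine <= ContainerEndLine);
  assert(ContaineeBegLine <= ContaineeEndLine);

  // Columns only matter on a line that both ranges share as their first
  // (respectively last) line.
  return (ContainerBegLine <= ContaineeBegLine &&
          ContainerEndLine >= ContaineeEndLine &&
          (ContainerBegLine != ContaineeBegLine ||
           SM.getInstantiationColumnNumber(ContainerRBeg) <=
           SM.getInstantiationColumnNumber(ContaineeRBeg)) &&
          (ContainerEndLine != ContaineeEndLine ||
           SM.getInstantiationColumnNumber(ContainerREnd) >=
           SM.getInstantiationColumnNumber(ContaineeREnd)));
}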
990
// When L wraps an expression, returns the location of that expression with
// parentheses and casts stripped; any other location is returned unchanged.
PathDiagnosticLocation
EdgeBuilder::IgnoreParens(const PathDiagnosticLocation &L) {
  const Expr* E = dyn_cast_or_null<Expr>(L.asStmt());

  if (!E)
    return L;

  return PathDiagnosticLocation(E->IgnoreParenCasts(),
                                PDB.getSourceManager());
}
998
// Adds a control-flow edge from NewLoc to the previously recorded location
// and makes NewLoc the new previous location. The very first call only
// records NewLoc. No edge is added, and PrevLoc is left as it was, when both
// cleaned-up ends are the same location or share an instantiation location.
void EdgeBuilder::rawAddEdge(PathDiagnosticLocation NewLoc) {
  if (!PrevLoc.isValid()) {
    PrevLoc = NewLoc;
    return;
  }

  const PathDiagnosticLocation &NewLocClean = cleanUpLocation(NewLoc);
  const PathDiagnosticLocation &PrevLocClean = cleanUpLocation(PrevLoc);

  const bool SameLocation =
    NewLocClean.asLocation() == PrevLocClean.asLocation();

  // FIXME: Ignore intra-macro edges for now.
  if (SameLocation ||
      NewLocClean.asLocation().getInstantiationLoc() ==
      PrevLocClean.asLocation().getInstantiationLoc())
    return;

  PD.push_front(new PathDiagnosticControlFlowPiece(NewLocClean, PrevLocClean));
  PrevLoc = NewLoc;
}
1019
// Records NewLoc relative to the context stack. Contexts that do not contain
// NewLoc's context are popped (which may emit edges) until one that equals or
// contains it is found. With alwaysAdd set an edge to NewLoc is emitted in
// every case; without it, locations inside macros are ignored and an edge is
// emitted only when no enclosing context remains.
void EdgeBuilder::addEdge(PathDiagnosticLocation NewLoc, bool alwaysAdd) {

  if (!alwaysAdd && NewLoc.asLocation().isMacroID())
    return;

  const PathDiagnosticLocation &CLoc = getContextLocation(NewLoc);

  // Each pass that finds no match flushes the top context via popLocation().
  for ( ; !CLocs.empty(); popLocation()) {
    ContextLocation &TopContextLoc = CLocs.back();

    // Is the top location context the same as the one for the new location?
    if (TopContextLoc == CLoc) {
      if (!alwaysAdd)
        return;

      if (IsConsumedExpr(TopContextLoc) &&
          !IsControlFlowExpr(TopContextLoc.asStmt()))
        TopContextLoc.markDead();

      rawAddEdge(NewLoc);
      return;
    }

    // Context does not contain the location. Flush it.
    if (!containsLocation(TopContextLoc, CLoc))
      continue;

    // The top context encloses the new one: push the new context, marked
    // dead when an edge was forced for a consumed, non-control-flow
    // expression.
    bool PushDead = false;

    if (alwaysAdd) {
      rawAddEdge(NewLoc);
      PushDead = IsConsumedExpr(CLoc) && !IsControlFlowExpr(CLoc.asStmt());
    }

    CLocs.push_back(ContextLocation(CLoc, PushDead));
    return;
  }

  // If we reach here, there is no enclosing context. Just add the edge.
  rawAddEdge(NewLoc);
}
1064
// Returns true when L wraps an expression that the parent map reports as
// consumed and that is not a control-flow expression.
bool EdgeBuilder::IsConsumedExpr(const PathDiagnosticLocation &L) {
  const Expr *X = dyn_cast_or_null<Expr>(L.asStmt());

  if (!X)
    return false;

  return PDB.getParentMap().isConsumedExpr(X) && !IsControlFlowExpr(X);
}
1071
// Adds S as a context. Before that, the nearest ancestor of S that is not a
// compound statement is also added when it is a 'do' statement or an
// Objective-C @synchronized statement. A null S is ignored.
void EdgeBuilder::addExtendedContext(const Stmt *S) {
  if (!S)
    return;

  // Skip over any compound statements directly enclosing S.
  const Stmt *Parent = PDB.getParent(S);
  while (Parent && isa<CompoundStmt>(Parent))
    Parent = PDB.getParent(Parent);

  if (Parent) {
    const Stmt::StmtClass Kind = Parent->getStmtClass();

    if (Kind == Stmt::DoStmtClass ||
        Kind == Stmt::ObjCAtSynchronizedStmtClass)
      addContext(Parent);
  }

  addContext(S);
}
1096
// Pushes the location of S onto the context stack. Contexts that do not
// contain it are popped first (which may emit edges); nothing is pushed when
// the top context already equals it. A null S is ignored.
void EdgeBuilder::addContext(const Stmt *S) {
  if (!S)
    return;

  PathDiagnosticLocation L(S, PDB.getSourceManager());

  // Each pass that finds no match flushes the top context via popLocation().
  for ( ; !CLocs.empty(); popLocation()) {
    const PathDiagnosticLocation &TopContextLoc = CLocs.back();

    // Is the top location context the same as the one for the new location?
    if (TopContextLoc == L)
      return;

    // Found an enclosing context: stop flushing and push below.
    if (containsLocation(TopContextLoc, L))
      break;
  }

  CLocs.push_back(L);
}
1121
/// GenerateExtensivePathDiagnostic - Walk the path backwards from N through
/// its predecessors, feeding block edges, block entrances and visitor
/// pieces to an EdgeBuilder and prepending the resulting pieces to PD.
///
/// \param PD   The diagnostic that receives the pieces (via push_front).
/// \param PDB  Supplies the source manager, the enclosing-statement lookup
///             and the registered visitors.
/// \param N    The node the walk starts from; it is dereferenced
///             unconditionally, so callers must pass a non-null node.
static void GenerateExtensivePathDiagnostic(PathDiagnostic& PD,
                                            PathDiagnosticBuilder &PDB,
                                            const ExplodedNode *N) {


  EdgeBuilder EB(PD, PDB);

  // Start at the first predecessor of N, if there is one.
  const ExplodedNode* NextNode = N->pred_empty()
                                 ? NULL : *(N->pred_begin());
  while (NextNode) {
    N = NextNode;
    NextNode = GetPredecessorNode(N);
    ProgramPoint P = N->getLocation();

    // Single-pass 'do' used only so that 'break' can leave the
    // program-point dispatch early.
    do {
      // Block edges.
      if (const BlockEdge *BE = dyn_cast<BlockEdge>(&P)) {
        const CFGBlock &Blk = *BE->getSrc();
        const Stmt *Term = Blk.getTerminator();

        // Are we jumping to the head of a loop?  Add a special diagnostic.
        if (const Stmt *Loop = BE->getDst()->getLoopTarget()) {
          PathDiagnosticLocation L(Loop, PDB.getSourceManager());
          const CompoundStmt *CS = NULL;

          // Without a terminator on the source block, look at the body of a
          // 'for' or 'while' loop so an edge to its closing brace can be
          // added below.
          if (!Term) {
            if (const ForStmt *FS = dyn_cast<ForStmt>(Loop))
              CS = dyn_cast<CompoundStmt>(FS->getBody());
            else if (const WhileStmt *WS = dyn_cast<WhileStmt>(Loop))
              CS = dyn_cast<CompoundStmt>(WS->getBody());
          }

          // NOTE(review): 'p' is a raw allocation handed to PD.push_front
          // below; presumably PD takes ownership -- confirm in
          // PathDiagnostic.
          PathDiagnosticEventPiece *p =
            new PathDiagnosticEventPiece(L,
                                        "Looping back to the head of the loop");

          EB.addEdge(p->getLocation(), true);
          PD.push_front(p);

          if (CS) {
            PathDiagnosticLocation BL(CS->getRBracLoc(),
                                      PDB.getSourceManager());
            BL = PathDiagnosticLocation(BL.asLocation());
            EB.addEdge(BL);
          }
        }

        if (Term)
          EB.addContext(Term);

        break;
      }

      if (const BlockEntrance *BE = dyn_cast<BlockEntrance>(&P)) {
        if (const Stmt* S = BE->getFirstStmt()) {
          if (IsControlFlowExpr(S)) {
            // Add the proper context for '&&', '||', and '?'.
            EB.addContext(S);
          }
          else
            EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
        }

        break;
      }
    } while (0);

    // The visitors need a predecessor node; without one the loop condition
    // ends the walk.
    if (!NextNode)
      continue;

    // Let every registered visitor contribute a piece for the (N, NextNode)
    // pair.
    for (BugReporterContext::visitor_iterator I = PDB.visitor_begin(),
         E = PDB.visitor_end(); I!=E; ++I) {
      if (PathDiagnosticPiece* p = (*I)->VisitNode(N, NextNode, PDB)) {
        const PathDiagnosticLocation &Loc = p->getLocation();
        EB.addEdge(Loc, true);
        PD.push_front(p);
        if (const Stmt *S = Loc.asStmt())
          EB.addExtendedContext(PDB.getEnclosingStmtLocation(S).asStmt());
      }
    }
  }
}
1204
1205//===----------------------------------------------------------------------===//
1206// Methods for BugType and subclasses.
1207//===----------------------------------------------------------------------===//
/// Destroy every equivalence class held by this BugType.
BugType::~BugType() {
  // Each node is captured and the iterator advanced *before* the node is
  // deleted; advancing afterwards would read from freed memory.
  iterator I = begin(), E = end();
  while (I != E) {
    BugReportEquivClass *Doomed = &*I;
    ++I;
    delete Doomed;
  }
}
/// FlushReports - Default implementation: does nothing. BugReporter calls
/// this on every registered BugType before emitting the queued reports.
void BugType::FlushReports(BugReporter &BR) {}
1219
1220//===----------------------------------------------------------------------===//
1221// Methods for BugReport and subclasses.
1222//===----------------------------------------------------------------------===//
// Out-of-line destructors with empty bodies.
BugReport::~BugReport() {}
RangedBugReport::~RangedBugReport() {}
1225
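/// getStmt - Return the statement associated with the report's end node,
/// or NULL when there is none.
///
/// When the end node is the entrance of the CFG exit block, the previous
/// statement on the path is used; otherwise (or if that lookup fails) the
/// statement of the end node's program point is returned.
const Stmt* BugReport::getStmt() const {
  // getLocation() in this file treats a null EndNode as valid input, and the
  // callers here (getEndPath, getRanges) already handle a NULL statement, so
  // guard the dereference instead of crashing on a report without a node.
  if (!EndNode)
    return NULL;

  ProgramPoint ProgP = EndNode->getLocation();
  const Stmt *S = NULL;

  if (BlockEntrance* BE = dyn_cast<BlockEntrance>(&ProgP)) {
    CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit();
    if (BE->getBlock() == &Exit)
      S = GetPreviousStmt(EndNode);
  }
  if (!S)
    S = GetStmt(ProgP);

  return S;
}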
1240
/// getEndPath - Build the final event piece of the path, located at the
/// report's statement and carrying the report description.
///
/// \returns A newly allocated piece (the caller receives the raw pointer),
///          or NULL when the report has no statement.
PathDiagnosticPiece*
BugReport::getEndPath(BugReporterContext& BRC,
                      const ExplodedNode* EndPathNode) {

  const Stmt* S = getStmt();
  if (!S)
    return NULL;

  const SourceRange *Beg, *End;
  getRanges(Beg, End);
  PathDiagnosticLocation L(S, BRC.getSourceManager());

  // The statement itself is added as a range only when the report did not
  // specify any ranges of its own.
  const bool NoSpecialRanges = (Beg == End);
  PathDiagnosticPiece* P =
    new PathDiagnosticEventPiece(L, getDescription(), NoSpecialRanges);

  while (Beg != End) {
    P->addRange(*Beg);
    ++Beg;
  }

  return P;
}
1264
/// getRanges - Expose the report's source ranges as a [beg, end) pointer
/// pair. When the report's statement is an expression the pair covers the
/// single member range R, which is overwritten here; otherwise both
/// pointers are set to null.
void BugReport::getRanges(const SourceRange*& beg, const SourceRange*& end) {
  const Expr* E = dyn_cast_or_null<Expr>(getStmt());
  if (!E) {
    beg = end = 0;
    return;
  }

  // The returned pointers refer to the member R, so they are only usable
  // while this report is alive and R has not been overwritten again.
  R = E->getSourceRange();
  assert(R.isValid());
  beg = &R;
  end = beg+1;
}
1275
/// getLocation - Return the source location to report the bug at, or a
/// default-constructed FullSourceLoc when there is no end node or no
/// statement can be found for it.
SourceLocation BugReport::getLocation() const {
  if (!EndNode)
    return FullSourceLoc();

  const Stmt* S = GetCurrentOrPreviousStmt(EndNode);
  if (!S)
    return FullSourceLoc();

  // For member expressions, return the location of the '.' or '->'.
  if (const MemberExpr *ME = dyn_cast<MemberExpr>(S))
    return ME->getMemberLoc();

  // For binary operators, return the location of the operator.
  if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S))
    return B->getOperatorLoc();

  return S->getLocStart();
}
1291
/// VisitNode - Default implementation: contributes no piece for any node
/// pair and always returns NULL.
PathDiagnosticPiece* BugReport::VisitNode(const ExplodedNode* N,
                                          const ExplodedNode* PrevN,
                                          BugReporterContext &BRC) {
  return NULL;
}
1297
1298//===----------------------------------------------------------------------===//
1299// Methods for BugReporter and subclasses.
1300//===----------------------------------------------------------------------===//
1301
/// Delete every BugReport stored in this equivalence class; the class owns
/// the reports added to it.
BugReportEquivClass::~BugReportEquivClass() {
  iterator I = begin(), E = end();
  while (I != E) {
    delete *I;
    ++I;
  }
}
1305
// Out-of-line destructors with empty bodies.
GRBugReporter::~GRBugReporter() { }
BugReporterData::~BugReporterData() {}
1308
/// getGraph - Return the exploded graph of the engine (Eng) this reporter
/// is attached to.
ExplodedGraph &GRBugReporter::getGraph() { return Eng.getGraph(); }
1310
/// getStateManager - Return the state manager of the engine (Eng) this
/// reporter is attached to.
GRStateManager&
GRBugReporter::getStateManager() { return Eng.getStateManager(); }
1313
/// Flush any reports still queued when the reporter is destroyed.
/// FlushReports() also deletes the registered BugType objects.
BugReporter::~BugReporter() { FlushReports(); }
1315
/// FlushReports - Emit every queued report, then delete all registered
/// BugType objects and clear the BugTypes set.
void BugReporter::FlushReports() {
  if (BugTypes.isEmpty())
    return;

  typedef llvm::FoldingSet<BugReportEquivClass> SetTy;

  // Pass 1: let each BugType flush its own warnings. This may create new
  // warnings and new BugTypes. Because ImmutableSet is a functional data
  // structure, the iterators below cannot be invalidated by that.
  for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I)
    const_cast<BugType*>(*I)->FlushReports(*this);

  // Pass 2: BugTypes may have been updated with new BugType objects and new
  // warnings, so iterate over it again from the start.
  for (BugTypesTy::iterator I=BugTypes.begin(), E=BugTypes.end(); I!=E; ++I) {
    BugType *BT = const_cast<BugType*>(*I);
    SetTy& EQClasses = BT->EQClasses;

    for (SetTy::iterator EI=EQClasses.begin(), EE=EQClasses.end(); EI!=EE;++EI)
      FlushReport(*EI);

    // Delete the BugType object. The set still holds the stale pointer
    // until it is reset below, so nothing may dereference BugTypes entries
    // in between.
    delete BT;
  }

  // Remove all references to the BugType objects.
  BugTypes = F.GetEmptySet();
}
1346
1347//===----------------------------------------------------------------------===//
1348// PathDiagnostics generation.
1349//===----------------------------------------------------------------------===//
1350
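/// MakeReportGraph - Reduce the exploded graph G to a single path from a
/// root to one of the error nodes in [NStart, NEnd).
///
/// \param G       The full exploded graph.
/// \param NStart  First element of the array of error nodes.
/// \param NEnd    One past the last element of that array.
/// \returns ((GNew, BM), (First, NodeIndex)) where GNew is the single-path
///          graph, BM maps nodes of GNew back to nodes of G, First is the
///          error node in GNew, and NodeIndex is the position in
///          [NStart, NEnd) of the error node the path ends at. GNew and BM
///          are allocated with 'new' here and returned as raw pointers; the
///          caller is responsible for releasing them.
///
/// The internal invariants are checked with assert() only, so they are not
/// enforced in builds that define NDEBUG.
static std::pair<std::pair<ExplodedGraph*, NodeBackMap*>,
                 std::pair<ExplodedNode*, unsigned> >
MakeReportGraph(const ExplodedGraph* G,
                const ExplodedNode** NStart,
                const ExplodedNode** NEnd) {

  // Create the trimmed graph.  It will contain the shortest paths from the
  // error nodes to the root.  In the new graph we should only have one
  // error node unless there are two or more error nodes with the same minimum
  // path length.
  ExplodedGraph* GTrim;
  InterExplodedGraphMap* NMap;

  llvm::DenseMap<const void*, const void*> InverseMap;
  llvm::tie(GTrim, NMap) = G->Trim(NStart, NEnd, &InverseMap);

  // Create owning pointers for GTrim and NMap just to ensure that they are
  // released when this function exits.
  llvm::OwningPtr<ExplodedGraph> AutoReleaseGTrim(GTrim);
  llvm::OwningPtr<InterExplodedGraphMap> AutoReleaseNMap(NMap);

  // Find the (first) error node in the trimmed graph.  We just need to consult
  // the node map (NMap) which maps from nodes in the original graph to nodes
  // in the new graph.

  std::queue<const ExplodedNode*> WS;
  typedef llvm::DenseMap<const ExplodedNode*, unsigned> IndexMapTy;
  IndexMapTy IndexMap;

  for (const ExplodedNode** I = NStart; I != NEnd; ++I)
    if (const ExplodedNode *N = NMap->getMappedNode(*I)) {
      // Pointer subtraction already yields an element count. Dividing it by
      // sizeof(*I) again collapsed every index below sizeof(*I) to 0, so the
      // caller would pick the wrong report for the generated path.
      unsigned NodeIndex = static_cast<unsigned>(I - NStart);
      WS.push(N);
      IndexMap[*I] = NodeIndex;
    }

  assert(!WS.empty() && "No error node found in the trimmed graph.");

  // Create a new (third!) graph with a single path.  This is the graph
  // that will be returned to the caller.
  ExplodedGraph *GNew = new ExplodedGraph(GTrim->getContext());

  // Sometimes the trimmed graph can contain a cycle.  Perform a reverse BFS
  // to the root node, and then construct a new graph that contains only
  // a single path.
  llvm::DenseMap<const void*,unsigned> Visited;

  unsigned cnt = 0;
  const ExplodedNode* Root = 0;

  while (!WS.empty()) {
    const ExplodedNode* Node = WS.front();
    WS.pop();

    if (Visited.find(Node) != Visited.end())
      continue;

    Visited[Node] = cnt++;

    // The first node without predecessors that the BFS reaches is the root.
    if (Node->pred_empty()) {
      Root = Node;
      break;
    }

    for (ExplodedNode::const_pred_iterator I=Node->pred_begin(),
         E=Node->pred_end(); I!=E; ++I)
      WS.push(*I);
  }

  assert(Root);

  // Now walk from the root down the BFS path, always taking the successor
  // with the lowest number.
  ExplodedNode *Last = 0, *First = 0;
  NodeBackMap *BM = new NodeBackMap();
  unsigned NodeIndex = 0;

  for ( const ExplodedNode *N = Root ;;) {
    // Lookup the number associated with the current node.
    llvm::DenseMap<const void*,unsigned>::iterator I = Visited.find(N);
    assert(I != Visited.end());

    // Create the equivalent node in the new graph with the same state
    // and location.
    ExplodedNode* NewN = GNew->getNode(N->getLocation(), N->getState());

    // Store the mapping to the original node.
    llvm::DenseMap<const void*, const void*>::iterator IMitr=InverseMap.find(N);
    assert(IMitr != InverseMap.end() && "No mapping to original node.");
    (*BM)[NewN] = (const ExplodedNode*) IMitr->second;

    // Link up the new node with the previous node.
    if (Last)
      NewN->addPredecessor(Last, *GNew);

    Last = NewN;

    // Are we at the final node?  IndexMap is keyed by nodes of the original
    // graph, which is what InverseMap yields.
    IndexMapTy::iterator IMI =
      IndexMap.find((const ExplodedNode*)(IMitr->second));
    if (IMI != IndexMap.end()) {
      First = NewN;
      NodeIndex = IMI->second;
      break;
    }

    // Find the next successor node.  We choose the visited successor that
    // carries the lowest visit number.
    ExplodedNode::const_succ_iterator SI = N->succ_begin();
    ExplodedNode::const_succ_iterator SE = N->succ_end();
    N = 0;

    for (unsigned MinVal = 0; SI != SE; ++SI) {

      I = Visited.find(*SI);

      if (I == Visited.end())
        continue;

      if (!N || I->second < MinVal) {
        N = *SI;
        MinVal = I->second;
      }
    }

    assert(N);
  }

  assert(First);

  return std::make_pair(std::make_pair(GNew, BM),
                        std::make_pair(First, NodeIndex));
}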
1484
/// CompactPathDiagnostic - This function postprocesses a PathDiagnostic object
///  and collapses PathDiagnosticPieces that are expanded by macros.
///
/// Pieces located in a file are kept as they are; pieces located in a macro
/// are grouped under PathDiagnosticMacroPiece objects keyed by their
/// instantiation location. PD is then rebuilt from the resulting top-level
/// pieces, and macro groups that contain no event are deleted.
static void CompactPathDiagnostic(PathDiagnostic &PD, const SourceManager& SM) {
  // Stack of the macro groups currently open, each paired with the
  // instantiation location it was created for.
  typedef std::vector<std::pair<PathDiagnosticMacroPiece*, SourceLocation> >
          MacroStackTy;

  typedef std::vector<PathDiagnosticPiece*>
          PiecesTy;

  MacroStackTy MacroStack;
  PiecesTy Pieces;  // Top-level pieces of the rebuilt diagnostic, in order.

  for (PathDiagnostic::iterator I = PD.begin(), E = PD.end(); I!=E; ++I) {
    // Get the location of the PathDiagnosticPiece.
    const FullSourceLoc Loc = I->getLocation().asLocation();

    // Determine the instantiation location, which is the location we group
    // related PathDiagnosticPieces.
    SourceLocation InstantiationLoc = Loc.isMacroID() ?
                                      SM.getInstantiationLoc(Loc) :
                                      SourceLocation();

    // A piece in ordinary file text closes every open macro group.
    if (Loc.isFileID()) {
      MacroStack.clear();
      Pieces.push_back(&*I);
      continue;
    }

    assert(Loc.isMacroID());

    // Is the PathDiagnosticPiece within the same macro group?
    if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) {
      MacroStack.back().first->push_back(&*I);
      continue;
    }

    // We aren't in the same group.  Are we descending into a new macro
    // or are part of an old one?
    PathDiagnosticMacroPiece *MacroGroup = 0;

    // NOTE(review): this passes Loc, not InstantiationLoc, so when it is
    // set it holds the same value as InstantiationLoc -- confirm that this
    // is the intended "parent" location.
    SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ?
                                          SM.getInstantiationLoc(Loc) :
                                          SourceLocation();

    // Walk the entire macro stack.
    while (!MacroStack.empty()) {
      if (InstantiationLoc == MacroStack.back().second) {
        MacroGroup = MacroStack.back().first;
        break;
      }

      if (ParentInstantiationLoc == MacroStack.back().second) {
        MacroGroup = MacroStack.back().first;
        break;
      }

      MacroStack.pop_back();
    }

    // MacroStack.back() is only evaluated when MacroGroup is non-null, and
    // the walk above leaves the stack non-empty whenever it sets MacroGroup.
    if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) {
      // Create a new macro group and add it to the stack.
      PathDiagnosticMacroPiece *NewGroup = new PathDiagnosticMacroPiece(Loc);

      if (MacroGroup)
        MacroGroup->push_back(NewGroup);
      else {
        assert(InstantiationLoc.isFileID());
        Pieces.push_back(NewGroup);
      }

      MacroGroup = NewGroup;
      MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc));
    }

    // Finally, add the PathDiagnosticPiece to the group.
    MacroGroup->push_back(&*I);
  }

  // Now take the pieces and construct a new PathDiagnostic.
  // NOTE(review): resetPath(false) presumably empties PD without deleting
  // the pieces, which are still referenced from Pieces and the macro
  // groups -- confirm in PathDiagnostic.
  PD.resetPath(false);

  for (PiecesTy::iterator I=Pieces.begin(), E=Pieces.end(); I!=E; ++I) {
    // Drop top-level macro groups that hold no event.
    if (PathDiagnosticMacroPiece *MP=dyn_cast<PathDiagnosticMacroPiece>(*I))
      if (!MP->containsEvent()) {
        delete MP;
        continue;
      }

    PD.push_back(*I);
  }
}
1576
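/// GeneratePathDiagnostic - Fill PD with the path for one report of the
/// equivalence class EQ.
///
/// A single-path graph is built from the end nodes of the reports in EQ,
/// the report that path ends at is looked up, and the path is then
/// generated with the scheme requested by the diagnostic client. PD is left
/// untouched when no report has an end node or when the chosen report
/// yields no end-of-path piece.
void GRBugReporter::GeneratePathDiagnostic(PathDiagnostic& PD,
                                           BugReportEquivClass& EQ) {

  std::vector<const ExplodedNode*> Nodes;

  for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) {
    const ExplodedNode* N = I->getEndNode();
    if (N) Nodes.push_back(N);
  }

  if (Nodes.empty())
    return;

  // Construct a new graph that contains only a single path from the error
  // node to a root.
  const std::pair<std::pair<ExplodedGraph*, NodeBackMap*>,
                  std::pair<ExplodedNode*, unsigned> >&
    GPair = MakeReportGraph(&getGraph(), &Nodes[0], &Nodes[0] + Nodes.size());

  // Take ownership of the returned graph and back map right away so that
  // they are released on every exit path below.
  llvm::OwningPtr<ExplodedGraph> ReportGraph(GPair.first.first);
  llvm::OwningPtr<NodeBackMap> BackMap(GPair.first.second);
  const ExplodedNode *N = GPair.second.first;

  // Find the BugReport with the original location.  The index returned by
  // MakeReportGraph refers to 'Nodes', which holds only the reports that
  // have an end node, so reports without one must not be counted here.
  BugReport *R = 0;
  unsigned i = 0;
  for (BugReportEquivClass::iterator I=EQ.begin(), E=EQ.end(); I!=E; ++I) {
    if (!I->getEndNode())
      continue;
    if (i == GPair.second.second) { R = *I; break; }
    ++i;
  }

  assert(R && "No original report found for sliced graph.");

  // The assert above is compiled out under NDEBUG; do not dereference a
  // null report in that configuration.
  if (!R)
    return;

  // Start building the path diagnostic...
  PathDiagnosticBuilder PDB(*this, R, BackMap.get(), getPathDiagnosticClient());

  if (PathDiagnosticPiece* Piece = R->getEndPath(PDB, N))
    PD.push_back(Piece);
  else
    return;

  R->registerInitialVisitors(PDB, N);

  switch (PDB.getGenerationScheme()) {
    case PathDiagnosticClient::Extensive:
      GenerateExtensivePathDiagnostic(PD, PDB, N);
      break;
    case PathDiagnosticClient::Minimal:
      GenerateMinimalPathDiagnostic(PD, PDB, N);
      break;
  }
}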
1627
/// Register - Add BT to the set of bug types tracked by this reporter.
/// FlushReports() deletes every BugType in that set, so a registered
/// BugType must not be freed by anyone else.
void BugReporter::Register(BugType *BT) {
  BugTypes = F.Add(BugTypes, BT);
}
1631
/// EmitReport - Queue R for emission. The report's bug type is registered
/// with this reporter and R is stored in the equivalence class that matches
/// its profile, which is created when it does not exist yet. The
/// equivalence class deletes its reports when it is destroyed, so the
/// caller gives up ownership of R.
void BugReporter::EmitReport(BugReport* R) {
  // Compute the bug report's hash to determine its equivalence class.
  llvm::FoldingSetNodeID ID;
  R->Profile(ID);

  BugType& BT = R->getBugType();
  Register(&BT);

  // Look up the equivalence class for this profile.
  void *InsertPos;
  BugReportEquivClass* EQ = BT.EQClasses.FindNodeOrInsertPos(ID, InsertPos);

  if (EQ) {
    EQ->AddReport(R);
    return;
  }

  // There isn't one yet: create it with R as its first report.
  BT.EQClasses.InsertNode(new BugReportEquivClass(R), InsertPos);
}
1650
1651
1652//===----------------------------------------------------------------------===//
1653// Emitting reports in equivalence classes.
1654//===----------------------------------------------------------------------===//
1655
namespace {
/// Worklist entry for the DFS in FindReportInEquivalenceClass: a node plus
/// the current position in, and the end of, its successor list.
struct FRIEC_WLItem {
  const ExplodedNode *N;
  ExplodedNode::const_succ_iterator I, E;

  // Deliberately not 'explicit': the worklist is filled with
  // push_back(node), which relies on this implicit conversion. 'n' must be
  // non-null.
  FRIEC_WLItem(const ExplodedNode *n)
    : N(n), I(n->succ_begin()), E(n->succ_end()) {}
};
}
1665
/// FindReportInEquivalenceClass - Pick the report of EQ that should be
/// emitted.
///
/// \returns The first report when the bug type is not suppressed on sinks.
///          Otherwise the first report whose end node can reach an
///          end-of-path node that is not a sink, or NULL when every report
///          with an end node is post-dominated by a sink.
/// EQ must contain at least one report (checked with assert only).
static BugReport *FindReportInEquivalenceClass(BugReportEquivClass& EQ) {
  BugReportEquivClass::iterator I = EQ.begin(), E = EQ.end();
  assert(I != E);
  BugReport *R = *I;
  BugType& BT = R->getBugType();

  if (!BT.isSuppressOnSink())
    return R;

  // For bug reports that should be suppressed when all paths are post-dominated
  // by a sink node, iterate through the reports in the equivalence class
  // until we find one that isn't post-dominated (if one exists).  We use a
  // DFS traversal of the ExplodedGraph to find a non-sink node.  We could write
  // this as a recursive function, but we don't want to risk blowing out the
  // stack for very long paths.
  for (; I != E; ++I) {
    R = *I;
    const ExplodedNode *N = R->getEndNode();

    // Reports without an end node cannot be examined; skip them.
    if (!N)
      continue;

    if (N->isSink()) {
      assert(false &&
           "BugType::isSuppressSink() should not be 'true' for sink end nodes");
      return R;
    }

    if (N->succ_empty())
      return R;

    // At this point we know that 'N' is not a sink and it has at least one
    // successor.  Use a DFS worklist to find a non-sink end-of-path node.
    typedef FRIEC_WLItem WLItem;
    typedef llvm::SmallVector<WLItem, 10> DFSWorkList;
    llvm::DenseMap<const ExplodedNode *, unsigned> Visited;

    DFSWorkList WL;
    WL.push_back(N);
    Visited[N] = 1;

    while (!WL.empty()) {
      // NOTE(review): 'WI' refers into WL. After the push_back below it is
      // only used for the address comparison after the inner loop; it must
      // not be read through once the vector may have reallocated.
      WLItem &WI = WL.back();
      assert(!WI.N->succ_empty());

      for (; WI.I != WI.E; ++WI.I) {
        const ExplodedNode *Succ = *WI.I;
        // End-of-path node?
        if (Succ->succ_empty()) {
          // If we found an end-of-path node that is not a sink, then return
          // this report.
          if (!Succ->isSink())
            return R;

          // Found a sink?  Continue on to the next successor.
          continue;
        }

        // Mark the successor as visited.  If it hasn't been explored,
        // enqueue it to the DFS worklist.
        unsigned &mark = Visited[Succ];
        if (!mark) {
          mark = 1;
          WL.push_back(Succ);
          break;
        }
      }

      // Nothing new was pushed, so this item's successors are exhausted.
      if (&WL.back() == &WI)
        WL.pop_back();
    }
  }

  // If we reach here, the end nodes for all reports in the equivalence
  // class are post-dominated by a sink node.
  return NULL;
}
1743
1744
1745//===----------------------------------------------------------------------===//
1746// DiagnosticCache. This is a hack to cache analyzer diagnostics. It
1747// uses global state, which eventually should go elsewhere.
1748//===----------------------------------------------------------------------===//
namespace {
/// DiagCacheItem - Folding-set node identifying one emitted diagnostic by
/// bug type name, category, description, raw location encoding and the
/// profile of its path.
class DiagCacheItem : public llvm::FoldingSetNode {
  llvm::FoldingSetNodeID ID;
public:
  /// Compute the identifying profile from R and PD. The order of the
  /// additions is part of the profile and must not change.
  DiagCacheItem(BugReport *R, PathDiagnostic *PD) {
    BugType &BT = R->getBugType();
    ID.AddString(BT.getName());
    ID.AddString(BT.getCategory());
    ID.AddString(R->getDescription());
    ID.AddInteger(R->getLocation().getRawEncoding());
    PD->Profile(ID);
  }

  /// Copy the precomputed profile into \p id.
  void Profile(llvm::FoldingSetNodeID &id) {
    id = ID;
  }

  /// Access the precomputed profile.
  llvm::FoldingSetNodeID &getID() { return ID; }
};
}
1768
/// IsCachedDiagnostic - Return true when a diagnostic with the same profile
/// as (R, PD) has been seen before; otherwise record it and return false.
static bool IsCachedDiagnostic(BugReport *R, PathDiagnostic *PD) {
  // FIXME: Eventually this diagnostic cache should reside in something
  // like AnalysisManager instead of being a static variable.  This is
  // really unsafe in the long term.
  // The cache is shared by every caller in the process, is accessed without
  // any locking, and its entries are never removed.
  typedef llvm::FoldingSet<DiagCacheItem> DiagnosticCache;
  static DiagnosticCache DC;

  DiagCacheItem *Item = new DiagCacheItem(R, PD);
  void *InsertPos;
  const bool AlreadySeen = DC.FindNodeOrInsertPos(Item->getID(), InsertPos) != 0;

  if (AlreadySeen)
    delete Item;                    // Duplicate: the probe item is not kept.
  else
    DC.InsertNode(Item, InsertPos); // New: the cache keeps the item.

  return AlreadySeen;
}
1787
/// FlushReport - Emit the diagnostics for one equivalence class.
///
/// A representative report is chosen, its path diagnostic is generated, and
/// unless an identical diagnostic was already emitted a summary warning is
/// sent to the regular Diagnostic engine. When a PathDiagnosticClient is
/// installed, the full path diagnostic is handed over to it as well.
void BugReporter::FlushReport(BugReportEquivClass& EQ) {
  BugReport *R = FindReportInEquivalenceClass(EQ);

  // NULL means every report in the class is suppressed.
  if (!R)
    return;

  PathDiagnosticClient* PD = getPathDiagnosticClient();

  // FIXME: Make sure we use the 'R' for the path that was actually used.
  // Probably doesn't make a difference in practice.
  BugType& BT = R->getBugType();

  // The verbose description is used when there is no client or the client
  // asks for it; otherwise the short one.
  llvm::OwningPtr<PathDiagnostic>
    D(new PathDiagnostic(R->getBugType().getName(),
                         !PD || PD->useVerboseDescription()
                         ? R->getDescription() : R->getShortDescription(),
                         BT.getCategory()));

  GeneratePathDiagnostic(*D.get(), EQ);

  // Duplicate of an already emitted diagnostic: D is released by OwningPtr.
  if (IsCachedDiagnostic(R, D.get()))
    return;

  // Get the meta data.
  std::pair<const char**, const char**> Meta = R->getExtraDescriptiveText();
  for (const char** s = Meta.first; s != Meta.second; ++s)
    D->addMeta(*s);

  // Emit a summary diagnostic to the regular Diagnostics engine.
  const SourceRange *Beg = 0, *End = 0;
  R->getRanges(Beg, End);
  Diagnostic& Diag = getDiagnostic();
  FullSourceLoc L(R->getLocation(), getSourceManager());

  // Search the description for '%', as that will be interpreted as a
  // format character by FormatDiagnostics.  Every '%' is doubled so that
  // text coming from a checker can never act as a format directive.
  llvm::StringRef desc = R->getShortDescription();
  unsigned ErrorDiag;
  {
    llvm::SmallString<512> TmpStr;
    llvm::raw_svector_ostream Out(TmpStr);
    for (llvm::StringRef::iterator I=desc.begin(), E=desc.end(); I!=E; ++I)
      if (*I == '%')
        Out << "%%";
      else
        Out << *I;

    Out.flush();
    ErrorDiag = Diag.getCustomDiagID(Diagnostic::Warning, TmpStr);
  }

  // At most three ranges are attached.  With more than three the assert
  // fires; in builds where assert is compiled out, control falls through to
  // 'case 0' and the warning is reported without any range.
  switch (End-Beg) {
    default: assert(0 && "Don't handle this many ranges yet!");
    case 0: Diag.Report(L, ErrorDiag); break;
    case 1: Diag.Report(L, ErrorDiag) << Beg[0]; break;
    case 2: Diag.Report(L, ErrorDiag) << Beg[0] << Beg[1]; break;
    case 3: Diag.Report(L, ErrorDiag) << Beg[0] << Beg[1] << Beg[2]; break;
  }

  // Emit a full diagnostic for the path if we have a PathDiagnosticClient.
  if (!PD)
    return;

  // No path was generated: synthesize a single event piece at the report
  // location so that the client still receives something to show.
  if (D->empty()) {
    PathDiagnosticPiece* piece =
      new PathDiagnosticEventPiece(L, R->getDescription());

    for ( ; Beg != End; ++Beg) piece->addRange(*Beg);
    D->push_back(piece);
  }

  // take() releases ownership from the OwningPtr; the raw pointer is handed
  // to the client.
  PD->HandlePathDiagnostic(D.take());
}
1861
/// EmitBasicReport - Convenience overload that emits a report with an
/// empty category; see the overload taking a category.
void BugReporter::EmitBasicReport(llvm::StringRef name, llvm::StringRef str,
                                  SourceLocation Loc,
                                  SourceRange* RBeg, unsigned NumRanges) {
  EmitBasicReport(name, "", str, Loc, RBeg, NumRanges);
}
1867
/// EmitBasicReport - Create a one-off bug type and a report at Loc, attach
/// the given source ranges and queue the report for emission.
///
/// \param name       Name of the bug type to create.
/// \param category   Category of the bug type.
/// \param str        Description passed to the report.
/// \param Loc        Location of the report.
/// \param RBeg       First of NumRanges consecutive source ranges; it is
///                   only read when NumRanges is non-zero.
/// \param NumRanges  Number of ranges starting at RBeg. The caller must
///                   make sure that many elements are readable.
void BugReporter::EmitBasicReport(llvm::StringRef name,
                                  llvm::StringRef category,
                                  llvm::StringRef str, SourceLocation Loc,
                                  SourceRange* RBeg, unsigned NumRanges) {

  // 'BT' will be owned by BugReporter as soon as we call 'EmitReport'.
  BugType *BT = new BugType(name, category);
  FullSourceLoc L = getContext().getFullLoc(Loc);
  RangedBugReport *R = new DiagBugReport(*BT, str, L);

  for (unsigned Idx = 0; Idx != NumRanges; ++Idx)
    R->addRange(RBeg[Idx]);

  EmitReport(R);
}