1 // BugReporterVisitors.cpp - Helpers for reporting bugs -----------*- C++ -*--//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file defines a set of BugReporter "visitors" which can be used to
11 // enhance the diagnostics reported for a bug.
13 //===----------------------------------------------------------------------===//
14 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitor.h"
16 #include "clang/AST/Expr.h"
17 #include "clang/AST/ExprObjC.h"
18 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
19 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
20 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
21 #include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
22 #include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
23 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
24 #include "clang/StaticAnalyzer/Core/PathSensitive/CallEvent.h"
25 #include "llvm/ADT/SmallString.h"
26 #include "llvm/ADT/StringExtras.h"
28 using namespace clang;
31 //===----------------------------------------------------------------------===//
33 //===----------------------------------------------------------------------===//
35 bool bugreporter::isDeclRefExprToReference(const Expr *E) {
36 if (const DeclRefExpr *DRE = dyn_cast<DeclRefExpr>(E)) {
37 return DRE->getDecl()->getType()->isReferenceType();
42 const Stmt *bugreporter::GetDerefExpr(const ExplodedNode *N) {
43 // Pattern match for a few useful cases (do something smarter later):
45 const PostStmt *Loc = N->getLocationAs<PostStmt>();
49 const Expr *S = dyn_cast<Expr>(Loc->getStmt());
52 S = S->IgnoreParenCasts();
55 if (const BinaryOperator *B = dyn_cast<BinaryOperator>(S)) {
56 assert(B->isAssignmentOp());
57 S = B->getLHS()->IgnoreParenCasts();
60 else if (const UnaryOperator *U = dyn_cast<UnaryOperator>(S)) {
61 if (U->getOpcode() == UO_Deref)
62 return U->getSubExpr()->IgnoreParenCasts();
64 else if (const MemberExpr *ME = dyn_cast<MemberExpr>(S)) {
65 if (ME->isArrow() || isDeclRefExprToReference(ME->getBase())) {
66 return ME->getBase()->IgnoreParenCasts();
69 else if (const ObjCIvarRefExpr *IvarRef = dyn_cast<ObjCIvarRefExpr>(S)) {
70 return IvarRef->getBase()->IgnoreParenCasts();
72 else if (const ArraySubscriptExpr *AE = dyn_cast<ArraySubscriptExpr>(S)) {
81 const Stmt *bugreporter::GetDenomExpr(const ExplodedNode *N) {
82 const Stmt *S = N->getLocationAs<PreStmt>()->getStmt();
83 if (const BinaryOperator *BE = dyn_cast<BinaryOperator>(S))
88 const Stmt *bugreporter::GetRetValExpr(const ExplodedNode *N) {
89 const Stmt *S = N->getLocationAs<PostStmt>()->getStmt();
90 if (const ReturnStmt *RS = dyn_cast<ReturnStmt>(S))
91 return RS->getRetValue();
95 //===----------------------------------------------------------------------===//
96 // Definitions for bug reporter visitors.
97 //===----------------------------------------------------------------------===//
100 BugReporterVisitor::getEndPath(BugReporterContext &BRC,
101 const ExplodedNode *EndPathNode,
107 BugReporterVisitor::getDefaultEndPath(BugReporterContext &BRC,
108 const ExplodedNode *EndPathNode,
110 PathDiagnosticLocation L =
111 PathDiagnosticLocation::createEndOfPath(EndPathNode,BRC.getSourceManager());
113 BugReport::ranges_iterator Beg, End;
114 llvm::tie(Beg, End) = BR.getRanges();
116 // Only add the statement itself as a range if we didn't specify any
117 // special ranges for this report.
118 PathDiagnosticPiece *P = new PathDiagnosticEventPiece(L,
121 for (; Beg != End; ++Beg)
129 /// Emits an extra note at the return statement of an interesting stack frame.
131 /// The returned value is marked as an interesting value, and if it's null,
132 /// adds a visitor to track where it became null.
134 /// This visitor is intended to be used when another visitor discovers that an
135 /// interesting value comes from an inlined function call.
136 class ReturnVisitor : public BugReporterVisitorImpl<ReturnVisitor> {
137 const StackFrameContext *StackFrame;
145 ReturnVisitor(const StackFrameContext *Frame)
146 : StackFrame(Frame), Mode(Initial) {}
148 static void *getTag() {
150 return static_cast<void *>(&Tag);
153 virtual void Profile(llvm::FoldingSetNodeID &ID) const {
154 ID.AddPointer(ReturnVisitor::getTag());
155 ID.AddPointer(StackFrame);
158 /// Adds a ReturnVisitor if the given statement represents a call that was
161 /// This will search back through the ExplodedGraph, starting from the given
162 /// node, looking for when the given statement was processed. If it turns out
163 /// the statement is a call that was inlined, we add the visitor to the
164 /// bug report, so it can print a note later.
165 static void addVisitorIfNecessary(const ExplodedNode *Node, const Stmt *S,
167 if (!CallEvent::isCallStmt(S))
170 // First, find when we processed the statement.
172 if (const CallExitEnd *CEE = Node->getLocationAs<CallExitEnd>())
173 if (CEE->getCalleeContext()->getCallSite() == S)
175 if (const StmtPoint *SP = Node->getLocationAs<StmtPoint>())
176 if (SP->getStmt() == S)
179 Node = Node->getFirstPred();
182 // Next, step over any post-statement checks.
183 while (Node && isa<PostStmt>(Node->getLocation()))
184 Node = Node->getFirstPred();
186 // Finally, see if we inlined the call.
188 if (const CallExitEnd *CEE = Node->getLocationAs<CallExitEnd>()) {
189 const StackFrameContext *CalleeContext = CEE->getCalleeContext();
190 if (CalleeContext->getCallSite() == S) {
191 BR.markInteresting(CalleeContext);
192 BR.addVisitor(new ReturnVisitor(CalleeContext));
198 /// Returns true if any counter-suppression heuristics are enabled for
200 static bool hasCounterSuppression(AnalyzerOptions &Options) {
201 return Options.shouldAvoidSuppressingNullArgumentPaths();
204 PathDiagnosticPiece *visitNodeInitial(const ExplodedNode *N,
205 const ExplodedNode *PrevN,
206 BugReporterContext &BRC,
208 // Only print a message at the interesting return statement.
209 if (N->getLocationContext() != StackFrame)
212 const StmtPoint *SP = N->getLocationAs<StmtPoint>();
216 const ReturnStmt *Ret = dyn_cast<ReturnStmt>(SP->getStmt());
220 // Okay, we're at the right return statement, but do we have the return
222 ProgramStateRef State = N->getState();
223 SVal V = State->getSVal(Ret, StackFrame);
224 if (V.isUnknownOrUndef())
227 // Don't print any more notes after this one.
230 const Expr *RetE = Ret->getRetValue();
231 assert(RetE && "Tracking a return value for a void function");
232 RetE = RetE->IgnoreParenCasts();
234 // If we can't prove the return value is 0, just mark it interesting, and
235 // make sure to track it into any further inner functions.
236 if (State->assume(cast<DefinedSVal>(V), true)) {
237 BR.markInteresting(V);
238 ReturnVisitor::addVisitorIfNecessary(N, RetE, BR);
242 // If we're returning 0, we should track where that 0 came from.
243 bugreporter::trackNullOrUndefValue(N, RetE, BR);
245 // Build an appropriate message based on the return value.
247 llvm::raw_svector_ostream Out(Msg);
250 // If we are pruning null-return paths as unlikely error paths, mark the
251 // report invalid. We still want to emit a path note, however, in case
252 // the report is resurrected as valid later on.
253 ExprEngine &Eng = BRC.getBugReporter().getEngine();
254 AnalyzerOptions &Options = Eng.getAnalysisManager().options;
255 if (Options.shouldPruneNullReturnPaths()) {
256 if (hasCounterSuppression(Options))
257 Mode = MaybeSuppress;
259 BR.markInvalid(ReturnVisitor::getTag(), StackFrame);
262 if (RetE->getType()->isObjCObjectPointerType())
263 Out << "Returning nil";
265 Out << "Returning null pointer";
267 Out << "Returning zero";
270 // FIXME: We should have a more generalized location printing mechanism.
271 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(RetE))
272 if (const DeclaratorDecl *DD = dyn_cast<DeclaratorDecl>(DR->getDecl()))
273 Out << " (loaded from '" << *DD << "')";
275 PathDiagnosticLocation L(Ret, BRC.getSourceManager(), StackFrame);
276 return new PathDiagnosticEventPiece(L, Out.str());
279 PathDiagnosticPiece *visitNodeMaybeSuppress(const ExplodedNode *N,
280 const ExplodedNode *PrevN,
281 BugReporterContext &BRC,
283 // Are we at the entry node for this call?
284 const CallEnter *CE = N->getLocationAs<CallEnter>();
288 if (CE->getCalleeContext() != StackFrame)
293 ExprEngine &Eng = BRC.getBugReporter().getEngine();
294 AnalyzerOptions &Options = Eng.getAnalysisManager().options;
295 if (Options.shouldAvoidSuppressingNullArgumentPaths()) {
296 // Don't automatically suppress a report if one of the arguments is
297 // known to be a null pointer. Instead, start tracking /that/ null
298 // value back to its origin.
299 ProgramStateManager &StateMgr = BRC.getStateManager();
300 CallEventManager &CallMgr = StateMgr.getCallEventManager();
302 ProgramStateRef State = N->getState();
303 CallEventRef<> Call = CallMgr.getCaller(StackFrame, State);
304 for (unsigned I = 0, E = Call->getNumArgs(); I != E; ++I) {
305 SVal ArgV = Call->getArgSVal(I);
309 const Expr *ArgE = Call->getArgExpr(I);
313 // Is it possible for this argument to be non-null?
314 if (State->assume(cast<Loc>(ArgV), true))
317 if (bugreporter::trackNullOrUndefValue(N, ArgE, BR, /*IsArg=*/true))
320 // If we /can't/ track the null pointer, we should err on the side of
321 // false negatives, and continue towards marking this report invalid.
322 // (We will still look at the other arguments, though.)
326 // There is no reason not to suppress this report; go ahead and do it.
327 BR.markInvalid(ReturnVisitor::getTag(), StackFrame);
331 PathDiagnosticPiece *VisitNode(const ExplodedNode *N,
332 const ExplodedNode *PrevN,
333 BugReporterContext &BRC,
337 return visitNodeInitial(N, PrevN, BRC, BR);
339 return visitNodeMaybeSuppress(N, PrevN, BRC, BR);
344 llvm_unreachable("Invalid visit mode!");
347 } // end anonymous namespace
350 void FindLastStoreBRVisitor ::Profile(llvm::FoldingSetNodeID &ID) const {
357 PathDiagnosticPiece *FindLastStoreBRVisitor::VisitNode(const ExplodedNode *Succ,
358 const ExplodedNode *Pred,
359 BugReporterContext &BRC,
365 const ExplodedNode *StoreSite = 0;
366 const Expr *InitE = 0;
367 bool IsParam = false;
369 // First see if we reached the declaration of the region.
370 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
371 if (const PostStmt *P = Pred->getLocationAs<PostStmt>()) {
372 if (const DeclStmt *DS = P->getStmtAs<DeclStmt>()) {
373 if (DS->getSingleDecl() == VR->getDecl()) {
375 InitE = VR->getDecl()->getInit();
381 // Otherwise, check that Succ has this binding and Pred does not, i.e. this is
382 // where the binding first occurred.
384 if (Succ->getState()->getSVal(R) != V)
386 if (Pred->getState()->getSVal(R) == V)
391 // If this is an assignment expression, we can track the value
393 if (const PostStmt *P = Succ->getLocationAs<PostStmt>())
394 if (const BinaryOperator *BO = P->getStmtAs<BinaryOperator>())
395 if (BO->isAssignmentOp())
396 InitE = BO->getRHS();
398 // If this is a call entry, the variable should be a parameter.
399 // FIXME: Handle CXXThisRegion as well. (This is not a priority because
400 // 'this' should never be NULL, but this visitor isn't just for NULL and
402 if (const CallEnter *CE = Succ->getLocationAs<CallEnter>()) {
403 const VarRegion *VR = cast<VarRegion>(R);
404 const ParmVarDecl *Param = cast<ParmVarDecl>(VR->getDecl());
406 ProgramStateManager &StateMgr = BRC.getStateManager();
407 CallEventManager &CallMgr = StateMgr.getCallEventManager();
409 CallEventRef<> Call = CallMgr.getCaller(CE->getCalleeContext(),
411 InitE = Call->getArgExpr(Param->getFunctionScopeIndex());
420 // If we have an expression that provided the value, try to track where it
423 if (V.isUndef() || isa<loc::ConcreteInt>(V)) {
425 InitE = InitE->IgnoreParenCasts();
426 bugreporter::trackNullOrUndefValue(StoreSite, InitE, BR, IsParam);
428 ReturnVisitor::addVisitorIfNecessary(StoreSite, InitE->IgnoreParenCasts(),
433 if (!R->canPrintPretty())
436 // Okay, we've found the binding. Emit an appropriate message.
437 SmallString<256> sbuf;
438 llvm::raw_svector_ostream os(sbuf);
440 if (const PostStmt *PS = StoreSite->getLocationAs<PostStmt>()) {
441 if (const DeclStmt *DS = PS->getStmtAs<DeclStmt>()) {
443 if (const VarRegion *VR = dyn_cast<VarRegion>(R)) {
444 os << "Variable '" << *VR->getDecl() << "' ";
449 if (isa<loc::ConcreteInt>(V)) {
451 if (R->isBoundable()) {
452 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
453 if (TR->getValueType()->isObjCObjectPointerType()) {
454 os << "initialized to nil";
461 os << "initialized to a null pointer value";
463 else if (isa<nonloc::ConcreteInt>(V)) {
464 os << "initialized to " << cast<nonloc::ConcreteInt>(V).getValue();
466 else if (V.isUndef()) {
467 if (isa<VarRegion>(R)) {
468 const VarDecl *VD = cast<VarDecl>(DS->getSingleDecl());
470 os << "initialized to a garbage value";
472 os << "declared without an initial value";
476 os << "initialized here";
479 } else if (isa<CallEnter>(StoreSite->getLocation())) {
480 const ParmVarDecl *Param = cast<ParmVarDecl>(cast<VarRegion>(R)->getDecl());
484 if (isa<loc::ConcreteInt>(V)) {
485 if (Param->getType()->isObjCObjectPointerType())
486 os << "nil object reference";
488 os << "null pointer value";
489 } else if (V.isUndef()) {
490 os << "uninitialized value";
491 } else if (isa<nonloc::ConcreteInt>(V)) {
492 os << "the value " << cast<nonloc::ConcreteInt>(V).getValue();
497 // Printed parameter indexes are 1-based, not 0-based.
498 unsigned Idx = Param->getFunctionScopeIndex() + 1;
499 os << " via " << Idx << llvm::getOrdinalSuffix(Idx) << " parameter '";
505 if (os.str().empty()) {
506 if (isa<loc::ConcreteInt>(V)) {
508 if (R->isBoundable()) {
509 if (const TypedValueRegion *TR = dyn_cast<TypedValueRegion>(R)) {
510 if (TR->getValueType()->isObjCObjectPointerType()) {
511 os << "nil object reference stored to ";
518 os << "Null pointer value stored to ";
520 else if (V.isUndef()) {
521 os << "Uninitialized value stored to ";
523 else if (isa<nonloc::ConcreteInt>(V)) {
524 os << "The value " << cast<nonloc::ConcreteInt>(V).getValue()
525 << " is assigned to ";
528 os << "Value assigned to ";
535 // Construct a new PathDiagnosticPiece.
536 ProgramPoint P = StoreSite->getLocation();
537 PathDiagnosticLocation L;
538 if (isa<CallEnter>(P))
539 L = PathDiagnosticLocation(InitE, BRC.getSourceManager(),
540 P.getLocationContext());
542 L = PathDiagnosticLocation::create(P, BRC.getSourceManager());
545 return new PathDiagnosticEventPiece(L, os.str());
548 void TrackConstraintBRVisitor::Profile(llvm::FoldingSetNodeID &ID) const {
551 ID.AddBoolean(Assumption);
555 /// Return the tag associated with this visitor. This tag will be used
556 /// to make all PathDiagnosticPieces created by this visitor.
557 const char *TrackConstraintBRVisitor::getTag() {
558 return "TrackConstraintBRVisitor";
561 PathDiagnosticPiece *
562 TrackConstraintBRVisitor::VisitNode(const ExplodedNode *N,
563 const ExplodedNode *PrevN,
564 BugReporterContext &BRC,
569 // Check if in the previous state it was feasible for this constraint
571 if (PrevN->getState()->assume(Constraint, !Assumption)) {
575 // As a sanity check, make sure that the negation of the constraint
576 // was infeasible in the current state. If it is feasible, we somehow
577 // missed the transition point.
578 if (N->getState()->assume(Constraint, !Assumption))
581 // We found the transition point for the constraint. We now need to
582 // pretty-print the constraint. (work-in-progress)
584 llvm::raw_string_ostream os(sbuf);
586 if (isa<Loc>(Constraint)) {
587 os << "Assuming pointer value is ";
588 os << (Assumption ? "non-null" : "null");
591 if (os.str().empty())
594 // Construct a new PathDiagnosticPiece.
595 ProgramPoint P = N->getLocation();
596 PathDiagnosticLocation L =
597 PathDiagnosticLocation::create(P, BRC.getSourceManager());
601 PathDiagnosticEventPiece *X = new PathDiagnosticEventPiece(L, os.str());
609 bool bugreporter::trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S,
610 BugReport &report, bool IsArg) {
614 if (const OpaqueValueExpr *OVE = dyn_cast<OpaqueValueExpr>(S))
615 S = OVE->getSourceExpr();
618 assert(isa<CallEnter>(N->getLocation()) && "Tracking arg but not at call");
620 // Walk through nodes until we get one that matches the statement exactly.
622 const ProgramPoint &pp = N->getLocation();
623 if (const PostStmt *ps = dyn_cast<PostStmt>(&pp)) {
624 if (ps->getStmt() == S)
626 } else if (const CallExitEnd *CEE = dyn_cast<CallExitEnd>(&pp)) {
627 if (CEE->getCalleeContext()->getCallSite() == S)
630 N = N->getFirstPred();
637 ProgramStateRef state = N->getState();
639 // See if the expression we're interested refers to a variable.
640 // If so, we can track both its contents and constraints on its value.
641 if (const Expr *Ex = dyn_cast<Expr>(S)) {
642 // Strip off parens and casts. Note that this will never have issues with
643 // C++ user-defined implicit conversions, because those have a constructor
644 // or function call inside.
645 Ex = Ex->IgnoreParenCasts();
646 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Ex)) {
647 // FIXME: Right now we only track VarDecls because it's non-trivial to
648 // get a MemRegion for any other DeclRefExprs. <rdar://problem/12114812>
649 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
650 ProgramStateManager &StateMgr = state->getStateManager();
651 MemRegionManager &MRMgr = StateMgr.getRegionManager();
652 const VarRegion *R = MRMgr.getVarRegion(VD, N->getLocationContext());
654 // Mark both the variable region and its contents as interesting.
655 SVal V = state->getRawSVal(loc::MemRegionVal(R));
657 // If the value matches the default for the variable region, that
658 // might mean that it's been cleared out of the state. Fall back to
659 // the full argument expression (with casts and such intact).
661 bool UseArgValue = V.isUnknownOrUndef() || V.isZeroConstant();
663 const SymbolRegionValue *SRV =
664 dyn_cast_or_null<SymbolRegionValue>(V.getAsLocSymbol());
666 UseArgValue = (SRV->getRegion() == R);
669 V = state->getSValAsScalarOrLoc(S, N->getLocationContext());
672 report.markInteresting(R);
673 report.markInteresting(V);
674 report.addVisitor(new UndefOrNullArgVisitor(R));
676 // If the contents are symbolic, find out when they became null.
677 if (V.getAsLocSymbol()) {
678 BugReporterVisitor *ConstraintTracker
679 = new TrackConstraintBRVisitor(cast<DefinedSVal>(V), false);
680 report.addVisitor(ConstraintTracker);
683 report.addVisitor(new FindLastStoreBRVisitor(V, R));
689 // If the expression does NOT refer to a variable, we can still track
690 // constraints on its contents.
691 SVal V = state->getSValAsScalarOrLoc(S, N->getLocationContext());
693 // Uncomment this to find cases where we aren't properly getting the
694 // base value that was dereferenced.
695 // assert(!V.isUnknownOrUndef());
697 // Is it a symbolic value?
698 if (loc::MemRegionVal *L = dyn_cast<loc::MemRegionVal>(&V)) {
699 // At this point we are dealing with the region's LValue.
700 // However, if the rvalue is a symbolic region, we should track it as well.
701 SVal RVal = state->getSVal(L->getRegion());
702 const MemRegion *RegionRVal = RVal.getAsRegion();
703 report.addVisitor(new UndefOrNullArgVisitor(L->getRegion()));
706 if (RegionRVal && isa<SymbolicRegion>(RegionRVal)) {
707 report.markInteresting(RegionRVal);
708 report.addVisitor(new TrackConstraintBRVisitor(
709 loc::MemRegionVal(RegionRVal), false));
712 // Otherwise, if the value came from an inlined function call,
713 // we should at least make sure that function isn't pruned in our output.
714 if (const Expr *E = dyn_cast<Expr>(S))
715 S = E->IgnoreParenCasts();
716 ReturnVisitor::addVisitorIfNecessary(N, S, report);
723 FindLastStoreBRVisitor::createVisitorObject(const ExplodedNode *N,
724 const MemRegion *R) {
725 assert(R && "The memory region is null.");
727 ProgramStateRef state = N->getState();
728 SVal V = state->getSVal(R);
732 return new FindLastStoreBRVisitor(V, R);
736 PathDiagnosticPiece *NilReceiverBRVisitor::VisitNode(const ExplodedNode *N,
737 const ExplodedNode *PrevN,
738 BugReporterContext &BRC,
740 const PostStmt *P = N->getLocationAs<PostStmt>();
743 const ObjCMessageExpr *ME = P->getStmtAs<ObjCMessageExpr>();
746 const Expr *Receiver = ME->getInstanceReceiver();
749 ProgramStateRef state = N->getState();
750 const SVal &V = state->getSVal(Receiver, N->getLocationContext());
751 const DefinedOrUnknownSVal *DV = dyn_cast<DefinedOrUnknownSVal>(&V);
754 state = state->assume(*DV, true);
758 // The receiver was nil, and hence the method was skipped.
759 // Register a BugReporterVisitor to issue a message telling us how
760 // the receiver was null.
761 bugreporter::trackNullOrUndefValue(N, Receiver, BR);
762 // Issue a message saying that the method was skipped.
763 PathDiagnosticLocation L(Receiver, BRC.getSourceManager(),
764 N->getLocationContext());
765 return new PathDiagnosticEventPiece(L, "No method is called "
766 "because the receiver is nil");
769 // Registers every VarDecl inside a Stmt with a last store visitor.
770 void FindLastStoreBRVisitor::registerStatementVarDecls(BugReport &BR,
772 const ExplodedNode *N = BR.getErrorNode();
773 std::deque<const Stmt *> WorkList;
774 WorkList.push_back(S);
776 while (!WorkList.empty()) {
777 const Stmt *Head = WorkList.front();
778 WorkList.pop_front();
780 ProgramStateRef state = N->getState();
781 ProgramStateManager &StateMgr = state->getStateManager();
783 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Head)) {
784 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
786 StateMgr.getRegionManager().getVarRegion(VD, N->getLocationContext());
789 SVal V = state->getSVal(S, N->getLocationContext());
791 if (isa<loc::ConcreteInt>(V) || isa<nonloc::ConcreteInt>(V)) {
792 // Register a new visitor with the BugReport.
793 BR.addVisitor(new FindLastStoreBRVisitor(V, R));
798 for (Stmt::const_child_iterator I = Head->child_begin();
799 I != Head->child_end(); ++I)
800 WorkList.push_back(*I);
804 //===----------------------------------------------------------------------===//
805 // Visitor that tries to report interesting diagnostics from conditions.
806 //===----------------------------------------------------------------------===//
808 /// Return the tag associated with this visitor. This tag will be used
809 /// to make all PathDiagnosticPieces created by this visitor.
810 const char *ConditionBRVisitor::getTag() {
811 return "ConditionBRVisitor";
814 PathDiagnosticPiece *ConditionBRVisitor::VisitNode(const ExplodedNode *N,
815 const ExplodedNode *Prev,
816 BugReporterContext &BRC,
818 PathDiagnosticPiece *piece = VisitNodeImpl(N, Prev, BRC, BR);
820 piece->setTag(getTag());
821 if (PathDiagnosticEventPiece *ev=dyn_cast<PathDiagnosticEventPiece>(piece))
822 ev->setPrunable(true, /* override */ false);
827 PathDiagnosticPiece *ConditionBRVisitor::VisitNodeImpl(const ExplodedNode *N,
828 const ExplodedNode *Prev,
829 BugReporterContext &BRC,
832 ProgramPoint progPoint = N->getLocation();
833 ProgramStateRef CurrentState = N->getState();
834 ProgramStateRef PrevState = Prev->getState();
836 // Compare the GDMs of the state, because that is where constraints
837 // are managed. Note that ensure that we only look at nodes that
838 // were generated by the analyzer engine proper, not checkers.
839 if (CurrentState->getGDM().getRoot() ==
840 PrevState->getGDM().getRoot())
843 // If an assumption was made on a branch, it should be caught
844 // here by looking at the state transition.
845 if (const BlockEdge *BE = dyn_cast<BlockEdge>(&progPoint)) {
846 const CFGBlock *srcBlk = BE->getSrc();
847 if (const Stmt *term = srcBlk->getTerminator())
848 return VisitTerminator(term, N, srcBlk, BE->getDst(), BR, BRC);
852 if (const PostStmt *PS = dyn_cast<PostStmt>(&progPoint)) {
853 // FIXME: Assuming that BugReporter is a GRBugReporter is a layering
855 const std::pair<const ProgramPointTag *, const ProgramPointTag *> &tags =
856 cast<GRBugReporter>(BRC.getBugReporter()).
857 getEngine().geteagerlyAssumeBinOpBifurcationTags();
859 const ProgramPointTag *tag = PS->getTag();
860 if (tag == tags.first)
861 return VisitTrueTest(cast<Expr>(PS->getStmt()), true,
863 if (tag == tags.second)
864 return VisitTrueTest(cast<Expr>(PS->getStmt()), false,
873 PathDiagnosticPiece *
874 ConditionBRVisitor::VisitTerminator(const Stmt *Term,
875 const ExplodedNode *N,
876 const CFGBlock *srcBlk,
877 const CFGBlock *dstBlk,
879 BugReporterContext &BRC) {
880 const Expr *Cond = 0;
882 switch (Term->getStmtClass()) {
885 case Stmt::IfStmtClass:
886 Cond = cast<IfStmt>(Term)->getCond();
888 case Stmt::ConditionalOperatorClass:
889 Cond = cast<ConditionalOperator>(Term)->getCond();
894 assert(srcBlk->succ_size() == 2);
895 const bool tookTrue = *(srcBlk->succ_begin()) == dstBlk;
896 return VisitTrueTest(Cond, tookTrue, BRC, R, N);
899 PathDiagnosticPiece *
900 ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
902 BugReporterContext &BRC,
904 const ExplodedNode *N) {
906 const Expr *Ex = Cond;
909 Ex = Ex->IgnoreParenCasts();
910 switch (Ex->getStmtClass()) {
913 case Stmt::BinaryOperatorClass:
914 return VisitTrueTest(Cond, cast<BinaryOperator>(Ex), tookTrue, BRC,
916 case Stmt::DeclRefExprClass:
917 return VisitTrueTest(Cond, cast<DeclRefExpr>(Ex), tookTrue, BRC,
919 case Stmt::UnaryOperatorClass: {
920 const UnaryOperator *UO = cast<UnaryOperator>(Ex);
921 if (UO->getOpcode() == UO_LNot) {
922 tookTrue = !tookTrue;
923 Ex = UO->getSubExpr();
932 bool ConditionBRVisitor::patternMatch(const Expr *Ex, llvm::raw_ostream &Out,
933 BugReporterContext &BRC,
935 const ExplodedNode *N,
936 llvm::Optional<bool> &prunable) {
937 const Expr *OriginalExpr = Ex;
938 Ex = Ex->IgnoreParenCasts();
940 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(Ex)) {
941 const bool quotes = isa<VarDecl>(DR->getDecl());
944 const LocationContext *LCtx = N->getLocationContext();
945 const ProgramState *state = N->getState().getPtr();
946 if (const MemRegion *R = state->getLValue(cast<VarDecl>(DR->getDecl()),
947 LCtx).getAsRegion()) {
948 if (report.isInteresting(R))
951 const ProgramState *state = N->getState().getPtr();
952 SVal V = state->getSVal(R);
953 if (report.isInteresting(V))
958 Out << DR->getDecl()->getDeclName().getAsString();
964 if (const IntegerLiteral *IL = dyn_cast<IntegerLiteral>(Ex)) {
965 QualType OriginalTy = OriginalExpr->getType();
966 if (OriginalTy->isPointerType()) {
967 if (IL->getValue() == 0) {
972 else if (OriginalTy->isObjCObjectPointerType()) {
973 if (IL->getValue() == 0) {
979 Out << IL->getValue();
986 PathDiagnosticPiece *
987 ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
988 const BinaryOperator *BExpr,
990 BugReporterContext &BRC,
992 const ExplodedNode *N) {
994 bool shouldInvert = false;
995 llvm::Optional<bool> shouldPrune;
997 SmallString<128> LhsString, RhsString;
999 llvm::raw_svector_ostream OutLHS(LhsString), OutRHS(RhsString);
1000 const bool isVarLHS = patternMatch(BExpr->getLHS(), OutLHS, BRC, R, N,
1002 const bool isVarRHS = patternMatch(BExpr->getRHS(), OutRHS, BRC, R, N,
1005 shouldInvert = !isVarLHS && isVarRHS;
1008 BinaryOperator::Opcode Op = BExpr->getOpcode();
1010 if (BinaryOperator::isAssignmentOp(Op)) {
1011 // For assignment operators, all that we care about is that the LHS
1012 // evaluates to "true" or "false".
1013 return VisitConditionVariable(LhsString, BExpr->getLHS(), tookTrue,
1017 // For non-assignment operations, we require that we can understand
1018 // both the LHS and RHS.
1019 if (LhsString.empty() || RhsString.empty())
1022 // Should we invert the strings if the LHS is not a variable name?
1023 SmallString<256> buf;
1024 llvm::raw_svector_ostream Out(buf);
1025 Out << "Assuming " << (shouldInvert ? RhsString : LhsString) << " is ";
1027 // Do we need to invert the opcode?
1031 case BO_LT: Op = BO_GT; break;
1032 case BO_GT: Op = BO_LT; break;
1033 case BO_LE: Op = BO_GE; break;
1034 case BO_GE: Op = BO_LE; break;
1039 case BO_EQ: Op = BO_NE; break;
1040 case BO_NE: Op = BO_EQ; break;
1041 case BO_LT: Op = BO_GE; break;
1042 case BO_GT: Op = BO_LE; break;
1043 case BO_LE: Op = BO_GT; break;
1044 case BO_GE: Op = BO_LT; break;
1054 Out << "not equal to ";
1057 Out << BinaryOperator::getOpcodeStr(Op) << ' ';
1061 Out << (shouldInvert ? LhsString : RhsString);
1062 const LocationContext *LCtx = N->getLocationContext();
1063 PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx);
1064 PathDiagnosticEventPiece *event =
1065 new PathDiagnosticEventPiece(Loc, Out.str());
1066 if (shouldPrune.hasValue())
1067 event->setPrunable(shouldPrune.getValue());
1071 PathDiagnosticPiece *
1072 ConditionBRVisitor::VisitConditionVariable(StringRef LhsString,
1073 const Expr *CondVarExpr,
1074 const bool tookTrue,
1075 BugReporterContext &BRC,
1077 const ExplodedNode *N) {
1078 // FIXME: If there's already a constraint tracker for this variable,
1079 // we shouldn't emit anything here (c.f. the double note in
1080 // test/Analysis/inlining/path-notes.c)
1081 SmallString<256> buf;
1082 llvm::raw_svector_ostream Out(buf);
1083 Out << "Assuming " << LhsString << " is ";
1085 QualType Ty = CondVarExpr->getType();
1087 if (Ty->isPointerType())
1088 Out << (tookTrue ? "not null" : "null");
1089 else if (Ty->isObjCObjectPointerType())
1090 Out << (tookTrue ? "not nil" : "nil");
1091 else if (Ty->isBooleanType())
1092 Out << (tookTrue ? "true" : "false");
1093 else if (Ty->isIntegerType())
1094 Out << (tookTrue ? "non-zero" : "zero");
1098 const LocationContext *LCtx = N->getLocationContext();
1099 PathDiagnosticLocation Loc(CondVarExpr, BRC.getSourceManager(), LCtx);
1100 PathDiagnosticEventPiece *event =
1101 new PathDiagnosticEventPiece(Loc, Out.str());
1103 if (const DeclRefExpr *DR = dyn_cast<DeclRefExpr>(CondVarExpr)) {
1104 if (const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl())) {
1105 const ProgramState *state = N->getState().getPtr();
1106 if (const MemRegion *R = state->getLValue(VD, LCtx).getAsRegion()) {
1107 if (report.isInteresting(R))
1108 event->setPrunable(false);
1116 PathDiagnosticPiece *
1117 ConditionBRVisitor::VisitTrueTest(const Expr *Cond,
1118 const DeclRefExpr *DR,
1119 const bool tookTrue,
1120 BugReporterContext &BRC,
1122 const ExplodedNode *N) {
1124 const VarDecl *VD = dyn_cast<VarDecl>(DR->getDecl());
1128 SmallString<256> Buf;
1129 llvm::raw_svector_ostream Out(Buf);
1131 Out << "Assuming '";
1132 VD->getDeclName().printName(Out);
1135 QualType VDTy = VD->getType();
1137 if (VDTy->isPointerType())
1138 Out << (tookTrue ? "non-null" : "null");
1139 else if (VDTy->isObjCObjectPointerType())
1140 Out << (tookTrue ? "non-nil" : "nil");
1141 else if (VDTy->isScalarType())
1142 Out << (tookTrue ? "not equal to 0" : "0");
1146 const LocationContext *LCtx = N->getLocationContext();
1147 PathDiagnosticLocation Loc(Cond, BRC.getSourceManager(), LCtx);
1148 PathDiagnosticEventPiece *event =
1149 new PathDiagnosticEventPiece(Loc, Out.str());
1151 const ProgramState *state = N->getState().getPtr();
1152 if (const MemRegion *R = state->getLValue(VD, LCtx).getAsRegion()) {
1153 if (report.isInteresting(R))
1154 event->setPrunable(false);
1156 SVal V = state->getSVal(R);
1157 if (report.isInteresting(V))
1158 event->setPrunable(false);
1164 PathDiagnosticPiece *
1165 UndefOrNullArgVisitor::VisitNode(const ExplodedNode *N,
1166 const ExplodedNode *PrevN,
1167 BugReporterContext &BRC,
1170 ProgramStateRef State = N->getState();
1171 ProgramPoint ProgLoc = N->getLocation();
1173 // We are only interested in visiting CallEnter nodes.
1174 CallEnter *CEnter = dyn_cast<CallEnter>(&ProgLoc);
1178 // Check if one of the arguments is the region the visitor is tracking.
1179 CallEventManager &CEMgr = BRC.getStateManager().getCallEventManager();
1180 CallEventRef<> Call = CEMgr.getCaller(CEnter->getCalleeContext(), State);
1182 for (CallEvent::param_iterator I = Call->param_begin(),
1183 E = Call->param_end(); I != E; ++I, ++Idx) {
1184 const MemRegion *ArgReg = Call->getArgSVal(Idx).getAsRegion();
1186 // Are we tracking the argument or its subregion?
1187 if ( !ArgReg || (ArgReg != R && !R->isSubRegionOf(ArgReg->StripCasts())))
1190 // Check the function parameter type.
1191 const ParmVarDecl *ParamDecl = *I;
1192 assert(ParamDecl && "Formal parameter has no decl?");
1193 QualType T = ParamDecl->getType();
1195 if (!(T->isAnyPointerType() || T->isReferenceType())) {
1196 // Function can only change the value passed in by address.
1200 // If it is a const pointer value, the function does not intend to
1201 // change the value.
1202 if (T->getPointeeType().isConstQualified())
1205 // Mark the call site (LocationContext) as interesting if the value of the
1206 // argument is undefined or '0'/'NULL'.
1207 SVal BoundVal = State->getSVal(R);
1208 if (BoundVal.isUndef() || BoundVal.isZeroConstant()) {
1209 BR.markInteresting(CEnter->getCalleeContext());
projects / FreeBSD / stable / 9.git / blob