Coverage Report

Created: 2018-09-19 20:53

/Users/buildslave/jenkins/workspace/clang-stage2-coverage-R/llvm/tools/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h
Line
Count
Source (jump to first uncovered line)
1
//===- BugReporterVisitors.h - Generate PathDiagnostics ---------*- C++ -*-===//
2
//
3
//                     The LLVM Compiler Infrastructure
4
//
5
// This file is distributed under the University of Illinois Open Source
6
// License. See LICENSE.TXT for details.
7
//
8
//===----------------------------------------------------------------------===//
9
//
10
//  This file declares BugReporterVisitors, which are used to generate enhanced
11
//  diagnostic traces.
12
//
13
//===----------------------------------------------------------------------===//
14
15
#ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
16
#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
17
18
#include "clang/Basic/LLVM.h"
19
#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
20
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
21
#include "llvm/ADT/FoldingSet.h"
22
#include "llvm/ADT/STLExtras.h"
23
#include "llvm/ADT/StringRef.h"
24
#include <memory>
25
26
namespace clang {
27
28
class BinaryOperator;
29
class CFGBlock;
30
class DeclRefExpr;
31
class Expr;
32
class Stmt;
33
34
namespace ento {
35
36
class BugReport;
37
class BugReporterContext;
38
class ExplodedNode;
39
class MemRegion;
40
class PathDiagnosticPiece;
41
42
/// BugReporterVisitors are used to add custom diagnostics along a path.
43
class BugReporterVisitor : public llvm::FoldingSetNode {
44
public:
45
0
  BugReporterVisitor() = default;
46
  BugReporterVisitor(const BugReporterVisitor &) = default;
47
  BugReporterVisitor(BugReporterVisitor &&) {}
48
  virtual ~BugReporterVisitor();
49
50
  /// Return a diagnostic piece which should be associated with the
51
  /// given node.
52
  /// Note that this function does *not* get run on the very last node
53
  /// of the report, as the PathDiagnosticPiece associated with the
54
  /// last node should be unique.
55
  /// Use {@code getEndPath} to customize the note associated with the report
56
  /// end instead.
57
  ///
58
  /// The last parameter can be used to register a new visitor with the given
59
  /// BugReport while processing a node.
60
  virtual std::shared_ptr<PathDiagnosticPiece>
61
  VisitNode(const ExplodedNode *Succ, const ExplodedNode *Pred,
62
            BugReporterContext &BRC, BugReport &BR) = 0;
63
64
  /// Last function called on the visitor, no further calls to VisitNode
65
  /// would follow.
66
  virtual void finalizeVisitor(BugReporterContext &BRC,
67
                               const ExplodedNode *EndPathNode,
68
                               BugReport &BR);
69
70
  /// Provide custom definition for the final diagnostic piece on the
71
  /// path - the piece, which is displayed before the path is expanded.
72
  ///
73
  /// NOTE that this function can be implemented on at most one used visitor,
74
  /// and otherwise it crahes at runtime.
75
  virtual std::shared_ptr<PathDiagnosticPiece>
76
  getEndPath(BugReporterContext &BRC, const ExplodedNode *N, BugReport &BR);
77
78
  virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0;
79
80
  /// Generates the default final diagnostic piece.
81
  static std::shared_ptr<PathDiagnosticPiece>
82
  getDefaultEndPath(BugReporterContext &BRC, const ExplodedNode *N,
83
                    BugReport &BR);
84
};
85
86
class FindLastStoreBRVisitor final : public BugReporterVisitor {
87
  const MemRegion *R;
88
  SVal V;
89
  bool Satisfied = false;
90
91
  /// If the visitor is tracking the value directly responsible for the
92
  /// bug, we are going to employ false positive suppression.
93
  bool EnableNullFPSuppression;
94
95
public:
96
  /// Creates a visitor for every VarDecl inside a Stmt and registers it with
97
  /// the BugReport.
98
  static void registerStatementVarDecls(BugReport &BR, const Stmt *S,
99
                                        bool EnableNullFPSuppression);
100
101
  FindLastStoreBRVisitor(KnownSVal V, const MemRegion *R,
102
                         bool InEnableNullFPSuppression)
103
0
      : R(R), V(V), EnableNullFPSuppression(InEnableNullFPSuppression) {}
104
105
  void Profile(llvm::FoldingSetNodeID &ID) const override;
106
107
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
108
                                                 const ExplodedNode *PrevN,
109
                                                 BugReporterContext &BRC,
110
                                                 BugReport &BR) override;
111
};
112
113
class TrackConstraintBRVisitor final : public BugReporterVisitor {
114
  DefinedSVal Constraint;
115
  bool Assumption;
116
  bool IsSatisfied = false;
117
  bool IsZeroCheck;
118
119
  /// We should start tracking from the last node along the path in which the
120
  /// value is constrained.
121
  bool IsTrackingTurnedOn = false;
122
123
public:
124
  TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption)
125
      : Constraint(constraint), Assumption(assumption),
126
0
        IsZeroCheck(!Assumption && Constraint.getAs<Loc>()) {}
127
128
  void Profile(llvm::FoldingSetNodeID &ID) const override;
129
130
  /// Return the tag associated with this visitor.  This tag will be used
131
  /// to make all PathDiagnosticPieces created by this visitor.
132
  static const char *getTag();
133
134
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
135
                                                 const ExplodedNode *PrevN,
136
                                                 BugReporterContext &BRC,
137
                                                 BugReport &BR) override;
138
139
private:
140
  /// Checks if the constraint is valid in the current state.
141
  bool isUnderconstrained(const ExplodedNode *N) const;
142
};
143
144
/// \class NilReceiverBRVisitor
145
/// Prints path notes when a message is sent to a nil receiver.
146
class NilReceiverBRVisitor final : public BugReporterVisitor {
147
public:
148
0
  void Profile(llvm::FoldingSetNodeID &ID) const override {
149
0
    static int x = 0;
150
0
    ID.AddPointer(&x);
151
0
  }
152
153
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
154
                                                 const ExplodedNode *PrevN,
155
                                                 BugReporterContext &BRC,
156
                                                 BugReport &BR) override;
157
158
  /// If the statement is a message send expression with nil receiver, returns
159
  /// the receiver expression. Returns NULL otherwise.
160
  static const Expr *getNilReceiver(const Stmt *S, const ExplodedNode *N);
161
};
162
163
/// Visitor that tries to report interesting diagnostics from conditions.
164
class ConditionBRVisitor final : public BugReporterVisitor {
165
  // FIXME: constexpr initialization isn't supported by MSVC2013.
166
  static const char *const GenericTrueMessage;
167
  static const char *const GenericFalseMessage;
168
169
public:
170
0
  void Profile(llvm::FoldingSetNodeID &ID) const override {
171
0
    static int x = 0;
172
0
    ID.AddPointer(&x);
173
0
  }
174
175
  /// Return the tag associated with this visitor.  This tag will be used
176
  /// to make all PathDiagnosticPieces created by this visitor.
177
  static const char *getTag();
178
179
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
180
                                                 const ExplodedNode *Prev,
181
                                                 BugReporterContext &BRC,
182
                                                 BugReport &BR) override;
183
184
  std::shared_ptr<PathDiagnosticPiece> VisitNodeImpl(const ExplodedNode *N,
185
                                                     const ExplodedNode *Prev,
186
                                                     BugReporterContext &BRC,
187
                                                     BugReport &BR);
188
189
  std::shared_ptr<PathDiagnosticPiece>
190
  VisitTerminator(const Stmt *Term, const ExplodedNode *N,
191
                  const CFGBlock *srcBlk, const CFGBlock *dstBlk, BugReport &R,
192
                  BugReporterContext &BRC);
193
194
  std::shared_ptr<PathDiagnosticPiece>
195
  VisitTrueTest(const Expr *Cond, bool tookTrue, BugReporterContext &BRC,
196
                BugReport &R, const ExplodedNode *N);
197
198
  std::shared_ptr<PathDiagnosticPiece>
199
  VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR, const bool tookTrue,
200
                BugReporterContext &BRC, BugReport &R, const ExplodedNode *N);
201
202
  std::shared_ptr<PathDiagnosticPiece>
203
  VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr,
204
                const bool tookTrue, BugReporterContext &BRC, BugReport &R,
205
                const ExplodedNode *N);
206
207
  std::shared_ptr<PathDiagnosticPiece>
208
  VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr,
209
                         const bool tookTrue, BugReporterContext &BRC,
210
                         BugReport &R, const ExplodedNode *N);
211
212
  bool patternMatch(const Expr *Ex,
213
                    const Expr *ParentEx,
214
                    raw_ostream &Out,
215
                    BugReporterContext &BRC,
216
                    BugReport &R,
217
                    const ExplodedNode *N,
218
                    Optional<bool> &prunable);
219
220
  static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece);
221
};
222
223
/// Suppress reports that might lead to known false positives.
224
///
225
/// Currently this suppresses reports based on locations of bugs.
226
class LikelyFalsePositiveSuppressionBRVisitor final
227
    : public BugReporterVisitor {
228
public:
229
0
  static void *getTag() {
230
0
    static int Tag = 0;
231
0
    return static_cast<void *>(&Tag);
232
0
  }
233
234
0
  void Profile(llvm::FoldingSetNodeID &ID) const override {
235
0
    ID.AddPointer(getTag());
236
0
  }
237
238
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
239
                                                 const ExplodedNode *Prev,
240
                                                 BugReporterContext &BRC,
241
0
                                                 BugReport &BR) override {
242
0
    return nullptr;
243
0
  }
244
245
  void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N,
246
                       BugReport &BR) override;
247
};
248
249
/// When a region containing undefined value or '0' value is passed
250
/// as an argument in a call, marks the call as interesting.
251
///
252
/// As a result, BugReporter will not prune the path through the function even
253
/// if the region's contents are not modified/accessed by the call.
254
class UndefOrNullArgVisitor final : public BugReporterVisitor {
255
  /// The interesting memory region this visitor is tracking.
256
  const MemRegion *R;
257
258
public:
259
0
  UndefOrNullArgVisitor(const MemRegion *InR) : R(InR) {}
260
261
0
  void Profile(llvm::FoldingSetNodeID &ID) const override {
262
0
    static int Tag = 0;
263
0
    ID.AddPointer(&Tag);
264
0
    ID.AddPointer(R);
265
0
  }
266
267
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
268
                                                 const ExplodedNode *PrevN,
269
                                                 BugReporterContext &BRC,
270
                                                 BugReport &BR) override;
271
};
272
273
class SuppressInlineDefensiveChecksVisitor final : public BugReporterVisitor {
274
  /// The symbolic value for which we are tracking constraints.
275
  /// This value is constrained to null in the end of path.
276
  DefinedSVal V;
277
278
  /// Track if we found the node where the constraint was first added.
279
  bool IsSatisfied = false;
280
281
  /// Since the visitors can be registered on nodes previous to the last
282
  /// node in the BugReport, but the path traversal always starts with the last
283
  /// node, the visitor invariant (that we start with a node in which V is null)
284
  /// might not hold when node visitation starts. We are going to start tracking
285
  /// from the last node in which the value is null.
286
  bool IsTrackingTurnedOn = false;
287
288
public:
289
  SuppressInlineDefensiveChecksVisitor(DefinedSVal Val, const ExplodedNode *N);
290
291
  void Profile(llvm::FoldingSetNodeID &ID) const override;
292
293
  /// Return the tag associated with this visitor.  This tag will be used
294
  /// to make all PathDiagnosticPieces created by this visitor.
295
  static const char *getTag();
296
297
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ,
298
                                                 const ExplodedNode *Pred,
299
                                                 BugReporterContext &BRC,
300
                                                 BugReport &BR) override;
301
};
302
303
class CXXSelfAssignmentBRVisitor final : public BugReporterVisitor {
304
  bool Satisfied = false;
305
306
public:
307
0
  CXXSelfAssignmentBRVisitor() = default;
308
309
0
  void Profile(llvm::FoldingSetNodeID &ID) const override {}
310
311
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *Succ,
312
                                                 const ExplodedNode *Pred,
313
                                                 BugReporterContext &BRC,
314
                                                 BugReport &BR) override;
315
};
316
317
/// The bug visitor prints a diagnostic message at the location where a given
318
/// variable was tainted.
319
class TaintBugVisitor final : public BugReporterVisitor {
320
private:
321
  const SVal V;
322
323
public:
324
0
  TaintBugVisitor(const SVal V) : V(V) {}
325
0
  void Profile(llvm::FoldingSetNodeID &ID) const override { ID.Add(V); }
326
327
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
328
                                                 const ExplodedNode *PrevN,
329
                                                 BugReporterContext &BRC,
330
                                                 BugReport &BR) override;
331
};
332
333
/// The bug visitor will walk all the nodes in a path and collect all the
334
/// constraints. When it reaches the root node, will create a refutation
335
/// manager and check if the constraints are satisfiable
336
class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor {
337
private:
338
  /// Holds the constraints in a given path
339
  ConstraintRangeTy Constraints;
340
341
public:
342
  FalsePositiveRefutationBRVisitor();
343
344
  void Profile(llvm::FoldingSetNodeID &ID) const override;
345
346
  std::shared_ptr<PathDiagnosticPiece> VisitNode(const ExplodedNode *N,
347
                                                 const ExplodedNode *PrevN,
348
                                                 BugReporterContext &BRC,
349
                                                 BugReport &BR) override;
350
351
  void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode,
352
                       BugReport &BR) override;
353
};
354
355
namespace bugreporter {
356
357
/// Attempts to add visitors to trace a null or undefined value back to its
358
/// point of origin, whether it is a symbol constrained to null or an explicit
359
/// assignment.
360
///
361
/// \param N A node "downstream" from the evaluation of the statement.
362
/// \param S The statement whose value is null or undefined.
363
/// \param R The bug report to which visitors should be attached.
364
/// \param IsArg Whether the statement is an argument to an inlined function.
365
///              If this is the case, \p N \em must be the CallEnter node for
366
///              the function.
367
/// \param EnableNullFPSuppression Whether we should employ false positive
368
///         suppression (inlined defensive checks, returned null).
369
///
370
/// \return Whether or not the function was able to add visitors for this
371
///         statement. Note that returning \c true does not actually imply
372
///         that any visitors were added.
373
bool trackNullOrUndefValue(const ExplodedNode *N, const Stmt *S, BugReport &R,
374
                           bool IsArg = false,
375
                           bool EnableNullFPSuppression = true);
376
377
const Expr *getDerefExpr(const Stmt *S);
378
const Stmt *GetDenomExpr(const ExplodedNode *N);
379
const Stmt *GetRetValExpr(const ExplodedNode *N);
380
bool isDeclRefExprToReference(const Expr *E);
381
382
} // namespace bugreporter
383
384
} // namespace ento
385
386
} // namespace clang
387
388
#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H