Coverage Report

Created: 2022-07-16 07:03

/Users/buildslave/jenkins/workspace/coverage/llvm-project/clang/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h
Line
Count
Source (jump to first uncovered line)
1
//===- BugReporter.h - Generate PathDiagnostics -----------------*- C++ -*-===//
2
//
3
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4
// See https://llvm.org/LICENSE.txt for license information.
5
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6
//
7
//===----------------------------------------------------------------------===//
8
//
9
//  This file defines BugReporter, a utility class for generating
10
//  PathDiagnostics for analyses based on ProgramState.
11
//
12
//===----------------------------------------------------------------------===//
13
14
#ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTER_H
15
#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTER_H
16
17
#include "clang/Analysis/PathDiagnostic.h"
18
#include "clang/Basic/LLVM.h"
19
#include "clang/Basic/SourceLocation.h"
20
#include "clang/Lex/Preprocessor.h"
21
#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
22
#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
23
#include "clang/StaticAnalyzer/Core/CheckerManager.h"
24
#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
25
#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
26
#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
27
#include "clang/StaticAnalyzer/Core/PathSensitive/SymExpr.h"
28
#include "llvm/ADT/ArrayRef.h"
29
#include "llvm/ADT/DenseSet.h"
30
#include "llvm/ADT/FoldingSet.h"
31
#include "llvm/ADT/ImmutableSet.h"
32
#include "llvm/ADT/None.h"
33
#include "llvm/ADT/SmallSet.h"
34
#include "llvm/ADT/SmallVector.h"
35
#include "llvm/ADT/StringMap.h"
36
#include "llvm/ADT/StringRef.h"
37
#include "llvm/ADT/ilist.h"
38
#include "llvm/ADT/ilist_node.h"
39
#include "llvm/ADT/iterator_range.h"
40
#include <cassert>
41
#include <memory>
42
#include <string>
43
#include <utility>
44
#include <vector>
45
46
namespace clang {
47
48
class AnalyzerOptions;
49
class ASTContext;
50
class Decl;
51
class LocationContext;
52
class SourceManager;
53
class Stmt;
54
55
namespace ento {
56
57
class BugType;
58
class CheckerBase;
59
class ExplodedGraph;
60
class ExplodedNode;
61
class ExprEngine;
62
class MemRegion;
63
64
//===----------------------------------------------------------------------===//
65
// Interface for individual bug reports.
66
//===----------------------------------------------------------------------===//
67
68
/// A mapping from diagnostic consumers to the diagnostics they should
69
/// consume.
70
using DiagnosticForConsumerMapTy =
71
    llvm::DenseMap<PathDiagnosticConsumer *, std::unique_ptr<PathDiagnostic>>;
72
73
/// Interface for classes constructing Stack hints.
74
///
75
/// If a PathDiagnosticEvent occurs in a different frame than the final
76
/// diagnostic the hints can be used to summarize the effect of the call.
77
class StackHintGenerator {
78
public:
79
  virtual ~StackHintGenerator() = 0;
80
81
  /// Construct the Diagnostic message for the given ExplodedNode.
82
  virtual std::string getMessage(const ExplodedNode *N) = 0;
83
};
84
85
/// Constructs a Stack hint for the given symbol.
86
///
87
/// The class knows how to construct the stack hint message based on
88
/// traversing the CallExpr associated with the call and checking if the given
89
/// symbol is returned or is one of the arguments.
90
/// The hint can be customized by redefining 'getMessageForX()' methods.
91
class StackHintGeneratorForSymbol : public StackHintGenerator {
92
private:
93
  SymbolRef Sym;
94
  std::string Msg;
95
96
public:
97
619
  StackHintGeneratorForSymbol(SymbolRef S, StringRef M) : Sym(S), Msg(M) {}
98
619
  ~StackHintGeneratorForSymbol() override = default;
99
100
  /// Search the call expression for the symbol Sym and dispatch the
101
  /// 'getMessageForX()' methods to construct a specific message.
102
  std::string getMessage(const ExplodedNode *N) override;
103
104
  /// Produces the message of the following form:
105
  ///   'Msg via Nth parameter'
106
  virtual std::string getMessageForArg(const Expr *ArgE, unsigned ArgIndex);
107
108
9
  virtual std::string getMessageForReturn(const CallExpr *CallExpr) {
109
9
    return Msg;
110
9
  }
111
112
5
  virtual std::string getMessageForSymbolNotFound() {
113
5
    return Msg;
114
5
  }
115
};
116
117
/// This class provides an interface through which checkers can create
118
/// individual bug reports.
119
class BugReport {
120
public:
121
  enum class Kind { Basic, PathSensitive };
122
123
protected:
124
  friend class BugReportEquivClass;
125
  friend class BugReporter;
126
127
  Kind K;
128
  const BugType& BT;
129
  std::string ShortDescription;
130
  std::string Description;
131
132
  SmallVector<SourceRange, 4> Ranges;
133
  SmallVector<std::shared_ptr<PathDiagnosticNotePiece>, 4> Notes;
134
  SmallVector<FixItHint, 4> Fixits;
135
136
  BugReport(Kind kind, const BugType &bt, StringRef desc)
137
1.29k
      : BugReport(kind, bt, "", desc) {}
138
139
  BugReport(Kind K, const BugType &BT, StringRef ShortDescription,
140
            StringRef Description)
141
      : K(K), BT(BT), ShortDescription(ShortDescription),
142
22.0k
        Description(Description) {}
143
144
public:
145
22.0k
  virtual ~BugReport() = default;
146
147
92.4k
  Kind getKind() const { return K; }
148
149
85.2k
  const BugType& getBugType() const { return BT; }
150
151
  /// A verbose warning message that is appropriate for displaying next to
152
  /// the source code that introduces the problem. The description should be
153
  /// at least a full sentence starting with a capital letter. The period at
154
  /// the end of the warning is traditionally omitted. If the description
155
  /// consists of multiple sentences, periods between the sentences are
156
  /// encouraged, but the period at the end of the description is still omitted.
157
60.3k
  StringRef getDescription() const { return Description; }
158
159
  /// A short general warning message that is appropriate for displaying in
160
  /// the list of all reported bugs. It should describe what kind of bug is found
161
  /// but does not need to try to go into details of that specific bug.
162
  /// Grammatical conventions of getDescription() apply here as well.
163
39.0k
  StringRef getShortDescription(bool UseFallback = true) const {
164
39.0k
    if (ShortDescription.empty() && 
UseFallback2.19k
)
165
0
      return Description;
166
39.0k
    return ShortDescription;
167
39.0k
  }
168
169
  /// The primary location of the bug report that points at the undesirable
170
  /// behavior in the code. UIs should attach the warning description to this
171
  /// location. The warning description should describe the bad behavior
172
  /// at this location.
173
  virtual PathDiagnosticLocation getLocation() const = 0;
174
175
  /// The smallest declaration that contains the bug location.
176
  /// This is purely cosmetic; the declaration can be displayed to the user
177
  /// but it does not affect whether the report is emitted.
178
  virtual const Decl *getDeclWithIssue() const = 0;
179
180
  /// Get the location on which the report should be uniqued. Two warnings are
181
  /// considered to be equivalent whenever they have the same bug types,
182
  /// descriptions, and uniqueing locations. Out of a class of equivalent
183
  /// warnings only one gets displayed to the user. For most warnings the
184
  /// uniqueing location coincides with their location, but sometimes
185
  /// it makes sense to use different locations. For example, a leak
186
  /// checker can place the warning at the location where the last reference
187
  /// to the leaking resource is dropped but at the same time unique the warning
188
  /// by where that resource is acquired (allocated).
189
  virtual PathDiagnosticLocation getUniqueingLocation() const = 0;
190
191
  /// Get the declaration that corresponds to (usually contains) the uniqueing
192
  /// location. This is not actively used for uniqueing, i.e. otherwise
193
  /// identical reports that have different uniqueing decls will be considered
194
  /// equivalent.
195
  virtual const Decl *getUniqueingDecl() const = 0;
196
197
  /// Add new item to the list of additional notes that need to be attached to
198
  /// this report. If the report is path-sensitive, these notes will not be
199
  /// displayed as part of the execution path explanation, but will be displayed
200
  /// separately. Use bug visitors if you need to add an extra path note.
201
  void addNote(StringRef Msg, const PathDiagnosticLocation &Pos,
202
227
               ArrayRef<SourceRange> Ranges = {}) {
203
227
    auto P = std::make_shared<PathDiagnosticNotePiece>(Pos, Msg);
204
205
227
    for (const auto &R : Ranges)
206
66
      P->addRange(R);
207
208
227
    Notes.push_back(std::move(P));
209
227
  }
210
211
42.4k
  ArrayRef<std::shared_ptr<PathDiagnosticNotePiece>> getNotes() {
212
42.4k
    return Notes;
213
42.4k
  }
214
215
  /// Add a range to a bug report.
216
  ///
217
  /// Ranges are used to highlight regions of interest in the source code.
218
  /// They should be at the same source code line as the BugReport location.
219
  /// By default, the source range of the statement corresponding to the error
220
  /// node will be used; add a single invalid range to specify absence of
221
  /// ranges.
222
4.82k
  void addRange(SourceRange R) {
223
4.82k
    assert((R.isValid() || Ranges.empty()) && "Invalid range can only be used "
224
4.82k
                           "to specify that the report does not have a range.");
225
0
    Ranges.push_back(R);
226
4.82k
  }
227
228
  /// Get the SourceRanges associated with the report.
229
1.28k
  virtual ArrayRef<SourceRange> getRanges() const {
230
1.28k
    return Ranges;
231
1.28k
  }
232
233
  /// Add a fix-it hint to the bug report.
234
  ///
235
  /// Fix-it hints are the suggested edits to the code that would resolve
236
  /// the problem explained by the bug report. Fix-it hints should be
237
  /// as conservative as possible because it is not uncommon for the user
238
  /// to blindly apply all fixits to their project. Note that it is very hard
239
  /// to produce a good fix-it hint for most path-sensitive warnings.
240
12
  void addFixItHint(const FixItHint &F) {
241
12
    Fixits.push_back(F);
242
12
  }
243
244
21.2k
  llvm::ArrayRef<FixItHint> getFixits() const { return Fixits; }
245
246
  /// Reports are uniqued to ensure that we do not emit multiple diagnostics
247
  /// for each bug.
248
  virtual void Profile(llvm::FoldingSetNodeID& hash) const = 0;
249
};
250
251
class BasicBugReport : public BugReport {
252
  PathDiagnosticLocation Location;
253
  const Decl *DeclWithIssue = nullptr;
254
255
public:
256
  BasicBugReport(const BugType &bt, StringRef desc, PathDiagnosticLocation l)
257
1.29k
      : BugReport(Kind::Basic, bt, desc), Location(l) {}
258
259
20.6k
  static bool classof(const BugReport *R) {
260
20.6k
    return R->getKind() == Kind::Basic;
261
20.6k
  }
262
263
3.86k
  PathDiagnosticLocation getLocation() const override {
264
3.86k
    assert(Location.isValid());
265
0
    return Location;
266
3.86k
  }
267
268
2.57k
  const Decl *getDeclWithIssue() const override {
269
2.57k
    return DeclWithIssue;
270
2.57k
  }
271
272
1.28k
  PathDiagnosticLocation getUniqueingLocation() const override {
273
1.28k
    return getLocation();
274
1.28k
  }
275
276
1.28k
  const Decl *getUniqueingDecl() const override {
277
1.28k
    return getDeclWithIssue();
278
1.28k
  }
279
280
  /// Specifically set the Decl where an issue occurred. This isn't necessary
281
  /// for BugReports that cover a path as it will be automatically inferred.
282
1.22k
  void setDeclWithIssue(const Decl *declWithIssue) {
283
1.22k
    DeclWithIssue = declWithIssue;
284
1.22k
  }
285
286
  void Profile(llvm::FoldingSetNodeID& hash) const override;
287
};
288
289
class PathSensitiveBugReport : public BugReport {
290
public:
291
  using VisitorList = SmallVector<std::unique_ptr<BugReporterVisitor>, 8>;
292
  using visitor_iterator = VisitorList::iterator;
293
  using visitor_range = llvm::iterator_range<visitor_iterator>;
294
295
protected:
296
  /// The ExplodedGraph node against which the report was thrown. It corresponds
297
  /// to the end of the execution path that demonstrates the bug.
298
  const ExplodedNode *ErrorNode = nullptr;
299
300
  /// The range that corresponds to ErrorNode's program point. It is usually
301
  /// highlighted in the report.
302
  const SourceRange ErrorNodeRange;
303
304
  /// Profile to identify equivalent bug reports for error report coalescing.
305
306
  /// A (stack of) a set of symbols that are registered with this
307
  /// report as being "interesting", and thus used to help decide which
308
  /// diagnostics to include when constructing the final path diagnostic.
309
  /// The stack is largely used by BugReporter when generating PathDiagnostics
310
  /// for multiple PathDiagnosticConsumers.
311
  llvm::DenseMap<SymbolRef, bugreporter::TrackingKind> InterestingSymbols;
312
313
  /// A (stack of) set of regions that are registered with this report as being
314
  /// "interesting", and thus used to help decide which diagnostics
315
  /// to include when constructing the final path diagnostic.
316
  /// The stack is largely used by BugReporter when generating PathDiagnostics
317
  /// for multiple PathDiagnosticConsumers.
318
  llvm::DenseMap<const MemRegion *, bugreporter::TrackingKind>
319
      InterestingRegions;
320
321
  /// A set of location contexts that correspoind to call sites which should be
322
  /// considered "interesting".
323
  llvm::SmallSet<const LocationContext *, 2> InterestingLocationContexts;
324
325
  /// A set of custom visitors which generate "event" diagnostics at
326
  /// interesting points in the path.
327
  VisitorList Callbacks;
328
329
  /// Used for ensuring the visitors are only added once.
330
  llvm::FoldingSet<BugReporterVisitor> CallbacksSet;
331
332
  /// When set, this flag disables all callstack pruning from a diagnostic
333
  /// path.  This is useful for some reports that want maximum fidelty
334
  /// when reporting an issue.
335
  bool DoNotPrunePath = false;
336
337
  /// Used to track unique reasons why a bug report might be invalid.
338
  ///
339
  /// \sa markInvalid
340
  /// \sa removeInvalidation
341
  using InvalidationRecord = std::pair<const void *, const void *>;
342
343
  /// If non-empty, this bug report is likely a false positive and should not be
344
  /// shown to the user.
345
  ///
346
  /// \sa markInvalid
347
  /// \sa removeInvalidation
348
  llvm::SmallSet<InvalidationRecord, 4> Invalidations;
349
350
  /// Conditions we're already tracking.
351
  llvm::SmallSet<const ExplodedNode *, 4> TrackedConditions;
352
353
  /// Reports with different uniqueing locations are considered to be different
354
  /// for the purposes of deduplication.
355
  PathDiagnosticLocation UniqueingLocation;
356
  const Decl *UniqueingDecl;
357
358
  const Stmt *getStmt() const;
359
360
  /// If an event occurs in a different frame than the final diagnostic,
361
  /// supply a message that will be used to construct an extra hint on the
362
  /// returns from all the calls on the stack from this event to the final
363
  /// diagnostic.
364
  // FIXME: Allow shared_ptr keys in DenseMap?
365
  std::map<PathDiagnosticPieceRef, std::unique_ptr<StackHintGenerator>>
366
      StackHints;
367
368
public:
369
  PathSensitiveBugReport(const BugType &bt, StringRef desc,
370
                         const ExplodedNode *errorNode)
371
20.0k
      : PathSensitiveBugReport(bt, desc, desc, errorNode) {}
clang::ento::PathSensitiveBugReport::PathSensitiveBugReport(clang::ento::BugType const&, llvm::StringRef, clang::ento::ExplodedNode const*)
Line
Count
Source
371
574
      : PathSensitiveBugReport(bt, desc, desc, errorNode) {}
clang::ento::PathSensitiveBugReport::PathSensitiveBugReport(clang::ento::BugType const&, llvm::StringRef, clang::ento::ExplodedNode const*)
Line
Count
Source
371
19.4k
      : PathSensitiveBugReport(bt, desc, desc, errorNode) {}
372
373
  PathSensitiveBugReport(const BugType &bt, StringRef shortDesc, StringRef desc,
374
                         const ExplodedNode *errorNode)
375
      : PathSensitiveBugReport(bt, shortDesc, desc, errorNode,
376
                               /*LocationToUnique*/ {},
377
20.0k
                               /*DeclToUnique*/ nullptr) {}
clang::ento::PathSensitiveBugReport::PathSensitiveBugReport(clang::ento::BugType const&, llvm::StringRef, llvm::StringRef, clang::ento::ExplodedNode const*)
Line
Count
Source
377
606
                               /*DeclToUnique*/ nullptr) {}
clang::ento::PathSensitiveBugReport::PathSensitiveBugReport(clang::ento::BugType const&, llvm::StringRef, llvm::StringRef, clang::ento::ExplodedNode const*)
Line
Count
Source
377
19.4k
                               /*DeclToUnique*/ nullptr) {}
378
379
  /// Create a PathSensitiveBugReport with a custom uniqueing location.
380
  ///
381
  /// The reports that have the same report location, description, bug type, and
382
  /// ranges are uniqued - only one of the equivalent reports will be presented
383
  /// to the user. This method allows to rest the location which should be used
384
  /// for uniquing reports. For example, memory leaks checker, could set this to
385
  /// the allocation site, rather then the location where the bug is reported.
386
  PathSensitiveBugReport(const BugType &bt, StringRef desc,
387
                         const ExplodedNode *errorNode,
388
                         PathDiagnosticLocation LocationToUnique,
389
                         const Decl *DeclToUnique)
390
      : PathSensitiveBugReport(bt, desc, desc, errorNode, LocationToUnique,
391
712
                               DeclToUnique) {}
Unexecuted instantiation: clang::ento::PathSensitiveBugReport::PathSensitiveBugReport(clang::ento::BugType const&, llvm::StringRef, clang::ento::ExplodedNode const*, clang::ento::PathDiagnosticLocation, clang::Decl const*)
clang::ento::PathSensitiveBugReport::PathSensitiveBugReport(clang::ento::BugType const&, llvm::StringRef, clang::ento::ExplodedNode const*, clang::ento::PathDiagnosticLocation, clang::Decl const*)
Line
Count
Source
391
712
                               DeclToUnique) {}
392
393
  PathSensitiveBugReport(const BugType &bt, StringRef shortDesc, StringRef desc,
394
                         const ExplodedNode *errorNode,
395
                         PathDiagnosticLocation LocationToUnique,
396
                         const Decl *DeclToUnique);
397
398
42.0k
  static bool classof(const BugReport *R) {
399
42.0k
    return R->getKind() == Kind::PathSensitive;
400
42.0k
  }
401
402
166k
  const ExplodedNode *getErrorNode() const { return ErrorNode; }
403
404
  /// Indicates whether or not any path pruning should take place
405
  /// when generating a PathDiagnostic from this BugReport.
406
2.16k
  bool shouldPrunePath() const { return !DoNotPrunePath; }
407
408
  /// Disable all path pruning when generating a PathDiagnostic.
409
6
  void disablePathPruning() { DoNotPrunePath = true; }
410
411
  /// Get the location on which the report should be uniqued.
412
66.0k
  PathDiagnosticLocation getUniqueingLocation() const override {
413
66.0k
    return UniqueingLocation;
414
66.0k
  }
415
416
  /// Get the declaration containing the uniqueing location.
417
37.7k
  const Decl *getUniqueingDecl() const override {
418
37.7k
    return UniqueingDecl;
419
37.7k
  }
420
421
  const Decl *getDeclWithIssue() const override;
422
423
  ArrayRef<SourceRange> getRanges() const override;
424
425
  PathDiagnosticLocation getLocation() const override;
426
427
  /// Marks a symbol as interesting. Different kinds of interestingness will
428
  /// be processed differently by visitors (e.g. if the tracking kind is
429
  /// condition, will append "will be used as a condition" to the message).
430
  void markInteresting(SymbolRef sym, bugreporter::TrackingKind TKind =
431
                                          bugreporter::TrackingKind::Thorough);
432
433
  void markNotInteresting(SymbolRef sym);
434
435
  /// Marks a region as interesting. Different kinds of interestingness will
436
  /// be processed differently by visitors (e.g. if the tracking kind is
437
  /// condition, will append "will be used as a condition" to the message).
438
  void markInteresting(
439
      const MemRegion *R,
440
      bugreporter::TrackingKind TKind = bugreporter::TrackingKind::Thorough);
441
442
  void markNotInteresting(const MemRegion *R);
443
444
  /// Marks a symbolic value as interesting. Different kinds of interestingness
445
  /// will be processed differently by visitors (e.g. if the tracking kind is
446
  /// condition, will append "will be used as a condition" to the message).
447
  void markInteresting(SVal V, bugreporter::TrackingKind TKind =
448
                                   bugreporter::TrackingKind::Thorough);
449
  void markInteresting(const LocationContext *LC);
450
451
  bool isInteresting(SymbolRef sym) const;
452
  bool isInteresting(const MemRegion *R) const;
453
  bool isInteresting(SVal V) const;
454
  bool isInteresting(const LocationContext *LC) const;
455
456
  Optional<bugreporter::TrackingKind>
457
  getInterestingnessKind(SymbolRef sym) const;
458
459
  Optional<bugreporter::TrackingKind>
460
  getInterestingnessKind(const MemRegion *R) const;
461
462
  Optional<bugreporter::TrackingKind> getInterestingnessKind(SVal V) const;
463
464
  /// Returns whether or not this report should be considered valid.
465
  ///
466
  /// Invalid reports are those that have been classified as likely false
467
  /// positives after the fact.
468
3.30M
  bool isValid() const {
469
3.30M
    return Invalidations.empty();
470
3.30M
  }
471
472
  /// Marks the current report as invalid, meaning that it is probably a false
473
  /// positive and should not be reported to the user.
474
  ///
475
  /// The \p Tag and \p Data arguments are intended to be opaque identifiers for
476
  /// this particular invalidation, where \p Tag represents the visitor
477
  /// responsible for invalidation, and \p Data represents the reason this
478
  /// visitor decided to invalidate the bug report.
479
  ///
480
  /// \sa removeInvalidation
481
215
  void markInvalid(const void *Tag, const void *Data) {
482
215
    Invalidations.insert(std::make_pair(Tag, Data));
483
215
  }
484
485
  /// Profile to identify equivalent bug reports for error report coalescing.
486
  /// Reports are uniqued to ensure that we do not emit multiple diagnostics
487
  /// for each bug.
488
  void Profile(llvm::FoldingSetNodeID &hash) const override;
489
490
  /// Add custom or predefined bug report visitors to this report.
491
  ///
492
  /// The visitors should be used when the default trace is not sufficient.
493
  /// For example, they allow constructing a more elaborate trace.
494
  /// @{
495
  void addVisitor(std::unique_ptr<BugReporterVisitor> visitor);
496
497
  template <class VisitorType, class... Args>
498
95.6k
  void addVisitor(Args &&... ConstructorArgs) {
499
95.6k
    addVisitor(
500
95.6k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
95.6k
  }
MallocChecker.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::MallocBugVisitor, clang::ento::SymExpr const*&>(clang::ento::SymExpr const*&)
Line
Count
Source
498
264
  void addVisitor(Args &&... ConstructorArgs) {
499
264
    addVisitor(
500
264
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
264
  }
MallocChecker.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::MallocBugVisitor, clang::ento::SymExpr const*&, bool>(clang::ento::SymExpr const*&, bool&&)
Line
Count
Source
498
273
  void addVisitor(Args &&... ConstructorArgs) {
499
273
    addVisitor(
500
273
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
273
  }
MallocChecker.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::NoOwnershipChangeVisitor, clang::ento::SymExpr const*&, (anonymous namespace)::MallocChecker const*>(clang::ento::SymExpr const*&, (anonymous namespace)::MallocChecker const*&&)
Line
Count
Source
498
262
  void addVisitor(Args &&... ConstructorArgs) {
499
262
    addVisitor(
500
262
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
262
  }
NullabilityChecker.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::NullabilityChecker::NullabilityBugVisitor, clang::ento::MemRegion const*&>(clang::ento::MemRegion const*&)
Line
Count
Source
498
80
  void addVisitor(Args &&... ConstructorArgs) {
499
80
    addVisitor(
500
80
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
80
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::retaincountchecker::RefCountReportVisitor, clang::ento::SymExpr const*&>(clang::ento::SymExpr const*&)
Line
Count
Source
498
168
  void addVisitor(Args &&... ConstructorArgs) {
499
168
    addVisitor(
500
168
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
168
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::retaincountchecker::RefLeakReportVisitor, clang::ento::SymExpr const*&, clang::ento::MemRegion const*&>(clang::ento::SymExpr const*&, clang::ento::MemRegion const*&)
Line
Count
Source
498
438
  void addVisitor(Args &&... ConstructorArgs) {
499
438
    addVisitor(
500
438
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
438
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::LikelyFalsePositiveSuppressionBRVisitor>()
Line
Count
Source
498
19.4k
  void addVisitor(Args &&... ConstructorArgs) {
499
19.4k
    addVisitor(
500
19.4k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
19.4k
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::NilReceiverBRVisitor>()
Line
Count
Source
498
19.4k
  void addVisitor(Args &&... ConstructorArgs) {
499
19.4k
    addVisitor(
500
19.4k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
19.4k
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::ConditionBRVisitor>()
Line
Count
Source
498
19.4k
  void addVisitor(Args &&... ConstructorArgs) {
499
19.4k
    addVisitor(
500
19.4k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
19.4k
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::TagVisitor>()
Line
Count
Source
498
19.4k
  void addVisitor(Args &&... ConstructorArgs) {
499
19.4k
    addVisitor(
500
19.4k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
19.4k
  }
Unexecuted instantiation: void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::FalsePositiveRefutationBRVisitor>()
BugReporterVisitors.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::TrackControlDependencyCondBRVisitor, clang::ento::bugreporter::Tracker*, clang::ento::ExplodedNode const*&>(clang::ento::bugreporter::Tracker*&&, clang::ento::ExplodedNode const*&)
Line
Count
Source
498
5.10k
  void addVisitor(Args &&... ConstructorArgs) {
499
5.10k
    addVisitor(
500
5.10k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
5.10k
  }
BugReporterVisitors.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::NoStoreFuncVisitor, clang::ento::SubRegion const*, clang::ento::bugreporter::TrackingKind&>(clang::ento::SubRegion const*&&, clang::ento::bugreporter::TrackingKind&)
Line
Count
Source
498
2.81k
  void addVisitor(Args &&... ConstructorArgs) {
499
2.81k
    addVisitor(
500
2.81k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
2.81k
  }
BugReporterVisitors.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::MacroNullReturnSuppressionVisitor, clang::ento::SubRegion const*, clang::ento::SVal const&>(clang::ento::SubRegion const*&&, clang::ento::SVal const&)
Line
Count
Source
498
1.24k
  void addVisitor(Args &&... ConstructorArgs) {
499
1.24k
    addVisitor(
500
1.24k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
1.24k
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::UndefOrNullArgVisitor, clang::ento::MemRegion const*&>(clang::ento::MemRegion const*&)
Line
Count
Source
498
2.81k
  void addVisitor(Args &&... ConstructorArgs) {
499
2.81k
    addVisitor(
500
2.81k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
2.81k
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::TrackConstraintBRVisitor, clang::ento::DefinedSVal, bool>(clang::ento::DefinedSVal&&, bool&&)
Line
Count
Source
498
336
  void addVisitor(Args &&... ConstructorArgs) {
499
336
    addVisitor(
500
336
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
336
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::SuppressInlineDefensiveChecksVisitor, clang::ento::DefinedSVal&, clang::ento::ExplodedNode const*&>(clang::ento::DefinedSVal&, clang::ento::ExplodedNode const*&)
Line
Count
Source
498
612
  void addVisitor(Args &&... ConstructorArgs) {
499
612
    addVisitor(
500
612
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
612
  }
BugReporterVisitors.cpp:void clang::ento::PathSensitiveBugReport::addVisitor<(anonymous namespace)::ReturnVisitor, clang::ento::bugreporter::Tracker*, clang::StackFrameContext const*&, bool&, clang::AnalyzerOptions&, clang::ento::bugreporter::TrackingKind&>(clang::ento::bugreporter::Tracker*&&, clang::StackFrameContext const*&, bool&, clang::AnalyzerOptions&, clang::ento::bugreporter::TrackingKind&)
Line
Count
Source
498
307
  void addVisitor(Args &&... ConstructorArgs) {
499
307
    addVisitor(
500
307
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
307
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::UndefOrNullArgVisitor, clang::ento::MemRegion const*>(clang::ento::MemRegion const*&&)
Line
Count
Source
498
234
  void addVisitor(Args &&... ConstructorArgs) {
499
234
    addVisitor(
500
234
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
234
  }
void clang::ento::PathSensitiveBugReport::addVisitor<clang::ento::TrackConstraintBRVisitor, clang::ento::loc::MemRegionVal, bool>(clang::ento::loc::MemRegionVal&&, bool&&)
Line
Count
Source
498
21
  void addVisitor(Args &&... ConstructorArgs) {
499
21
    addVisitor(
500
21
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
21
  }
void clang::ento::PathSensitiveBugReport::addVisitor<StoreSiteFinder, clang::ento::bugreporter::Tracker*, clang::ento::KnownSVal&, clang::ento::MemRegion const*&, clang::ento::bugreporter::TrackingOptions&, clang::StackFrameContext const*&>(clang::ento::bugreporter::Tracker*&&, clang::ento::KnownSVal&, clang::ento::MemRegion const*&, clang::ento::bugreporter::TrackingOptions&, clang::StackFrameContext const*&)
Line
Count
Source
498
3.02k
  void addVisitor(Args &&... ConstructorArgs) {
499
3.02k
    addVisitor(
500
3.02k
        std::make_unique<VisitorType>(std::forward<Args>(ConstructorArgs)...));
501
3.02k
  }
502
  /// @}
503
504
  /// Remove all visitors attached to this bug report.
505
  void clearVisitors();
506
507
  /// Iterators through the custom diagnostic visitors.
508
3.24M
  visitor_iterator visitor_begin() { return Callbacks.begin(); }
509
3.24M
  visitor_iterator visitor_end() { return Callbacks.end(); }
510
3.24M
  visitor_range visitors() { return {visitor_begin(), visitor_end()}; }
511
512
  /// Notes that the condition of the CFGBlock associated with \p Cond is
513
  /// being tracked.
514
  /// \returns false if the condition is already being tracked.
515
985
  bool addTrackedCondition(const ExplodedNode *Cond) {
516
985
    return TrackedConditions.insert(Cond).second;
517
985
  }
518
519
  void addCallStackHint(PathDiagnosticPieceRef Piece,
520
619
                        std::unique_ptr<StackHintGenerator> StackHint) {
521
619
    StackHints[Piece] = std::move(StackHint);
522
619
  }
523
524
3.53k
  bool hasCallStackHint(PathDiagnosticPieceRef Piece) const {
525
3.53k
    return StackHints.count(Piece) > 0;
526
3.53k
  }
527
528
  /// Produce the hint for the given node. The node contains
529
  /// information about the call for which the diagnostic can be generated.
530
  std::string
531
  getCallStackMessage(PathDiagnosticPieceRef Piece,
532
21
                      const ExplodedNode *N) const {
533
21
    auto I = StackHints.find(Piece);
534
21
    if (I != StackHints.end())
535
21
      return I->second->getMessage(N);
536
0
    return "";
537
21
  }
538
};
539
540
//===----------------------------------------------------------------------===//
541
// BugTypes (collections of related reports).
542
//===----------------------------------------------------------------------===//
543
544
class BugReportEquivClass : public llvm::FoldingSetNode {
545
  friend class BugReporter;
546
547
  /// List of *owned* BugReport objects.
548
  llvm::SmallVector<std::unique_ptr<BugReport>, 4> Reports;
549
550
22.0k
  void AddReport(std::unique_ptr<BugReport> &&R) {
551
22.0k
    Reports.push_back(std::move(R));
552
22.0k
  }
553
554
public:
555
20.7k
  BugReportEquivClass(std::unique_ptr<BugReport> R) { AddReport(std::move(R)); }
556
557
78.3k
  ArrayRef<std::unique_ptr<BugReport>> getReports() const { return Reports; }
558
559
7.63k
  void Profile(llvm::FoldingSetNodeID& ID) const {
560
7.63k
    assert(!Reports.empty());
561
0
    Reports.front()->Profile(ID);
562
7.63k
  }
563
};
564
565
//===----------------------------------------------------------------------===//
566
// BugReporter and friends.
567
//===----------------------------------------------------------------------===//
568
569
class BugReporterData {
570
public:
571
1.74k
  virtual ~BugReporterData() = default;
572
573
  virtual ArrayRef<PathDiagnosticConsumer*> getPathDiagnosticConsumers() = 0;
574
  virtual ASTContext &getASTContext() = 0;
575
  virtual SourceManager &getSourceManager() = 0;
576
  virtual AnalyzerOptions &getAnalyzerOptions() = 0;
577
  virtual Preprocessor &getPreprocessor() = 0;
578
};
579
580
/// BugReporter is a utility class for generating PathDiagnostics for analysis.
581
/// It collects the BugReports and BugTypes and knows how to generate
582
/// and flush the corresponding diagnostics.
583
///
584
/// The base class is used for generating path-insensitive
585
class BugReporter {
586
private:
587
  BugReporterData& D;
588
589
  /// Generate and flush the diagnostics for the given bug report.
590
  void FlushReport(BugReportEquivClass& EQ);
591
592
  /// The set of bug reports tracked by the BugReporter.
593
  llvm::FoldingSet<BugReportEquivClass> EQClasses;
594
595
  /// A vector of BugReports for tracking the allocated pointers and cleanup.
596
  std::vector<BugReportEquivClass *> EQClassesVector;
597
598
public:
599
  BugReporter(BugReporterData &d);
600
  virtual ~BugReporter();
601
602
  /// Generate and flush diagnostics for all bug reports.
603
  void FlushReports();
604
605
20.6k
  ArrayRef<PathDiagnosticConsumer*> getPathDiagnosticConsumers() {
606
20.6k
    return D.getPathDiagnosticConsumers();
607
20.6k
  }
608
609
  /// Iterator over the set of BugReports tracked by the BugReporter.
610
  using EQClasses_iterator = llvm::FoldingSet<BugReportEquivClass>::iterator;
611
217
  EQClasses_iterator EQClasses_begin() { return EQClasses.begin(); }
612
217
  EQClasses_iterator EQClasses_end() { return EQClasses.end(); }
613
614
12.6k
  ASTContext &getContext() { return D.getASTContext(); }
615
616
364k
  const SourceManager &getSourceManager() { return D.getSourceManager(); }
617
618
121k
  const AnalyzerOptions &getAnalyzerOptions() { return D.getAnalyzerOptions(); }
619
620
62
  Preprocessor &getPreprocessor() { return D.getPreprocessor(); }
621
622
  /// Add the given report to the set of reports tracked by BugReporter.
623
  ///
624
  /// The reports are usually generated by the checkers. Further, they are
625
  /// folded based on the profile value, which is done to coalesce similar
626
  /// reports.
627
  virtual void emitReport(std::unique_ptr<BugReport> R);
628
629
  void EmitBasicReport(const Decl *DeclWithIssue, const CheckerBase *Checker,
630
                       StringRef BugName, StringRef BugCategory,
631
                       StringRef BugStr, PathDiagnosticLocation Loc,
632
                       ArrayRef<SourceRange> Ranges = None,
633
                       ArrayRef<FixItHint> Fixits = None);
634
635
  void EmitBasicReport(const Decl *DeclWithIssue, CheckerNameRef CheckerName,
636
                       StringRef BugName, StringRef BugCategory,
637
                       StringRef BugStr, PathDiagnosticLocation Loc,
638
                       ArrayRef<SourceRange> Ranges = None,
639
                       ArrayRef<FixItHint> Fixits = None);
640
641
private:
642
  llvm::StringMap<std::unique_ptr<BugType>> StrBugTypes;
643
644
  /// Returns a BugType that is associated with the given name and
645
  /// category.
646
  BugType *getBugTypeForName(CheckerNameRef CheckerName, StringRef name,
647
                             StringRef category);
648
649
  virtual BugReport *
650
  findReportInEquivalenceClass(BugReportEquivClass &eqClass,
651
1.24k
                               SmallVectorImpl<BugReport *> &bugReports) {
652
1.24k
    return eqClass.getReports()[0].get();
653
1.24k
  }
654
655
protected:
656
  /// Generate the diagnostics for the given bug report.
657
  virtual std::unique_ptr<DiagnosticForConsumerMapTy>
658
  generateDiagnosticForConsumerMap(BugReport *exampleReport,
659
                                   ArrayRef<PathDiagnosticConsumer *> consumers,
660
                                   ArrayRef<BugReport *> bugReports);
661
};
662
663
/// GRBugReporter is used for generating path-sensitive reports.
664
class PathSensitiveBugReporter final : public BugReporter {
665
  ExprEngine& Eng;
666
667
  BugReport *findReportInEquivalenceClass(
668
      BugReportEquivClass &eqClass,
669
      SmallVectorImpl<BugReport *> &bugReports) override;
670
671
  /// Generate the diagnostics for the given bug report.
672
  std::unique_ptr<DiagnosticForConsumerMapTy>
673
  generateDiagnosticForConsumerMap(BugReport *exampleReport,
674
                                   ArrayRef<PathDiagnosticConsumer *> consumers,
675
                                   ArrayRef<BugReport *> bugReports) override;
676
public:
677
  PathSensitiveBugReporter(BugReporterData& d, ExprEngine& eng)
678
15.6k
      : BugReporter(d), Eng(eng) {}
679
680
  /// getGraph - Get the exploded graph created by the analysis engine
681
  ///  for the analyzed method or function.
682
  const ExplodedGraph &getGraph() const;
683
684
  /// getStateManager - Return the state manager used by the analysis
685
  ///  engine.
686
  ProgramStateManager &getStateManager() const;
687
688
  /// \p bugReports A set of bug reports within a *single* equivalence class
689
  ///
690
  /// \return A mapping from consumers to the corresponding diagnostics.
691
  /// Iterates through the bug reports within a single equivalence class,
692
  /// stops at a first non-invalidated report.
693
  std::unique_ptr<DiagnosticForConsumerMapTy> generatePathDiagnostics(
694
      ArrayRef<PathDiagnosticConsumer *> consumers,
695
      ArrayRef<PathSensitiveBugReport *> &bugReports);
696
697
  void emitReport(std::unique_ptr<BugReport> R) override;
698
};
699
700
701
class BugReporterContext {
702
  PathSensitiveBugReporter &BR;
703
704
  virtual void anchor();
705
706
public:
707
19.4k
  BugReporterContext(PathSensitiveBugReporter &br) : BR(br) {}
708
709
77.0k
  virtual ~BugReporterContext() = default;
710
711
0
  PathSensitiveBugReporter& getBugReporter() { return BR; }
712
713
40.6k
  ProgramStateManager& getStateManager() const {
714
40.6k
    return BR.getStateManager();
715
40.6k
  }
716
717
9.86k
  ASTContext &getASTContext() const {
718
9.86k
    return BR.getContext();
719
9.86k
  }
720
721
360k
  const SourceManager& getSourceManager() const {
722
360k
    return BR.getSourceManager();
723
360k
  }
724
725
40.7k
  const AnalyzerOptions &getAnalyzerOptions() const {
726
40.7k
    return BR.getAnalyzerOptions();
727
40.7k
  }
728
};
729
730
/// The tag that carries some information with it.
731
///
732
/// It can be valuable to produce tags with some bits of information and later
733
/// reuse them for a better diagnostic.
734
///
735
/// Please make sure that derived class' constuctor is private and that the user
736
/// can only create objects using DataTag::Factory.  This also means that
737
/// DataTag::Factory should be friend for every derived class.
738
class DataTag : public ProgramPointTag {
739
public:
740
0
  StringRef getTagDescription() const override { return "Data Tag"; }
741
742
  // Manage memory for DataTag objects.
743
  class Factory {
744
    std::vector<std::unique_ptr<DataTag>> Tags;
745
746
  public:
747
    template <class DataTagType, class... Args>
748
2.94k
    const DataTagType *make(Args &&... ConstructorArgs) {
749
      // We cannot use std::make_unique because we cannot access the private
750
      // constructor from inside it.
751
2.94k
      Tags.emplace_back(
752
2.94k
          new DataTagType(std::forward<Args>(ConstructorArgs)...));
753
2.94k
      return static_cast<DataTagType *>(Tags.back().get());
754
2.94k
    }
clang::ento::NoteTag const* clang::ento::DataTag::Factory::make<clang::ento::NoteTag, std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > (clang::ento::BugReporterContext&, clang::ento::PathSensitiveBugReport&)>, bool&>(std::__1::function<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > (clang::ento::BugReporterContext&, clang::ento::PathSensitiveBugReport&)>&&, bool&)
Line
Count
Source
748
2.87k
    const DataTagType *make(Args &&... ConstructorArgs) {
749
      // We cannot use std::make_unique because we cannot access the private
750
      // constructor from inside it.
751
2.87k
      Tags.emplace_back(
752
2.87k
          new DataTagType(std::forward<Args>(ConstructorArgs)...));
753
2.87k
      return static_cast<DataTagType *>(Tags.back().get());
754
2.87k
    }
CoreEngine.cpp:clang::ento::NoteTag const* clang::ento::DataTag::Factory::make<clang::ento::NoteTag, clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*)::$_1, bool>(clang::ento::CoreEngine::HandleBlockEdge(clang::BlockEdge const&, clang::ento::ExplodedNode*)::$_1&&, bool&&)
Line
Count
Source
748
71
    const DataTagType *make(Args &&... ConstructorArgs) {
749
      // We cannot use std::make_unique because we cannot access the private
750
      // constructor from inside it.
751
71
      Tags.emplace_back(
752
71
          new DataTagType(std::forward<Args>(ConstructorArgs)...));
753
71
      return static_cast<DataTagType *>(Tags.back().get());
754
71
    }
755
  };
756
757
protected:
758
2.94k
  DataTag(void *TagKind) : ProgramPointTag(TagKind) {}
759
};
760
761
/// The tag upon which the TagVisitor reacts. Add these in order to display
762
/// additional PathDiagnosticEventPieces along the path.
763
class NoteTag : public DataTag {
764
public:
765
  using Callback = std::function<std::string(BugReporterContext &,
766
                                             PathSensitiveBugReport &)>;
767
768
private:
769
  static int Kind;
770
771
  const Callback Cb;
772
  const bool IsPrunable;
773
774
  NoteTag(Callback &&Cb, bool IsPrunable)
775
2.94k
      : DataTag(&Kind), Cb(std::move(Cb)), IsPrunable(IsPrunable) {}
776
777
public:
778
849k
  static bool classof(const ProgramPointTag *T) {
779
849k
    return T->getTagKind() == &Kind;
780
849k
  }
781
782
  Optional<std::string> generateMessage(BugReporterContext &BRC,
783
5.60k
                                        PathSensitiveBugReport &R) const {
784
5.60k
    std::string Msg = Cb(BRC, R);
785
5.60k
    if (Msg.empty())
786
4.72k
      return None;
787
788
885
    return std::move(Msg);
789
5.60k
  }
790
791
0
  StringRef getTagDescription() const override {
792
    // TODO: Remember a few examples of generated messages
793
    // and display them in the ExplodedGraph dump by
794
    // returning them from this function.
795
0
    return "Note Tag";
796
0
  }
797
798
885
  bool isPrunable() const { return IsPrunable; }
799
800
  friend class Factory;
801
  friend class TagVisitor;
802
};
803
804
} // namespace ento
805
806
} // namespace clang
807
808
#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTER_H