1 | //===- BugReporterVisitors.h - Generate PathDiagnostics ---------*- C++ -*-===// |
2 | // |
3 | // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. |
4 | // See https://llvm.org/LICENSE.txt for license information. |
5 | // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception |
6 | // |
7 | //===----------------------------------------------------------------------===// |
8 | // |
9 | // This file declares BugReporterVisitors, which are used to generate enhanced |
10 | // diagnostic traces. |
11 | // |
12 | //===----------------------------------------------------------------------===// |
13 | |
14 | #ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H |
15 | #define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H |
16 | |
17 | #include "clang/Analysis/ProgramPoint.h" |
18 | #include "clang/Basic/LLVM.h" |
19 | #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h" |
20 | #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" |
21 | #include "llvm/ADT/FoldingSet.h" |
22 | #include "llvm/ADT/IntrusiveRefCntPtr.h" |
23 | #include "llvm/ADT/STLExtras.h" |
24 | #include "llvm/ADT/SmallPtrSet.h" |
25 | #include "llvm/ADT/StringRef.h" |
26 | #include <list> |
27 | #include <memory> |
28 | #include <optional> |
29 | #include <utility> |
30 | |
31 | namespace clang { |
32 | |
33 | class BinaryOperator; |
34 | class CFGBlock; |
35 | class DeclRefExpr; |
36 | class Expr; |
37 | class Stmt; |
38 | |
39 | namespace ento { |
40 | |
41 | class PathSensitiveBugReport; |
42 | class BugReporterContext; |
43 | class ExplodedNode; |
44 | class MemRegion; |
45 | class PathDiagnosticPiece; |
46 | using PathDiagnosticPieceRef = std::shared_ptr<PathDiagnosticPiece>; |
47 | |
48 | /// BugReporterVisitors are used to add custom diagnostics along a path. |
49 | class BugReporterVisitor : public llvm::FoldingSetNode { |
50 | public: |
51 | BugReporterVisitor() = default; |
52 | BugReporterVisitor(const BugReporterVisitor &) = default; |
53 | BugReporterVisitor(BugReporterVisitor &&) {} |
54 | |
55 | // The copy and move assignment operator is defined as deleted pending further |
56 | // motivation. |
57 | BugReporterVisitor &operator=(const BugReporterVisitor &) = delete; |
58 | BugReporterVisitor &operator=(BugReporterVisitor &&) = delete; |
59 | |
60 | virtual ~BugReporterVisitor(); |
61 | |
62 | /// Return a diagnostic piece which should be associated with the |
63 | /// given node. |
64 | /// Note that this function does *not* get run on the very last node |
65 | /// of the report, as the PathDiagnosticPiece associated with the |
66 | /// last node should be unique. |
67 | /// Use \ref getEndPath to customize the note associated with the report |
68 | /// end instead. |
69 | /// |
70 | /// The last parameter can be used to register a new visitor with the given |
71 | /// BugReport while processing a node. |
72 | virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, |
73 | BugReporterContext &BRC, |
74 | PathSensitiveBugReport &BR) = 0; |
75 | |
76 | /// Last function called on the visitor, no further calls to VisitNode |
77 | /// would follow. |
78 | virtual void finalizeVisitor(BugReporterContext &BRC, |
79 | const ExplodedNode *EndPathNode, |
80 | PathSensitiveBugReport &BR); |
81 | |
82 | /// Provide custom definition for the final diagnostic piece on the |
83 | /// path - the piece, which is displayed before the path is expanded. |
84 | /// |
85 | /// NOTE that this function can be implemented on at most one used visitor, |
86 | /// and otherwise it crahes at runtime. |
87 | virtual PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, |
88 | const ExplodedNode *N, |
89 | PathSensitiveBugReport &BR); |
90 | |
91 | virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0; |
92 | |
93 | /// Generates the default final diagnostic piece. |
94 | static PathDiagnosticPieceRef |
95 | getDefaultEndPath(const BugReporterContext &BRC, const ExplodedNode *N, |
96 | const PathSensitiveBugReport &BR); |
97 | }; |
98 | |
99 | namespace bugreporter { |
100 | |
101 | /// Specifies the type of tracking for an expression. |
102 | enum class TrackingKind { |
103 | /// Default tracking kind -- specifies that as much information should be |
104 | /// gathered about the tracked expression value as possible. |
105 | Thorough, |
106 | /// Specifies that a more moderate tracking should be used for the expression |
107 | /// value. This will essentially make sure that functions relevant to it |
108 | /// aren't pruned, but otherwise relies on the user reading the code or |
109 | /// following the arrows. |
110 | Condition |
111 | }; |
112 | |
113 | /// Defines a set of options altering tracking behavior. |
114 | struct TrackingOptions { |
115 | /// Specifies the kind of tracking. |
116 | TrackingKind Kind = TrackingKind::Thorough; |
117 | /// Specifies whether we should employ false positive suppression |
118 | /// (inlined defensive checks, returned null). |
119 | bool EnableNullFPSuppression = true; |
120 | }; |
121 | |
122 | /// Describes an event when the value got stored into a memory region. |
123 | /// |
124 | /// As opposed to checker checkBind API, it reacts also to binds |
125 | /// generated by the checker as well. It can be useful when the binding |
126 | /// happened as a result of evalCall, for example. |
127 | struct StoreInfo { |
128 | enum Kind { |
129 | /// The value got stored into the region during initialization: |
130 | /// int x = 42; |
131 | Initialization, |
132 | /// The value got stored into the region during assignment: |
133 | /// int x; |
134 | /// x = 42; |
135 | Assignment, |
136 | /// The value got stored into the parameter region as the result |
137 | /// of a call. |
138 | CallArgument, |
139 | /// The value got stored into the region as block capture. |
140 | /// Block data is modeled as a separate region, thus whenever |
141 | /// the analyzer sees a captured variable, its value is copied |
142 | /// into a special block region. |
143 | BlockCapture |
144 | }; |
145 | |
146 | /// The type of store operation. |
147 | Kind StoreKind; |
148 | /// The node where the store happened. |
149 | const ExplodedNode *StoreSite; |
150 | /// The expression where the value comes from. |
151 | /// NOTE: might be null. |
152 | const Expr *SourceOfTheValue; |
153 | /// Symbolic value that is being stored. |
154 | SVal Value; |
155 | /// Memory regions involved in the store operation. |
156 | /// Dest <- Origin |
157 | /// NOTE: Origin might be null, when the stored value doesn't come |
158 | /// from another region. |
159 | const MemRegion *Dest, *Origin; |
160 | }; |
161 | |
162 | class Tracker; |
163 | using TrackerRef = llvm::IntrusiveRefCntPtr<Tracker>; |
164 | |
165 | class ExpressionHandler; |
166 | class StoreHandler; |
167 | |
168 | /// A generalized component for tracking expressions, values, and stores. |
169 | /// |
170 | /// Tracker aimes at providing a sensible set of default behaviors that can be |
171 | /// used by any checker, while providing mechanisms to hook into any part of the |
172 | /// tracking process and insert checker-specific logic. |
173 | class Tracker : public llvm::RefCountedBase<Tracker> { |
174 | private: |
175 | using ExpressionHandlerPtr = std::unique_ptr<ExpressionHandler>; |
176 | using StoreHandlerPtr = std::unique_ptr<StoreHandler>; |
177 | |
178 | PathSensitiveBugReport &Report; |
179 | std::list<ExpressionHandlerPtr> ExpressionHandlers; |
180 | std::list<StoreHandlerPtr> StoreHandlers; |
181 | |
182 | protected: |
183 | /// \param Report The bug report to which visitors should be attached. |
184 | Tracker(PathSensitiveBugReport &Report); |
185 | |
186 | public: |
187 | virtual ~Tracker() = default; |
188 | |
189 | static TrackerRef create(PathSensitiveBugReport &Report) { |
190 | return new Tracker(Report); |
191 | } |
192 | |
193 | PathSensitiveBugReport &getReport() { return Report; } |
194 | |
195 | /// Describes a tracking result with the most basic information of what was |
196 | /// actually done (or not done). |
197 | struct Result { |
198 | /// Usually it means that the tracker added visitors. |
199 | bool FoundSomethingToTrack = false; |
200 | /// Signifies that the tracking was interrupted at some point. |
201 | /// Usually this information is important only for sub-trackers. |
202 | bool WasInterrupted = false; |
203 | |
204 | /// Combines the current result with the given result. |
205 | void combineWith(const Result &Other) { |
206 | // If we found something in one of the cases, we can |
207 | // say we found something overall. |
208 | FoundSomethingToTrack |= Other.FoundSomethingToTrack; |
209 | // The same goes to the interruption. |
210 | WasInterrupted |= Other.WasInterrupted; |
211 | } |
212 | }; |
213 | |
214 | /// Track expression value back to its point of origin. |
215 | /// |
216 | /// \param E The expression value which we are tracking |
217 | /// \param N A node "downstream" from the evaluation of the statement. |
218 | /// \param Opts Tracking options specifying how we want to track the value. |
219 | virtual Result track(const Expr *E, const ExplodedNode *N, |
220 | TrackingOptions Opts = {}); |
221 | |
222 | /// Track how the value got stored into the given region and where it came |
223 | /// from. |
224 | /// |
225 | /// \param V We're searching for the store where \c R received this value. |
226 | /// \param R The region we're tracking. |
227 | /// \param Opts Tracking options specifying how we want to track the value. |
228 | /// \param Origin Only adds notes when the last store happened in a |
229 | /// different stackframe to this one. Disregarded if the tracking kind |
230 | /// is thorough. |
231 | /// This is useful, because for non-tracked regions, notes about |
232 | /// changes to its value in a nested stackframe could be pruned, and |
233 | /// this visitor can prevent that without polluting the bugpath too |
234 | /// much. |
235 | virtual Result track(SVal V, const MemRegion *R, TrackingOptions Opts = {}, |
236 | const StackFrameContext *Origin = nullptr); |
237 | |
238 | /// Handle the store operation and produce the note. |
239 | /// |
240 | /// \param SI The information fully describing the store. |
241 | /// \param Opts Tracking options specifying how we got to it. |
242 | /// |
243 | /// NOTE: this method is designed for sub-trackers and visitors. |
244 | virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC, |
245 | TrackingOptions Opts); |
246 | |
247 | /// Add custom expression handler with the highest priority. |
248 | /// |
249 | /// It means that it will be asked for handling first, and can prevent |
250 | /// other handlers from running if decides to interrupt. |
251 | void addHighPriorityHandler(ExpressionHandlerPtr SH) { |
252 | ExpressionHandlers.push_front(x: std::move(SH)); |
253 | } |
254 | |
255 | /// Add custom expression handler with the lowest priority. |
256 | /// |
257 | /// It means that it will be asked for handling last, and other handlers can |
258 | /// prevent it from running if any of them decides to interrupt. |
259 | void addLowPriorityHandler(ExpressionHandlerPtr SH) { |
260 | ExpressionHandlers.push_back(x: std::move(SH)); |
261 | } |
262 | |
263 | /// Add custom store handler with the highest priority. |
264 | /// |
265 | /// It means that it will be asked for handling first, and will prevent |
266 | /// other handlers from running if it produces non-null note. |
267 | void addHighPriorityHandler(StoreHandlerPtr SH) { |
268 | StoreHandlers.push_front(x: std::move(SH)); |
269 | } |
270 | |
271 | /// Add custom store handler with the lowest priority. |
272 | /// |
273 | /// It means that it will be asked for handling last, only |
274 | /// if all other handlers failed to produce the note. |
275 | void addLowPriorityHandler(StoreHandlerPtr SH) { |
276 | StoreHandlers.push_back(x: std::move(SH)); |
277 | } |
278 | |
279 | /// Add custom expression/store handler with the highest priority |
280 | /// |
281 | /// See other overloads for explanation. |
282 | template <class HandlerType, class... Args> |
283 | void addHighPriorityHandler(Args &&... ConstructorArgs) { |
284 | addHighPriorityHandler(std::make_unique<HandlerType>( |
285 | *this, std::forward<Args>(ConstructorArgs)...)); |
286 | } |
287 | |
288 | /// Add custom expression/store handler with the lowest priority |
289 | /// |
290 | /// See other overloads for explanation. |
291 | template <class HandlerType, class... Args> |
292 | void addLowPriorityHandler(Args &&... ConstructorArgs) { |
293 | addLowPriorityHandler(std::make_unique<HandlerType>( |
294 | *this, std::forward<Args>(ConstructorArgs)...)); |
295 | } |
296 | }; |
297 | |
298 | /// Handles expressions during the tracking. |
299 | class ExpressionHandler { |
300 | private: |
301 | Tracker &ParentTracker; |
302 | |
303 | public: |
304 | ExpressionHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {} |
305 | virtual ~ExpressionHandler() {} |
306 | |
307 | /// Handle the given expression from the given node. |
308 | /// |
309 | /// \param E The expression value which we are tracking |
310 | /// \param Original A node "downstream" where the tracking started. |
311 | /// \param ExprNode A node where the evaluation of \c E actually happens. |
312 | /// \param Opts Tracking options specifying how we are tracking the value. |
313 | virtual Tracker::Result handle(const Expr *E, const ExplodedNode *Original, |
314 | const ExplodedNode *ExprNode, |
315 | TrackingOptions Opts) = 0; |
316 | |
317 | /// \Return the tracker that initiated the process. |
318 | Tracker &getParentTracker() { return ParentTracker; } |
319 | }; |
320 | |
321 | /// Handles stores during the tracking. |
322 | class StoreHandler { |
323 | private: |
324 | Tracker &ParentTracker; |
325 | |
326 | public: |
327 | StoreHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {} |
328 | virtual ~StoreHandler() {} |
329 | |
330 | /// Handle the given store and produce the node. |
331 | /// |
332 | /// \param SI The information fully describing the store. |
333 | /// \param Opts Tracking options specifying how we are tracking the value. |
334 | /// |
335 | /// \return the produced note, null if the handler doesn't support this kind |
336 | /// of stores. |
337 | virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC, |
338 | TrackingOptions Opts) = 0; |
339 | |
340 | Tracker &getParentTracker() { return ParentTracker; } |
341 | |
342 | protected: |
343 | PathDiagnosticPieceRef constructNote(StoreInfo SI, BugReporterContext &BRC, |
344 | StringRef NodeText); |
345 | }; |
346 | |
347 | /// Visitor that tracks expressions and values. |
348 | class TrackingBugReporterVisitor : public BugReporterVisitor { |
349 | private: |
350 | TrackerRef ParentTracker; |
351 | |
352 | public: |
353 | TrackingBugReporterVisitor(TrackerRef ParentTracker) |
354 | : ParentTracker(ParentTracker) {} |
355 | |
356 | Tracker &getParentTracker() { return *ParentTracker; } |
357 | }; |
358 | |
359 | /// Attempts to add visitors to track expression value back to its point of |
360 | /// origin. |
361 | /// |
362 | /// \param N A node "downstream" from the evaluation of the statement. |
363 | /// \param E The expression value which we are tracking |
364 | /// \param R The bug report to which visitors should be attached. |
365 | /// \param Opts Tracking options specifying how we are tracking the value. |
366 | /// |
367 | /// \return Whether or not the function was able to add visitors for this |
368 | /// statement. Note that returning \c true does not actually imply |
369 | /// that any visitors were added. |
370 | bool trackExpressionValue(const ExplodedNode *N, const Expr *E, |
371 | PathSensitiveBugReport &R, TrackingOptions Opts = {}); |
372 | |
373 | /// Track how the value got stored into the given region and where it came |
374 | /// from. |
375 | /// |
376 | /// \param V We're searching for the store where \c R received this value. |
377 | /// \param R The region we're tracking. |
378 | /// \param Opts Tracking options specifying how we want to track the value. |
379 | /// \param Origin Only adds notes when the last store happened in a |
380 | /// different stackframe to this one. Disregarded if the tracking kind |
381 | /// is thorough. |
382 | /// This is useful, because for non-tracked regions, notes about |
383 | /// changes to its value in a nested stackframe could be pruned, and |
384 | /// this visitor can prevent that without polluting the bugpath too |
385 | /// much. |
386 | void trackStoredValue(KnownSVal V, const MemRegion *R, |
387 | PathSensitiveBugReport &Report, TrackingOptions Opts = {}, |
388 | const StackFrameContext *Origin = nullptr); |
389 | |
390 | const Expr *getDerefExpr(const Stmt *S); |
391 | |
392 | } // namespace bugreporter |
393 | |
394 | class TrackConstraintBRVisitor final : public BugReporterVisitor { |
395 | const SmallString<64> Message; |
396 | const DefinedSVal Constraint; |
397 | const bool Assumption; |
398 | bool IsSatisfied = false; |
399 | |
400 | /// We should start tracking from the last node along the path in which the |
401 | /// value is constrained. |
402 | bool IsTrackingTurnedOn = false; |
403 | |
404 | public: |
405 | TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption, |
406 | StringRef Message) |
407 | : Message(Message), Constraint(constraint), Assumption(assumption) {} |
408 | |
409 | void Profile(llvm::FoldingSetNodeID &ID) const override; |
410 | |
411 | /// Return the tag associated with this visitor. This tag will be used |
412 | /// to make all PathDiagnosticPieces created by this visitor. |
413 | static const char *getTag(); |
414 | |
415 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
416 | BugReporterContext &BRC, |
417 | PathSensitiveBugReport &BR) override; |
418 | |
419 | private: |
420 | /// Checks if the constraint refers to a null-location. |
421 | bool isZeroCheck() const; |
422 | |
423 | /// Checks if the constraint is valid in the current state. |
424 | bool isUnderconstrained(const ExplodedNode *N) const; |
425 | }; |
426 | |
427 | /// \class NilReceiverBRVisitor |
428 | /// Prints path notes when a message is sent to a nil receiver. |
429 | class NilReceiverBRVisitor final : public BugReporterVisitor { |
430 | public: |
431 | void Profile(llvm::FoldingSetNodeID &ID) const override { |
432 | static int x = 0; |
433 | ID.AddPointer(Ptr: &x); |
434 | } |
435 | |
436 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
437 | BugReporterContext &BRC, |
438 | PathSensitiveBugReport &BR) override; |
439 | |
440 | /// If the statement is a message send expression with nil receiver, returns |
441 | /// the receiver expression. Returns NULL otherwise. |
442 | static const Expr *getNilReceiver(const Stmt *S, const ExplodedNode *N); |
443 | }; |
444 | |
445 | /// Visitor that tries to report interesting diagnostics from conditions. |
446 | class ConditionBRVisitor final : public BugReporterVisitor { |
447 | // FIXME: constexpr initialization isn't supported by MSVC2013. |
448 | constexpr static llvm::StringLiteral GenericTrueMessage = |
449 | "Assuming the condition is true" ; |
450 | constexpr static llvm::StringLiteral GenericFalseMessage = |
451 | "Assuming the condition is false" ; |
452 | |
453 | public: |
454 | void Profile(llvm::FoldingSetNodeID &ID) const override { |
455 | static int x = 0; |
456 | ID.AddPointer(Ptr: &x); |
457 | } |
458 | |
459 | /// Return the tag associated with this visitor. This tag will be used |
460 | /// to make all PathDiagnosticPieces created by this visitor. |
461 | static const char *getTag(); |
462 | |
463 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
464 | BugReporterContext &BRC, |
465 | PathSensitiveBugReport &BR) override; |
466 | |
467 | PathDiagnosticPieceRef VisitNodeImpl(const ExplodedNode *N, |
468 | BugReporterContext &BRC, |
469 | PathSensitiveBugReport &BR); |
470 | |
471 | PathDiagnosticPieceRef |
472 | VisitTerminator(const Stmt *Term, const ExplodedNode *N, |
473 | const CFGBlock *SrcBlk, const CFGBlock *DstBlk, |
474 | PathSensitiveBugReport &R, BugReporterContext &BRC); |
475 | |
476 | PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, |
477 | BugReporterContext &BRC, |
478 | PathSensitiveBugReport &R, |
479 | const ExplodedNode *N, bool TookTrue); |
480 | |
481 | PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR, |
482 | BugReporterContext &BRC, |
483 | PathSensitiveBugReport &R, |
484 | const ExplodedNode *N, bool TookTrue, |
485 | bool IsAssuming); |
486 | |
487 | PathDiagnosticPieceRef |
488 | VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr, |
489 | BugReporterContext &BRC, PathSensitiveBugReport &R, |
490 | const ExplodedNode *N, bool TookTrue, bool IsAssuming); |
491 | |
492 | PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const MemberExpr *ME, |
493 | BugReporterContext &BRC, |
494 | PathSensitiveBugReport &R, |
495 | const ExplodedNode *N, bool TookTrue, |
496 | bool IsAssuming); |
497 | |
498 | PathDiagnosticPieceRef |
499 | VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr, |
500 | BugReporterContext &BRC, PathSensitiveBugReport &R, |
501 | const ExplodedNode *N, bool TookTrue); |
502 | |
503 | /// Tries to print the value of the given expression. |
504 | /// |
505 | /// \param CondVarExpr The expression to print its value. |
506 | /// \param Out The stream to print. |
507 | /// \param N The node where we encountered the condition. |
508 | /// \param TookTrue Whether we took the \c true branch of the condition. |
509 | /// |
510 | /// \return Whether the print was successful. (The printing is successful if |
511 | /// we model the value and we could obtain it.) |
512 | bool printValue(const Expr *CondVarExpr, raw_ostream &Out, |
513 | const ExplodedNode *N, bool TookTrue, bool IsAssuming); |
514 | |
515 | bool patternMatch(const Expr *Ex, const Expr *ParentEx, raw_ostream &Out, |
516 | BugReporterContext &BRC, PathSensitiveBugReport &R, |
517 | const ExplodedNode *N, std::optional<bool> &prunable, |
518 | bool IsSameFieldName); |
519 | |
520 | static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece); |
521 | }; |
522 | |
523 | /// Suppress reports that might lead to known false positives. |
524 | /// |
525 | /// Currently this suppresses reports based on locations of bugs. |
526 | class LikelyFalsePositiveSuppressionBRVisitor final |
527 | : public BugReporterVisitor { |
528 | public: |
529 | static void *getTag() { |
530 | static int Tag = 0; |
531 | return static_cast<void *>(&Tag); |
532 | } |
533 | |
534 | void Profile(llvm::FoldingSetNodeID &ID) const override { |
535 | ID.AddPointer(Ptr: getTag()); |
536 | } |
537 | |
538 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *, BugReporterContext &, |
539 | PathSensitiveBugReport &) override { |
540 | return nullptr; |
541 | } |
542 | |
543 | void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N, |
544 | PathSensitiveBugReport &BR) override; |
545 | }; |
546 | |
547 | /// When a region containing undefined value or '0' value is passed |
548 | /// as an argument in a call, marks the call as interesting. |
549 | /// |
550 | /// As a result, BugReporter will not prune the path through the function even |
551 | /// if the region's contents are not modified/accessed by the call. |
552 | class UndefOrNullArgVisitor final : public BugReporterVisitor { |
553 | /// The interesting memory region this visitor is tracking. |
554 | const MemRegion *R; |
555 | |
556 | public: |
557 | UndefOrNullArgVisitor(const MemRegion *InR) : R(InR) {} |
558 | |
559 | void Profile(llvm::FoldingSetNodeID &ID) const override { |
560 | static int Tag = 0; |
561 | ID.AddPointer(Ptr: &Tag); |
562 | ID.AddPointer(Ptr: R); |
563 | } |
564 | |
565 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
566 | BugReporterContext &BRC, |
567 | PathSensitiveBugReport &BR) override; |
568 | }; |
569 | |
570 | class SuppressInlineDefensiveChecksVisitor final : public BugReporterVisitor { |
571 | /// The symbolic value for which we are tracking constraints. |
572 | /// This value is constrained to null in the end of path. |
573 | DefinedSVal V; |
574 | |
575 | /// Track if we found the node where the constraint was first added. |
576 | bool IsSatisfied = false; |
577 | |
578 | /// Since the visitors can be registered on nodes previous to the last |
579 | /// node in the BugReport, but the path traversal always starts with the last |
580 | /// node, the visitor invariant (that we start with a node in which V is null) |
581 | /// might not hold when node visitation starts. We are going to start tracking |
582 | /// from the last node in which the value is null. |
583 | bool IsTrackingTurnedOn = false; |
584 | |
585 | public: |
586 | SuppressInlineDefensiveChecksVisitor(DefinedSVal Val, const ExplodedNode *N); |
587 | |
588 | void Profile(llvm::FoldingSetNodeID &ID) const override; |
589 | |
590 | /// Return the tag associated with this visitor. This tag will be used |
591 | /// to make all PathDiagnosticPieces created by this visitor. |
592 | static const char *getTag(); |
593 | |
594 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, |
595 | BugReporterContext &BRC, |
596 | PathSensitiveBugReport &BR) override; |
597 | }; |
598 | |
599 | /// The bug visitor will walk all the nodes in a path and collect all the |
600 | /// constraints. When it reaches the root node, will create a refutation |
601 | /// manager and check if the constraints are satisfiable |
602 | class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor { |
603 | private: |
604 | /// Holds the constraints in a given path |
605 | ConstraintMap Constraints; |
606 | |
607 | public: |
608 | FalsePositiveRefutationBRVisitor(); |
609 | |
610 | void Profile(llvm::FoldingSetNodeID &ID) const override; |
611 | |
612 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
613 | BugReporterContext &BRC, |
614 | PathSensitiveBugReport &BR) override; |
615 | |
616 | void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode, |
617 | PathSensitiveBugReport &BR) override; |
618 | void addConstraints(const ExplodedNode *N, |
619 | bool OverwriteConstraintsOnExistingSyms); |
620 | }; |
621 | |
622 | /// The visitor detects NoteTags and displays the event notes they contain. |
623 | class TagVisitor : public BugReporterVisitor { |
624 | public: |
625 | void Profile(llvm::FoldingSetNodeID &ID) const override; |
626 | |
627 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
628 | BugReporterContext &BRC, |
629 | PathSensitiveBugReport &R) override; |
630 | }; |
631 | |
632 | class ObjCMethodCall; |
633 | class CXXConstructorCall; |
634 | |
635 | /// Put a diagnostic on return statement (or on } in its absence) of all inlined |
636 | /// functions for which some property remained unchanged. |
637 | /// Resulting diagnostics may read such as "Returning without writing to X". |
638 | /// |
639 | /// Descendants can define what a "state change is", like a change of value |
640 | /// to a memory region, liveness, etc. For function calls where the state did |
641 | /// not change as defined, a custom note may be constructed. |
642 | /// |
643 | /// For a minimal example, check out |
644 | /// clang/unittests/StaticAnalyzer/NoStateChangeFuncVisitorTest.cpp. |
645 | class NoStateChangeFuncVisitor : public BugReporterVisitor { |
646 | private: |
647 | /// Frames modifying the state as defined in \c wasModifiedBeforeCallExit. |
648 | /// This visitor generates a note only if a function does *not* change the |
649 | /// state that way. This information is not immediately available |
650 | /// by looking at the node associated with the exit from the function |
651 | /// (usually the return statement). To avoid recomputing the same information |
652 | /// many times (going up the path for each node and checking whether the |
653 | /// region was written into) we instead lazily compute the stack frames |
654 | /// along the path. |
655 | // TODO: Can't we just use a map instead? This is likely not as cheap as it |
656 | // makes the code difficult to read. |
657 | llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifying; |
658 | llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated; |
659 | |
660 | /// Check and lazily calculate whether the state is modified in the stack |
661 | /// frame to which \p CallExitBeginN belongs. |
662 | /// The calculation is cached in FramesModifying. |
663 | bool isModifiedInFrame(const ExplodedNode *CallExitBeginN); |
664 | |
665 | void markFrameAsModifying(const StackFrameContext *SCtx); |
666 | |
667 | /// Write to \c FramesModifying all stack frames along the path in the current |
668 | /// stack frame which modifies the state. |
669 | void findModifyingFrames(const ExplodedNode *const CallExitBeginN); |
670 | |
671 | protected: |
672 | bugreporter::TrackingKind TKind; |
673 | |
674 | /// \return Whether the state was modified from the current node, \p CurrN, to |
675 | /// the end of the stack frame, at \p CallExitBeginN. \p CurrN and |
676 | /// \p CallExitBeginN are always in the same stack frame. |
677 | /// Clients should override this callback when a state change is important |
678 | /// not only on the entire function call, but inside of it as well. |
679 | /// Example: we may want to leave a note about the lack of locking/unlocking |
680 | /// on a particular mutex, but not if inside the function its state was |
681 | /// changed, but also restored. wasModifiedInFunction() wouldn't know of this |
682 | /// change. |
683 | virtual bool wasModifiedBeforeCallExit(const ExplodedNode *CurrN, |
684 | const ExplodedNode *CallExitBeginN) { |
685 | return false; |
686 | } |
687 | |
688 | /// \return Whether the state was modified in the inlined function call in |
689 | /// between \p CallEnterN and \p CallExitEndN. Mind that the stack frame |
690 | /// retrieved from a CallEnterN and CallExitEndN is the *caller's* stack |
691 | /// frame! The inlined function's stack should be retrieved from either the |
692 | /// immediate successor to \p CallEnterN or immediate predecessor to |
693 | /// \p CallExitEndN. |
694 | /// Clients should override this function if a state changes local to the |
695 | /// inlined function are not interesting, only the change occuring as a |
696 | /// result of it. |
697 | /// Example: we want to leave a not about a leaked resource object not being |
698 | /// deallocated / its ownership changed inside a function, and we don't care |
699 | /// if it was assigned to a local variable (its change in ownership is |
700 | /// inconsequential). |
701 | virtual bool wasModifiedInFunction(const ExplodedNode *CallEnterN, |
702 | const ExplodedNode *CallExitEndN) { |
703 | return false; |
704 | } |
705 | |
706 | /// Consume the information on the non-modifying stack frame in order to |
707 | /// either emit a note or not. May suppress the report entirely. |
708 | /// \return Diagnostics piece for the unmodified state in the current |
709 | /// function, if it decides to emit one. A good description might start with |
710 | /// "Returning without...". |
711 | virtual PathDiagnosticPieceRef |
712 | maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R, |
713 | const ObjCMethodCall &Call, |
714 | const ExplodedNode *N) = 0; |
715 | |
716 | /// Consume the information on the non-modifying stack frame in order to |
717 | /// either emit a note or not. May suppress the report entirely. |
718 | /// \return Diagnostics piece for the unmodified state in the current |
719 | /// function, if it decides to emit one. A good description might start with |
720 | /// "Returning without...". |
721 | virtual PathDiagnosticPieceRef |
722 | maybeEmitNoteForCXXThis(PathSensitiveBugReport &R, |
723 | const CXXConstructorCall &Call, |
724 | const ExplodedNode *N) = 0; |
725 | |
726 | /// Consume the information on the non-modifying stack frame in order to |
727 | /// either emit a note or not. May suppress the report entirely. |
728 | /// \return Diagnostics piece for the unmodified state in the current |
729 | /// function, if it decides to emit one. A good description might start with |
730 | /// "Returning without...". |
731 | virtual PathDiagnosticPieceRef |
732 | maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call, |
733 | const ExplodedNode *N) = 0; |
734 | |
735 | public: |
736 | NoStateChangeFuncVisitor(bugreporter::TrackingKind TKind) : TKind(TKind) {} |
737 | |
738 | PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, |
739 | BugReporterContext &BR, |
740 | PathSensitiveBugReport &R) final; |
741 | }; |
742 | |
743 | } // namespace ento |
744 | } // namespace clang |
745 | |
746 | #endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H |
747 | |