1//===- BugReporterVisitors.h - Generate PathDiagnostics ---------*- C++ -*-===// 2// 3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4// See https://llvm.org/LICENSE.txt for license information. 5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6// 7//===----------------------------------------------------------------------===// 8// 9// This file declares BugReporterVisitors, which are used to generate enhanced 10// diagnostic traces. 11// 12//===----------------------------------------------------------------------===// 13 14#ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H 15#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H 16 17#include "clang/Analysis/ProgramPoint.h" 18#include "clang/Basic/LLVM.h" 19#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h" 20#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h" 21#include "llvm/ADT/FoldingSet.h" 22#include "llvm/ADT/IntrusiveRefCntPtr.h" 23#include "llvm/ADT/STLExtras.h" 24#include "llvm/ADT/SmallPtrSet.h" 25#include "llvm/ADT/StringRef.h" 26#include <list> 27#include <memory> 28#include <optional> 29#include <utility> 30 31namespace clang { 32 33class BinaryOperator; 34class CFGBlock; 35class DeclRefExpr; 36class Expr; 37class Stmt; 38 39namespace ento { 40 41class PathSensitiveBugReport; 42class BugReporterContext; 43class ExplodedNode; 44class MemRegion; 45class PathDiagnosticPiece; 46using PathDiagnosticPieceRef = std::shared_ptr<PathDiagnosticPiece>; 47 48/// BugReporterVisitors are used to add custom diagnostics along a path. 49class BugReporterVisitor : public llvm::FoldingSetNode { 50public: 51 BugReporterVisitor() = default; 52 BugReporterVisitor(const BugReporterVisitor &) = default; 53 BugReporterVisitor(BugReporterVisitor &&) {} 54 55 // The copy and move assignment operator is defined as deleted pending further 56 // motivation. 57 BugReporterVisitor &operator=(const BugReporterVisitor &) = delete; 58 BugReporterVisitor &operator=(BugReporterVisitor &&) = delete; 59 60 virtual ~BugReporterVisitor(); 61 62 /// Return a diagnostic piece which should be associated with the 63 /// given node. 64 /// Note that this function does *not* get run on the very last node 65 /// of the report, as the PathDiagnosticPiece associated with the 66 /// last node should be unique. 67 /// Use \ref getEndPath to customize the note associated with the report 68 /// end instead. 69 /// 70 /// The last parameter can be used to register a new visitor with the given 71 /// BugReport while processing a node. 72 virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, 73 BugReporterContext &BRC, 74 PathSensitiveBugReport &BR) = 0; 75 76 /// Last function called on the visitor, no further calls to VisitNode 77 /// would follow. 78 virtual void finalizeVisitor(BugReporterContext &BRC, 79 const ExplodedNode *EndPathNode, 80 PathSensitiveBugReport &BR); 81 82 /// Provide custom definition for the final diagnostic piece on the 83 /// path - the piece, which is displayed before the path is expanded. 84 /// 85 /// NOTE that this function can be implemented on at most one used visitor, 86 /// and otherwise it crahes at runtime. 87 virtual PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC, 88 const ExplodedNode *N, 89 PathSensitiveBugReport &BR); 90 91 virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0; 92 93 /// Generates the default final diagnostic piece. 94 static PathDiagnosticPieceRef 95 getDefaultEndPath(const BugReporterContext &BRC, const ExplodedNode *N, 96 const PathSensitiveBugReport &BR); 97}; 98 99namespace bugreporter { 100 101/// Specifies the type of tracking for an expression. 102enum class TrackingKind { 103 /// Default tracking kind -- specifies that as much information should be 104 /// gathered about the tracked expression value as possible. 105 Thorough, 106 /// Specifies that a more moderate tracking should be used for the expression 107 /// value. This will essentially make sure that functions relevant to it 108 /// aren't pruned, but otherwise relies on the user reading the code or 109 /// following the arrows. 110 Condition 111}; 112 113/// Defines a set of options altering tracking behavior. 114struct TrackingOptions { 115 /// Specifies the kind of tracking. 116 TrackingKind Kind = TrackingKind::Thorough; 117 /// Specifies whether we should employ false positive suppression 118 /// (inlined defensive checks, returned null). 119 bool EnableNullFPSuppression = true; 120}; 121 122/// Describes an event when the value got stored into a memory region. 123/// 124/// As opposed to checker checkBind API, it reacts also to binds 125/// generated by the checker as well. It can be useful when the binding 126/// happened as a result of evalCall, for example. 127struct StoreInfo { 128 enum Kind { 129 /// The value got stored into the region during initialization: 130 /// int x = 42; 131 Initialization, 132 /// The value got stored into the region during assignment: 133 /// int x; 134 /// x = 42; 135 Assignment, 136 /// The value got stored into the parameter region as the result 137 /// of a call. 138 CallArgument, 139 /// The value got stored into the region as block capture. 140 /// Block data is modeled as a separate region, thus whenever 141 /// the analyzer sees a captured variable, its value is copied 142 /// into a special block region. 143 BlockCapture 144 }; 145 146 /// The type of store operation. 147 Kind StoreKind; 148 /// The node where the store happened. 149 const ExplodedNode *StoreSite; 150 /// The expression where the value comes from. 151 /// NOTE: might be null. 152 const Expr *SourceOfTheValue; 153 /// Symbolic value that is being stored. 154 SVal Value; 155 /// Memory regions involved in the store operation. 156 /// Dest <- Origin 157 /// NOTE: Origin might be null, when the stored value doesn't come 158 /// from another region. 159 const MemRegion *Dest, *Origin; 160}; 161 162class Tracker; 163using TrackerRef = llvm::IntrusiveRefCntPtr<Tracker>; 164 165class ExpressionHandler; 166class StoreHandler; 167 168/// A generalized component for tracking expressions, values, and stores. 169/// 170/// Tracker aimes at providing a sensible set of default behaviors that can be 171/// used by any checker, while providing mechanisms to hook into any part of the 172/// tracking process and insert checker-specific logic. 173class Tracker : public llvm::RefCountedBase<Tracker> { 174private: 175 using ExpressionHandlerPtr = std::unique_ptr<ExpressionHandler>; 176 using StoreHandlerPtr = std::unique_ptr<StoreHandler>; 177 178 PathSensitiveBugReport &Report; 179 std::list<ExpressionHandlerPtr> ExpressionHandlers; 180 std::list<StoreHandlerPtr> StoreHandlers; 181 182protected: 183 /// \param Report The bug report to which visitors should be attached. 184 Tracker(PathSensitiveBugReport &Report); 185 186public: 187 virtual ~Tracker() = default; 188 189 static TrackerRef create(PathSensitiveBugReport &Report) { 190 return new Tracker(Report); 191 } 192 193 PathSensitiveBugReport &getReport() { return Report; } 194 195 /// Describes a tracking result with the most basic information of what was 196 /// actually done (or not done). 197 struct Result { 198 /// Usually it means that the tracker added visitors. 199 bool FoundSomethingToTrack = false; 200 /// Signifies that the tracking was interrupted at some point. 201 /// Usually this information is important only for sub-trackers. 202 bool WasInterrupted = false; 203 204 /// Combines the current result with the given result. 205 void combineWith(const Result &Other) { 206 // If we found something in one of the cases, we can 207 // say we found something overall. 208 FoundSomethingToTrack |= Other.FoundSomethingToTrack; 209 // The same goes to the interruption. 210 WasInterrupted |= Other.WasInterrupted; 211 } 212 }; 213 214 /// Track expression value back to its point of origin. 215 /// 216 /// \param E The expression value which we are tracking 217 /// \param N A node "downstream" from the evaluation of the statement. 218 /// \param Opts Tracking options specifying how we want to track the value. 219 virtual Result track(const Expr *E, const ExplodedNode *N, 220 TrackingOptions Opts = {}); 221 222 /// Track how the value got stored into the given region and where it came 223 /// from. 224 /// 225 /// \param V We're searching for the store where \c R received this value. 226 /// \param R The region we're tracking. 227 /// \param Opts Tracking options specifying how we want to track the value. 228 /// \param Origin Only adds notes when the last store happened in a 229 /// different stackframe to this one. Disregarded if the tracking kind 230 /// is thorough. 231 /// This is useful, because for non-tracked regions, notes about 232 /// changes to its value in a nested stackframe could be pruned, and 233 /// this visitor can prevent that without polluting the bugpath too 234 /// much. 235 virtual Result track(SVal V, const MemRegion *R, TrackingOptions Opts = {}, 236 const StackFrameContext *Origin = nullptr); 237 238 /// Handle the store operation and produce the note. 239 /// 240 /// \param SI The information fully describing the store. 241 /// \param Opts Tracking options specifying how we got to it. 242 /// 243 /// NOTE: this method is designed for sub-trackers and visitors. 244 virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC, 245 TrackingOptions Opts); 246 247 /// Add custom expression handler with the highest priority. 248 /// 249 /// It means that it will be asked for handling first, and can prevent 250 /// other handlers from running if decides to interrupt. 251 void addHighPriorityHandler(ExpressionHandlerPtr SH) { 252 ExpressionHandlers.push_front(std::move(SH)); 253 } 254 255 /// Add custom expression handler with the lowest priority. 256 /// 257 /// It means that it will be asked for handling last, and other handlers can 258 /// prevent it from running if any of them decides to interrupt. 259 void addLowPriorityHandler(ExpressionHandlerPtr SH) { 260 ExpressionHandlers.push_back(std::move(SH)); 261 } 262 263 /// Add custom store handler with the highest priority. 264 /// 265 /// It means that it will be asked for handling first, and will prevent 266 /// other handlers from running if it produces non-null note. 267 void addHighPriorityHandler(StoreHandlerPtr SH) { 268 StoreHandlers.push_front(std::move(SH)); 269 } 270 271 /// Add custom store handler with the lowest priority. 272 /// 273 /// It means that it will be asked for handling last, only 274 /// if all other handlers failed to produce the note. 275 void addLowPriorityHandler(StoreHandlerPtr SH) { 276 StoreHandlers.push_back(std::move(SH)); 277 } 278 279 /// Add custom expression/store handler with the highest priority 280 /// 281 /// See other overloads for explanation. 282 template <class HandlerType, class... Args> 283 void addHighPriorityHandler(Args &&... ConstructorArgs) { 284 addHighPriorityHandler(std::make_unique<HandlerType>( 285 *this, std::forward<Args>(ConstructorArgs)...)); 286 } 287 288 /// Add custom expression/store handler with the lowest priority 289 /// 290 /// See other overloads for explanation. 291 template <class HandlerType, class... Args> 292 void addLowPriorityHandler(Args &&... ConstructorArgs) { 293 addLowPriorityHandler(std::make_unique<HandlerType>( 294 *this, std::forward<Args>(ConstructorArgs)...)); 295 } 296}; 297 298/// Handles expressions during the tracking. 299class ExpressionHandler { 300private: 301 Tracker &ParentTracker; 302 303public: 304 ExpressionHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {} 305 virtual ~ExpressionHandler() {} 306 307 /// Handle the given expression from the given node. 308 /// 309 /// \param E The expression value which we are tracking 310 /// \param Original A node "downstream" where the tracking started. 311 /// \param ExprNode A node where the evaluation of \c E actually happens. 312 /// \param Opts Tracking options specifying how we are tracking the value. 313 virtual Tracker::Result handle(const Expr *E, const ExplodedNode *Original, 314 const ExplodedNode *ExprNode, 315 TrackingOptions Opts) = 0; 316 317 /// \Return the tracker that initiated the process. 318 Tracker &getParentTracker() { return ParentTracker; } 319}; 320 321/// Handles stores during the tracking. 322class StoreHandler { 323private: 324 Tracker &ParentTracker; 325 326public: 327 StoreHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {} 328 virtual ~StoreHandler() {} 329 330 /// Handle the given store and produce the node. 331 /// 332 /// \param SI The information fully describing the store. 333 /// \param Opts Tracking options specifying how we are tracking the value. 334 /// 335 /// \return the produced note, null if the handler doesn't support this kind 336 /// of stores. 337 virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC, 338 TrackingOptions Opts) = 0; 339 340 Tracker &getParentTracker() { return ParentTracker; } 341 342protected: 343 PathDiagnosticPieceRef constructNote(StoreInfo SI, BugReporterContext &BRC, 344 StringRef NodeText); 345}; 346 347/// Visitor that tracks expressions and values. 348class TrackingBugReporterVisitor : public BugReporterVisitor { 349private: 350 TrackerRef ParentTracker; 351 352public: 353 TrackingBugReporterVisitor(TrackerRef ParentTracker) 354 : ParentTracker(ParentTracker) {} 355 356 Tracker &getParentTracker() { return *ParentTracker; } 357}; 358 359/// Attempts to add visitors to track expression value back to its point of 360/// origin. 361/// 362/// \param N A node "downstream" from the evaluation of the statement. 363/// \param E The expression value which we are tracking 364/// \param R The bug report to which visitors should be attached. 365/// \param Opts Tracking options specifying how we are tracking the value. 366/// 367/// \return Whether or not the function was able to add visitors for this 368/// statement. Note that returning \c true does not actually imply 369/// that any visitors were added. 370bool trackExpressionValue(const ExplodedNode *N, const Expr *E, 371 PathSensitiveBugReport &R, TrackingOptions Opts = {}); 372 373/// Track how the value got stored into the given region and where it came 374/// from. 375/// 376/// \param V We're searching for the store where \c R received this value. 377/// \param R The region we're tracking. 378/// \param Opts Tracking options specifying how we want to track the value. 379/// \param Origin Only adds notes when the last store happened in a 380/// different stackframe to this one. Disregarded if the tracking kind 381/// is thorough. 382/// This is useful, because for non-tracked regions, notes about 383/// changes to its value in a nested stackframe could be pruned, and 384/// this visitor can prevent that without polluting the bugpath too 385/// much. 386void trackStoredValue(KnownSVal V, const MemRegion *R, 387 PathSensitiveBugReport &Report, TrackingOptions Opts = {}, 388 const StackFrameContext *Origin = nullptr); 389 390const Expr *getDerefExpr(const Stmt *S); 391 392} // namespace bugreporter 393 394class TrackConstraintBRVisitor final : public BugReporterVisitor { 395 const SmallString<64> Message; 396 const DefinedSVal Constraint; 397 const bool Assumption; 398 bool IsSatisfied = false; 399 400 /// We should start tracking from the last node along the path in which the 401 /// value is constrained. 402 bool IsTrackingTurnedOn = false; 403 404public: 405 TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption, 406 StringRef Message) 407 : Message(Message), Constraint(constraint), Assumption(assumption) {} 408 409 void Profile(llvm::FoldingSetNodeID &ID) const override; 410 411 /// Return the tag associated with this visitor. This tag will be used 412 /// to make all PathDiagnosticPieces created by this visitor. 413 static const char *getTag(); 414 415 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 416 BugReporterContext &BRC, 417 PathSensitiveBugReport &BR) override; 418 419private: 420 /// Checks if the constraint refers to a null-location. 421 bool isZeroCheck() const; 422 423 /// Checks if the constraint is valid in the current state. 424 bool isUnderconstrained(const ExplodedNode *N) const; 425}; 426 427/// \class NilReceiverBRVisitor 428/// Prints path notes when a message is sent to a nil receiver. 429class NilReceiverBRVisitor final : public BugReporterVisitor { 430public: 431 void Profile(llvm::FoldingSetNodeID &ID) const override { 432 static int x = 0; 433 ID.AddPointer(&x); 434 } 435 436 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 437 BugReporterContext &BRC, 438 PathSensitiveBugReport &BR) override; 439 440 /// If the statement is a message send expression with nil receiver, returns 441 /// the receiver expression. Returns NULL otherwise. 442 static const Expr *getNilReceiver(const Stmt *S, const ExplodedNode *N); 443}; 444 445/// Visitor that tries to report interesting diagnostics from conditions. 446class ConditionBRVisitor final : public BugReporterVisitor { 447 // FIXME: constexpr initialization isn't supported by MSVC2013. 448 constexpr static llvm::StringLiteral GenericTrueMessage = 449 "Assuming the condition is true"; 450 constexpr static llvm::StringLiteral GenericFalseMessage = 451 "Assuming the condition is false"; 452 453public: 454 void Profile(llvm::FoldingSetNodeID &ID) const override { 455 static int x = 0; 456 ID.AddPointer(&x); 457 } 458 459 /// Return the tag associated with this visitor. This tag will be used 460 /// to make all PathDiagnosticPieces created by this visitor. 461 static const char *getTag(); 462 463 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 464 BugReporterContext &BRC, 465 PathSensitiveBugReport &BR) override; 466 467 PathDiagnosticPieceRef VisitNodeImpl(const ExplodedNode *N, 468 BugReporterContext &BRC, 469 PathSensitiveBugReport &BR); 470 471 PathDiagnosticPieceRef 472 VisitTerminator(const Stmt *Term, const ExplodedNode *N, 473 const CFGBlock *SrcBlk, const CFGBlock *DstBlk, 474 PathSensitiveBugReport &R, BugReporterContext &BRC); 475 476 PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, 477 BugReporterContext &BRC, 478 PathSensitiveBugReport &R, 479 const ExplodedNode *N, bool TookTrue); 480 481 PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR, 482 BugReporterContext &BRC, 483 PathSensitiveBugReport &R, 484 const ExplodedNode *N, bool TookTrue, 485 bool IsAssuming); 486 487 PathDiagnosticPieceRef 488 VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr, 489 BugReporterContext &BRC, PathSensitiveBugReport &R, 490 const ExplodedNode *N, bool TookTrue, bool IsAssuming); 491 492 PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const MemberExpr *ME, 493 BugReporterContext &BRC, 494 PathSensitiveBugReport &R, 495 const ExplodedNode *N, bool TookTrue, 496 bool IsAssuming); 497 498 PathDiagnosticPieceRef 499 VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr, 500 BugReporterContext &BRC, PathSensitiveBugReport &R, 501 const ExplodedNode *N, bool TookTrue); 502 503 /// Tries to print the value of the given expression. 504 /// 505 /// \param CondVarExpr The expression to print its value. 506 /// \param Out The stream to print. 507 /// \param N The node where we encountered the condition. 508 /// \param TookTrue Whether we took the \c true branch of the condition. 509 /// 510 /// \return Whether the print was successful. (The printing is successful if 511 /// we model the value and we could obtain it.) 512 bool printValue(const Expr *CondVarExpr, raw_ostream &Out, 513 const ExplodedNode *N, bool TookTrue, bool IsAssuming); 514 515 bool patternMatch(const Expr *Ex, const Expr *ParentEx, raw_ostream &Out, 516 BugReporterContext &BRC, PathSensitiveBugReport &R, 517 const ExplodedNode *N, std::optional<bool> &prunable, 518 bool IsSameFieldName); 519 520 static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece); 521}; 522 523/// Suppress reports that might lead to known false positives. 524/// 525/// Currently this suppresses reports based on locations of bugs. 526class LikelyFalsePositiveSuppressionBRVisitor final 527 : public BugReporterVisitor { 528public: 529 static void *getTag() { 530 static int Tag = 0; 531 return static_cast<void *>(&Tag); 532 } 533 534 void Profile(llvm::FoldingSetNodeID &ID) const override { 535 ID.AddPointer(getTag()); 536 } 537 538 PathDiagnosticPieceRef VisitNode(const ExplodedNode *, BugReporterContext &, 539 PathSensitiveBugReport &) override { 540 return nullptr; 541 } 542 543 void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N, 544 PathSensitiveBugReport &BR) override; 545}; 546 547/// When a region containing undefined value or '0' value is passed 548/// as an argument in a call, marks the call as interesting. 549/// 550/// As a result, BugReporter will not prune the path through the function even 551/// if the region's contents are not modified/accessed by the call. 552class UndefOrNullArgVisitor final : public BugReporterVisitor { 553 /// The interesting memory region this visitor is tracking. 554 const MemRegion *R; 555 556public: 557 UndefOrNullArgVisitor(const MemRegion *InR) : R(InR) {} 558 559 void Profile(llvm::FoldingSetNodeID &ID) const override { 560 static int Tag = 0; 561 ID.AddPointer(&Tag); 562 ID.AddPointer(R); 563 } 564 565 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 566 BugReporterContext &BRC, 567 PathSensitiveBugReport &BR) override; 568}; 569 570class SuppressInlineDefensiveChecksVisitor final : public BugReporterVisitor { 571 /// The symbolic value for which we are tracking constraints. 572 /// This value is constrained to null in the end of path. 573 DefinedSVal V; 574 575 /// Track if we found the node where the constraint was first added. 576 bool IsSatisfied = false; 577 578 /// Since the visitors can be registered on nodes previous to the last 579 /// node in the BugReport, but the path traversal always starts with the last 580 /// node, the visitor invariant (that we start with a node in which V is null) 581 /// might not hold when node visitation starts. We are going to start tracking 582 /// from the last node in which the value is null. 583 bool IsTrackingTurnedOn = false; 584 585public: 586 SuppressInlineDefensiveChecksVisitor(DefinedSVal Val, const ExplodedNode *N); 587 588 void Profile(llvm::FoldingSetNodeID &ID) const override; 589 590 /// Return the tag associated with this visitor. This tag will be used 591 /// to make all PathDiagnosticPieces created by this visitor. 592 static const char *getTag(); 593 594 PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ, 595 BugReporterContext &BRC, 596 PathSensitiveBugReport &BR) override; 597}; 598 599/// The bug visitor will walk all the nodes in a path and collect all the 600/// constraints. When it reaches the root node, will create a refutation 601/// manager and check if the constraints are satisfiable 602class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor { 603private: 604 /// Holds the constraints in a given path 605 ConstraintMap Constraints; 606 607public: 608 FalsePositiveRefutationBRVisitor(); 609 610 void Profile(llvm::FoldingSetNodeID &ID) const override; 611 612 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 613 BugReporterContext &BRC, 614 PathSensitiveBugReport &BR) override; 615 616 void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode, 617 PathSensitiveBugReport &BR) override; 618 void addConstraints(const ExplodedNode *N, 619 bool OverwriteConstraintsOnExistingSyms); 620}; 621 622/// The visitor detects NoteTags and displays the event notes they contain. 623class TagVisitor : public BugReporterVisitor { 624public: 625 void Profile(llvm::FoldingSetNodeID &ID) const override; 626 627 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 628 BugReporterContext &BRC, 629 PathSensitiveBugReport &R) override; 630}; 631 632class ObjCMethodCall; 633class CXXConstructorCall; 634 635/// Put a diagnostic on return statement (or on } in its absence) of all inlined 636/// functions for which some property remained unchanged. 637/// Resulting diagnostics may read such as "Returning without writing to X". 638/// 639/// Descendants can define what a "state change is", like a change of value 640/// to a memory region, liveness, etc. For function calls where the state did 641/// not change as defined, a custom note may be constructed. 642/// 643/// For a minimal example, check out 644/// clang/unittests/StaticAnalyzer/NoStateChangeFuncVisitorTest.cpp. 645class NoStateChangeFuncVisitor : public BugReporterVisitor { 646private: 647 /// Frames modifying the state as defined in \c wasModifiedBeforeCallExit. 648 /// This visitor generates a note only if a function does *not* change the 649 /// state that way. This information is not immediately available 650 /// by looking at the node associated with the exit from the function 651 /// (usually the return statement). To avoid recomputing the same information 652 /// many times (going up the path for each node and checking whether the 653 /// region was written into) we instead lazily compute the stack frames 654 /// along the path. 655 // TODO: Can't we just use a map instead? This is likely not as cheap as it 656 // makes the code difficult to read. 657 llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifying; 658 llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated; 659 660 /// Check and lazily calculate whether the state is modified in the stack 661 /// frame to which \p CallExitBeginN belongs. 662 /// The calculation is cached in FramesModifying. 663 bool isModifiedInFrame(const ExplodedNode *CallExitBeginN); 664 665 void markFrameAsModifying(const StackFrameContext *SCtx); 666 667 /// Write to \c FramesModifying all stack frames along the path in the current 668 /// stack frame which modifies the state. 669 void findModifyingFrames(const ExplodedNode *const CallExitBeginN); 670 671protected: 672 bugreporter::TrackingKind TKind; 673 674 /// \return Whether the state was modified from the current node, \p CurrN, to 675 /// the end of the stack frame, at \p CallExitBeginN. \p CurrN and 676 /// \p CallExitBeginN are always in the same stack frame. 677 /// Clients should override this callback when a state change is important 678 /// not only on the entire function call, but inside of it as well. 679 /// Example: we may want to leave a note about the lack of locking/unlocking 680 /// on a particular mutex, but not if inside the function its state was 681 /// changed, but also restored. wasModifiedInFunction() wouldn't know of this 682 /// change. 683 virtual bool wasModifiedBeforeCallExit(const ExplodedNode *CurrN, 684 const ExplodedNode *CallExitBeginN) { 685 return false; 686 } 687 688 /// \return Whether the state was modified in the inlined function call in 689 /// between \p CallEnterN and \p CallExitEndN. Mind that the stack frame 690 /// retrieved from a CallEnterN and CallExitEndN is the *caller's* stack 691 /// frame! The inlined function's stack should be retrieved from either the 692 /// immediate successor to \p CallEnterN or immediate predecessor to 693 /// \p CallExitEndN. 694 /// Clients should override this function if a state changes local to the 695 /// inlined function are not interesting, only the change occuring as a 696 /// result of it. 697 /// Example: we want to leave a not about a leaked resource object not being 698 /// deallocated / its ownership changed inside a function, and we don't care 699 /// if it was assigned to a local variable (its change in ownership is 700 /// inconsequential). 701 virtual bool wasModifiedInFunction(const ExplodedNode *CallEnterN, 702 const ExplodedNode *CallExitEndN) { 703 return false; 704 } 705 706 /// Consume the information on the non-modifying stack frame in order to 707 /// either emit a note or not. May suppress the report entirely. 708 /// \return Diagnostics piece for the unmodified state in the current 709 /// function, if it decides to emit one. A good description might start with 710 /// "Returning without...". 711 virtual PathDiagnosticPieceRef 712 maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R, 713 const ObjCMethodCall &Call, 714 const ExplodedNode *N) = 0; 715 716 /// Consume the information on the non-modifying stack frame in order to 717 /// either emit a note or not. May suppress the report entirely. 718 /// \return Diagnostics piece for the unmodified state in the current 719 /// function, if it decides to emit one. A good description might start with 720 /// "Returning without...". 721 virtual PathDiagnosticPieceRef 722 maybeEmitNoteForCXXThis(PathSensitiveBugReport &R, 723 const CXXConstructorCall &Call, 724 const ExplodedNode *N) = 0; 725 726 /// Consume the information on the non-modifying stack frame in order to 727 /// either emit a note or not. May suppress the report entirely. 728 /// \return Diagnostics piece for the unmodified state in the current 729 /// function, if it decides to emit one. A good description might start with 730 /// "Returning without...". 731 virtual PathDiagnosticPieceRef 732 maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call, 733 const ExplodedNode *N) = 0; 734 735public: 736 NoStateChangeFuncVisitor(bugreporter::TrackingKind TKind) : TKind(TKind) {} 737 738 PathDiagnosticPieceRef VisitNode(const ExplodedNode *N, 739 BugReporterContext &BR, 740 PathSensitiveBugReport &R) final; 741}; 742 743} // namespace ento 744} // namespace clang 745 746#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H 747