This is an archive of the discontinued LLVM Phabricator instance.

Differential D65379

[analyzer][NFC] Refactoring BugReporter.cpp P2.: Clean up the construction of bug paths and finding a valid report
ClosedPublic

Authored by Szelethus on Jul 28 2019, 2:44 PM.

Details

Reviewers
NoQ
xazax.hun
Charusso
baloghadamsoftware
rnkovacs
dcoughlin
Commits
rGed9cc4079452: [analyzer][NFC] Refactoring BugReporter.cpp P2.: Clean up the construction of…
rL368694: [analyzer][NFC] Refactoring BugReporter.cpp P2.: Clean up the construction of…
rC368694: [analyzer][NFC] Refactoring BugReporter.cpp P2.: Clean up the construction of…
Summary

This patch refactors the utility functions and classes around the construction of a bug path.

At a very high level, this consists of 3 steps:

  1. For all BugReports in the same BugReportEquivClass, collect all their error nodes in a set. With that set, create a new, trimmed ExplodedGraph whose leafs are all error nodes.
  2. Until a valid report is found, construct a bug path, which is yet another ExplodedGraph, that is linear from a given error node to the root of the graph.
  3. Run all visitors on the constructed bug path. If in this process the report got invalidated, start over from step 2.

Now, to the changes within this patch:

  • Do not allow the invalidation of BugReports up to the point where the trimmed graph is constructed. Checkers shouldn't add bug reports that are known to be invalid, and should use visitors and argue about the entirety of the bug path if needed.
  • Do not calculate indices. I may be biased, but I personally find code like this the hardest to follow. I'd like to point you to one of the comments in the original code:
SmallVector<const ExplodedNode *, 32> errorNodes;
for (const auto I : bugReports) {
  if (I->isValid()) {
    HasValid = true;
    errorNodes.push_back(I->getErrorNode());
  } else {
    // Keep the errorNodes list in sync with the bugReports list.
    errorNodes.push_back(nullptr);
  }
}

Not on my watch. Instead, use a far easier to follow trick: store a pointer to the BugReport in question, not an index to it.

  • Add range iterators to ExplodedGraph's successors and predecessors, and a visitor range to BugReporter.
  • Rename TrimmedGraph to BugPathGetter. Because that is what it has always been: no sane graph type should store an iterator-like state, or have an interface not exposing a single graph-like functionalities.
  • Rename ReportGraph to BugPathInfo, because it is only a linear path with some other context.
  • Instead of having both and out and in parameter (which I think isn't ever excusable unless we use the out-param for caching), return a record object with descriptive getter methods.
  • Where descriptive names weren't sufficient, compliment the code with comments.

Diff Detail

Repository
rL LLVM

Event Timeline

Szelethus created this revision.Jul 28 2019, 2:44 PM
Herald added subscribers: gamesh411, dkrupp, donat.nagy and 6 others. · View Herald TranscriptJul 28 2019, 2:44 PM
Szelethus added reviewers: baloghadamsoftware, rnkovacs, dcoughlin.Jul 28 2019, 2:44 PM
Szelethus set the repository for this revision to rG LLVM Github Monorepo.
Szelethus added a project: Restricted Project.
Herald added a subscriber: cfe-commits. · View Herald TranscriptJul 28 2019, 2:45 PM
Szelethus added a parent revision: D65378: [analyzer][NFC] Refactoring BugReporter.cpp P1.: Store interesting symbols/regions in a simple set.Jul 28 2019, 2:46 PM
NoQ accepted this revision.Jul 29 2019, 6:13 PM

If only somebody could explain to me why do even need trimming in the first place :/

I was only keeping it around for easier exploded graph dumps reading, but these days we can trivially replace it with a flag to exploded-graph-rewriter (i.e., combine D65345 with D64110).

This revision is now accepted and ready to land.Jul 29 2019, 6:13 PM
xazax.hun accepted this revision.Jul 29 2019, 8:30 PM

Looks good, some nits inline. I agree with Artem, we should consider omitting the trimming and document how to get something similar if desired for debugging.

Just a random idea: maybe the original purpose of the trimming was to be able to reclaim parts of the exploded graph as soon as possible?

clang/lib/StaticAnalyzer/Core/BugReporter.cpp
2269 ↗(On Diff #212118)

This comment was really hard for me to understand, could you rephrase it?

2305 ↗(On Diff #212118)

Formatting might be off here?

Szelethus mentioned this in D65484: [analyzer][NFC] Refactoring BugReporter.cpp P5.: Compact mile long function invocations into objects.Jul 30 2019, 3:37 PM
Szelethus added a child revision: D65381: [analyzer][NFC] Refactoring BugReporter.cpp P3.: std::shared_pointer<PathDiagnosticPiece> -> PathDiagnosticPieceRef.Jul 30 2019, 3:44 PM
Szelethus updated this revision to Diff 212806.Aug 1 2019, 7:13 AM
Szelethus marked 2 inline comments as done.

clang-format, rephrase the comment.

Closed by commit rL368694: [analyzer][NFC] Refactoring BugReporter.cpp P2.: Clean up the construction of… (authored by Szelethus). · Explain WhyAug 13 2019, 6:55 AM
This revision was automatically updated to reflect the committed changes.
Herald added a project: Restricted Project. · View Herald TranscriptAug 13 2019, 6:55 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Szelethus mentioned this in rL368737: [analyzer][NFC] Refactoring BugReporter.cpp P5.: Compact mile long function….Aug 13 2019, 12:02 PM
Szelethus mentioned this in rGf9d75bede84e: [analyzer][NFC] Refactoring BugReporter.cpp P5.: Compact mile long function….
Szelethus mentioned this in D83120: [Analyzer][StreamChecker] Use BugType::SuppressOnSink at resource leak report..Jul 13 2020, 6:21 AM
Szelethus mentioned this in D102914: [analyzer] Make checker silencing work for non-pathsensitive bug reports.May 21 2021, 5:17 AM
Szelethus mentioned this in rG9cca5c1391d6: [analyzer] Make checker silencing work for non-pathsensitive bug reports.Jun 17 2021, 1:28 AM

Revision Contents

PathSize
cfe/
trunk/
include/
clang/
StaticAnalyzer/
Core/
BugReporter/
2 lines
PathSensitive/
11 lines
lib/
StaticAnalyzer/
Core/
211 lines

Diff 214827

cfe/trunk/include/clang/StaticAnalyzer/Core/BugReporter/BugReporter.h

Show First 20 LinesShow All 81 Lines▼ Show 20 Lines public:
virtual const ExplodedNode* virtual const ExplodedNode*
getOriginalNode(const ExplodedNode *N) = 0; getOriginalNode(const ExplodedNode *N) = 0;
}; };
using ranges_iterator = const SourceRange *; using ranges_iterator = const SourceRange *;
using VisitorList = SmallVector<std::unique_ptr<BugReporterVisitor>, 8>; using VisitorList = SmallVector<std::unique_ptr<BugReporterVisitor>, 8>;
using visitor_iterator = VisitorList::iterator; using visitor_iterator = VisitorList::iterator;
using visitor_range = llvm::iterator_range<visitor_iterator>;
using ExtraTextList = SmallVector<StringRef, 2>; using ExtraTextList = SmallVector<StringRef, 2>;
using NoteList = SmallVector<std::shared_ptr<PathDiagnosticNotePiece>, 4>; using NoteList = SmallVector<std::shared_ptr<PathDiagnosticNotePiece>, 4>;
protected: protected:
friend class BugReportEquivClass; friend class BugReportEquivClass;
friend class BugReporter; friend class BugReporter;
const BugType& BT; const BugType& BT;
▲ Show 20 LinesShow All 236 Lines▼ Show 20 Linespublic:
void addVisitor(std::unique_ptr<BugReporterVisitor> visitor); void addVisitor(std::unique_ptr<BugReporterVisitor> visitor);
/// Remove all visitors attached to this bug report. /// Remove all visitors attached to this bug report.
void clearVisitors(); void clearVisitors();
/// Iterators through the custom diagnostic visitors. /// Iterators through the custom diagnostic visitors.
visitor_iterator visitor_begin() { return Callbacks.begin(); } visitor_iterator visitor_begin() { return Callbacks.begin(); }
visitor_iterator visitor_end() { return Callbacks.end(); } visitor_iterator visitor_end() { return Callbacks.end(); }
visitor_range visitors() { return {visitor_begin(), visitor_end()}; }
/// Notes that the condition of the CFGBlock associated with \p Cond is /// Notes that the condition of the CFGBlock associated with \p Cond is
/// being tracked. /// being tracked.
/// \returns false if the condition is already being tracked. /// \returns false if the condition is already being tracked.
bool addTrackedCondition(const ExplodedNode *Cond) { bool addTrackedCondition(const ExplodedNode *Cond) {
return TrackedConditions.insert(Cond).second; return TrackedConditions.insert(Cond).second;
} }
▲ Show 20 LinesShow All 304 LinesShow Last 20 Lines

cfe/trunk/include/clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h

Show First 20 LinesShow All 213 Lines▼ Show 20 Linespublic:
} }
const ExplodedNode *getFirstSucc() const { const ExplodedNode *getFirstSucc() const {
return const_cast<ExplodedNode*>(this)->getFirstSucc(); return const_cast<ExplodedNode*>(this)->getFirstSucc();
} }
// Iterators over successor and predecessor vertices. // Iterators over successor and predecessor vertices.
using succ_iterator = ExplodedNode * const *; using succ_iterator = ExplodedNode * const *;
using succ_range = llvm::iterator_range<succ_iterator>;
using const_succ_iterator = const ExplodedNode * const *; using const_succ_iterator = const ExplodedNode * const *;
using const_succ_range = llvm::iterator_range<const_succ_iterator>;
using pred_iterator = ExplodedNode * const *; using pred_iterator = ExplodedNode * const *;
using pred_range = llvm::iterator_range<pred_iterator>;
using const_pred_iterator = const ExplodedNode * const *; using const_pred_iterator = const ExplodedNode * const *;
using const_pred_range = llvm::iterator_range<const_pred_iterator>;
pred_iterator pred_begin() { return Preds.begin(); } pred_iterator pred_begin() { return Preds.begin(); }
pred_iterator pred_end() { return Preds.end(); } pred_iterator pred_end() { return Preds.end(); }
pred_range preds() { return {Preds.begin(), Preds.end()}; }
const_pred_iterator pred_begin() const { const_pred_iterator pred_begin() const {
return const_cast<ExplodedNode*>(this)->pred_begin(); return const_cast<ExplodedNode*>(this)->pred_begin();
} }
const_pred_iterator pred_end() const { const_pred_iterator pred_end() const {
return const_cast<ExplodedNode*>(this)->pred_end(); return const_cast<ExplodedNode*>(this)->pred_end();
} }
const_pred_range preds() const { return {Preds.begin(), Preds.end()}; }
succ_iterator succ_begin() { return Succs.begin(); } succ_iterator succ_begin() { return Succs.begin(); }
succ_iterator succ_end() { return Succs.end(); } succ_iterator succ_end() { return Succs.end(); }
succ_range succs() { return {Succs.begin(), Succs.end()}; }
const_succ_iterator succ_begin() const { const_succ_iterator succ_begin() const {
return const_cast<ExplodedNode*>(this)->succ_begin(); return const_cast<ExplodedNode*>(this)->succ_begin();
} }
const_succ_iterator succ_end() const { const_succ_iterator succ_end() const {
return const_cast<ExplodedNode*>(this)->succ_end(); return const_cast<ExplodedNode*>(this)->succ_end();
} }
const_succ_range succs() const { return {Succs.begin(), Succs.end()}; }
int64_t getID(ExplodedGraph *G) const; int64_t getID(ExplodedGraph *G) const;
/// The node is trivial if it has only one successor, only one predecessor, /// The node is trivial if it has only one successor, only one predecessor,
/// it's predecessor has only one successor, /// it's predecessor has only one successor,
/// and its program state is the same as the program state of the previous /// and its program state is the same as the program state of the previous
/// node. /// node.
/// Trivial nodes may be skipped while printing exploded graph. /// Trivial nodes may be skipped while printing exploded graph.
▲ Show 20 LinesShow All 252 LinesShow Last 20 Lines

cfe/trunk/lib/StaticAnalyzer/Core/BugReporter.cpp

Show First 20 LinesShow All 2,235 Lines▼ Show 20 Lines
} }
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// PathDiagnostics generation. // PathDiagnostics generation.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
namespace { namespace {
/// A wrapper around a report graph, which contains only a single path, and its /// A wrapper around an ExplodedGraph that contains a single path from the root
/// node maps. /// to the error node, and a map that maps the nodes in this path to the ones in
class ReportGraph { /// the original ExplodedGraph.
class BugPathInfo {
public: public:
InterExplodedGraphMap BackMap; InterExplodedGraphMap MapToOriginNodes;
std::unique_ptr<ExplodedGraph> Graph; std::unique_ptr<ExplodedGraph> Path;
BugReport *Report;
const ExplodedNode *ErrorNode; const ExplodedNode *ErrorNode;
size_t Index;
}; };
/// A wrapper around a trimmed graph and its node maps. /// A wrapper around an ExplodedGraph whose leafs are all error nodes. Can
class TrimmedGraph { /// conveniently retrieve bug paths from a single error node to the root.
class BugPathGetter {
std::unique_ptr<ExplodedGraph> TrimmedGraph;
/// Map from the trimmed graph to the original.
InterExplodedGraphMap InverseMap; InterExplodedGraphMap InverseMap;
using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>; using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>;
/// Assign each node with its distance from the root.
PriorityMapTy PriorityMap; PriorityMapTy PriorityMap;
using NodeIndexPair = std::pair<const ExplodedNode *, size_t>; /// Since the getErrorNode() or BugReport refers to the original ExplodedGraph,
/// we need to pair it to the error node of the constructed trimmed graph.
SmallVector<NodeIndexPair, 32> ReportNodes; using ReportNewNodePair = std::pair<BugReport *, const ExplodedNode *>;
SmallVector<ReportNewNodePair, 32> ReportNodes;
std::unique_ptr<ExplodedGraph> G; BugPathInfo CurrentBugPath;
/// A helper class for sorting ExplodedNodes by priority. /// A helper class for sorting ExplodedNodes by priority.
template <bool Descending> template <bool Descending>
class PriorityCompare { class PriorityCompare {
const PriorityMapTy &PriorityMap; const PriorityMapTy &PriorityMap;
public: public:
PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {} PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {}
bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const { bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const {
PriorityMapTy::const_iterator LI = PriorityMap.find(LHS); PriorityMapTy::const_iterator LI = PriorityMap.find(LHS);
PriorityMapTy::const_iterator RI = PriorityMap.find(RHS); PriorityMapTy::const_iterator RI = PriorityMap.find(RHS);
PriorityMapTy::const_iterator E = PriorityMap.end(); PriorityMapTy::const_iterator E = PriorityMap.end();
if (LI == E) if (LI == E)
return Descending; return Descending;
if (RI == E) if (RI == E)
return !Descending; return !Descending;
return Descending ? LI->second > RI->second return Descending ? LI->second > RI->second
: LI->second < RI->second; : LI->second < RI->second;
} }
bool operator()(const NodeIndexPair &LHS, const NodeIndexPair &RHS) const { bool operator()(const ReportNewNodePair &LHS,
return (*this)(LHS.first, RHS.first); const ReportNewNodePair &RHS) const {
return (*this)(LHS.second, RHS.second);
} }
}; };
public: public:
TrimmedGraph(const ExplodedGraph *OriginalGraph, BugPathGetter(const ExplodedGraph *OriginalGraph,
ArrayRef<const ExplodedNode *> Nodes); ArrayRef<BugReport *> &bugReports);
bool popNextReportGraph(ReportGraph &GraphWrapper); BugPathInfo *getNextBugPath();
}; };
} // namespace } // namespace
TrimmedGraph::TrimmedGraph(const ExplodedGraph *OriginalGraph, BugPathGetter::BugPathGetter(const ExplodedGraph *OriginalGraph,
ArrayRef<const ExplodedNode *> Nodes) { ArrayRef<BugReport *> &bugReports) {
SmallVector<const ExplodedNode *, 32> Nodes;
for (const auto I : bugReports) {
assert(I->isValid() &&
"We only allow BugReporterVisitors and BugReporter itself to "
"invalidate reports!");
Nodes.emplace_back(I->getErrorNode());
}
// The trimmed graph is created in the body of the constructor to ensure // The trimmed graph is created in the body of the constructor to ensure
// that the DenseMaps have been initialized already. // that the DenseMaps have been initialized already.
InterExplodedGraphMap ForwardMap; InterExplodedGraphMap ForwardMap;
G = OriginalGraph->trim(Nodes, &ForwardMap, &InverseMap); TrimmedGraph = OriginalGraph->trim(Nodes, &ForwardMap, &InverseMap);
// Find the (first) error node in the trimmed graph. We just need to consult // Find the (first) error node in the trimmed graph. We just need to consult
// the node map which maps from nodes in the original graph to nodes // the node map which maps from nodes in the original graph to nodes
// in the new graph. // in the new graph.
llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes; llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes;
for (unsigned i = 0, count = Nodes.size(); i < count; ++i) { for (BugReport *Report : bugReports) {
if (const ExplodedNode *NewNode = ForwardMap.lookup(Nodes[i])) { const ExplodedNode *NewNode = ForwardMap.lookup(Report->getErrorNode());
ReportNodes.push_back(std::make_pair(NewNode, i)); assert(NewNode &&
"Failed to construct a trimmed graph that contains this error "
"node!");
ReportNodes.emplace_back(Report, NewNode);
RemainingNodes.insert(NewNode); RemainingNodes.insert(NewNode);
} }
}
assert(!RemainingNodes.empty() && "No error node found in the trimmed graph"); assert(!RemainingNodes.empty() && "No error node found in the trimmed graph");
// Perform a forward BFS to find all the shortest paths. // Perform a forward BFS to find all the shortest paths.
std::queue<const ExplodedNode *> WS; std::queue<const ExplodedNode *> WS;
assert(G->num_roots() == 1); assert(TrimmedGraph->num_roots() == 1);
WS.push(*G->roots_begin()); WS.push(*TrimmedGraph->roots_begin());
unsigned Priority = 0; unsigned Priority = 0;
while (!WS.empty()) { while (!WS.empty()) {
const ExplodedNode *Node = WS.front(); const ExplodedNode *Node = WS.front();
WS.pop(); WS.pop();
PriorityMapTy::iterator PriorityEntry; PriorityMapTy::iterator PriorityEntry;
bool IsNew; bool IsNew;
std::tie(PriorityEntry, IsNew) = std::tie(PriorityEntry, IsNew) = PriorityMap.insert({Node, Priority});
PriorityMap.insert(std::make_pair(Node, Priority));
++Priority; ++Priority;
if (!IsNew) { if (!IsNew) {
assert(PriorityEntry->second <= Priority); assert(PriorityEntry->second <= Priority);
continue; continue;
} }
if (RemainingNodes.erase(Node)) if (RemainingNodes.erase(Node))
if (RemainingNodes.empty()) if (RemainingNodes.empty())
break; break;
for (ExplodedNode::const_pred_iterator I = Node->succ_begin(), for (const ExplodedNode *Succ : Node->succs())
E = Node->succ_end(); WS.push(Succ);
I != E; ++I)
WS.push(*I);
} }
// Sort the error paths from longest to shortest. // Sort the error paths from longest to shortest.
llvm::sort(ReportNodes, PriorityCompare<true>(PriorityMap)); llvm::sort(ReportNodes, PriorityCompare<true>(PriorityMap));
} }
bool TrimmedGraph::popNextReportGraph(ReportGraph &GraphWrapper) { BugPathInfo *BugPathGetter::getNextBugPath() {
if (ReportNodes.empty()) if (ReportNodes.empty())
return false; return nullptr;
const ExplodedNode *OrigN; const ExplodedNode *OrigN;
std::tie(OrigN, GraphWrapper.Index) = ReportNodes.pop_back_val(); std::tie(CurrentBugPath.Report, OrigN) = ReportNodes.pop_back_val();
assert(PriorityMap.find(OrigN) != PriorityMap.end() && assert(PriorityMap.find(OrigN) != PriorityMap.end() &&
"error node not accessible from root"); "error node not accessible from root");
// Create a new graph with a single path. This is the graph // Create a new graph with a single path. This is the graph that will be
// that will be returned to the caller. // returned to the caller.
auto GNew = llvm::make_unique<ExplodedGraph>(); auto GNew = llvm::make_unique<ExplodedGraph>();
GraphWrapper.BackMap.clear(); CurrentBugPath.MapToOriginNodes.clear();
// Now walk from the error node up the BFS path, always taking the // Now walk from the error node up the BFS path, always taking the
// predeccessor with the lowest number. // predeccessor with the lowest number.
ExplodedNode *Succ = nullptr; ExplodedNode *Succ = nullptr;
while (true) { while (true) {
// Create the equivalent node in the new graph with the same state // Create the equivalent node in the new graph with the same state
// and location. // and location.
ExplodedNode *NewN = GNew->createUncachedNode(OrigN->getLocation(), OrigN->getState(), ExplodedNode *NewN = GNew->createUncachedNode(
OrigN->isSink()); OrigN->getLocation(), OrigN->getState(), OrigN->isSink());
// Store the mapping to the original node. // Store the mapping to the original node.
InterExplodedGraphMap::const_iterator IMitr = InverseMap.find(OrigN); InterExplodedGraphMap::const_iterator IMitr = InverseMap.find(OrigN);
assert(IMitr != InverseMap.end() && "No mapping to original node."); assert(IMitr != InverseMap.end() && "No mapping to original node.");
GraphWrapper.BackMap[NewN] = IMitr->second; CurrentBugPath.MapToOriginNodes[NewN] = IMitr->second;
// Link up the new node with the previous node. // Link up the new node with the previous node.
if (Succ) if (Succ)
Succ->addPredecessor(NewN, *GNew); Succ->addPredecessor(NewN, *GNew);
else else
GraphWrapper.ErrorNode = NewN; CurrentBugPath.ErrorNode = NewN;
Succ = NewN; Succ = NewN;
// Are we at the final node? // Are we at the final node?
if (OrigN->pred_empty()) { if (OrigN->pred_empty()) {
GNew->addRoot(NewN); GNew->addRoot(NewN);
break; break;
} }
// Find the next predeccessor node. We choose the node that is marked // Find the next predeccessor node. We choose the node that is marked
// with the lowest BFS number. // with the lowest BFS number.
OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(), OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(),
PriorityCompare<false>(PriorityMap)); PriorityCompare<false>(PriorityMap));
} }
GraphWrapper.Graph = std::move(GNew); CurrentBugPath.Path = std::move(GNew);
return true; return &CurrentBugPath;
} }
/// CompactMacroExpandedPieces - This function postprocesses a PathDiagnostic /// CompactMacroExpandedPieces - This function postprocesses a PathDiagnostic
/// object and collapses PathDiagosticPieces that are expanded by macros. /// object and collapses PathDiagosticPieces that are expanded by macros.
static void CompactMacroExpandedPieces(PathPieces &path, static void CompactMacroExpandedPieces(PathPieces &path,
const SourceManager& SM) { const SourceManager& SM) {
using MacroStackTy = using MacroStackTy =
std::vector< std::vector<
▲ Show 20 LinesShow All 94 Lines▼ Show 20 LinesgenerateVisitorsDiagnostics(BugReport *R, const ExplodedNode *ErrorNode,
auto Notes = llvm::make_unique<VisitorsDiagnosticsTy>(); auto Notes = llvm::make_unique<VisitorsDiagnosticsTy>();
BugReport::VisitorList visitors; BugReport::VisitorList visitors;
// Run visitors on all nodes starting from the node *before* the last one. // Run visitors on all nodes starting from the node *before* the last one.
// The last node is reserved for notes generated with {@code getEndPath}. // The last node is reserved for notes generated with {@code getEndPath}.
const ExplodedNode *NextNode = ErrorNode->getFirstPred(); const ExplodedNode *NextNode = ErrorNode->getFirstPred();
while (NextNode) { while (NextNode) {
// At each iteration, move all visitors from report to visitor list. // At each iteration, move all visitors from report to visitor list. This is
for (BugReport::visitor_iterator I = R->visitor_begin(), // important, because the Profile() functions of the visitors make sure that
E = R->visitor_end(); // a visitor isn't added multiple times for the same node, but it's fine
I != E; ++I) { // to add the a visitor with Profile() for different nodes (e.g. tracking
visitors.push_back(std::move(*I)); // a region at different points of the symbolic execution).
} for (std::unique_ptr<BugReporterVisitor> &Visitor : R->visitors())
visitors.push_back(std::move(Visitor));
R->clearVisitors(); R->clearVisitors();
const ExplodedNode *Pred = NextNode->getFirstPred(); const ExplodedNode *Pred = NextNode->getFirstPred();
if (!Pred) { if (!Pred) {
std::shared_ptr<PathDiagnosticPiece> LastPiece; std::shared_ptr<PathDiagnosticPiece> LastPiece;
for (auto &V : visitors) { for (auto &V : visitors) {
V->finalizeVisitor(BRC, ErrorNode, *R); V->finalizeVisitor(BRC, ErrorNode, *R);
if (auto Piece = V->getEndPath(BRC, ErrorNode, *R)) { if (auto Piece = V->getEndPath(BRC, ErrorNode, *R)) {
assert(!LastPiece && assert(!LastPiece &&
"There can only be one final piece in a diagnostic."); "There can only be one final piece in a diagnostic.");
assert(Piece->getKind() == PathDiagnosticPiece::Kind::Event &&
"The final piece must contain a message!");
LastPiece = std::move(Piece); LastPiece = std::move(Piece);
(*Notes)[ErrorNode].push_back(LastPiece); (*Notes)[ErrorNode].push_back(LastPiece);
} }
} }
break; break;
} }
for (auto &V : visitors) { for (auto &V : visitors) {
auto P = V->VisitNode(NextNode, BRC, *R); auto P = V->VisitNode(NextNode, BRC, *R);
if (P) if (P)
(*Notes)[NextNode].push_back(std::move(P)); (*Notes)[NextNode].push_back(std::move(P));
} }
if (!R->isValid()) if (!R->isValid())
break; break;
NextNode = Pred; NextNode = Pred;
} }
return Notes; return Notes;
} }
/// Find a non-invalidated report for a given equivalence class, class ReportInfo {
/// and return together with a cache of visitors notes. BugPathInfo BugPath;
/// If none found, return a nullptr paired with an empty cache. std::unique_ptr<VisitorsDiagnosticsTy> VisitorDiagnostics;
static
std::pair<BugReport*, std::unique_ptr<VisitorsDiagnosticsTy>> findValidReport( public:
TrimmedGraph &TrimG, ReportInfo(BugPathInfo &&BugPath, std::unique_ptr<VisitorsDiagnosticsTy> V)
ReportGraph &ErrorGraph, : BugPath(std::move(BugPath)), VisitorDiagnostics(std::move(V)) {}
ArrayRef<BugReport *> &bugReports,
AnalyzerOptions &Opts, ReportInfo() = default;
bool isValid() { return static_cast<bool>(VisitorDiagnostics); }
BugReport *getBugReport() { return BugPath.Report; }
const ExplodedNode *getErrorNode() { return BugPath.ErrorNode; }
InterExplodedGraphMap &getMapToOriginNodes() {
return BugPath.MapToOriginNodes;
}
VisitorsDiagnosticsTy &getVisitorsDiagnostics() {
return *VisitorDiagnostics;
}
};
/// Find a non-invalidated report for a given equivalence class, and returns
/// the bug path associated with it together with a cache of visitors notes.
/// If none found, returns an isInvalid() object.
static ReportInfo findValidReport(ArrayRef<BugReport *> &bugReports,
GRBugReporter &Reporter) { GRBugReporter &Reporter) {
BugPathGetter BugGraph(&Reporter.getGraph(), bugReports);
while (TrimG.popNextReportGraph(ErrorGraph)) { while (BugPathInfo *BugPath = BugGraph.getNextBugPath()) {
// Find the BugReport with the original location. // Find the BugReport with the original location.
assert(ErrorGraph.Index < bugReports.size()); BugReport *R = BugPath->Report;
BugReport *R = bugReports[ErrorGraph.Index];
assert(R && "No original report found for sliced graph."); assert(R && "No original report found for sliced graph.");
assert(R->isValid() && "Report selected by trimmed graph marked invalid."); assert(R->isValid() && "Report selected by trimmed graph marked invalid.");
const ExplodedNode *ErrorNode = ErrorGraph.ErrorNode; const ExplodedNode *ErrorNode = BugPath->ErrorNode;
// Register refutation visitors first, if they mark the bug invalid no // Register refutation visitors first, if they mark the bug invalid no
// further analysis is required // further analysis is required
R->addVisitor(llvm::make_unique<LikelyFalsePositiveSuppressionBRVisitor>()); R->addVisitor(llvm::make_unique<LikelyFalsePositiveSuppressionBRVisitor>());
// Register additional node visitors. // Register additional node visitors.
R->addVisitor(llvm::make_unique<NilReceiverBRVisitor>()); R->addVisitor(llvm::make_unique<NilReceiverBRVisitor>());
R->addVisitor(llvm::make_unique<ConditionBRVisitor>()); R->addVisitor(llvm::make_unique<ConditionBRVisitor>());
R->addVisitor(llvm::make_unique<TagVisitor>()); R->addVisitor(llvm::make_unique<TagVisitor>());
BugReporterContext BRC(Reporter, ErrorGraph.BackMap); BugReporterContext BRC(Reporter, BugPath->MapToOriginNodes);
// Run all visitors on a given graph, once. // Run all visitors on a given graph, once.
std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes = std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes =
generateVisitorsDiagnostics(R, ErrorNode, BRC); generateVisitorsDiagnostics(R, ErrorNode, BRC);
if (R->isValid()) { if (R->isValid()) {
if (Opts.ShouldCrosscheckWithZ3) { if (Reporter.getAnalyzerOptions().ShouldCrosscheckWithZ3) {
// If crosscheck is enabled, remove all visitors, add the refutation // If crosscheck is enabled, remove all visitors, add the refutation
// visitor and check again // visitor and check again
R->clearVisitors(); R->clearVisitors();
R->addVisitor(llvm::make_unique<FalsePositiveRefutationBRVisitor>()); R->addVisitor(llvm::make_unique<FalsePositiveRefutationBRVisitor>());
// We don't overrite the notes inserted by other visitors because the // We don't overrite the notes inserted by other visitors because the
// refutation manager does not add any new note to the path // refutation manager does not add any new note to the path
generateVisitorsDiagnostics(R, ErrorGraph.ErrorNode, BRC); generateVisitorsDiagnostics(R, BugPath->ErrorNode, BRC);
} }
// Check if the bug is still valid // Check if the bug is still valid
if (R->isValid()) if (R->isValid())
return std::make_pair(R, std::move(visitorNotes)); return {std::move(*BugPath), std::move(visitorNotes)};
} }
} }
return std::make_pair(nullptr, llvm::make_unique<VisitorsDiagnosticsTy>()); return {};
} }
std::unique_ptr<DiagnosticForConsumerMapTy> std::unique_ptr<DiagnosticForConsumerMapTy>
GRBugReporter::generatePathDiagnostics( GRBugReporter::generatePathDiagnostics(
ArrayRef<PathDiagnosticConsumer *> consumers, ArrayRef<PathDiagnosticConsumer *> consumers,
ArrayRef<BugReport *> &bugReports) { ArrayRef<BugReport *> &bugReports) {
assert(!bugReports.empty()); assert(!bugReports.empty());
auto Out = llvm::make_unique<DiagnosticForConsumerMapTy>(); auto Out = llvm::make_unique<DiagnosticForConsumerMapTy>();
bool HasValid = false;
SmallVector<const ExplodedNode *, 32> errorNodes;
for (const auto I : bugReports) {
if (I->isValid()) {
HasValid = true;
errorNodes.push_back(I->getErrorNode());
} else {
// Keep the errorNodes list in sync with the bugReports list.
errorNodes.push_back(nullptr);
}
}
// If all the reports have been marked invalid by a previous path generation,
// we're done.
if (!HasValid)
return Out;
TrimmedGraph TrimG(&getGraph(), errorNodes); ReportInfo Info = findValidReport(bugReports, *this);
ReportGraph ErrorGraph;
auto ReportInfo = findValidReport(TrimG, ErrorGraph, bugReports,
getAnalyzerOptions(), *this);
BugReport *R = ReportInfo.first;
if (R && R->isValid()) { if (Info.isValid()) {
const ExplodedNode *ErrorNode = ErrorGraph.ErrorNode;
for (PathDiagnosticConsumer *PC : consumers) { for (PathDiagnosticConsumer *PC : consumers) {
PathDiagnosticBuilder PDB(*this, R, ErrorGraph.BackMap, PC); PathDiagnosticBuilder PDB(*this, Info.getBugReport(),
Info.getMapToOriginNodes(), PC);
std::unique_ptr<PathDiagnostic> PD = generatePathDiagnosticForConsumer( std::unique_ptr<PathDiagnostic> PD = generatePathDiagnosticForConsumer(
PC->getGenerationScheme(), PDB, ErrorNode, *ReportInfo.second); PC->getGenerationScheme(), PDB, Info.getErrorNode(),
Info.getVisitorsDiagnostics());
(*Out)[PC] = std::move(PD); (*Out)[PC] = std::move(PD);
} }
} }
return Out; return Out;
} }
void BugReporter::Register(const BugType *BT) { void BugReporter::Register(const BugType *BT) {
▲ Show 20 LinesShow All 455 LinesShow Last 20 Lines