1 //===--- AnalysisConsumer.cpp - ASTConsumer for running Analyses ----------===// 2 // 3 // The LLVM Compiler Infrastructure 4 // 5 // This file is distributed under the University of Illinois Open Source 6 // License. See LICENSE.TXT for details. 7 // 8 //===----------------------------------------------------------------------===// 9 // 10 // "Meta" ASTConsumer for running different source analyses. 11 // 12 //===----------------------------------------------------------------------===// 13 14 #include "clang/StaticAnalyzer/Frontend/AnalysisConsumer.h" 15 #include "ModelInjector.h" 16 #include "clang/AST/ASTConsumer.h" 17 #include "clang/AST/DataRecursiveASTVisitor.h" 18 #include "clang/AST/Decl.h" 19 #include "clang/AST/DeclCXX.h" 20 #include "clang/AST/DeclObjC.h" 21 #include "clang/AST/ParentMap.h" 22 #include "clang/Analysis/Analyses/LiveVariables.h" 23 #include "clang/Analysis/CFG.h" 24 #include "clang/Analysis/CallGraph.h" 25 #include "clang/Analysis/CodeInjector.h" 26 #include "clang/Basic/FileManager.h" 27 #include "clang/Basic/SourceManager.h" 28 #include "clang/Frontend/CompilerInstance.h" 29 #include "clang/Lex/Preprocessor.h" 30 #include "clang/StaticAnalyzer/Checkers/LocalCheckers.h" 31 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h" 32 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h" 33 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h" 34 #include "clang/StaticAnalyzer/Core/CheckerManager.h" 35 #include "clang/StaticAnalyzer/Core/PathDiagnosticConsumers.h" 36 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h" 37 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h" 38 #include "clang/StaticAnalyzer/Frontend/CheckerRegistration.h" 39 #include "llvm/ADT/DepthFirstIterator.h" 40 #include "llvm/ADT/PostOrderIterator.h" 41 #include "llvm/ADT/SmallPtrSet.h" 42 #include "llvm/ADT/Statistic.h" 43 #include "llvm/Support/FileSystem.h" 44 #include "llvm/Support/Path.h" 45 #include "llvm/Support/Program.h" 46 #include "llvm/Support/Timer.h" 47 #include "llvm/Support/raw_ostream.h" 48 #include <memory> 49 #include <queue> 50 51 using namespace clang; 52 using namespace ento; 53 using llvm::SmallPtrSet; 54 55 #define DEBUG_TYPE "AnalysisConsumer" 56 57 static std::unique_ptr<ExplodedNode::Auditor> CreateUbiViz(); 58 59 STATISTIC(NumFunctionTopLevel, "The # of functions at top level."); 60 STATISTIC(NumFunctionsAnalyzed, 61 "The # of functions and blocks analyzed (as top level " 62 "with inlining turned on)."); 63 STATISTIC(NumBlocksInAnalyzedFunctions, 64 "The # of basic blocks in the analyzed functions."); 65 STATISTIC(PercentReachableBlocks, "The % of reachable basic blocks."); 66 STATISTIC(MaxCFGSize, "The maximum number of basic blocks in a function."); 67 68 //===----------------------------------------------------------------------===// 69 // Special PathDiagnosticConsumers. 70 //===----------------------------------------------------------------------===// 71 createPlistHTMLDiagnosticConsumer(AnalyzerOptions & AnalyzerOpts,PathDiagnosticConsumers & C,const std::string & prefix,const Preprocessor & PP)72 void ento::createPlistHTMLDiagnosticConsumer(AnalyzerOptions &AnalyzerOpts, 73 PathDiagnosticConsumers &C, 74 const std::string &prefix, 75 const Preprocessor &PP) { 76 createHTMLDiagnosticConsumer(AnalyzerOpts, C, 77 llvm::sys::path::parent_path(prefix), PP); 78 createPlistDiagnosticConsumer(AnalyzerOpts, C, prefix, PP); 79 } 80 createTextPathDiagnosticConsumer(AnalyzerOptions & AnalyzerOpts,PathDiagnosticConsumers & C,const std::string & Prefix,const clang::Preprocessor & PP)81 void ento::createTextPathDiagnosticConsumer(AnalyzerOptions &AnalyzerOpts, 82 PathDiagnosticConsumers &C, 83 const std::string &Prefix, 84 const clang::Preprocessor &PP) { 85 llvm_unreachable("'text' consumer should be enabled on ClangDiags"); 86 } 87 88 namespace { 89 class ClangDiagPathDiagConsumer : public PathDiagnosticConsumer { 90 DiagnosticsEngine &Diag; 91 bool IncludePath; 92 public: ClangDiagPathDiagConsumer(DiagnosticsEngine & Diag)93 ClangDiagPathDiagConsumer(DiagnosticsEngine &Diag) 94 : Diag(Diag), IncludePath(false) {} ~ClangDiagPathDiagConsumer()95 virtual ~ClangDiagPathDiagConsumer() {} getName() const96 StringRef getName() const override { return "ClangDiags"; } 97 supportsLogicalOpControlFlow() const98 bool supportsLogicalOpControlFlow() const override { return true; } supportsCrossFileDiagnostics() const99 bool supportsCrossFileDiagnostics() const override { return true; } 100 getGenerationScheme() const101 PathGenerationScheme getGenerationScheme() const override { 102 return IncludePath ? Minimal : None; 103 } 104 enablePaths()105 void enablePaths() { 106 IncludePath = true; 107 } 108 FlushDiagnosticsImpl(std::vector<const PathDiagnostic * > & Diags,FilesMade * filesMade)109 void FlushDiagnosticsImpl(std::vector<const PathDiagnostic *> &Diags, 110 FilesMade *filesMade) override { 111 unsigned WarnID = Diag.getCustomDiagID(DiagnosticsEngine::Warning, "%0"); 112 unsigned NoteID = Diag.getCustomDiagID(DiagnosticsEngine::Note, "%0"); 113 114 for (std::vector<const PathDiagnostic*>::iterator I = Diags.begin(), 115 E = Diags.end(); I != E; ++I) { 116 const PathDiagnostic *PD = *I; 117 SourceLocation WarnLoc = PD->getLocation().asLocation(); 118 Diag.Report(WarnLoc, WarnID) << PD->getShortDescription() 119 << PD->path.back()->getRanges(); 120 121 if (!IncludePath) 122 continue; 123 124 PathPieces FlatPath = PD->path.flatten(/*ShouldFlattenMacros=*/true); 125 for (PathPieces::const_iterator PI = FlatPath.begin(), 126 PE = FlatPath.end(); 127 PI != PE; ++PI) { 128 SourceLocation NoteLoc = (*PI)->getLocation().asLocation(); 129 Diag.Report(NoteLoc, NoteID) << (*PI)->getString() 130 << (*PI)->getRanges(); 131 } 132 } 133 } 134 }; 135 } // end anonymous namespace 136 137 //===----------------------------------------------------------------------===// 138 // AnalysisConsumer declaration. 139 //===----------------------------------------------------------------------===// 140 141 namespace { 142 143 class AnalysisConsumer : public AnalysisASTConsumer, 144 public DataRecursiveASTVisitor<AnalysisConsumer> { 145 enum { 146 AM_None = 0, 147 AM_Syntax = 0x1, 148 AM_Path = 0x2 149 }; 150 typedef unsigned AnalysisMode; 151 152 /// Mode of the analyzes while recursively visiting Decls. 153 AnalysisMode RecVisitorMode; 154 /// Bug Reporter to use while recursively visiting Decls. 155 BugReporter *RecVisitorBR; 156 157 public: 158 ASTContext *Ctx; 159 const Preprocessor &PP; 160 const std::string OutDir; 161 AnalyzerOptionsRef Opts; 162 ArrayRef<std::string> Plugins; 163 CodeInjector *Injector; 164 165 /// \brief Stores the declarations from the local translation unit. 166 /// Note, we pre-compute the local declarations at parse time as an 167 /// optimization to make sure we do not deserialize everything from disk. 168 /// The local declaration to all declarations ratio might be very small when 169 /// working with a PCH file. 170 SetOfDecls LocalTUDecls; 171 172 // Set of PathDiagnosticConsumers. Owned by AnalysisManager. 173 PathDiagnosticConsumers PathConsumers; 174 175 StoreManagerCreator CreateStoreMgr; 176 ConstraintManagerCreator CreateConstraintMgr; 177 178 std::unique_ptr<CheckerManager> checkerMgr; 179 std::unique_ptr<AnalysisManager> Mgr; 180 181 /// Time the analyzes time of each translation unit. 182 static llvm::Timer* TUTotalTimer; 183 184 /// The information about analyzed functions shared throughout the 185 /// translation unit. 186 FunctionSummariesTy FunctionSummaries; 187 AnalysisConsumer(const Preprocessor & pp,const std::string & outdir,AnalyzerOptionsRef opts,ArrayRef<std::string> plugins,CodeInjector * injector)188 AnalysisConsumer(const Preprocessor& pp, 189 const std::string& outdir, 190 AnalyzerOptionsRef opts, 191 ArrayRef<std::string> plugins, 192 CodeInjector *injector) 193 : RecVisitorMode(0), RecVisitorBR(nullptr), Ctx(nullptr), PP(pp), 194 OutDir(outdir), Opts(opts), Plugins(plugins), Injector(injector) { 195 DigestAnalyzerOptions(); 196 if (Opts->PrintStats) { 197 llvm::EnableStatistics(); 198 TUTotalTimer = new llvm::Timer("Analyzer Total Time"); 199 } 200 } 201 ~AnalysisConsumer()202 ~AnalysisConsumer() { 203 if (Opts->PrintStats) 204 delete TUTotalTimer; 205 } 206 DigestAnalyzerOptions()207 void DigestAnalyzerOptions() { 208 if (Opts->AnalysisDiagOpt != PD_NONE) { 209 // Create the PathDiagnosticConsumer. 210 ClangDiagPathDiagConsumer *clangDiags = 211 new ClangDiagPathDiagConsumer(PP.getDiagnostics()); 212 PathConsumers.push_back(clangDiags); 213 214 if (Opts->AnalysisDiagOpt == PD_TEXT) { 215 clangDiags->enablePaths(); 216 217 } else if (!OutDir.empty()) { 218 switch (Opts->AnalysisDiagOpt) { 219 default: 220 #define ANALYSIS_DIAGNOSTICS(NAME, CMDFLAG, DESC, CREATEFN) \ 221 case PD_##NAME: \ 222 CREATEFN(*Opts.get(), PathConsumers, OutDir, PP); \ 223 break; 224 #include "clang/StaticAnalyzer/Core/Analyses.def" 225 } 226 } 227 } 228 229 // Create the analyzer component creators. 230 switch (Opts->AnalysisStoreOpt) { 231 default: 232 llvm_unreachable("Unknown store manager."); 233 #define ANALYSIS_STORE(NAME, CMDFLAG, DESC, CREATEFN) \ 234 case NAME##Model: CreateStoreMgr = CREATEFN; break; 235 #include "clang/StaticAnalyzer/Core/Analyses.def" 236 } 237 238 switch (Opts->AnalysisConstraintsOpt) { 239 default: 240 llvm_unreachable("Unknown constraint manager."); 241 #define ANALYSIS_CONSTRAINTS(NAME, CMDFLAG, DESC, CREATEFN) \ 242 case NAME##Model: CreateConstraintMgr = CREATEFN; break; 243 #include "clang/StaticAnalyzer/Core/Analyses.def" 244 } 245 } 246 DisplayFunction(const Decl * D,AnalysisMode Mode,ExprEngine::InliningModes IMode)247 void DisplayFunction(const Decl *D, AnalysisMode Mode, 248 ExprEngine::InliningModes IMode) { 249 if (!Opts->AnalyzerDisplayProgress) 250 return; 251 252 SourceManager &SM = Mgr->getASTContext().getSourceManager(); 253 PresumedLoc Loc = SM.getPresumedLoc(D->getLocation()); 254 if (Loc.isValid()) { 255 llvm::errs() << "ANALYZE"; 256 257 if (Mode == AM_Syntax) 258 llvm::errs() << " (Syntax)"; 259 else if (Mode == AM_Path) { 260 llvm::errs() << " (Path, "; 261 switch (IMode) { 262 case ExprEngine::Inline_Minimal: 263 llvm::errs() << " Inline_Minimal"; 264 break; 265 case ExprEngine::Inline_Regular: 266 llvm::errs() << " Inline_Regular"; 267 break; 268 } 269 llvm::errs() << ")"; 270 } 271 else 272 assert(Mode == (AM_Syntax | AM_Path) && "Unexpected mode!"); 273 274 llvm::errs() << ": " << Loc.getFilename(); 275 if (isa<FunctionDecl>(D) || isa<ObjCMethodDecl>(D)) { 276 const NamedDecl *ND = cast<NamedDecl>(D); 277 llvm::errs() << ' ' << *ND << '\n'; 278 } 279 else if (isa<BlockDecl>(D)) { 280 llvm::errs() << ' ' << "block(line:" << Loc.getLine() << ",col:" 281 << Loc.getColumn() << '\n'; 282 } 283 else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) { 284 Selector S = MD->getSelector(); 285 llvm::errs() << ' ' << S.getAsString(); 286 } 287 } 288 } 289 Initialize(ASTContext & Context)290 void Initialize(ASTContext &Context) override { 291 Ctx = &Context; 292 checkerMgr = createCheckerManager(*Opts, PP.getLangOpts(), Plugins, 293 PP.getDiagnostics()); 294 295 Mgr = llvm::make_unique<AnalysisManager>( 296 *Ctx, PP.getDiagnostics(), PP.getLangOpts(), PathConsumers, 297 CreateStoreMgr, CreateConstraintMgr, checkerMgr.get(), *Opts, Injector); 298 } 299 300 /// \brief Store the top level decls in the set to be processed later on. 301 /// (Doing this pre-processing avoids deserialization of data from PCH.) 302 bool HandleTopLevelDecl(DeclGroupRef D) override; 303 void HandleTopLevelDeclInObjCContainer(DeclGroupRef D) override; 304 305 void HandleTranslationUnit(ASTContext &C) override; 306 307 /// \brief Determine which inlining mode should be used when this function is 308 /// analyzed. This allows to redefine the default inlining policies when 309 /// analyzing a given function. 310 ExprEngine::InliningModes 311 getInliningModeForFunction(const Decl *D, const SetOfConstDecls &Visited); 312 313 /// \brief Build the call graph for all the top level decls of this TU and 314 /// use it to define the order in which the functions should be visited. 315 void HandleDeclsCallGraph(const unsigned LocalTUDeclsSize); 316 317 /// \brief Run analyzes(syntax or path sensitive) on the given function. 318 /// \param Mode - determines if we are requesting syntax only or path 319 /// sensitive only analysis. 320 /// \param VisitedCallees - The output parameter, which is populated with the 321 /// set of functions which should be considered analyzed after analyzing the 322 /// given root function. 323 void HandleCode(Decl *D, AnalysisMode Mode, 324 ExprEngine::InliningModes IMode = ExprEngine::Inline_Minimal, 325 SetOfConstDecls *VisitedCallees = nullptr); 326 327 void RunPathSensitiveChecks(Decl *D, 328 ExprEngine::InliningModes IMode, 329 SetOfConstDecls *VisitedCallees); 330 void ActionExprEngine(Decl *D, bool ObjCGCEnabled, 331 ExprEngine::InliningModes IMode, 332 SetOfConstDecls *VisitedCallees); 333 334 /// Visitors for the RecursiveASTVisitor. shouldWalkTypesOfTypeLocs() const335 bool shouldWalkTypesOfTypeLocs() const { return false; } 336 337 /// Handle callbacks for arbitrary Decls. VisitDecl(Decl * D)338 bool VisitDecl(Decl *D) { 339 AnalysisMode Mode = getModeForDecl(D, RecVisitorMode); 340 if (Mode & AM_Syntax) 341 checkerMgr->runCheckersOnASTDecl(D, *Mgr, *RecVisitorBR); 342 return true; 343 } 344 VisitFunctionDecl(FunctionDecl * FD)345 bool VisitFunctionDecl(FunctionDecl *FD) { 346 IdentifierInfo *II = FD->getIdentifier(); 347 if (II && II->getName().startswith("__inline")) 348 return true; 349 350 // We skip function template definitions, as their semantics is 351 // only determined when they are instantiated. 352 if (FD->isThisDeclarationADefinition() && 353 !FD->isDependentContext()) { 354 assert(RecVisitorMode == AM_Syntax || Mgr->shouldInlineCall() == false); 355 HandleCode(FD, RecVisitorMode); 356 } 357 return true; 358 } 359 VisitObjCMethodDecl(ObjCMethodDecl * MD)360 bool VisitObjCMethodDecl(ObjCMethodDecl *MD) { 361 if (MD->isThisDeclarationADefinition()) { 362 assert(RecVisitorMode == AM_Syntax || Mgr->shouldInlineCall() == false); 363 HandleCode(MD, RecVisitorMode); 364 } 365 return true; 366 } 367 VisitBlockDecl(BlockDecl * BD)368 bool VisitBlockDecl(BlockDecl *BD) { 369 if (BD->hasBody()) { 370 assert(RecVisitorMode == AM_Syntax || Mgr->shouldInlineCall() == false); 371 HandleCode(BD, RecVisitorMode); 372 } 373 return true; 374 } 375 376 virtual void AddDiagnosticConsumer(PathDiagnosticConsumer * Consumer)377 AddDiagnosticConsumer(PathDiagnosticConsumer *Consumer) override { 378 PathConsumers.push_back(Consumer); 379 } 380 381 private: 382 void storeTopLevelDecls(DeclGroupRef DG); 383 384 /// \brief Check if we should skip (not analyze) the given function. 385 AnalysisMode getModeForDecl(Decl *D, AnalysisMode Mode); 386 387 }; 388 } // end anonymous namespace 389 390 391 //===----------------------------------------------------------------------===// 392 // AnalysisConsumer implementation. 393 //===----------------------------------------------------------------------===// 394 llvm::Timer* AnalysisConsumer::TUTotalTimer = nullptr; 395 HandleTopLevelDecl(DeclGroupRef DG)396 bool AnalysisConsumer::HandleTopLevelDecl(DeclGroupRef DG) { 397 storeTopLevelDecls(DG); 398 return true; 399 } 400 HandleTopLevelDeclInObjCContainer(DeclGroupRef DG)401 void AnalysisConsumer::HandleTopLevelDeclInObjCContainer(DeclGroupRef DG) { 402 storeTopLevelDecls(DG); 403 } 404 storeTopLevelDecls(DeclGroupRef DG)405 void AnalysisConsumer::storeTopLevelDecls(DeclGroupRef DG) { 406 for (DeclGroupRef::iterator I = DG.begin(), E = DG.end(); I != E; ++I) { 407 408 // Skip ObjCMethodDecl, wait for the objc container to avoid 409 // analyzing twice. 410 if (isa<ObjCMethodDecl>(*I)) 411 continue; 412 413 LocalTUDecls.push_back(*I); 414 } 415 } 416 shouldSkipFunction(const Decl * D,const SetOfConstDecls & Visited,const SetOfConstDecls & VisitedAsTopLevel)417 static bool shouldSkipFunction(const Decl *D, 418 const SetOfConstDecls &Visited, 419 const SetOfConstDecls &VisitedAsTopLevel) { 420 if (VisitedAsTopLevel.count(D)) 421 return true; 422 423 // We want to re-analyse the functions as top level in the following cases: 424 // - The 'init' methods should be reanalyzed because 425 // ObjCNonNilReturnValueChecker assumes that '[super init]' never returns 426 // 'nil' and unless we analyze the 'init' functions as top level, we will 427 // not catch errors within defensive code. 428 // - We want to reanalyze all ObjC methods as top level to report Retain 429 // Count naming convention errors more aggressively. 430 if (isa<ObjCMethodDecl>(D)) 431 return false; 432 433 // Otherwise, if we visited the function before, do not reanalyze it. 434 return Visited.count(D); 435 } 436 437 ExprEngine::InliningModes getInliningModeForFunction(const Decl * D,const SetOfConstDecls & Visited)438 AnalysisConsumer::getInliningModeForFunction(const Decl *D, 439 const SetOfConstDecls &Visited) { 440 // We want to reanalyze all ObjC methods as top level to report Retain 441 // Count naming convention errors more aggressively. But we should tune down 442 // inlining when reanalyzing an already inlined function. 443 if (Visited.count(D)) { 444 assert(isa<ObjCMethodDecl>(D) && 445 "We are only reanalyzing ObjCMethods."); 446 const ObjCMethodDecl *ObjCM = cast<ObjCMethodDecl>(D); 447 if (ObjCM->getMethodFamily() != OMF_init) 448 return ExprEngine::Inline_Minimal; 449 } 450 451 return ExprEngine::Inline_Regular; 452 } 453 HandleDeclsCallGraph(const unsigned LocalTUDeclsSize)454 void AnalysisConsumer::HandleDeclsCallGraph(const unsigned LocalTUDeclsSize) { 455 // Build the Call Graph by adding all the top level declarations to the graph. 456 // Note: CallGraph can trigger deserialization of more items from a pch 457 // (though HandleInterestingDecl); triggering additions to LocalTUDecls. 458 // We rely on random access to add the initially processed Decls to CG. 459 CallGraph CG; 460 for (unsigned i = 0 ; i < LocalTUDeclsSize ; ++i) { 461 CG.addToCallGraph(LocalTUDecls[i]); 462 } 463 464 // Walk over all of the call graph nodes in topological order, so that we 465 // analyze parents before the children. Skip the functions inlined into 466 // the previously processed functions. Use external Visited set to identify 467 // inlined functions. The topological order allows the "do not reanalyze 468 // previously inlined function" performance heuristic to be triggered more 469 // often. 470 SetOfConstDecls Visited; 471 SetOfConstDecls VisitedAsTopLevel; 472 llvm::ReversePostOrderTraversal<clang::CallGraph*> RPOT(&CG); 473 for (llvm::ReversePostOrderTraversal<clang::CallGraph*>::rpo_iterator 474 I = RPOT.begin(), E = RPOT.end(); I != E; ++I) { 475 NumFunctionTopLevel++; 476 477 CallGraphNode *N = *I; 478 Decl *D = N->getDecl(); 479 480 // Skip the abstract root node. 481 if (!D) 482 continue; 483 484 // Skip the functions which have been processed already or previously 485 // inlined. 486 if (shouldSkipFunction(D, Visited, VisitedAsTopLevel)) 487 continue; 488 489 // Analyze the function. 490 SetOfConstDecls VisitedCallees; 491 492 HandleCode(D, AM_Path, getInliningModeForFunction(D, Visited), 493 (Mgr->options.InliningMode == All ? nullptr : &VisitedCallees)); 494 495 // Add the visited callees to the global visited set. 496 for (SetOfConstDecls::iterator I = VisitedCallees.begin(), 497 E = VisitedCallees.end(); I != E; ++I) { 498 Visited.insert(*I); 499 } 500 VisitedAsTopLevel.insert(D); 501 } 502 } 503 HandleTranslationUnit(ASTContext & C)504 void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) { 505 // Don't run the actions if an error has occurred with parsing the file. 506 DiagnosticsEngine &Diags = PP.getDiagnostics(); 507 if (Diags.hasErrorOccurred() || Diags.hasFatalErrorOccurred()) 508 return; 509 510 // Don't analyze if the user explicitly asked for no checks to be performed 511 // on this file. 512 if (Opts->DisableAllChecks) 513 return; 514 515 { 516 if (TUTotalTimer) TUTotalTimer->startTimer(); 517 518 // Introduce a scope to destroy BR before Mgr. 519 BugReporter BR(*Mgr); 520 TranslationUnitDecl *TU = C.getTranslationUnitDecl(); 521 checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR); 522 523 // Run the AST-only checks using the order in which functions are defined. 524 // If inlining is not turned on, use the simplest function order for path 525 // sensitive analyzes as well. 526 RecVisitorMode = AM_Syntax; 527 if (!Mgr->shouldInlineCall()) 528 RecVisitorMode |= AM_Path; 529 RecVisitorBR = &BR; 530 531 // Process all the top level declarations. 532 // 533 // Note: TraverseDecl may modify LocalTUDecls, but only by appending more 534 // entries. Thus we don't use an iterator, but rely on LocalTUDecls 535 // random access. By doing so, we automatically compensate for iterators 536 // possibly being invalidated, although this is a bit slower. 537 const unsigned LocalTUDeclsSize = LocalTUDecls.size(); 538 for (unsigned i = 0 ; i < LocalTUDeclsSize ; ++i) { 539 TraverseDecl(LocalTUDecls[i]); 540 } 541 542 if (Mgr->shouldInlineCall()) 543 HandleDeclsCallGraph(LocalTUDeclsSize); 544 545 // After all decls handled, run checkers on the entire TranslationUnit. 546 checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR); 547 548 RecVisitorBR = nullptr; 549 } 550 551 // Explicitly destroy the PathDiagnosticConsumer. This will flush its output. 552 // FIXME: This should be replaced with something that doesn't rely on 553 // side-effects in PathDiagnosticConsumer's destructor. This is required when 554 // used with option -disable-free. 555 Mgr.reset(); 556 557 if (TUTotalTimer) TUTotalTimer->stopTimer(); 558 559 // Count how many basic blocks we have not covered. 560 NumBlocksInAnalyzedFunctions = FunctionSummaries.getTotalNumBasicBlocks(); 561 if (NumBlocksInAnalyzedFunctions > 0) 562 PercentReachableBlocks = 563 (FunctionSummaries.getTotalNumVisitedBasicBlocks() * 100) / 564 NumBlocksInAnalyzedFunctions; 565 566 } 567 getFunctionName(const Decl * D)568 static std::string getFunctionName(const Decl *D) { 569 if (const ObjCMethodDecl *ID = dyn_cast<ObjCMethodDecl>(D)) { 570 return ID->getSelector().getAsString(); 571 } 572 if (const FunctionDecl *ND = dyn_cast<FunctionDecl>(D)) { 573 IdentifierInfo *II = ND->getIdentifier(); 574 if (II) 575 return II->getName(); 576 } 577 return ""; 578 } 579 580 AnalysisConsumer::AnalysisMode getModeForDecl(Decl * D,AnalysisMode Mode)581 AnalysisConsumer::getModeForDecl(Decl *D, AnalysisMode Mode) { 582 if (!Opts->AnalyzeSpecificFunction.empty() && 583 getFunctionName(D) != Opts->AnalyzeSpecificFunction) 584 return AM_None; 585 586 // Unless -analyze-all is specified, treat decls differently depending on 587 // where they came from: 588 // - Main source file: run both path-sensitive and non-path-sensitive checks. 589 // - Header files: run non-path-sensitive checks only. 590 // - System headers: don't run any checks. 591 SourceManager &SM = Ctx->getSourceManager(); 592 SourceLocation SL = SM.getExpansionLoc(D->getLocation()); 593 if (!Opts->AnalyzeAll && !SM.isInMainFile(SL)) { 594 if (SL.isInvalid() || SM.isInSystemHeader(SL)) 595 return AM_None; 596 return Mode & ~AM_Path; 597 } 598 599 return Mode; 600 } 601 HandleCode(Decl * D,AnalysisMode Mode,ExprEngine::InliningModes IMode,SetOfConstDecls * VisitedCallees)602 void AnalysisConsumer::HandleCode(Decl *D, AnalysisMode Mode, 603 ExprEngine::InliningModes IMode, 604 SetOfConstDecls *VisitedCallees) { 605 if (!D->hasBody()) 606 return; 607 Mode = getModeForDecl(D, Mode); 608 if (Mode == AM_None) 609 return; 610 611 DisplayFunction(D, Mode, IMode); 612 CFG *DeclCFG = Mgr->getCFG(D); 613 if (DeclCFG) { 614 unsigned CFGSize = DeclCFG->size(); 615 MaxCFGSize = MaxCFGSize < CFGSize ? CFGSize : MaxCFGSize; 616 } 617 618 // Clear the AnalysisManager of old AnalysisDeclContexts. 619 Mgr->ClearContexts(); 620 BugReporter BR(*Mgr); 621 622 if (Mode & AM_Syntax) 623 checkerMgr->runCheckersOnASTBody(D, *Mgr, BR); 624 if ((Mode & AM_Path) && checkerMgr->hasPathSensitiveCheckers()) { 625 RunPathSensitiveChecks(D, IMode, VisitedCallees); 626 if (IMode != ExprEngine::Inline_Minimal) 627 NumFunctionsAnalyzed++; 628 } 629 } 630 631 //===----------------------------------------------------------------------===// 632 // Path-sensitive checking. 633 //===----------------------------------------------------------------------===// 634 ActionExprEngine(Decl * D,bool ObjCGCEnabled,ExprEngine::InliningModes IMode,SetOfConstDecls * VisitedCallees)635 void AnalysisConsumer::ActionExprEngine(Decl *D, bool ObjCGCEnabled, 636 ExprEngine::InliningModes IMode, 637 SetOfConstDecls *VisitedCallees) { 638 // Construct the analysis engine. First check if the CFG is valid. 639 // FIXME: Inter-procedural analysis will need to handle invalid CFGs. 640 if (!Mgr->getCFG(D)) 641 return; 642 643 // See if the LiveVariables analysis scales. 644 if (!Mgr->getAnalysisDeclContext(D)->getAnalysis<RelaxedLiveVariables>()) 645 return; 646 647 ExprEngine Eng(*Mgr, ObjCGCEnabled, VisitedCallees, &FunctionSummaries,IMode); 648 649 // Set the graph auditor. 650 std::unique_ptr<ExplodedNode::Auditor> Auditor; 651 if (Mgr->options.visualizeExplodedGraphWithUbiGraph) { 652 Auditor = CreateUbiViz(); 653 ExplodedNode::SetAuditor(Auditor.get()); 654 } 655 656 // Execute the worklist algorithm. 657 Eng.ExecuteWorkList(Mgr->getAnalysisDeclContextManager().getStackFrame(D), 658 Mgr->options.getMaxNodesPerTopLevelFunction()); 659 660 // Release the auditor (if any) so that it doesn't monitor the graph 661 // created BugReporter. 662 ExplodedNode::SetAuditor(nullptr); 663 664 // Visualize the exploded graph. 665 if (Mgr->options.visualizeExplodedGraphWithGraphViz) 666 Eng.ViewGraph(Mgr->options.TrimGraph); 667 668 // Display warnings. 669 Eng.getBugReporter().FlushReports(); 670 } 671 RunPathSensitiveChecks(Decl * D,ExprEngine::InliningModes IMode,SetOfConstDecls * Visited)672 void AnalysisConsumer::RunPathSensitiveChecks(Decl *D, 673 ExprEngine::InliningModes IMode, 674 SetOfConstDecls *Visited) { 675 676 switch (Mgr->getLangOpts().getGC()) { 677 case LangOptions::NonGC: 678 ActionExprEngine(D, false, IMode, Visited); 679 break; 680 681 case LangOptions::GCOnly: 682 ActionExprEngine(D, true, IMode, Visited); 683 break; 684 685 case LangOptions::HybridGC: 686 ActionExprEngine(D, false, IMode, Visited); 687 ActionExprEngine(D, true, IMode, Visited); 688 break; 689 } 690 } 691 692 //===----------------------------------------------------------------------===// 693 // AnalysisConsumer creation. 694 //===----------------------------------------------------------------------===// 695 696 std::unique_ptr<AnalysisASTConsumer> CreateAnalysisConsumer(CompilerInstance & CI)697 ento::CreateAnalysisConsumer(CompilerInstance &CI) { 698 // Disable the effects of '-Werror' when using the AnalysisConsumer. 699 CI.getPreprocessor().getDiagnostics().setWarningsAsErrors(false); 700 701 AnalyzerOptionsRef analyzerOpts = CI.getAnalyzerOpts(); 702 bool hasModelPath = analyzerOpts->Config.count("model-path") > 0; 703 704 return llvm::make_unique<AnalysisConsumer>( 705 CI.getPreprocessor(), CI.getFrontendOpts().OutputFile, analyzerOpts, 706 CI.getFrontendOpts().Plugins, 707 hasModelPath ? new ModelInjector(CI) : nullptr); 708 } 709 710 //===----------------------------------------------------------------------===// 711 // Ubigraph Visualization. FIXME: Move to separate file. 712 //===----------------------------------------------------------------------===// 713 714 namespace { 715 716 class UbigraphViz : public ExplodedNode::Auditor { 717 std::unique_ptr<raw_ostream> Out; 718 std::string Filename; 719 unsigned Cntr; 720 721 typedef llvm::DenseMap<void*,unsigned> VMap; 722 VMap M; 723 724 public: 725 UbigraphViz(std::unique_ptr<raw_ostream> Out, StringRef Filename); 726 727 ~UbigraphViz(); 728 729 void AddEdge(ExplodedNode *Src, ExplodedNode *Dst) override; 730 }; 731 732 } // end anonymous namespace 733 CreateUbiViz()734 static std::unique_ptr<ExplodedNode::Auditor> CreateUbiViz() { 735 SmallString<128> P; 736 int FD; 737 llvm::sys::fs::createTemporaryFile("llvm_ubi", "", FD, P); 738 llvm::errs() << "Writing '" << P.str() << "'.\n"; 739 740 auto Stream = llvm::make_unique<llvm::raw_fd_ostream>(FD, true); 741 742 return llvm::make_unique<UbigraphViz>(std::move(Stream), P); 743 } 744 AddEdge(ExplodedNode * Src,ExplodedNode * Dst)745 void UbigraphViz::AddEdge(ExplodedNode *Src, ExplodedNode *Dst) { 746 747 assert (Src != Dst && "Self-edges are not allowed."); 748 749 // Lookup the Src. If it is a new node, it's a root. 750 VMap::iterator SrcI= M.find(Src); 751 unsigned SrcID; 752 753 if (SrcI == M.end()) { 754 M[Src] = SrcID = Cntr++; 755 *Out << "('vertex', " << SrcID << ", ('color','#00ff00'))\n"; 756 } 757 else 758 SrcID = SrcI->second; 759 760 // Lookup the Dst. 761 VMap::iterator DstI= M.find(Dst); 762 unsigned DstID; 763 764 if (DstI == M.end()) { 765 M[Dst] = DstID = Cntr++; 766 *Out << "('vertex', " << DstID << ")\n"; 767 } 768 else { 769 // We have hit DstID before. Change its style to reflect a cache hit. 770 DstID = DstI->second; 771 *Out << "('change_vertex_style', " << DstID << ", 1)\n"; 772 } 773 774 // Add the edge. 775 *Out << "('edge', " << SrcID << ", " << DstID 776 << ", ('arrow','true'), ('oriented', 'true'))\n"; 777 } 778 UbigraphViz(std::unique_ptr<raw_ostream> Out,StringRef Filename)779 UbigraphViz::UbigraphViz(std::unique_ptr<raw_ostream> Out, StringRef Filename) 780 : Out(std::move(Out)), Filename(Filename), Cntr(0) { 781 782 *Out << "('vertex_style_attribute', 0, ('shape', 'icosahedron'))\n"; 783 *Out << "('vertex_style', 1, 0, ('shape', 'sphere'), ('color', '#ffcc66')," 784 " ('size', '1.5'))\n"; 785 } 786 ~UbigraphViz()787 UbigraphViz::~UbigraphViz() { 788 Out.reset(); 789 llvm::errs() << "Running 'ubiviz' program... "; 790 std::string ErrMsg; 791 std::string Ubiviz; 792 if (auto Path = llvm::sys::findProgramByName("ubiviz")) 793 Ubiviz = *Path; 794 std::vector<const char*> args; 795 args.push_back(Ubiviz.c_str()); 796 args.push_back(Filename.c_str()); 797 args.push_back(nullptr); 798 799 if (llvm::sys::ExecuteAndWait(Ubiviz, &args[0], nullptr, nullptr, 0, 0, 800 &ErrMsg)) { 801 llvm::errs() << "Error viewing graph: " << ErrMsg << "\n"; 802 } 803 804 // Delete the file. 805 llvm::sys::fs::remove(Filename); 806 } 807