1	//===- BugReporter.cpp - Generate PathDiagnostics for bugs ----------------===//
2	//
3	// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4	// See https://llvm.org/LICENSE.txt for license information.
5	// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6	//
7	//===----------------------------------------------------------------------===//
8	//
9	// This file defines BugReporter, a utility class for generating
10	// PathDiagnostics.
11	//
12	//===----------------------------------------------------------------------===//
13
14	#include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
15	#include "clang/AST/Decl.h"
16	#include "clang/AST/DeclBase.h"
17	#include "clang/AST/DeclObjC.h"
18	#include "clang/AST/Expr.h"
19	#include "clang/AST/ExprCXX.h"
20	#include "clang/AST/ParentMap.h"
21	#include "clang/AST/Stmt.h"
22	#include "clang/AST/StmtCXX.h"
23	#include "clang/AST/StmtObjC.h"
24	#include "clang/Analysis/AnalysisDeclContext.h"
25	#include "clang/Analysis/CFG.h"
26	#include "clang/Analysis/CFGStmtMap.h"
27	#include "clang/Analysis/PathDiagnostic.h"
28	#include "clang/Analysis/ProgramPoint.h"
29	#include "clang/Basic/LLVM.h"
30	#include "clang/Basic/SourceLocation.h"
31	#include "clang/Basic/SourceManager.h"
32	#include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
33	#include "clang/StaticAnalyzer/Core/BugReporter/BugReporterVisitors.h"
34	#include "clang/StaticAnalyzer/Core/BugReporter/BugType.h"
35	#include "clang/StaticAnalyzer/Core/Checker.h"
36	#include "clang/StaticAnalyzer/Core/CheckerManager.h"
37	#include "clang/StaticAnalyzer/Core/CheckerRegistryData.h"
38	#include "clang/StaticAnalyzer/Core/PathSensitive/ExplodedGraph.h"
39	#include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
40	#include "clang/StaticAnalyzer/Core/PathSensitive/MemRegion.h"
41	#include "clang/StaticAnalyzer/Core/PathSensitive/ProgramState.h"
42	#include "clang/StaticAnalyzer/Core/PathSensitive/SMTConv.h"
43	#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
44	#include "clang/StaticAnalyzer/Core/PathSensitive/SymbolManager.h"
45	#include "llvm/ADT/ArrayRef.h"
46	#include "llvm/ADT/DenseMap.h"
47	#include "llvm/ADT/DenseSet.h"
48	#include "llvm/ADT/FoldingSet.h"
49	#include "llvm/ADT/None.h"
50	#include "llvm/ADT/Optional.h"
51	#include "llvm/ADT/STLExtras.h"
52	#include "llvm/ADT/SmallPtrSet.h"
53	#include "llvm/ADT/SmallString.h"
54	#include "llvm/ADT/SmallVector.h"
55	#include "llvm/ADT/Statistic.h"
56	#include "llvm/ADT/StringExtras.h"
57	#include "llvm/ADT/StringRef.h"
58	#include "llvm/ADT/iterator_range.h"
59	#include "llvm/Support/Casting.h"
60	#include "llvm/Support/Compiler.h"
61	#include "llvm/Support/ErrorHandling.h"
62	#include "llvm/Support/MemoryBuffer.h"
63	#include "llvm/Support/raw_ostream.h"
64	#include <algorithm>
65	#include <cassert>
66	#include <cstddef>
67	#include <iterator>
68	#include <memory>
69	#include <queue>
70	#include <string>
71	#include <tuple>
72	#include <utility>
73	#include <vector>
74
75	using namespace clang;
76	using namespace ento;
77	using namespace llvm;
78
79	#define DEBUG_TYPE "BugReporter"
80
81	STATISTIC(MaxBugClassSize,
82	"The maximum number of bug reports in the same equivalence class");
83	STATISTIC(MaxValidBugClassSize,
84	"The maximum number of bug reports in the same equivalence class "
85	"where at least one report is valid (not suppressed)");
86
87	BugReporterVisitor::~BugReporterVisitor() = default;
88
89	void BugReporterContext::anchor() {}
90
91	//===----------------------------------------------------------------------===//
92	// PathDiagnosticBuilder and its associated routines and helper objects.
93	//===----------------------------------------------------------------------===//
94
95	namespace {
96
97	/// A (CallPiece, node assiciated with its CallEnter) pair.
98	using CallWithEntry =
99	std::pair<PathDiagnosticCallPiece *, const ExplodedNode *>;
100	using CallWithEntryStack = SmallVector<CallWithEntry, 6>;
101
102	/// Map from each node to the diagnostic pieces visitors emit for them.
103	using VisitorsDiagnosticsTy =
104	llvm::DenseMap<const ExplodedNode *, std::vector<PathDiagnosticPieceRef>>;
105
106	/// A map from PathDiagnosticPiece to the LocationContext of the inlined
107	/// function call it represents.
108	using LocationContextMap =
109	llvm::DenseMap<const PathPieces *, const LocationContext *>;
110
111	/// A helper class that contains everything needed to construct a
112	/// PathDiagnostic object. It does no much more then providing convenient
113	/// getters and some well placed asserts for extra security.
114	class PathDiagnosticConstruct {
115	/// The consumer we're constructing the bug report for.
116	const PathDiagnosticConsumer *Consumer;
117	/// Our current position in the bug path, which is owned by
118	/// PathDiagnosticBuilder.
119	const ExplodedNode *CurrentNode;
120	/// A mapping from parts of the bug path (for example, a function call, which
121	/// would span backwards from a CallExit to a CallEnter with the nodes in
122	/// between them) with the location contexts it is associated with.
123	LocationContextMap LCM;
124	const SourceManager &SM;
125
126	public:
127	/// We keep stack of calls to functions as we're ascending the bug path.
128	/// TODO: PathDiagnostic has a stack doing the same thing, shouldn't we use
129	/// that instead?
130	CallWithEntryStack CallStack;
131	/// The bug report we're constructing. For ease of use, this field is kept
132	/// public, though some "shortcut" getters are provided for commonly used
133	/// methods of PathDiagnostic.
134	std::unique_ptr<PathDiagnostic> PD;
135
136	public:
137	PathDiagnosticConstruct(const PathDiagnosticConsumer *PDC,
138	const ExplodedNode *ErrorNode,
139	const PathSensitiveBugReport *R);
140
141	/// \returns the location context associated with the current position in the
142	/// bug path.
143	const LocationContext *getCurrLocationContext() const {
144	assert(CurrentNode && "Already reached the root!");
145	return CurrentNode->getLocationContext();
146	}
147
148	/// Same as getCurrLocationContext (they should always return the same
149	/// location context), but works after reaching the root of the bug path as
150	/// well.
151	const LocationContext *getLocationContextForActivePath() const {
152	return LCM.find(&PD->getActivePath())->getSecond();
153	}
154
155	const ExplodedNode *getCurrentNode() const { return CurrentNode; }
156
157	/// Steps the current node to its predecessor.
158	/// \returns whether we reached the root of the bug path.
159	bool ascendToPrevNode() {
160	CurrentNode = CurrentNode->getFirstPred();
161	return static_cast<bool>(CurrentNode);
162	}
163
164	const ParentMap &getParentMap() const {
165	return getCurrLocationContext()->getParentMap();
166	}
167
168	const SourceManager &getSourceManager() const { return SM; }
169
170	const Stmt *getParent(const Stmt *S) const {
171	return getParentMap().getParent(S);
172	}
173
174	void updateLocCtxMap(const PathPieces *Path, const LocationContext *LC) {
175	assert(Path && LC);
176	LCM[Path] = LC;
177	}
178
179	const LocationContext *getLocationContextFor(const PathPieces *Path) const {
180	assert(LCM.count(Path) &&
181	"Failed to find the context associated with these pieces!");
182	return LCM.find(Path)->getSecond();
183	}
184
185	bool isInLocCtxMap(const PathPieces *Path) const { return LCM.count(Path); }
186
187	PathPieces &getActivePath() { return PD->getActivePath(); }
188	PathPieces &getMutablePieces() { return PD->getMutablePieces(); }
189
190	bool shouldAddPathEdges() const { return Consumer->shouldAddPathEdges(); }
191	bool shouldAddControlNotes() const {
192	return Consumer->shouldAddControlNotes();
193	}
194	bool shouldGenerateDiagnostics() const {
195	return Consumer->shouldGenerateDiagnostics();
196	}
197	bool supportsLogicalOpControlFlow() const {
198	return Consumer->supportsLogicalOpControlFlow();
199	}
200	};
201
202	/// Contains every contextual information needed for constructing a
203	/// PathDiagnostic object for a given bug report. This class and its fields are
204	/// immutable, and passes a BugReportConstruct object around during the
205	/// construction.
206	class PathDiagnosticBuilder : public BugReporterContext {
207	/// A linear path from the error node to the root.
208	std::unique_ptr<const ExplodedGraph> BugPath;
209	/// The bug report we're describing. Visitors create their diagnostics with
210	/// them being the last entities being able to modify it (for example,
211	/// changing interestingness here would cause inconsistencies as to how this
212	/// file and visitors construct diagnostics), hence its const.
213	const PathSensitiveBugReport *R;
214	/// The leaf of the bug path. This isn't the same as the bug reports error
215	/// node, which refers to the *original* graph, not the bug path.
216	const ExplodedNode *const ErrorNode;
217	/// The diagnostic pieces visitors emitted, which is expected to be collected
218	/// by the time this builder is constructed.
219	std::unique_ptr<const VisitorsDiagnosticsTy> VisitorsDiagnostics;
220
221	public:
222	/// Find a non-invalidated report for a given equivalence class, and returns
223	/// a PathDiagnosticBuilder able to construct bug reports for different
224	/// consumers. Returns None if no valid report is found.
225	static Optional<PathDiagnosticBuilder>
226	findValidReport(ArrayRef<PathSensitiveBugReport *> &bugReports,
227	PathSensitiveBugReporter &Reporter);
228
229	PathDiagnosticBuilder(
230	BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath,
231	PathSensitiveBugReport *r, const ExplodedNode *ErrorNode,
232	std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics);
233
234	/// This function is responsible for generating diagnostic pieces that are
235	/// *not* provided by bug report visitors.
236	/// These diagnostics may differ depending on the consumer's settings,
237	/// and are therefore constructed separately for each consumer.
238	///
239	/// There are two path diagnostics generation modes: with adding edges (used
240	/// for plists) and without (used for HTML and text). When edges are added,
241	/// the path is modified to insert artificially generated edges.
242	/// Otherwise, more detailed diagnostics is emitted for block edges,
243	/// explaining the transitions in words.
244	std::unique_ptr<PathDiagnostic>
245	generate(const PathDiagnosticConsumer *PDC) const;
246
247	private:
248	void updateStackPiecesWithMessage(PathDiagnosticPieceRef P,
249	const CallWithEntryStack &CallStack) const;
250	void generatePathDiagnosticsForNode(PathDiagnosticConstruct &C,
251	PathDiagnosticLocation &PrevLoc) const;
252
253	void generateMinimalDiagForBlockEdge(PathDiagnosticConstruct &C,
254	BlockEdge BE) const;
255
256	PathDiagnosticPieceRef
257	generateDiagForGotoOP(const PathDiagnosticConstruct &C, const Stmt *S,
258	PathDiagnosticLocation &Start) const;
259
260	PathDiagnosticPieceRef
261	generateDiagForSwitchOP(const PathDiagnosticConstruct &C, const CFGBlock *Dst,
262	PathDiagnosticLocation &Start) const;
263
264	PathDiagnosticPieceRef
265	generateDiagForBinaryOP(const PathDiagnosticConstruct &C, const Stmt *T,
266	const CFGBlock *Src, const CFGBlock *DstC) const;
267
268	PathDiagnosticLocation
269	ExecutionContinues(const PathDiagnosticConstruct &C) const;
270
271	PathDiagnosticLocation
272	ExecutionContinues(llvm::raw_string_ostream &os,
273	const PathDiagnosticConstruct &C) const;
274
275	const PathSensitiveBugReport *getBugReport() const { return R; }
276	};
277
278	} // namespace
279
280	//===----------------------------------------------------------------------===//
281	// Base implementation of stack hint generators.
282	//===----------------------------------------------------------------------===//
283
284	StackHintGenerator::~StackHintGenerator() = default;
285
286	std::string StackHintGeneratorForSymbol::getMessage(const ExplodedNode *N){
287	if (!N)
288	return getMessageForSymbolNotFound();
289
290	ProgramPoint P = N->getLocation();
291	CallExitEnd CExit = P.castAs<CallExitEnd>();
292
293	// FIXME: Use CallEvent to abstract this over all calls.
294	const Stmt *CallSite = CExit.getCalleeContext()->getCallSite();
295	const auto *CE = dyn_cast_or_null<CallExpr>(CallSite);
296	if (!CE)
297	return {};
298
299	// Check if one of the parameters are set to the interesting symbol.
300	unsigned ArgIndex = 0;
301	for (CallExpr::const_arg_iterator I = CE->arg_begin(),
302	E = CE->arg_end(); I != E; ++I, ++ArgIndex){
303	SVal SV = N->getSVal(*I);
304
305	// Check if the variable corresponding to the symbol is passed by value.
306	SymbolRef AS = SV.getAsLocSymbol();
307	if (AS == Sym) {
308	return getMessageForArg(*I, ArgIndex);
309	}
310
311	// Check if the parameter is a pointer to the symbol.
312	if (Optional<loc::MemRegionVal> Reg = SV.getAs<loc::MemRegionVal>()) {
313	// Do not attempt to dereference void*.
314	if ((*I)->getType()->isVoidPointerType())
315	continue;
316	SVal PSV = N->getState()->getSVal(Reg->getRegion());
317	SymbolRef AS = PSV.getAsLocSymbol();
318	if (AS == Sym) {
319	return getMessageForArg(*I, ArgIndex);
320	}
321	}
322	}
323
324	// Check if we are returning the interesting symbol.
325	SVal SV = N->getSVal(CE);
326	SymbolRef RetSym = SV.getAsLocSymbol();
327	if (RetSym == Sym) {
328	return getMessageForReturn(CE);
329	}
330
331	return getMessageForSymbolNotFound();
332	}
333
334	std::string StackHintGeneratorForSymbol::getMessageForArg(const Expr *ArgE,
335	unsigned ArgIndex) {
336	// Printed parameters start at 1, not 0.
337	++ArgIndex;
338
339	return (llvm::Twine(Msg) + " via " + std::to_string(ArgIndex) +
340	llvm::getOrdinalSuffix(ArgIndex) + " parameter").str();
341	}
342
343	//===----------------------------------------------------------------------===//
344	// Diagnostic cleanup.
345	//===----------------------------------------------------------------------===//
346
347	static PathDiagnosticEventPiece *
348	eventsDescribeSameCondition(PathDiagnosticEventPiece *X,
349	PathDiagnosticEventPiece *Y) {
350	// Prefer diagnostics that come from ConditionBRVisitor over
351	// those that came from TrackConstraintBRVisitor,
352	// unless the one from ConditionBRVisitor is
353	// its generic fallback diagnostic.
354	const void *tagPreferred = ConditionBRVisitor::getTag();
355	const void *tagLesser = TrackConstraintBRVisitor::getTag();
356
357	if (X->getLocation() != Y->getLocation())
358	return nullptr;
359
360	if (X->getTag() == tagPreferred && Y->getTag() == tagLesser)
361	return ConditionBRVisitor::isPieceMessageGeneric(X) ? Y : X;
362
363	if (Y->getTag() == tagPreferred && X->getTag() == tagLesser)
364	return ConditionBRVisitor::isPieceMessageGeneric(Y) ? X : Y;
365
366	return nullptr;
367	}
368
369	/// An optimization pass over PathPieces that removes redundant diagnostics
370	/// generated by both ConditionBRVisitor and TrackConstraintBRVisitor. Both
371	/// BugReporterVisitors use different methods to generate diagnostics, with
372	/// one capable of emitting diagnostics in some cases but not in others. This
373	/// can lead to redundant diagnostic pieces at the same point in a path.
374	static void removeRedundantMsgs(PathPieces &path) {
375	unsigned N = path.size();
376	if (N < 2)
377	return;
378	// NOTE: this loop intentionally is not using an iterator. Instead, we
379	// are streaming the path and modifying it in place. This is done by
380	// grabbing the front, processing it, and if we decide to keep it append
381	// it to the end of the path. The entire path is processed in this way.
382	for (unsigned i = 0; i < N; ++i) {
383	auto piece = std::move(path.front());
384	path.pop_front();
385
386	switch (piece->getKind()) {
387	case PathDiagnosticPiece::Call:
388	removeRedundantMsgs(cast<PathDiagnosticCallPiece>(*piece).path);
389	break;
390	case PathDiagnosticPiece::Macro:
391	removeRedundantMsgs(cast<PathDiagnosticMacroPiece>(*piece).subPieces);
392	break;
393	case PathDiagnosticPiece::Event: {
394	if (i == N-1)
395	break;
396
397	if (auto *nextEvent =
398	dyn_cast<PathDiagnosticEventPiece>(path.front().get())) {
399	auto *event = cast<PathDiagnosticEventPiece>(piece.get());
400	// Check to see if we should keep one of the two pieces. If we
401	// come up with a preference, record which piece to keep, and consume
402	// another piece from the path.
403	if (auto *pieceToKeep =
404	eventsDescribeSameCondition(event, nextEvent)) {
405	piece = std::move(pieceToKeep == event ? piece : path.front());
406	path.pop_front();
407	++i;
408	}
409	}
410	break;
411	}
412	case PathDiagnosticPiece::ControlFlow:
413	case PathDiagnosticPiece::Note:
414	case PathDiagnosticPiece::PopUp:
415	break;
416	}
417	path.push_back(std::move(piece));
418	}
419	}
420
421	/// Recursively scan through a path and prune out calls and macros pieces
422	/// that aren't needed. Return true if afterwards the path contains
423	/// "interesting stuff" which means it shouldn't be pruned from the parent path.
424	static bool removeUnneededCalls(const PathDiagnosticConstruct &C,
425	PathPieces &pieces,
426	const PathSensitiveBugReport *R,
427	bool IsInteresting = false) {
428	bool containsSomethingInteresting = IsInteresting;
429	const unsigned N = pieces.size();
430
431	for (unsigned i = 0 ; i < N ; ++i) {
432	// Remove the front piece from the path. If it is still something we
433	// want to keep once we are done, we will push it back on the end.
434	auto piece = std::move(pieces.front());
435	pieces.pop_front();
436
437	switch (piece->getKind()) {
438	case PathDiagnosticPiece::Call: {
439	auto &call = cast<PathDiagnosticCallPiece>(*piece);
440	// Check if the location context is interesting.
441	if (!removeUnneededCalls(
442	C, call.path, R,
443	R->isInteresting(C.getLocationContextFor(&call.path))))
444	continue;
445
446	containsSomethingInteresting = true;
447	break;
448	}
449	case PathDiagnosticPiece::Macro: {
450	auto &macro = cast<PathDiagnosticMacroPiece>(*piece);
451	if (!removeUnneededCalls(C, macro.subPieces, R, IsInteresting))
452	continue;
453	containsSomethingInteresting = true;
454	break;
455	}
456	case PathDiagnosticPiece::Event: {
457	auto &event = cast<PathDiagnosticEventPiece>(*piece);
458
459	// We never throw away an event, but we do throw it away wholesale
460	// as part of a path if we throw the entire path away.
461	containsSomethingInteresting |= !event.isPrunable();
462	break;
463	}
464	case PathDiagnosticPiece::ControlFlow:
465	case PathDiagnosticPiece::Note:
466	case PathDiagnosticPiece::PopUp:
467	break;
468	}
469
470	pieces.push_back(std::move(piece));
471	}
472
473	return containsSomethingInteresting;
474	}
475
476	/// Same logic as above to remove extra pieces.
477	static void removePopUpNotes(PathPieces &Path) {
478	for (unsigned int i = 0; i < Path.size(); ++i) {
479	auto Piece = std::move(Path.front());
480	Path.pop_front();
481	if (!isa<PathDiagnosticPopUpPiece>(*Piece))
482	Path.push_back(std::move(Piece));
483	}
484	}
485
486	/// Returns true if the given decl has been implicitly given a body, either by
487	/// the analyzer or by the compiler proper.
488	static bool hasImplicitBody(const Decl *D) {
489	assert(D);
490	return D->isImplicit() || !D->hasBody();
491	}
492
493	/// Recursively scan through a path and make sure that all call pieces have
494	/// valid locations.
495	static void
496	adjustCallLocations(PathPieces &Pieces,
497	PathDiagnosticLocation *LastCallLocation = nullptr) {
498	for (const auto &I : Pieces) {
499	auto *Call = dyn_cast<PathDiagnosticCallPiece>(I.get());
500
501	if (!Call)
502	continue;
503
504	if (LastCallLocation) {
505	bool CallerIsImplicit = hasImplicitBody(Call->getCaller());
506	if (CallerIsImplicit || !Call->callEnter.asLocation().isValid())
507	Call->callEnter = *LastCallLocation;
508	if (CallerIsImplicit || !Call->callReturn.asLocation().isValid())
509	Call->callReturn = *LastCallLocation;
510	}
511
512	// Recursively clean out the subclass. Keep this call around if
513	// it contains any informative diagnostics.
514	PathDiagnosticLocation *ThisCallLocation;
515	if (Call->callEnterWithin.asLocation().isValid() &&
516	!hasImplicitBody(Call->getCallee()))
517	ThisCallLocation = &Call->callEnterWithin;
518	else
519	ThisCallLocation = &Call->callEnter;
520
521	assert(ThisCallLocation && "Outermost call has an invalid location");
522	adjustCallLocations(Call->path, ThisCallLocation);
523	}
524	}
525
526	/// Remove edges in and out of C++ default initializer expressions. These are
527	/// for fields that have in-class initializers, as opposed to being initialized
528	/// explicitly in a constructor or braced list.
529	static void removeEdgesToDefaultInitializers(PathPieces &Pieces) {
530	for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) {
531	if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get()))
532	removeEdgesToDefaultInitializers(C->path);
533
534	if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get()))
535	removeEdgesToDefaultInitializers(M->subPieces);
536
537	if (auto *CF = dyn_cast<PathDiagnosticControlFlowPiece>(I->get())) {
538	const Stmt *Start = CF->getStartLocation().asStmt();
539	const Stmt *End = CF->getEndLocation().asStmt();
540	if (isa_and_nonnull<CXXDefaultInitExpr>(Start)) {
541	I = Pieces.erase(I);
542	continue;
543	} else if (isa_and_nonnull<CXXDefaultInitExpr>(End)) {
544	PathPieces::iterator Next = std::next(I);
545	if (Next != E) {
546	if (auto *NextCF =
547	dyn_cast<PathDiagnosticControlFlowPiece>(Next->get())) {
548	NextCF->setStartLocation(CF->getStartLocation());
549	}
550	}
551	I = Pieces.erase(I);
552	continue;
553	}
554	}
555
556	I++;
557	}
558	}
559
560	/// Remove all pieces with invalid locations as these cannot be serialized.
561	/// We might have pieces with invalid locations as a result of inlining Body
562	/// Farm generated functions.
563	static void removePiecesWithInvalidLocations(PathPieces &Pieces) {
564	for (PathPieces::iterator I = Pieces.begin(), E = Pieces.end(); I != E;) {
565	if (auto *C = dyn_cast<PathDiagnosticCallPiece>(I->get()))
566	removePiecesWithInvalidLocations(C->path);
567
568	if (auto *M = dyn_cast<PathDiagnosticMacroPiece>(I->get()))
569	removePiecesWithInvalidLocations(M->subPieces);
570
571	if (!(*I)->getLocation().isValid() ||
572	!(*I)->getLocation().asLocation().isValid()) {
573	I = Pieces.erase(I);
574	continue;
575	}
576	I++;
577	}
578	}
579
580	PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues(
581	const PathDiagnosticConstruct &C) const {
582	if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics())
583	return PathDiagnosticLocation(S, getSourceManager(),
584	C.getCurrLocationContext());
585
586	return PathDiagnosticLocation::createDeclEnd(C.getCurrLocationContext(),
587	getSourceManager());
588	}
589
590	PathDiagnosticLocation PathDiagnosticBuilder::ExecutionContinues(
591	llvm::raw_string_ostream &os, const PathDiagnosticConstruct &C) const {
592	// Slow, but probably doesn't matter.
593	if (os.str().empty())
594	os << ' ';
595
596	const PathDiagnosticLocation &Loc = ExecutionContinues(C);
597
598	if (Loc.asStmt())
599	os << "Execution continues on line "
600	<< getSourceManager().getExpansionLineNumber(Loc.asLocation())
601	<< '.';
602	else {
603	os << "Execution jumps to the end of the ";
604	const Decl *D = C.getCurrLocationContext()->getDecl();
605	if (isa<ObjCMethodDecl>(D))
606	os << "method";
607	else if (isa<FunctionDecl>(D))
608	os << "function";
609	else {
610	assert(isa<BlockDecl>(D));
611	os << "anonymous block";
612	}
613	os << '.';
614	}
615
616	return Loc;
617	}
618
619	static const Stmt *getEnclosingParent(const Stmt *S, const ParentMap &PM) {
620	if (isa<Expr>(S) && PM.isConsumedExpr(cast<Expr>(S)))
621	return PM.getParentIgnoreParens(S);
622
623	const Stmt *Parent = PM.getParentIgnoreParens(S);
624	if (!Parent)
625	return nullptr;
626
627	switch (Parent->getStmtClass()) {
628	case Stmt::ForStmtClass:
629	case Stmt::DoStmtClass:
630	case Stmt::WhileStmtClass:
631	case Stmt::ObjCForCollectionStmtClass:
632	case Stmt::CXXForRangeStmtClass:
633	return Parent;
634	default:
635	break;
636	}
637
638	return nullptr;
639	}
640
641	static PathDiagnosticLocation
642	getEnclosingStmtLocation(const Stmt *S, const LocationContext *LC,
643	bool allowNestedContexts = false) {
644	if (!S)
645	return {};
646
647	const SourceManager &SMgr = LC->getDecl()->getASTContext().getSourceManager();
648
649	while (const Stmt *Parent = getEnclosingParent(S, LC->getParentMap())) {
650	switch (Parent->getStmtClass()) {
651	case Stmt::BinaryOperatorClass: {
652	const auto *B = cast<BinaryOperator>(Parent);
653	if (B->isLogicalOp())
654	return PathDiagnosticLocation(allowNestedContexts ? B : S, SMgr, LC);
655	break;
656	}
657	case Stmt::CompoundStmtClass:
658	case Stmt::StmtExprClass:
659	return PathDiagnosticLocation(S, SMgr, LC);
660	case Stmt::ChooseExprClass:
661	// Similar to '?' if we are referring to condition, just have the edge
662	// point to the entire choose expression.
663	if (allowNestedContexts || cast<ChooseExpr>(Parent)->getCond() == S)
664	return PathDiagnosticLocation(Parent, SMgr, LC);
665	else
666	return PathDiagnosticLocation(S, SMgr, LC);
667	case Stmt::BinaryConditionalOperatorClass:
668	case Stmt::ConditionalOperatorClass:
669	// For '?', if we are referring to condition, just have the edge point
670	// to the entire '?' expression.
671	if (allowNestedContexts ||
672	cast<AbstractConditionalOperator>(Parent)->getCond() == S)
673	return PathDiagnosticLocation(Parent, SMgr, LC);
674	else
675	return PathDiagnosticLocation(S, SMgr, LC);
676	case Stmt::CXXForRangeStmtClass:
677	if (cast<CXXForRangeStmt>(Parent)->getBody() == S)
678	return PathDiagnosticLocation(S, SMgr, LC);
679	break;
680	case Stmt::DoStmtClass:
681	return PathDiagnosticLocation(S, SMgr, LC);
682	case Stmt::ForStmtClass:
683	if (cast<ForStmt>(Parent)->getBody() == S)
684	return PathDiagnosticLocation(S, SMgr, LC);
685	break;
686	case Stmt::IfStmtClass:
687	if (cast<IfStmt>(Parent)->getCond() != S)
688	return PathDiagnosticLocation(S, SMgr, LC);
689	break;
690	case Stmt::ObjCForCollectionStmtClass:
691	if (cast<ObjCForCollectionStmt>(Parent)->getBody() == S)
692	return PathDiagnosticLocation(S, SMgr, LC);
693	break;
694	case Stmt::WhileStmtClass:
695	if (cast<WhileStmt>(Parent)->getCond() != S)
696	return PathDiagnosticLocation(S, SMgr, LC);
697	break;
698	default:
699	break;
700	}
701
702	S = Parent;
703	}
704
705	assert(S && "Cannot have null Stmt for PathDiagnosticLocation");
706
707	return PathDiagnosticLocation(S, SMgr, LC);
708	}
709
710	//===----------------------------------------------------------------------===//
711	// "Minimal" path diagnostic generation algorithm.
712	//===----------------------------------------------------------------------===//
713
714	/// If the piece contains a special message, add it to all the call pieces on
715	/// the active stack. For example, my_malloc allocated memory, so MallocChecker
716	/// will construct an event at the call to malloc(), and add a stack hint that
717	/// an allocated memory was returned. We'll use this hint to construct a message
718	/// when returning from the call to my_malloc
719	///
720	/// void *my_malloc() { return malloc(sizeof(int)); }
721	/// void fishy() {
722	/// void *ptr = my_malloc(); // returned allocated memory
723	/// } // leak
724	void PathDiagnosticBuilder::updateStackPiecesWithMessage(
725	PathDiagnosticPieceRef P, const CallWithEntryStack &CallStack) const {
726	if (R->hasCallStackHint(P))
727	for (const auto &I : CallStack) {
728	PathDiagnosticCallPiece *CP = I.first;
729	const ExplodedNode *N = I.second;
730	std::string stackMsg = R->getCallStackMessage(P, N);
731
732	// The last message on the path to final bug is the most important
733	// one. Since we traverse the path backwards, do not add the message
734	// if one has been previously added.
735	if (!CP->hasCallStackMessage())
736	CP->setCallStackMessage(stackMsg);
737	}
738	}
739
740	static void CompactMacroExpandedPieces(PathPieces &path,
741	const SourceManager& SM);
742
743	PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForSwitchOP(
744	const PathDiagnosticConstruct &C, const CFGBlock *Dst,
745	PathDiagnosticLocation &Start) const {
746
747	const SourceManager &SM = getSourceManager();
748	// Figure out what case arm we took.
749	std::string sbuf;
750	llvm::raw_string_ostream os(sbuf);
751	PathDiagnosticLocation End;
752
753	if (const Stmt *S = Dst->getLabel()) {
754	End = PathDiagnosticLocation(S, SM, C.getCurrLocationContext());
755
756	switch (S->getStmtClass()) {
757	default:
758	os << "No cases match in the switch statement. "
759	"Control jumps to line "
760	<< End.asLocation().getExpansionLineNumber();
761	break;
762	case Stmt::DefaultStmtClass:
763	os << "Control jumps to the 'default' case at line "
764	<< End.asLocation().getExpansionLineNumber();
765	break;
766
767	case Stmt::CaseStmtClass: {
768	os << "Control jumps to 'case ";
769	const auto *Case = cast<CaseStmt>(S);
770	const Expr *LHS = Case->getLHS()->IgnoreParenCasts();
771
772	// Determine if it is an enum.
773	bool GetRawInt = true;
774
775	if (const auto *DR = dyn_cast<DeclRefExpr>(LHS)) {
776	// FIXME: Maybe this should be an assertion. Are there cases
777	// were it is not an EnumConstantDecl?
778	const auto *D = dyn_cast<EnumConstantDecl>(DR->getDecl());
779
780	if (D) {
781	GetRawInt = false;
782	os << *D;
783	}
784	}
785
786	if (GetRawInt)
787	os << LHS->EvaluateKnownConstInt(getASTContext());
788
789	os << ":' at line " << End.asLocation().getExpansionLineNumber();
790	break;
791	}
792	}
793	} else {
794	os << "'Default' branch taken. ";
795	End = ExecutionContinues(os, C);
796	}
797	return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End,
798	os.str());
799	}
800
801	PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForGotoOP(
802	const PathDiagnosticConstruct &C, const Stmt *S,
803	PathDiagnosticLocation &Start) const {
804	std::string sbuf;
805	llvm::raw_string_ostream os(sbuf);
806	const PathDiagnosticLocation &End =
807	getEnclosingStmtLocation(S, C.getCurrLocationContext());
808	os << "Control jumps to line " << End.asLocation().getExpansionLineNumber();
809	return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str());
810	}
811
812	PathDiagnosticPieceRef PathDiagnosticBuilder::generateDiagForBinaryOP(
813	const PathDiagnosticConstruct &C, const Stmt *T, const CFGBlock *Src,
814	const CFGBlock *Dst) const {
815
816	const SourceManager &SM = getSourceManager();
817
818	const auto *B = cast<BinaryOperator>(T);
819	std::string sbuf;
820	llvm::raw_string_ostream os(sbuf);
821	os << "Left side of '";
822	PathDiagnosticLocation Start, End;
823
824	if (B->getOpcode() == BO_LAnd) {
825	os << "&&"
826	<< "' is ";
827
828	if (*(Src->succ_begin() + 1) == Dst) {
829	os << "false";
830	End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext());
831	Start =
832	PathDiagnosticLocation::createOperatorLoc(B, SM);
833	} else {
834	os << "true";
835	Start =
836	PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext());
837	End = ExecutionContinues(C);
838	}
839	} else {
840	assert(B->getOpcode() == BO_LOr);
841	os << "||"
842	<< "' is ";
843
844	if (*(Src->succ_begin() + 1) == Dst) {
845	os << "false";
846	Start =
847	PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext());
848	End = ExecutionContinues(C);
849	} else {
850	os << "true";
851	End = PathDiagnosticLocation(B->getLHS(), SM, C.getCurrLocationContext());
852	Start =
853	PathDiagnosticLocation::createOperatorLoc(B, SM);
854	}
855	}
856	return std::make_shared<PathDiagnosticControlFlowPiece>(Start, End,
857	os.str());
858	}
859
860	void PathDiagnosticBuilder::generateMinimalDiagForBlockEdge(
861	PathDiagnosticConstruct &C, BlockEdge BE) const {
862	const SourceManager &SM = getSourceManager();
863	const LocationContext *LC = C.getCurrLocationContext();
864	const CFGBlock *Src = BE.getSrc();
865	const CFGBlock *Dst = BE.getDst();
866	const Stmt *T = Src->getTerminatorStmt();
867	if (!T)
868	return;
869
870	auto Start = PathDiagnosticLocation::createBegin(T, SM, LC);
871	switch (T->getStmtClass()) {
872	default:
873	break;
874
875	case Stmt::GotoStmtClass:
876	case Stmt::IndirectGotoStmtClass: {
877	if (const Stmt *S = C.getCurrentNode()->getNextStmtForDiagnostics())
878	C.getActivePath().push_front(generateDiagForGotoOP(C, S, Start));
879	break;
880	}
881
882	case Stmt::SwitchStmtClass: {
883	C.getActivePath().push_front(generateDiagForSwitchOP(C, Dst, Start));
884	break;
885	}
886
887	case Stmt::BreakStmtClass:
888	case Stmt::ContinueStmtClass: {
889	std::string sbuf;
890	llvm::raw_string_ostream os(sbuf);
891	PathDiagnosticLocation End = ExecutionContinues(os, C);
892	C.getActivePath().push_front(
893	std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str()));
894	break;
895	}
896
897	// Determine control-flow for ternary '?'.
898	case Stmt::BinaryConditionalOperatorClass:
899	case Stmt::ConditionalOperatorClass: {
900	std::string sbuf;
901	llvm::raw_string_ostream os(sbuf);
902	os << "'?' condition is ";
903
904	if (*(Src->succ_begin() + 1) == Dst)
905	os << "false";
906	else
907	os << "true";
908
909	PathDiagnosticLocation End = ExecutionContinues(C);
910
911	if (const Stmt *S = End.asStmt())
912	End = getEnclosingStmtLocation(S, C.getCurrLocationContext());
913
914	C.getActivePath().push_front(
915	std::make_shared<PathDiagnosticControlFlowPiece>(Start, End, os.str()));
916	break;
917	}
918
919	// Determine control-flow for short-circuited '&&' and '||'.
920	case Stmt::BinaryOperatorClass: {
921	if (!C.supportsLogicalOpControlFlow())
922	break;
923
924	C.getActivePath().push_front(generateDiagForBinaryOP(C, T, Src, Dst));
925	break;
926	}
927
928	case Stmt::DoStmtClass:
929	if (*(Src->succ_begin()) == Dst) {
930	std::string sbuf;
931	llvm::raw_string_ostream os(sbuf);
932
933	os << "Loop condition is true. ";
934	PathDiagnosticLocation End = ExecutionContinues(os, C);
935
936	if (const Stmt *S = End.asStmt())
937	End = getEnclosingStmtLocation(S, C.getCurrLocationContext());
938
939	C.getActivePath().push_front(
940	std::make_shared<PathDiagnosticControlFlowPiece>(Start, End,
941	os.str()));
942	} else {
943	PathDiagnosticLocation End = ExecutionContinues(C);
944
945	if (const Stmt *S = End.asStmt())
946	End = getEnclosingStmtLocation(S, C.getCurrLocationContext());
947
948	C.getActivePath().push_front(
949	std::make_shared<PathDiagnosticControlFlowPiece>(
950	Start, End, "Loop condition is false. Exiting loop"));
951	}
952	break;
953
954	case Stmt::WhileStmtClass:
955	case Stmt::ForStmtClass:
956	if (*(Src->succ_begin() + 1) == Dst) {
957	std::string sbuf;
958	llvm::raw_string_ostream os(sbuf);
959
960	os << "Loop condition is false. ";
961	PathDiagnosticLocation End = ExecutionContinues(os, C);
962	if (const Stmt *S = End.asStmt())
963	End = getEnclosingStmtLocation(S, C.getCurrLocationContext());
964
965	C.getActivePath().push_front(
966	std::make_shared<PathDiagnosticControlFlowPiece>(Start, End,
967	os.str()));
968	} else {
969	PathDiagnosticLocation End = ExecutionContinues(C);
970	if (const Stmt *S = End.asStmt())
971	End = getEnclosingStmtLocation(S, C.getCurrLocationContext());
972
973	C.getActivePath().push_front(
974	std::make_shared<PathDiagnosticControlFlowPiece>(
975	Start, End, "Loop condition is true. Entering loop body"));
976	}
977
978	break;
979
980	case Stmt::IfStmtClass: {
981	PathDiagnosticLocation End = ExecutionContinues(C);
982
983	if (const Stmt *S = End.asStmt())
984	End = getEnclosingStmtLocation(S, C.getCurrLocationContext());
985
986	if (*(Src->succ_begin() + 1) == Dst)
987	C.getActivePath().push_front(
988	std::make_shared<PathDiagnosticControlFlowPiece>(
989	Start, End, "Taking false branch"));
990	else
991	C.getActivePath().push_front(
992	std::make_shared<PathDiagnosticControlFlowPiece>(
993	Start, End, "Taking true branch"));
994
995	break;
996	}
997	}
998	}
999
1000	//===----------------------------------------------------------------------===//
1001	// Functions for determining if a loop was executed 0 times.
1002	//===----------------------------------------------------------------------===//
1003
1004	static bool isLoop(const Stmt *Term) {
1005	switch (Term->getStmtClass()) {
1006	case Stmt::ForStmtClass:
1007	case Stmt::WhileStmtClass:
1008	case Stmt::ObjCForCollectionStmtClass:
1009	case Stmt::CXXForRangeStmtClass:
1010	return true;
1011	default:
1012	// Note that we intentionally do not include do..while here.
1013	return false;
1014	}
1015	}
1016
1017	static bool isJumpToFalseBranch(const BlockEdge *BE) {
1018	const CFGBlock *Src = BE->getSrc();
1019	assert(Src->succ_size() == 2);
1020	return (*(Src->succ_begin()+1) == BE->getDst());
1021	}
1022
1023	static bool isContainedByStmt(const ParentMap &PM, const Stmt *S,
1024	const Stmt *SubS) {
1025	while (SubS) {
1026	if (SubS == S)
1027	return true;
1028	SubS = PM.getParent(SubS);
1029	}
1030	return false;
1031	}
1032
1033	static const Stmt *getStmtBeforeCond(const ParentMap &PM, const Stmt *Term,
1034	const ExplodedNode *N) {
1035	while (N) {
1036	Optional<StmtPoint> SP = N->getLocation().getAs<StmtPoint>();
1037	if (SP) {
1038	const Stmt *S = SP->getStmt();
1039	if (!isContainedByStmt(PM, Term, S))
1040	return S;
1041	}
1042	N = N->getFirstPred();
1043	}
1044	return nullptr;
1045	}
1046
1047	static bool isInLoopBody(const ParentMap &PM, const Stmt *S, const Stmt *Term) {
1048	const Stmt *LoopBody = nullptr;
1049	switch (Term->getStmtClass()) {
1050	case Stmt::CXXForRangeStmtClass: {
1051	const auto *FR = cast<CXXForRangeStmt>(Term);
1052	if (isContainedByStmt(PM, FR->getInc(), S))
1053	return true;
1054	if (isContainedByStmt(PM, FR->getLoopVarStmt(), S))
1055	return true;
1056	LoopBody = FR->getBody();
1057	break;
1058	}
1059	case Stmt::ForStmtClass: {
1060	const auto *FS = cast<ForStmt>(Term);
1061	if (isContainedByStmt(PM, FS->getInc(), S))
1062	return true;
1063	LoopBody = FS->getBody();
1064	break;
1065	}
1066	case Stmt::ObjCForCollectionStmtClass: {
1067	const auto *FC = cast<ObjCForCollectionStmt>(Term);
1068	LoopBody = FC->getBody();
1069	break;
1070	}
1071	case Stmt::WhileStmtClass:
1072	LoopBody = cast<WhileStmt>(Term)->getBody();
1073	break;
1074	default:
1075	return false;
1076	}
1077	return isContainedByStmt(PM, LoopBody, S);
1078	}
1079
1080	/// Adds a sanitized control-flow diagnostic edge to a path.
1081	static void addEdgeToPath(PathPieces &path,
1082	PathDiagnosticLocation &PrevLoc,
1083	PathDiagnosticLocation NewLoc) {
1084	if (!NewLoc.isValid())
1085	return;
1086
1087	SourceLocation NewLocL = NewLoc.asLocation();
1088	if (NewLocL.isInvalid())
1089	return;
1090
1091	if (!PrevLoc.isValid() || !PrevLoc.asLocation().isValid()) {
1092	PrevLoc = NewLoc;
1093	return;
1094	}
1095
1096	// Ignore self-edges, which occur when there are multiple nodes at the same
1097	// statement.
1098	if (NewLoc.asStmt() && NewLoc.asStmt() == PrevLoc.asStmt())
1099	return;
1100
1101	path.push_front(
1102	std::make_shared<PathDiagnosticControlFlowPiece>(NewLoc, PrevLoc));
1103	PrevLoc = NewLoc;
1104	}
1105
1106	/// A customized wrapper for CFGBlock::getTerminatorCondition()
1107	/// which returns the element for ObjCForCollectionStmts.
1108	static const Stmt *getTerminatorCondition(const CFGBlock *B) {
1109	const Stmt *S = B->getTerminatorCondition();
1110	if (const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(S))
1111	return FS->getElement();
1112	return S;
1113	}
1114
1115	constexpr llvm::StringLiteral StrEnteringLoop = "Entering loop body";
1116	constexpr llvm::StringLiteral StrLoopBodyZero = "Loop body executed 0 times";
1117	constexpr llvm::StringLiteral StrLoopRangeEmpty =
1118	"Loop body skipped when range is empty";
1119	constexpr llvm::StringLiteral StrLoopCollectionEmpty =
1120	"Loop body skipped when collection is empty";
1121
1122	static std::unique_ptr<FilesToLineNumsMap>
1123	findExecutedLines(const SourceManager &SM, const ExplodedNode *N);
1124
1125	void PathDiagnosticBuilder::generatePathDiagnosticsForNode(
1126	PathDiagnosticConstruct &C, PathDiagnosticLocation &PrevLoc) const {
1127	ProgramPoint P = C.getCurrentNode()->getLocation();
1128	const SourceManager &SM = getSourceManager();
1129
1130	// Have we encountered an entrance to a call? It may be
1131	// the case that we have not encountered a matching
1132	// call exit before this point. This means that the path
1133	// terminated within the call itself.
1134	if (auto CE = P.getAs<CallEnter>()) {
1135
1136	if (C.shouldAddPathEdges()) {
1137	// Add an edge to the start of the function.
1138	const StackFrameContext *CalleeLC = CE->getCalleeContext();
1139	const Decl *D = CalleeLC->getDecl();
1140	// Add the edge only when the callee has body. We jump to the beginning
1141	// of the *declaration*, however we expect it to be followed by the
1142	// body. This isn't the case for autosynthesized property accessors in
1143	// Objective-C. No need for a similar extra check for CallExit points
1144	// because the exit edge comes from a statement (i.e. return),
1145	// not from declaration.
1146	if (D->hasBody())
1147	addEdgeToPath(C.getActivePath(), PrevLoc,
1148	PathDiagnosticLocation::createBegin(D, SM));
1149	}
1150
1151	// Did we visit an entire call?
1152	bool VisitedEntireCall = C.PD->isWithinCall();
1153	C.PD->popActivePath();
1154
1155	PathDiagnosticCallPiece *Call;
1156	if (VisitedEntireCall) {
1157	Call = cast<PathDiagnosticCallPiece>(C.getActivePath().front().get());
1158	} else {
1159	// The path terminated within a nested location context, create a new
1160	// call piece to encapsulate the rest of the path pieces.
1161	const Decl *Caller = CE->getLocationContext()->getDecl();
1162	Call = PathDiagnosticCallPiece::construct(C.getActivePath(), Caller);
1163	assert(C.getActivePath().size() == 1 &&
1164	C.getActivePath().front().get() == Call);
1165
1166	// Since we just transferred the path over to the call piece, reset the
1167	// mapping of the active path to the current location context.
1168	assert(C.isInLocCtxMap(&C.getActivePath()) &&
1169	"When we ascend to a previously unvisited call, the active path's "
1170	"address shouldn't change, but rather should be compacted into "
1171	"a single CallEvent!");
1172	C.updateLocCtxMap(&C.getActivePath(), C.getCurrLocationContext());
1173
1174	// Record the location context mapping for the path within the call.
1175	assert(!C.isInLocCtxMap(&Call->path) &&
1176	"When we ascend to a previously unvisited call, this must be the "
1177	"first time we encounter the caller context!");
1178	C.updateLocCtxMap(&Call->path, CE->getCalleeContext());
1179	}
1180	Call->setCallee(*CE, SM);
1181
1182	// Update the previous location in the active path.
1183	PrevLoc = Call->getLocation();
1184
1185	if (!C.CallStack.empty()) {
1186	assert(C.CallStack.back().first == Call);
1187	C.CallStack.pop_back();
1188	}
1189	return;
1190	}
1191
1192	assert(C.getCurrLocationContext() == C.getLocationContextForActivePath() &&
1193	"The current position in the bug path is out of sync with the "
1194	"location context associated with the active path!");
1195
1196	// Have we encountered an exit from a function call?
1197	if (Optional<CallExitEnd> CE = P.getAs<CallExitEnd>()) {
1198
1199	// We are descending into a call (backwards). Construct
1200	// a new call piece to contain the path pieces for that call.
1201	auto Call = PathDiagnosticCallPiece::construct(*CE, SM);
1202	// Record the mapping from call piece to LocationContext.
1203	assert(!C.isInLocCtxMap(&Call->path) &&
1204	"We just entered a call, this must've been the first time we "
1205	"encounter its context!");
1206	C.updateLocCtxMap(&Call->path, CE->getCalleeContext());
1207
1208	if (C.shouldAddPathEdges()) {
1209	// Add the edge to the return site.
1210	addEdgeToPath(C.getActivePath(), PrevLoc, Call->callReturn);
1211	PrevLoc.invalidate();
1212	}
1213
1214	auto *P = Call.get();
1215	C.getActivePath().push_front(std::move(Call));
1216
1217	// Make the contents of the call the active path for now.
1218	C.PD->pushActivePath(&P->path);
1219	C.CallStack.push_back(CallWithEntry(P, C.getCurrentNode()));
1220	return;
1221	}
1222
1223	if (auto PS = P.getAs<PostStmt>()) {
1224	if (!C.shouldAddPathEdges())
1225	return;
1226
1227	// Add an edge. If this is an ObjCForCollectionStmt do
1228	// not add an edge here as it appears in the CFG both
1229	// as a terminator and as a terminator condition.
1230	if (!isa<ObjCForCollectionStmt>(PS->getStmt())) {
1231	PathDiagnosticLocation L =
1232	PathDiagnosticLocation(PS->getStmt(), SM, C.getCurrLocationContext());
1233	addEdgeToPath(C.getActivePath(), PrevLoc, L);
1234	}
1235
1236	} else if (auto BE = P.getAs<BlockEdge>()) {
1237
1238	if (C.shouldAddControlNotes()) {
1239	generateMinimalDiagForBlockEdge(C, *BE);
1240	}
1241
1242	if (!C.shouldAddPathEdges()) {
1243	return;
1244	}
1245
1246	// Are we jumping to the head of a loop? Add a special diagnostic.
1247	if (const Stmt *Loop = BE->getSrc()->getLoopTarget()) {
1248	PathDiagnosticLocation L(Loop, SM, C.getCurrLocationContext());
1249	const Stmt *Body = nullptr;
1250
1251	if (const auto *FS = dyn_cast<ForStmt>(Loop))
1252	Body = FS->getBody();
1253	else if (const auto *WS = dyn_cast<WhileStmt>(Loop))
1254	Body = WS->getBody();
1255	else if (const auto *OFS = dyn_cast<ObjCForCollectionStmt>(Loop)) {
1256	Body = OFS->getBody();
1257	} else if (const auto *FRS = dyn_cast<CXXForRangeStmt>(Loop)) {
1258	Body = FRS->getBody();
1259	}
1260	// do-while statements are explicitly excluded here
1261
1262	auto p = std::make_shared<PathDiagnosticEventPiece>(
1263	L, "Looping back to the head of the loop");
1264	p->setPrunable(true);
1265
1266	addEdgeToPath(C.getActivePath(), PrevLoc, p->getLocation());
1267	// We might've added a very similar control node already
1268	if (!C.shouldAddControlNotes()) {
1269	C.getActivePath().push_front(std::move(p));
1270	}
1271
1272	if (const auto *CS = dyn_cast_or_null<CompoundStmt>(Body)) {
1273	addEdgeToPath(C.getActivePath(), PrevLoc,
1274	PathDiagnosticLocation::createEndBrace(CS, SM));
1275	}
1276	}
1277
1278	const CFGBlock *BSrc = BE->getSrc();
1279	const ParentMap &PM = C.getParentMap();
1280
1281	if (const Stmt *Term = BSrc->getTerminatorStmt()) {
1282	// Are we jumping past the loop body without ever executing the
1283	// loop (because the condition was false)?
1284	if (isLoop(Term)) {
1285	const Stmt *TermCond = getTerminatorCondition(BSrc);
1286	bool IsInLoopBody = isInLoopBody(
1287	PM, getStmtBeforeCond(PM, TermCond, C.getCurrentNode()), Term);
1288
1289	StringRef str;
1290
1291	if (isJumpToFalseBranch(&*BE)) {
1292	if (!IsInLoopBody) {
1293	if (isa<ObjCForCollectionStmt>(Term)) {
1294	str = StrLoopCollectionEmpty;
1295	} else if (isa<CXXForRangeStmt>(Term)) {
1296	str = StrLoopRangeEmpty;
1297	} else {
1298	str = StrLoopBodyZero;
1299	}
1300	}
1301	} else {
1302	str = StrEnteringLoop;
1303	}
1304
1305	if (!str.empty()) {
1306	PathDiagnosticLocation L(TermCond ? TermCond : Term, SM,
1307	C.getCurrLocationContext());
1308	auto PE = std::make_shared<PathDiagnosticEventPiece>(L, str);
1309	PE->setPrunable(true);
1310	addEdgeToPath(C.getActivePath(), PrevLoc, PE->getLocation());
1311
1312	// We might've added a very similar control node already
1313	if (!C.shouldAddControlNotes()) {
1314	C.getActivePath().push_front(std::move(PE));
1315	}
1316	}
1317	} else if (isa<BreakStmt, ContinueStmt, GotoStmt>(Term)) {
1318	PathDiagnosticLocation L(Term, SM, C.getCurrLocationContext());
1319	addEdgeToPath(C.getActivePath(), PrevLoc, L);
1320	}
1321	}
1322	}
1323	}
1324
1325	static std::unique_ptr<PathDiagnostic>
1326	generateDiagnosticForBasicReport(const BasicBugReport *R) {
1327	const BugType &BT = R->getBugType();
1328	return std::make_unique<PathDiagnostic>(
1329	BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(),
1330	R->getDescription(), R->getShortDescription(/*UseFallback=*/false),
1331	BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(),
1332	std::make_unique<FilesToLineNumsMap>());
1333	}
1334
1335	static std::unique_ptr<PathDiagnostic>
1336	generateEmptyDiagnosticForReport(const PathSensitiveBugReport *R,
1337	const SourceManager &SM) {
1338	const BugType &BT = R->getBugType();
1339	return std::make_unique<PathDiagnostic>(
1340	BT.getCheckerName(), R->getDeclWithIssue(), BT.getDescription(),
1341	R->getDescription(), R->getShortDescription(/*UseFallback=*/false),
1342	BT.getCategory(), R->getUniqueingLocation(), R->getUniqueingDecl(),
1343	findExecutedLines(SM, R->getErrorNode()));
1344	}
1345
1346	static const Stmt *getStmtParent(const Stmt *S, const ParentMap &PM) {
1347	if (!S)
1348	return nullptr;
1349
1350	while (true) {
1351	S = PM.getParentIgnoreParens(S);
1352
1353	if (!S)
1354	break;
1355
1356	if (isa<FullExpr, CXXBindTemporaryExpr, SubstNonTypeTemplateParmExpr>(S))
1357	continue;
1358
1359	break;
1360	}
1361
1362	return S;
1363	}
1364
1365	static bool isConditionForTerminator(const Stmt *S, const Stmt *Cond) {
1366	switch (S->getStmtClass()) {
1367	case Stmt::BinaryOperatorClass: {
1368	const auto *BO = cast<BinaryOperator>(S);
1369	if (!BO->isLogicalOp())
1370	return false;
1371	return BO->getLHS() == Cond || BO->getRHS() == Cond;
1372	}
1373	case Stmt::IfStmtClass:
1374	return cast<IfStmt>(S)->getCond() == Cond;
1375	case Stmt::ForStmtClass:
1376	return cast<ForStmt>(S)->getCond() == Cond;
1377	case Stmt::WhileStmtClass:
1378	return cast<WhileStmt>(S)->getCond() == Cond;
1379	case Stmt::DoStmtClass:
1380	return cast<DoStmt>(S)->getCond() == Cond;
1381	case Stmt::ChooseExprClass:
1382	return cast<ChooseExpr>(S)->getCond() == Cond;
1383	case Stmt::IndirectGotoStmtClass:
1384	return cast<IndirectGotoStmt>(S)->getTarget() == Cond;
1385	case Stmt::SwitchStmtClass:
1386	return cast<SwitchStmt>(S)->getCond() == Cond;
1387	case Stmt::BinaryConditionalOperatorClass:
1388	return cast<BinaryConditionalOperator>(S)->getCond() == Cond;
1389	case Stmt::ConditionalOperatorClass: {
1390	const auto *CO = cast<ConditionalOperator>(S);
1391	return CO->getCond() == Cond ||
1392	CO->getLHS() == Cond ||
1393	CO->getRHS() == Cond;
1394	}
1395	case Stmt::ObjCForCollectionStmtClass:
1396	return cast<ObjCForCollectionStmt>(S)->getElement() == Cond;
1397	case Stmt::CXXForRangeStmtClass: {
1398	const auto *FRS = cast<CXXForRangeStmt>(S);
1399	return FRS->getCond() == Cond || FRS->getRangeInit() == Cond;
1400	}
1401	default:
1402	return false;
1403	}
1404	}
1405
1406	static bool isIncrementOrInitInForLoop(const Stmt *S, const Stmt *FL) {
1407	if (const auto *FS = dyn_cast<ForStmt>(FL))
1408	return FS->getInc() == S || FS->getInit() == S;
1409	if (const auto *FRS = dyn_cast<CXXForRangeStmt>(FL))
1410	return FRS->getInc() == S || FRS->getRangeStmt() == S ||
1411	FRS->getLoopVarStmt() || FRS->getRangeInit() == S;
1412	return false;
1413	}
1414
1415	using OptimizedCallsSet = llvm::DenseSet<const PathDiagnosticCallPiece *>;
1416
1417	/// Adds synthetic edges from top-level statements to their subexpressions.
1418	///
1419	/// This avoids a "swoosh" effect, where an edge from a top-level statement A
1420	/// points to a sub-expression B.1 that's not at the start of B. In these cases,
1421	/// we'd like to see an edge from A to B, then another one from B to B.1.
1422	static void addContextEdges(PathPieces &pieces, const LocationContext *LC) {
1423	const ParentMap &PM = LC->getParentMap();
1424	PathPieces::iterator Prev = pieces.end();
1425	for (PathPieces::iterator I = pieces.begin(), E = Prev; I != E;
1426	Prev = I, ++I) {
1427	auto *Piece = dyn_cast<PathDiagnosticControlFlowPiece>(I->get());
1428
1429	if (!Piece)
1430	continue;
1431
1432	PathDiagnosticLocation SrcLoc = Piece->getStartLocation();
1433	SmallVector<PathDiagnosticLocation, 4> SrcContexts;
1434
1435	PathDiagnosticLocation NextSrcContext = SrcLoc;
1436	const Stmt *InnerStmt = nullptr;
1437	while (NextSrcContext.isValid() && NextSrcContext.asStmt() != InnerStmt) {
1438	SrcContexts.push_back(NextSrcContext);
1439	InnerStmt = NextSrcContext.asStmt();
1440	NextSrcContext = getEnclosingStmtLocation(InnerStmt, LC,
1441	/*allowNested=*/true);
1442	}
1443
1444	// Repeatedly split the edge as necessary.
1445	// This is important for nested logical expressions (||, &&, ?:) where we
1446	// want to show all the levels of context.
1447	while (true) {
1448	const Stmt *Dst = Piece->getEndLocation().getStmtOrNull();
1449
1450	// We are looking at an edge. Is the destination within a larger
1451	// expression?
1452	PathDiagnosticLocation DstContext =
1453	getEnclosingStmtLocation(Dst, LC, /*allowNested=*/true);
1454	if (!DstContext.isValid() || DstContext.asStmt() == Dst)
1455	break;
1456
1457	// If the source is in the same context, we're already good.
1458	if (llvm::is_contained(SrcContexts, DstContext))
1459	break;
1460
1461	// Update the subexpression node to point to the context edge.
1462	Piece->setStartLocation(DstContext);
1463
1464	// Try to extend the previous edge if it's at the same level as the source
1465	// context.
1466	if (Prev != E) {
1467	auto *PrevPiece = dyn_cast<PathDiagnosticControlFlowPiece>(Prev->get());
1468
1469	if (PrevPiece) {
1470	if (const Stmt *PrevSrc =
1471	PrevPiece->getStartLocation().getStmtOrNull()) {
1472	const Stmt *PrevSrcParent = getStmtParent(PrevSrc, PM);
1473	if (PrevSrcParent ==
1474	getStmtParent(DstContext.getStmtOrNull(), PM)) {
1475	PrevPiece->setEndLocation(DstContext);
1476	break;
1477	}
1478	}
1479	}
1480	}
1481
1482	// Otherwise, split the current edge into a context edge and a
1483	// subexpression edge. Note that the context statement may itself have
1484	// context.
1485	auto P =
1486	std::make_shared<PathDiagnosticControlFlowPiece>(SrcLoc, DstContext);
1487	Piece = P.get();
1488	I = pieces.insert(I, std::move(P));
1489	}
1490	}
1491	}
1492
1493	/// Move edges from a branch condition to a branch target
1494	/// when the condition is simple.
1495	///
1496	/// This restructures some of the work of addContextEdges. That function
1497	/// creates edges this may destroy, but they work together to create a more
1498	/// aesthetically set of edges around branches. After the call to
1499	/// addContextEdges, we may have (1) an edge to the branch, (2) an edge from
1500	/// the branch to the branch condition, and (3) an edge from the branch
1501	/// condition to the branch target. We keep (1), but may wish to remove (2)
1502	/// and move the source of (3) to the branch if the branch condition is simple.
1503	static void simplifySimpleBranches(PathPieces &pieces) {
1504	for (PathPieces::iterator I = pieces.begin(), E = pieces.end(); I != E; ++I) {
1505	const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get());
1506
1507	if (!PieceI)
1508	continue;
1509
1510	const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull();
1511	const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull();
1512
1513	if (!s1Start || !s1End)
1514	continue;
1515
1516	PathPieces::iterator NextI = I; ++NextI;
1517	if (NextI == E)
1518	break;
1519
1520	PathDiagnosticControlFlowPiece *PieceNextI = nullptr;
1521
1522	while (true) {
1523	if (NextI == E)
1524	break;
1525
1526	const auto *EV = dyn_cast<PathDiagnosticEventPiece>(NextI->get());
1527	if (EV) {
1528	StringRef S = EV->getString();
1529	if (S == StrEnteringLoop || S == StrLoopBodyZero ||
1530	S == StrLoopCollectionEmpty || S == StrLoopRangeEmpty) {
1531	++NextI;
1532	continue;
1533	}
1534	break;
1535	}
1536
1537	PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get());
1538	break;
1539	}
1540
1541	if (!PieceNextI)
1542	continue;
1543
1544	const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull();
1545	const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull();
1546
1547	if (!s2Start || !s2End || s1End != s2Start)
1548	continue;
1549
1550	// We only perform this transformation for specific branch kinds.
1551	// We don't want to do this for do..while, for example.
1552	if (!isa<ForStmt, WhileStmt, IfStmt, ObjCForCollectionStmt,
1553	CXXForRangeStmt>(s1Start))
1554	continue;
1555
1556	// Is s1End the branch condition?
1557	if (!isConditionForTerminator(s1Start, s1End))
1558	continue;
1559
1560	// Perform the hoisting by eliminating (2) and changing the start
1561	// location of (3).
1562	PieceNextI->setStartLocation(PieceI->getStartLocation());
1563	I = pieces.erase(I);
1564	}
1565	}
1566
1567	/// Returns the number of bytes in the given (character-based) SourceRange.
1568	///
1569	/// If the locations in the range are not on the same line, returns None.
1570	///
1571	/// Note that this does not do a precise user-visible character or column count.
1572	static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM,
1573	SourceRange Range) {
1574	SourceRange ExpansionRange(SM.getExpansionLoc(Range.getBegin()),
1575	SM.getExpansionRange(Range.getEnd()).getEnd());
1576
1577	FileID FID = SM.getFileID(ExpansionRange.getBegin());
1578	if (FID != SM.getFileID(ExpansionRange.getEnd()))
1579	return None;
1580
1581	Optional<MemoryBufferRef> Buffer = SM.getBufferOrNone(FID);
1582	if (!Buffer)
1583	return None;
1584
1585	unsigned BeginOffset = SM.getFileOffset(ExpansionRange.getBegin());
1586	unsigned EndOffset = SM.getFileOffset(ExpansionRange.getEnd());
1587	StringRef Snippet = Buffer->getBuffer().slice(BeginOffset, EndOffset);
1588
1589	// We're searching the raw bytes of the buffer here, which might include
1590	// escaped newlines and such. That's okay; we're trying to decide whether the
1591	// SourceRange is covering a large or small amount of space in the user's
1592	// editor.
1593	if (Snippet.find_first_of("\r\n") != StringRef::npos)
1594	return None;
1595
1596	// This isn't Unicode-aware, but it doesn't need to be.
1597	return Snippet.size();
1598	}
1599
1600	/// \sa getLengthOnSingleLine(SourceManager, SourceRange)
1601	static Optional<size_t> getLengthOnSingleLine(const SourceManager &SM,
1602	const Stmt *S) {
1603	return getLengthOnSingleLine(SM, S->getSourceRange());
1604	}
1605
1606	/// Eliminate two-edge cycles created by addContextEdges().
1607	///
1608	/// Once all the context edges are in place, there are plenty of cases where
1609	/// there's a single edge from a top-level statement to a subexpression,
1610	/// followed by a single path note, and then a reverse edge to get back out to
1611	/// the top level. If the statement is simple enough, the subexpression edges
1612	/// just add noise and make it harder to understand what's going on.
1613	///
1614	/// This function only removes edges in pairs, because removing only one edge
1615	/// might leave other edges dangling.
1616	///
1617	/// This will not remove edges in more complicated situations:
1618	/// - if there is more than one "hop" leading to or from a subexpression.
1619	/// - if there is an inlined call between the edges instead of a single event.
1620	/// - if the whole statement is large enough that having subexpression arrows
1621	/// might be helpful.
1622	static void removeContextCycles(PathPieces &Path, const SourceManager &SM) {
1623	for (PathPieces::iterator I = Path.begin(), E = Path.end(); I != E; ) {
1624	// Pattern match the current piece and its successor.
1625	const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get());
1626
1627	if (!PieceI) {
1628	++I;
1629	continue;
1630	}
1631
1632	const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull();
1633	const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull();
1634
1635	PathPieces::iterator NextI = I; ++NextI;
1636	if (NextI == E)
1637	break;
1638
1639	const auto *PieceNextI =
1640	dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get());
1641
1642	if (!PieceNextI) {
1643	if (isa<PathDiagnosticEventPiece>(NextI->get())) {
1644	++NextI;
1645	if (NextI == E)
1646	break;
1647	PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get());
1648	}
1649
1650	if (!PieceNextI) {
1651	++I;
1652	continue;
1653	}
1654	}
1655
1656	const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull();
1657	const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull();
1658
1659	if (s1Start && s2Start && s1Start == s2End && s2Start == s1End) {
1660	const size_t MAX_SHORT_LINE_LENGTH = 80;
1661	Optional<size_t> s1Length = getLengthOnSingleLine(SM, s1Start);
1662	if (s1Length && *s1Length <= MAX_SHORT_LINE_LENGTH) {
1663	Optional<size_t> s2Length = getLengthOnSingleLine(SM, s2Start);
1664	if (s2Length && *s2Length <= MAX_SHORT_LINE_LENGTH) {
1665	Path.erase(I);
1666	I = Path.erase(NextI);
1667	continue;
1668	}
1669	}
1670	}
1671
1672	++I;
1673	}
1674	}
1675
1676	/// Return true if X is contained by Y.
1677	static bool lexicalContains(const ParentMap &PM, const Stmt *X, const Stmt *Y) {
1678	while (X) {
1679	if (X == Y)
1680	return true;
1681	X = PM.getParent(X);
1682	}
1683	return false;
1684	}
1685
1686	// Remove short edges on the same line less than 3 columns in difference.
1687	static void removePunyEdges(PathPieces &path, const SourceManager &SM,
1688	const ParentMap &PM) {
1689	bool erased = false;
1690
1691	for (PathPieces::iterator I = path.begin(), E = path.end(); I != E;
1692	erased ? I : ++I) {
1693	erased = false;
1694
1695	const auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get());
1696
1697	if (!PieceI)
1698	continue;
1699
1700	const Stmt *start = PieceI->getStartLocation().getStmtOrNull();
1701	const Stmt *end = PieceI->getEndLocation().getStmtOrNull();
1702
1703	if (!start || !end)
1704	continue;
1705
1706	const Stmt *endParent = PM.getParent(end);
1707	if (!endParent)
1708	continue;
1709
1710	if (isConditionForTerminator(end, endParent))
1711	continue;
1712
1713	SourceLocation FirstLoc = start->getBeginLoc();
1714	SourceLocation SecondLoc = end->getBeginLoc();
1715
1716	if (!SM.isWrittenInSameFile(FirstLoc, SecondLoc))
1717	continue;
1718	if (SM.isBeforeInTranslationUnit(SecondLoc, FirstLoc))
1719	std::swap(SecondLoc, FirstLoc);
1720
1721	SourceRange EdgeRange(FirstLoc, SecondLoc);
1722	Optional<size_t> ByteWidth = getLengthOnSingleLine(SM, EdgeRange);
1723
1724	// If the statements are on different lines, continue.
1725	if (!ByteWidth)
1726	continue;
1727
1728	const size_t MAX_PUNY_EDGE_LENGTH = 2;
1729	if (*ByteWidth <= MAX_PUNY_EDGE_LENGTH) {
1730	// FIXME: There are enough /bytes/ between the endpoints of the edge, but
1731	// there might not be enough /columns/. A proper user-visible column count
1732	// is probably too expensive, though.
1733	I = path.erase(I);
1734	erased = true;
1735	continue;
1736	}
1737	}
1738	}
1739
1740	static void removeIdenticalEvents(PathPieces &path) {
1741	for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ++I) {
1742	const auto *PieceI = dyn_cast<PathDiagnosticEventPiece>(I->get());
1743
1744	if (!PieceI)
1745	continue;
1746
1747	PathPieces::iterator NextI = I; ++NextI;
1748	if (NextI == E)
1749	return;
1750
1751	const auto *PieceNextI = dyn_cast<PathDiagnosticEventPiece>(NextI->get());
1752
1753	if (!PieceNextI)
1754	continue;
1755
1756	// Erase the second piece if it has the same exact message text.
1757	if (PieceI->getString() == PieceNextI->getString()) {
1758	path.erase(NextI);
1759	}
1760	}
1761	}
1762
1763	static bool optimizeEdges(const PathDiagnosticConstruct &C, PathPieces &path,
1764	OptimizedCallsSet &OCS) {
1765	bool hasChanges = false;
1766	const LocationContext *LC = C.getLocationContextFor(&path);
1767	assert(LC);
1768	const ParentMap &PM = LC->getParentMap();
1769	const SourceManager &SM = C.getSourceManager();
1770
1771	for (PathPieces::iterator I = path.begin(), E = path.end(); I != E; ) {
1772	// Optimize subpaths.
1773	if (auto *CallI = dyn_cast<PathDiagnosticCallPiece>(I->get())) {
1774	// Record the fact that a call has been optimized so we only do the
1775	// effort once.
1776	if (!OCS.count(CallI)) {
1777	while (optimizeEdges(C, CallI->path, OCS)) {
1778	}
1779	OCS.insert(CallI);
1780	}
1781	++I;
1782	continue;
1783	}
1784
1785	// Pattern match the current piece and its successor.
1786	auto *PieceI = dyn_cast<PathDiagnosticControlFlowPiece>(I->get());
1787
1788	if (!PieceI) {
1789	++I;
1790	continue;
1791	}
1792
1793	const Stmt *s1Start = PieceI->getStartLocation().getStmtOrNull();
1794	const Stmt *s1End = PieceI->getEndLocation().getStmtOrNull();
1795	const Stmt *level1 = getStmtParent(s1Start, PM);
1796	const Stmt *level2 = getStmtParent(s1End, PM);
1797
1798	PathPieces::iterator NextI = I; ++NextI;
1799	if (NextI == E)
1800	break;
1801
1802	const auto *PieceNextI = dyn_cast<PathDiagnosticControlFlowPiece>(NextI->get());
1803
1804	if (!PieceNextI) {
1805	++I;
1806	continue;
1807	}
1808
1809	const Stmt *s2Start = PieceNextI->getStartLocation().getStmtOrNull();
1810	const Stmt *s2End = PieceNextI->getEndLocation().getStmtOrNull();
1811	const Stmt *level3 = getStmtParent(s2Start, PM);
1812	const Stmt *level4 = getStmtParent(s2End, PM);
1813
1814	// Rule I.
1815	//
1816	// If we have two consecutive control edges whose end/begin locations
1817	// are at the same level (e.g. statements or top-level expressions within
1818	// a compound statement, or siblings share a single ancestor expression),
1819	// then merge them if they have no interesting intermediate event.
1820	//
1821	// For example:
1822	//
1823	// (1.1 -> 1.2) -> (1.2 -> 1.3) becomes (1.1 -> 1.3) because the common
1824	// parent is '1'. Here 'x.y.z' represents the hierarchy of statements.
1825	//
1826	// NOTE: this will be limited later in cases where we add barriers
1827	// to prevent this optimization.
1828	if (level1 && level1 == level2 && level1 == level3 && level1 == level4) {
1829	PieceI->setEndLocation(PieceNextI->getEndLocation());
1830	path.erase(NextI);
1831	hasChanges = true;
1832	continue;
1833	}
1834
1835	// Rule II.
1836	//
1837	// Eliminate edges between subexpressions and parent expressions
1838	// when the subexpression is consumed.
1839	//
1840	// NOTE: this will be limited later in cases where we add barriers
1841	// to prevent this optimization.
1842	if (s1End && s1End == s2Start && level2) {
1843	bool removeEdge = false;
1844	// Remove edges into the increment or initialization of a
1845	// loop that have no interleaving event. This means that
1846	// they aren't interesting.
1847	if (isIncrementOrInitInForLoop(s1End, level2))
1848	removeEdge = true;
1849	// Next only consider edges that are not anchored on
1850	// the condition of a terminator. This are intermediate edges
1851	// that we might want to trim.
1852	else if (!isConditionForTerminator(level2, s1End)) {
1853	// Trim edges on expressions that are consumed by
1854	// the parent expression.
1855	if (isa<Expr>(s1End) && PM.isConsumedExpr(cast<Expr>(s1End))) {
1856	removeEdge = true;
1857	}
1858	// Trim edges where a lexical containment doesn't exist.
1859	// For example:
1860	//
1861	// X -> Y -> Z
1862	//
1863	// If 'Z' lexically contains Y (it is an ancestor) and
1864	// 'X' does not lexically contain Y (it is a descendant OR
1865	// it has no lexical relationship at all) then trim.
1866	//
1867	// This can eliminate edges where we dive into a subexpression
1868	// and then pop back out, etc.
1869	else if (s1Start && s2End &&
1870	lexicalContains(PM, s2Start, s2End) &&
1871	!lexicalContains(PM, s1End, s1Start)) {
1872	removeEdge = true;
1873	}
1874	// Trim edges from a subexpression back to the top level if the
1875	// subexpression is on a different line.
1876	//
1877	// A.1 -> A -> B
1878	// becomes
1879	// A.1 -> B
1880	//
1881	// These edges just look ugly and don't usually add anything.
1882	else if (s1Start && s2End &&
1883	lexicalContains(PM, s1Start, s1End)) {
1884	SourceRange EdgeRange(PieceI->getEndLocation().asLocation(),
1885	PieceI->getStartLocation().asLocation());
1886	if (!getLengthOnSingleLine(SM, EdgeRange))
1887	removeEdge = true;
1888	}
1889	}
1890
1891	if (removeEdge) {
1892	PieceI->setEndLocation(PieceNextI->getEndLocation());
1893	path.erase(NextI);
1894	hasChanges = true;
1895	continue;
1896	}
1897	}
1898
1899	// Optimize edges for ObjC fast-enumeration loops.
1900	//
1901	// (X -> collection) -> (collection -> element)
1902	//
1903	// becomes:
1904	//
1905	// (X -> element)
1906	if (s1End == s2Start) {
1907	const auto *FS = dyn_cast_or_null<ObjCForCollectionStmt>(level3);
1908	if (FS && FS->getCollection()->IgnoreParens() == s2Start &&
1909	s2End == FS->getElement()) {
1910	PieceI->setEndLocation(PieceNextI->getEndLocation());
1911	path.erase(NextI);
1912	hasChanges = true;
1913	continue;
1914	}
1915	}
1916
1917	// No changes at this index? Move to the next one.
1918	++I;
1919	}
1920
1921	if (!hasChanges) {
1922	// Adjust edges into subexpressions to make them more uniform
1923	// and aesthetically pleasing.
1924	addContextEdges(path, LC);
1925	// Remove "cyclical" edges that include one or more context edges.
1926	removeContextCycles(path, SM);
1927	// Hoist edges originating from branch conditions to branches
1928	// for simple branches.
1929	simplifySimpleBranches(path);
1930	// Remove any puny edges left over after primary optimization pass.
1931	removePunyEdges(path, SM, PM);
1932	// Remove identical events.
1933	removeIdenticalEvents(path);
1934	}
1935
1936	return hasChanges;
1937	}
1938
1939	/// Drop the very first edge in a path, which should be a function entry edge.
1940	///
1941	/// If the first edge is not a function entry edge (say, because the first
1942	/// statement had an invalid source location), this function does nothing.
1943	// FIXME: We should just generate invalid edges anyway and have the optimizer
1944	// deal with them.
1945	static void dropFunctionEntryEdge(const PathDiagnosticConstruct &C,
1946	PathPieces &Path) {
1947	const auto *FirstEdge =
1948	dyn_cast<PathDiagnosticControlFlowPiece>(Path.front().get());
1949	if (!FirstEdge)
1950	return;
1951
1952	const Decl *D = C.getLocationContextFor(&Path)->getDecl();
1953	PathDiagnosticLocation EntryLoc =
1954	PathDiagnosticLocation::createBegin(D, C.getSourceManager());
1955	if (FirstEdge->getStartLocation() != EntryLoc)
1956	return;
1957
1958	Path.pop_front();
1959	}
1960
1961	/// Populate executes lines with lines containing at least one diagnostics.
1962	static void updateExecutedLinesWithDiagnosticPieces(PathDiagnostic &PD) {
1963
1964	PathPieces path = PD.path.flatten(/*ShouldFlattenMacros=*/true);
1965	FilesToLineNumsMap &ExecutedLines = PD.getExecutedLines();
1966
1967	for (const auto &P : path) {
1968	FullSourceLoc Loc = P->getLocation().asLocation().getExpansionLoc();
1969	FileID FID = Loc.getFileID();
1970	unsigned LineNo = Loc.getLineNumber();
1971	assert(FID.isValid());
1972	ExecutedLines[FID].insert(LineNo);
1973	}
1974	}
1975
1976	PathDiagnosticConstruct::PathDiagnosticConstruct(
1977	const PathDiagnosticConsumer *PDC, const ExplodedNode *ErrorNode,
1978	const PathSensitiveBugReport *R)
1979	: Consumer(PDC), CurrentNode(ErrorNode),
1980	SM(CurrentNode->getCodeDecl().getASTContext().getSourceManager()),
1981	PD(generateEmptyDiagnosticForReport(R, getSourceManager())) {
1982	LCM[&PD->getActivePath()] = ErrorNode->getLocationContext();
1983	}
1984
1985	PathDiagnosticBuilder::PathDiagnosticBuilder(
1986	BugReporterContext BRC, std::unique_ptr<ExplodedGraph> BugPath,
1987	PathSensitiveBugReport *r, const ExplodedNode *ErrorNode,
1988	std::unique_ptr<VisitorsDiagnosticsTy> VisitorsDiagnostics)
1989	: BugReporterContext(BRC), BugPath(std::move(BugPath)), R(r),
1990	ErrorNode(ErrorNode),
1991	VisitorsDiagnostics(std::move(VisitorsDiagnostics)) {}
1992
1993	std::unique_ptr<PathDiagnostic>
1994	PathDiagnosticBuilder::generate(const PathDiagnosticConsumer *PDC) const {
1995	PathDiagnosticConstruct Construct(PDC, ErrorNode, R);
1996
1997	const SourceManager &SM = getSourceManager();
1998	const AnalyzerOptions &Opts = getAnalyzerOptions();
1999
2000	if (!PDC->shouldGenerateDiagnostics())
2001	return generateEmptyDiagnosticForReport(R, getSourceManager());
2002
2003	// Construct the final (warning) event for the bug report.
2004	auto EndNotes = VisitorsDiagnostics->find(ErrorNode);
2005	PathDiagnosticPieceRef LastPiece;
2006	if (EndNotes != VisitorsDiagnostics->end()) {
2007	assert(!EndNotes->second.empty());
2008	LastPiece = EndNotes->second[0];
2009	} else {
2010	LastPiece = BugReporterVisitor::getDefaultEndPath(*this, ErrorNode,
2011	*getBugReport());
2012	}
2013	Construct.PD->setEndOfPath(LastPiece);
2014
2015	PathDiagnosticLocation PrevLoc = Construct.PD->getLocation();
2016	// From the error node to the root, ascend the bug path and construct the bug
2017	// report.
2018	while (Construct.ascendToPrevNode()) {
2019	generatePathDiagnosticsForNode(Construct, PrevLoc);
2020
2021	auto VisitorNotes = VisitorsDiagnostics->find(Construct.getCurrentNode());
2022	if (VisitorNotes == VisitorsDiagnostics->end())
2023	continue;
2024
2025	// This is a workaround due to inability to put shared PathDiagnosticPiece
2026	// into a FoldingSet.
2027	std::set<llvm::FoldingSetNodeID> DeduplicationSet;
2028
2029	// Add pieces from custom visitors.
2030	for (const PathDiagnosticPieceRef &Note : VisitorNotes->second) {
2031	llvm::FoldingSetNodeID ID;
2032	Note->Profile(ID);
2033	if (!DeduplicationSet.insert(ID).second)
2034	continue;
2035
2036	if (PDC->shouldAddPathEdges())
2037	addEdgeToPath(Construct.getActivePath(), PrevLoc, Note->getLocation());
2038	updateStackPiecesWithMessage(Note, Construct.CallStack);
2039	Construct.getActivePath().push_front(Note);
2040	}
2041	}
2042
2043	if (PDC->shouldAddPathEdges()) {
2044	// Add an edge to the start of the function.
2045	// We'll prune it out later, but it helps make diagnostics more uniform.
2046	const StackFrameContext *CalleeLC =
2047	Construct.getLocationContextForActivePath()->getStackFrame();
2048	const Decl *D = CalleeLC->getDecl();
2049	addEdgeToPath(Construct.getActivePath(), PrevLoc,
2050	PathDiagnosticLocation::createBegin(D, SM));
2051	}
2052
2053
2054	// Finally, prune the diagnostic path of uninteresting stuff.
2055	if (!Construct.PD->path.empty()) {
2056	if (R->shouldPrunePath() && Opts.ShouldPrunePaths) {
2057	bool stillHasNotes =
2058	removeUnneededCalls(Construct, Construct.getMutablePieces(), R);
2059	assert(stillHasNotes);
2060	(void)stillHasNotes;
2061	}
2062
2063	// Remove pop-up notes if needed.
2064	if (!Opts.ShouldAddPopUpNotes)
2065	removePopUpNotes(Construct.getMutablePieces());
2066
2067	// Redirect all call pieces to have valid locations.
2068	adjustCallLocations(Construct.getMutablePieces());
2069	removePiecesWithInvalidLocations(Construct.getMutablePieces());
2070
2071	if (PDC->shouldAddPathEdges()) {
2072
2073	// Reduce the number of edges from a very conservative set
2074	// to an aesthetically pleasing subset that conveys the
2075	// necessary information.
2076	OptimizedCallsSet OCS;
2077	while (optimizeEdges(Construct, Construct.getMutablePieces(), OCS)) {
2078	}
2079
2080	// Drop the very first function-entry edge. It's not really necessary
2081	// for top-level functions.
2082	dropFunctionEntryEdge(Construct, Construct.getMutablePieces());
2083	}
2084
2085	// Remove messages that are basically the same, and edges that may not
2086	// make sense.
2087	// We have to do this after edge optimization in the Extensive mode.
2088	removeRedundantMsgs(Construct.getMutablePieces());
2089	removeEdgesToDefaultInitializers(Construct.getMutablePieces());
2090	}
2091
2092	if (Opts.ShouldDisplayMacroExpansions)
2093	CompactMacroExpandedPieces(Construct.getMutablePieces(), SM);
2094
2095	return std::move(Construct.PD);
2096	}
2097
2098	//===----------------------------------------------------------------------===//
2099	// Methods for BugType and subclasses.
2100	//===----------------------------------------------------------------------===//
2101
2102	void BugType::anchor() {}
2103
2104	void BuiltinBug::anchor() {}
2105
2106	//===----------------------------------------------------------------------===//
2107	// Methods for BugReport and subclasses.
2108	//===----------------------------------------------------------------------===//
2109
2110	LLVM_ATTRIBUTE_USED static bool
2111	isDependency(const CheckerRegistryData &Registry, StringRef CheckerName) {
2112	for (const std::pair<StringRef, StringRef> &Pair : Registry.Dependencies) {
2113	if (Pair.second == CheckerName)
2114	return true;
2115	}
2116	return false;
2117	}
2118
2119	LLVM_ATTRIBUTE_USED static bool isHidden(const CheckerRegistryData &Registry,
2120	StringRef CheckerName) {
2121	for (const CheckerInfo &Checker : Registry.Checkers) {
2122	if (Checker.FullName == CheckerName)
2123	return Checker.IsHidden;
2124	}
2125	llvm_unreachable(
2126	"Checker name not found in CheckerRegistry -- did you retrieve it "
2127	"correctly from CheckerManager::getCurrentCheckerName?");
2128	}
2129
2130	PathSensitiveBugReport::PathSensitiveBugReport(
2131	const BugType &bt, StringRef shortDesc, StringRef desc,
2132	const ExplodedNode *errorNode, PathDiagnosticLocation LocationToUnique,
2133	const Decl *DeclToUnique)
2134	: BugReport(Kind::PathSensitive, bt, shortDesc, desc), ErrorNode(errorNode),
2135	ErrorNodeRange(getStmt() ? getStmt()->getSourceRange() : SourceRange()),
2136	UniqueingLocation(LocationToUnique), UniqueingDecl(DeclToUnique) {
2137	assert(!isDependency(ErrorNode->getState()
2138	->getAnalysisManager()
2139	.getCheckerManager()
2140	->getCheckerRegistryData(),
2141	bt.getCheckerName()) &&
2142	"Some checkers depend on this one! We don't allow dependency "
2143	"checkers to emit warnings, because checkers should depend on "
2144	"*modeling*, not *diagnostics*.");
2145
2146	assert(
2147	(bt.getCheckerName().startswith("debug") ||
2148	!isHidden(ErrorNode->getState()
2149	->getAnalysisManager()
2150	.getCheckerManager()
2151	->getCheckerRegistryData(),
2152	bt.getCheckerName())) &&
2153	"Hidden checkers musn't emit diagnostics as they are by definition "
2154	"non-user facing!");
2155	}
2156
2157	void PathSensitiveBugReport::addVisitor(
2158	std::unique_ptr<BugReporterVisitor> visitor) {
2159	if (!visitor)
2160	return;
2161
2162	llvm::FoldingSetNodeID ID;
2163	visitor->Profile(ID);
2164
2165	void *InsertPos = nullptr;
2166	if (CallbacksSet.FindNodeOrInsertPos(ID, InsertPos)) {
2167	return;
2168	}
2169
2170	Callbacks.push_back(std::move(visitor));
2171	}
2172
2173	void PathSensitiveBugReport::clearVisitors() {
2174	Callbacks.clear();
2175	}
2176
2177	const Decl *PathSensitiveBugReport::getDeclWithIssue() const {
2178	const ExplodedNode *N = getErrorNode();
2179	if (!N)
2180	return nullptr;
2181
2182	const LocationContext *LC = N->getLocationContext();
2183	return LC->getStackFrame()->getDecl();
2184	}
2185
2186	void BasicBugReport::Profile(llvm::FoldingSetNodeID& hash) const {
2187	hash.AddInteger(static_cast<int>(getKind()));
2188	hash.AddPointer(&BT);
2189	hash.AddString(Description);
2190	assert(Location.isValid());
2191	Location.Profile(hash);
2192
2193	for (SourceRange range : Ranges) {
2194	if (!range.isValid())
2195	continue;
2196	hash.Add(range.getBegin());
2197	hash.Add(range.getEnd());
2198	}
2199	}
2200
2201	void PathSensitiveBugReport::Profile(llvm::FoldingSetNodeID &hash) const {
2202	hash.AddInteger(static_cast<int>(getKind()));
2203	hash.AddPointer(&BT);
2204	hash.AddString(Description);
2205	PathDiagnosticLocation UL = getUniqueingLocation();
2206	if (UL.isValid()) {
2207	UL.Profile(hash);
2208	} else {
2209	// TODO: The statement may be null if the report was emitted before any
2210	// statements were executed. In particular, some checkers by design
2211	// occasionally emit their reports in empty functions (that have no
2212	// statements in their body). Do we profile correctly in this case?
2213	hash.AddPointer(ErrorNode->getCurrentOrPreviousStmtForDiagnostics());
2214	}
2215
2216	for (SourceRange range : Ranges) {
2217	if (!range.isValid())
2218	continue;
2219	hash.Add(range.getBegin());
2220	hash.Add(range.getEnd());
2221	}
2222	}
2223
2224	template <class T>
2225	static void insertToInterestingnessMap(
2226	llvm::DenseMap<T, bugreporter::TrackingKind> &InterestingnessMap, T Val,
2227	bugreporter::TrackingKind TKind) {
2228	auto Result = InterestingnessMap.insert({Val, TKind});
2229
2230	if (Result.second)
2231	return;
2232
2233	// Even if this symbol/region was already marked as interesting as a
2234	// condition, if we later mark it as interesting again but with
2235	// thorough tracking, overwrite it. Entities marked with thorough
2236	// interestiness are the most important (or most interesting, if you will),
2237	// and we wouldn't like to downplay their importance.
2238
2239	switch (TKind) {
2240	case bugreporter::TrackingKind::Thorough:
2241	Result.first->getSecond() = bugreporter::TrackingKind::Thorough;
2242	return;
2243	case bugreporter::TrackingKind::Condition:
2244	return;
2245	}
2246
2247	llvm_unreachable(
2248	"BugReport::markInteresting currently can only handle 2 different "
2249	"tracking kinds! Please define what tracking kind should this entitiy"
2250	"have, if it was already marked as interesting with a different kind!");
2251	}
2252
2253	void PathSensitiveBugReport::markInteresting(SymbolRef sym,
2254	bugreporter::TrackingKind TKind) {
2255	if (!sym)
2256	return;
2257
2258	insertToInterestingnessMap(InterestingSymbols, sym, TKind);
2259
2260	// FIXME: No tests exist for this code and it is questionable:
2261	// How to handle multiple metadata for the same region?
2262	if (const auto *meta = dyn_cast<SymbolMetadata>(sym))
2263	markInteresting(meta->getRegion(), TKind);
2264	}
2265
2266	void PathSensitiveBugReport::markNotInteresting(SymbolRef sym) {
2267	if (!sym)
2268	return;
2269	InterestingSymbols.erase(sym);
2270
2271	// The metadata part of markInteresting is not reversed here.
2272	// Just making the same region not interesting is incorrect
2273	// in specific cases.
2274	if (const auto *meta = dyn_cast<SymbolMetadata>(sym))
2275	markNotInteresting(meta->getRegion());
2276	}
2277
2278	void PathSensitiveBugReport::markInteresting(const MemRegion *R,
2279	bugreporter::TrackingKind TKind) {
2280	if (!R)
2281	return;
2282
2283	R = R->getBaseRegion();
2284	insertToInterestingnessMap(InterestingRegions, R, TKind);
2285
2286	if (const auto *SR = dyn_cast<SymbolicRegion>(R))
2287	markInteresting(SR->getSymbol(), TKind);
2288	}
2289
2290	void PathSensitiveBugReport::markNotInteresting(const MemRegion *R) {
2291	if (!R)
2292	return;
2293
2294	R = R->getBaseRegion();
2295	InterestingRegions.erase(R);
2296
2297	if (const auto *SR = dyn_cast<SymbolicRegion>(R))
2298	markNotInteresting(SR->getSymbol());
2299	}
2300
2301	void PathSensitiveBugReport::markInteresting(SVal V,
2302	bugreporter::TrackingKind TKind) {
2303	markInteresting(V.getAsRegion(), TKind);
2304	markInteresting(V.getAsSymbol(), TKind);
2305	}
2306
2307	void PathSensitiveBugReport::markInteresting(const LocationContext *LC) {
2308	if (!LC)
2309	return;
2310	InterestingLocationContexts.insert(LC);
2311	}
2312
2313	Optional<bugreporter::TrackingKind>
2314	PathSensitiveBugReport::getInterestingnessKind(SVal V) const {
2315	auto RKind = getInterestingnessKind(V.getAsRegion());
2316	auto SKind = getInterestingnessKind(V.getAsSymbol());
2317	if (!RKind)
2318	return SKind;
2319	if (!SKind)
2320	return RKind;
2321
2322	// If either is marked with throrough tracking, return that, we wouldn't like
2323	// to downplay a note's importance by 'only' mentioning it as a condition.
2324	switch(*RKind) {
2325	case bugreporter::TrackingKind::Thorough:
2326	return RKind;
2327	case bugreporter::TrackingKind::Condition:
2328	return SKind;
2329	}
2330
2331	llvm_unreachable(
2332	"BugReport::getInterestingnessKind currently can only handle 2 different "
2333	"tracking kinds! Please define what tracking kind should we return here "
2334	"when the kind of getAsRegion() and getAsSymbol() is different!");
2335	return None;
2336	}
2337
2338	Optional<bugreporter::TrackingKind>
2339	PathSensitiveBugReport::getInterestingnessKind(SymbolRef sym) const {
2340	if (!sym)
2341	return None;
2342	// We don't currently consider metadata symbols to be interesting
2343	// even if we know their region is interesting. Is that correct behavior?
2344	auto It = InterestingSymbols.find(sym);
2345	if (It == InterestingSymbols.end())
2346	return None;
2347	return It->getSecond();
2348	}
2349
2350	Optional<bugreporter::TrackingKind>
2351	PathSensitiveBugReport::getInterestingnessKind(const MemRegion *R) const {
2352	if (!R)
2353	return None;
2354
2355	R = R->getBaseRegion();
2356	auto It = InterestingRegions.find(R);
2357	if (It != InterestingRegions.end())
2358	return It->getSecond();
2359
2360	if (const auto *SR = dyn_cast<SymbolicRegion>(R))
2361	return getInterestingnessKind(SR->getSymbol());
2362	return None;
2363	}
2364
2365	bool PathSensitiveBugReport::isInteresting(SVal V) const {
2366	return getInterestingnessKind(V).has_value();
2367	}
2368
2369	bool PathSensitiveBugReport::isInteresting(SymbolRef sym) const {
2370	return getInterestingnessKind(sym).has_value();
2371	}
2372
2373	bool PathSensitiveBugReport::isInteresting(const MemRegion *R) const {
2374	return getInterestingnessKind(R).has_value();
2375	}
2376
2377	bool PathSensitiveBugReport::isInteresting(const LocationContext *LC) const {
2378	if (!LC)
2379	return false;
2380	return InterestingLocationContexts.count(LC);
2381	}
2382
2383	const Stmt *PathSensitiveBugReport::getStmt() const {
2384	if (!ErrorNode)
2385	return nullptr;
2386
2387	ProgramPoint ProgP = ErrorNode->getLocation();
2388	const Stmt *S = nullptr;
2389
2390	if (Optional<BlockEntrance> BE = ProgP.getAs<BlockEntrance>()) {
2391	CFGBlock &Exit = ProgP.getLocationContext()->getCFG()->getExit();
2392	if (BE->getBlock() == &Exit)
2393	S = ErrorNode->getPreviousStmtForDiagnostics();
2394	}
2395	if (!S)
2396	S = ErrorNode->getStmtForDiagnostics();
2397
2398	return S;
2399	}
2400
2401	ArrayRef<SourceRange>
2402	PathSensitiveBugReport::getRanges() const {
2403	// If no custom ranges, add the range of the statement corresponding to
2404	// the error node.
2405	if (Ranges.empty() && isa_and_nonnull<Expr>(getStmt()))
2406	return ErrorNodeRange;
2407
2408	return Ranges;
2409	}
2410
2411	PathDiagnosticLocation
2412	PathSensitiveBugReport::getLocation() const {
2413	assert(ErrorNode && "Cannot create a location with a null node.");
2414	const Stmt *S = ErrorNode->getStmtForDiagnostics();
2415	ProgramPoint P = ErrorNode->getLocation();
2416	const LocationContext *LC = P.getLocationContext();
2417	SourceManager &SM =
2418	ErrorNode->getState()->getStateManager().getContext().getSourceManager();
2419
2420	if (!S) {
2421	// If this is an implicit call, return the implicit call point location.
2422	if (Optional<PreImplicitCall> PIE = P.getAs<PreImplicitCall>())
2423	return PathDiagnosticLocation(PIE->getLocation(), SM);
2424	if (auto FE = P.getAs<FunctionExitPoint>()) {
2425	if (const ReturnStmt *RS = FE->getStmt())
2426	return PathDiagnosticLocation::createBegin(RS, SM, LC);
2427	}
2428	S = ErrorNode->getNextStmtForDiagnostics();
2429	}
2430
2431	if (S) {
2432	// For member expressions, return the location of the '.' or '->'.
2433	if (const auto *ME = dyn_cast<MemberExpr>(S))
2434	return PathDiagnosticLocation::createMemberLoc(ME, SM);
2435
2436	// For binary operators, return the location of the operator.
2437	if (const auto *B = dyn_cast<BinaryOperator>(S))
2438	return PathDiagnosticLocation::createOperatorLoc(B, SM);
2439
2440	if (P.getAs<PostStmtPurgeDeadSymbols>())
2441	return PathDiagnosticLocation::createEnd(S, SM, LC);
2442
2443	if (S->getBeginLoc().isValid())
2444	return PathDiagnosticLocation(S, SM, LC);
2445
2446	return PathDiagnosticLocation(
2447	PathDiagnosticLocation::getValidSourceLocation(S, LC), SM);
2448	}
2449
2450	return PathDiagnosticLocation::createDeclEnd(ErrorNode->getLocationContext(),
2451	SM);
2452	}
2453
2454	//===----------------------------------------------------------------------===//
2455	// Methods for BugReporter and subclasses.
2456	//===----------------------------------------------------------------------===//
2457
2458	const ExplodedGraph &PathSensitiveBugReporter::getGraph() const {
2459	return Eng.getGraph();
2460	}
2461
2462	ProgramStateManager &PathSensitiveBugReporter::getStateManager() const {
2463	return Eng.getStateManager();
2464	}
2465
2466	BugReporter::BugReporter(BugReporterData &d) : D(d) {}
2467	BugReporter::~BugReporter() {
2468	// Make sure reports are flushed.
2469	assert(StrBugTypes.empty() &&
2470	"Destroying BugReporter before diagnostics are emitted!");
2471
2472	// Free the bug reports we are tracking.
2473	for (const auto I : EQClassesVector)
2474	delete I;
2475	}
2476
2477	void BugReporter::FlushReports() {
2478	// We need to flush reports in deterministic order to ensure the order
2479	// of the reports is consistent between runs.
2480	for (const auto EQ : EQClassesVector)
2481	FlushReport(*EQ);
2482
2483	// BugReporter owns and deletes only BugTypes created implicitly through
2484	// EmitBasicReport.
2485	// FIXME: There are leaks from checkers that assume that the BugTypes they
2486	// create will be destroyed by the BugReporter.
2487	StrBugTypes.clear();
2488	}
2489
2490	//===----------------------------------------------------------------------===//
2491	// PathDiagnostics generation.
2492	//===----------------------------------------------------------------------===//
2493
2494	namespace {
2495
2496	/// A wrapper around an ExplodedGraph that contains a single path from the root
2497	/// to the error node.
2498	class BugPathInfo {
2499	public:
2500	std::unique_ptr<ExplodedGraph> BugPath;
2501	PathSensitiveBugReport *Report;
2502	const ExplodedNode *ErrorNode;
2503	};
2504
2505	/// A wrapper around an ExplodedGraph whose leafs are all error nodes. Can
2506	/// conveniently retrieve bug paths from a single error node to the root.
2507	class BugPathGetter {
2508	std::unique_ptr<ExplodedGraph> TrimmedGraph;
2509
2510	using PriorityMapTy = llvm::DenseMap<const ExplodedNode *, unsigned>;
2511
2512	/// Assign each node with its distance from the root.
2513	PriorityMapTy PriorityMap;
2514
2515	/// Since the getErrorNode() or BugReport refers to the original ExplodedGraph,
2516	/// we need to pair it to the error node of the constructed trimmed graph.
2517	using ReportNewNodePair =
2518	std::pair<PathSensitiveBugReport *, const ExplodedNode *>;
2519	SmallVector<ReportNewNodePair, 32> ReportNodes;
2520
2521	BugPathInfo CurrentBugPath;
2522
2523	/// A helper class for sorting ExplodedNodes by priority.
2524	template <bool Descending>
2525	class PriorityCompare {
2526	const PriorityMapTy &PriorityMap;
2527
2528	public:
2529	PriorityCompare(const PriorityMapTy &M) : PriorityMap(M) {}
2530
2531	bool operator()(const ExplodedNode *LHS, const ExplodedNode *RHS) const {
2532	PriorityMapTy::const_iterator LI = PriorityMap.find(LHS);
2533	PriorityMapTy::const_iterator RI = PriorityMap.find(RHS);
2534	PriorityMapTy::const_iterator E = PriorityMap.end();
2535
2536	if (LI == E)
2537	return Descending;
2538	if (RI == E)
2539	return !Descending;
2540
2541	return Descending ? LI->second > RI->second
2542	: LI->second < RI->second;
2543	}
2544
2545	bool operator()(const ReportNewNodePair &LHS,
2546	const ReportNewNodePair &RHS) const {
2547	return (*this)(LHS.second, RHS.second);
2548	}
2549	};
2550
2551	public:
2552	BugPathGetter(const ExplodedGraph *OriginalGraph,
2553	ArrayRef<PathSensitiveBugReport *> &bugReports);
2554
2555	BugPathInfo *getNextBugPath();
2556	};
2557
2558	} // namespace
2559
2560	BugPathGetter::BugPathGetter(const ExplodedGraph *OriginalGraph,
2561	ArrayRef<PathSensitiveBugReport *> &bugReports) {
2562	SmallVector<const ExplodedNode *, 32> Nodes;
2563	for (const auto I : bugReports) {
2564	assert(I->isValid() &&
2565	"We only allow BugReporterVisitors and BugReporter itself to "
2566	"invalidate reports!");
2567	Nodes.emplace_back(I->getErrorNode());
2568	}
2569
2570	// The trimmed graph is created in the body of the constructor to ensure
2571	// that the DenseMaps have been initialized already.
2572	InterExplodedGraphMap ForwardMap;
2573	TrimmedGraph = OriginalGraph->trim(Nodes, &ForwardMap);
2574
2575	// Find the (first) error node in the trimmed graph. We just need to consult
2576	// the node map which maps from nodes in the original graph to nodes
2577	// in the new graph.
2578	llvm::SmallPtrSet<const ExplodedNode *, 32> RemainingNodes;
2579
2580	for (PathSensitiveBugReport *Report : bugReports) {
2581	const ExplodedNode *NewNode = ForwardMap.lookup(Report->getErrorNode());
2582	assert(NewNode &&
2583	"Failed to construct a trimmed graph that contains this error "
2584	"node!");
2585	ReportNodes.emplace_back(Report, NewNode);
2586	RemainingNodes.insert(NewNode);
2587	}
2588
2589	assert(!RemainingNodes.empty() && "No error node found in the trimmed graph");
2590
2591	// Perform a forward BFS to find all the shortest paths.
2592	std::queue<const ExplodedNode *> WS;
2593
2594	assert(TrimmedGraph->num_roots() == 1);
2595	WS.push(*TrimmedGraph->roots_begin());
2596	unsigned Priority = 0;
2597
2598	while (!WS.empty()) {
2599	const ExplodedNode *Node = WS.front();
2600	WS.pop();
2601
2602	PriorityMapTy::iterator PriorityEntry;
2603	bool IsNew;
2604	std::tie(PriorityEntry, IsNew) = PriorityMap.insert({Node, Priority});
2605	++Priority;
2606
2607	if (!IsNew) {
2608	assert(PriorityEntry->second <= Priority);
2609	continue;
2610	}
2611
2612	if (RemainingNodes.erase(Node))
2613	if (RemainingNodes.empty())
2614	break;
2615
2616	for (const ExplodedNode *Succ : Node->succs())
2617	WS.push(Succ);
2618	}
2619
2620	// Sort the error paths from longest to shortest.
2621	llvm::sort(ReportNodes, PriorityCompare<true>(PriorityMap));
2622	}
2623
2624	BugPathInfo *BugPathGetter::getNextBugPath() {
2625	if (ReportNodes.empty())
2626	return nullptr;
2627
2628	const ExplodedNode *OrigN;
2629	std::tie(CurrentBugPath.Report, OrigN) = ReportNodes.pop_back_val();
2630	assert(PriorityMap.find(OrigN) != PriorityMap.end() &&
2631	"error node not accessible from root");
2632
2633	// Create a new graph with a single path. This is the graph that will be
2634	// returned to the caller.
2635	auto GNew = std::make_unique<ExplodedGraph>();
2636
2637	// Now walk from the error node up the BFS path, always taking the
2638	// predeccessor with the lowest number.
2639	ExplodedNode *Succ = nullptr;
2640	while (true) {
2641	// Create the equivalent node in the new graph with the same state
2642	// and location.
2643	ExplodedNode *NewN = GNew->createUncachedNode(
2644	OrigN->getLocation(), OrigN->getState(),
2645	OrigN->getID(), OrigN->isSink());
2646
2647	// Link up the new node with the previous node.
2648	if (Succ)
2649	Succ->addPredecessor(NewN, *GNew);
2650	else
2651	CurrentBugPath.ErrorNode = NewN;
2652
2653	Succ = NewN;
2654
2655	// Are we at the final node?
2656	if (OrigN->pred_empty()) {
2657	GNew->addRoot(NewN);
2658	break;
2659	}
2660
2661	// Find the next predeccessor node. We choose the node that is marked
2662	// with the lowest BFS number.
2663	OrigN = *std::min_element(OrigN->pred_begin(), OrigN->pred_end(),
2664	PriorityCompare<false>(PriorityMap));
2665	}
2666
2667	CurrentBugPath.BugPath = std::move(GNew);
2668
2669	return &CurrentBugPath;
2670	}
2671
2672	/// CompactMacroExpandedPieces - This function postprocesses a PathDiagnostic
2673	/// object and collapses PathDiagosticPieces that are expanded by macros.
2674	static void CompactMacroExpandedPieces(PathPieces &path,
2675	const SourceManager& SM) {
2676	using MacroStackTy = std::vector<
2677	std::pair<std::shared_ptr<PathDiagnosticMacroPiece>, SourceLocation>>;
2678
2679	using PiecesTy = std::vector<PathDiagnosticPieceRef>;
2680
2681	MacroStackTy MacroStack;
2682	PiecesTy Pieces;
2683
2684	for (PathPieces::const_iterator I = path.begin(), E = path.end();
2685	I != E; ++I) {
2686	const auto &piece = *I;
2687
2688	// Recursively compact calls.
2689	if (auto *call = dyn_cast<PathDiagnosticCallPiece>(&*piece)) {
2690	CompactMacroExpandedPieces(call->path, SM);
2691	}
2692
2693	// Get the location of the PathDiagnosticPiece.
2694	const FullSourceLoc Loc = piece->getLocation().asLocation();
2695
2696	// Determine the instantiation location, which is the location we group
2697	// related PathDiagnosticPieces.
2698	SourceLocation InstantiationLoc = Loc.isMacroID() ?
2699	SM.getExpansionLoc(Loc) :
2700	SourceLocation();
2701
2702	if (Loc.isFileID()) {
2703	MacroStack.clear();
2704	Pieces.push_back(piece);
2705	continue;
2706	}
2707
2708	assert(Loc.isMacroID());
2709
2710	// Is the PathDiagnosticPiece within the same macro group?
2711	if (!MacroStack.empty() && InstantiationLoc == MacroStack.back().second) {
2712	MacroStack.back().first->subPieces.push_back(piece);
2713	continue;
2714	}
2715
2716	// We aren't in the same group. Are we descending into a new macro
2717	// or are part of an old one?
2718	std::shared_ptr<PathDiagnosticMacroPiece> MacroGroup;
2719
2720	SourceLocation ParentInstantiationLoc = InstantiationLoc.isMacroID() ?
2721	SM.getExpansionLoc(Loc) :
2722	SourceLocation();
2723
2724	// Walk the entire macro stack.
2725	while (!MacroStack.empty()) {
2726	if (InstantiationLoc == MacroStack.back().second) {
2727	MacroGroup = MacroStack.back().first;
2728	break;
2729	}
2730
2731	if (ParentInstantiationLoc == MacroStack.back().second) {
2732	MacroGroup = MacroStack.back().first;
2733	break;
2734	}
2735
2736	MacroStack.pop_back();
2737	}
2738
2739	if (!MacroGroup || ParentInstantiationLoc == MacroStack.back().second) {
2740	// Create a new macro group and add it to the stack.
2741	auto NewGroup = std::make_shared<PathDiagnosticMacroPiece>(
2742	PathDiagnosticLocation::createSingleLocation(piece->getLocation()));
2743
2744	if (MacroGroup)
2745	MacroGroup->subPieces.push_back(NewGroup);
2746	else {
2747	assert(InstantiationLoc.isFileID());
2748	Pieces.push_back(NewGroup);
2749	}
2750
2751	MacroGroup = NewGroup;
2752	MacroStack.push_back(std::make_pair(MacroGroup, InstantiationLoc));
2753	}
2754
2755	// Finally, add the PathDiagnosticPiece to the group.
2756	MacroGroup->subPieces.push_back(piece);
2757	}
2758
2759	// Now take the pieces and construct a new PathDiagnostic.
2760	path.clear();
2761
2762	path.insert(path.end(), Pieces.begin(), Pieces.end());
2763	}
2764
2765	/// Generate notes from all visitors.
2766	/// Notes associated with @c ErrorNode are generated using
2767	/// @c getEndPath, and the rest are generated with @c VisitNode.
2768	static std::unique_ptr<VisitorsDiagnosticsTy>
2769	generateVisitorsDiagnostics(PathSensitiveBugReport *R,
2770	const ExplodedNode *ErrorNode,
2771	BugReporterContext &BRC) {
2772	std::unique_ptr<VisitorsDiagnosticsTy> Notes =
2773	std::make_unique<VisitorsDiagnosticsTy>();
2774	PathSensitiveBugReport::VisitorList visitors;
2775
2776	// Run visitors on all nodes starting from the node *before* the last one.
2777	// The last node is reserved for notes generated with @c getEndPath.
2778	const ExplodedNode *NextNode = ErrorNode->getFirstPred();
2779	while (NextNode) {
2780
2781	// At each iteration, move all visitors from report to visitor list. This is
2782	// important, because the Profile() functions of the visitors make sure that
2783	// a visitor isn't added multiple times for the same node, but it's fine
2784	// to add the a visitor with Profile() for different nodes (e.g. tracking
2785	// a region at different points of the symbolic execution).
2786	for (std::unique_ptr<BugReporterVisitor> &Visitor : R->visitors())
2787	visitors.push_back(std::move(Visitor));
2788
2789	R->clearVisitors();
2790
2791	const ExplodedNode *Pred = NextNode->getFirstPred();
2792	if (!Pred) {
2793	PathDiagnosticPieceRef LastPiece;
2794	for (auto &V : visitors) {
2795	V->finalizeVisitor(BRC, ErrorNode, *R);
2796
2797	if (auto Piece = V->getEndPath(BRC, ErrorNode, *R)) {
2798	assert(!LastPiece &&
2799	"There can only be one final piece in a diagnostic.");
2800	assert(Piece->getKind() == PathDiagnosticPiece::Kind::Event &&
2801	"The final piece must contain a message!");
2802	LastPiece = std::move(Piece);
2803	(*Notes)[ErrorNode].push_back(LastPiece);
2804	}
2805	}
2806	break;
2807	}
2808
2809	for (auto &V : visitors) {
2810	auto P = V->VisitNode(NextNode, BRC, *R);
2811	if (P)
2812	(*Notes)[NextNode].push_back(std::move(P));
2813	}
2814
2815	if (!R->isValid())
2816	break;
2817
2818	NextNode = Pred;
2819	}
2820
2821	return Notes;
2822	}
2823
2824	Optional<PathDiagnosticBuilder> PathDiagnosticBuilder::findValidReport(
2825	ArrayRef<PathSensitiveBugReport *> &bugReports,
2826	PathSensitiveBugReporter &Reporter) {
2827
2828	BugPathGetter BugGraph(&Reporter.getGraph(), bugReports);
2829
2830	while (BugPathInfo *BugPath = BugGraph.getNextBugPath()) {
2831	// Find the BugReport with the original location.
2832	PathSensitiveBugReport *R = BugPath->Report;
2833	assert(R && "No original report found for sliced graph.");
2834	assert(R->isValid() && "Report selected by trimmed graph marked invalid.");
2835	const ExplodedNode *ErrorNode = BugPath->ErrorNode;
2836
2837	// Register refutation visitors first, if they mark the bug invalid no
2838	// further analysis is required
2839	R->addVisitor<LikelyFalsePositiveSuppressionBRVisitor>();
2840
2841	// Register additional node visitors.
2842	R->addVisitor<NilReceiverBRVisitor>();
2843	R->addVisitor<ConditionBRVisitor>();
2844	R->addVisitor<TagVisitor>();
2845
2846	BugReporterContext BRC(Reporter);
2847
2848	// Run all visitors on a given graph, once.
2849	std::unique_ptr<VisitorsDiagnosticsTy> visitorNotes =
2850	generateVisitorsDiagnostics(R, ErrorNode, BRC);
2851
2852	if (R->isValid()) {
2853	if (Reporter.getAnalyzerOptions().ShouldCrosscheckWithZ3) {
2854	// If crosscheck is enabled, remove all visitors, add the refutation
2855	// visitor and check again
2856	R->clearVisitors();
2857	R->addVisitor<FalsePositiveRefutationBRVisitor>();
2858
2859	// We don't overwrite the notes inserted by other visitors because the
2860	// refutation manager does not add any new note to the path
2861	generateVisitorsDiagnostics(R, BugPath->ErrorNode, BRC);
2862	}
2863
2864	// Check if the bug is still valid
2865	if (R->isValid())
2866	return PathDiagnosticBuilder(
2867	std::move(BRC), std::move(BugPath->BugPath), BugPath->Report,
2868	BugPath->ErrorNode, std::move(visitorNotes));
2869	}
2870	}
2871
2872	return {};
2873	}
2874
2875	std::unique_ptr<DiagnosticForConsumerMapTy>
2876	PathSensitiveBugReporter::generatePathDiagnostics(
2877	ArrayRef<PathDiagnosticConsumer *> consumers,
2878	ArrayRef<PathSensitiveBugReport *> &bugReports) {
2879	assert(!bugReports.empty());
2880
2881	auto Out = std::make_unique<DiagnosticForConsumerMapTy>();
2882
2883	Optional<PathDiagnosticBuilder> PDB =
2884	PathDiagnosticBuilder::findValidReport(bugReports, *this);
2885
2886	if (PDB) {
2887	for (PathDiagnosticConsumer *PC : consumers) {
2888	if (std::unique_ptr<PathDiagnostic> PD = PDB->generate(PC)) {
2889	(*Out)[PC] = std::move(PD);
2890	}
2891	}
2892	}
2893
2894	return Out;
2895	}
2896
2897	void BugReporter::emitReport(std::unique_ptr<BugReport> R) {
2898	bool ValidSourceLoc = R->getLocation().isValid();
2899	assert(ValidSourceLoc);
2900	// If we mess up in a release build, we'd still prefer to just drop the bug
2901	// instead of trying to go on.
2902	if (!ValidSourceLoc)
2903	return;
2904
2905	// Compute the bug report's hash to determine its equivalence class.
2906	llvm::FoldingSetNodeID ID;
2907	R->Profile(ID);
2908
2909	// Lookup the equivance class. If there isn't one, create it.
2910	void *InsertPos;
2911	BugReportEquivClass* EQ = EQClasses.FindNodeOrInsertPos(ID, InsertPos);
2912
2913	if (!EQ) {
2914	EQ = new BugReportEquivClass(std::move(R));
2915	EQClasses.InsertNode(EQ, InsertPos);
2916	EQClassesVector.push_back(EQ);
2917	} else
2918	EQ->AddReport(std::move(R));
2919	}
2920
2921	void PathSensitiveBugReporter::emitReport(std::unique_ptr<BugReport> R) {
2922	if (auto PR = dyn_cast<PathSensitiveBugReport>(R.get()))
2923	if (const ExplodedNode *E = PR->getErrorNode()) {
2924	// An error node must either be a sink or have a tag, otherwise
2925	// it could get reclaimed before the path diagnostic is created.
2926	assert((E->isSink() || E->getLocation().getTag()) &&
2927	"Error node must either be a sink or have a tag");
2928
2929	const AnalysisDeclContext *DeclCtx =
2930	E->getLocationContext()->getAnalysisDeclContext();
2931	// The source of autosynthesized body can be handcrafted AST or a model
2932	// file. The locations from handcrafted ASTs have no valid source
2933	// locations and have to be discarded. Locations from model files should
2934	// be preserved for processing and reporting.
2935	if (DeclCtx->isBodyAutosynthesized() &&
2936	!DeclCtx->isBodyAutosynthesizedFromModelFile())
2937	return;
2938	}
2939
2940	BugReporter::emitReport(std::move(R));
2941	}
2942
2943	//===----------------------------------------------------------------------===//
2944	// Emitting reports in equivalence classes.
2945	//===----------------------------------------------------------------------===//
2946
2947	namespace {
2948
2949	struct FRIEC_WLItem {
2950	const ExplodedNode *N;
2951	ExplodedNode::const_succ_iterator I, E;
2952
2953	FRIEC_WLItem(const ExplodedNode *n)
2954	: N(n), I(N->succ_begin()), E(N->succ_end()) {}
2955	};
2956
2957	} // namespace
2958
2959	BugReport *PathSensitiveBugReporter::findReportInEquivalenceClass(
2960	BugReportEquivClass &EQ, SmallVectorImpl<BugReport *> &bugReports) {
2961	// If we don't need to suppress any of the nodes because they are
2962	// post-dominated by a sink, simply add all the nodes in the equivalence class
2963	// to 'Nodes'. Any of the reports will serve as a "representative" report.
2964	assert(EQ.getReports().size() > 0);
2965	const BugType& BT = EQ.getReports()[0]->getBugType();
2966	if (!BT.isSuppressOnSink()) {
2967	BugReport *R = EQ.getReports()[0].get();
2968	for (auto &J : EQ.getReports()) {
2969	if (auto *PR = dyn_cast<PathSensitiveBugReport>(J.get())) {
2970	R = PR;
2971	bugReports.push_back(PR);
2972	}
2973	}
2974	return R;
2975	}
2976
2977	// For bug reports that should be suppressed when all paths are post-dominated
2978	// by a sink node, iterate through the reports in the equivalence class
2979	// until we find one that isn't post-dominated (if one exists). We use a
2980	// DFS traversal of the ExplodedGraph to find a non-sink node. We could write
2981	// this as a recursive function, but we don't want to risk blowing out the
2982	// stack for very long paths.
2983	BugReport *exampleReport = nullptr;
2984
2985	for (const auto &I: EQ.getReports()) {
2986	auto *R = dyn_cast<PathSensitiveBugReport>(I.get());
2987	if (!R)
2988	continue;
2989
2990	const ExplodedNode *errorNode = R->getErrorNode();
2991	if (errorNode->isSink()) {
2992	llvm_unreachable(
2993	"BugType::isSuppressSink() should not be 'true' for sink end nodes");
2994	}
2995	// No successors? By definition this nodes isn't post-dominated by a sink.
2996	if (errorNode->succ_empty()) {
2997	bugReports.push_back(R);
2998	if (!exampleReport)
2999	exampleReport = R;
3000	continue;
3001	}
3002
3003	// See if we are in a no-return CFG block. If so, treat this similarly
3004	// to being post-dominated by a sink. This works better when the analysis
3005	// is incomplete and we have never reached the no-return function call(s)
3006	// that we'd inevitably bump into on this path.
3007	if (const CFGBlock *ErrorB = errorNode->getCFGBlock())
3008	if (ErrorB->isInevitablySinking())
3009	continue;
3010
3011	// At this point we know that 'N' is not a sink and it has at least one
3012	// successor. Use a DFS worklist to find a non-sink end-of-path node.
3013	using WLItem = FRIEC_WLItem;
3014	using DFSWorkList = SmallVector<WLItem, 10>;
3015
3016	llvm::DenseMap<const ExplodedNode *, unsigned> Visited;
3017
3018	DFSWorkList WL;
3019	WL.push_back(errorNode);
3020	Visited[errorNode] = 1;
3021
3022	while (!WL.empty()) {
3023	WLItem &WI = WL.back();
3024	assert(!WI.N->succ_empty());
3025
3026	for (; WI.I != WI.E; ++WI.I) {
3027	const ExplodedNode *Succ = *WI.I;
3028	// End-of-path node?
3029	if (Succ->succ_empty()) {
3030	// If we found an end-of-path node that is not a sink.
3031	if (!Succ->isSink()) {
3032	bugReports.push_back(R);
3033	if (!exampleReport)
3034	exampleReport = R;
3035	WL.clear();
3036	break;
3037	}
3038	// Found a sink? Continue on to the next successor.
3039	continue;
3040	}
3041	// Mark the successor as visited. If it hasn't been explored,
3042	// enqueue it to the DFS worklist.
3043	unsigned &mark = Visited[Succ];
3044	if (!mark) {
3045	mark = 1;
3046	WL.push_back(Succ);
3047	break;
3048	}
3049	}
3050
3051	// The worklist may have been cleared at this point. First
3052	// check if it is empty before checking the last item.
3053	if (!WL.empty() && &WL.back() == &WI)
3054	WL.pop_back();
3055	}
3056	}
3057
3058	// ExampleReport will be NULL if all the nodes in the equivalence class
3059	// were post-dominated by sinks.
3060	return exampleReport;
3061	}
3062
3063	void BugReporter::FlushReport(BugReportEquivClass& EQ) {
3064	SmallVector<BugReport*, 10> bugReports;
3065	BugReport *report = findReportInEquivalenceClass(EQ, bugReports);
3066	if (!report)
3067	return;
3068
3069	// See whether we need to silence the checker/package.
3070	for (const std::string &CheckerOrPackage :
3071	getAnalyzerOptions().SilencedCheckersAndPackages) {
3072	if (report->getBugType().getCheckerName().startswith(
3073	CheckerOrPackage))
3074	return;
3075	}
3076
3077	ArrayRef<PathDiagnosticConsumer*> Consumers = getPathDiagnosticConsumers();
3078	std::unique_ptr<DiagnosticForConsumerMapTy> Diagnostics =
3079	generateDiagnosticForConsumerMap(report, Consumers, bugReports);
3080
3081	for (auto &P : *Diagnostics) {
3082	PathDiagnosticConsumer *Consumer = P.first;
3083	std::unique_ptr<PathDiagnostic> &PD = P.second;
3084
3085	// If the path is empty, generate a single step path with the location
3086	// of the issue.
3087	if (PD->path.empty()) {
3088	PathDiagnosticLocation L = report->getLocation();
3089	auto piece = std::make_unique<PathDiagnosticEventPiece>(
3090	L, report->getDescription());
3091	for (SourceRange Range : report->getRanges())
3092	piece->addRange(Range);
3093	PD->setEndOfPath(std::move(piece));
3094	}
3095
3096	PathPieces &Pieces = PD->getMutablePieces();
3097	if (getAnalyzerOptions().ShouldDisplayNotesAsEvents) {
3098	// For path diagnostic consumers that don't support extra notes,
3099	// we may optionally convert those to path notes.
3100	for (auto I = report->getNotes().rbegin(),
3101	E = report->getNotes().rend(); I != E; ++I) {
3102	PathDiagnosticNotePiece *Piece = I->get();
3103	auto ConvertedPiece = std::make_shared<PathDiagnosticEventPiece>(
3104	Piece->getLocation(), Piece->getString());
3105	for (const auto &R: Piece->getRanges())
3106	ConvertedPiece->addRange(R);
3107
3108	Pieces.push_front(std::move(ConvertedPiece));
3109	}
3110	} else {
3111	for (auto I = report->getNotes().rbegin(),
3112	E = report->getNotes().rend(); I != E; ++I)
3113	Pieces.push_front(*I);
3114	}
3115
3116	for (const auto &I : report->getFixits())
3117	Pieces.back()->addFixit(I);
3118
3119	updateExecutedLinesWithDiagnosticPieces(*PD);
3120	Consumer->HandlePathDiagnostic(std::move(PD));
3121	}
3122	}
3123
3124	/// Insert all lines participating in the function signature \p Signature
3125	/// into \p ExecutedLines.
3126	static void populateExecutedLinesWithFunctionSignature(
3127	const Decl *Signature, const SourceManager &SM,
3128	FilesToLineNumsMap &ExecutedLines) {
3129	SourceRange SignatureSourceRange;
3130	const Stmt* Body = Signature->getBody();
3131	if (const auto FD = dyn_cast<FunctionDecl>(Signature)) {
3132	SignatureSourceRange = FD->getSourceRange();
3133	} else if (const auto OD = dyn_cast<ObjCMethodDecl>(Signature)) {
3134	SignatureSourceRange = OD->getSourceRange();
3135	} else {
3136	return;
3137	}
3138	SourceLocation Start = SignatureSourceRange.getBegin();
3139	SourceLocation End = Body ? Body->getSourceRange().getBegin()
3140	: SignatureSourceRange.getEnd();
3141	if (!Start.isValid() || !End.isValid())
3142	return;
3143	unsigned StartLine = SM.getExpansionLineNumber(Start);
3144	unsigned EndLine = SM.getExpansionLineNumber(End);
3145
3146	FileID FID = SM.getFileID(SM.getExpansionLoc(Start));
3147	for (unsigned Line = StartLine; Line <= EndLine; Line++)
3148	ExecutedLines[FID].insert(Line);
3149	}
3150
3151	static void populateExecutedLinesWithStmt(
3152	const Stmt *S, const SourceManager &SM,
3153	FilesToLineNumsMap &ExecutedLines) {
3154	SourceLocation Loc = S->getSourceRange().getBegin();
3155	if (!Loc.isValid())
3156	return;
3157	SourceLocation ExpansionLoc = SM.getExpansionLoc(Loc);
3158	FileID FID = SM.getFileID(ExpansionLoc);
3159	unsigned LineNo = SM.getExpansionLineNumber(ExpansionLoc);
3160	ExecutedLines[FID].insert(LineNo);
3161	}
3162
3163	/// \return all executed lines including function signatures on the path
3164	/// starting from \p N.
3165	static std::unique_ptr<FilesToLineNumsMap>
3166	findExecutedLines(const SourceManager &SM, const ExplodedNode *N) {
3167	auto ExecutedLines = std::make_unique<FilesToLineNumsMap>();
3168
3169	while (N) {
3170	if (N->getFirstPred() == nullptr) {
3171	// First node: show signature of the entrance point.
3172	const Decl *D = N->getLocationContext()->getDecl();
3173	populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines);
3174	} else if (auto CE = N->getLocationAs<CallEnter>()) {
3175	// Inlined function: show signature.
3176	const Decl* D = CE->getCalleeContext()->getDecl();
3177	populateExecutedLinesWithFunctionSignature(D, SM, *ExecutedLines);
3178	} else if (const Stmt *S = N->getStmtForDiagnostics()) {
3179	populateExecutedLinesWithStmt(S, SM, *ExecutedLines);
3180
3181	// Show extra context for some parent kinds.
3182	const Stmt *P = N->getParentMap().getParent(S);
3183
3184	// The path exploration can die before the node with the associated
3185	// return statement is generated, but we do want to show the whole
3186	// return.
3187	if (const auto *RS = dyn_cast_or_null<ReturnStmt>(P)) {
3188	populateExecutedLinesWithStmt(RS, SM, *ExecutedLines);
3189	P = N->getParentMap().getParent(RS);
3190	}
3191
3192	if (isa_and_nonnull<SwitchCase, LabelStmt>(P))
3193	populateExecutedLinesWithStmt(P, SM, *ExecutedLines);
3194	}
3195
3196	N = N->getFirstPred();
3197	}
3198	return ExecutedLines;
3199	}
3200
3201	std::unique_ptr<DiagnosticForConsumerMapTy>
3202	BugReporter::generateDiagnosticForConsumerMap(
3203	BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers,
3204	ArrayRef<BugReport *> bugReports) {
3205	auto *basicReport = cast<BasicBugReport>(exampleReport);
3206	auto Out = std::make_unique<DiagnosticForConsumerMapTy>();
3207	for (auto *Consumer : consumers)
3208	(*Out)[Consumer] = generateDiagnosticForBasicReport(basicReport);
3209	return Out;
3210	}
3211
3212	static PathDiagnosticCallPiece *
3213	getFirstStackedCallToHeaderFile(PathDiagnosticCallPiece *CP,
3214	const SourceManager &SMgr) {
3215	SourceLocation CallLoc = CP->callEnter.asLocation();
3216
3217	// If the call is within a macro, don't do anything (for now).
3218	if (CallLoc.isMacroID())
3219	return nullptr;
3220
3221	assert(AnalysisManager::isInCodeFile(CallLoc, SMgr) &&
3222	"The call piece should not be in a header file.");
3223
3224	// Check if CP represents a path through a function outside of the main file.
3225	if (!AnalysisManager::isInCodeFile(CP->callEnterWithin.asLocation(), SMgr))
3226	return CP;
3227
3228	const PathPieces &Path = CP->path;
3229	if (Path.empty())
3230	return nullptr;
3231
3232	// Check if the last piece in the callee path is a call to a function outside
3233	// of the main file.
3234	if (auto *CPInner = dyn_cast<PathDiagnosticCallPiece>(Path.back().get()))
3235	return getFirstStackedCallToHeaderFile(CPInner, SMgr);
3236
3237	// Otherwise, the last piece is in the main file.
3238	return nullptr;
3239	}
3240
3241	static void resetDiagnosticLocationToMainFile(PathDiagnostic &PD) {
3242	if (PD.path.empty())
3243	return;
3244
3245	PathDiagnosticPiece *LastP = PD.path.back().get();
3246	assert(LastP);
3247	const SourceManager &SMgr = LastP->getLocation().getManager();
3248
3249	// We only need to check if the report ends inside headers, if the last piece
3250	// is a call piece.
3251	if (auto *CP = dyn_cast<PathDiagnosticCallPiece>(LastP)) {
3252	CP = getFirstStackedCallToHeaderFile(CP, SMgr);
3253	if (CP) {
3254	// Mark the piece.
3255	CP->setAsLastInMainSourceFile();
3256
3257	// Update the path diagnostic message.
3258	const auto *ND = dyn_cast<NamedDecl>(CP->getCallee());
3259	if (ND) {
3260	SmallString<200> buf;
3261	llvm::raw_svector_ostream os(buf);
3262	os << " (within a call to '" << ND->getDeclName() << "')";
3263	PD.appendToDesc(os.str());
3264	}
3265
3266	// Reset the report containing declaration and location.
3267	PD.setDeclWithIssue(CP->getCaller());
3268	PD.setLocation(CP->getLocation());
3269
3270	return;
3271	}
3272	}
3273	}
3274
3275
3276
3277	std::unique_ptr<DiagnosticForConsumerMapTy>
3278	PathSensitiveBugReporter::generateDiagnosticForConsumerMap(
3279	BugReport *exampleReport, ArrayRef<PathDiagnosticConsumer *> consumers,
3280	ArrayRef<BugReport *> bugReports) {
3281	std::vector<BasicBugReport *> BasicBugReports;
3282	std::vector<PathSensitiveBugReport *> PathSensitiveBugReports;
3283	if (isa<BasicBugReport>(exampleReport))
3284	return BugReporter::generateDiagnosticForConsumerMap(exampleReport,
3285	consumers, bugReports);
3286
3287	// Generate the full path sensitive diagnostic, using the generation scheme
3288	// specified by the PathDiagnosticConsumer. Note that we have to generate
3289	// path diagnostics even for consumers which do not support paths, because
3290	// the BugReporterVisitors may mark this bug as a false positive.
3291	assert(!bugReports.empty());
3292	MaxBugClassSize.updateMax(bugReports.size());
3293
3294	// Avoid copying the whole array because there may be a lot of reports.
3295	ArrayRef<PathSensitiveBugReport *> convertedArrayOfReports(
3296	reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.begin()),
3297	reinterpret_cast<PathSensitiveBugReport *const *>(&*bugReports.end()));
3298	std::unique_ptr<DiagnosticForConsumerMapTy> Out = generatePathDiagnostics(
3299	consumers, convertedArrayOfReports);
3300
3301	if (Out->empty())
3302	return Out;
3303
3304	MaxValidBugClassSize.updateMax(bugReports.size());
3305
3306	// Examine the report and see if the last piece is in a header. Reset the
3307	// report location to the last piece in the main source file.
3308	const AnalyzerOptions &Opts = getAnalyzerOptions();
3309	for (auto const &P : *Out)
3310	if (Opts.ShouldReportIssuesInMainSourceFile && !Opts.AnalyzeAll)
3311	resetDiagnosticLocationToMainFile(*P.second);
3312
3313	return Out;
3314	}
3315
3316	void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
3317	const CheckerBase *Checker, StringRef Name,
3318	StringRef Category, StringRef Str,
3319	PathDiagnosticLocation Loc,
3320	ArrayRef<SourceRange> Ranges,
3321	ArrayRef<FixItHint> Fixits) {
3322	EmitBasicReport(DeclWithIssue, Checker->getCheckerName(), Name, Category, Str,
3323	Loc, Ranges, Fixits);
3324	}
3325
3326	void BugReporter::EmitBasicReport(const Decl *DeclWithIssue,
3327	CheckerNameRef CheckName,
3328	StringRef name, StringRef category,
3329	StringRef str, PathDiagnosticLocation Loc,
3330	ArrayRef<SourceRange> Ranges,
3331	ArrayRef<FixItHint> Fixits) {
3332	// 'BT' is owned by BugReporter.
3333	BugType *BT = getBugTypeForName(CheckName, name, category);
3334	auto R = std::make_unique<BasicBugReport>(*BT, str, Loc);
3335	R->setDeclWithIssue(DeclWithIssue);
3336	for (const auto &SR : Ranges)
3337	R->addRange(SR);
3338	for (const auto &FH : Fixits)
3339	R->addFixItHint(FH);
3340	emitReport(std::move(R));
3341	}
3342
3343	BugType *BugReporter::getBugTypeForName(CheckerNameRef CheckName,
3344	StringRef name, StringRef category) {
3345	SmallString<136> fullDesc;
3346	llvm::raw_svector_ostream(fullDesc) << CheckName.getName() << ":" << name
3347	<< ":" << category;
3348	std::unique_ptr<BugType> &BT = StrBugTypes[fullDesc];
3349	if (!BT)
3350	BT = std::make_unique<BugType>(CheckName, name, category);
3351	return BT.get();
3352	}
3353