1 //===--- AnalysisConsumer.cpp - ASTConsumer for running Analyses ----------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // "Meta" ASTConsumer for running different source analyses.
11 //
12 //===----------------------------------------------------------------------===//
13
14 #include "clang/StaticAnalyzer/Frontend/AnalysisConsumer.h"
15 #include "ModelInjector.h"
16 #include "clang/AST/ASTConsumer.h"
17 #include "clang/AST/Decl.h"
18 #include "clang/AST/DeclCXX.h"
19 #include "clang/AST/DeclObjC.h"
20 #include "clang/AST/ParentMap.h"
21 #include "clang/AST/RecursiveASTVisitor.h"
22 #include "clang/Analysis/Analyses/LiveVariables.h"
23 #include "clang/Analysis/CFG.h"
24 #include "clang/Analysis/CallGraph.h"
25 #include "clang/Analysis/CodeInjector.h"
26 #include "clang/Basic/FileManager.h"
27 #include "clang/Basic/SourceManager.h"
28 #include "clang/Frontend/CompilerInstance.h"
29 #include "clang/Lex/Preprocessor.h"
30 #include "clang/StaticAnalyzer/Checkers/LocalCheckers.h"
31 #include "clang/StaticAnalyzer/Core/AnalyzerOptions.h"
32 #include "clang/StaticAnalyzer/Core/BugReporter/BugReporter.h"
33 #include "clang/StaticAnalyzer/Core/BugReporter/PathDiagnostic.h"
34 #include "clang/StaticAnalyzer/Core/CheckerManager.h"
35 #include "clang/StaticAnalyzer/Core/PathDiagnosticConsumers.h"
36 #include "clang/StaticAnalyzer/Core/PathSensitive/AnalysisManager.h"
37 #include "clang/StaticAnalyzer/Core/PathSensitive/ExprEngine.h"
38 #include "clang/StaticAnalyzer/Frontend/CheckerRegistration.h"
39 #include "llvm/ADT/DepthFirstIterator.h"
40 #include "llvm/ADT/PostOrderIterator.h"
41 #include "llvm/ADT/SmallPtrSet.h"
42 #include "llvm/ADT/Statistic.h"
43 #include "llvm/Support/FileSystem.h"
44 #include "llvm/Support/Path.h"
45 #include "llvm/Support/Program.h"
46 #include "llvm/Support/Timer.h"
47 #include "llvm/Support/raw_ostream.h"
48 #include <memory>
49 #include <queue>
50 #include <utility>
51
52 using namespace clang;
53 using namespace ento;
54
55 #define DEBUG_TYPE "AnalysisConsumer"
56
57 static std::unique_ptr<ExplodedNode::Auditor> CreateUbiViz();
58
59 STATISTIC(NumFunctionTopLevel, "The # of functions at top level.");
60 STATISTIC(NumFunctionsAnalyzed,
61 "The # of functions and blocks analyzed (as top level "
62 "with inlining turned on).");
63 STATISTIC(NumBlocksInAnalyzedFunctions,
64 "The # of basic blocks in the analyzed functions.");
65 STATISTIC(PercentReachableBlocks, "The % of reachable basic blocks.");
66 STATISTIC(MaxCFGSize, "The maximum number of basic blocks in a function.");
67
68 //===----------------------------------------------------------------------===//
69 // Special PathDiagnosticConsumers.
70 //===----------------------------------------------------------------------===//
71
createPlistHTMLDiagnosticConsumer(AnalyzerOptions & AnalyzerOpts,PathDiagnosticConsumers & C,const std::string & prefix,const Preprocessor & PP)72 void ento::createPlistHTMLDiagnosticConsumer(AnalyzerOptions &AnalyzerOpts,
73 PathDiagnosticConsumers &C,
74 const std::string &prefix,
75 const Preprocessor &PP) {
76 createHTMLDiagnosticConsumer(AnalyzerOpts, C,
77 llvm::sys::path::parent_path(prefix), PP);
78 createPlistDiagnosticConsumer(AnalyzerOpts, C, prefix, PP);
79 }
80
createTextPathDiagnosticConsumer(AnalyzerOptions & AnalyzerOpts,PathDiagnosticConsumers & C,const std::string & Prefix,const clang::Preprocessor & PP)81 void ento::createTextPathDiagnosticConsumer(AnalyzerOptions &AnalyzerOpts,
82 PathDiagnosticConsumers &C,
83 const std::string &Prefix,
84 const clang::Preprocessor &PP) {
85 llvm_unreachable("'text' consumer should be enabled on ClangDiags");
86 }
87
88 namespace {
89 class ClangDiagPathDiagConsumer : public PathDiagnosticConsumer {
90 DiagnosticsEngine &Diag;
91 bool IncludePath;
92 public:
ClangDiagPathDiagConsumer(DiagnosticsEngine & Diag)93 ClangDiagPathDiagConsumer(DiagnosticsEngine &Diag)
94 : Diag(Diag), IncludePath(false) {}
~ClangDiagPathDiagConsumer()95 ~ClangDiagPathDiagConsumer() override {}
getName() const96 StringRef getName() const override { return "ClangDiags"; }
97
supportsLogicalOpControlFlow() const98 bool supportsLogicalOpControlFlow() const override { return true; }
supportsCrossFileDiagnostics() const99 bool supportsCrossFileDiagnostics() const override { return true; }
100
getGenerationScheme() const101 PathGenerationScheme getGenerationScheme() const override {
102 return IncludePath ? Minimal : None;
103 }
104
enablePaths()105 void enablePaths() {
106 IncludePath = true;
107 }
108
FlushDiagnosticsImpl(std::vector<const PathDiagnostic * > & Diags,FilesMade * filesMade)109 void FlushDiagnosticsImpl(std::vector<const PathDiagnostic *> &Diags,
110 FilesMade *filesMade) override {
111 unsigned WarnID = Diag.getCustomDiagID(DiagnosticsEngine::Warning, "%0");
112 unsigned NoteID = Diag.getCustomDiagID(DiagnosticsEngine::Note, "%0");
113
114 for (std::vector<const PathDiagnostic*>::iterator I = Diags.begin(),
115 E = Diags.end(); I != E; ++I) {
116 const PathDiagnostic *PD = *I;
117 SourceLocation WarnLoc = PD->getLocation().asLocation();
118 Diag.Report(WarnLoc, WarnID) << PD->getShortDescription()
119 << PD->path.back()->getRanges();
120
121 if (!IncludePath)
122 continue;
123
124 PathPieces FlatPath = PD->path.flatten(/*ShouldFlattenMacros=*/true);
125 for (PathPieces::const_iterator PI = FlatPath.begin(),
126 PE = FlatPath.end();
127 PI != PE; ++PI) {
128 SourceLocation NoteLoc = (*PI)->getLocation().asLocation();
129 Diag.Report(NoteLoc, NoteID) << (*PI)->getString()
130 << (*PI)->getRanges();
131 }
132 }
133 }
134 };
135 } // end anonymous namespace
136
137 //===----------------------------------------------------------------------===//
138 // AnalysisConsumer declaration.
139 //===----------------------------------------------------------------------===//
140
141 namespace {
142
143 class AnalysisConsumer : public AnalysisASTConsumer,
144 public RecursiveASTVisitor<AnalysisConsumer> {
145 enum {
146 AM_None = 0,
147 AM_Syntax = 0x1,
148 AM_Path = 0x2
149 };
150 typedef unsigned AnalysisMode;
151
152 /// Mode of the analyzes while recursively visiting Decls.
153 AnalysisMode RecVisitorMode;
154 /// Bug Reporter to use while recursively visiting Decls.
155 BugReporter *RecVisitorBR;
156
157 public:
158 ASTContext *Ctx;
159 const Preprocessor &PP;
160 const std::string OutDir;
161 AnalyzerOptionsRef Opts;
162 ArrayRef<std::string> Plugins;
163 CodeInjector *Injector;
164
165 /// \brief Stores the declarations from the local translation unit.
166 /// Note, we pre-compute the local declarations at parse time as an
167 /// optimization to make sure we do not deserialize everything from disk.
168 /// The local declaration to all declarations ratio might be very small when
169 /// working with a PCH file.
170 SetOfDecls LocalTUDecls;
171
172 // Set of PathDiagnosticConsumers. Owned by AnalysisManager.
173 PathDiagnosticConsumers PathConsumers;
174
175 StoreManagerCreator CreateStoreMgr;
176 ConstraintManagerCreator CreateConstraintMgr;
177
178 std::unique_ptr<CheckerManager> checkerMgr;
179 std::unique_ptr<AnalysisManager> Mgr;
180
181 /// Time the analyzes time of each translation unit.
182 static llvm::Timer* TUTotalTimer;
183
184 /// The information about analyzed functions shared throughout the
185 /// translation unit.
186 FunctionSummariesTy FunctionSummaries;
187
AnalysisConsumer(const Preprocessor & pp,const std::string & outdir,AnalyzerOptionsRef opts,ArrayRef<std::string> plugins,CodeInjector * injector)188 AnalysisConsumer(const Preprocessor &pp, const std::string &outdir,
189 AnalyzerOptionsRef opts, ArrayRef<std::string> plugins,
190 CodeInjector *injector)
191 : RecVisitorMode(0), RecVisitorBR(nullptr), Ctx(nullptr), PP(pp),
192 OutDir(outdir), Opts(std::move(opts)), Plugins(plugins),
193 Injector(injector) {
194 DigestAnalyzerOptions();
195 if (Opts->PrintStats) {
196 llvm::EnableStatistics();
197 TUTotalTimer = new llvm::Timer("Analyzer Total Time");
198 }
199 }
200
~AnalysisConsumer()201 ~AnalysisConsumer() override {
202 if (Opts->PrintStats)
203 delete TUTotalTimer;
204 }
205
DigestAnalyzerOptions()206 void DigestAnalyzerOptions() {
207 if (Opts->AnalysisDiagOpt != PD_NONE) {
208 // Create the PathDiagnosticConsumer.
209 ClangDiagPathDiagConsumer *clangDiags =
210 new ClangDiagPathDiagConsumer(PP.getDiagnostics());
211 PathConsumers.push_back(clangDiags);
212
213 if (Opts->AnalysisDiagOpt == PD_TEXT) {
214 clangDiags->enablePaths();
215
216 } else if (!OutDir.empty()) {
217 switch (Opts->AnalysisDiagOpt) {
218 default:
219 #define ANALYSIS_DIAGNOSTICS(NAME, CMDFLAG, DESC, CREATEFN) \
220 case PD_##NAME: \
221 CREATEFN(*Opts.get(), PathConsumers, OutDir, PP); \
222 break;
223 #include "clang/StaticAnalyzer/Core/Analyses.def"
224 }
225 }
226 }
227
228 // Create the analyzer component creators.
229 switch (Opts->AnalysisStoreOpt) {
230 default:
231 llvm_unreachable("Unknown store manager.");
232 #define ANALYSIS_STORE(NAME, CMDFLAG, DESC, CREATEFN) \
233 case NAME##Model: CreateStoreMgr = CREATEFN; break;
234 #include "clang/StaticAnalyzer/Core/Analyses.def"
235 }
236
237 switch (Opts->AnalysisConstraintsOpt) {
238 default:
239 llvm_unreachable("Unknown constraint manager.");
240 #define ANALYSIS_CONSTRAINTS(NAME, CMDFLAG, DESC, CREATEFN) \
241 case NAME##Model: CreateConstraintMgr = CREATEFN; break;
242 #include "clang/StaticAnalyzer/Core/Analyses.def"
243 }
244 }
245
DisplayFunction(const Decl * D,AnalysisMode Mode,ExprEngine::InliningModes IMode)246 void DisplayFunction(const Decl *D, AnalysisMode Mode,
247 ExprEngine::InliningModes IMode) {
248 if (!Opts->AnalyzerDisplayProgress)
249 return;
250
251 SourceManager &SM = Mgr->getASTContext().getSourceManager();
252 PresumedLoc Loc = SM.getPresumedLoc(D->getLocation());
253 if (Loc.isValid()) {
254 llvm::errs() << "ANALYZE";
255
256 if (Mode == AM_Syntax)
257 llvm::errs() << " (Syntax)";
258 else if (Mode == AM_Path) {
259 llvm::errs() << " (Path, ";
260 switch (IMode) {
261 case ExprEngine::Inline_Minimal:
262 llvm::errs() << " Inline_Minimal";
263 break;
264 case ExprEngine::Inline_Regular:
265 llvm::errs() << " Inline_Regular";
266 break;
267 }
268 llvm::errs() << ")";
269 }
270 else
271 assert(Mode == (AM_Syntax | AM_Path) && "Unexpected mode!");
272
273 llvm::errs() << ": " << Loc.getFilename();
274 if (isa<FunctionDecl>(D) || isa<ObjCMethodDecl>(D)) {
275 const NamedDecl *ND = cast<NamedDecl>(D);
276 llvm::errs() << ' ' << ND->getQualifiedNameAsString() << '\n';
277 }
278 else if (isa<BlockDecl>(D)) {
279 llvm::errs() << ' ' << "block(line:" << Loc.getLine() << ",col:"
280 << Loc.getColumn() << '\n';
281 }
282 else if (const ObjCMethodDecl *MD = dyn_cast<ObjCMethodDecl>(D)) {
283 Selector S = MD->getSelector();
284 llvm::errs() << ' ' << S.getAsString();
285 }
286 }
287 }
288
Initialize(ASTContext & Context)289 void Initialize(ASTContext &Context) override {
290 Ctx = &Context;
291 checkerMgr = createCheckerManager(*Opts, PP.getLangOpts(), Plugins,
292 PP.getDiagnostics());
293
294 Mgr = llvm::make_unique<AnalysisManager>(
295 *Ctx, PP.getDiagnostics(), PP.getLangOpts(), PathConsumers,
296 CreateStoreMgr, CreateConstraintMgr, checkerMgr.get(), *Opts, Injector);
297 }
298
299 /// \brief Store the top level decls in the set to be processed later on.
300 /// (Doing this pre-processing avoids deserialization of data from PCH.)
301 bool HandleTopLevelDecl(DeclGroupRef D) override;
302 void HandleTopLevelDeclInObjCContainer(DeclGroupRef D) override;
303
304 void HandleTranslationUnit(ASTContext &C) override;
305
306 /// \brief Determine which inlining mode should be used when this function is
307 /// analyzed. This allows to redefine the default inlining policies when
308 /// analyzing a given function.
309 ExprEngine::InliningModes
310 getInliningModeForFunction(const Decl *D, const SetOfConstDecls &Visited);
311
312 /// \brief Build the call graph for all the top level decls of this TU and
313 /// use it to define the order in which the functions should be visited.
314 void HandleDeclsCallGraph(const unsigned LocalTUDeclsSize);
315
316 /// \brief Run analyzes(syntax or path sensitive) on the given function.
317 /// \param Mode - determines if we are requesting syntax only or path
318 /// sensitive only analysis.
319 /// \param VisitedCallees - The output parameter, which is populated with the
320 /// set of functions which should be considered analyzed after analyzing the
321 /// given root function.
322 void HandleCode(Decl *D, AnalysisMode Mode,
323 ExprEngine::InliningModes IMode = ExprEngine::Inline_Minimal,
324 SetOfConstDecls *VisitedCallees = nullptr);
325
326 void RunPathSensitiveChecks(Decl *D,
327 ExprEngine::InliningModes IMode,
328 SetOfConstDecls *VisitedCallees);
329 void ActionExprEngine(Decl *D, bool ObjCGCEnabled,
330 ExprEngine::InliningModes IMode,
331 SetOfConstDecls *VisitedCallees);
332
333 /// Visitors for the RecursiveASTVisitor.
shouldWalkTypesOfTypeLocs() const334 bool shouldWalkTypesOfTypeLocs() const { return false; }
335
336 /// Handle callbacks for arbitrary Decls.
VisitDecl(Decl * D)337 bool VisitDecl(Decl *D) {
338 AnalysisMode Mode = getModeForDecl(D, RecVisitorMode);
339 if (Mode & AM_Syntax)
340 checkerMgr->runCheckersOnASTDecl(D, *Mgr, *RecVisitorBR);
341 return true;
342 }
343
VisitFunctionDecl(FunctionDecl * FD)344 bool VisitFunctionDecl(FunctionDecl *FD) {
345 IdentifierInfo *II = FD->getIdentifier();
346 if (II && II->getName().startswith("__inline"))
347 return true;
348
349 // We skip function template definitions, as their semantics is
350 // only determined when they are instantiated.
351 if (FD->isThisDeclarationADefinition() &&
352 !FD->isDependentContext()) {
353 assert(RecVisitorMode == AM_Syntax || Mgr->shouldInlineCall() == false);
354 HandleCode(FD, RecVisitorMode);
355 }
356 return true;
357 }
358
VisitObjCMethodDecl(ObjCMethodDecl * MD)359 bool VisitObjCMethodDecl(ObjCMethodDecl *MD) {
360 if (MD->isThisDeclarationADefinition()) {
361 assert(RecVisitorMode == AM_Syntax || Mgr->shouldInlineCall() == false);
362 HandleCode(MD, RecVisitorMode);
363 }
364 return true;
365 }
366
VisitBlockDecl(BlockDecl * BD)367 bool VisitBlockDecl(BlockDecl *BD) {
368 if (BD->hasBody()) {
369 assert(RecVisitorMode == AM_Syntax || Mgr->shouldInlineCall() == false);
370 // Since we skip function template definitions, we should skip blocks
371 // declared in those functions as well.
372 if (!BD->isDependentContext()) {
373 HandleCode(BD, RecVisitorMode);
374 }
375 }
376 return true;
377 }
378
AddDiagnosticConsumer(PathDiagnosticConsumer * Consumer)379 void AddDiagnosticConsumer(PathDiagnosticConsumer *Consumer) override {
380 PathConsumers.push_back(Consumer);
381 }
382
383 private:
384 void storeTopLevelDecls(DeclGroupRef DG);
385
386 /// \brief Check if we should skip (not analyze) the given function.
387 AnalysisMode getModeForDecl(Decl *D, AnalysisMode Mode);
388
389 };
390 } // end anonymous namespace
391
392
393 //===----------------------------------------------------------------------===//
394 // AnalysisConsumer implementation.
395 //===----------------------------------------------------------------------===//
396 llvm::Timer* AnalysisConsumer::TUTotalTimer = nullptr;
397
HandleTopLevelDecl(DeclGroupRef DG)398 bool AnalysisConsumer::HandleTopLevelDecl(DeclGroupRef DG) {
399 storeTopLevelDecls(DG);
400 return true;
401 }
402
HandleTopLevelDeclInObjCContainer(DeclGroupRef DG)403 void AnalysisConsumer::HandleTopLevelDeclInObjCContainer(DeclGroupRef DG) {
404 storeTopLevelDecls(DG);
405 }
406
storeTopLevelDecls(DeclGroupRef DG)407 void AnalysisConsumer::storeTopLevelDecls(DeclGroupRef DG) {
408 for (DeclGroupRef::iterator I = DG.begin(), E = DG.end(); I != E; ++I) {
409
410 // Skip ObjCMethodDecl, wait for the objc container to avoid
411 // analyzing twice.
412 if (isa<ObjCMethodDecl>(*I))
413 continue;
414
415 LocalTUDecls.push_back(*I);
416 }
417 }
418
shouldSkipFunction(const Decl * D,const SetOfConstDecls & Visited,const SetOfConstDecls & VisitedAsTopLevel)419 static bool shouldSkipFunction(const Decl *D,
420 const SetOfConstDecls &Visited,
421 const SetOfConstDecls &VisitedAsTopLevel) {
422 if (VisitedAsTopLevel.count(D))
423 return true;
424
425 // We want to re-analyse the functions as top level in the following cases:
426 // - The 'init' methods should be reanalyzed because
427 // ObjCNonNilReturnValueChecker assumes that '[super init]' never returns
428 // 'nil' and unless we analyze the 'init' functions as top level, we will
429 // not catch errors within defensive code.
430 // - We want to reanalyze all ObjC methods as top level to report Retain
431 // Count naming convention errors more aggressively.
432 if (isa<ObjCMethodDecl>(D))
433 return false;
434
435 // Otherwise, if we visited the function before, do not reanalyze it.
436 return Visited.count(D);
437 }
438
439 ExprEngine::InliningModes
getInliningModeForFunction(const Decl * D,const SetOfConstDecls & Visited)440 AnalysisConsumer::getInliningModeForFunction(const Decl *D,
441 const SetOfConstDecls &Visited) {
442 // We want to reanalyze all ObjC methods as top level to report Retain
443 // Count naming convention errors more aggressively. But we should tune down
444 // inlining when reanalyzing an already inlined function.
445 if (Visited.count(D)) {
446 assert(isa<ObjCMethodDecl>(D) &&
447 "We are only reanalyzing ObjCMethods.");
448 const ObjCMethodDecl *ObjCM = cast<ObjCMethodDecl>(D);
449 if (ObjCM->getMethodFamily() != OMF_init)
450 return ExprEngine::Inline_Minimal;
451 }
452
453 return ExprEngine::Inline_Regular;
454 }
455
HandleDeclsCallGraph(const unsigned LocalTUDeclsSize)456 void AnalysisConsumer::HandleDeclsCallGraph(const unsigned LocalTUDeclsSize) {
457 // Build the Call Graph by adding all the top level declarations to the graph.
458 // Note: CallGraph can trigger deserialization of more items from a pch
459 // (though HandleInterestingDecl); triggering additions to LocalTUDecls.
460 // We rely on random access to add the initially processed Decls to CG.
461 CallGraph CG;
462 for (unsigned i = 0 ; i < LocalTUDeclsSize ; ++i) {
463 CG.addToCallGraph(LocalTUDecls[i]);
464 }
465
466 // Walk over all of the call graph nodes in topological order, so that we
467 // analyze parents before the children. Skip the functions inlined into
468 // the previously processed functions. Use external Visited set to identify
469 // inlined functions. The topological order allows the "do not reanalyze
470 // previously inlined function" performance heuristic to be triggered more
471 // often.
472 SetOfConstDecls Visited;
473 SetOfConstDecls VisitedAsTopLevel;
474 llvm::ReversePostOrderTraversal<clang::CallGraph*> RPOT(&CG);
475 for (llvm::ReversePostOrderTraversal<clang::CallGraph*>::rpo_iterator
476 I = RPOT.begin(), E = RPOT.end(); I != E; ++I) {
477 NumFunctionTopLevel++;
478
479 CallGraphNode *N = *I;
480 Decl *D = N->getDecl();
481
482 // Skip the abstract root node.
483 if (!D)
484 continue;
485
486 // Skip the functions which have been processed already or previously
487 // inlined.
488 if (shouldSkipFunction(D, Visited, VisitedAsTopLevel))
489 continue;
490
491 // Analyze the function.
492 SetOfConstDecls VisitedCallees;
493
494 HandleCode(D, AM_Path, getInliningModeForFunction(D, Visited),
495 (Mgr->options.InliningMode == All ? nullptr : &VisitedCallees));
496
497 // Add the visited callees to the global visited set.
498 for (const Decl *Callee : VisitedCallees)
499 // Decls from CallGraph are already canonical. But Decls coming from
500 // CallExprs may be not. We should canonicalize them manually.
501 Visited.insert(isa<ObjCMethodDecl>(Callee) ? Callee
502 : Callee->getCanonicalDecl());
503 VisitedAsTopLevel.insert(D);
504 }
505 }
506
HandleTranslationUnit(ASTContext & C)507 void AnalysisConsumer::HandleTranslationUnit(ASTContext &C) {
508 // Don't run the actions if an error has occurred with parsing the file.
509 DiagnosticsEngine &Diags = PP.getDiagnostics();
510 if (Diags.hasErrorOccurred() || Diags.hasFatalErrorOccurred())
511 return;
512
513 // Don't analyze if the user explicitly asked for no checks to be performed
514 // on this file.
515 if (Opts->DisableAllChecks)
516 return;
517
518 {
519 if (TUTotalTimer) TUTotalTimer->startTimer();
520
521 // Introduce a scope to destroy BR before Mgr.
522 BugReporter BR(*Mgr);
523 TranslationUnitDecl *TU = C.getTranslationUnitDecl();
524 checkerMgr->runCheckersOnASTDecl(TU, *Mgr, BR);
525
526 // Run the AST-only checks using the order in which functions are defined.
527 // If inlining is not turned on, use the simplest function order for path
528 // sensitive analyzes as well.
529 RecVisitorMode = AM_Syntax;
530 if (!Mgr->shouldInlineCall())
531 RecVisitorMode |= AM_Path;
532 RecVisitorBR = &BR;
533
534 // Process all the top level declarations.
535 //
536 // Note: TraverseDecl may modify LocalTUDecls, but only by appending more
537 // entries. Thus we don't use an iterator, but rely on LocalTUDecls
538 // random access. By doing so, we automatically compensate for iterators
539 // possibly being invalidated, although this is a bit slower.
540 const unsigned LocalTUDeclsSize = LocalTUDecls.size();
541 for (unsigned i = 0 ; i < LocalTUDeclsSize ; ++i) {
542 TraverseDecl(LocalTUDecls[i]);
543 }
544
545 if (Mgr->shouldInlineCall())
546 HandleDeclsCallGraph(LocalTUDeclsSize);
547
548 // After all decls handled, run checkers on the entire TranslationUnit.
549 checkerMgr->runCheckersOnEndOfTranslationUnit(TU, *Mgr, BR);
550
551 RecVisitorBR = nullptr;
552 }
553
554 // Explicitly destroy the PathDiagnosticConsumer. This will flush its output.
555 // FIXME: This should be replaced with something that doesn't rely on
556 // side-effects in PathDiagnosticConsumer's destructor. This is required when
557 // used with option -disable-free.
558 Mgr.reset();
559
560 if (TUTotalTimer) TUTotalTimer->stopTimer();
561
562 // Count how many basic blocks we have not covered.
563 NumBlocksInAnalyzedFunctions = FunctionSummaries.getTotalNumBasicBlocks();
564 if (NumBlocksInAnalyzedFunctions > 0)
565 PercentReachableBlocks =
566 (FunctionSummaries.getTotalNumVisitedBasicBlocks() * 100) /
567 NumBlocksInAnalyzedFunctions;
568
569 }
570
getFunctionName(const Decl * D)571 static std::string getFunctionName(const Decl *D) {
572 if (const ObjCMethodDecl *ID = dyn_cast<ObjCMethodDecl>(D)) {
573 return ID->getSelector().getAsString();
574 }
575 if (const FunctionDecl *ND = dyn_cast<FunctionDecl>(D)) {
576 IdentifierInfo *II = ND->getIdentifier();
577 if (II)
578 return II->getName();
579 }
580 return "";
581 }
582
583 AnalysisConsumer::AnalysisMode
getModeForDecl(Decl * D,AnalysisMode Mode)584 AnalysisConsumer::getModeForDecl(Decl *D, AnalysisMode Mode) {
585 if (!Opts->AnalyzeSpecificFunction.empty() &&
586 getFunctionName(D) != Opts->AnalyzeSpecificFunction)
587 return AM_None;
588
589 // Unless -analyze-all is specified, treat decls differently depending on
590 // where they came from:
591 // - Main source file: run both path-sensitive and non-path-sensitive checks.
592 // - Header files: run non-path-sensitive checks only.
593 // - System headers: don't run any checks.
594 SourceManager &SM = Ctx->getSourceManager();
595 const Stmt *Body = D->getBody();
596 SourceLocation SL = Body ? Body->getLocStart() : D->getLocation();
597 SL = SM.getExpansionLoc(SL);
598
599 if (!Opts->AnalyzeAll && !SM.isWrittenInMainFile(SL)) {
600 if (SL.isInvalid() || SM.isInSystemHeader(SL))
601 return AM_None;
602 return Mode & ~AM_Path;
603 }
604
605 return Mode;
606 }
607
HandleCode(Decl * D,AnalysisMode Mode,ExprEngine::InliningModes IMode,SetOfConstDecls * VisitedCallees)608 void AnalysisConsumer::HandleCode(Decl *D, AnalysisMode Mode,
609 ExprEngine::InliningModes IMode,
610 SetOfConstDecls *VisitedCallees) {
611 if (!D->hasBody())
612 return;
613 Mode = getModeForDecl(D, Mode);
614 if (Mode == AM_None)
615 return;
616
617 DisplayFunction(D, Mode, IMode);
618 CFG *DeclCFG = Mgr->getCFG(D);
619 if (DeclCFG) {
620 unsigned CFGSize = DeclCFG->size();
621 MaxCFGSize = MaxCFGSize < CFGSize ? CFGSize : MaxCFGSize;
622 }
623
624 // Clear the AnalysisManager of old AnalysisDeclContexts.
625 Mgr->ClearContexts();
626 BugReporter BR(*Mgr);
627
628 if (Mode & AM_Syntax)
629 checkerMgr->runCheckersOnASTBody(D, *Mgr, BR);
630 if ((Mode & AM_Path) && checkerMgr->hasPathSensitiveCheckers()) {
631 RunPathSensitiveChecks(D, IMode, VisitedCallees);
632 if (IMode != ExprEngine::Inline_Minimal)
633 NumFunctionsAnalyzed++;
634 }
635 }
636
637 //===----------------------------------------------------------------------===//
638 // Path-sensitive checking.
639 //===----------------------------------------------------------------------===//
640
ActionExprEngine(Decl * D,bool ObjCGCEnabled,ExprEngine::InliningModes IMode,SetOfConstDecls * VisitedCallees)641 void AnalysisConsumer::ActionExprEngine(Decl *D, bool ObjCGCEnabled,
642 ExprEngine::InliningModes IMode,
643 SetOfConstDecls *VisitedCallees) {
644 // Construct the analysis engine. First check if the CFG is valid.
645 // FIXME: Inter-procedural analysis will need to handle invalid CFGs.
646 if (!Mgr->getCFG(D))
647 return;
648
649 // See if the LiveVariables analysis scales.
650 if (!Mgr->getAnalysisDeclContext(D)->getAnalysis<RelaxedLiveVariables>())
651 return;
652
653 ExprEngine Eng(*Mgr, ObjCGCEnabled, VisitedCallees, &FunctionSummaries,IMode);
654
655 // Set the graph auditor.
656 std::unique_ptr<ExplodedNode::Auditor> Auditor;
657 if (Mgr->options.visualizeExplodedGraphWithUbiGraph) {
658 Auditor = CreateUbiViz();
659 ExplodedNode::SetAuditor(Auditor.get());
660 }
661
662 // Execute the worklist algorithm.
663 Eng.ExecuteWorkList(Mgr->getAnalysisDeclContextManager().getStackFrame(D),
664 Mgr->options.getMaxNodesPerTopLevelFunction());
665
666 // Release the auditor (if any) so that it doesn't monitor the graph
667 // created BugReporter.
668 ExplodedNode::SetAuditor(nullptr);
669
670 // Visualize the exploded graph.
671 if (Mgr->options.visualizeExplodedGraphWithGraphViz)
672 Eng.ViewGraph(Mgr->options.TrimGraph);
673
674 // Display warnings.
675 Eng.getBugReporter().FlushReports();
676 }
677
RunPathSensitiveChecks(Decl * D,ExprEngine::InliningModes IMode,SetOfConstDecls * Visited)678 void AnalysisConsumer::RunPathSensitiveChecks(Decl *D,
679 ExprEngine::InliningModes IMode,
680 SetOfConstDecls *Visited) {
681
682 switch (Mgr->getLangOpts().getGC()) {
683 case LangOptions::NonGC:
684 ActionExprEngine(D, false, IMode, Visited);
685 break;
686
687 case LangOptions::GCOnly:
688 ActionExprEngine(D, true, IMode, Visited);
689 break;
690
691 case LangOptions::HybridGC:
692 ActionExprEngine(D, false, IMode, Visited);
693 ActionExprEngine(D, true, IMode, Visited);
694 break;
695 }
696 }
697
698 //===----------------------------------------------------------------------===//
699 // AnalysisConsumer creation.
700 //===----------------------------------------------------------------------===//
701
702 std::unique_ptr<AnalysisASTConsumer>
CreateAnalysisConsumer(CompilerInstance & CI)703 ento::CreateAnalysisConsumer(CompilerInstance &CI) {
704 // Disable the effects of '-Werror' when using the AnalysisConsumer.
705 CI.getPreprocessor().getDiagnostics().setWarningsAsErrors(false);
706
707 AnalyzerOptionsRef analyzerOpts = CI.getAnalyzerOpts();
708 bool hasModelPath = analyzerOpts->Config.count("model-path") > 0;
709
710 return llvm::make_unique<AnalysisConsumer>(
711 CI.getPreprocessor(), CI.getFrontendOpts().OutputFile, analyzerOpts,
712 CI.getFrontendOpts().Plugins,
713 hasModelPath ? new ModelInjector(CI) : nullptr);
714 }
715
716 //===----------------------------------------------------------------------===//
717 // Ubigraph Visualization. FIXME: Move to separate file.
718 //===----------------------------------------------------------------------===//
719
720 namespace {
721
722 class UbigraphViz : public ExplodedNode::Auditor {
723 std::unique_ptr<raw_ostream> Out;
724 std::string Filename;
725 unsigned Cntr;
726
727 typedef llvm::DenseMap<void*,unsigned> VMap;
728 VMap M;
729
730 public:
731 UbigraphViz(std::unique_ptr<raw_ostream> Out, StringRef Filename);
732
733 ~UbigraphViz() override;
734
735 void AddEdge(ExplodedNode *Src, ExplodedNode *Dst) override;
736 };
737
738 } // end anonymous namespace
739
CreateUbiViz()740 static std::unique_ptr<ExplodedNode::Auditor> CreateUbiViz() {
741 SmallString<128> P;
742 int FD;
743 llvm::sys::fs::createTemporaryFile("llvm_ubi", "", FD, P);
744 llvm::errs() << "Writing '" << P << "'.\n";
745
746 auto Stream = llvm::make_unique<llvm::raw_fd_ostream>(FD, true);
747
748 return llvm::make_unique<UbigraphViz>(std::move(Stream), P);
749 }
750
AddEdge(ExplodedNode * Src,ExplodedNode * Dst)751 void UbigraphViz::AddEdge(ExplodedNode *Src, ExplodedNode *Dst) {
752
753 assert (Src != Dst && "Self-edges are not allowed.");
754
755 // Lookup the Src. If it is a new node, it's a root.
756 VMap::iterator SrcI= M.find(Src);
757 unsigned SrcID;
758
759 if (SrcI == M.end()) {
760 M[Src] = SrcID = Cntr++;
761 *Out << "('vertex', " << SrcID << ", ('color','#00ff00'))\n";
762 }
763 else
764 SrcID = SrcI->second;
765
766 // Lookup the Dst.
767 VMap::iterator DstI= M.find(Dst);
768 unsigned DstID;
769
770 if (DstI == M.end()) {
771 M[Dst] = DstID = Cntr++;
772 *Out << "('vertex', " << DstID << ")\n";
773 }
774 else {
775 // We have hit DstID before. Change its style to reflect a cache hit.
776 DstID = DstI->second;
777 *Out << "('change_vertex_style', " << DstID << ", 1)\n";
778 }
779
780 // Add the edge.
781 *Out << "('edge', " << SrcID << ", " << DstID
782 << ", ('arrow','true'), ('oriented', 'true'))\n";
783 }
784
UbigraphViz(std::unique_ptr<raw_ostream> OutStream,StringRef Filename)785 UbigraphViz::UbigraphViz(std::unique_ptr<raw_ostream> OutStream,
786 StringRef Filename)
787 : Out(std::move(OutStream)), Filename(Filename), Cntr(0) {
788
789 *Out << "('vertex_style_attribute', 0, ('shape', 'icosahedron'))\n";
790 *Out << "('vertex_style', 1, 0, ('shape', 'sphere'), ('color', '#ffcc66'),"
791 " ('size', '1.5'))\n";
792 }
793
~UbigraphViz()794 UbigraphViz::~UbigraphViz() {
795 Out.reset();
796 llvm::errs() << "Running 'ubiviz' program... ";
797 std::string ErrMsg;
798 std::string Ubiviz;
799 if (auto Path = llvm::sys::findProgramByName("ubiviz"))
800 Ubiviz = *Path;
801 const char *args[] = {Ubiviz.c_str(), Filename.c_str(), nullptr};
802
803 if (llvm::sys::ExecuteAndWait(Ubiviz, &args[0], nullptr, nullptr, 0, 0,
804 &ErrMsg)) {
805 llvm::errs() << "Error viewing graph: " << ErrMsg << "\n";
806 }
807
808 // Delete the file.
809 llvm::sys::fs::remove(Filename);
810 }
811