EIC code displayed by LXR master/​include/​clang/​StaticAnalyzer/​Core/​BugReporter/​BugReporterVisitors.h	Source navigation Diff markup Identifier search General search
	Version: master test Revert   Change

File indexing completed on 2026-05-10 08:37:07

 //===- BugReporterVisitors.h - Generate PathDiagnostics ---------*- C++ -*-===//
 //
 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
 // See https://llvm.org/LICENSE.txt for license information.
 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
 //
 //===----------------------------------------------------------------------===//
 //
 //  This file declares BugReporterVisitors, which are used to generate enhanced
 //  diagnostic traces.
 //
 //===----------------------------------------------------------------------===//
 
 #ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
 #define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H
 
 #include "clang/Analysis/ProgramPoint.h"
 #include "clang/Basic/LLVM.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"
 #include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"
 #include "llvm/ADT/FoldingSet.h"
 #include "llvm/ADT/IntrusiveRefCntPtr.h"
 #include "llvm/ADT/STLExtras.h"
 #include "llvm/ADT/SmallPtrSet.h"
 #include "llvm/ADT/StringRef.h"
 #include <list>
 #include <memory>
 #include <optional>
 #include <utility>
 
 namespace clang {
 
 class BinaryOperator;
 class CFGBlock;
 class DeclRefExpr;
 class Expr;
 class Stmt;
 
 namespace ento {
 
 class PathSensitiveBugReport;
 class BugReporterContext;
 class ExplodedNode;
 class MemRegion;
 class PathDiagnosticPiece;
 using PathDiagnosticPieceRef = std::shared_ptr<PathDiagnosticPiece>;
 
 /// BugReporterVisitors are used to add custom diagnostics along a path.
 class BugReporterVisitor : public llvm::FoldingSetNode {
 public:
   BugReporterVisitor() = default;
   BugReporterVisitor(const BugReporterVisitor &) = default;
   BugReporterVisitor(BugReporterVisitor &&) {}
 
   // The copy and move assignment operator is defined as deleted pending further
   // motivation.
   BugReporterVisitor &operator=(const BugReporterVisitor &) = delete;
   BugReporterVisitor &operator=(BugReporterVisitor &&) = delete;
 
   virtual ~BugReporterVisitor();
 
   /// Return a diagnostic piece which should be associated with the
   /// given node.
   /// Note that this function does *not* get run on the very last node
   /// of the report, as the PathDiagnosticPiece associated with the
   /// last node should be unique.
   /// Use \ref getEndPath to customize the note associated with the report
   /// end instead.
   ///
   /// The last parameter can be used to register a new visitor with the given
   /// BugReport while processing a node.
   virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
                                            BugReporterContext &BRC,
                                            PathSensitiveBugReport &BR) = 0;
 
   /// Last function called on the visitor, no further calls to VisitNode
   /// would follow.
   virtual void finalizeVisitor(BugReporterContext &BRC,
                                const ExplodedNode *EndPathNode,
                                PathSensitiveBugReport &BR);
 
   /// Provide custom definition for the final diagnostic piece on the
   /// path - the piece, which is displayed before the path is expanded.
   ///
   /// NOTE that this function can be implemented on at most one used visitor,
   /// and otherwise it crahes at runtime.
   virtual PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,
                                             const ExplodedNode *N,
                                             PathSensitiveBugReport &BR);
 
   virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0;
 
   /// Generates the default final diagnostic piece.
   static PathDiagnosticPieceRef
   getDefaultEndPath(const BugReporterContext &BRC, const ExplodedNode *N,
                     const PathSensitiveBugReport &BR);
 };
 
 namespace bugreporter {
 
 /// Specifies the type of tracking for an expression.
 enum class TrackingKind {
   /// Default tracking kind -- specifies that as much information should be
   /// gathered about the tracked expression value as possible.
   Thorough,
   /// Specifies that a more moderate tracking should be used for the expression
   /// value. This will essentially make sure that functions relevant to it
   /// aren't pruned, but otherwise relies on the user reading the code or
   /// following the arrows.
   Condition
 };
 
 /// Defines a set of options altering tracking behavior.
 struct TrackingOptions {
   /// Specifies the kind of tracking.
   TrackingKind Kind = TrackingKind::Thorough;
   /// Specifies whether we should employ false positive suppression
   /// (inlined defensive checks, returned null).
   bool EnableNullFPSuppression = true;
 };
 
 /// Describes an event when the value got stored into a memory region.
 ///
 /// As opposed to checker checkBind API, it reacts also to binds
 /// generated by the checker as well.  It can be useful when the binding
 /// happened as a result of evalCall, for example.
 struct StoreInfo {
   enum Kind {
     /// The value got stored into the region during initialization:
     ///   int x = 42;
     Initialization,
     /// The value got stored into the region during assignment:
     ///   int x;
     ///   x = 42;
     Assignment,
     /// The value got stored into the parameter region as the result
     /// of a call.
     CallArgument,
     /// The value got stored into the region as block capture.
     /// Block data is modeled as a separate region, thus whenever
     /// the analyzer sees a captured variable, its value is copied
     /// into a special block region.
     BlockCapture
   };
 
   /// The type of store operation.
   Kind StoreKind;
   /// The node where the store happened.
   const ExplodedNode *StoreSite;
   /// The expression where the value comes from.
   /// NOTE: might be null.
   const Expr *SourceOfTheValue;
   /// Symbolic value that is being stored.
   SVal Value;
   /// Memory regions involved in the store operation.
   ///   Dest <- Origin
   /// NOTE: Origin might be null, when the stored value doesn't come
   ///       from another region.
   const MemRegion *Dest, *Origin;
 };
 
 class Tracker;
 using TrackerRef = llvm::IntrusiveRefCntPtr<Tracker>;
 
 class ExpressionHandler;
 class StoreHandler;
 
 /// A generalized component for tracking expressions, values, and stores.
 ///
 /// Tracker aimes at providing a sensible set of default behaviors that can be
 /// used by any checker, while providing mechanisms to hook into any part of the
 /// tracking process and insert checker-specific logic.
 class Tracker : public llvm::RefCountedBase<Tracker> {
 private:
   using ExpressionHandlerPtr = std::unique_ptr<ExpressionHandler>;
   using StoreHandlerPtr = std::unique_ptr<StoreHandler>;
 
   PathSensitiveBugReport &Report;
   std::list<ExpressionHandlerPtr> ExpressionHandlers;
   std::list<StoreHandlerPtr> StoreHandlers;
 
 protected:
   /// \param Report The bug report to which visitors should be attached.
   Tracker(PathSensitiveBugReport &Report);
 
 public:
   virtual ~Tracker() = default;
 
   static TrackerRef create(PathSensitiveBugReport &Report) {
     return new Tracker(Report);
   }
 
   PathSensitiveBugReport &getReport() { return Report; }
 
   /// Describes a tracking result with the most basic information of what was
   /// actually done (or not done).
   struct Result {
     /// Usually it means that the tracker added visitors.
     bool FoundSomethingToTrack = false;
     /// Signifies that the tracking was interrupted at some point.
     /// Usually this information is important only for sub-trackers.
     bool WasInterrupted = false;
 
     /// Combines the current result with the given result.
     void combineWith(const Result &Other) {
       // If we found something in one of the cases, we can
       // say we found something overall.
       FoundSomethingToTrack |= Other.FoundSomethingToTrack;
       // The same goes to the interruption.
       WasInterrupted |= Other.WasInterrupted;
     }
   };
 
   /// Track expression value back to its point of origin.
   ///
   /// \param E The expression value which we are tracking
   /// \param N A node "downstream" from the evaluation of the statement.
   /// \param Opts Tracking options specifying how we want to track the value.
   virtual Result track(const Expr *E, const ExplodedNode *N,
                        TrackingOptions Opts = {});
 
   /// Track how the value got stored into the given region and where it came
   /// from.
   ///
   /// \param V We're searching for the store where \c R received this value.
   /// \param R The region we're tracking.
   /// \param Opts Tracking options specifying how we want to track the value.
   /// \param Origin Only adds notes when the last store happened in a
   ///        different stackframe to this one. Disregarded if the tracking kind
   ///        is thorough.
   ///        This is useful, because for non-tracked regions, notes about
   ///        changes to its value in a nested stackframe could be pruned, and
   ///        this visitor can prevent that without polluting the bugpath too
   ///        much.
   virtual Result track(SVal V, const MemRegion *R, TrackingOptions Opts = {},
                        const StackFrameContext *Origin = nullptr);
 
   /// Handle the store operation and produce the note.
   ///
   /// \param SI The information fully describing the store.
   /// \param Opts Tracking options specifying how we got to it.
   ///
   /// NOTE: this method is designed for sub-trackers and visitors.
   virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC,
                                         TrackingOptions Opts);
 
   /// Add custom expression handler with the highest priority.
   ///
   /// It means that it will be asked for handling first, and can prevent
   /// other handlers from running if decides to interrupt.
   void addHighPriorityHandler(ExpressionHandlerPtr SH) {
     ExpressionHandlers.push_front(std::move(SH));
   }
 
   /// Add custom expression handler with the lowest priority.
   ///
   /// It means that it will be asked for handling last, and other handlers can
   /// prevent it from running if any of them decides to interrupt.
   void addLowPriorityHandler(ExpressionHandlerPtr SH) {
     ExpressionHandlers.push_back(std::move(SH));
   }
 
   /// Add custom store handler with the highest priority.
   ///
   /// It means that it will be asked for handling first, and will prevent
   /// other handlers from running if it produces non-null note.
   void addHighPriorityHandler(StoreHandlerPtr SH) {
     StoreHandlers.push_front(std::move(SH));
   }
 
   /// Add custom store handler with the lowest priority.
   ///
   /// It means that it will be asked for handling last, only
   /// if all other handlers failed to produce the note.
   void addLowPriorityHandler(StoreHandlerPtr SH) {
     StoreHandlers.push_back(std::move(SH));
   }
 
   /// Add custom expression/store handler with the highest priority
   ///
   /// See other overloads for explanation.
   template <class HandlerType, class... Args>
   void addHighPriorityHandler(Args &&... ConstructorArgs) {
     addHighPriorityHandler(std::make_unique<HandlerType>(
         *this, std::forward<Args>(ConstructorArgs)...));
   }
 
   /// Add custom expression/store handler with the lowest priority
   ///
   /// See other overloads for explanation.
   template <class HandlerType, class... Args>
   void addLowPriorityHandler(Args &&... ConstructorArgs) {
     addLowPriorityHandler(std::make_unique<HandlerType>(
         *this, std::forward<Args>(ConstructorArgs)...));
   }
 };
 
 /// Handles expressions during the tracking.
 class ExpressionHandler {
 private:
   Tracker &ParentTracker;
 
 public:
   ExpressionHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {}
   virtual ~ExpressionHandler() {}
 
   /// Handle the given expression from the given node.
   ///
   /// \param E The expression value which we are tracking
   /// \param Original A node "downstream" where the tracking started.
   /// \param ExprNode A node where the evaluation of \c E actually happens.
   /// \param Opts Tracking options specifying how we are tracking the value.
   virtual Tracker::Result handle(const Expr *E, const ExplodedNode *Original,
                                  const ExplodedNode *ExprNode,
                                  TrackingOptions Opts) = 0;
 
   /// \Return the tracker that initiated the process.
   Tracker &getParentTracker() { return ParentTracker; }
 };
 
 /// Handles stores during the tracking.
 class StoreHandler {
 private:
   Tracker &ParentTracker;
 
 public:
   StoreHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {}
   virtual ~StoreHandler() {}
 
   /// Handle the given store and produce the node.
   ///
   /// \param SI The information fully describing the store.
   /// \param Opts Tracking options specifying how we are tracking the value.
   ///
   /// \return the produced note, null if the handler doesn't support this kind
   ///         of stores.
   virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC,
                                         TrackingOptions Opts) = 0;
 
   Tracker &getParentTracker() { return ParentTracker; }
 
 protected:
   PathDiagnosticPieceRef constructNote(StoreInfo SI, BugReporterContext &BRC,
                                        StringRef NodeText);
 };
 
 /// Visitor that tracks expressions and values.
 class TrackingBugReporterVisitor : public BugReporterVisitor {
 private:
   TrackerRef ParentTracker;
 
 public:
   TrackingBugReporterVisitor(TrackerRef ParentTracker)
       : ParentTracker(ParentTracker) {}
 
   Tracker &getParentTracker() { return *ParentTracker; }
 };
 
 /// Attempts to add visitors to track expression value back to its point of
 /// origin.
 ///
 /// \param N A node "downstream" from the evaluation of the statement.
 /// \param E The expression value which we are tracking
 /// \param R The bug report to which visitors should be attached.
 /// \param Opts Tracking options specifying how we are tracking the value.
 ///
 /// \return Whether or not the function was able to add visitors for this
 ///         statement. Note that returning \c true does not actually imply
 ///         that any visitors were added.
 bool trackExpressionValue(const ExplodedNode *N, const Expr *E,
                           PathSensitiveBugReport &R, TrackingOptions Opts = {});
 
 /// Track how the value got stored into the given region and where it came
 /// from.
 ///
 /// \param V We're searching for the store where \c R received this value.
 ///        It may be either defined or undefined, but should not be unknown.
 /// \param R The region we're tracking.
 /// \param Opts Tracking options specifying how we want to track the value.
 /// \param Origin Only adds notes when the last store happened in a
 ///        different stackframe to this one. Disregarded if the tracking kind
 ///        is thorough.
 ///        This is useful, because for non-tracked regions, notes about
 ///        changes to its value in a nested stackframe could be pruned, and
 ///        this visitor can prevent that without polluting the bugpath too
 ///        much.
 void trackStoredValue(SVal V, const MemRegion *R,
                       PathSensitiveBugReport &Report, TrackingOptions Opts = {},
                       const StackFrameContext *Origin = nullptr);
 
 const Expr *getDerefExpr(const Stmt *S);
 
 } // namespace bugreporter
 
 class TrackConstraintBRVisitor final : public BugReporterVisitor {
   const SmallString<64> Message;
   const DefinedSVal Constraint;
   const bool Assumption;
   bool IsSatisfied = false;
 
   /// We should start tracking from the last node along the path in which the
   /// value is constrained.
   bool IsTrackingTurnedOn = false;
 
 public:
   TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption,
                            StringRef Message)
       : Message(Message), Constraint(constraint), Assumption(assumption) {}
 
   void Profile(llvm::FoldingSetNodeID &ID) const override;
 
   /// Return the tag associated with this visitor.  This tag will be used
   /// to make all PathDiagnosticPieces created by this visitor.
   static const char *getTag();
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                    BugReporterContext &BRC,
                                    PathSensitiveBugReport &BR) override;
 
 private:
   /// Checks if the constraint refers to a null-location.
   bool isZeroCheck() const;
 
   /// Checks if the constraint is valid in the current state.
   bool isUnderconstrained(const ExplodedNode *N) const;
 };
 
 /// \class NilReceiverBRVisitor
 /// Prints path notes when a message is sent to a nil receiver.
 class NilReceiverBRVisitor final : public BugReporterVisitor {
 public:
   void Profile(llvm::FoldingSetNodeID &ID) const override {
     static int x = 0;
     ID.AddPointer(&x);
   }
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                    BugReporterContext &BRC,
                                    PathSensitiveBugReport &BR) override;
 
   /// If the statement is a message send expression with nil receiver, returns
   /// the receiver expression. Returns NULL otherwise.
   static const Expr *getNilReceiver(const Stmt *S, const ExplodedNode *N);
 };
 
 /// Visitor that tries to report interesting diagnostics from conditions.
 class ConditionBRVisitor final : public BugReporterVisitor {
   // FIXME: constexpr initialization isn't supported by MSVC2013.
   constexpr static llvm::StringLiteral GenericTrueMessage =
       "Assuming the condition is true";
   constexpr static llvm::StringLiteral GenericFalseMessage =
       "Assuming the condition is false";
 
 public:
   void Profile(llvm::FoldingSetNodeID &ID) const override {
     static int x = 0;
     ID.AddPointer(&x);
   }
 
   /// Return the tag associated with this visitor.  This tag will be used
   /// to make all PathDiagnosticPieces created by this visitor.
   static const char *getTag();
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                    BugReporterContext &BRC,
                                    PathSensitiveBugReport &BR) override;
 
   PathDiagnosticPieceRef VisitNodeImpl(const ExplodedNode *N,
                                        BugReporterContext &BRC,
                                        PathSensitiveBugReport &BR);
 
   PathDiagnosticPieceRef
   VisitTerminator(const Stmt *Term, const ExplodedNode *N,
                   const CFGBlock *SrcBlk, const CFGBlock *DstBlk,
                   PathSensitiveBugReport &R, BugReporterContext &BRC);
 
   PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond,
                                        BugReporterContext &BRC,
                                        PathSensitiveBugReport &R,
                                        const ExplodedNode *N, bool TookTrue);
 
   PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR,
                                        BugReporterContext &BRC,
                                        PathSensitiveBugReport &R,
                                        const ExplodedNode *N, bool TookTrue,
                                        bool IsAssuming);
 
   PathDiagnosticPieceRef
   VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr,
                 BugReporterContext &BRC, PathSensitiveBugReport &R,
                 const ExplodedNode *N, bool TookTrue, bool IsAssuming);
 
   PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const MemberExpr *ME,
                                        BugReporterContext &BRC,
                                        PathSensitiveBugReport &R,
                                        const ExplodedNode *N, bool TookTrue,
                                        bool IsAssuming);
 
   PathDiagnosticPieceRef
   VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr,
                          BugReporterContext &BRC, PathSensitiveBugReport &R,
                          const ExplodedNode *N, bool TookTrue);
 
   /// Tries to print the value of the given expression.
   ///
   /// \param CondVarExpr The expression to print its value.
   /// \param Out The stream to print.
   /// \param N The node where we encountered the condition.
   /// \param TookTrue Whether we took the \c true branch of the condition.
   ///
   /// \return Whether the print was successful. (The printing is successful if
   ///         we model the value and we could obtain it.)
   bool printValue(const Expr *CondVarExpr, raw_ostream &Out,
                   const ExplodedNode *N, bool TookTrue, bool IsAssuming);
 
   bool patternMatch(const Expr *Ex, const Expr *ParentEx, raw_ostream &Out,
                     BugReporterContext &BRC, PathSensitiveBugReport &R,
                     const ExplodedNode *N, std::optional<bool> &prunable,
                     bool IsSameFieldName);
 
   static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece);
 };
 
 /// Suppress reports that might lead to known false positives.
 ///
 /// Currently this suppresses reports based on locations of bugs.
 class LikelyFalsePositiveSuppressionBRVisitor final
     : public BugReporterVisitor {
 public:
   static void *getTag() {
     static int Tag = 0;
     return static_cast<void *>(&Tag);
   }
 
   void Profile(llvm::FoldingSetNodeID &ID) const override {
     ID.AddPointer(getTag());
   }
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *, BugReporterContext &,
                                    PathSensitiveBugReport &) override {
     return nullptr;
   }
 
   void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N,
                        PathSensitiveBugReport &BR) override;
 };
 
 /// When a region containing undefined value or '0' value is passed
 /// as an argument in a call, marks the call as interesting.
 ///
 /// As a result, BugReporter will not prune the path through the function even
 /// if the region's contents are not modified/accessed by the call.
 class UndefOrNullArgVisitor final : public BugReporterVisitor {
   /// The interesting memory region this visitor is tracking.
   const MemRegion *R;
 
 public:
   UndefOrNullArgVisitor(const MemRegion *InR) : R(InR) {}
 
   void Profile(llvm::FoldingSetNodeID &ID) const override {
     static int Tag = 0;
     ID.AddPointer(&Tag);
     ID.AddPointer(R);
   }
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                    BugReporterContext &BRC,
                                    PathSensitiveBugReport &BR) override;
 };
 
 class SuppressInlineDefensiveChecksVisitor final : public BugReporterVisitor {
   /// The symbolic value for which we are tracking constraints.
   /// This value is constrained to null in the end of path.
   DefinedSVal V;
 
   /// Track if we found the node where the constraint was first added.
   bool IsSatisfied = false;
 
   /// Since the visitors can be registered on nodes previous to the last
   /// node in the BugReport, but the path traversal always starts with the last
   /// node, the visitor invariant (that we start with a node in which V is null)
   /// might not hold when node visitation starts. We are going to start tracking
   /// from the last node in which the value is null.
   bool IsTrackingTurnedOn = false;
 
 public:
   SuppressInlineDefensiveChecksVisitor(DefinedSVal Val, const ExplodedNode *N);
 
   void Profile(llvm::FoldingSetNodeID &ID) const override;
 
   /// Return the tag associated with this visitor.  This tag will be used
   /// to make all PathDiagnosticPieces created by this visitor.
   static const char *getTag();
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,
                                    BugReporterContext &BRC,
                                    PathSensitiveBugReport &BR) override;
 };
 
 /// The visitor detects NoteTags and displays the event notes they contain.
 class TagVisitor : public BugReporterVisitor {
 public:
   void Profile(llvm::FoldingSetNodeID &ID) const override;
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                    BugReporterContext &BRC,
                                    PathSensitiveBugReport &R) override;
 };
 
 class ObjCMethodCall;
 class CXXConstructorCall;
 
 /// Put a diagnostic on return statement (or on } in its absence) of all inlined
 /// functions for which some property remained unchanged.
 /// Resulting diagnostics may read such as "Returning without writing to X".
 ///
 /// Descendants can define what a "state change is", like a change of value
 /// to a memory region, liveness, etc. For function calls where the state did
 /// not change as defined, a custom note may be constructed.
 ///
 /// For a minimal example, check out
 /// clang/unittests/StaticAnalyzer/NoStateChangeFuncVisitorTest.cpp.
 class NoStateChangeFuncVisitor : public BugReporterVisitor {
 private:
   /// Frames modifying the state as defined in \c wasModifiedBeforeCallExit.
   /// This visitor generates a note only if a function does *not* change the
   /// state that way. This information is not immediately available
   /// by looking at the node associated with the exit from the function
   /// (usually the return statement). To avoid recomputing the same information
   /// many times (going up the path for each node and checking whether the
   /// region was written into) we instead lazily compute the stack frames
   /// along the path.
   // TODO: Can't we just use a map instead? This is likely not as cheap as it
   // makes the code difficult to read.
   llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifying;
   llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;
 
   /// Check and lazily calculate whether the state is modified in the stack
   /// frame to which \p CallExitBeginN belongs.
   /// The calculation is cached in FramesModifying.
   bool isModifiedInFrame(const ExplodedNode *CallExitBeginN);
 
   void markFrameAsModifying(const StackFrameContext *SCtx);
 
   /// Write to \c FramesModifying all stack frames along the path in the current
   /// stack frame which modifies the state.
   void findModifyingFrames(const ExplodedNode *const CallExitBeginN);
 
 protected:
   bugreporter::TrackingKind TKind;
 
   /// \return Whether the state was modified from the current node, \p CurrN, to
   /// the end of the stack frame, at \p CallExitBeginN. \p CurrN and
   /// \p CallExitBeginN are always in the same stack frame.
   /// Clients should override this callback when a state change is important
   /// not only on the entire function call, but inside of it as well.
   /// Example: we may want to leave a note about the lack of locking/unlocking
   /// on a particular mutex, but not if inside the function its state was
   /// changed, but also restored. wasModifiedInFunction() wouldn't know of this
   /// change.
   virtual bool wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
                                          const ExplodedNode *CallExitBeginN) {
     return false;
   }
 
   /// \return Whether the state was modified in the inlined function call in
   /// between \p CallEnterN and \p CallExitEndN. Mind that the stack frame
   /// retrieved from a CallEnterN and CallExitEndN is the *caller's* stack
   /// frame! The inlined function's stack should be retrieved from either the
   /// immediate successor to \p CallEnterN or immediate predecessor to
   /// \p CallExitEndN.
   /// Clients should override this function if a state changes local to the
   /// inlined function are not interesting, only the change occuring as a
   /// result of it.
   /// Example: we want to leave a not about a leaked resource object not being
   /// deallocated / its ownership changed inside a function, and we don't care
   /// if it was assigned to a local variable (its change in ownership is
   /// inconsequential).
   virtual bool wasModifiedInFunction(const ExplodedNode *CallEnterN,
                                      const ExplodedNode *CallExitEndN) {
     return false;
   }
 
   /// Consume the information on the non-modifying stack frame in order to
   /// either emit a note or not. May suppress the report entirely.
   /// \return Diagnostics piece for the unmodified state in the current
   /// function, if it decides to emit one. A good description might start with
   /// "Returning without...".
   virtual PathDiagnosticPieceRef
   maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
                            const ObjCMethodCall &Call,
                            const ExplodedNode *N) = 0;
 
   /// Consume the information on the non-modifying stack frame in order to
   /// either emit a note or not. May suppress the report entirely.
   /// \return Diagnostics piece for the unmodified state in the current
   /// function, if it decides to emit one. A good description might start with
   /// "Returning without...".
   virtual PathDiagnosticPieceRef
   maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
                           const CXXConstructorCall &Call,
                           const ExplodedNode *N) = 0;
 
   /// Consume the information on the non-modifying stack frame in order to
   /// either emit a note or not. May suppress the report entirely.
   /// \return Diagnostics piece for the unmodified state in the current
   /// function, if it decides to emit one. A good description might start with
   /// "Returning without...".
   virtual PathDiagnosticPieceRef
   maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
                              const ExplodedNode *N) = 0;
 
 public:
   NoStateChangeFuncVisitor(bugreporter::TrackingKind TKind) : TKind(TKind) {}
 
   PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,
                                    BugReporterContext &BR,
                                    PathSensitiveBugReport &R) final;
 };
 
 /// Put a diagnostic on return statement of all inlined functions
 /// for which  the region of interest \p RegionOfInterest was passed into,
 /// but not written inside, and it has caused an undefined read or a null
 /// pointer dereference outside.
 class NoStoreFuncVisitor final : public NoStateChangeFuncVisitor {
   const SubRegion *RegionOfInterest;
   MemRegionManager &MmrMgr;
   const SourceManager &SM;
   const PrintingPolicy &PP;
 
   /// Recursion limit for dereferencing fields when looking for the
   /// region of interest.
   /// The limit of two indicates that we will dereference fields only once.
   static const unsigned DEREFERENCE_LIMIT = 2;
 
   using RegionVector = SmallVector<const MemRegion *, 5>;
 
 public:
   NoStoreFuncVisitor(
       const SubRegion *R,
       bugreporter::TrackingKind TKind = bugreporter::TrackingKind::Thorough)
       : NoStateChangeFuncVisitor(TKind), RegionOfInterest(R),
         MmrMgr(R->getMemRegionManager()),
         SM(MmrMgr.getContext().getSourceManager()),
         PP(MmrMgr.getContext().getPrintingPolicy()) {}
 
   void Profile(llvm::FoldingSetNodeID &ID) const override {
     static int Tag = 0;
     ID.AddPointer(&Tag);
     ID.AddPointer(RegionOfInterest);
   }
 
 private:
   /// \return Whether \c RegionOfInterest was modified at \p CurrN compared to
   /// the value it holds in \p CallExitBeginN.
   bool wasModifiedBeforeCallExit(const ExplodedNode *CurrN,
                                  const ExplodedNode *CallExitBeginN) override;
 
   /// Attempts to find the region of interest in a given record decl,
   /// by either following the base classes or fields.
   /// Dereferences fields up to a given recursion limit.
   /// Note that \p Vec is passed by value, leading to quadratic copying cost,
   /// but it's OK in practice since its length is limited to DEREFERENCE_LIMIT.
   /// \return A chain fields leading to the region of interest or std::nullopt.
   const std::optional<RegionVector>
   findRegionOfInterestInRecord(const RecordDecl *RD, ProgramStateRef State,
                                const MemRegion *R, const RegionVector &Vec = {},
                                int depth = 0);
 
   // Region of interest corresponds to an IVar, exiting a method
   // which could have written into that IVar, but did not.
   PathDiagnosticPieceRef maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,
                                                   const ObjCMethodCall &Call,
                                                   const ExplodedNode *N) final;
 
   PathDiagnosticPieceRef maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,
                                                  const CXXConstructorCall &Call,
                                                  const ExplodedNode *N) final;
 
   PathDiagnosticPieceRef
   maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,
                              const ExplodedNode *N) final;
 
   /// Consume the information on the no-store stack frame in order to
   /// either emit a note or suppress the report entirely.
   /// \return Diagnostics piece for region not modified in the current function,
   /// if it decides to emit one.
   PathDiagnosticPieceRef
   maybeEmitNote(PathSensitiveBugReport &R, const CallEvent &Call,
                 const ExplodedNode *N, const RegionVector &FieldChain,
                 const MemRegion *MatchedRegion, StringRef FirstElement,
                 bool FirstIsReferenceType, unsigned IndirectionLevel);
 
   bool prettyPrintRegionName(const RegionVector &FieldChain,
                              const MemRegion *MatchedRegion,
                              StringRef FirstElement, bool FirstIsReferenceType,
                              unsigned IndirectionLevel,
                              llvm::raw_svector_ostream &os);
 
   StringRef prettyPrintFirstElement(StringRef FirstElement,
                                     bool MoreItemsExpected,
                                     int IndirectionLevel,
                                     llvm::raw_svector_ostream &os);
 };
 
 } // namespace ento
 } // namespace clang
 
 #endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H

This page was automatically generated by the 2.3.7 LXR engine. The LXR team