Subversion Repositories QNX 8.QNX8 LLVM/Clang compiler suite

//===- BugReporterVisitors.h - Generate PathDiagnostics ---------*- C++ -*-===//

//

// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.

// See https://llvm.org/LICENSE.txt for license information.

// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception

//

//===----------------------------------------------------------------------===//

//

//  This file declares BugReporterVisitors, which are used to generate enhanced

//  diagnostic traces.

//

//===----------------------------------------------------------------------===//

#ifndef LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H

#define LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H

#include "clang/Analysis/ProgramPoint.h"

#include "clang/Basic/LLVM.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/RangedConstraintManager.h"

#include "clang/StaticAnalyzer/Core/PathSensitive/SVals.h"

#include "llvm/ADT/FoldingSet.h"

#include "llvm/ADT/IntrusiveRefCntPtr.h"

#include "llvm/ADT/STLExtras.h"

#include "llvm/ADT/SmallPtrSet.h"

#include "llvm/ADT/StringRef.h"

#include <list>

#include <memory>

#include <optional>

#include <utility>

namespace clang {

class BinaryOperator;

class CFGBlock;

class DeclRefExpr;

class Expr;

class Stmt;

namespace ento {

class PathSensitiveBugReport;

class BugReporterContext;

class ExplodedNode;

class MemRegion;

class PathDiagnosticPiece;

using PathDiagnosticPieceRef = std::shared_ptr<PathDiagnosticPiece>;

/// BugReporterVisitors are used to add custom diagnostics along a path.

class BugReporterVisitor : public llvm::FoldingSetNode {

public:

  BugReporterVisitor() = default;

  BugReporterVisitor(const BugReporterVisitor &) = default;

  BugReporterVisitor(BugReporterVisitor &&) {}

  virtual ~BugReporterVisitor();

  /// Return a diagnostic piece which should be associated with the

  /// given node.

  /// Note that this function does *not* get run on the very last node

  /// of the report, as the PathDiagnosticPiece associated with the

  /// last node should be unique.

  /// Use \ref getEndPath to customize the note associated with the report

  /// end instead.

  ///

  /// The last parameter can be used to register a new visitor with the given

  /// BugReport while processing a node.

  virtual PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,

                                           BugReporterContext &BRC,

                                           PathSensitiveBugReport &BR) = 0;

  /// Last function called on the visitor, no further calls to VisitNode

  /// would follow.

  virtual void finalizeVisitor(BugReporterContext &BRC,

                               const ExplodedNode *EndPathNode,

                               PathSensitiveBugReport &BR);

  /// Provide custom definition for the final diagnostic piece on the

  /// path - the piece, which is displayed before the path is expanded.

  ///

  /// NOTE that this function can be implemented on at most one used visitor,

  /// and otherwise it crahes at runtime.

  virtual PathDiagnosticPieceRef getEndPath(BugReporterContext &BRC,

                                            const ExplodedNode *N,

                                            PathSensitiveBugReport &BR);

  virtual void Profile(llvm::FoldingSetNodeID &ID) const = 0;

  /// Generates the default final diagnostic piece.

  static PathDiagnosticPieceRef

  getDefaultEndPath(const BugReporterContext &BRC, const ExplodedNode *N,

                    const PathSensitiveBugReport &BR);

};

namespace bugreporter {

/// Specifies the type of tracking for an expression.

enum class TrackingKind {

  /// Default tracking kind -- specifies that as much information should be

  /// gathered about the tracked expression value as possible.

  Thorough,

  /// Specifies that a more moderate tracking should be used for the expression

  /// value. This will essentially make sure that functions relevant to it

  /// aren't pruned, but otherwise relies on the user reading the code or

  /// following the arrows.

  Condition

};

/// Defines a set of options altering tracking behavior.

struct TrackingOptions {

  /// Specifies the kind of tracking.

  TrackingKind Kind = TrackingKind::Thorough;

  /// Specifies whether we should employ false positive suppression

  /// (inlined defensive checks, returned null).

  bool EnableNullFPSuppression = true;

};

/// Describes an event when the value got stored into a memory region.

///

/// As opposed to checker checkBind API, it reacts also to binds

/// generated by the checker as well.  It can be useful when the binding

/// happened as a result of evalCall, for example.

struct StoreInfo {

  enum Kind {

    /// The value got stored into the region during initialization:

    ///   int x = 42;

    Initialization,

    /// The value got stored into the region during assignment:

    ///   int x;

    ///   x = 42;

    Assignment,

    /// The value got stored into the parameter region as the result

    /// of a call.

    CallArgument,

    /// The value got stored into the region as block capture.

    /// Block data is modeled as a separate region, thus whenever

    /// the analyzer sees a captured variable, its value is copied

    /// into a special block region.

    BlockCapture

  };

  /// The type of store operation.

  Kind StoreKind;

  /// The node where the store happened.

  const ExplodedNode *StoreSite;

  /// The expression where the value comes from.

  /// NOTE: might be null.

  const Expr *SourceOfTheValue;

  /// Symbolic value that is being stored.

  SVal Value;

  /// Memory regions involved in the store operation.

  ///   Dest <- Origin

  /// NOTE: Origin might be null, when the stored value doesn't come

  ///       from another region.

  const MemRegion *Dest, *Origin;

};

class Tracker;

using TrackerRef = llvm::IntrusiveRefCntPtr<Tracker>;

class ExpressionHandler;

class StoreHandler;

/// A generalized component for tracking expressions, values, and stores.

///

/// Tracker aimes at providing a sensible set of default behaviors that can be

/// used by any checker, while providing mechanisms to hook into any part of the

/// tracking process and insert checker-specific logic.

class Tracker : public llvm::RefCountedBase<Tracker> {

private:

  using ExpressionHandlerPtr = std::unique_ptr<ExpressionHandler>;

  using StoreHandlerPtr = std::unique_ptr<StoreHandler>;

  PathSensitiveBugReport &Report;

  std::list<ExpressionHandlerPtr> ExpressionHandlers;

  std::list<StoreHandlerPtr> StoreHandlers;

protected:

  /// \param Report The bug report to which visitors should be attached.

  Tracker(PathSensitiveBugReport &Report);

public:

  virtual ~Tracker() = default;

  static TrackerRef create(PathSensitiveBugReport &Report) {

    return new Tracker(Report);

  }

  PathSensitiveBugReport &getReport() { return Report; }

  /// Describes a tracking result with the most basic information of what was

  /// actually done (or not done).

  struct Result {

    /// Usually it means that the tracker added visitors.

    bool FoundSomethingToTrack = false;

    /// Signifies that the tracking was interrupted at some point.

    /// Usually this information is important only for sub-trackers.

    bool WasInterrupted = false;

    /// Combines the current result with the given result.

    void combineWith(const Result &Other) {

      // If we found something in one of the cases, we can

      // say we found something overall.

      FoundSomethingToTrack |= Other.FoundSomethingToTrack;

      // The same goes to the interruption.

      WasInterrupted |= Other.WasInterrupted;

    }

  };

  /// Track expression value back to its point of origin.

  ///

  /// \param E The expression value which we are tracking

  /// \param N A node "downstream" from the evaluation of the statement.

  /// \param Opts Tracking options specifying how we want to track the value.

  virtual Result track(const Expr *E, const ExplodedNode *N,

                       TrackingOptions Opts = {});

  /// Track how the value got stored into the given region and where it came

  /// from.

  ///

  /// \param V We're searching for the store where \c R received this value.

  /// \param R The region we're tracking.

  /// \param Opts Tracking options specifying how we want to track the value.

  /// \param Origin Only adds notes when the last store happened in a

  ///        different stackframe to this one. Disregarded if the tracking kind

  ///        is thorough.

  ///        This is useful, because for non-tracked regions, notes about

  ///        changes to its value in a nested stackframe could be pruned, and

  ///        this visitor can prevent that without polluting the bugpath too

  ///        much.

  virtual Result track(SVal V, const MemRegion *R, TrackingOptions Opts = {},

                       const StackFrameContext *Origin = nullptr);

  /// Handle the store operation and produce the note.

  ///

  /// \param SI The information fully describing the store.

  /// \param Opts Tracking options specifying how we got to it.

  ///

  /// NOTE: this method is designed for sub-trackers and visitors.

  virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC,

                                        TrackingOptions Opts);

  /// Add custom expression handler with the highest priority.

  ///

  /// It means that it will be asked for handling first, and can prevent

  /// other handlers from running if decides to interrupt.

  void addHighPriorityHandler(ExpressionHandlerPtr SH) {

    ExpressionHandlers.push_front(std::move(SH));

  }

  /// Add custom expression handler with the lowest priority.

  ///

  /// It means that it will be asked for handling last, and other handlers can

  /// prevent it from running if any of them decides to interrupt.

  void addLowPriorityHandler(ExpressionHandlerPtr SH) {

    ExpressionHandlers.push_back(std::move(SH));

  }

  /// Add custom store handler with the highest priority.

  ///

  /// It means that it will be asked for handling first, and will prevent

  /// other handlers from running if it produces non-null note.

  void addHighPriorityHandler(StoreHandlerPtr SH) {

    StoreHandlers.push_front(std::move(SH));

  }

  /// Add custom store handler with the lowest priority.

  ///

  /// It means that it will be asked for handling last, only

  /// if all other handlers failed to produce the note.

  void addLowPriorityHandler(StoreHandlerPtr SH) {

    StoreHandlers.push_back(std::move(SH));

  }

  /// Add custom expression/store handler with the highest priority

  ///

  /// See other overloads for explanation.

  template <class HandlerType, class... Args>

  void addHighPriorityHandler(Args &&... ConstructorArgs) {

    addHighPriorityHandler(std::make_unique<HandlerType>(

        *this, std::forward<Args>(ConstructorArgs)...));

  }

  /// Add custom expression/store handler with the lowest priority

  ///

  /// See other overloads for explanation.

  template <class HandlerType, class... Args>

  void addLowPriorityHandler(Args &&... ConstructorArgs) {

    addLowPriorityHandler(std::make_unique<HandlerType>(

        *this, std::forward<Args>(ConstructorArgs)...));

  }

};

/// Handles expressions during the tracking.

class ExpressionHandler {

private:

  Tracker &ParentTracker;

public:

  ExpressionHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {}

  virtual ~ExpressionHandler() {}

  /// Handle the given expression from the given node.

  ///

  /// \param E The expression value which we are tracking

  /// \param Original A node "downstream" where the tracking started.

  /// \param ExprNode A node where the evaluation of \c E actually happens.

  /// \param Opts Tracking options specifying how we are tracking the value.

  virtual Tracker::Result handle(const Expr *E, const ExplodedNode *Original,

                                 const ExplodedNode *ExprNode,

                                 TrackingOptions Opts) = 0;

  /// \Return the tracker that initiated the process.

  Tracker &getParentTracker() { return ParentTracker; }

};

/// Handles stores during the tracking.

class StoreHandler {

private:

  Tracker &ParentTracker;

public:

  StoreHandler(Tracker &ParentTracker) : ParentTracker(ParentTracker) {}

  virtual ~StoreHandler() {}

  /// Handle the given store and produce the node.

  ///

  /// \param SI The information fully describing the store.

  /// \param Opts Tracking options specifying how we are tracking the value.

  ///

  /// \return the produced note, null if the handler doesn't support this kind

  ///         of stores.

  virtual PathDiagnosticPieceRef handle(StoreInfo SI, BugReporterContext &BRC,

                                        TrackingOptions Opts) = 0;

  Tracker &getParentTracker() { return ParentTracker; }

protected:

  PathDiagnosticPieceRef constructNote(StoreInfo SI, BugReporterContext &BRC,

                                       StringRef NodeText);

};

/// Visitor that tracks expressions and values.

class TrackingBugReporterVisitor : public BugReporterVisitor {

private:

  TrackerRef ParentTracker;

public:

  TrackingBugReporterVisitor(TrackerRef ParentTracker)

      : ParentTracker(ParentTracker) {}

  Tracker &getParentTracker() { return *ParentTracker; }

};

/// Attempts to add visitors to track expression value back to its point of

/// origin.

///

/// \param N A node "downstream" from the evaluation of the statement.

/// \param E The expression value which we are tracking

/// \param R The bug report to which visitors should be attached.

/// \param Opts Tracking options specifying how we are tracking the value.

///

/// \return Whether or not the function was able to add visitors for this

///         statement. Note that returning \c true does not actually imply

///         that any visitors were added.

bool trackExpressionValue(const ExplodedNode *N, const Expr *E,

                          PathSensitiveBugReport &R, TrackingOptions Opts = {});

/// Track how the value got stored into the given region and where it came

/// from.

///

/// \param V We're searching for the store where \c R received this value.

/// \param R The region we're tracking.

/// \param Opts Tracking options specifying how we want to track the value.

/// \param Origin Only adds notes when the last store happened in a

///        different stackframe to this one. Disregarded if the tracking kind

///        is thorough.

///        This is useful, because for non-tracked regions, notes about

///        changes to its value in a nested stackframe could be pruned, and

///        this visitor can prevent that without polluting the bugpath too

///        much.

void trackStoredValue(KnownSVal V, const MemRegion *R,

                      PathSensitiveBugReport &Report, TrackingOptions Opts = {},

                      const StackFrameContext *Origin = nullptr);

const Expr *getDerefExpr(const Stmt *S);

} // namespace bugreporter

class TrackConstraintBRVisitor final : public BugReporterVisitor {

  DefinedSVal Constraint;

  bool Assumption;

  bool IsSatisfied = false;

  bool IsZeroCheck;

  /// We should start tracking from the last node along the path in which the

  /// value is constrained.

  bool IsTrackingTurnedOn = false;

public:

  TrackConstraintBRVisitor(DefinedSVal constraint, bool assumption)

      : Constraint(constraint), Assumption(assumption),

        IsZeroCheck(!Assumption && isa<Loc>(Constraint)) {}

  void Profile(llvm::FoldingSetNodeID &ID) const override;

  /// Return the tag associated with this visitor.  This tag will be used

  /// to make all PathDiagnosticPieces created by this visitor.

  static const char *getTag();

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &BR) override;

private:

  /// Checks if the constraint is valid in the current state.

  bool isUnderconstrained(const ExplodedNode *N) const;

};

/// \class NilReceiverBRVisitor

/// Prints path notes when a message is sent to a nil receiver.

class NilReceiverBRVisitor final : public BugReporterVisitor {

public:

  void Profile(llvm::FoldingSetNodeID &ID) const override {

    static int x = 0;

    ID.AddPointer(&x);

  }

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &BR) override;

  /// If the statement is a message send expression with nil receiver, returns

  /// the receiver expression. Returns NULL otherwise.

  static const Expr *getNilReceiver(const Stmt *S, const ExplodedNode *N);

};

/// Visitor that tries to report interesting diagnostics from conditions.

class ConditionBRVisitor final : public BugReporterVisitor {

  // FIXME: constexpr initialization isn't supported by MSVC2013.

  constexpr static llvm::StringLiteral GenericTrueMessage =

      "Assuming the condition is true";

  constexpr static llvm::StringLiteral GenericFalseMessage =

      "Assuming the condition is false";

public:

  void Profile(llvm::FoldingSetNodeID &ID) const override {

    static int x = 0;

    ID.AddPointer(&x);

  }

  /// Return the tag associated with this visitor.  This tag will be used

  /// to make all PathDiagnosticPieces created by this visitor.

  static const char *getTag();

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &BR) override;

  PathDiagnosticPieceRef VisitNodeImpl(const ExplodedNode *N,

                                       BugReporterContext &BRC,

                                       PathSensitiveBugReport &BR);

  PathDiagnosticPieceRef

  VisitTerminator(const Stmt *Term, const ExplodedNode *N,

                  const CFGBlock *SrcBlk, const CFGBlock *DstBlk,

                  PathSensitiveBugReport &R, BugReporterContext &BRC);

  PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond,

                                       BugReporterContext &BRC,

                                       PathSensitiveBugReport &R,

                                       const ExplodedNode *N, bool TookTrue);

  PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const DeclRefExpr *DR,

                                       BugReporterContext &BRC,

                                       PathSensitiveBugReport &R,

                                       const ExplodedNode *N, bool TookTrue,

                                       bool IsAssuming);

  PathDiagnosticPieceRef

  VisitTrueTest(const Expr *Cond, const BinaryOperator *BExpr,

                BugReporterContext &BRC, PathSensitiveBugReport &R,

                const ExplodedNode *N, bool TookTrue, bool IsAssuming);

  PathDiagnosticPieceRef VisitTrueTest(const Expr *Cond, const MemberExpr *ME,

                                       BugReporterContext &BRC,

                                       PathSensitiveBugReport &R,

                                       const ExplodedNode *N, bool TookTrue,

                                       bool IsAssuming);

  PathDiagnosticPieceRef

  VisitConditionVariable(StringRef LhsString, const Expr *CondVarExpr,

                         BugReporterContext &BRC, PathSensitiveBugReport &R,

                         const ExplodedNode *N, bool TookTrue);

  /// Tries to print the value of the given expression.

  ///

  /// \param CondVarExpr The expression to print its value.

  /// \param Out The stream to print.

  /// \param N The node where we encountered the condition.

  /// \param TookTrue Whether we took the \c true branch of the condition.

  ///

  /// \return Whether the print was successful. (The printing is successful if

  ///         we model the value and we could obtain it.)

  bool printValue(const Expr *CondVarExpr, raw_ostream &Out,

                  const ExplodedNode *N, bool TookTrue, bool IsAssuming);

  bool patternMatch(const Expr *Ex, const Expr *ParentEx, raw_ostream &Out,

                    BugReporterContext &BRC, PathSensitiveBugReport &R,

                    const ExplodedNode *N, std::optional<bool> &prunable,

                    bool IsSameFieldName);

  static bool isPieceMessageGeneric(const PathDiagnosticPiece *Piece);

};

/// Suppress reports that might lead to known false positives.

///

/// Currently this suppresses reports based on locations of bugs.

class LikelyFalsePositiveSuppressionBRVisitor final

    : public BugReporterVisitor {

public:

  static void *getTag() {

    static int Tag = 0;

    return static_cast<void *>(&Tag);

  }

  void Profile(llvm::FoldingSetNodeID &ID) const override {

    ID.AddPointer(getTag());

  }

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *, BugReporterContext &,

                                   PathSensitiveBugReport &) override {

    return nullptr;

  }

  void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *N,

                       PathSensitiveBugReport &BR) override;

};

/// When a region containing undefined value or '0' value is passed

/// as an argument in a call, marks the call as interesting.

///

/// As a result, BugReporter will not prune the path through the function even

/// if the region's contents are not modified/accessed by the call.

class UndefOrNullArgVisitor final : public BugReporterVisitor {

  /// The interesting memory region this visitor is tracking.

  const MemRegion *R;

public:

  UndefOrNullArgVisitor(const MemRegion *InR) : R(InR) {}

  void Profile(llvm::FoldingSetNodeID &ID) const override {

    static int Tag = 0;

    ID.AddPointer(&Tag);

    ID.AddPointer(R);

  }

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &BR) override;

};

class SuppressInlineDefensiveChecksVisitor final : public BugReporterVisitor {

  /// The symbolic value for which we are tracking constraints.

  /// This value is constrained to null in the end of path.

  DefinedSVal V;

  /// Track if we found the node where the constraint was first added.

  bool IsSatisfied = false;

  /// Since the visitors can be registered on nodes previous to the last

  /// node in the BugReport, but the path traversal always starts with the last

  /// node, the visitor invariant (that we start with a node in which V is null)

  /// might not hold when node visitation starts. We are going to start tracking

  /// from the last node in which the value is null.

  bool IsTrackingTurnedOn = false;

public:

  SuppressInlineDefensiveChecksVisitor(DefinedSVal Val, const ExplodedNode *N);

  void Profile(llvm::FoldingSetNodeID &ID) const override;

  /// Return the tag associated with this visitor.  This tag will be used

  /// to make all PathDiagnosticPieces created by this visitor.

  static const char *getTag();

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *Succ,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &BR) override;

};

/// The bug visitor will walk all the nodes in a path and collect all the

/// constraints. When it reaches the root node, will create a refutation

/// manager and check if the constraints are satisfiable

class FalsePositiveRefutationBRVisitor final : public BugReporterVisitor {

private:

  /// Holds the constraints in a given path

  ConstraintMap Constraints;

public:

  FalsePositiveRefutationBRVisitor();

  void Profile(llvm::FoldingSetNodeID &ID) const override;

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &BR) override;

  void finalizeVisitor(BugReporterContext &BRC, const ExplodedNode *EndPathNode,

                       PathSensitiveBugReport &BR) override;

  void addConstraints(const ExplodedNode *N,

                      bool OverwriteConstraintsOnExistingSyms);

};

/// The visitor detects NoteTags and displays the event notes they contain.

class TagVisitor : public BugReporterVisitor {

public:

  void Profile(llvm::FoldingSetNodeID &ID) const override;

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BRC,

                                   PathSensitiveBugReport &R) override;

};

class ObjCMethodCall;

class CXXConstructorCall;

/// Put a diagnostic on return statement (or on } in its absence) of all inlined

/// functions for which some property remained unchanged.

/// Resulting diagnostics may read such as "Returning without writing to X".

///

/// Descendants can define what a "state change is", like a change of value

/// to a memory region, liveness, etc. For function calls where the state did

/// not change as defined, a custom note may be constructed.

///

/// For a minimal example, check out

/// clang/unittests/StaticAnalyzer/NoStateChangeFuncVisitorTest.cpp.

class NoStateChangeFuncVisitor : public BugReporterVisitor {

private:

  /// Frames modifying the state as defined in \c wasModifiedBeforeCallExit.

  /// This visitor generates a note only if a function does *not* change the

  /// state that way. This information is not immediately available

  /// by looking at the node associated with the exit from the function

  /// (usually the return statement). To avoid recomputing the same information

  /// many times (going up the path for each node and checking whether the

  /// region was written into) we instead lazily compute the stack frames

  /// along the path.

  // TODO: Can't we just use a map instead? This is likely not as cheap as it

  // makes the code difficult to read.

  llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifying;

  llvm::SmallPtrSet<const StackFrameContext *, 32> FramesModifyingCalculated;

  /// Check and lazily calculate whether the state is modified in the stack

  /// frame to which \p CallExitBeginN belongs.

  /// The calculation is cached in FramesModifying.

  bool isModifiedInFrame(const ExplodedNode *CallExitBeginN);

  void markFrameAsModifying(const StackFrameContext *SCtx);

  /// Write to \c FramesModifying all stack frames along the path in the current

  /// stack frame which modifies the state.

  void findModifyingFrames(const ExplodedNode *const CallExitBeginN);

protected:

  bugreporter::TrackingKind TKind;

  /// \return Whether the state was modified from the current node, \p CurrN, to

  /// the end of the stack frame, at \p CallExitBeginN. \p CurrN and

  /// \p CallExitBeginN are always in the same stack frame.

  /// Clients should override this callback when a state change is important

  /// not only on the entire function call, but inside of it as well.

  /// Example: we may want to leave a note about the lack of locking/unlocking

  /// on a particular mutex, but not if inside the function its state was

  /// changed, but also restored. wasModifiedInFunction() wouldn't know of this

  /// change.

  virtual bool wasModifiedBeforeCallExit(const ExplodedNode *CurrN,

                                         const ExplodedNode *CallExitBeginN) {

    return false;

  }

  /// \return Whether the state was modified in the inlined function call in

  /// between \p CallEnterN and \p CallExitEndN. Mind that the stack frame

  /// retrieved from a CallEnterN and CallExitEndN is the *caller's* stack

  /// frame! The inlined function's stack should be retrieved from either the

  /// immediate successor to \p CallEnterN or immediate predecessor to

  /// \p CallExitEndN.

  /// Clients should override this function if a state changes local to the

  /// inlined function are not interesting, only the change occuring as a

  /// result of it.

  /// Example: we want to leave a not about a leaked resource object not being

  /// deallocated / its ownership changed inside a function, and we don't care

  /// if it was assigned to a local variable (its change in ownership is

  /// inconsequential).

  virtual bool wasModifiedInFunction(const ExplodedNode *CallEnterN,

                                     const ExplodedNode *CallExitEndN) {

    return false;

  }

  /// Consume the information on the non-modifying stack frame in order to

  /// either emit a note or not. May suppress the report entirely.

  /// \return Diagnostics piece for the unmodified state in the current

  /// function, if it decides to emit one. A good description might start with

  /// "Returning without...".

  virtual PathDiagnosticPieceRef

  maybeEmitNoteForObjCSelf(PathSensitiveBugReport &R,

                           const ObjCMethodCall &Call,

                           const ExplodedNode *N) = 0;

  /// Consume the information on the non-modifying stack frame in order to

  /// either emit a note or not. May suppress the report entirely.

  /// \return Diagnostics piece for the unmodified state in the current

  /// function, if it decides to emit one. A good description might start with

  /// "Returning without...".

  virtual PathDiagnosticPieceRef

  maybeEmitNoteForCXXThis(PathSensitiveBugReport &R,

                          const CXXConstructorCall &Call,

                          const ExplodedNode *N) = 0;

  /// Consume the information on the non-modifying stack frame in order to

  /// either emit a note or not. May suppress the report entirely.

  /// \return Diagnostics piece for the unmodified state in the current

  /// function, if it decides to emit one. A good description might start with

  /// "Returning without...".

  virtual PathDiagnosticPieceRef

  maybeEmitNoteForParameters(PathSensitiveBugReport &R, const CallEvent &Call,

                             const ExplodedNode *N) = 0;

public:

  NoStateChangeFuncVisitor(bugreporter::TrackingKind TKind) : TKind(TKind) {}

  PathDiagnosticPieceRef VisitNode(const ExplodedNode *N,

                                   BugReporterContext &BR,

                                   PathSensitiveBugReport &R) final;

};

} // namespace ento

} // namespace clang

#endif // LLVM_CLANG_STATICANALYZER_CORE_BUGREPORTER_BUGREPORTERVISITORS_H