Commit Graph

535 Commits

Author SHA1 Message Date
Ted Kremenek 2f5198b022 Added test case for <rdar://problem/7152418>.
llvm-svn: 82866
2009-09-26 17:18:44 +00:00
Ted Kremenek f694f421e1 Fix <rdar://problem/7249327> by allowing silent conversions between signed and unsigned integer values for symbolic values. This is an intermediate solution (i.e. hack) until we support extension/truncation of symbolic integers.
llvm-svn: 82737
2009-09-25 00:18:15 +00:00
Ted Kremenek 1b40e5978f Fix crash in RegionStoreManager::Bind() by using 'getAs<PointerType>()' instead of 'cast<PointerType>()' (to handle pointer typedefs).
llvm-svn: 82686
2009-09-24 06:24:32 +00:00
Ted Kremenek 267e45adab Fix: <rdar://problem/7249340> [RegionStore] model stores to symbolic parameter regions
The issue was a discrepancy between how RegionStoreManager::Bind() and
RegionStoreManager::Retrieve() derived the "key" for the first element
of a symbolic region.

llvm-svn: 82680
2009-09-24 04:11:44 +00:00
Ted Kremenek d9120d3575 Shorten the static analyzer diagnostic for 'use of garbage value'.
llvm-svn: 82672
2009-09-24 00:44:26 +00:00
Ted Kremenek 1624a4784a Fix PR 4988 by removing an invalid assertion (a function can be referenced in
GRExprEngine::VisitDeclRefExpr without 'asLValue' being true).

llvm-svn: 82598
2009-09-23 01:30:01 +00:00
Ted Kremenek 3003001a86 Fix: <rdar://problem/7242006> [RegionStore] compound literal assignment with floats not honored
llvm-svn: 82575
2009-09-22 21:19:14 +00:00
Ted Kremenek f9539d0c3f Fix: <rdar://problem/7242015> [RegionStore] variable passed-by-reference (via integer) to function call not invalidated
llvm-svn: 82523
2009-09-22 04:48:39 +00:00
Ted Kremenek fd68c7bdc0 Add test case for <rdar://problem/6829164>, which was implicitly fixed in r79694.
llvm-svn: 82495
2009-09-21 23:22:11 +00:00
Ted Kremenek 25c9c1427a Provide intermediate solution to handling assignments to structs via an
integer pointer.  For now just invalidate the fields of the struct.

This addresses: <rdar://problem/7185607> [RegionStore] support invalidation of bit fields using integer assignment

llvm-svn: 82492
2009-09-21 22:58:52 +00:00
Ted Kremenek 0ccd06c017 Re-introduce diagnostic caching in BugReporter that was originally added in
r82198 and then reverted. This is an intermediate solution, as diagnostic
caching should not rely on static variables.

llvm-svn: 82301
2009-09-18 22:37:37 +00:00
Ted Kremenek e3d209ff77 Revert most of r82198, which was causing a large number of crashes
when running the analyzer on real projects.  We'll keep the change to
AnalysisManager.cpp in r82198 so that -fobjc-gc analyzes code
correctly in both GC and non-GC modes, although this may emit two
diagnostics for each bug in some cases (a better solution will come
later).

llvm-svn: 82201
2009-09-18 07:31:15 +00:00
Ted Kremenek 82f7f9c080 Introduce caching of diagnostics in BugReporter. This provides extra
pruning of diagnostics that may be emitted multiple times.  This is
accomplished by adding FoldingSet profiling support to PathDiagnostic,
and then having BugReporter record what diagnostics have been issued.

This was motived to a serious bug introduced by moving the
'divide-by-zero' checking outside of GRExprEngine into a separate
'Checker' class.  When analyzing code using the '-fobjc-gc' option, a
given function would be analyzed twice, but the second time various
"internal checks" would be disabled to avoid emitting multiple
diagnostics (e.g., "null dereference") for the same issue.  The
problem is that such checks also effect path pruning and don't just
emit diagnostics.  This resulted in an assertion failure involving a
real divide-by-zero in some analyzed code where we would get an
assertion failure in APInt because the 'DivZero' check was disabled
and didn't prune the logic that resulted in the divide-by-zero in the
analyzer.

The implemented solution is somewhat of a hack, and may not perform
extremely well.  This will need to be cleaned up over time.

As a regression test, 'misc-ps.m' has been modified so that its tests
are run using -fobjc-gc to test this diagnostic pruning behavior.

llvm-svn: 82198
2009-09-18 05:37:41 +00:00
Ted Kremenek 4f335c300a Have divide-by-zero checker not handled undefined denominators. This is handled by the generic checking for undefined operands for BinaryOperators.
llvm-svn: 82019
2009-09-16 06:04:26 +00:00
Ted Kremenek 27347135dd Add static analyzer transfer function support for __builtin_offsetof.
llvm-svn: 81820
2009-09-15 00:40:32 +00:00
Ted Kremenek 7020eae076 Introduce "DefinedOrUnknownSVal" into the SVal class hierarchy, providing a way
to statically type various methods in SValuator/GRState as required either a
defined value or a defined-but-possibly-unknown value. This leads to various
logic cleanups in GRExprEngine, and lets the compiler enforce via type checking
our assumptions about what symbolic values are possibly undefined and what are
not.

Along the way, clean up some of the static analyzer diagnostics regarding the uses of uninitialized values.

llvm-svn: 81579
2009-09-11 22:07:28 +00:00
Ted Kremenek 84c6f0a1e6 Implement: <rdar://problem/7185647> [RegionStore] 'self' cannot be NULL upon entry to a method
Here we implement this as a precondition within GRExprEngine, even though it is
related to how BasicStoreManager and RegionStoreManager model 'self'
differently. Putting this as a high-level precondition is more general, which is
why it isn't in RegionStore.cpp.

llvm-svn: 81378
2009-09-09 20:36:12 +00:00
Mike Stump 11289f4280 Remove tabs, and whitespace cleanups.
llvm-svn: 81346
2009-09-09 15:08:12 +00:00
Ted Kremenek ad5a600a24 Implement: <rdar://problem/6337100> CWE-338: Use of cryptographically weak prng
Patch by Geoff Keating!

llvm-svn: 80752
2009-09-02 02:47:41 +00:00
Ted Kremenek 745c0fa407 Add test case from <rdar://problem/7184450>.
llvm-svn: 80700
2009-09-01 18:33:16 +00:00
Ted Kremenek d65d22a0c5 Add uninitialized values test case.
llvm-svn: 80388
2009-08-28 20:25:33 +00:00
Ted Kremenek 52ac2b5735 retain/release checker: [CIContext createCGImage...] and friends returned CF
objects that are not automatically garbage collected. This fixes
<rdar://problem/7174400>.

llvm-svn: 80387
2009-08-28 19:52:12 +00:00
Ted Kremenek d032fcce5c Implement: <rdar://problem/6337132> CWE-273: Failure to Check Whether Privileges
Were Dropped Successfully

Patch by Geoff Keating!

llvm-svn: 80313
2009-08-28 00:08:09 +00:00
Ted Kremenek c4c48be88e Fix regression in BasicStoreManager caused by implicitly casting loaded values and trying to load/store from arrays. RegionStoreManager already properly handles these cases well; we just need to gracefully not handle this case in BasicStoreManager. This fixes PR 4781.
llvm-svn: 80051
2009-08-25 23:29:04 +00:00
Ted Kremenek d1d6066be8 Handle pointer arithmetic in RegionStoreManager involving Objective-C pointers
when using the non-fragile Objective-C ABI.  This fixes <rdar://problem/7168531>.

llvm-svn: 80047
2009-08-25 22:55:09 +00:00
Ted Kremenek 3ed9543ace Fix crash reported in <rdar://problem/7124210> by "back-porting" some of the
implicit cast logic in RegionStoreManager to BasicStoreManager. This involved
moving CastRetriedVal from RegionStoreManager to StoreManager.

llvm-svn: 80026
2009-08-25 20:51:30 +00:00
Ted Kremenek 6bc04bca68 Add test case for PR 4759.
llvm-svn: 79954
2009-08-24 22:56:32 +00:00
Ted Kremenek 815fbb6026 retain/release checker: Treat NSObject method '-awakeAfterUsingCoder:'
just as if it behaved like an init function.  This fixes <rdar://problem/7129086>.

llvm-svn: 79515
2009-08-20 05:13:36 +00:00
Ted Kremenek e95b439cc3 Make this test case more portable by removing its dependency on system header files.
llvm-svn: 79511
2009-08-20 04:48:23 +00:00
Ted Kremenek d982f001c9 retain/release checker: Special case handling of CFAttributedStringSetAttribute,
fixing <rdar://problem/7152619>. Along the way, merge test cases in
'test/Analysis/rdar-6539791.c' into 'test/Analysis/retain-release.m'.

llvm-svn: 79499
2009-08-20 00:57:22 +00:00
Ted Kremenek 0e8e1fde25 Fix: <rdar://problem/7075531> static analyzer wrongly detects unused ivars used in blocks
llvm-svn: 78409
2009-08-07 21:13:23 +00:00
Ted Kremenek 040e3b91da Fix a few more false positives involving RegionStore and unions, but this time
with array accesses. In the process, refactor some common logic in
RetrieveElement() and RetrieveField() into RetrieveFieldOrElementCommon().

llvm-svn: 78349
2009-08-06 22:33:36 +00:00
Ted Kremenek 2f6eb14af4 Fix a couple false positive "uninitialized value" warnings with RegionStore
involving reasoning about unions (which we don't handle yet).

llvm-svn: 78342
2009-08-06 21:43:54 +00:00
Ted Kremenek f368fa6728 Update test case.
llvm-svn: 78290
2009-08-06 06:26:40 +00:00
Ted Kremenek 68c1f010d2 Fix a bug in RegionStoreSubRegionManager::add() where multiple subregions wouldn't correctly get registered in the SubRegion map.
llvm-svn: 78162
2009-08-05 05:31:02 +00:00
Zhongxing Xu 13ee441874 Add test case.
llvm-svn: 78150
2009-08-05 03:45:09 +00:00
Ted Kremenek 1624df626d Adjust test case.
llvm-svn: 78028
2009-08-04 00:58:45 +00:00
Ted Kremenek d673098480 Add a pass-by-value test for the analyzer.
llvm-svn: 78018
2009-08-03 23:22:53 +00:00
Ted Kremenek d7e467f39c Add test case testing field sensitivity. Reduced from <rdar://problem/7114618>.
llvm-svn: 78008
2009-08-03 22:23:24 +00:00
Ted Kremenek 0bb32e3e5d Handle disgusting corner case where a byte is loaded from the address of a function.
llvm-svn: 78000
2009-08-03 21:41:46 +00:00
Ted Kremenek 9419876e59 Fix regression in StoreManager::CastRegion() to always treat casts to
'void*' (or 'const void*') as an identity transformation.

llvm-svn: 77860
2009-08-02 04:12:53 +00:00
Ted Kremenek 1f22aa7433 This is a fairly large patch, which resulted from a cascade of changes
made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.

The root of the change is in StoreManager::CastRegion().  Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region.  This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.

Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object.  This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).

Other related changes that cascaded from this one (as tests were
failing in RegionStore):

- Revamped RegionStoreManager::InvalidateRegion() to completely remove
  all bindings and default values from a region and all subregions.
  Now invalidated fields are not bound directly to new symbolic
  values; instead the base region has a "default" symbol value from
  which "derived symbols" can be created.  The main advantage of this
  approach is that it allows us to invalidate a region hierarchy and
  then lazily instantiate new values no matter how deep the hierarchy
  went (i.e., regardless of the number of field accesses,
  e.g. x->f->y->z->...).  The previous approach did not do this.

- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
  incorporate live symbols and live regions that do not have direct
  bindings but also have "default values" used for lazy instantiation.
  The changes to 'InvalidateRegion' revealed that these were necessary
  in order to achieve lazy instantiation of values in the region store
  with those bindings being removed too early.

- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
  a serious bug in 'getSubRegionMap()' where not all region -> subregion
  relationships involved in actually bindings (explicit and implicit)
  were being recorded.  This has been fixed by using a worklist algorithm
  to iteratively fill in the region map.

- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
  OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
  layering of ElementRegions.

- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
  being marked live if the symbol they were derived from was also live.
  This fix was critical for getting lazy instantiation in RegionStore
  to work.

- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
  to use SymbolManager::canSymbolicate() to decide whether or not a
  symbol should be symbolicated.

- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
  moved to 'test/Analysis/misc-ps.m'.

- Tweaked some pretty-printing of MemRegions, and implemented
  'ElementRegion::getRawOffset()' for use with the CastRegion changes.

llvm-svn: 77782
2009-08-01 06:17:29 +00:00
Ted Kremenek eb01ba670e Temporarily disable out-of-bounds checking. The current checking logic will not work quite right with the changes I'm about to commit.
llvm-svn: 77779
2009-08-01 05:59:39 +00:00
Anders Carlsson 499de4252d Add casts to avoid a bunch of unused expr warnings. (They aren't reported right now due to a bug that I intend to fix). Ted, please review.
llvm-svn: 77630
2009-07-30 22:37:41 +00:00
Ted Kremenek 4301526e8d Remove 'StoreManager::OldCastRegion()', TypedViewRegion (which only
OldCastRegion used), and the associated command line option
'-analyzer-store=old-basic-cast'.

llvm-svn: 77509
2009-07-29 21:43:22 +00:00
Ted Kremenek 3c6764cd3e Add an XFAILed test case that currently crashes for RegionStore. This case will
be moved to misc-ps.m when it passes.

llvm-svn: 77486
2009-07-29 18:19:16 +00:00
Ted Kremenek 70b943f206 Add another analyzer test case involving an OSAtomic function.
llvm-svn: 77485
2009-07-29 18:18:25 +00:00
Ted Kremenek a41d9dd1f1 Fix PR 4631. The compound initializers of unions were not being evaluated, which
could cause false positives if any the subexpressions had side-effects. These
initializers weren't evaluated because the StoreManager would need to handle
them, but that's an orthogonal problem of whether or not the StoreManager can
handle the binding.

llvm-svn: 77361
2009-07-28 20:46:55 +00:00
Ted Kremenek faf0c64d9d Fix regression in attribute 'nonnull' checking when a transition node
was created but not added to the destination NodeSet.  This fixes PR 4630.

llvm-svn: 77353
2009-07-28 19:24:31 +00:00
Ted Kremenek 6610c0326b Implement: <rdar://problem/6335715> rule request: gets() buffer overflow
llvm-svn: 76905
2009-07-23 22:29:41 +00:00