Commit Graph

657 Commits

Author SHA1 Message Date
Ted Kremenek 09bc3b7df6 Teach GRExprEngine to handle the initialization of the condition variable of a WhileStmt.
llvm-svn: 92106
2009-12-24 00:54:56 +00:00
Ted Kremenek 284d764418 Add test case for PR 4358.
llvm-svn: 92103
2009-12-24 00:48:11 +00:00
Ted Kremenek 589493227b Teach GRExprEngine to handle the initialization of the condition variable of a SwitchStmt.
llvm-svn: 92102
2009-12-24 00:40:03 +00:00
Ted Kremenek a7bcbde814 Add CFG support for the condition variable that can appear in IfStmts in C++ mode.
Add transfer function support in GRExprEngine for IfStmts with initialized condition variables.

llvm-svn: 91987
2009-12-23 04:49:01 +00:00
Ted Kremenek 857f41c650 Suppress dead store warnings involving objects initialized with CXXExprTemporaries.
llvm-svn: 91986
2009-12-23 04:11:44 +00:00
Ted Kremenek 25e280bf02 Fix PR 5857. When casting from a symbolic region to an integer back to a pointer value, we were not correctly layering the correct ElementRegion on the original SymbolicRegion.
llvm-svn: 91981
2009-12-23 02:52:14 +00:00
Ted Kremenek 343b51271d Also treat the type of the subexpression as a pointer in GRExprEngine::VisitCast when the expression is handled as an lvalue.
llvm-svn: 91969
2009-12-23 01:19:20 +00:00
Ted Kremenek 22cc1a8438 Add basic support for analyzing CastExprs as lvalues.
llvm-svn: 91952
2009-12-23 00:26:16 +00:00
Ted Kremenek e19711d223 Add transfer functions support for visiting an Objective-C message expression as an lvalue when the return type is a C++ reference.
llvm-svn: 91926
2009-12-22 22:13:46 +00:00
Zhongxing Xu 4794801e27 Use the FunctionDecl's result type to know exactly if it returns a reference.
llvm-svn: 91751
2009-12-19 03:17:55 +00:00
Ted Kremenek af1bdd71af Enhance GRExprEngine::VisitCallExpr() to be used in an lvalue context. Uncovered a new failing test case along the way, but we're making progress on handling C++ references in the analyzer.
llvm-svn: 91710
2009-12-18 20:13:39 +00:00
Ted Kremenek 85bcc986d6 Add failing test case for C++ static analysis.
llvm-svn: 91578
2009-12-17 01:44:13 +00:00
Eli Friedman 53b3cde60f Add abort() as a builtin. This has two effects: one, we warn for incorrect
declarations of abort(), and two, we mark it noreturn.  Missing the latter
shows up in one of the "embarassing" tests (from the thread on llvmdev
"detailed comparison of generated code size for LLVM and other compilers").

llvm-svn: 91515
2009-12-16 06:28:21 +00:00
Ted Kremenek 4cad5fc035 Add (initial?) static analyzer support for handling C++ references.
This change was a lot bigger than I originally anticipated; among
other things it requires us storing more information in the CFG to
record what block-level expressions need to be evaluated as lvalues.

The big change is that CFGBlocks no longer contain Stmt*'s by
CFGElements.  Currently CFGElements just wrap Stmt*, but they also
store a bit indicating whether the block-level expression should be
evalauted as an lvalue.  DeclStmts involving the initialization of a
reference require us treating the initialization expression as an
lvalue, even though that information isn't recorded in the AST.
Conceptually this change isn't that complicated, but it required
bubbling up the data through the CFGBuilder, to GRCoreEngine, and
eventually to GRExprEngine.

The addition of CFGElement is also useful for when we want to handle
more control-flow constructs or other data we want to keep in the CFG
that isn't represented well with just a block of statements.

In GRExprEngine, this patch introduces logic for evaluating the
lvalues of references, which currently retrieves the internal "pointer
value" that the reference represents.  EvalLoad does a two stage load
to catch null dereferences involving an invalid reference (although
this could possibly be caught earlier during the initialization of a
reference).

Symbols are currently symbolicated using the reference type, instead
of a pointer type, and special handling is required creating
ElementRegions that layer on SymbolicRegions (see the changes to
RegionStoreManager).

Along the way, the DeadStoresChecker also silences warnings involving
dead stores to references.  This was the original change I introduced
(which I wrote test cases for) that I realized caused GRExprEngine to
crash.

llvm-svn: 91501
2009-12-16 03:18:58 +00:00
Daniel Dunbar 8fbe78f6fc Update tests to use %clang_cc1 instead of 'clang-cc' or 'clang -cc1'.
- This is designed to make it obvious that %clang_cc1 is a "test variable"
   which is substituted. It is '%clang_cc1' instead of '%clang -cc1' because it
   can be useful to redefine what gets run as 'clang -cc1' (for example, to set
   a default target).

llvm-svn: 91446
2009-12-15 20:14:24 +00:00
Ted Kremenek 29f3808667 Until we can make the dead stores checker smarter, dont' emit dead store warnings for C++ objects (whose constructors/destructors have possible side-effects).
llvm-svn: 91412
2009-12-15 04:12:12 +00:00
Ted Kremenek 814c416636 Fix: <rdar://problem/7468209> SymbolManager::isLive() should not crash on captured block variables that are passed by reference
llvm-svn: 91348
2009-12-14 22:15:06 +00:00
Zhongxing Xu 27f686f8ec Replace clang-cc with clang -cc1.
llvm-svn: 91272
2009-12-14 06:34:20 +00:00
Zhongxing Xu c0484fa611 Add initial support for realloc() in MallocChecker.
llvm-svn: 91216
2009-12-12 12:29:38 +00:00
Ted Kremenek f6d9cebafd Enhance understanding of VarRegions referenced by a block whose declarations are outside the current stack frame. Fixes <rdar://problem/7462324>.
llvm-svn: 91107
2009-12-11 06:43:27 +00:00
Ted Kremenek 8573913760 Fix null dereference in OSAtomicChecker and special case SymbolicRegions. We still aren't handling them correctly; I've added to failing test cases to test/Analysis/NSString-failed-cases.m that should pass and then be merged in to test/Analysis/NSString.m.
llvm-svn: 90993
2009-12-09 23:29:55 +00:00
Zhongxing Xu 1d153328be OSAtomic simulation: use the original region as the location to load from,
instead of the ElementRegion obtained from casts.

Test cast: the leak cannot occur bacause the true branch cannot be taken.

llvm-svn: 90964
2009-12-09 08:32:57 +00:00
Zhongxing Xu 39644a62f9 Add notes to a test case.
llvm-svn: 90947
2009-12-09 04:22:30 +00:00
Ted Kremenek 32c32892f7 Fix a horrid bug in GRExprEngine::CheckerVisit() that was identified
by the test case in PR 5627.  Essentially we shouldn't clear the
ExplodedNodeSet where we deposit newly constructed nodes if that set
is the 'Dst' set passed in.  It is not okay to clear that set because
it may already contain nodes.

llvm-svn: 90931
2009-12-09 02:45:41 +00:00
Zhongxing Xu efd9ae8a85 Add test case for mktemp. Patch by Lei Zhang.
llvm-svn: 90706
2009-12-06 12:45:46 +00:00
Ted Kremenek 2a3dbb5749 Add another blocks test case illustrating how parameters passed-by-reference in block invocations are invalidated (just like function calls).
llvm-svn: 90466
2009-12-03 18:29:20 +00:00
Ted Kremenek 5bee5c4ff0 Add value invalidation logic for block-captured variables. Conceptually invoking a block (without specific reasoning of what the block does) can invalidate any value to it by reference when the block was created.
llvm-svn: 90431
2009-12-03 08:25:47 +00:00
Ted Kremenek f66b72094a Add a heuristic to the dead stores checker to prune dead stores for variables annotated with '__block'. This is overly conservative, but now the analyzer doesn't report dead stores for variables that can be updated by a block call.
llvm-svn: 90364
2009-12-03 00:46:16 +00:00
Ted Kremenek 733a3e6104 Added dead-stores test cases that involve the use of blocks.
llvm-svn: 90277
2009-12-01 23:04:14 +00:00
Ted Kremenek b2dc72d2d0 Add new test case file that focuses on testing analyzer support for blocks.
llvm-svn: 90274
2009-12-01 22:47:46 +00:00
Daniel Dunbar 4e7596cc3a Normalize options to use '-FOO' instead of '--FOO'.
llvm-svn: 90071
2009-11-29 09:33:10 +00:00
Ted Kremenek 2350e0c3ba Improve diagnostics in ReturnStackAddressChecker for returning a stack-allocated block. Implements the rest of <rdar://problem/7387385>.
llvm-svn: 89940
2009-11-26 07:14:50 +00:00
Ted Kremenek e5d8dd808e Add test case that shows that dead stores checking now works in the presence of blocks.
llvm-svn: 89939
2009-11-26 06:55:36 +00:00
Ted Kremenek f89dcdaf19 Add a PostVisitBlockExpr() method to RetainReleaseChecker to query for
the set of variables "captured" by a block.  Until the analysis gets
more sophisticated, for now we stop the retain count tracking of any
objects (transitively) referenced by these variables.

llvm-svn: 89929
2009-11-26 02:38:19 +00:00
Ted Kremenek e6a2780c96 Add really basic support for blocks in the retain/release checker. For now, anytime we pass a tracked object to a block call we stop tracking it.
llvm-svn: 89831
2009-11-25 01:35:18 +00:00
Ted Kremenek 239b930ae1 Convert test case to FileCheck to test the behavior of the nil-receiver checker when the code is targetted for either Tiger or Leopard.
llvm-svn: 89810
2009-11-24 22:56:53 +00:00
Ted Kremenek 1fc1f20efd For the nil-receiver checker, take into account the behavioral changes that got introduced in Mac OS X 10.5 and later, notably return values of double, float, etc., will not be garbage. Fixes <rdar://problem/6829160>.
llvm-svn: 89809
2009-11-24 22:48:18 +00:00
Ted Kremenek 005e8a06f2 Cleanups and fixes to the nil-receiver checker, some of it fallout the
initial transition of the nil-receiver checker to the Checker
interface as done in r89745.  Some important changes include:

1) We consolidate the BugType object used for nil receiver bug
reports, and don't include the type of the returned value in the
BugType (which would be wrong if a nil receiver bug was reported more
than once)

2) Added a new (temporary) flag to CheckerContext: DoneEvauating.
This is used by GRExprEngine when evaluating message expressions to
not continue evaluating the message expression if this flag is set.
This flag is currently set by the nil receiver checker.  This is an
intermediate solution to allow the nil-receiver checker to properly
work as a plug-in outside of GRExprEngine.  Basically, this flag
indicates that the entire message expression has been evaluated, not
just a precondition (which is what the nil-receiver checker does).
This flag *should not* be repurposed for general use, but just to pull
more things out of GRExprEngine that already in there as we devise a
better interface in the Checker class.

3) Cleaned up the logic in the nil-receiver checker, making the
control-flow a lot easier to read.

llvm-svn: 89804
2009-11-24 21:41:28 +00:00
Ted Kremenek c0229557dd Enhance null dereference diagnostics by indicating what variable (if any) was dereferenced. Addresses <rdar://problem/7039161>.
llvm-svn: 89726
2009-11-24 01:33:10 +00:00
Ted Kremenek 02d6aca867 Tweak UndefBranchChecker to register the most nested "undefined" expression with bugreporter::registerTrackNullOrUndefValue instead of the condition itself.
llvm-svn: 89682
2009-11-23 18:12:03 +00:00
Fariborz Jahanian 0afc555196 Make 'SEL' pointer to a builtin type and not an
objective-c pointer type. This was a serious mishap and
luckily, Ted's test caught that (and patch fixes the test case).

llvm-svn: 89680
2009-11-23 18:04:25 +00:00
Ted Kremenek d4dca6fde6 Cleanup title/description of "undefined branch" BugType and add some test cases for this check.
llvm-svn: 89679
2009-11-23 17:58:48 +00:00
Ted Kremenek 12b64959ce Change CheckDeadStores to use Expr::isNullPointerConstant, which will correctly determine whether an expression is a null pointer constant.
Patch by Kovarththanan Rajaratnam!

llvm-svn: 89621
2009-11-22 20:26:21 +00:00
Fariborz Jahanian 252ba5fb6f This patch implements objective-c's 'SEL' type as a built-in
type and fixes a long-standing code gen. crash reported in
at least two PRs and a radar. (radar 7405040 and pr5025). 
There are couple of remaining issues that I would like for
Ted. and Doug to look at:

Ted, please look at failure in Analysis/MissingDealloc.m.
I have temporarily added an expected-warning to make the
test pass. This tests has a declaration of 'SEL' type which
may not co-exist with the new changes.

Doug, please look at a FIXME in PCHWriter.cpp/PCHReader.cpp.
I think the changes which I have ifdef'ed out are correct. They
need be considered for in a few Indexer/PCH test cases.

llvm-svn: 89561
2009-11-21 19:53:08 +00:00
Ted Kremenek 775d9c149d Add RegionStore test case that shows that floating point values are also implicitly tracked for undefined values. (test case for <rdar://problem/6811085>).
llvm-svn: 89538
2009-11-21 02:52:12 +00:00
Ted Kremenek f3febe4bdc Add another test case to show the precision of RegionStore over
BasicStore.  In this example, BasicStore would lose information about
the pointer in path after '*path++', causing the analyzer to falsely
flag a null dereference.  This addresses <rdar://problem/7191542>.

llvm-svn: 89533
2009-11-21 02:17:47 +00:00
Ted Kremenek caf2c51fad Pull BadCallChecker int UndefinedArgChecker, and have UndefinedArgChecker also handled undefined receivers in message expressions.
llvm-svn: 89524
2009-11-21 01:25:37 +00:00
Ted Kremenek f7adea43b4 More checker refactoring. Passing undefined values in a message expression is now handled by UndefinedArgChecker.
llvm-svn: 89519
2009-11-21 00:49:41 +00:00
Ted Kremenek a4f7c180ae Add simple static analyzer checker to check for sending 'release', 'retain', etc. directly to a class. Fixes <rdar://problem/7252064>.
llvm-svn: 89449
2009-11-20 05:27:05 +00:00
Ted Kremenek c1f161c012 Unused ivar checker: ivars referenced by lexically nested functions should not be flagged as unused. Fixes <rdar://problem/7254495>.
llvm-svn: 89448
2009-11-20 04:31:57 +00:00