pointers.
Enhanced RegionStoreManager::Retrieve() to handle automatic casts when the
loaded value is different from the requested value. This should be refined over
time, but essentially we should always symbolicate locations as locations, and
convert them to non-locations on demand.
These changes now cause 'misc-ps.m' to pass again.
llvm-svn: 76497
ValueManager::makeArrayIndex()/convertArrayIndex() methods. This
handles yet another crash case when reasoning about array indices of
different bitwidth and signedness.
llvm-svn: 75884
This patch causes:
- StoreManager::InvalidateRegion() to not used the casted type of a region if
it would cause a pointer type to be invalidated as a non-pointer type.
- Pushes RegionStore::RetrieveElement() further by handling retrievals from
symbolic arrays that have been invalidated. This uses the new SymbolDerived
construct that was recently introduced.
The result is that the failing test in misc-ps-region-store-x86_64.m now passes.
Both misc-ps-region-store-x86_64.m and misc-ps-region-store-i386.m contain a
test case that motivated this change.
llvm-svn: 75730
are not explicitly marked as not accepting NULL pointers. This check illustrates
how we need more refactoring in the custom-check logic.
llvm-svn: 75570
where we are comparing a symbolic value against itself, regardless of
the nature of that symbolic value.
This enhancement identified a case where RegionStoreManager is not
correctly symbolicating the values of the pointees of parameters. The
failing test is now in 'test/Analysis/misc-ps-region-store.m', with
that test file now (temporarily) marked XFAIL.
llvm-svn: 75521
CodeTextRegions can only be casted to FunctionPointer or BlockPointerTypes. This
simply isn't true. We can handle bogus operations on CodeTextRegions (e.g, an
array access) elsewhere.
llvm-svn: 75285
and replace the 'clang-cc' option '-analyzer-store=basic-new-cast' with
'-analyzer-store=basic-old-cast'. We'll keep the old CastRegion implementation
around for a little while for regression testing.
llvm-svn: 75209
- Refactor logic that creates ElementRegions into a help method 'MakeElementRegion'.
- Fix crash due to not handling StringRegions. Casts of StringRegions now
result in a new ElementRegion layered on the original StringRegion.
llvm-svn: 74867
pass misc-ps.m. Currently RegionStore/BasicStore don't do any special reasoning
about clang-style vectors, so we should return UnknownVal (in all cases) when
accessing their values via an array.
llvm-svn: 74660
unknown for it.
Mark the super region of a live region as live, if the live region is pointed
to by a live pointer variable.
These fixes xfail_regionstore_wine_crash.c.
llvm-svn: 74524
GRTransferFuncs had the conflated role of both constructing SVals (symbolic
expressions) as well as handling checker-specific logic. Now SValuator has the
role of constructing SVals from expressions and GRTransferFuncs just handles
checker-specific logic. The motivation is by separating these two concepts we
will be able to much more easily create richer constraint-generating logic
without coupling it to the main checker transfer function logic.
We now have one implementation of SValuator: SimpleSValuator.
SimpleSValuator is essentially the SVal-related logic that was in GRSimpleVals
(which is removed in this patch). This includes the logic for EvalBinOp,
EvalCast, etc. Because SValuator has a narrower role than the old
GRTransferFuncs, the interfaces are much simpler, and so is the implementation
of SimpleSValuator compared to GRSimpleVals. I also did a line-by-line review of
SVal-related logic in GRSimpleVals and cleaned it up while moving it over to
SimpleSValuator.
As a consequence of removing GRSimpleVals, there is no longer a
'-checker-simple' option. The '-checker-cfref' did everything that option did
but also ran the retain/release checker. Of course a user may not always wish to
run the retain/release checker, nor do we wish core analysis logic buried in the
checker-specific logic. The next step is to refactor the logic in CFRefCount.cpp
to separate out these pieces into the core analysis engine.
llvm-svn: 74229
RegionStore needs to know the type of alloca region.
* RegionStoreManager::EvalBinOp() now converts the alloca region to its first
element region, as what is done to symbolic region.
llvm-svn: 72164
This patch isn't quite ideal in that it eliminates the warning for
constructs like "int a = {1};", where the braces are in fact redundant.
However, that would have required a bunch of refactoring, and it's
much less likely to cause confusion compared to redundant nested braces.
llvm-svn: 71939
cf_returns_retained. Currently this attribute can now be applied to any
Objective-C method or C function that returns a pointer or Objective-C object
type.
Modify the tablegen definition of diagnostic 'warn_attribute_wrong_decl_type' to
expect that the diagnostics infrastructure will add quotes around the attribute
name when appropriate. Alonq with this change, I modified the places where this
warning is issued to passed the attribute's IdentifierInfo* instead of having a
hard-coded C constant string.
llvm-svn: 71718
generation when EvalObjCMessageExpr() did not resolve the
ObjCInterfaceDecl* for a receiver when the receiver's symbolic value
wasn't being explicitly tracked.
llvm-svn: 71685
array region, set its default value to conjured symbol. When retrieving its
element, create new region value symbol for the element.
Also fix some 80 columns violations.
llvm-svn: 71548
where an owned one is expected. Also add preliminary checking for
returning a positive retain count object in GC mode where an owned GC
object is expected.
llvm-svn: 71388
implicitly be changed to unsigned values in GRSimpleVals.cpp. This can happen
when the comparison involves logic in specialized transfer functions (e.g.,
OSAtomicCompareAndSwap).
llvm-svn: 71200
- Update the old StoreManager::CastRegion to strip off 'ElementRegions' when
casting to void* (Zhongxing: please validate)
- Pass-by-reference argument invalidation logic in CFRefCount.cpp:
- Strip ElementRegions when the ElementRegion is just a 'raw data' view
on top of the underlying typed region.
llvm-svn: 71094
- add a static function getTypeWidth(), which computes the width of a type
with the help of TargetInfo.
- no-outofbounds.c now passes for region store.
llvm-svn: 71080
'objc_ownership_cfretain' -> 'cf_ownership_retain'
'objc_ownership_cfrelease' -> 'cf_ownership_release'
Motivation: Core Foundation objects can be used in isolation from Objective-C,
and this forces users to reason about the separate semantics of CF objects. More
Sema support pending.
llvm-svn: 70884
return type and the selector. This is inconsistent with C functions
(where such attributes would be placed on the return type, not the the
FunctionDecl), and is inconsistent with what people are use to seeing.
llvm-svn: 70878
'ElementRegion' on top of the VarRegion for 'x'. This causes the test
case xfail_wine_crash.c to now pass for BasicStoreManager. It doesn't
crash for RegionStoreManager either, but reports a bogus unintialized
value warning.
llvm-svn: 70832
ElementRegion. I also removed 'ElementRegion::getArrayRegion',
although we may need to add this back.
This breaks a few test cases with RegionStore:
- 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate.
- misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic:
'Line 159: Uninitialized or undefined return value returned to caller.'
There were a bunch of places that needed to be edit
RegionStoreManager, and we may not be passing all the correct 'element
types' down from GRExprEngine.
Zhongxing: When you get a chance, could you review this? I could have
easily screwed up something basic in RegionStoreManager.
llvm-svn: 70830
- Don't layer TypedViewRegions on top of any region except
SymbolicRegions and AllocaRegions. This follows from my offline
discussion within Zhongxing about how TypedViewRegions really only
represent memory getting re-appropriated for a new purpose.
Fallout from this change:
- Move test case from xfail_rdar_6440393.m to misc-ps-64.m
(it now passes).
- test/Analysis/fields.c now fails for region store (crash).
Marking XFAIL.
- test/Analysis/rdar-6441136-region.c now fails (only runs with region store).
Marking XFAIL.
Diagnosis: The analyzer now correctly identifies an early out-of-bounds memory
access then the one flagged:
rdar-6541136-region.c:17:3: warning: Load or store into an out-of-bound memory position.
*p = 1;
^~
Changing the line:
char *p = (void*) &wonky[1];
to
char *p = (void*) &wonky[0];
(which should delay the buffer overrun) causes region store to crash, probably
because it expects a TypedViewRegion.
- test/Analysis/casts.c (region store) now fails (crash).
Marking XFAIL.
llvm-svn: 70565
applied to ObjCMethodDecls, not just parameters. This allows one to specific
side-effects on the receiver of a message expression. No checker support yet.
llvm-svn: 70505
appear between the return type and the selector. This is a separate code path
from regular attribute processing, as we only want to (a) accept only a specific
set of attributes in this place and (b) want to distinguish to clients the
context in which an attribute was added to an ObjCMethodDecl.
Currently, the attribute 'objc_ownership_returns' is the only attribute that
uses this new feature. Shortly I will add a warning for 'objc_ownership_returns'
to be placed at the end of a method declaration.
llvm-svn: 70504
This fixes <rdar://problem/6839489> 10A345: Clang does not warm about mismatched returns (void return from a bool function)
Will implement -Wreturn-type, -Wno-return-type in another commit.
llvm-svn: 70492
as 'objc_ownership_cfretain' except that the method acts like a CFRetain instead
of a [... retain] (important in GC modes). Checker support is wired up, but
currently only for Objective-C message expressions (not function calls).
llvm-svn: 70218
to the checker yet, but essentially it allows a user to specify that an
Objective-C method or C function increments the reference count of a passed
object.
llvm-svn: 70005
up to the checker yet, but essentially it allows a user to specify that an
Objective-C method or C function returns an owned an Objective-C object.
llvm-svn: 70001
- Fix summary lookup for class methods to now use the (optional)
ObjCInterfaceDecl associated with a message expression. This removes a
long-standing FIXME.
- Partial fix for <rdar://problem/6062730> by stop tracking objects that
are passed to [NSObject performSelector]. These methods are often used
for delegates, which the analyzer doesn't reason about well yet.
llvm-svn: 69982
extend the number of objects tracked by the retain/release checker by assuming
that all class and instance methods should follow Cocoa object "getter" and
"alloc/new" conventions.
llvm-svn: 69908
When the StoreManager doesn't reason well about pointer-arithmetic, propagate
the non-nullness constraint on a pointer value when performing pointer
arithmetic uisng ++/--.
llvm-svn: 69741
ProgramPoints all the way through to GRCoreEngine.
NSString.m now fails with RegionStoreManager because of the void** cast.
Disabling use of region store for that test for now.
llvm-svn: 68845
clients of the analyzer to designate custom assertion routines as "noreturn"
functions from the analyzer's perspective but not the compiler's.
llvm-svn: 68746
"The attached patch generates warnings of cases where an ObjC message is sent to
a nil object and the size of return type of that message is larger than the size
of void pointer. This may result in undefined return values as described in PR
2718. The patch also includes test cases."
llvm-svn: 68585
<rdar://problem/6704930> involving SimpleConstraintManager not reasoning well
about symbolic constraint values involving arithmetic operators.
llvm-svn: 67534
SVal::GetRValueSymbolVal do the checking if we can symbolicate a type instead of
having BasicStoreManager do it (which wasn't always doing the check
consistently). Having this check in SVal::GetRValueSymbolVal keeps the check in
one centralized place.
llvm-svn: 67245
conditions. Currently the analyzer does not reason well about
promotions/truncations of symbolic values, so at branch conditions when we see:
if (condition)
and condition is something like a 'short' or 'char', essentially ignore the
promotion to 'int' so that we track constraints on the original symbolic value.
We only ignore the casts if the underlying type has the same or fewer bits as
the converted type.
This fixes:
<rdar://problem/6619921>
llvm-svn: 66899
expressions of the form: 'short x = (y != 10);' While we handle 'int x = (y !=
10)' lazily, the cast to another integer type currently loses the symbolic
constraint. Eager evaluation of the constraint causes the paths to bifurcate and
eagerly evaluate 'y != 10' to a constant of 1 or 0. This should address
<rdar://problem/6619921> until we have a better (more lazy approach) for
handling promotions/truncations of symbolic integer values.
llvm-svn: 65480
analyzer for array subscript expressions involving bases that are vectors. This
solution is probably a hack: it gets the lvalue of the vector instead of an
rvalue like all other types. This should be reviewed (big FIXME in
GRExprEngine).
llvm-svn: 65366
handle method names that contain 'new', 'copy', etc., but those words might be
the substring of larger words such as 'newsgroup' and 'photocopy' that do not
indicate the allocation of objects. This should address the issues discussed in
<rdar://problem/6552389>.
llvm-svn: 65224
- Move all analyzer options logic to AnalysisConsumer.cpp.
- Unified specification of stores/constraints/output to be:
-analyzer-output=...
-analyzer-store=...
-analyzer-constraints=...
instead of -analyzer-range-constraints, -analyzer-store-basic, etc.
- Updated drivers (ccc-analyzer, scan-builds, new ccc) to obey this new
interface
- Updated test cases to conform to new driver options
llvm-svn: 64737
symbols from an SVal.
- Fixed a bug in EnvironmentManager::RemoveDeadBindings() where it did not mark
live all the symbols reachable from a live block-level expression.
- Fixed a bug in the retain/release checker where it did not stop tracking
symbols that 'escaped' via compound literals being assigned to something the
BasicStoreManager didn't reason about.
llvm-svn: 64534
printf-like functions, both builtin functions and those in the
C library. The function-call checker now queries this attribute do
determine if we have a printf-like function, rather than scanning
through the list of "known functions IDs". However, there are 5
functions they are not yet "builtins", so the function-call checker
handles them specifically still:
- fprintf and vfprintf: the builtins mechanism cannot (yet)
express FILE* arguments, so these can't be encoded.
- NSLog: the builtins mechanism cannot (yet) express NSString*
arguments, so this (and NSLogv) can't be encoded.
- asprintf and vasprintf: these aren't part of the C99 standard
library, so we really shouldn't be defining them as builtins in
the general case (and we don't seem to have the machinery to make
them builtins only on certain targets and depending on whether
extensions are enabled).
llvm-svn: 64512
etc.) when we perform name lookup on them. This ensures that we
produce the correct signature for these functions, which has two
practical impacts:
1) When we're supporting the "implicit function declaration" feature
of C99, these functions will be implicitly declared with the right
signature rather than as a function returning "int" with no
prototype. See PR3541 for the reason why this is important (hint:
GCC always predeclares these functions).
2) If users attempt to redeclare one of these library functions with
an incompatible signature, we produce a hard error.
This patch does a little bit of work to give reasonable error
messages. For example, when we hit case #1 we complain that we're
implicitly declaring this function with a specific signature, and then
we give a note that asks the user to include the appropriate header
(e.g., "please include <stdlib.h> or explicitly declare 'malloc'"). In
case #2, we show the type of the implicit builtin that was incorrectly
declared, so the user can see the problem. We could do better here:
for example, when displaying this latter error message we say
something like:
'strcpy' was implicitly declared here with type 'char *(char *, char
const *)'
but we should really print out a fake code line showing the
declaration, like this:
'strcpy' was implicitly declared here as:
char *strcpy(char *, char const *)
This would also be good for printing built-in candidates with C++
operator overloading.
The set of C library functions supported by this patch includes all
functions from the C99 specification's <stdlib.h> and <string.h> that
(a) are predefined by GCC and (b) have signatures that could cause
codegen issues if they are treated as functions with no prototype
returning and int. Future work could extend this set of functions to
other C library functions that we know about.
llvm-svn: 64504
for FieldRegion. This enables us to track more values.
Simplify SymbolicRegion::getRValueType(). We assume the symbol always has
pointer type.
llvm-svn: 63928
the ownership of BugTypes and BugReports. Now BugReports are owned by BugTypes,
and BugTypes are owned by the BugReporter object.
The major functionality change in this patch is that reports are not immediately
emitted by a call to BugReporter::EmitWarning (now called EmitReport), but
instead of queued up in report "equivalence classes". When
BugReporter::FlushReports() is called, it emits one diagnostic per report
equivalence class. This provides a nice cleanup with the caching of reports as
well as enables the BugReporter engine to select the "best" path for reporting a
path-sensitive bug based on all the locations in the ExplodedGraph that the same
bug could occur.
Along with this patch, Leaks are now coalesced into a common equivalence class
by their allocation site, and the "summary" diagnostic for leaks now reports the
allocation site as the location of the bug (this may later be augmented to also
provide an example location where the leak occurs).
llvm-svn: 63796
the liveness state of block-level expressions could oscillate because
of two issues:
- The initial value before a merge was not always set to "Top"
- The set of live block-level expressions is a union, not an intersection
This fixes <rdar://problem/650084>.
llvm-svn: 63421
- NonLoc::MakeVal() would use sizeof(unsigned) (literally) instead of consulting
ASTContext for the size (in bits) of 'int'. While it worked, it was a
conflation of concepts and using ASTContext.IntTy is 100% correct.
- RegionStore::getSizeInElements() no longer assumes that a VarRegion has the
type "ConstantArray", and handles the case when uses use ordinary variables
as if they were arrays.
- Fixed ElementRegion::getRValueType() to just return the rvalue type of its
"array region" in the case the array didn't have ArrayType.
- All of this fixes <rdar://problem/6541136>
llvm-svn: 63347