Commit Graph

28 Commits

Author SHA1 Message Date
Artem Dergachev 733e71b73b [analyzer] Fix symbolic element index lifetime.
SymbolReaper was destroying the symbol too early when it was referenced only
from an index SVal of a live ElementRegion.

In order to test certain aspects of this patch, extend the debug.ExprInspection
checker to allow testing SymbolReaper in a direct manner.

Differential Revision: http://reviews.llvm.org/D12726

llvm-svn: 255236
2015-12-10 09:28:06 +00:00
Gabor Horvath 28690925ed [Static Analyzer] Checks to catch nullability related issues.
Differential Revision: http://reviews.llvm.org/D11468

llvm-svn: 246105
2015-08-26 23:17:43 +00:00
NAKAMURA Takumi d40d387fb1 Update the copyright credits -- Happy new year 2014!
FIXME: Dragonegg may be updated at non-trivial changes.
llvm-svn: 198274
2014-01-01 08:27:31 +00:00
Jordan Rose 9db2d9adef [analyzer] Add new debug helper clang_analyzer_warnIfReached.
This will emit a warning if a call to clang_analyzer_warnIfReached is
executed, printing REACHABLE. This is a more explicit way to declare
expected reachability than using clang_analyzer_eval or triggering
a bug (divide-by-zero or null dereference), and unlike the former will
work the same in inlined functions and top-level functions. Like the
other debug helpers, it is part of the debug.ExprInspection checker.

Patch by Jared Grubb!

llvm-svn: 191909
2013-10-03 16:57:03 +00:00
Jordan Rose 8dddf8ff20 [analyzer] Fix copy-paste error in internal docs.
Patch by Jared Grubb!

llvm-svn: 190651
2013-09-13 00:44:57 +00:00
Anna Zaks 7925e3db63 [analyzer] Add a debug checker that prints Exploded Graph
Add a debug checker that is useful to understand how the ExplodedGraph is
built; it can be triggered using the following command:

 clang -cc1 -analyze -analyzer-checker=debug.ViewExplodedGraph my_program.c

A patch by Béatrice Creusillet!

llvm-svn: 184768
2013-06-24 18:12:12 +00:00
Bill Wendling 3067ec8777 We're in 3.4 land now.
llvm-svn: 181351
2013-05-07 20:31:37 +00:00
Jordan Rose 2de3daa0a2 [analyzer] Enable destructor inlining by default (c++-inlining=destructors).
This turns on not only destructor inlining, but inlining of constructors
for types with non-trivial destructors. Per r178516, we will still not
inline the constructor or destructor of anything that looks like a
container unless the analyzer-config option 'c++-container-inlining' is
set to 'true'.

In addition to the more precise path-sensitive model, this allows us to
catch simple smart pointer issues:

  #include <memory>

  void test() {
    std::auto_ptr<int> releaser(new int[4]);
  } // memory allocated with 'new[]' should not be deleted with 'delete'

<rdar://problem/12295363>

llvm-svn: 178805
2013-04-04 23:10:29 +00:00
Jordan Rose 4587b28758 [analyzer] Turn on C++ constructor inlining by default.
This enables constructor inlining for types with non-trivial destructors.
The plan is to enable destructor inlining within the next month, but that
needs further verification.

<rdar://problem/12295329>

llvm-svn: 176200
2013-02-27 18:49:43 +00:00
Jordan Rose 1f25dcb167 [analyzer] Add a doc describing the internals of RegionStore.
This is a text file with Markdown-ish formatting because we haven't decided
where analyzer internal documents should go, but it's probably better to
have this in source control than sitting on my local drive forever.

llvm-svn: 174398
2013-02-05 17:31:34 +00:00
Anna Zaks 70aa53180d [analyzer] Remove further references to analyzer-ipa.
Thanks Jordan!

llvm-svn: 173955
2013-01-30 19:12:26 +00:00
Daniel Dunbar 5cfa4aeee5 [docs/analyzer] Test commit (for auto-update).
llvm-svn: 171788
2013-01-07 20:44:37 +00:00
Daniel Dunbar 48f8bc895b [docs/analyzer] Convert existing debug-checks document to Sphinx and link into doctree.
llvm-svn: 171786
2013-01-07 20:38:55 +00:00
Sean Silva cd61d28c4a analyzer: add initial Sphinx configuration
This is just the output of sphinx-quickstart. Now all that is needed
to begin converting the analyzer docs to reST is the server-side setup.

The analyzer folks have asked me to keep this segregated from the other
clang docs since the analyzer is a logically separate project (and has
its own separate web page) even though it resides in the clang tree.

llvm-svn: 171425
2013-01-02 23:07:22 +00:00
Sean Silva 62737b65b1 docs: Nuke AnalyzerRegions.rst.
As per Ted's advice. It can be brought back from version control if
needed.

This also fixes a Sphinx warning.

llvm-svn: 170401
2012-12-18 02:15:05 +00:00
Jordan Rose ba8307d2e5 Remove old description of analyzer internals from public docs.
The file still exists in docs/analyzer/, but it won't be linked to from
clang.llvm.org or processed as part of the default Sphinx doc-build.
RegionStore has changed a lot from what Ted and Zhongxing describe here!

llvm-svn: 170260
2012-12-15 00:36:53 +00:00
Jordan Rose c6fcbf06a6 [analyzer] Make the defaults explicit for each of the new config options.
Also, document both new inlining options in IPA.txt.

llvm-svn: 163551
2012-09-10 21:54:24 +00:00
Jordan Rose 219c9d0dd3 [analyzer] Though C++ inlining is enabled, don't inline ctors and dtors.
More generally, this adds a new configuration option 'c++-inlining', which
controls which C++ member functions can be considered for inlining. This
uses the new -analyzer-config table, so the cc1 arguments will look like this:

... -analyzer-config c++-inlining=[none|methods|constructors|destructors]

Note that each mode implies that all the previous member function kinds
will be inlined as well; it doesn't make sense to inline destructors
without inlining constructors, for example.

The default mode is 'methods'.

llvm-svn: 163004
2012-08-31 17:06:49 +00:00
Anna Zaks e9b0231152 [analyzer] Make analyzer-ipa=dynamic-bifurcate the default.
There are two tests regressions that come from the fact that the Retain
Count checker does not cancel out inlining of ObjC methods.

llvm-svn: 162950
2012-08-30 22:42:59 +00:00
Jordan Rose 561919e5bd [analyzer] Don't inline constructors for objects allocated with operator new.
Because the CXXNewExpr appears after the CXXConstructExpr in the CFG, we don't
actually have the correct region to construct into at the time we decide
whether or not to inline. The long-term fix (discussed in PR12014) might be to
introduce a new CFG node (CFGAllocator) that appears before the constructor.

Tracking the short-term fix in <rdar://problem/12180598>.

llvm-svn: 162689
2012-08-27 18:39:22 +00:00
Jordan Rose 39fbb023d3 [analyzer] Update inlining design notes for r162681.
llvm-svn: 162688
2012-08-27 18:39:16 +00:00
Jordan Rose 40dd4d9bf3 [analyzer] Restructure discussion of DynamicTypeInfo and RuntimeDefinition.
Since DynamicTypeInfo is not inherently related to inlining or to dynamic
calls, it makes more sense (to me) to discuss it first.

Also fix some typos, massage some grammar, and (hopefully) improve precision
and clarity.

llvm-svn: 162365
2012-08-22 17:13:27 +00:00
Jordan Rose d3d6ac65f8 [analyzer] Per feedback, re-structure the docs for ExprInspection checks.
Also, remove the FIXME about merging -analyzer-stats and the debug.Stats
checker. This would be a bad idea because simply running debug.Stats can
affect the output of -analyzer-stats.

llvm-svn: 162364
2012-08-22 17:13:22 +00:00
Anna Zaks 545588f9ed [analyzer] IPA document: address Ted's review comments (path
bifurcation)

llvm-svn: 162343
2012-08-22 05:38:38 +00:00
Ted Kremenek 98b771ecc2 Review, comment, and reformat IPA.txt, including feedback comments.
Formatting includes:

- removing line wraps (Emacs Cmd-Q), to make text easier to read
- provide useful indentation
- call out caveats and notes more explictly

Stylistically, I prefer the document talk in 3rd person instead of "we".  The
term "we" is unambiguous, and sometimes refers to different things.  I've passed
over the existing paragraphs and made them speak more about specific entities
that compose the analyzer and what they do (e.g., ExprEngine) instead of "we"
referring to the analyzer.

Further, I have substituted some vague concepts such as "state" or "program
state" and replaced them with their precise implementation counterparts (e.g.,
ProgramState).  This makes the document more technically precise throughout the
entire narrative, which would sometimes use vague terms and other times precise
terms.

I've placed several comments within the document, which can be seen with
***TMK/COMMENT***, which indicate places that need to be enhanced or clarified,
or called out as questions about intended bheavior.

llvm-svn: 162338
2012-08-22 01:20:05 +00:00
Jordan Rose 6faff2e7bd [analyzer] Document our debug checkers and ExprInspection's "builtins".
llvm-svn: 162336
2012-08-22 01:03:39 +00:00
Jordan Rose e3e95cdf27 [analyzer] Set the default IPA mode to 'basic-inlining', which excludes C++.
Under -analyzer-ipa=basic-inlining, only C functions, blocks, and C++ static
member functions are inlined -- essentially, the calls that behave like simple
C function calls. This is essentially the behavior in Xcode 4.4.

C++ support still has some rough edges, and we don't want users to be worried
about them if they download and run their own checker. (In particular, the
massive number of false positives for analyzing LLVM comes from inlining
defensively-written code in contexts where more aggressive assumptions are
implicitly made. This problem is not unique to C++, but it is exacerbated by
the higher proportion of code that lives in header files in C++.)

The eventual goal is to be comfortable enough with C++ support (and simple
Objective-C support) to advance to -analyzer-ipa=inlining as the default
behavior. See the IPA design notes for more details.

llvm-svn: 162318
2012-08-21 21:44:21 +00:00
Jordan Rose 0564c75e7b [analyzer] Add an internal reference document describing IPA and CallEvent.
This attempts to be a higher-level description of our inlining heuristics
and decision trees than the source, where the work is spread out between
ExprEngine (mostly in ExprEngineCallAndReturn.cpp) and CallEvent, with a
few other classes participating as well.

llvm-svn: 162073
2012-08-17 02:11:35 +00:00