Commit Graph

189 Commits

Author SHA1 Message Date
Ted Kremenek 18fb1665bf Remove invalid assertion from CFG builder. When building the CFG pieces for a ternary '?' expression,
it is possible for the confluence block to only have a single predecessor due to calls to 'noreturn'
functions.  Fixes assertion failure reported in PR 8619.

llvm-svn: 119284
2010-11-15 22:59:22 +00:00
Ted Kremenek db73d599b7 Relax assertion in SValuator so that we don't crash when analyzing a call via a function pointer that
casts the return value to something completely different.  While we need better reasoning here,
we should definately not crash.

llvm-svn: 119177
2010-11-15 20:09:42 +00:00
Ted Kremenek 843c53828f RegionStore/BasicStore: do not return UndefinedVal for accesses to concrete addresses; instead return UnknownVal. This
leads it up to checkers (e.g., DereferenceChecker) to guard against illegal accesses (e.g., null dereferences).

Fixes PR 5272 and <rdar://problem/6839683>.

llvm-svn: 118852
2010-11-11 23:10:10 +00:00
Ted Kremenek 6348dac7a0 Fix lazy symbolication bug in RegionStore involving fields of global variables. When invalidated, the entire
globals memory space gets assigned a symbolic value, but that value was not being used for lazy symbolication
of fields of globals.  This could result in cases where bogus null dereferences were being reported.

Fixes PR 8440.

llvm-svn: 117336
2010-10-26 00:06:17 +00:00
Ted Kremenek c07d8353e1 Add check for UnknownVals for mutexes in ObjCAtSyncChecker. Fixes crash reported in PR 8458.
llvm-svn: 117300
2010-10-25 20:20:56 +00:00
Ted Kremenek c5644e1b97 Tweak the ObjCAtSyncChecker to assume that a mutex is non-nil after checking that it is
nil.  Otherwise we can get false paths where a second @synchronized using the mutex
can have a bogus warning.  Fixes <rdar://problem/8578650>.

llvm-svn: 117016
2010-10-21 15:38:55 +00:00
Argyrios Kyrtzidis 40cec8326c Revert r114316, -Wunused-value enabled by default was intended.
llvm-svn: 114318
2010-09-19 23:03:35 +00:00
Argyrios Kyrtzidis 3698bf1c6d Make -Wunused-value off by default, matching GCC. Fixes rdar://7126194.
llvm-svn: 114316
2010-09-19 21:21:44 +00:00
Ted Kremenek 7b31a61d10 Relax assertion in CFG builder when processing ForStmts. This fixes an assertion failure
on code containing GNU statement expressions reported in PR 8141.

llvm-svn: 113953
2010-09-15 07:01:20 +00:00
Ted Kremenek 0a3f523614 Polish diagnostics for null dereferences via ObjC ivar accesses. Finishes up <rdar://problem/6352035>.
llvm-svn: 113612
2010-09-10 20:20:49 +00:00
Ted Kremenek e495c99055 Implement: <rdar://problem/6351970> rule request: warn if @synchronized mutex can be nil
llvm-svn: 113573
2010-09-10 03:05:40 +00:00
Ted Kremenek 5cdaeaaa1d Clean up obtuse wording of checker diagnostic of using an uninitialized value in a function call.
Fixes: <rdar://problem/8409480> “warning: Pass-by-value argument in function call is undefined” message can be improved
llvm-svn: 113554
2010-09-09 22:51:55 +00:00
Ted Kremenek 5ebb6156d8 Include test case for <rdar://problem/5880430>.
llvm-svn: 113458
2010-09-09 00:40:43 +00:00
Anders Carlsson af7534f084 Get rid of the "functions declared 'noreturn' should have a 'void' result type" warning.
The rationale behind this is that it is normal for callback functions to have a non-void return type
and it should still be possible to mark them noreturn. (JavaScriptCore is a good example of this).

llvm-svn: 112918
2010-09-03 00:25:02 +00:00
Ted Kremenek 026cb58a44 Don't assert in CastSizeChecker when the casted-to pointee is an incomplete type. Fixes PR 8050.
llvm-svn: 112738
2010-09-01 20:35:38 +00:00
Tom Care 9026d4b488 Adjusted the semantics of assign checking in IdempotentOperationChecker
- Fixed a regression where assigning '0' would be reported
- Changed the way self assignments are filtered to allow constant testing
- Added a test case for assign ops
- Fixed one test case where a function pointer was not considered constant
- Fixed test cases relating to 0 assignment

llvm-svn: 112501
2010-08-30 19:25:43 +00:00
Tom Care 71cc9d886a Added checking of (x == x) and (x != x) to IdempotentOperationChecker and updated test cases flagged by it.
llvm-svn: 112313
2010-08-27 22:50:47 +00:00
Tom Care 98e679508d Enabled relaxed LiveVariables analysis in the path-sensitive engine to increase the coverage of bugs. Primarily affects IdempotentOperationChecker.
- Migrated a temporarily separated test back to its original file (bug has been fixed, null-deref-ps-temp.c -> null-deref-ps.c)
- Changed SymbolManager to use relaxed LiveVariables
- Updated several test cases that the IdempotentOperationChecker class now flags
- Added test case to test relaxed LiveVariables use by the IdempotentOperationChecker

llvm-svn: 112312
2010-08-27 22:46:32 +00:00
Ted Kremenek 036223bdcf Fix horrible GRExprEngine bug where switch statements with no 'case:' statements would cause the path to get prematurely aborted. Fixes <rdar://problem/8360854>.
llvm-svn: 112233
2010-08-26 22:19:33 +00:00
Ted Kremenek 50e0105f1c Add warning for functions/blocks that have attribute 'noreturn' but return a non-void result. (<rdar://problem/7562925>)
llvm-svn: 111492
2010-08-19 00:52:13 +00:00
Jordy Rose c6c0fc9164 Allow EvalBinOpNN to handle expressions of the form $a+$b if $b can be reduced to a constant.
llvm-svn: 110592
2010-08-09 20:31:57 +00:00
John McCall a95172baa0 Only run the jump-checker if there's a branch-protected scope *and* there's
a switch or goto somewhere in the function.  Indirect gotos trigger the
jump-checker regardless, because the conditions there are slightly more
elaborate and it's too marginal a case to be worth optimizing.

Turns off the jump-checker in a lot of cases in C++.  rdar://problem/7702918

llvm-svn: 109962
2010-08-01 00:26:45 +00:00
Ted Kremenek 83b598c14f Finesse 'idempotent operations' analyzer issues to include the opcode of the binary operator for clearer error reporting. Also remove the 'Idempotent operation' prefix in messages; it's redundant since the bug type is the same.
llvm-svn: 109527
2010-07-27 18:49:08 +00:00
Ted Kremenek b32964d02d Fix '<rdar://problem/8202272> __imag passed non-complex should not crash' by removing a bogus assertion.
llvm-svn: 108602
2010-07-17 01:28:55 +00:00
Tom Care 826e6b4023 Improved false positive rate for the idempotent operations checker and moved it into the default path-sensitive analysis options.
- Added checks for static local variables, self assigned parameters, and truncating/extending self assignments
- Removed command line option (now default with --analyze)
- Updated test cases to pass with idempotent operation warnings

llvm-svn: 108550
2010-07-16 20:41:41 +00:00
Chris Lattner 3956106543 implement PR7569, warning about assignment to null, which
people seem to write when they want a deterministic trap.
Suggest instead that they use a volatile pointer or 
__builtin_trap.

llvm-svn: 107756
2010-07-07 06:14:23 +00:00
Ted Kremenek bd862711fd Fix PR 7475 by enhancing the static analyzer to also invalidate bindings for non-static global variables
when calling a function/method whose impact on global variables we cannot accurately estimate.
This change introduces two new MemSpaceRegions that divide up the memory space of globals, and causes
RegionStore and BasicStore to consult a binding to the NonStaticGlobalsMemSpaceRegion when lazily
determining the value of a global.

llvm-svn: 107423
2010-07-01 20:16:50 +00:00
Jordy Rose 7f8ea4d677 Implicitly compare symbolic expressions to zero when they're being used as constraints. Part of PR7491.
llvm-svn: 106972
2010-06-27 01:20:56 +00:00
Ted Kremenek 4c721bf892 Change AnalysisConsumer to analyze functions created by instantiantiating a macro. Fixes PR 7361.
llvm-svn: 105984
2010-06-15 00:55:40 +00:00
Ted Kremenek 34ddec630c Predefine the '__clang_analyzer__' macro when using '-analyze'.
llvm-svn: 104742
2010-05-26 21:36:54 +00:00
Ted Kremenek ecc31c93c2 Don't add a null successor to a CFGBlock when the contents of an @synchronized statement is empty.
Fixes <rdar://problem/7979430>.

llvm-svn: 103717
2010-05-13 16:38:08 +00:00
Ted Kremenek 989da5eeff Fix CFG crasher involving statement expressions reported in PR 6938.
llvm-svn: 102576
2010-04-29 01:10:26 +00:00
Ted Kremenek 499b4e3387 Fix lookup of fields from lazy bindings to check if the region is
NULL, not the store, to determine if a lookup succeeded.  The store
can be null if it contained no bindings.  This fixes a false positive
reported to me by a user of the analyzer.

llvm-svn: 95679
2010-02-09 19:11:53 +00:00
Ted Kremenek bdfcacbe8f Also teach RegionStore::RetrieveVar() to handle 'static' pointers that are implicitly initialized to NULL.
llvm-svn: 95479
2010-02-06 04:04:46 +00:00
Ted Kremenek 30fe9ecac2 Fix regression in RegionStore (from BasicStore) where static variables were not treated as being implicitly initialized to 0 (and instead were getting symbolicated).
llvm-svn: 95478
2010-02-06 03:57:59 +00:00
Ted Kremenek 2f2692f8ca Rename -cc1 option '-checker-cfref' to '-analyzer-check-objc-mem'.
llvm-svn: 95348
2010-02-05 02:06:54 +00:00
Ted Kremenek 49f878524c Specially handle casts to 'void' in AdjustedReturnValueChecker.
llvm-svn: 95287
2010-02-04 04:18:55 +00:00
Ted Kremenek 1e3b95580c static analyzer: handle casts of a function to a function pointer with
a different return type.  While we don't emit any errors (yet), at
least we avoid cases where we might crash because of an assertion
failure later on (when the return type differs from what is expected).

llvm-svn: 95268
2010-02-04 00:47:48 +00:00
Ted Kremenek d960564b76 Fix regression in RegionStore due to recent changes in
RegionStoreManager::InvalidateRegions() by adjusting the worklist to
iterate over BindingKeys instead of MemRegions.  We also only need to
do the actual invalidation work on base regions, and for non-base
regions just blow away their bindings.

llvm-svn: 95200
2010-02-03 04:16:00 +00:00
Ted Kremenek 416b923786 Explicitly check for casts to double or complex types instead of possibly asserting in SValuator.
llvm-svn: 95128
2010-02-02 21:11:40 +00:00
Ted Kremenek fab459fc95 Fix bug in GRExprEngine::VisitSizeOfAlignOfExpr() where we do not add
'Pred' to 'Dst' for cases we currently don't handle.  This fixes
<rdar://problem/7593875>.

llvm-svn: 95048
2010-02-02 02:01:51 +00:00
Mike Stump 0978af83b3 Insulate these from changes to the default for -Wunreachable-code.
llvm-svn: 94326
2010-01-23 20:12:18 +00:00
Zhongxing Xu 7872d4df93 Add test case.
llvm-svn: 93874
2010-01-19 12:11:55 +00:00
Ted Kremenek d74cc397c8 Teach BugReporter to "escape" the occurance of '%' characters in diagnostic messages when emitted results to the standard Diagnostics output. Fixes PR 6033.
llvm-svn: 93507
2010-01-15 07:56:51 +00:00
Chris Lattner faa5417264 implement PR6004, warning about divide and remainder by zero.
llvm-svn: 93256
2010-01-12 21:23:57 +00:00
Ted Kremenek ec144538ae Make sure this test case tests analyzing both x86_64 and i386 archs.
llvm-svn: 93133
2010-01-10 22:31:25 +00:00
Chris Lattner f9895c48fd add a bunch of missing prototypes to tests
llvm-svn: 93072
2010-01-09 20:43:19 +00:00
Zhongxing Xu f22afe32f9 Move test case to a more appropriate file.
llvm-svn: 92725
2010-01-05 11:49:21 +00:00
Zhongxing Xu e6a238b1df Add test case.
llvm-svn: 92724
2010-01-05 11:47:58 +00:00
Daniel Dunbar 8fbe78f6fc Update tests to use %clang_cc1 instead of 'clang-cc' or 'clang -cc1'.
- This is designed to make it obvious that %clang_cc1 is a "test variable"
   which is substituted. It is '%clang_cc1' instead of '%clang -cc1' because it
   can be useful to redefine what gets run as 'clang -cc1' (for example, to set
   a default target).

llvm-svn: 91446
2009-12-15 20:14:24 +00:00
Zhongxing Xu 27f686f8ec Replace clang-cc with clang -cc1.
llvm-svn: 91272
2009-12-14 06:34:20 +00:00
Daniel Dunbar 4e7596cc3a Normalize options to use '-FOO' instead of '--FOO'.
llvm-svn: 90071
2009-11-29 09:33:10 +00:00
Ted Kremenek 02d6aca867 Tweak UndefBranchChecker to register the most nested "undefined" expression with bugreporter::registerTrackNullOrUndefValue instead of the condition itself.
llvm-svn: 89682
2009-11-23 18:12:03 +00:00
Ted Kremenek d4dca6fde6 Cleanup title/description of "undefined branch" BugType and add some test cases for this check.
llvm-svn: 89679
2009-11-23 17:58:48 +00:00
Ted Kremenek f7adea43b4 More checker refactoring. Passing undefined values in a message expression is now handled by UndefinedArgChecker.
llvm-svn: 89519
2009-11-21 00:49:41 +00:00
Fariborz Jahanian 9290ede494 Handle case of missing '@end' in implementation context
gracefully, on par with gcc, by: Issuing a warning,
doing final sematinc check of its definitions and generating
its meta-data.

llvm-svn: 88934
2009-11-16 18:57:01 +00:00
Ted Kremenek 4ef13f8ac9 Add clang-cc option "--analyzer-experimental-internal-checks". This
option enables new "internal" checks that will eventually be turned on
by default but still require broader testing.

llvm-svn: 88671
2009-11-13 18:46:29 +00:00
Zhongxing Xu b166712d02 Add undefined array subscript checker.
llvm-svn: 86837
2009-11-11 13:42:54 +00:00
Ted Kremenek 04552cbef0 CastToStructChecker: use 'isStructureType()' instead of 'isRecordType()' to determine if a pointer is casted to a struct pointer. This fixes an observed false positive when a value is casted to a union.
llvm-svn: 86813
2009-11-11 06:43:42 +00:00
Daniel Dunbar 8b57697954 Eliminate &&s in tests.
- 'for i in $(find . -type f); do sed -e 's#\(RUN:.*[^ ]\) *&& *$#\1#g' $i | FileUpdate $i; done', for the curious.

llvm-svn: 86430
2009-11-08 01:45:36 +00:00
Ted Kremenek c92ff053e9 Tweak wording and classifications of analyzer diagnostics.
llvm-svn: 86127
2009-11-05 08:30:12 +00:00
Zhongxing Xu 27fee83ec4 Pull VLA size checker into its own files.
Split it to two checkers, one for undefined size, 
the other for zero size, so that we don't need to query the size
when emitting the bug report.

llvm-svn: 85895
2009-11-03 12:13:38 +00:00
Ted Kremenek 1dbdbcc04c Fix accidental use of CheckSVal instead of CheckLocation, and add a
small test case to show we handle dereferences of undefined values.

llvm-svn: 85492
2009-10-29 05:33:39 +00:00
Ted Kremenek 1baf407fbc Fix another static analyzer crash due to a corner case in "folding" symbolic values that are constrained to be a constant.
llvm-svn: 84320
2009-10-17 07:39:35 +00:00
Ted Kremenek 70bf6d6102 Fix static analyzer crash due to recently add symbolic-value constant folding. The issue was falsely
converting the constant value of the LHS of a '<<'/'>>' operation to the same APSInt value of the
RHS.

llvm-svn: 84269
2009-10-16 20:46:24 +00:00
Ted Kremenek 2f935535b1 Fix crash introduced by r83358 where a symbol could be eagerly
evaluated to an APSInt with a different bitwidth than the other
operand in a binary expression.

llvm-svn: 83368
2009-10-06 03:44:49 +00:00
Ted Kremenek 2f5198b022 Added test case for <rdar://problem/7152418>.
llvm-svn: 82866
2009-09-26 17:18:44 +00:00
Ted Kremenek 1624a4784a Fix PR 4988 by removing an invalid assertion (a function can be referenced in
GRExprEngine::VisitDeclRefExpr without 'asLValue' being true).

llvm-svn: 82598
2009-09-23 01:30:01 +00:00
Ted Kremenek 3003001a86 Fix: <rdar://problem/7242006> [RegionStore] compound literal assignment with floats not honored
llvm-svn: 82575
2009-09-22 21:19:14 +00:00
Ted Kremenek f9539d0c3f Fix: <rdar://problem/7242015> [RegionStore] variable passed-by-reference (via integer) to function call not invalidated
llvm-svn: 82523
2009-09-22 04:48:39 +00:00
Ted Kremenek fd68c7bdc0 Add test case for <rdar://problem/6829164>, which was implicitly fixed in r79694.
llvm-svn: 82495
2009-09-21 23:22:11 +00:00
Ted Kremenek 0ccd06c017 Re-introduce diagnostic caching in BugReporter that was originally added in
r82198 and then reverted. This is an intermediate solution, as diagnostic
caching should not rely on static variables.

llvm-svn: 82301
2009-09-18 22:37:37 +00:00
Ted Kremenek e3d209ff77 Revert most of r82198, which was causing a large number of crashes
when running the analyzer on real projects.  We'll keep the change to
AnalysisManager.cpp in r82198 so that -fobjc-gc analyzes code
correctly in both GC and non-GC modes, although this may emit two
diagnostics for each bug in some cases (a better solution will come
later).

llvm-svn: 82201
2009-09-18 07:31:15 +00:00
Ted Kremenek 82f7f9c080 Introduce caching of diagnostics in BugReporter. This provides extra
pruning of diagnostics that may be emitted multiple times.  This is
accomplished by adding FoldingSet profiling support to PathDiagnostic,
and then having BugReporter record what diagnostics have been issued.

This was motived to a serious bug introduced by moving the
'divide-by-zero' checking outside of GRExprEngine into a separate
'Checker' class.  When analyzing code using the '-fobjc-gc' option, a
given function would be analyzed twice, but the second time various
"internal checks" would be disabled to avoid emitting multiple
diagnostics (e.g., "null dereference") for the same issue.  The
problem is that such checks also effect path pruning and don't just
emit diagnostics.  This resulted in an assertion failure involving a
real divide-by-zero in some analyzed code where we would get an
assertion failure in APInt because the 'DivZero' check was disabled
and didn't prune the logic that resulted in the divide-by-zero in the
analyzer.

The implemented solution is somewhat of a hack, and may not perform
extremely well.  This will need to be cleaned up over time.

As a regression test, 'misc-ps.m' has been modified so that its tests
are run using -fobjc-gc to test this diagnostic pruning behavior.

llvm-svn: 82198
2009-09-18 05:37:41 +00:00
Ted Kremenek 27347135dd Add static analyzer transfer function support for __builtin_offsetof.
llvm-svn: 81820
2009-09-15 00:40:32 +00:00
Ted Kremenek 84c6f0a1e6 Implement: <rdar://problem/7185647> [RegionStore] 'self' cannot be NULL upon entry to a method
Here we implement this as a precondition within GRExprEngine, even though it is
related to how BasicStoreManager and RegionStoreManager model 'self'
differently. Putting this as a high-level precondition is more general, which is
why it isn't in RegionStore.cpp.

llvm-svn: 81378
2009-09-09 20:36:12 +00:00
Ted Kremenek c4c48be88e Fix regression in BasicStoreManager caused by implicitly casting loaded values and trying to load/store from arrays. RegionStoreManager already properly handles these cases well; we just need to gracefully not handle this case in BasicStoreManager. This fixes PR 4781.
llvm-svn: 80051
2009-08-25 23:29:04 +00:00
Ted Kremenek 3ed9543ace Fix crash reported in <rdar://problem/7124210> by "back-porting" some of the
implicit cast logic in RegionStoreManager to BasicStoreManager. This involved
moving CastRetriedVal from RegionStoreManager to StoreManager.

llvm-svn: 80026
2009-08-25 20:51:30 +00:00
Ted Kremenek 68c1f010d2 Fix a bug in RegionStoreSubRegionManager::add() where multiple subregions wouldn't correctly get registered in the SubRegion map.
llvm-svn: 78162
2009-08-05 05:31:02 +00:00
Ted Kremenek 1624df626d Adjust test case.
llvm-svn: 78028
2009-08-04 00:58:45 +00:00
Ted Kremenek d673098480 Add a pass-by-value test for the analyzer.
llvm-svn: 78018
2009-08-03 23:22:53 +00:00
Ted Kremenek 0bb32e3e5d Handle disgusting corner case where a byte is loaded from the address of a function.
llvm-svn: 78000
2009-08-03 21:41:46 +00:00
Ted Kremenek 9419876e59 Fix regression in StoreManager::CastRegion() to always treat casts to
'void*' (or 'const void*') as an identity transformation.

llvm-svn: 77860
2009-08-02 04:12:53 +00:00
Ted Kremenek 1f22aa7433 This is a fairly large patch, which resulted from a cascade of changes
made to RegionStore (and related classes) in order to handle some
analyzer failures involving casts and manipulation of symbolic memory.

The root of the change is in StoreManager::CastRegion().  Instead of
using ad hoc heuristics to decide when to layer an ElementRegion on a
casted MemRegion, we now always layer an ElementRegion when the cast
type is different than the original type of the region.  This carries
the current cast information associated with a region around without
resorting to the error prone recording of "casted types" in GRState.

Along with this new policy of layering ElementRegions, I added a new
algorithm to strip away existing ElementRegions when they simply
represented casts of a base memory object.  This algorithm computes
the raw "byte offset" that an ElementRegion represents from the base
region, and allows the new ElementRegion to be based off that offset.
The added benefit is that this naturally handles a series of casts of
a MemRegion without building up a set of redundant ElementRegions
(thus canonicalizing the region view).

Other related changes that cascaded from this one (as tests were
failing in RegionStore):

- Revamped RegionStoreManager::InvalidateRegion() to completely remove
  all bindings and default values from a region and all subregions.
  Now invalidated fields are not bound directly to new symbolic
  values; instead the base region has a "default" symbol value from
  which "derived symbols" can be created.  The main advantage of this
  approach is that it allows us to invalidate a region hierarchy and
  then lazily instantiate new values no matter how deep the hierarchy
  went (i.e., regardless of the number of field accesses,
  e.g. x->f->y->z->...).  The previous approach did not do this.

- Slightly reworked RegionStoreManager::RemoveDeadBindings() to also
  incorporate live symbols and live regions that do not have direct
  bindings but also have "default values" used for lazy instantiation.
  The changes to 'InvalidateRegion' revealed that these were necessary
  in order to achieve lazy instantiation of values in the region store
  with those bindings being removed too early.

- The changes to InvalidateRegion() and RemoveDeadBindings() revealed
  a serious bug in 'getSubRegionMap()' where not all region -> subregion
  relationships involved in actually bindings (explicit and implicit)
  were being recorded.  This has been fixed by using a worklist algorithm
  to iteratively fill in the region map.

- Added special support to RegionStoreManager::Bind()/Retrieve() to handle
  OSAtomicCompareAndSwap in light of the new 'CastRegion' changes and the
  layering of ElementRegions.

- Fixed a bug in SymbolReaper::isLive() where derived symbols were not
  being marked live if the symbol they were derived from was also live.
  This fix was critical for getting lazy instantiation in RegionStore
  to work.

- Tidied up the implementation of ValueManager::getXXXSymbolVal() methods
  to use SymbolManager::canSymbolicate() to decide whether or not a
  symbol should be symbolicated.

- 'test/Analysis/misc-ps-xfail.m' now passes; that test case has been
  moved to 'test/Analysis/misc-ps.m'.

- Tweaked some pretty-printing of MemRegions, and implemented
  'ElementRegion::getRawOffset()' for use with the CastRegion changes.

llvm-svn: 77782
2009-08-01 06:17:29 +00:00
Ted Kremenek 4301526e8d Remove 'StoreManager::OldCastRegion()', TypedViewRegion (which only
OldCastRegion used), and the associated command line option
'-analyzer-store=old-basic-cast'.

llvm-svn: 77509
2009-07-29 21:43:22 +00:00
Ted Kremenek b2d0409d50 Fix a crasher in StoreManager::InvalidateRegion() caused by using the
'cast type' of a region to invalidate its binding.  This only occurs
when using RegionStoreManager, as it records the cast type.  I'm
currently considering removing the notion of a cast type (see
comments in code).

llvm-svn: 76719
2009-07-22 04:23:20 +00:00
Ted Kremenek ac7c7240f0 Fix PR 4594 by refactoring almost all casting logic from GRExprEngine::VisitCast
to SValuator::EvalCast. In the process, the StoreManagers now use this new cast
machinery, and the hack in GRExprEngine::EvalBind to handle implicit casts
involving OSAtomicCompareAndSwap and friends has been removed (and replaced with
logic closer to the logic specific to those functions).

llvm-svn: 76641
2009-07-21 21:03:30 +00:00
Mike Stump 3fe60b2118 Prep for new warning.
llvm-svn: 76621
2009-07-21 18:59:16 +00:00
Ted Kremenek 834e2f69da Enhanced IsReinterpreted() (RegionStore.cpp) to reason about higher-order
pointers.

Enhanced RegionStoreManager::Retrieve() to handle automatic casts when the
loaded value is different from the requested value. This should be refined over
time, but essentially we should always symbolicate locations as locations, and
convert them to non-locations on demand.

These changes now cause 'misc-ps.m' to pass again.

llvm-svn: 76497
2009-07-20 22:58:02 +00:00
Ted Kremenek bf04f98c1f Add XFAILED test.
llvm-svn: 76469
2009-07-20 21:00:55 +00:00
Ted Kremenek e9812bdac5 Fix crash in StoreManager::NewCastRegion() when handling casts from 'id' (or whatever) to a BlockPointerType.
llvm-svn: 76288
2009-07-18 06:27:51 +00:00
Ted Kremenek c7b1dade86 Move RegionStoreManager over to using new
ValueManager::makeArrayIndex()/convertArrayIndex() methods.  This
handles yet another crash case when reasoning about array indices of
different bitwidth and signedness.

llvm-svn: 75884
2009-07-16 01:33:37 +00:00
Ted Kremenek f3e1e4d9a1 Fix <rdar://problem/7062158> by having BasicStoreManager model values for 'static' global variables.
llvm-svn: 75844
2009-07-15 22:09:25 +00:00
Ted Kremenek b63f71528e Enhance SimpleSValuator::EvalBinOpNN to recognize the trivial case
where we are comparing a symbolic value against itself, regardless of
the nature of that symbolic value.

This enhancement identified a case where RegionStoreManager is not
correctly symbolicating the values of the pointees of parameters.  The
failing test is now in 'test/Analysis/misc-ps-region-store.m', with
that test file now (temporarily) marked XFAIL.

llvm-svn: 75521
2009-07-13 21:55:12 +00:00
Ted Kremenek da03e8443e Handle insidious corner case exposed by RegionStoreManager when handling void* values that are bound
to symbolic regions and then treated like integers.

llvm-svn: 75356
2009-07-11 04:38:49 +00:00
Ted Kremenek 6cb2a34e3c Test case in test/Analysis/xfail_regionstore_wine_crash.c no longer fails, so
move this case to 'test/Analysis/misc-ps.m' to test with both BasicStoreManager
and RegionStoreManager.

llvm-svn: 75294
2009-07-10 21:43:30 +00:00
Ted Kremenek bf73ad47a8 Revert r75281 and simply remove the assertion in NewCastRegion that
CodeTextRegions can only be casted to FunctionPointer or BlockPointerTypes. This
simply isn't true. We can handle bogus operations on CodeTextRegions (e.g, an
array access) elsewhere.

llvm-svn: 75285
2009-07-10 21:24:45 +00:00
Ted Kremenek 6c94771a0b Fix crash in StoreManager::NewCastRegion regarding handling casts to void*,
void**, void***, etc.  Such casts should just pass the region through.

llvm-svn: 75281
2009-07-10 21:11:16 +00:00
Ted Kremenek f66557978e Switch BasicStoreManager to use the new CastRegion implementation by default,
and replace the 'clang-cc' option '-analyzer-store=basic-new-cast' with
'-analyzer-store=basic-old-cast'. We'll keep the old CastRegion implementation
around for a little while for regression testing.

llvm-svn: 75209
2009-07-10 00:41:58 +00:00
Ted Kremenek 8ee3dd7cc5 Fix: <rdar://problem/7034511> ValueManager::makeIntVal(uint64_t X, QualType T) should return a 'Loc' when 'T' is a pointer
llvm-svn: 75062
2009-07-08 22:42:46 +00:00