Commit Graph

2670 Commits

Author SHA1 Message Date
Artem Dergachev e235bd1d03 [analyzer] Treat throws as sinks for suppress-on-sink purposes.
Because since r308957 the suppress-on-sink feature contains its own
mini-analysis, it also needs to become aware that C++ unhandled exceptions
cause sinks. Unfortunately, for now we treat all exceptions as unhandled in
the analyzer, so suppress-on-sink needs to do the same.

rdar://problem/28157554

Differential Revision: https://reviews.llvm.org/D35674

llvm-svn: 308961
2017-07-25 09:44:02 +00:00
Artem Dergachev 4e99426629 [analyzer] Further improve suppress-on-sink behavior in incomplete analyses.
If a certain memory leak (or other similar bug) found by the analyzer is known
to be happening only before abnormal termination of the program ("sink", eg.
assertion failure in the code under analysis, or another bug that introduces
undefined behavior), such leak warning is discarded. However, if the analysis
has never reaches completion (due to complexity of the code), it may be
failing to notice the sink.

This commit further extends the partial solution introduced in r290341 to cover
cases when a complicated control flow occurs before encountering a no-return
statement (which anyway inevitably leads to such statement(s)) by traversing
the respective section of the CFG in a depth-first manner. A complete solution
still seems elusive.

rdar://problem/28157554

Differential Revision: https://reviews.llvm.org/D35673

llvm-svn: 308957
2017-07-25 09:25:10 +00:00
Peter Szecsi 58a8b6b4af Revert "[StaticAnalyzer] Completely unrolling specific loops with known bound option"
Revert r308561 and r308558.

Clang-ppc64be-linux seems to crash while running the test cases.

llvm-svn: 308592
2017-07-20 07:35:11 +00:00
Peter Szecsi 251a611cd6 [StaticAnalyzer] Completely unrolling specific loops with known bound option
Missing files added to rL308558.

llvm-svn: 308561
2017-07-20 00:05:25 +00:00
Peter Szecsi cb387b11df This feature allows the analyzer to consider loops to completely unroll. New
requirements/rules (for unrolling) can be added easily via ASTMatchers.

The current implementation is hidden behind a flag.

Right now the blocks which belong to an unrolled loop are marked by the 
LoopVisitor which adds them to the ProgramState. Then whenever we encounter a
CFGBlock in the processCFGBlockEntrance which is marked then we skip its
investigating. That means, it won't be considered to be visited more than the
maximal bound for visiting since it won't be checked.

Differential Revision: https://reviews.llvm.org/D34260

llvm-svn: 308558
2017-07-19 23:50:00 +00:00
Devin Coughlin bac49e5764 [analyzer] Add annotation attribute to trust retain count implementation
Add support to the retain-count checker for an annotation indicating that a
function's implementation should be trusted by the retain count checker.
Functions with these attributes will not be inlined and the arguments will
be treating as escaping.

Adding this annotation avoids spurious diagnostics when the implementation of
a reference counting operation is visible but the analyzer can't reason
precisely about the ref count.

Patch by Malhar Thakkar!

Differential Revision: https://reviews.llvm.org/D34937

llvm-svn: 308416
2017-07-19 04:10:44 +00:00
John McCall 12251887bd Use ARC parsing rules for ns_returns_retained in MRC so that code can
be shared without warnings.  Build AttributedTypes to leave breadcrumbs
for tools like the static analyzer.  Warn about attempting to use the
attribute with incompatible return types.

llvm-svn: 308092
2017-07-15 11:06:46 +00:00
Erik Verbruggen 49db030626 [analyzer] Add annotation for functions taking user-facing strings
There was already a returns_localized_nsstring annotation to indicate
that the return value could be passed to UIKit methods that would
display them. However, those UIKit methods were hard-coded, and it was
not possible to indicate that other classes/methods in a code-base would
do the same.

The takes_localized_nsstring annotation can be put on function
parameters and selector parameters to indicate that those will also show
the string to the user.

Differential Revision: https://reviews.llvm.org/D35186

llvm-svn: 308012
2017-07-14 10:24:36 +00:00
Dominic Chen c0402c6916 Revert "[analyzer] Support generating and reasoning over more symbolic constraint types"
Assertion `Loc::isLocType(SSE->getLHS()->getType())' failed in Analysis/PR3991.m

This reverts commit e469ff2759275e67f9072b3d67fac90f647c0fe6.

llvm-svn: 307853
2017-07-12 21:43:42 +00:00
Dominic Chen 35610d21b2 [analyzer] Support generating and reasoning over more symbolic constraint types
Summary: Generate more IntSymExpr constraints, perform SVal simplification for IntSymExpr and SymbolCast constraints, and create fully symbolic SymExprs

Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun

Subscribers: mgorny, cfe-commits

Differential Revision: https://reviews.llvm.org/D28953

llvm-svn: 307833
2017-07-12 19:37:57 +00:00
Matthias Gehre 351c218d15 CFG: Add CFGElement for automatic variables that leave the scope
Summary:
This mimics the implementation for the implicit destructors. The
generation of this scope leaving elements is hidden behind
a flag to the CFGBuilder, thus it should not affect existing code.

Currently, I'm missing a test (it's implicitly tested by the clang-tidy
lifetime checker that I'm proposing).
I though about a test using debug.DumpCFG, but then I would
have to add an option to StaticAnalyzer/Core/AnalyzerOptions
to enable the scope leaving CFGElement,
which would only be useful to that particular test.

Any other ideas how I could make a test for this feature?

Reviewers: krememek, jordan_rose

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D15031

llvm-svn: 307759
2017-07-12 07:04:19 +00:00
Alexander Shaposhnikov 59d10a4cbc [analyzer] Start fixing modeling of bool based types
This is a follow up for one of 
the previous diffs https://reviews.llvm.org/D32328.
getTypeSize and with getIntWidth are not equivalent for bool 
(see https://clang.llvm.org/doxygen/ASTContext_8cpp_source.html#l08444),
this causes a number of issues
(for instance, if APint X representing a bool is created 
with the wrong bit width then X is not comparable against Min/Max
(because of the different bit width), that results in crashes 
(triggered asserts) inside assume* methods), 
for examples see the newly added test cases.

Test plan: make check-all

Differential revision: https://reviews.llvm.org/D35041

llvm-svn: 307604
2017-07-11 00:30:14 +00:00
Artem Dergachev 7caff0e9e1 [analyzer] Move zero-size allocation checks to optin.portability.
This is a new checker package. It contains checkers that highlight
well-documented implementation-defined behavior. Such checkers are only useful
to developers that intend to write portable code. Code that is only compiled for
a single platform should be allowed to rely on this platform's specific
documented behavior.

rdar://problem/30545046

Differential Revision: https://reviews.llvm.org/D34102

llvm-svn: 306396
2017-06-27 11:14:39 +00:00
Gabor Horvath b3bcddf769 [analyzer] Do not continue to analyze a path if the constraints contradict with builtin assume
Differential Revision: https://reviews.llvm.org/D34502

llvm-svn: 305991
2017-06-22 10:09:40 +00:00
Artem Dergachev 4a084cfde7 [analyzer] Bump a few default performance thresholds.
This makes the analyzer around 10% slower by default,
allowing it to find deeper bugs.

Default values for the following -analyzer-config change:
max-nodes: 150000 -> 225000;
max-inlinable-size: 50 -> 100.

rdar://problem/32539666
Differential Revision: https://reviews.llvm.org/D34277

llvm-svn: 305900
2017-06-21 11:29:35 +00:00
Leslie Zhai 4dfcec6b62 [analyzer] Check NULL pointer dereference issue for memset function
Reviewers: dcoughlin, zaks.anna, NoQ, danielmarjamaki

Reviewed By: NoQ, danielmarjamaki

Differential Revision: https://reviews.llvm.org/D31868

llvm-svn: 305773
2017-06-20 06:41:06 +00:00
Leslie Zhai d91d19e6dc [analyzer] Teach CloneDetection about Qt Meta-Object Compiler
Reviewers: v.g.vassilev, zaks.anna, NoQ, teemperor

Reviewed By: v.g.vassilev, zaks.anna, NoQ, teemperor

Differential Revision: https://reviews.llvm.org/D31320

llvm-svn: 305659
2017-06-19 01:55:50 +00:00
Dominic Chen f94c108395 [analyzer]: Improve test handling with multiple constraint managers
Summary: Modify the test infrastructure to properly handle tests that require z3, and merge together the output of all tests on success. This is required for D28954.

Reviewers: dcoughlin, zaks.anna, NoQ, xazax.hun

Subscribers: cfe-commits

Differential Revision: https://reviews.llvm.org/D33308

llvm-svn: 305480
2017-06-15 17:05:07 +00:00
Artem Dergachev 11150c009a [analyzer] Fix a crash when an ObjC object is constructed in AllocaRegion.
Memory region allocated by alloca() carries no implicit type information.
Don't crash when resolving the init message for an Objective-C object
that is being constructed in such region.

rdar://problem/32517077

Differential Revision: https://reviews.llvm.org/D33828

llvm-svn: 305211
2017-06-12 17:59:50 +00:00
Artem Dergachev 7c0ab86932 [analyzer] Don't add arrow to the inlined function's decl when it has no body.
In plist output mode with alternate path diagnostics, when entering a function,
we draw an arrow from the caller to the beginning of the callee's declaration.
Upon exiting, however, we draw the arrow from the last statement in the
callee function. The former makes little sense when the declaration is
not a definition, i.e. has no body, which may happen in case the body
is coming from a body farm, eg. Objective-C autosynthesized property accessor.

Differential Revision: https://reviews.llvm.org/D33671

llvm-svn: 304713
2017-06-05 13:36:28 +00:00
Artem Dergachev fbe891ee05 [analyzer] Nullability: fix notes around synthesized ObjC property accessors.
Nullable-to-nonnull checks used to crash when the custom bug visitor was trying
to add its notes to autosynthesized accessors of Objective-C properties.

Now we avoid this, mostly automatically outside of checker control, by
moving the diagnostic to the parent stack frame where the accessor has been
called.

Differential revision: https://reviews.llvm.org/D32437

llvm-svn: 304710
2017-06-05 12:40:03 +00:00
Artem Dergachev eed7a3102c [analyzer] Support partially tainted records.
The analyzer's taint analysis can now reason about structures or arrays
originating from taint sources in which only certain sections are tainted.

In particular, it also benefits modeling functions like read(), which may
read tainted data into a section of a structure, but RegionStore is incapable of
expressing the fact that the rest of the structure remains intact, even if we
try to model read() directly.

Patch by Vlad Tsyrklevich!

Differential revision: https://reviews.llvm.org/D28445

llvm-svn: 304162
2017-05-29 15:42:56 +00:00
Artem Dergachev 8fa639ecf0 [analyzer] Initial commit for the upcoming refactoring of the IteratorChecker.
The new checker currently contains the very core infrastructure for tracking
the state of iterator-type objects in the analyzer: relating iterators to
their containers, tracking symbolic begin and end iterator values for
containers, and solving simple equality-type constraints over iterators.
A single specific check over this infrastructure is capable of finding usage of
out-of-range iterators in some simple cases.

Patch by Ádám Balogh!

Differential revision: https://reviews.llvm.org/D32592

llvm-svn: 304160
2017-05-29 15:03:20 +00:00
Artem Dergachev 7791593138 [analyzer] PthreadLockChecker: model failed pthread_mutex_destroy() calls.
pthread_mutex_destroy() may fail, returning a non-zero error number, and
keeping the mutex untouched. The mutex can be used on the execution branch
that follows such failure, so the analyzer shouldn't warn on using
a mutex that was previously destroyed, when in fact the destroy call has failed.

Patch by Malhar Thakkar!

Differential revision: https://reviews.llvm.org/D32449

llvm-svn: 304159
2017-05-29 14:51:39 +00:00
Gabor Horvath 3a00b41e43 [analyzer] Add modelling of __builtin_assume
Differential Revision: https://reviews.llvm.org/D33092

llvm-svn: 302880
2017-05-12 07:02:54 +00:00
Artem Dergachev b6a513d1b2 [analyzer] Fix memory error bug category capitalization.
It was written as "Memory Error" in most places and as "Memory error" in a few
other places, however it is the latter that is more consistent with
other categories (such as "Logic error").

rdar://problem/31718115

Differential Revision: https://reviews.llvm.org/D32702

llvm-svn: 302016
2017-05-03 11:47:13 +00:00
Daniel Marjamaki a43a8f5c5e [analyzer] Detect bad free of function pointers
Differential Revision: https://reviews.llvm.org/D31650

llvm-svn: 301913
2017-05-02 11:46:12 +00:00
Leslie Zhai e3986c544d [analyzer] Teach the MallocChecker about Glib API for two arguments
Reviewers: zaks.anna, NoQ, danielmarjamaki

Reviewed By: zaks.anna, NoQ, danielmarjamaki

Subscribers: cfe-commits, kalev, pwithnall

Differential Revision: https://reviews.llvm.org/D30771

llvm-svn: 301384
2017-04-26 05:33:14 +00:00
Artem Dergachev cbd7cd8360 [analyzer] Improve subscripting null arrays for catching null dereferences.
Array-to-pointer cast now works correctly when the pointer to the array
is concrete, eg. null, which allows further symbolic calculations involving
such values.

Inlined defensive checks are now detected correctly when the resulting null
symbol is being array-subscripted before dereference.

Differential Revision: https://reviews.llvm.org/D32291

llvm-svn: 301251
2017-04-24 20:55:07 +00:00
Artem Dergachev 37de888867 [analyzer] Improve suppression for inlined defensive checks before operator &.
Null dereferences are suppressed if the lvalue was constrained to 0 for the
first time inside a sub-function that was inlined during analysis, because
such constraint is a valid defensive check that does not, by itself,
indicate that null pointer case is anyhow special for the caller.

If further operations on the lvalue are performed, the symbolic lvalue is
collapsed to concrete null pointer, and we need to track where does the null
pointer come from.

Improve such tracking for lvalue operations involving operator &.

rdar://problem/27876009

Differential Revision: https://reviews.llvm.org/D31982

llvm-svn: 301224
2017-04-24 19:30:33 +00:00
Alexander Shaposhnikov 015da3534a [analyzer] Fix assert in ExprEngine::processSwitch
This diff replaces getTypeSize(CondE->getType())) 
with getIntWidth(CondE->getType())) in ExprEngine::processSwitch.
These calls are not equivalent for bool, see ASTContext.cpp
Add a test case.

Test plan:
make check-clang-analysis
make check-clang

Differential revision: https://reviews.llvm.org/D32328

llvm-svn: 300936
2017-04-21 01:05:26 +00:00
Artem Dergachev 12294f8d2e [analyzer] Simplify values in binary operations a bit more aggressively.
SValBuilder tries to constant-fold symbols in the left-hand side of the symbolic
expression whenever it fails to evaluate the expression directly. However, it
only constant-folds them when they are atomic expressions, not when they are
complicated expressions themselves. This patch adds recursive constant-folding
to the left-hand side subexpression (there's a lack of symmetry because we're
trying to have symbols on the left and constants on the right). As an example,
we'd now be able to handle operations similar to "$x + 1 < $y", when $x is
constrained to a constant.

rdar://problem/31354676

Differential Revision: https://reviews.llvm.org/D31886

llvm-svn: 300178
2017-04-13 07:20:04 +00:00
Alexander Shaposhnikov 5f24c12dc4 [analyzer] Add a check for IvarRegion in getExtraInvalidatedValues
This diff adds a defensive check in getExtraInvalidatedValues
for the case when there are no regions for the ivar associated with
a property. Corresponding test case added.

Test plan:
make check-clang
make check-clang-analysis

llvm-svn: 300114
2017-04-12 22:00:13 +00:00
Reid Kleckner 2ae37c15c3 [lit] Fix Analysis test format pickling error
Move the test format into a standalone .py file and add it to the site
module search path. This allows us to run the test on Windows, and it
makes it compatible with the multiprocessing.Pool lit test execution
strategy.

I think this test was only passing everywhere else because
multiprocessing uses 'fork' to spawn workers, so the test format never
needs to be pickled.

llvm-svn: 299577
2017-04-05 18:56:48 +00:00
Daniel Marjamaki 2641a52ee4 [analyzer] alpha.core.Conversion - Fix false positive for 'U32 += S16;' expression, that is not unsafe
Summary:
The alpha.core.Conversion was too strict about compound assignments and could warn even though there is no problem.

Differential Revision: https://reviews.llvm.org/D25596

llvm-svn: 299523
2017-04-05 08:57:04 +00:00
Dominic Chen 08f943c563 [analyzer] Add new Z3 constraint manager backend
Summary: Implement new Z3 constraint manager backend.

Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun

Subscribers: mgorny, cfe-commits

Differential Revision: https://reviews.llvm.org/D28952

llvm-svn: 299463
2017-04-04 19:52:25 +00:00
Aaron Ballman 4d3355a21c Correcting a typo; NFC.
llvm-svn: 299094
2017-03-30 18:11:20 +00:00
Artem Dergachev 7333a9ea11 [analyzer] Fix symbolication for unknown unary increment/decrement results.
If the value is known, but we cannot increment it, conjure a symbol to
represent the result of the operation based on the operator expression,
not on the sub-expression.

In particular, no longer crash on comparing a result of a LocAsInteger increment
to a constant integer.

rdar://problem/31067356

Differential Revision: https://reviews.llvm.org/D31289

llvm-svn: 298927
2017-03-28 15:57:12 +00:00
Artem Dergachev 647804a84a [analyzer] When creating a temporary object, properly copy the value into it.
Adjustments should be considered properly; we should copy the unadjusted object
over the whole temporary base region. If the unadjusted object is no longer
available in the Environment, invalidate the temporary base region, and then
copy the adjusted object into the adjusted sub-region of the temporary region.

This fixes a regression introduced by r288263, that caused various
false positives, due to copying only adjusted object into the adjusted region;
the rest of the base region therefore remained undefined.
Before r288263, the adjusted value was copied over the unadjusted region,
which is incorrect, but accidentally worked better due to how region store
disregards compound value bindings to non-base regions.

An additional test machinery is introduced to make sure that despite making
two binds, we only notify checkers once for both of them, without exposing
the partially copied objects.

This fix is a hack over a hack. The proper fix would be to model C++ temporaries
in the CFG, and after that dealing with adjustments would no longer be
necessary, and the values we need would no longer disappear from the
Environment.

rdar://problem/30658168

Differential Revision: https://reviews.llvm.org/D30534

llvm-svn: 298924
2017-03-28 15:43:26 +00:00
Artem Dergachev 356151ff5f [analyzer] Add MisusedMovedObjectChecker for detecting use-after-move errors.
The checker currently warns on copying, moving, or calling methods on an object
that was recently std::move'd from. It understands a set of "state reset"
methods that bring a moved-from object back to a well-specified state.

Patch by Peter Szecsi!

Differential Revision: https://reviews.llvm.org/D24246

llvm-svn: 298698
2017-03-24 09:52:30 +00:00
Gabor Horvath 60eec1ac1b [analyzer] Fix a rare crash for valist check.
It looks like on some host-triples the result of a valist related expr can be
a LazyCompoundVal. Handle that case in the check.

Patch by Abramo Bagnara!

llvm-svn: 297619
2017-03-13 12:48:26 +00:00
Gabor Horvath 829c6bc04a [analyzer] Extend block in critical section check with C11 and Pthread APIs.
Patch by Zoltan Daniel Torok!

Differential Revision: https://reviews.llvm.org/D29567

llvm-svn: 297461
2017-03-10 14:50:12 +00:00
Anna Zaks ae4772140f [analyzer] Turn suppress-c++-stdlib on by default
We have several reports of false positives coming from libc++. For example,
there are reports of false positives in std::regex, std::wcout, and also
a bunch of issues are reported in https://reviews.llvm.org/D30593. In many
cases, the analyzer trips over the complex libc++ code invariants. Let's turn
off the reports coming from these headers until we can re-evalate the support.

We can turn this back on once we individually suppress all known false
positives and perform deeper evaluation on large codebases that use libc++.
We'd also need to commit to doing these evaluations regularly as libc++
headers change.

Differential Revision: https://reviews.llvm.org/D30798

llvm-svn: 297429
2017-03-10 00:33:19 +00:00
Anna Zaks 12d0c8d662 [analyzer] Extend taint propagation and checking to support LazyCompoundVal
A patch by Vlad Tsyrklevich!

Differential Revision: https://reviews.llvm.org/D28445

llvm-svn: 297326
2017-03-09 00:01:16 +00:00
Anna Zaks 37faed97c1 [analyzer] Improve usability of ExprInspectionChecker
Some of the magic functions take arguments of arbitrary type. However,
for semantic correctness, the compiler still requires a declaration
of these functions with the correct type. Since C does not have
argument-type-overloaded function, this made those functions hard to
use in C code. Improve this situation by allowing arbitrary suffixes
in the affected magic functions' names, thus allowing the user to
create different declarations for different types.

A patch by Keno Fischer!

Differential Revision: https://reviews.llvm.org/D30589

llvm-svn: 297325
2017-03-09 00:01:10 +00:00
Anna Zaks d4e43ae22a [analyzer] Add bug visitor for taint checker.
Add a bug visitor to the taint checker to make it easy to distinguish where
the tainted value originated. This is especially useful when the original
taint source is obscured by complex data flow.

A patch by Vlad Tsyrklevich!

Differential Revision: https://reviews.llvm.org/D30289

llvm-svn: 297324
2017-03-09 00:01:07 +00:00
Anna Zaks bbec97ca2c [analyzer] Teach the MallocChecker about about Glib API
A patch by Leslie Zhai!

Differential Revision: https://reviews.llvm.org/D28348

llvm-svn: 297323
2017-03-09 00:01:01 +00:00
Daniel Marjamaki 3d8d6ed01f [analyzer] Clarify 'uninitialized function argument' messages
Differential Revision: https://reviews.llvm.org/D30341

llvm-svn: 297283
2017-03-08 15:22:24 +00:00
Daniel Marjamaki cf715bd330 [analyzer] Fix crashes in CastToStruct checker for undefined structs
This crash was reported in https://bugs.llvm.org//show_bug.cgi?id=31173

Differential Revision: https://reviews.llvm.org/D28297

llvm-svn: 297187
2017-03-07 19:20:48 +00:00
Gabor Horvath dbf2790a1f [analyzer] Improve valist checks and move it out from alpha state.
This patch makes the valist check more robust to the different AST variants on
different platforms and also fixes a FIXME.

Differential Revision: https://reviews.llvm.org/D30157

llvm-svn: 297153
2017-03-07 16:04:23 +00:00