Commit Graph

1193 Commits

Author SHA1 Message Date
Anna Zaks ce519153fd [analyzer] Report the cumulative number of steps the analyzer performs.
llvm-svn: 159036
2012-06-22 22:08:06 +00:00
Jordan Rose ef1c7ae323 [analyzer] Check for +raise:format: on subclasses of NSException as well.
We don't handle exceptions yet, so we treat them as sinks. ExprEngine
hardcodes messages that are known to raise Objective-C exceptions like -raise,
but it was only checking for +raise:format: and +raise:format:arguments: on
NSException itself, not subclasses.

<rdar://problem/11724201>

llvm-svn: 159010
2012-06-22 17:15:58 +00:00
Anna Zaks 0d6989bd10 [analyzer] Malloc: Warn about use-after-free when memory ownership was
transfered with dataWithBytesNoCopy.

llvm-svn: 158958
2012-06-22 02:04:31 +00:00
Chandler Carruth 28969b4139 Remove a goofy CMake hack and use the standard CMake facilities to
express library-level dependencies within Clang.

This is no more verbose really, and plays nicer with the rest of the
CMake facilities. It should also have no change in functionality.

llvm-svn: 158888
2012-06-21 01:30:21 +00:00
Anna Zaks 886dfb8cfa [analyzer] Malloc leak false positive: Allow xpc context to escape.
llvm-svn: 158875
2012-06-20 23:35:57 +00:00
Anna Zaks 9050ffd57c [analyzer] Malloc: cleanup, disallow free on relinquished memory.
This commits sets the grounds for more aggressive use after free
checking. We will use the Relinquished sate to denote that someone
else is now responsible for releasing the memory.

llvm-svn: 158850
2012-06-20 20:57:46 +00:00
Jordan Rose 44320367ac [analyzer] Invalidate placement args; return the pointer given to placement new
The default global placement new just returns the pointer it is given.
Note that other custom 'new' implementations with placement args are not
guaranteed to do this.

In addition, we need to invalidate placement args, since they may be updated by
the allocator function. (Also, right now we don't properly handle the
constructor inside a CXXNewExpr, so we need to invalidate the placement args
just so that callers know something changed!)

This invalidation is not perfect because CallOrObjCMessage doesn't support
CXXNewExpr, and all of our invalidation callbacks expect that if there's no
CallOrObjCMessage, the invalidation is happening manually (e.g. by a direct
assignment) and shouldn't affect checker-specific metadata (like malloc state);
hence the malloc test case in new-fail.cpp. But region values are now
properly invalidated, at least.

The long-term solution to this problem is to rework CallOrObjCMessage into
something more general, rather than the morass of branches it is today.

<rdar://problem/11679031>

llvm-svn: 158784
2012-06-20 01:32:01 +00:00
Anna Zaks 42908c7ac9 [analyzer] Allow pointers to escape into NSPointerArray.
(Fixes radar://11691035 PR13140)

llvm-svn: 158703
2012-06-19 05:10:32 +00:00
Jordan Rose 832c2134a9 [analyzer] Add a comment: why we treat array compound literals as lvalues.
llvm-svn: 158681
2012-06-18 21:31:27 +00:00
Jordan Rose b4712d142a [analyzer] Array CompoundLiteralExprs need to be treated like lvalues.
llvm-svn: 158588
2012-06-16 01:28:03 +00:00
Jordan Rose e42412be39 [analyzer] Return an UnknownVal when we try to get the binding for a VLA.
This happens in C++ mode right at the declaration of a struct VLA;
MallocChecker sees a bind and tries to get see if it's an escaping bind.
It's likely that our handling of this is still incomplete, but it fixes a
crash on valid without disturbing anything else for now.

llvm-svn: 158587
2012-06-16 01:28:00 +00:00
Jordan Rose de409b6d5f [analyzer] Buffers passed to CGBitmapContextCreate can escape.
Specifically, although the bitmap context does not take ownership of the
buffer (unlike CGBitmapContextCreateWithData), the data buffer can be extracted
out of the created CGContextRef. Thus the buffer is not leaked even if its
original pointer goes out of scope, as long as
- the context escapes, or
- it is retrieved via CGBitmapContextGetData and freed.

Actually implementing that logic is beyond the current scope of MallocChecker,
so for now CGBitmapContextCreate goes on our system function exception list.

llvm-svn: 158579
2012-06-16 00:09:20 +00:00
James Dennett 1bc5f0c7ef Documentation cleanup: fix a type, LocatioinE -> LocationE
llvm-svn: 158566
2012-06-15 22:32:14 +00:00
Jordan Rose 95dfae824e [analyzer] RetainCount: don't track objects init'd with a delegate
We already didn't track objects that have delegates or callbacks or
objects that are passed through void * "context pointers". It's a
not-uncommon pattern to release the object in its callback, and so
the leak message we give is not very helpful.

llvm-svn: 158532
2012-06-15 18:19:52 +00:00
James Dennett 845619a285 Documentation cleanup:
* Add \brief to produce a summary in the Doxygen output;
* Add missing parameter names to \param commands;
* Fix mismatched parameter names for \param commands;
* Add a parameter name so that the \param has a target.

llvm-svn: 158503
2012-06-15 07:41:35 +00:00
Jordan Rose 2fdc07ee89 Revert "[analyzer] Treat LValueBitCasts like regular pointer bit casts."
This does not actually give us the right behavior for reinterpret_cast
of references. Reverting so I can think about it some more.

This reverts commit 50a75a6e26a49011150067adac556ef978639fe6.

llvm-svn: 158341
2012-06-12 00:20:22 +00:00
Jordan Rose ca00b28a47 [analyzer] Treat LValueBitCasts like regular pointer bit casts.
These casts only appear in very well-defined circumstances, in which the
target of a reinterpret_cast or a function formal parameter is an lvalue
reference. According to the C++ standard, the following are equivalent:

 reinterpret_cast<T&>( x)
*reinterpret_cast<T*>(&x)

[expr.reinterpret.cast]p11

llvm-svn: 158338
2012-06-11 23:20:52 +00:00
Chad Rosier 32503020a4 Etch out the code path for MS-style inline assembly.
llvm-svn: 158325
2012-06-11 20:47:18 +00:00
Jordan Rose efef760214 [analyzer] Add ObjCLoopChecker: objects from NSArray et al are non-nil.
While collections containing nil elements can still be iterated over in an
Objective-C for-in loop, the most common Cocoa collections -- NSArray,
NSDictionary, and NSSet -- cannot contain nil elements. This checker adds
that assumption to the analyzer state.

This was the cause of some minor false positives concerning CFRelease calls
on objects in an NSArray.

llvm-svn: 158319
2012-06-11 16:40:41 +00:00
Jordan Rose 3ba8ae3fd9 [analyzer] When looking for a known class, only traverse the hierarchy once.
This has a small hit in the case where only one class is interesting
(NilArgChecker) but is a big improvement when looking for one of several
interesting classes (VariadicMethodTypeChecker), in which the most common
case is that there is no match.

llvm-svn: 158318
2012-06-11 16:40:37 +00:00
Anna Zaks 528b14c5d9 [analyzer] MallocSizeofChecker false positive: when sizeof is argument
to addition.

We should not to warn in case the malloc size argument is an
addition containing 'sizeof' operator - it is common to use the pattern
to pack values of different sizes into a buffer. 

Ex:

uint8_t *buffer = (uint8_t*)malloc(dataSize + sizeof(length));

llvm-svn: 158219
2012-06-08 18:44:43 +00:00
Anna Zaks b60908db3a [analyzer] Add experimental "issue hash" to the plist diagnostic.
CmpRuns.py can be used to compare issues from different analyzer runs.
Since it uses the issue line number to unique 2 issues, adding a new
line to the beginning of a file makes all issues in the file reported as
new. 

The hash will be an opaque value which could be used (along with the
function name) by CmpRuns to identify the same issues. This way, we only
fail to identify the same issue from two runs if the function it appears
in changes (not perfect, but much better than nothing).

llvm-svn: 158180
2012-06-08 00:04:43 +00:00
Anna Zaks a7dcc996a9 [analyzer] Fixit for r158136.
I falsely assumed that the memory spaces are equal when we reach this
point, they might not be when memory space of one or more is stack or
Unknown. We don't want a region from Heap space alias something with
another memory space.

llvm-svn: 158165
2012-06-07 20:18:08 +00:00
Anna Zaks 3563fde6a0 [analyzer] Anti-aliasing: different heap allocations do not alias
Add a concept of symbolic memory region belonging to heap memory space.
When comparing symbolic regions allocated on the heap, assume that they
do not alias. 

Use symbolic heap region to suppress a common false positive pattern in
the malloc checker, in code that relies on malloc not returning the
memory aliased to other malloc allocations, stack.

llvm-svn: 158136
2012-06-07 03:57:32 +00:00
Jordan Rose 0da4e77880 [analyzer] Provide debug descriptions for all memory space regions.
Patch by Guillem Marpons!

llvm-svn: 158106
2012-06-06 20:47:00 +00:00
David Blaikie 40ed29730b Revert Decl's iterators back to pointer value_type rather than reference value_type
In addition, I've made the pointer and reference typedef 'void' rather than T*
just so they can't get misused. I would've omitted them entirely but
std::distance likes them to be there even if it doesn't use them.

This rolls back r155808 and r155869.

Review by Doug Gregor incorporating feedback from Chandler Carruth.

llvm-svn: 158104
2012-06-06 20:45:41 +00:00
Benjamin Kramer d1d76b2da7 Remove unused private member variables found by clang's new -Wunused-private-field.
llvm-svn: 158086
2012-06-06 17:32:50 +00:00
Ted Kremenek f470a4c2ca Disable path pruning for UndefResultChecker. It turns out we usually want to see more of the path
to discover how a value was used uninitialized.

llvm-svn: 158048
2012-06-06 06:25:37 +00:00
Ted Kremenek 54baf2e57d PlistDiagnostics: force the ranges for control-flow edges to be single locations, forcing
adjacent edges to have compatible ranges.  This simplifies the layout logic for some clients.

llvm-svn: 158028
2012-06-05 22:00:52 +00:00
Anna Zaks 4ff9097fcc [analyzer] Fix a diagnostics bug which lead to a crash on the buildbot.
This bug was triggered by r157851. It only happens in the case where we
don't perform optimal diagnostic pruning.

llvm-svn: 157950
2012-06-04 21:03:31 +00:00
Benjamin Kramer 474261af7b Fix typos found by http://github.com/lyda/misspell-check
llvm-svn: 157886
2012-06-02 10:20:41 +00:00
Anna Zaks 7ba2615047 [analyzer] Rely on canBeInlined utility instead of checking CallExpr
explicitly.

This will make it easier to add inlining support to more expressions.

llvm-svn: 157870
2012-06-02 00:40:52 +00:00
Anna Zaks bec49efdf2 [analyzer] Fix a spurious undef value warning.
When we timeout or exceed a max number of blocks within an inlined
function, we retry with no inlining starting from a node right before
the CallEnter node. We assume the state of that node is the state of the
program before we start evaluating the call. However, the node pruning
removes this node as unimportant. 

Teach the node pruning to keep the predecessors of the call enter nodes.

llvm-svn: 157860
2012-06-01 23:48:44 +00:00
Anna Zaks 1b37ea0a5f [analyzer] Fix lack of coverage after empty inlined function.
We should not stop exploring the path after we return from an empty
function.

llvm-svn: 157859
2012-06-01 23:48:40 +00:00
Ted Kremenek 5d6e7c3351 Disable diagnosic path pruning for ReturnUndefChecker.
llvm-svn: 157851
2012-06-01 23:04:04 +00:00
Ted Kremenek c3da376fbc static analyzer: add inlining support for directly called blocks.
llvm-svn: 157833
2012-06-01 20:04:04 +00:00
Tom Care 698daefb58 [analyzer] Fix BugType memory leak in IdempotentOperationChecker.
llvm-svn: 157772
2012-05-31 21:24:58 +00:00
Anna Zaks 2774f99913 [analyzer] Cleanup for r157721.
We should lock the number of elements after the initial parsing is
complete. Recursive AST visitors in AnalyzesConsumer and CallGarph can
trigger lazy pch deserialization resulting in more calls to
HandleTopLevelDecl and appending to the LocalTUDecls list. We should
ignore those.

llvm-svn: 157762
2012-05-31 18:07:55 +00:00
Ted Kremenek 16704bb15b Allow some BugReports to opt-out of PathDiagnostic callstack pruning until we have significantly
improved the pruning heuristics.  The current heuristics are pretty good, but they make diagnostics
for uninitialized variables warnings particularly useless in some cases.

llvm-svn: 157734
2012-05-31 06:03:17 +00:00
Anna Zaks 34d89b7ddc [analyzer]Fix another occurrence of iterator invalidation (LocalTUDecls)
Follow up in r155693, r155680.

Prevents a hard to reproduce crash with the following stack trace:
3  libsystem_c.dylib 0x00007ff55a835050 _sigtramp + 18446744029881443184
4  clang             0x0000000106218e97 (anonymous
namespace)::AnalysisConsumer::HandleTranslationUnit(clang::ASTContext&)
+ 519
5  clang             0x0000000105cf3002 clang::ParseAST(clang::Sema&,
bool, bool) + 690
6  clang             0x00000001059a41d8
clang::ASTFrontendAction::ExecuteAction() + 312
7  clang             0x00000001059a3df7 clang::FrontendAction::Execute()
+ 231
8  clang             0x00000001059b0ecc
clang::CompilerInstance::ExecuteAction(clang::FrontendAction&) + 860
9  clang             0x000000010595e451
clang::ExecuteCompilerInvocation(clang::CompilerInstance*) + 961
10 clang             0x0000000105947f29 cc1_main(char const**, char
const**, char const*, void*) + 969
11 clang             0x0000000105958259 main + 473
12 clang             0x0000000105947b34 start + 52

llvm-svn: 157721
2012-05-30 23:14:48 +00:00
Benjamin Kramer 69b5a60d96 Replace some custom hash combines with the standard stuff from DenseMapInfo.
llvm-svn: 157531
2012-05-27 13:28:44 +00:00
Anna Zaks 6a65819ba3 [analyzer] Don't crash on LValBitCast
llvm-svn: 157478
2012-05-25 16:02:16 +00:00
Anna Zaks 6b7b7e66d1 [analyzer] Minor cleanup to checkers' help text.
llvm-svn: 157402
2012-05-24 17:31:59 +00:00
Anna Zaks d0867105f4 [analyzer] Treat cast of array to reference in the same way as array to
pointer.

Fixes one of the crashes reported in PR12874.

llvm-svn: 157401
2012-05-24 17:31:57 +00:00
Anna Zaks fc1d4bdc4f [analyzer] Bind UnknownVal to InitListExpr for unsupported types
(ex: float).

llvm-svn: 157211
2012-05-21 22:07:00 +00:00
Benjamin Kramer 9bbf481f02 Analyzer: Fix PR12905, a crash when encountering a call to a function named "C".
While there clean up indentation.

llvm-svn: 157204
2012-05-21 19:40:38 +00:00
Anna Zaks 94a7b849a2 [analyzer] For locations, use isGLValue() instead of isLValue().
llvm-svn: 157088
2012-05-19 00:22:07 +00:00
Anna Zaks 457ace7611 [analyzer] Fix a c++11 crash: xvalues can be locations (VisitMemberExpr)
llvm-svn: 157082
2012-05-18 22:47:43 +00:00
Anna Zaks b343660914 [analyzer] Malloc checker: remove unnecessary comparisons.
llvm-svn: 157081
2012-05-18 22:47:40 +00:00
Anna Zaks 46d01605ee [analyzer]Malloc: refactor and report use after free by memory
allocating functions.

llvm-svn: 157037
2012-05-18 01:16:10 +00:00
Jordy Rose 31ae259a41 [analyzer] Introduce clang_analyzer_eval for regression test constraint checks.
The new debug.ExprInspection checker looks for calls to clang_analyzer_eval,
and emits a warning of TRUE, FALSE, or UNKNOWN (or UNDEFINED) based on the
constrained value of its (boolean) argument. It does not modify the analysis
state though the conditions tested can result in branches (e.g. through the
use of short-circuit operators).

llvm-svn: 156919
2012-05-16 16:01:07 +00:00
Anna Zaks 58d986c866 [analyzer] Fix a regression in ObjCUnusedIVars checker.
We can no longer rely on children iterator to visit all the AST
tree children of an expression (OpaqueValueExpr has no children).

llvm-svn: 156870
2012-05-15 22:31:56 +00:00
Jordy Rose 459d5f62c2 [analyzer] strncpy: Special-case a length of 0 to avoid an incorrect warning.
We check the address of the last element accessed, but with 0 calculating that
address results in element -1. This patch bails out early (and avoids a bunch
of other work at that).

Fixes PR12807.

llvm-svn: 156769
2012-05-14 17:58:35 +00:00
Jordy Rose 6393f82b5b [analyzer] RetainCountChecker: track ObjC boxed expression objects.
llvm-svn: 156699
2012-05-12 05:10:43 +00:00
Anna Zaks e7e7c9ebf9 [analyzer] Do not walk the types for call graph construction.
llvm-svn: 156661
2012-05-11 23:15:18 +00:00
Argyrios Kyrtzidis 45f5118248 The Lexer constructor expects a source location at the start of the
file buffer, not at the start of lexing.

Fixes assertion hit in format diagnostics. rdar://11418366

llvm-svn: 156647
2012-05-11 21:39:18 +00:00
Ted Kremenek 2342067c6e Include line that was meant to be in my last commit.
llvm-svn: 156582
2012-05-10 22:49:10 +00:00
Ted Kremenek 77cbb8481b Fix insidious RegionStore bug where we (a) didn't handle vector types and (b) had
a horrible bug in GetLazyBindings where we falsely appended a field suffix when traversing 3 or more
layers of lazy bindings.  I don't have a reduced test case yet; but I have added the original source
to an internal regression test suite.  I'll see about coming up with a reduced test case.

Fixes <rdar://problem/11405978> (for real).

llvm-svn: 156580
2012-05-10 22:02:39 +00:00
Anna Zaks fe1ccee0f5 [analyzer] Exit early if constraint solver is given a non-integer symbol
to reason about.

As part of taint propagation, we now allow creation of non-integer
symbolic expressions like a cast from int to float.

Addresses PR12511 (radar://11215362).

llvm-svn: 156578
2012-05-10 21:49:52 +00:00
Anna Zaks 62cce9e47d [analyzer] Do not highlight the range of the statement in case of leak.
We report a leak at a point a leaked variable is no longer accessible.
The statement that happens to be at that point is not relevant to the
leak diagnostic and, thus, should not be highlighted.

radar://11178519

llvm-svn: 156530
2012-05-10 01:37:40 +00:00
Anna Zaks d60f4c8fef [analyzer] Simplify r156446, as per Ted's review.
llvm-svn: 156482
2012-05-09 17:23:15 +00:00
Anna Zaks 325520a7b8 [analyzer] Allow pointers to escape through selector callbacks.
llvm-svn: 156481
2012-05-09 17:23:11 +00:00
Anna Zaks d0f89283cf [analyzer] We currently do not fully support CompoundLiterals in
RegionStore, so be explicit about it and generate UnknownVal().

This is a hack to ensure we never produce undefined values for a value
coming from a compound value. (The undefined values can lead to
false positives.) 

radar://10127782

llvm-svn: 156446
2012-05-08 23:40:38 +00:00
Ted Kremenek f534e91882 Having RegionStore lower field bindings to raw offsets, just like ElementRegions. This is a bit
disruptive, but it allows RegionStore to better "see" through casts that reinterpret arrays of values
as structs.  Fixes <rdar://problem/11405978>.

llvm-svn: 156428
2012-05-08 21:49:54 +00:00
Ted Kremenek b4235b48ca When creating lazy bindings in RegionStore, propagate existing lazy bindings instead of creating new ones.
This is a functionality optimization.

llvm-svn: 156427
2012-05-08 21:49:51 +00:00
Ted Kremenek 228571b69b Include address of Store in graphviz output of ExplodedGraph.
llvm-svn: 156426
2012-05-08 21:49:47 +00:00
Anna Zaks 66843480a6 [analyzer] SelfInit: Stop tracking self if it's assigned a value we
don't reason about.

Self is just like a local variable in init methods, so it can be
assigned anything like result of static functions, other methods ... So
to suppress false positives that result in such cases, stop tracking the
checker-specific state after self is being assigned to (unless the
value is't being assigned to is either self or conforms to our rules).

This change does not invalidate any existing regression tests.

llvm-svn: 156420
2012-05-08 21:19:21 +00:00
Ted Kremenek e87b55214b Teach the analyzer about CXXScaleValueInitExpr.
llvm-svn: 156369
2012-05-08 05:13:40 +00:00
Jordy Rose 675d541ab6 [analyzer] BasicConstraintManager: drop NE-constraints once we have a value.
This could conceivably cut down on state proliferation, although we don't
use BasicConstraintManager by default anymore. No functionality change.

llvm-svn: 156362
2012-05-08 03:27:20 +00:00
Jordy Rose 728be7f6ac [analyzer] Rework both constraint managers to handle mixed-type comparisons.
This involves keeping track of three separate types: the symbol type, the
adjustment type, and the comparison type. For example, in "$x + 5 > 0ULL",
if the type of $x is 'signed char', the adjustment type is 'int' and the
comparison type is 'unsigned long long'. Most of the time these three types
will be the same, but we should still do the right thing when the
comparison value is out of range, and wraparound should be calculated in
the adjustment type.

This also re-disables an out-of-bounds test; we were extracting the symbol
from non-additive SymIntExprs, but then throwing away the integer.

Sorry for the large patch; both the basic and range constraint managers needed
to be updated together, since they share code in SimpleConstraintManager.

llvm-svn: 156361
2012-05-08 03:27:16 +00:00
Jordy Rose 7e3c3ea341 [analyzer] Add an abstraction for the bit width and signedness of an APSInt. No functionality change.
There are more parts of the analyzer that could use the convenience of APSIntType, particularly the constraint engine, but that needs a fair amount of rewriting to handle mixed-type constraints anyway.

llvm-svn: 156360
2012-05-08 03:26:58 +00:00
Ted Kremenek ececf9f0ae Teach the static analyzer that NSLog() and friends do not hold on to object references (thus extending their lifetime).
llvm-svn: 156346
2012-05-08 00:12:09 +00:00
Anna Zaks 590c7bc12e [analyzer]Turn on MallocSizeOfChecker by default; shorten the diagnostic
llvm-svn: 156341
2012-05-07 23:30:29 +00:00
Anna Zaks 386e832c07 [analyzer] Fix a crash in triggered by OSAtomicChecker.
SValBuilder should return an UnknownVal() when comparison of int and ptr
fails. Previous to this commit, it went on assuming that we are dealing
with pointer arithmetic.

PR12509, radar://11390991

llvm-svn: 156320
2012-05-07 19:40:49 +00:00
Anna Zaks 41e7ab8f81 [analyzer]Fixup r156215: use StopTracking summary instead of ScratchArgs
As per Jordy's and Ted's comment, use the default StopTracking summary
instead of adding all arguments to ScratchArs.

llvm-svn: 156310
2012-05-07 17:47:09 +00:00
David Blaikie 0f09df1f52 Remove variable made unused by r156270.
llvm-svn: 156273
2012-05-07 00:53:51 +00:00
Jordy Rose 54569448f8 [analyzer] Reduce parallel code paths in SimpleSValBuilder::evalBinOpNN, and handle mixed-type operations more generally.
The logical change is that the integers in SymIntExprs may not have the same type as the symbols they are paired with. This was already the case with taint-propagation expressions created by SValBuilder::makeSymExprValNN, but I think those integers may never have been used. SimpleSValBuilder should be able to handle mixed-integer-type SymIntExprs fine now, though, and the constraint managers were already being defensive (though not entirely correct). All existing tests pass.

The logic in evalBinOpNN has been simplified so that conversion is done as late as possible. As a result, most of the switch cases have been reduced to do the minimal amount of work, delegating to another case when they can by substituting ConcreteInts and (as before) reversing the left and right arguments when useful.

Comparisons require special handling in two places (building SymIntExprs and evaluating constant-constant operations) because we don't /know/ the best type for comparing the two values. I've approximated the rules in Sema [C99 6.3.1.8]  but it'd be nice to refactor Sema's actual algorithm into ASTContext.

This is also groundwork for handling mixed-type constraints better than we do now.

llvm-svn: 156270
2012-05-06 23:40:02 +00:00
Anna Zaks f4c5ea515f [analyzer] RetainCountChecker: Allow objects to escape through callbacks
Fixes radar://10973977.

llvm-svn: 156215
2012-05-04 22:18:39 +00:00
Ted Kremenek fd727748bd Explicitly model capturing variables for blocks in the static analyzer. Fixes <rdar://problem/11125868>.
llvm-svn: 156211
2012-05-04 21:48:42 +00:00
Anna Zaks 63509fbacc [analyzer]Fixup r156134: Handle the case when FunctionDecl isn't avail.
llvm-svn: 156183
2012-05-04 17:37:16 +00:00
Anna Zaks 6ccfcf346d [analyzer] Assume pointer escapes when a callback is passed inside
a struct.

llvm-svn: 156135
2012-05-03 23:50:33 +00:00
Anna Zaks 228f9c7b68 [analyzer] Allow pointers escape through calls containing callback args.
(Since we don't have a generic pointer escape callback, modify
ExprEngineCallAndReturn as well as the malloc checker.)

llvm-svn: 156134
2012-05-03 23:50:28 +00:00
Jordy Rose 1d4660bc51 [analyzer] When promoting constant integers in a comparison, use the larger width of the two to avoid truncation.
llvm-svn: 156089
2012-05-03 19:05:48 +00:00
Anna Zaks b3b56bb960 [analyzer] CString Checker: Do not split the path unless the user
specifically checks for equality to null.

Enforcing this general practice, which keeps the analyzer less
noisy, in the CString Checker. This change suppresses "Assigned value is
garbage or undefined" warning in the added test case.

llvm-svn: 156085
2012-05-03 18:21:28 +00:00
Jordy Rose d23232975f [analyzer] Equality ops are like relational ops in that the arguments shouldn't be converted to the result type. Fixes PR12206 and dupe PR12510.
This was probably the original intent of r133041 (also me, a year ago).

llvm-svn: 156062
2012-05-03 07:34:01 +00:00
Anna Zaks 1655aee1e3 [analyzer] Conjure a symbol to ensure we can identify pointer arithmetic
We need to identify the value of ptr as
ElementRegion (result of pointer arithmetic) in the following code.
However, before this commit '(2-x)' evaluated to Unknown value, and as
the result, 'p + (2-x)' evaluated to Unknown value as well.

int *p = malloc(sizeof(int));
ptr = p + (2-x);

llvm-svn: 156052
2012-05-03 02:13:56 +00:00
Anna Zaks f0e9ca8604 [analyzer] Do not assert on constructing SymSymExpr with diff types.
The resulting type info is stored in the SymSymExpr, so no reason not to
support construction of expression with different subexpression types.

llvm-svn: 156051
2012-05-03 02:13:53 +00:00
Anna Zaks 1d3d51a6e6 [analyzer] Add a complexity bound on history tracking.
(Currently, this is only relevant for tainted data.)

llvm-svn: 156050
2012-05-03 02:13:50 +00:00
Anna Zaks 7124b4b124 [analyzer] Revert the functional part of r155944.
The change resulted in multiple issues on the buildbot, so it's not
ready for prime time. Only enable history tracking for tainted
data(which is experimental) for now.

llvm-svn: 156049
2012-05-03 02:13:46 +00:00
Ted Kremenek 170641b0e0 Refine analyzer diagnostics by adding an expression "cone-of-influence" to reverse track interesting
values through interesting expressions.  This allows us to map from interesting values in a caller
to interesting values in a caller, thus recovering some precision in diagnostics lost from IPA.

Fixes <rdar://problem/11327497>

llvm-svn: 155971
2012-05-02 00:31:29 +00:00
Anna Zaks 70de772d45 [analyzer] RetainRelease: Self assignment should not suppress a leak
warning.

llvm-svn: 155966
2012-05-02 00:15:40 +00:00
Anna Zaks 06be9117bf [analyzer] Fix an assertion failure triggered by the analyzer buildbot.
llvm-svn: 155964
2012-05-02 00:05:23 +00:00
Anna Zaks 263b7e016e [analyzer] Fix the 'ptr = ptr' false negative in the Malloc checker.
llvm-svn: 155963
2012-05-02 00:05:20 +00:00
Ted Kremenek f56d4f2991 Teach SValBuilder to handle casts of symbolic pointer values to an integer twice. Fixes <rdar://problem/11212866>.
llvm-svn: 155950
2012-05-01 21:58:29 +00:00
Anna Zaks b35437a85e [analyzer] Construct a SymExpr even when the constraint solver cannot
reason about the expression.

This essentially keeps more history about how symbolic values were
constructed. As an optimization, previous to this commit, we only kept
the history if one of the symbols was tainted, but it's valuable keep
the history around for other purposes as well: it allows us to avoid
constructing conjured symbols.

Specifically, we need to identify the value of ptr as
ElementRegion (result of pointer arithmetic) in the following code.
However, before this commit '(2-x)' evaluated to Unknown value, and as
the result, 'p + (2-x)' evaluated to Unknown value as well.

int *p = malloc(sizeof(int));
ptr = p + (2-x);

This change brings 2% slowdown on sqlite. Fixes radar://11329382.

llvm-svn: 155944
2012-05-01 21:10:26 +00:00
Ted Kremenek 555560c490 Teach RetainCountchecker about IORegistryEntrySearchCFProperty returning retained objects. I know there is an SDK enhancement request for this to have the cf_returns_retained annotation, so this is just a stop gap.
llvm-svn: 155887
2012-05-01 05:28:27 +00:00
Ted Kremenek ad8cd30095 malloc size checker: Ignore const'ness of pointer types when determining of a sizeof() type is compatible with a pointed type.
Fixes <rdar://problem/11292586>.

llvm-svn: 155864
2012-05-01 00:10:19 +00:00
David Blaikie 2d7c57ec1d Remove the ref/value inconsistency in filter_decl_iterator.
filter_decl_iterator had a weird mismatch where both op* and op-> returned T*
making it difficult to generalize this filtering behavior into a reusable
library of any kind.

This change errs on the side of value, making op-> return T* and op* return
T&.

(reviewed by Richard Smith)

llvm-svn: 155808
2012-04-30 02:36:29 +00:00
Jordy Rose 4f8198e788 [analyzer] Remove references to idx::TranslationUnit. Index is dead, cross-TU inlining never panned out.
llvm-svn: 155751
2012-04-28 01:58:08 +00:00
Ted Kremenek 2964aac03b Use a deque instead of an ImmutableList in AnalysisConsumer to preserve the file order that functions are visited. Should fix the buildbots.
llvm-svn: 155693
2012-04-27 04:54:28 +00:00
Ted Kremenek b2a470646a Change FunctionSummary.h's definition of SetOfDecls to be an ImmutableList instead
of a mutable SmallPtrSet.  While iterating over LocalTUDecls, there were cases
where we could modify LocalTUDecls, which could result in invalidating an iterator
and an analyzer crash.  Along the way, switch some uses of std::queue to std::dequeue,
which should be slightly more efficient.

Unfortunately, this is a difficult case to create a test case for.

llvm-svn: 155680
2012-04-27 00:38:33 +00:00
Ted Kremenek 468365b6be [analyzer] check lazy bindings in RegionStore first before looking for default values. Fixes <rdar://problem/11269741>.
llvm-svn: 155615
2012-04-26 05:08:26 +00:00
Ted Kremenek 01d152f43f Teach RetainCountChecker that it doesn't quite understand pthread_setspecific and it should just give up when it sees it. Fixes <rdar://problem/11282706>.
llvm-svn: 155613
2012-04-26 04:32:23 +00:00
Anna Zaks 7e53bd6fb0 [analyzer] Run remove dead bindings right before leaving a function.
This is needed to ensure that we always report issues in the correct
function. For example, leaks are identified when we call remove dead
bindings. In order to make sure we report a callee's leak in the callee,
we have to run the operation in the callee's context.

This change required quite a bit of infrastructure work since:
 - We used to only run remove dead bindings before a given statement;
here we need to run it after the last statement in the function. For
this, we added additional Program Point and special mode in the
SymbolReaper to remove all symbols in context lower than the current
one.
 - The call exit operation turned into a sequence of nodes, which are
now guarded by CallExitBegin and CallExitEnd nodes for clarity and
convenience.

(Sorry for the long diff.)

llvm-svn: 155244
2012-04-20 21:59:08 +00:00
Patrick Beard 0caa39474b Implements boxed expressions for Objective-C. <rdar://problem/10194391>
llvm-svn: 155082
2012-04-19 00:25:12 +00:00
Ted Kremenek 92e27e0900 Change ExprEngine::shouldInlineDecl() to be defensive in checking if the CFG of the callee is valid. Fixes <rdar://problem/11257631>.
llvm-svn: 154896
2012-04-17 01:36:03 +00:00
Anna Zaks 51244c22be [analyzer] Fix a false alarm in SelfInitChecker (radar://11235991).
Along with it, fix a couple of other corner cases and add more tests.

llvm-svn: 154866
2012-04-16 21:51:09 +00:00
Richard Smith c202b2809a Add an AttributedStmt type to represent a statement with C++11 attributes
attached. Since we do not support any attributes which appertain to a statement
(yet), testing of this is necessarily quite minimal.

Patch by Alexander Kornienko!

llvm-svn: 154723
2012-04-14 00:33:13 +00:00
Douglas Gregor 0481c8f206 Remove the unused, unmaintained, incomplete 'Index' library.
llvm-svn: 154672
2012-04-13 16:31:46 +00:00
Anna Zaks 8e0785286a [analyzer] PCH deserialization optimization.
We should not deserialize unused declarations from the PCH file. Achieve
this by storing the top level declarations during parsing
(HandleTopLevelDecl ASTConsumer callback) and analyzing/building a call
graph only for those.

Tested the patch on a sample ObjC file that uses PCH. With the patch, 
 the analyzes is 17.5% faster and clang consumes 40% less memory.
Got about 10% overall build/analyzes time decrease on a large Objective
C project.

A bit of CallGraph refactoring/cleanup as well..

llvm-svn: 154625
2012-04-12 22:36:48 +00:00
Anna Zaks f36a6f54ae [analyzer] dynamic_cast Simplify null value generation.
As per Jordy's review. Creating a symbol here is more flexible; however
I could not come up with an example where it was needed. (What
constrains can be added on of the symbol constrained to 0?)

llvm-svn: 154542
2012-04-11 22:20:07 +00:00
Anna Zaks b508d29b78 [analyzer] Don't crash even when the system functions are redefined.
(Applied changes to CStringAPI, Malloc, and Taint.)

This might almost never happen, but we should not crash even if it does.
This fixes a crash on the internal analyzer buildbot, where postgresql's
configure was redefining memmove (radar://11219852).

llvm-svn: 154451
2012-04-10 23:41:11 +00:00
Anna Zaks 02ecae9282 [analyzer] dynamic_cast: Better model cast from a reference.
Generate a sink when the dynamic_cast from a reference fails to
represent a thrown exception.

llvm-svn: 154438
2012-04-10 21:29:03 +00:00
Anna Zaks 3bc6809ecb [analyzer] Add support for C++ dynamic_cast.
Simulate the C++ dynamic_cast in the analyzer.

llvm-svn: 154434
2012-04-10 20:59:00 +00:00
Ted Kremenek a85f38ba3a Rework ExprEngine::evalLoad and clients (e.g. VisitBinaryOperator) so that when we generate a new ExplodedNode
we use the same Expr* as the one being currently visited.  This is preparation for transitioning to having
ProgramPoints refer to CFGStmts.

This required a bit of trickery.  We wish to keep the old Expr* bindings in the Environment intact,
as plenty of logic relies on it and there is no reason to change it, but we sometimes want the Stmt* for
the ProgramPoint to be different than the Expr* being used for bindings.  This requires adding an extra
argument for some functions (e.g., evalLocation).  This looks a bit strange for some clients, but
it will look a lot cleaner when were start using CFGStmt* in the appropriate places.

As some fallout, the diagnostics arrows are a bit difference, since some of the node locations have changed.
I have audited these, and they look reasonable.

llvm-svn: 154214
2012-04-06 22:10:18 +00:00
Jordy Rose c0230d7a35 [analyzer] Check that the arguments to NSOrderedSet creation methods are valid ObjC objects.
Patch by Sean McBride!

llvm-svn: 154194
2012-04-06 19:06:01 +00:00
Ted Kremenek b45d198b6f Require that all static analyzer issues have a category. As part of this change,
consolidate some commonly used category strings into global references (more of this can be done, I just did a few).

Fixes <rdar://problem/11191537>.

llvm-svn: 154121
2012-04-05 20:43:28 +00:00
Ted Kremenek 34ac1cf3cd Handle symbolicating a reference in an initializer expression that we don't understand.
llvm-svn: 154084
2012-04-05 05:56:31 +00:00
Ted Kremenek 00fa5968cb Teach ObjCContainersChecker that the array passed to CFArrayGetValueAtIndex might not be a symbolic value.
llvm-svn: 154083
2012-04-05 05:18:05 +00:00
Anna Zaks 8382e4547f [analyzer] Move stats calculation out of AnalysisConsumer destructor.
The ASTConsumer does not get deleted with clang --analyze (for
performance reasons), we still want the diagnostics to work.

llvm-svn: 154078
2012-04-05 02:10:21 +00:00
Anna Zaks 67c83d247e [analyzer] Change warding in a path diagnostic:
"No method actually called because receiver is nil" ->
"No method is called because receiver is nil"

llvm-svn: 154077
2012-04-05 02:10:19 +00:00
Anna Zaks e70eea0234 [analyzer] Remove redundant if statement (pointed out by Ted).
llvm-svn: 154075
2012-04-05 02:10:14 +00:00
Ted Kremenek dc53f0094b Look through chains of 'x = y = z' when employing silencing heuristics in the DeadStoresChecker.
Fixes <rdar://problem/11185138>.

llvm-svn: 154040
2012-04-04 19:58:03 +00:00
Ted Kremenek 5a10f08b52 Include the "issue context" (e.g. function or method) where a static analyzer issue occurred in the plist output.
Fixes <rdar://problem/11004527>

llvm-svn: 154030
2012-04-04 18:11:35 +00:00
Ted Kremenek 56458cab04 Change BugReporter's usage of IsCachedDiagnostic to only impact pruning diagnostics emitted to the
console, and leave it up to PathDiagnosticConsumer to unique reports with the shortest path.

llvm-svn: 153987
2012-04-04 00:55:29 +00:00
Anna Zaks cc24e45e27 [analyzer] Record the basic blocks covered by the analyzes run.
Store this info inside the function summary generated for all analyzed
functions. This is useful for coverage stats and can be helpful for
analyzer state space search strategies.

llvm-svn: 153923
2012-04-03 02:05:47 +00:00
Ted Kremenek b75f4e5e9b Fix another false positive in RegionStore involving doing loads from symbolic offsets. We still don't
properly reason about such accesses, but we shouldn't emit bogus "uninitialized value" warnings
either.  Fixes <rdar://problem/11127008>.

llvm-svn: 153913
2012-04-03 00:03:34 +00:00
Ted Kremenek 3b008eecf4 Fix potential null dereference in the static analyzer when inlining a call that has already been inlined. Unfortunately I have no test case.
llvm-svn: 153900
2012-04-02 21:55:06 +00:00
Benjamin Kramer ac19edd2b0 Analyzer: Store BugReports directly in a ilist instead of adding another layer of inderection with std::list
llvm-svn: 153847
2012-04-01 19:30:51 +00:00
Anna Zaks 90ab9bfa11 [analyzer]Malloc,RetainRelease: Allow pointer to escape via NSMapInsert.
Fixes a false positive (radar://11152419). The current solution of
adding the info into 3 places is quite ugly. Pending a generic pointer
escapes callback.

llvm-svn: 153731
2012-03-30 05:48:16 +00:00
Anna Zaks 54fd4a0766 [analyzer] Do not inline functions which previously reached max block
count.

This is an optimization for "retry without inlining" option. Here, if we
failed to inline a function due to reaching the basic block max count,
we are going to store this information and not try to inline it
again in the translation unit. This can be viewed as a function summary.

On sqlite, with this optimization, we are 30% faster then before and
cover 10% more basic blocks (partially because the number of times we
reach timeout is decreased by 20%).

llvm-svn: 153730
2012-03-30 05:48:10 +00:00
Anna Zaks 72eee39df7 [analyzer] Enable retry exhausted without inlining by default.
llvm-svn: 153591
2012-03-28 19:59:16 +00:00
Anna Zaks 850d2dea82 [analyser] Stats checker: do not mark a node as exhausted if we will
retry without inlining.

(+ other minor cleanups)

llvm-svn: 153581
2012-03-28 17:05:50 +00:00
Anna Zaks 8293bae850 [analyzer] Refactor: Use Decl when determining if the Block belongs to
the root function.

(This is a bit cleaner then using the StackFrame.)

llvm-svn: 153580
2012-03-28 17:05:46 +00:00
Ted Kremenek 41daf12e2c Fix suspicious comparison reported by PVS-Studio!
llvm-svn: 153568
2012-03-28 05:24:50 +00:00
Anna Zaks 5b3939fae6 [analyzer] Add an option to re-analyze a dead-end path without inlining.
The analyzer gives up path exploration under certain conditions. For
example, when the same basic block has been visited more than 4 times.
With inlining turned on, this could lead to decrease in code coverage.
Specifically, if we give up inside the inlined function, the rest of
parent's basic blocks will not get analyzed.

This commit introduces an option to enable re-run along the failed path,
in which we do not inline the last inlined call site. This is done by
enqueueing the node before the processing of the inlined call site
with a special policy encoded in the state. The policy tells us not to
inline the call site along the path.

This lead to ~10% increase in the number of paths analyzed. Even though
we expected a much greater coverage improvement. 

The option is turned off by default for now.

llvm-svn: 153534
2012-03-27 20:02:53 +00:00
Anna Zaks dc36e616a4 [analyzer] Stats checker: minor interprocedural tweaks.
Report root function name with exhausted block diagnostic.

Also, use stack frames, not just any location context when checking if
the basic block is in the same context.

llvm-svn: 153532
2012-03-27 20:02:44 +00:00
Anna Zaks 23df6bb18f [analyzer] Stats: Only count the number of times we run path sensitive
analyzes.

(This method can be called twice on the same function.)

llvm-svn: 153531
2012-03-27 20:02:41 +00:00
Ted Kremenek e9a5bcf17e Change RetainCountChecker to eagerly "escape" retained objects when they are
assigned to a struct.  This is fallout from inlining results, which expose
far more patterns where people stuff CF objects into structs and pass them
around (and we can reason about it).  The problem is that we don't have
a general way to detect when values have escaped, so as an intermediate step
we need to eagerly prune out such tracking.

Fixes <rdar://problem/11104566>.

llvm-svn: 153489
2012-03-27 01:12:45 +00:00
Anna Zaks a651c4099d [analyzer] Malloc: Allow a pointer to escape through OSAtomicEnqueue.
llvm-svn: 153453
2012-03-26 18:18:39 +00:00
Jordy Rose 21ff76e916 [analyzer] Tighten up the realloc() failure path note generation...make sure we get the right realloc()!
llvm-svn: 153370
2012-03-24 03:15:09 +00:00
Jordy Rose 43a9af7352 [analyzer] Restart path diagnostic generation if any of the visitors change the report configuration while walking the path.
This required adding a change count token to BugReport, but also allowed us to ditch ImmutableList as the BugReporterVisitor data type.

Also, remove the hack from MallocChecker, now that visitors appear in the opposite order. This is not exactly a fix, but the common case -- custom diagnostics after generic ones -- is now the default behavior.

llvm-svn: 153369
2012-03-24 03:03:29 +00:00
Jordy Rose f78877e99a [analyzer] Add a clone() method to BugReporterVisitor, so that we'll be able to reset diagnostic generation.
llvm-svn: 153368
2012-03-24 02:45:35 +00:00
Ted Kremenek 161046edab Avoid applying retain/release effects twice in RetainCountChecker when a function call was inlined (i.e., we do not need to apply summaries in such cases).
llvm-svn: 153309
2012-03-23 06:26:56 +00:00
Anton Yartsev edb062887f corrected check::EndOfTranslationUnit checker name and added 'const' to declaration
llvm-svn: 153302
2012-03-23 02:43:24 +00:00
Ted Kremenek 30de950bba Fix static analyzer crash on code taking the address of a field. Fixes PR 11146.
llvm-svn: 153283
2012-03-22 21:42:31 +00:00
Anna Zaks a407b59ce8 [analyzer] Add the stat for the number of successfully explored paths.
llvm-svn: 153281
2012-03-22 21:06:06 +00:00
Anna Zaks 06bf78c242 [analyzer] Add stats useful for coverage investigations.
llvm-svn: 153280
2012-03-22 21:06:03 +00:00
Anna Zaks 395c0dd70e [analyzer] Add inlining awareness to the block coverage computation
(Stats Checker).

llvm-svn: 153279
2012-03-22 21:05:57 +00:00
Ted Kremenek 40c13431aa "Teach" RetainCountChecker about dispatch_set_context, which can indirectly free its argument later. Fixes <rdar://problem/11059275>.
llvm-svn: 153244
2012-03-22 06:29:41 +00:00
Anna Zaks 9fe8098e29 [analyzer] Malloc: drop symbols captured by blocks.
llvm-svn: 153232
2012-03-22 00:57:20 +00:00
Benjamin Kramer c25c5e0ba2 Remove unused variable, fix indentation.
llvm-svn: 153220
2012-03-21 21:03:48 +00:00
Anna Zaks fc2e153444 [analyzer] Malloc: Utter the name of the leaked variable.
Specifically, we use the last store of the leaked symbol in the leak diagnostic.
(No support for struct fields since the malloc checker doesn't track those
yet.)

+ Infrastructure to track the regions used in store evaluations.
This approach is more precise than iterating the store to
obtain the region bound to the symbol, which is used in RetainCount
checker. The region corresponds to what is uttered in the code in the
last store and we do not rely on the store implementation to support
this functionality.

llvm-svn: 153212
2012-03-21 19:45:08 +00:00
Anna Zaks 6797d6ee23 [analyser] Factor out FindUniqueBinding from RetainCount checker.
So that others could use it as well. No functionality change.

llvm-svn: 153211
2012-03-21 19:45:01 +00:00
Jordy Rose bf38f20e79 [analyzer] Mark a failed-realloc's result as an interesting symbol between the realloc call and the null check, so we get nicer path notes. Fixes a regression introduced by the diagnostic pruning added in r152361.
This is accomplished by calling markInteresting /during/ path diagnostic generation, and as such relies on deterministic ordering of BugReporterVisitors -- namely, that BugReporterVisitors are run in /reverse/ order from how they are added. (Right now that's a consequence of storing visitors in an ImmutableList, where new items are added to the front.) It's a little hacky, but it works for now.

I think this is the best we can do without storing the relation between the old and new symbols, and that would be a hit whether or not there ends up being an error.

llvm-svn: 153010
2012-03-18 07:43:35 +00:00
Jordy Rose 61c974b492 [analyzer] Use a FoldingSet to cache simple RetainSummary instances, rather than explicitly keeping DoNothing and StopTracking summaries and nothing else.
I tried to test the effects of this change on memory usage and run time, but what I saw on retain-release.m was indistinguishable from noise (debug and release builds). Even so, some caveman profiling showed 101 cache hits that we would have generated new summaries for before (i.e. not default or stop summaries), and the more code we analyze, the more memory we should save.

Maybe we should have a standard project for benchmarking the retain count checker's memory and time?

llvm-svn: 153007
2012-03-18 01:26:10 +00:00
Jordy Rose 35e71c771d [analyzer] Unify retain-count summary generation for class and instance methods. No functionality change.
llvm-svn: 153001
2012-03-17 21:13:07 +00:00
Jordy Rose 7063883e8c [analyzer] Remove duplicate work on deriving method behavior. No functionality change.
The cocoa::deriveNamingConventions helper is just using method families anyway now, and the way RetainSummaryTemplate works means we're allocating an extra summary for every method with a relevant family.

Also, fix RetainSummaryTemplate to do the right thing w/r/t annotating an /existing/ summary. This was probably the real cause of <rdar://problem/10824732> and the fix in r152448.

llvm-svn: 152998
2012-03-17 19:53:04 +00:00
NAKAMURA Takumi 3ec7c4574f StaticAnalyzer: Fix abuse of StringRef in r152962.
llvm-svn: 152982
2012-03-17 13:06:05 +00:00
Jordy Rose 78373e505d [analyzer] Don't claim an object was returned with +1 retain count before counting autoreleases. Fixes PR10376.
(Also, 80-column violations.)

llvm-svn: 152976
2012-03-17 05:49:15 +00:00
Anna Zaks a7f457a5ea [analyzer] Shorten the stack hint diagnostic.
Do not display the standard "Returning from 'foo'", when a stack hint is
available.

llvm-svn: 152964
2012-03-16 23:44:28 +00:00
Anna Zaks cba4f298c6 [analyzer] Create symbol-aware stack hints (building upon r152837).
The symbol-aware stack hint combines the checker-provided message
with the information about how the symbol was passed to the callee: as
a parameter or a return value.

For malloc, the generated messages look like this :
"Returning from 'foo'; released memory via 1st parameter"
"Returning from 'foo'; allocated memory via 1st parameter"
"Returning from 'foo'; allocated memory returned"
"Returning from 'foo'; reallocation of 1st parameter failed"


(We are yet to handle cases when the symbol is a field in a struct or
an array element.)

llvm-svn: 152962
2012-03-16 23:24:20 +00:00
Anna Zaks 180e4aa246 [analyzer] +Comments
llvm-svn: 152961
2012-03-16 23:24:16 +00:00
Anna Zaks bbea3e7780 [analyzer] Add a statistic for the number of times we reach the max
number of steps in the work list.

llvm-svn: 152960
2012-03-16 23:24:13 +00:00
Ted Kremenek b1279b5c47 Fix analyzer crash on analyzing 'catch' with no condition variable.
llvm-svn: 152900
2012-03-16 05:58:15 +00:00
Jordy Rose 735724fb1e [analyzer] If a metadata symbol is interesting, its region is interesting as well.
llvm-svn: 152868
2012-03-15 22:45:29 +00:00
Jordy Rose 01b59cd87a [analyzer] Remove AggExprVisitor, a dead class that assisted in visiting C++ expressions with a "base object", because the CFG is now linearized.
The only use of AggExprVisitor was in #if 0 code (the analyzer's incomplete C++ support), so there is no actual behavioral change anyway.

llvm-svn: 152856
2012-03-15 21:46:47 +00:00
Anna Zaks 1ff57d57e8 [analyzer] Allow checkers to supply call stack diagnostic hints for the
BugVisitor DiagnosticPieces.

When checkers create a DiagnosticPieceEvent, they can supply an extra
string, which will be concatenated with the call exit message for every
call on the stack between the diagnostic event and the final bug report.
(This is a simple version, which could be/will be further enhanced.)

For example, this is used in Malloc checker to produce the ",
which allocated memory" in the following example:

static char *malloc_wrapper() { // 2. Entered call from 'use'
    return malloc(12);    // 3. Memory is allocated
}

void use() {
    char *v;
    v = malloc_wrapper(); // 1. Calling 'malloc_wrappers'
        // 4. Returning from 'malloc_wrapper', which allocated memory
}                         // 5. Memory is never released; potential
memory leak

llvm-svn: 152837
2012-03-15 21:13:02 +00:00
Matt Beaumont-Gay be84d85905 '#if 0' out a variable that's only used in other preprocessor-disabled code.
(Why are we keeping all of this code around anyway? Say the word and I'll
start swinging the delete hammer.)

llvm-svn: 152749
2012-03-14 23:12:42 +00:00
Anna Zaks d4e9059fe0 [analyzer] Diagnostics: Supply Caller information even if the bug occurs
in the callee.

llvm-svn: 152734
2012-03-14 18:58:28 +00:00
Erik Verbruggen 5923cbd27b [Analyser] Remove unnecessary recursive visits for ExprWithCleanups and
MaterializeTemporaryExpr.

llvm-svn: 152730
2012-03-14 18:01:43 +00:00
Erik Verbruggen fe66dd624d [Analyser] Removes more recursive visitations in ExprEngine that are no
longer needed as the CFG is fully linearized.

llvm-svn: 152720
2012-03-14 15:38:55 +00:00
Anna Zaks 9ff686239a [analyser] Refactor shouldInline logic into a helper.
llvm-svn: 152677
2012-03-13 22:15:58 +00:00
Anna Zaks 6e5b48a6b4 [analyzer] Call enter/exit diagnostic should refer to caller/callee,
respectively.

llvm-svn: 152676
2012-03-13 22:15:55 +00:00
Anna Zaks 943c680605 [analyzer] Change the order in which we analyze the functions under
inlining to be the reverse of their declaration.

This optimizes running time under inlining up to 20% since we do not
re-analyze the utility functions which are usually defined first in the
translation unit if they have already been analyzed while inlined into
the root functions.

llvm-svn: 152653
2012-03-13 19:32:19 +00:00
Anna Zaks ca70ed53da [analyzer] Use BFS over call graph when analysing functions.
BFS should give slightly better performance. Ex: Suppose, we have two
roots R1 and R2. A callee function C is reachable through both. However,
C is not inlined when analyzing R1 due to inline stack depth limit. With
DFS, C will be analyzed as top level even though it would be analyzed as
inlined through R2. On the other hand, BFS could avoid analyzing C as
top level.

llvm-svn: 152652
2012-03-13 19:32:13 +00:00
Anna Zaks 32da47b9a1 [analyzer] Refactor CallGraph to use Recursive AST visitor when
collecting function Decls.

llvm-svn: 152651
2012-03-13 19:32:08 +00:00
Anna Zaks 1418951405 [analyzer] Use recursive AST visitor to drive simple visitation order in
AnalysisConsumer.

As a result:
 - We now analyze the C++ methods which are defined within the
class body. These were completely skipped before.

- Ensure that AST checkers are called on functions in the
order they are defined in the Translation unit.

llvm-svn: 152650
2012-03-13 19:32:00 +00:00
Anna Zaks aa19abe978 [analyzer] Minor: factor out logic for determining if we should skip a
function.

llvm-svn: 152649
2012-03-13 19:31:54 +00:00
Anna Zaks e756ce0c5d [analyzer] Move the check for parser errors out of the loop over Decls.
llvm-svn: 152648
2012-03-13 19:31:47 +00:00
Ted Kremenek e6aac4e888 Add new analyzer diagnostic mode where plists can have bugs that span multiple files.
llvm-svn: 152586
2012-03-12 23:14:53 +00:00
Ted Kremenek 487cdbfdb0 [analyzer] Include inlining call stack depth in plist output.
llvm-svn: 152584
2012-03-12 22:10:57 +00:00
David Blaikie bbafb8a745 Unify naming of LangOptions variable/get function across the Clang stack (Lex to AST).
The member variable is always "LangOpts" and the member function is always "getLangOpts".

Reviewed by Chris Lattner

llvm-svn: 152536
2012-03-11 07:00:24 +00:00
Jordy Rose f80b2cced7 [analyzer] Replace a static helper with existing logic. No functionality change.
llvm-svn: 152521
2012-03-11 00:08:24 +00:00
John McCall 113bee0536 Remove BlockDeclRefExpr and introduce a bit on DeclRefExpr to
track whether the referenced declaration comes from an enclosing
local context.  I'm amenable to suggestions about the exact meaning
of this bit.

llvm-svn: 152491
2012-03-10 09:33:50 +00:00
Ted Kremenek 8fdb59f979 [analyzer] fix regression in analyzer of NOT actually aborting on Stmts it doesn't understand. We registered
as aborted, but didn't treat such cases as sinks in the ExplodedGraph.

Along the way, add basic support for CXXCatchStmt, expanding the set of code we actually analyze (hopefully correctly).

Fixes: <rdar://problem/10892489>
llvm-svn: 152468
2012-03-10 01:34:17 +00:00
Ted Kremenek 33be12003f Teach RetainCountChecker about mixing method families with explicit annotations. Fixes <rdar://problem/10824732>.
llvm-svn: 152448
2012-03-09 23:34:08 +00:00
Anna Zaks 394d07ea88 [analyzer] Add support for NoRedundancy inlining mode.
We do not reanalyze a function, which has already been analyzed as an
inlined callee. As per PRELIMINARY testing, this gives over
50% run time reduction on some benchmarks without decreasing of the
number of bugs found.

Turning the mode on by default.

llvm-svn: 152440
2012-03-09 21:14:01 +00:00
Ted Kremenek 1e809b4c4c [analyzer] Implement basic path diagnostic pruning based on "interesting" symbols and regions.
Essentially, a bug centers around a story for various symbols and regions.  We should only include
the path diagnostic events that relate to those symbols and regions.

The pruning is done by associating a set of interesting symbols and regions with a BugReporter, which
can be modified at BugReport creation or by BugReporterVisitors.

This patch reduces the diagnostics emitted in several of our test cases.  I've vetted these as
having desired behavior.  The only regression is a missing null check diagnostic for the return
value of realloc() in test/Analysis/malloc-plist.c.  This will require some investigation to fix,
and I have added a FIXME to the test case.

llvm-svn: 152361
2012-03-09 01:13:14 +00:00
Anna Zaks eee9110721 [analyzer] Use call graph to determine order in which functions are
analyzed.

The CallGraph is used when inlining is on, which is the current default.

This alone does not bring any performance improvement. It's a
stepping stone for the upcoming optimization in which we do not
re-analyze a function that has already been analyzed while inlined in
other functions. Using the call graph makes it easier to play with
the order of functions to minimize redundant analyzes.

llvm-svn: 152352
2012-03-08 23:16:38 +00:00
Anna Zaks 0af3e06ff6 [analyzer] Rework inlining related command line options.
- Remove -analyzer-inline-call.
 - Add -analyzer-ipa=[none|inlining]
 - Add -analyzer-inlining-mode to allow experimentation for
different performance tuning methods.

llvm-svn: 152351
2012-03-08 23:16:35 +00:00
Anna Zaks c000e7ed3d Add a basic CallGraph to Analysis.
The final graph contains a single root node, which is a parent of all externally available functions(and 'main'). As well as a list of Parentless/Unreachable functions, which are either truly unreachable or are unreachable due to our analyses imprecision.

The analyzer checkers debug.DumpCallGraph or debug.ViewGraph can be used to look at the produced graph.

Currently, the graph is not very precise, for example, it entirely skips edges resulted from ObjC method calls.

llvm-svn: 152272
2012-03-08 00:42:23 +00:00
Richard Smith c67fdd4eb9 AST representation for user-defined literals, plus just enough of semantic
analysis to make the AST representation testable. They are represented by a
new UserDefinedLiteral AST node, which is a sugared CallExpr. All semantic
properties, including full CodeGen support, are achieved for free by this
representation.

UserDefinedLiterals can never be dependent, so no custom instantiation
behavior is required. They are mangled as if they were direct calls to the
underlying literal operator. This matches g++'s apparent behavior (but not its
actual mangling, which is broken for literal-operator-ids).

User-defined *string* literals are now fully-operational, but the semantic
analysis is quite hacky and needs more work. No other forms of user-defined
literal are created yet, but the AST support for them is present.

This patch committed after midnight because we had already hit the quota for
new kinds of literal yesterday.

llvm-svn: 152211
2012-03-07 08:35:16 +00:00
Ted Kremenek 415287d943 Add static analyzer support for new NSArray/NSDictionary/NSNumber literals.
llvm-svn: 152139
2012-03-06 20:06:12 +00:00
Ted Kremenek 04e860df2c [analyzer] add a diagnostic event when entering a call via inlining, within the callee, and add an edge.
llvm-svn: 152086
2012-03-06 01:25:01 +00:00
Ted Kremenek 024ba20bef [analyzer] 'Looping back to the head of the loop' diagnostics are prunable.
llvm-svn: 152083
2012-03-06 01:00:36 +00:00
Jordy Rose 330de22fe0 [analyzer] Remove now-unused constant. No functionality change.
llvm-svn: 152080
2012-03-06 00:33:35 +00:00
Jordy Rose 0accc6ae7b [analyzer] Fix unnecessary dyn_cast_or_null. No functionality change.
llvm-svn: 152078
2012-03-06 00:28:20 +00:00
Ted Kremenek 6762a94040 Teak CallAndMessageChecker to only warn about uninitialized struct fields in call arguments
when the called function is never inlined.

Fixes <rdar://problem/10977037>.

llvm-svn: 152073
2012-03-05 23:57:14 +00:00
Ted Kremenek 9d96f843b8 Teach SimpleSValBuilder that (in the absence of more information) stack memory doesn't alias symbolic memory. This is a heuristic/hack, but works well in practice. Fixes <rdar://problem/10978247>.
llvm-svn: 152065
2012-03-05 23:06:19 +00:00