Commit Graph

48 Commits

Author SHA1 Message Date
Artem Dergachev 4b0d160a09 [analyzer] Add missing pre-post-statement callbacks for OffsetOfExpr.
This expression may or may not be evaluated in compile time, so tracking the
result symbol is of potential interest. However, run-time offsetof is not yet
supported by the analyzer, so for now this callback is only there to assist
future implementation.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D42300

llvm-svn: 324790
2018-02-10 00:55:49 +00:00
Artem Dergachev d3c54313ab [analyzer] NFC: Run many existing C++ tests with a custom operator new().
In order to provide more test coverage for inlined operator new(), add more
run-lines to existing test cases, which would trigger our fake header
to provide a body for operator new(). Most of the code should still behave
reasonably. When behavior intentionally changes, #ifs are provided.

Differential Revision: https://reviews.llvm.org/D42221

llvm-svn: 323376
2018-01-24 21:24:10 +00:00
Devin Coughlin 2ff57bcd18 [analyzer] Provide a check name when MallocChecker enables CStringChecker
Fix an assertion failure caused by a missing CheckName. The malloc checker
enables "basic" support in the CStringChecker, which causes some CString
bounds checks to be enabled. In this case, make sure that we have a
valid CheckName for the BugType.

llvm-svn: 323052
2018-01-20 23:11:17 +00:00
Artem Dergachev 8fa639ecf0 [analyzer] Initial commit for the upcoming refactoring of the IteratorChecker.
The new checker currently contains the very core infrastructure for tracking
the state of iterator-type objects in the analyzer: relating iterators to
their containers, tracking symbolic begin and end iterator values for
containers, and solving simple equality-type constraints over iterators.
A single specific check over this infrastructure is capable of finding usage of
out-of-range iterators in some simple cases.

Patch by Ádám Balogh!

Differential revision: https://reviews.llvm.org/D32592

llvm-svn: 304160
2017-05-29 15:03:20 +00:00
Gabor Horvath 3d57457298 [analyzer] Add checker for iterators dereferenced beyond their range.
Patch by: Adam Balogh!

Differential Revision: https://reviews.llvm.org/D25660

llvm-svn: 291430
2017-01-09 09:52:32 +00:00
Artem Dergachev 85c9211043 [analyzer] Add another exception for Qt in MallocChecker
Treat pointers passed to QObject::connectImpl() as escaping.

rdar://problem/29550440

Differential Revision: https://reviews.llvm.org/D27717

llvm-svn: 289939
2016-12-16 12:21:55 +00:00
Anna Zaks 44cdeb1da2 [analyzer] Teach the analyzer that pointers can escape into __cxa_demangle
This fixes a reported false positive in the malloc checker.

Differential Revision: https://reviews.llvm.org/D27599

llvm-svn: 289886
2016-12-15 22:55:18 +00:00
Anna Zaks 40c74c6d22 [analyzer] Refer to macro names in diagnostics for macros representing a literal
When a macro expending to a literal is used in a comparison, use the macro name
in the diagnostic rather than the literal. This improves readability of path
notes.

Added tests for various macro literals that could occur. Only BOOl, Int, and
NULL tests have changed behavior with this patch.

Differential Revision: https://reviews.llvm.org/D27726

llvm-svn: 289884
2016-12-15 22:55:11 +00:00
Artem Dergachev 940c770d27 [analyzer] Add NumberObjectConversion checker.
When dealing with objects that represent numbers, such as Objective-C NSNumber,
the language provides little protection from accidentally interpreting
the value of a pointer to such object as the value of the number represented
by the object. Results of such mis-interpretation may be unexpected.

The checker attempts to fill this gap in cases when the code is obviously
incorrect.

With "Pedantic" option enabled, this checker enforces a coding style to
completely prevent errors of this kind (off by default).

Differential Revision: https://reviews.llvm.org/D22968

llvm-svn: 284473
2016-10-18 11:06:28 +00:00
Devin Coughlin 184996bbb4 [analyzer] Use lazily created buffer in EmptyLocalizationContextChecker
Fix a crash when relexing the underlying memory buffer to find incorrect
arguments to NSLocalizedString(). With precompiled headers, the raw
buffer may be NULL. Instead, use the source manager to get the buffer,
which will lazily create the buffer for precompiled headers.

rdar://problem/27429091

llvm-svn: 280174
2016-08-30 23:07:14 +00:00
Gabor Horvath b59b27040e Reapply "[analyzer] Added valist related checkers."
Differential Revision: https://reviews.llvm.org/D15227

llvm-svn: 279427
2016-08-22 11:21:30 +00:00
Gabor Horvath 2402dd1e82 revert [analyzer] Added valist related checkers.
llvm-svn: 279043
2016-08-18 09:13:37 +00:00
Gabor Horvath 56e8aa535b [analyzer] Added valist related checkers.
Differential Revision: https://reviews.llvm.org/D15227

llvm-svn: 279041
2016-08-18 08:43:26 +00:00
Devin Coughlin 0a53fdf00c [analyzer] Suppress false positives in std::shared_ptr
The analyzer does not model C++ temporary destructors completely and so
reports false alarms about leaks of memory allocated by the internals of
shared_ptr:

  std::shared_ptr<int> p(new int(1));
  p = nullptr; // 'Potential leak of memory pointed to by field __cntrl_'

This patch suppresses all diagnostics where the end of the path is inside
a method in std::shared_ptr.

It also reorganizes the tests for suppressions in the C++ standard library
to use a separate simulated header for library functions with bugs
that were deliberately inserted to test suppression. This will prevent
other tests from using these as models.

rdar://problem/23652766

llvm-svn: 274691
2016-07-06 21:52:55 +00:00
Devin Coughlin 77942db0b8 [analyzer] Nullability: Don't warn along paths where null returned from non-null.
Change the nullability checker to not warn along paths where null is returned from
a method with a non-null return type, even when the diagnostic for this return
has been suppressed. This prevents warning from methods with non-null return types
that inline methods that themselves return nil but that suppressed the diagnostic.

Also change the PreconditionViolated state component to be called "InvariantViolated"
because it is set when a post-condition is violated, as well.

rdar://problem/25393539

llvm-svn: 264647
2016-03-28 20:30:25 +00:00
Devin Coughlin b8076292ab [analyzer] Add CIFIlter modeling to DeallocChecker.
The -dealloc method in CIFilter is highly unusual in that it will release
instance variables belonging to its *subclasses* if the variable name
starts with "input" or backs a property whose name starts with "input".
Subclasses should not release these ivars in their own -dealloc method --
doing so could result in an over release.

Before this commit, the DeallocChecker would warn about missing releases for
such "input" properties -- which could cause users of the analyzer to add
over releases to silence the warning.

To avoid this, DeallocChecker now treats CIFilter "input-prefixed" ivars
as MustNotReleaseDirectly and so will not require a release. Further, it
will now warn when such an ivar is directly released in -dealloc.

rdar://problem/25364901

llvm-svn: 264463
2016-03-25 21:18:22 +00:00
Devin Coughlin a1d9d75a88 [analyzer] Nullability: add option to not report on calls to system headers.
Add an -analyzer-config 'nullability:NoDiagnoseCallsToSystemHeaders' option to
the nullability checker. When enabled, this option causes the analyzer to not
report about passing null/nullable values to functions and methods declared
in system headers.

This option is motivated by the observation that large projects may have many
nullability warnings. These projects may find warnings about nullability
annotations that they have explicitly added themselves higher priority to fix
than warnings on calls to system libraries.

llvm-svn: 262763
2016-03-05 01:32:43 +00:00
Devin Coughlin 093594938b [analyzer] Teach CheckObjCDealloc about Block_release().
It now treats Block_release(b) as a release in addition to [b release].

llvm-svn: 262272
2016-02-29 23:57:10 +00:00
Devin Coughlin 3fc67e47e5 [analyzer] Don't treat calls to system headers as escaping in CheckObjCDealloc.
This prevents false negatives when a -dealloc method, for example, removes itself as
as an observer with [[NSNotificationCenter defaultCenter] removeObserver:self]. It is
unlikely that passing 'self' to a system header method will release 'self''s instance
variables, so this is unlikely to produce false positives.

A challenge here is that while CheckObjCDealloc no longer treats these calls as
escaping, the rest of the analyzer still does. In particular, this means that loads
from the same instance variable before and after a call to a system header will
result in different symbols being loaded by the region store. To account for this,
the checker now treats different ivar symbols with the same instance and ivar decl as
the same for the purpose of release checking and more eagerly removes a release
requirement when an instance variable is assumed to be nil. This was not needed before
because when an ivar escaped its release requirement was always removed -- now the
requirement is not removed for calls to system headers.

llvm-svn: 262261
2016-02-29 21:44:08 +00:00
Devin Coughlin 9165df129e [analyzer] Invalidate destination of std::copy() and std::copy_backward().
Now that the libcpp implementations of these methods has a branch that doesn't call
memmove(), the analyzer needs to invalidate the destination for these methods explicitly.

rdar://problem/23575656

llvm-svn: 260043
2016-02-07 16:55:44 +00:00
Anna Zaks 03f483353c [analyzer] Fix false warning about memory leak for QApplication::postEvent
According to Qt documentation Qt takes care of memory allocated for QEvent:
http://doc.qt.io/qt-4.8/qcoreapplication.html#postEvent

A patch by Evgeniy Dushistov!

Differential Revision: http://reviews.llvm.org/D14170

llvm-svn: 256887
2016-01-06 00:32:56 +00:00
Anna Zaks ac4c8a639c [analyzer] Suppress reports coming from std::__independent_bits_engine
The analyzer reports a shift by a negative value in the constructor. The bug can
be easily triggered by calling std::random_shuffle on a vector
(<rdar://problem/19658126>).

(The shift by a negative value is reported because __w0_ gets constrained to
63 by the conditions along the path:__w0_ < _WDt && __w0_ >= _WDt-1,
where _WDt is 64. In normal execution, __w0_ is not 63, it is 1 and there is
no overflow. The path is infeasible, but the analyzer does not know about that.)

llvm-svn: 256886
2016-01-06 00:32:52 +00:00
Yury Gribov 22b4164e7d [analyzer] Add VforkChecker to find unsafe code in vforked process.
This checker looks for unsafe constructs in vforked process:
function calls (excluding whitelist), memory write and returns.
This was originally motivated by a vfork-related bug in xtables package.

Patch by Yury Gribov.

Differential revision: http://reviews.llvm.org/D14014

llvm-svn: 252285
2015-11-06 11:16:31 +00:00
Anna Zaks fe1eca5169 [analyzer] Assume escape is possible through system functions taking void*
The analyzer assumes that system functions will not free memory or modify the
arguments in other ways, so we assume that arguments do not escape when
those are called. However, this may lead to false positive leak errors. For
example, in code like this where the pointers added to the rb_tree are freed
later on:

		struct alarm_event *e = calloc(1, sizeof(*e));
<snip>

		rb_tree_insert_node(&alarm_tree, e);

Add a heuristic to assume that calls to system functions taking void*
arguments allow for pointer escape.

llvm-svn: 251449
2015-10-27 20:19:45 +00:00
Jordan Rose 59801406ca [analyzer] Fix pthread lock tests so that the API comes from a system header.
...and verify that a global mutex in user code can be used without warnings.

Patch by Aleksei Sidorin!

llvm-svn: 217515
2014-09-10 16:17:42 +00:00
Ted Kremenek eeccb30b94 Add support for the static analyzer to synthesize function implementations from external model files.
Currently the analyzer lazily models some functions using 'BodyFarm',
which constructs a fake function implementation that the analyzer
can simulate that approximates the semantics of the function when
it is called.  BodyFarm does this by constructing the AST for
such definitions on-the-fly.  One strength of BodyFarm
is that all symbols and types referenced by synthesized function
bodies are contextual adapted to the containing translation unit.
The downside is that these ASTs are hardcoded in Clang's own
source code.

A more scalable model is to allow these models to be defined as source
code in separate "model" files and have the analyzer use those
definitions lazily when a function body is needed.  Among other things,
it will allow more customization of the analyzer for specific APIs
and platforms.

This patch provides the initial infrastructure for this feature.
It extends BodyFarm to use an abstract API 'CodeInjector' that can be
used to synthesize function bodies.  That 'CodeInjector' is
implemented using a new 'ModelInjector' in libFrontend, which lazily
parses a model file and injects the ASTs into the current translation
unit.  

Models are currently found by specifying a 'model-path' as an
analyzer option; if no path is specified the CodeInjector is not
used, thus defaulting to the current behavior in the analyzer.

Models currently contain a single function definition, and can
be found by finding the file <function name>.model.  This is an
initial starting point for something more rich, but it bootstraps
this feature for future evolution.

This patch was contributed by Gábor Horváth as part of his
Google Summer of Code project.

Some notes:

- This introduces the notion of a "model file" into
  FrontendAction and the Preprocessor.  This nomenclature
  is specific to the static analyzer, but possibly could be
  generalized.  Essentially these are sources pulled in
  exogenously from the principal translation.

  Preprocessor gets a 'InitializeForModelFile' and
  'FinalizeForModelFile' which could possibly be hoisted out
  of Preprocessor if Preprocessor exposed a new API to
  change the PragmaHandlers and some other internal pieces.  This
  can be revisited.

  FrontendAction gets a 'isModelParsingAction()' predicate function
  used to allow a new FrontendAction to recycle the Preprocessor
  and ASTContext.  This name could probably be made something
  more general (i.e., not tied to 'model files') at the expense
  of losing the intent of why it exists.  This can be revisited.

- This is a moderate sized patch; it has gone through some amount of
  offline code review.  Most of the changes to the non-analyzer
  parts are fairly small, and would make little sense without
  the analyzer changes.

- Most of the analyzer changes are plumbing, with the interesting
  behavior being introduced by ModelInjector.cpp and
  ModelConsumer.cpp.

- The new functionality introduced by this change is off-by-default.
  It requires an analyzer config option to enable.

llvm-svn: 216550
2014-08-27 15:14:15 +00:00
Jordan Rose c7d0acaf34 [analyzer] Just silence all warnings coming out of std::basic_string.
This means always walking the whole call stack for the end path node, but
we'll assume that's always fairly tractable.

<rdar://problem/15952973>

llvm-svn: 200980
2014-02-07 17:35:04 +00:00
Jordan Rose 514f935411 [analyzer] Pointers escape into +[NSValue valueWithPointer:]...
...even though the argument is declared "const void *", because this is
just a way to pass pointers around as objects. (Though NSData is often
a better one.)

PR18262

llvm-svn: 198710
2014-01-07 21:39:48 +00:00
Alp Toker f6a24ce40f Fix a tranche of comment, test and doc typos
llvm-svn: 196510
2013-12-05 16:25:25 +00:00
Anton Yartsev 968c60a554 [analyzer] Better modeling of memcpy by the CStringChecker (PR16731).
New rules of invalidation/escape of the source buffer of memcpy: the source buffer contents is invalidated and escape while the source buffer region itself is neither invalidated, nor escape.
In the current modeling of memcpy the information about allocation state of regions, accessible through the source buffer, is not copied to the destination buffer and we can not track the allocation state of those regions anymore. So we invalidate/escape the source buffer indirect regions in anticipation of their being invalidated for real later. This eliminates false-positive leaks reported by the unix.Malloc and alpha.cplusplus.NewDeleteLeaks checkers for the cases like

char *f() {
  void *x = malloc(47);
  char *a;
  memcpy(&a, &x, sizeof a);
  return a;
}

llvm-svn: 194953
2013-11-17 09:18:48 +00:00
Jordan Rose 4c56c22634 [analyzer] Silence warnings coming from allocators used by std::basic_string.
This is similar to r194004: because we can't reason about the data structure
invariants of std::basic_string, the analyzer decides it's possible for an
allocator to be used to deallocate the string's inline storage. Just ignore
this by walking up the stack, skipping past methods in classes with
"allocator" in the name, and seeing if we reach std::basic_string that way.

PR17866

llvm-svn: 194764
2013-11-15 02:11:19 +00:00
Anna Zaks 830d2f7701 [analyzer] Suppress warnings coming out of std::basic_string.
The analyzer cannot reason about the internal invariances of the data structure (radar://15194597).

llvm-svn: 194004
2013-11-04 19:13:03 +00:00
Jordan Rose 05b2f98d89 [analyzer] Treat std::initializer_list as opaque rather than aborting.
Previously, the use of a std::initializer_list (actually, a
CXXStdInitializerListExpr) would cause the analyzer to give up on the rest
of the path. Now, it just uses an opaque symbolic value for the
initializer_list and continues on.

At some point in the future we can add proper support for initializer_list,
with access to the elements in the InitListExpr.

<rdar://problem/14340207>

llvm-svn: 186519
2013-07-17 17:16:33 +00:00
Anna Zaks e0ad10404d [analyzer] Fixup for r185609: actually do suppress warnings coming out of std::list.
list is the name of a class, not a namespace. Change the test as well - the previous
version did not test properly.

Fixes radar://14317928.

llvm-svn: 185898
2013-07-09 01:55:00 +00:00
Anna Zaks a42fb525e4 [analyzer] Suppress reports reported in std::list
The motivation is to suppresses false use-after-free reports that occur when calling
std::list::pop_front() or std::list::pop_back() twice. The analyzer does not
reason about the internal invariants of the list implementation, so just do not report
any of warnings in std::list.

Fixes radar://14317928.

llvm-svn: 185609
2013-07-04 02:38:10 +00:00
Anna Zaks a4bc5e1201 [analyzer] Malloc checker should only escape the receiver when “[O init..]” is called.
Jordan has pointed out that it is valuable to warn in cases when the arguments to init escape.
For example, NSData initWithBytes id not going to free the memory.

llvm-svn: 183062
2013-05-31 23:47:32 +00:00
Jordan Rose 757fbb0b14 [analyzer] Indirect invalidation counts as an escape for leak checkers.
Consider this example:

  char *p = malloc(sizeof(char));
  systemFunction(&p);
  free(p);

In this case, when we call systemFunction, we know (because it's a system
function) that it won't free 'p'. However, we /don't/ know whether or not
it will /change/ 'p', so the analyzer is forced to invalidate 'p', wiping
out any bindings it contains. But now the malloc'd region looks like a
leak, since there are no more bindings pointing to it, and we'll get a
spurious leak warning.

The fix for this is to notice when something is becoming inaccessible due
to invalidation (i.e. an imperfect model, as opposed to being explicitly
overwritten) and stop tracking it at that point. Currently, the best way
to determine this for a call is the "indirect escape" pointer-escape kind.

In practice, all the patch does is take the "system functions don't free
memory" special case and limit it to direct parameters, i.e. just the
arguments to a call and not other regions accessible to them. This is a
conservative change that should only cause us to escape regions more
eagerly, which means fewer leak warnings.

This isn't perfect for several reasons, the main one being that this
example is treated the same as the one above:

  char **p = malloc(sizeof(char *));
  systemFunction(p + 1);
  // leak

Currently, "addresses accessible by offsets of the starting region" and
"addresses accessible through bindings of the starting region" are both
considered "indirect" regions, hence this uniform treatment.

Another issue is our longstanding problem of not distinguishing const and
non-const bindings; if in the first example systemFunction's parameter were
a char * const *, we should know that the function will not overwrite 'p',
and thus we can safely report the leak.

<rdar://problem/13758386>

llvm-svn: 181607
2013-05-10 17:07:16 +00:00
Jordan Rose 7023a90378 [analyzer] Don't inline the [cd]tors of C++ iterators.
This goes with r178516, which instructed the analyzer not to inline the
constructors and destructors of C++ container classes. This goes a step
further and does the same thing for iterators, so that the analyzer won't
falsely decide we're trying to construct an iterator pointing to a
nonexistent element.

The heuristic for determining whether something is an iterator is the
presence of an 'iterator_category' member. This is controlled under the
same -analyzer-config option as container constructor/destructor inlining:
'c++-container-inlining'.

<rdar://problem/13770187>

llvm-svn: 180890
2013-05-01 22:39:31 +00:00
Jordan Rose fa80736bca [analyzer] Re-enable using global regions as a symbolic base.
Now that we're invalidating global regions properly, we want to continue
taking advantage of a particular optimization: if all global regions are
invalidated together, we can represent the bindings of each region with
a "derived region value" symbol. Essentially, this lazily links each
global region with a single symbol created at invalidation time, rather
than binding each region with a new symbolic value.

We used to do this, but haven't been for a while; the previous commit
re-enabled this code path, and this handles the fallout.

<rdar://problem/13464044>

llvm-svn: 179554
2013-04-15 20:39:45 +00:00
Jordan Rose d02adbf03c [analyzer] Tests: move system functions into system header simulator files.
Some checkers ascribe different behavior to functions declared in system
headers, so when working with standard library functions it's probably best
to always have them in a standard location.

Test change only (no functionality change), but necessary for the next commit.

llvm-svn: 179552
2013-04-15 20:39:37 +00:00
Jordan Rose d11ef1aaf7 [analyzer] Allow suppressing diagnostics reported within the 'std' namespace
This is controlled by the 'suppress-c++-stdlib' analyzer-config flag.
It is currently off by default.

This is more suppression than we'd like to do, since obviously there can
be user-caused issues within 'std', but it gives us the option to wield
a large hammer to suppress false positives the user likely can't work
around.

llvm-svn: 178513
2013-04-02 00:26:15 +00:00
Anton Yartsev 13df03624b [analyzer] Adds cplusplus.NewDelete checker that check for memory leaks, double free, and use-after-free problems of memory managed by new/delete.
llvm-svn: 177849
2013-03-25 01:35:45 +00:00
Jordan Rose 613f3c0022 [analyzer] Be more consistent about Objective-C methods that free memory.
Previously, MallocChecker's pointer escape check and its post-call state
update for Objective-C method calls had a fair amount duplicated logic
and not-entirely-consistent checks. This commit restructures all this to
be more consistent and possibly allow us to be more aggressive in warning
about double-frees.

New policy (applies to system header methods only):
(1) If this is a method we know about, model it as taking/holding ownership
    of the passed-in buffer.
  (1a) ...unless there's a "freeWhenDone:" parameter with a zero (NO) value.
(2) If there's a "freeWhenDone:" parameter (but it's not a method we know
    about), treat the buffer as escaping if the value is non-zero (YES) and
    non-escaping if it's zero (NO).
(3) If the first selector piece ends with "NoCopy" (but it's not a method we
    know about and there's no "freeWhenDone:" parameter), treat the buffer
    as escaping.

The reason that (2) and (3) don't explicitly model the ownership transfer is
because we can't be sure that they will actually free the memory using free(),
and we wouldn't want to emit a spurious "mismatched allocator" warning
(coming in Anton's upcoming patch). In the future, we may have an idea of a
"generic deallocation", i.e. we assume that the deallocator is correct but
still continue tracking the region so that we can warn about double-frees.

Patch by Anton Yartsev, with modifications from me.

llvm-svn: 176744
2013-03-09 00:59:10 +00:00
Anna Zaks acdc13cb00 [analyzer] Add pointer escape type param to checkPointerEscape callback
The checkPointerEscape callback previously did not specify how a
pointer escaped. This change includes an enum which describes the
different ways a pointer may escape. This enum is passed to the
checkPointerEscape callback when a pointer escapes. If the escape
is due to a function call, the call is passed. This changes
previous behavior where the call is passed as NULL if the escape
was due to indirectly invalidating the region the pointer referenced.

A patch by Branden Archer!

llvm-svn: 174677
2013-02-07 23:05:43 +00:00
Jordan Rose b54cfa310a [analyzer] Explain why we have system-header-simulator*.h files.
Suggested by Csaba. Text based on an e-mail of mine on cfe-dev.

llvm-svn: 174213
2013-02-01 19:50:01 +00:00
Anna Zaks 2ed5125502 [analyzer] Add symbol escapes logic to the SimpleStreamChecker.
llvm-svn: 167439
2012-11-06 04:20:57 +00:00
NAKAMURA Takumi 77369457e0 clang/test/Analysis: Fix the declaration of strlen() for 32 bit targets.
- Inputs/system-header-simulator.h: Declare strlen() with size_t.

  - malloc-interprocedural.c: Move the definition of size_t into the header above.

Then XFAIL can be pruned.

llvm-svn: 164300
2012-09-20 11:03:56 +00:00
Chandler Carruth 66a34a6a45 Adjust some analyzer tests to place widely shared inputs inside of an
'Inputs' subdirectory.

The general desire has been to have essentially all of the non-test
input files live in such directories, with some exceptions for obvious
and common patterns like 'foo.c' using 'foo.h'.

This came up because our distributed test runner couldn't find some of
the headers, for example with stl.cpp.

No functionality changed, just shuffling around here.

llvm-svn: 163674
2012-09-12 01:11:10 +00:00