Commit Graph

2805 Commits

Author SHA1 Message Date
Artem Dergachev e67a575dfb [analyzer] StackAddrEscape: For now, disable the new async escape checks.
The new check introduced in r318705 is useful, but suffers from a particular
class of false positives, namely, it does not account for
dispatch_barrier_sync() API which allows one to ensure that the asyncronously
executed block that captures a pointer to a local variable does not actually
outlive that variable.

The new check is split into a separate checker, under the name of
alpha.core.StackAddressAsyncEscape, which is likely to get enabled by default
again once these positives are fixed. The rest of the StackAddressEscapeChecker
is still enabled by default.

Differential Revision: https://reviews.llvm.org/D41042

llvm-svn: 320455
2017-12-12 02:59:09 +00:00
George Karpenkov 8d345cb8a5 [analyzer] do not crash on cases where an array subscript is an rvalue
Array subscript is almost always an lvalue, except for a few cases where
it is not, such as a subscript into an Objective-C property, or a
return from the function.
This commit prevents crashing in such cases.

Fixes rdar://34829842

Differential Revision: https://reviews.llvm.org/D40584

llvm-svn: 319834
2017-12-05 21:19:59 +00:00
Devin Coughlin a565a7b9b8 [analyzer] Don't treat lambda-captures float constexprs as undefined
RegionStore has special logic to evaluate captured constexpr variables.
However, if the constexpr initializer cannot be evaluated as an integer, the
value is treated as undefined. This leads to false positives when, for example,
a constexpr float is captured by a lambda.

To fix this, treat a constexpr capture that cannot be evaluated as unknown
rather than undefined.

rdar://problem/35784662

llvm-svn: 319638
2017-12-04 04:46:47 +00:00
Roman Lebedev 88b56caa0e [analyzer] Fix false negative on post-increment of uninitialized variable.
Summary:
Currently clang static analyzer does warn on:
```
int x;
x+=1;
x-=1;
x=x+1;
x=x-1;
```
But does warn on:
```
int x;
x++;
x--;
--x;
++x;
```

This differential should fix that.
Fixes https://bugs.llvm.org/show_bug.cgi?id=35419

Reviewers: dcoughlin, NoQ

Reviewed By: dcoughlin

Subscribers: NoQ, xazax.hun, szepet, cfe-commits, a.sidorin

Tags: #clang

Differential Revision: https://reviews.llvm.org/D40463

llvm-svn: 319411
2017-11-30 09:18:35 +00:00
Devin Coughlin 9a2c14a73a [analyzer] Fix unreachable creating PathDiagnosticLocation with widen-loops=true
In the original design of the analyzer, it was assumed that a BlockEntrance
doesn't create a new binding on the Store, but this assumption isn't true when
'widen-loops' is set to true. Fix this by finding an appropriate location
BlockEntrace program points.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D37187

llvm-svn: 319333
2017-11-29 18:25:37 +00:00
Artem Dergachev 052436f768 [analyzer] pr34766: Fix a crash on explicit std::initializer_list constructor.
We didn't support the following syntax:

  (std::initializer_list<int>){12}

which suddenly produces CompoundLiteralExpr that contains
CXXStdInitializerListExpr.

Lift the assertion and instead pass the value through CompoundLiteralExpr
transparently, as it doesn't add much.

Differential Revision: https://reviews.llvm.org/D39803

llvm-svn: 319058
2017-11-27 17:37:09 +00:00
Artem Dergachev db9a5954d4 [analyzer] pr34404: Fix a crash on modeling pointers to indirect members.
We were crashing whenever a C++ pointer-to-member was taken, that was pointing
to a member of an anonymous structure field within a class, eg.

  struct A {
    struct {
     int x;
    };
  };
  // ...
  &A::x;

Differential Revision: https://reviews.llvm.org/D39800

llvm-svn: 319055
2017-11-27 17:31:16 +00:00
Devin Coughlin cc5915a5e1 [analyzer] Teach RetainCountChecker about CoreMedia APIs
Teach the retain-count checker that CoreMedia reference types use
CoreFoundation-style reference counting. This enables the checker
to catch leaks and over releases of those types.

rdar://problem/33599757

llvm-svn: 318979
2017-11-25 14:57:42 +00:00
Aleksei Sidorin 124f5de841 [Analyzer] Stable iteration on indirect goto LabelDecl's to avoid non-determinism (attempt 2)
CFG wass built in non-deterministic order due to the fact that indirect
goto labels' declarations (LabelDecl's) are stored in the llvm::SmallSet
container. LabelDecl's are pointers, whose order is not deterministic,
and llvm::SmallSet sorts them by their non-deterministic addresses after
"small" container is exceeded. This leads to non-deterministic processing
of the elements of the container.

The fix is to use llvm::SmallSetVector that was designed to have
deterministic iteration order.

Patch by Ilya Palachev!

Differential Revision: https://reviews.llvm.org/D40073

llvm-svn: 318754
2017-11-21 11:27:47 +00:00
Aleksei Sidorin 7ac9be1ab7 [Analyzer] Revert r318750 because incorrect files were added for commit.
Sorry for the noise.

llvm-svn: 318753
2017-11-21 11:20:07 +00:00
Aleksei Sidorin 3c3454b9d1 [Analyzer] Non-determinism: stable iteration on indirect goto LabelDecl's
CFG wass built in non-deterministic order due to the fact that indirect
goto labels' declarations (LabelDecl's) are stored in the llvm::SmallSet
container. LabelDecl's are pointers, whose order is not deterministic,
and llvm::SmallSet sorts them by their non-deterministic addresses after
"small" container is exceeded. This leads to non-deterministic processing
of the elements of the container.

The fix is to use llvm::SmallSetVector that was designed to have 
deterministic iteration order.

Patch by Ilya Palachev!

Differential Revision: https://reviews.llvm.org/D40073

llvm-svn: 318750
2017-11-21 11:05:28 +00:00
Alexander Shaposhnikov 8ee899d42e [analyzer] Diagnose stack leaks via block captures
This diff extends StackAddrEscapeChecker
to catch stack addresses leaks via block captures
if the block is executed asynchronously or
returned from a function.

Differential revision: https://reviews.llvm.org/D39438

llvm-svn: 318705
2017-11-20 22:53:30 +00:00
Devin Coughlin 5df6b94381 [analyzer] ObjCGenerics: Don't warn on cast conversions involving explicit cast
The ObjCGenerics checker warns on a cast when there is no subtyping relationship
between the tracked type of the value and the destination type of the cast. It
does this even if the cast was explicitly written. This means the user can't
write an explicit cast to silence the diagnostic.

This commit treats explicit casts involving generic types as an indication from
the programmer that the Objective-C type system is not rich enough to express
the needed invariant. On explicit casts, the checker now removes any existing
information inferred about the type arguments. Further, it no longer assumes
the casted-to specialized type because the invariant the programmer specifies
in the cast may only hold at a particular program point and not later ones. This
prevents a suppressing cast from requiring a cascade of casts down the
line.

rdar://problem/33603303

Differential Revision: https://reviews.llvm.org/D39711

llvm-svn: 318054
2017-11-13 17:35:29 +00:00
George Karpenkov d860e7a6b8 [analyzer] do not crash when trying to convert an APSInt to an unexpected type
This is the issue breaking the postgresql bot, purely by chance exposed
through taint checker, somehow appearing after
https://reviews.llvm.org/D38358 got committed.

The backstory is that the taint checker requests SVal for the value of
the pointer, and analyzer has a "fast path" in the getter to return a
constant when we know that the value is constant.
Unfortunately, the getter requires a cast to get signedness correctly,
and for the pointer `void *` the cast crashes.

This is more of a band-aid patch, as I am not sure what could be done
here "correctly", but it should be applied in any case to avoid the
crash.

Differential Revision: https://reviews.llvm.org/D39862

llvm-svn: 317839
2017-11-09 21:49:38 +00:00
George Karpenkov bbb66ad7b2 [analyzer] assume bitwise arithmetic axioms
Patches the solver to assume that bitwise OR of an unsigned value with a
constant always produces a value larger-or-equal than the constant, and
bitwise AND with a constant always produces a value less-or-equal than
the constant.

This patch is especially useful in the context of using bitwise
arithmetic for error code encoding: the analyzer would be able to state
that the error code produced using a bitwise OR is non-zero.

Differential Revision: https://reviews.llvm.org/D39707

llvm-svn: 317820
2017-11-09 19:06:22 +00:00
Artem Dergachev 5904fba8c9 [analyzer] Fix a crash on logical operators with vectors.
Do not crash when trying to compute x && y or x || y where x and y are
of a vector type.

For now we do not seem to properly model operations with vectors. In particular,
operations && and || on a pair of vectors are not short-circuit, unlike regular
logical operators, so even our CFG is incorrect.

Avoid the crash, add respective FIXME tests for later.

Differential Revision: https://reviews.llvm.org/D39682

rdar://problem/34317663

llvm-svn: 317700
2017-11-08 17:27:58 +00:00
Artem Dergachev 0b5b1f14fd [analyzer] pr34779: CStringChecker: Accept non-standard headers.
Do not crash when trying to define and call a non-standard
strcpy(unsigned char *, unsigned char *) during analysis.

At the same time, do not try to actually evaluate the call.

Differential Revision: https://reviews.llvm.org/D39422

llvm-svn: 317565
2017-11-07 10:51:15 +00:00
Devin Coughlin 046833e5fb [analyzer] Model correct dispatch_once() 'done' value in BodyFarm
The analyzer's BodyFarm models dispatch_once() by comparing the passed-in
predicate against a known 'done' value. If the predicate does not have that
value, the model updates the predicate to have that value and executes the
passed in block.

Unfortunately, the current model uses the wrong 'done' value: 1 instead of ~0.
This interferes with libdispatch's static inline function _dispatch_once(),
which enables a fast path if the block has already been executed. That function
uses __builtin_assume() to tell the compiler that the done flag is set to ~0 on
exit. When r302880 added modeling of __builtin_assume(), this caused the
analyzer to assume 1 == ~0. This in turn caused the analyzer to never explore any code after a call to dispatch_once().

This patch regains the missing coverage by updating BodyFarm to use the correct
'done' value.

rdar://problem/34413048

Differential Revision: https://reviews.llvm.org/D39691

llvm-svn: 317516
2017-11-06 22:12:19 +00:00
George Karpenkov 0354483013 [analyzer] do not crash on libcxx03 call_once implementation
Addresses https://bugs.llvm.org/show_bug.cgi?id=35075, rdar://35230961

Differential Revision: https://reviews.llvm.org/D39518

llvm-svn: 317293
2017-11-03 00:36:03 +00:00
Gabor Horvath 4581f7497b [analyzer] Left shifting a negative value is undefined
The analyzer did not return an UndefVal in case a negative value was left
shifted. I also altered the UndefResultChecker to emit a clear warning in this
case.

Differential Revision: https://reviews.llvm.org/D39423

llvm-svn: 316924
2017-10-30 17:06:42 +00:00
Gabor Horvath 404fcd3069 [analyzer] Use the signature of the primary template for issue hash calculation
Now when a template is instantiated more times and there is a bug found in the
instantiations the issue hash will be different for each instantiation even if
every other property of the bug (path, message, location) is the same.

This patch aims to resolve this issue. Note that explicit specializations still
generate different hashes but that is intended.

Differential Revision: https://reviews.llvm.org/D38728

llvm-svn: 316900
2017-10-30 12:16:07 +00:00
Gabor Horvath 3bd24f9440 [analyzer] Make issue hash related tests more concise
Extend ExprInspection checker to make it possible to dump the issue hash of
arbitrary expressions. This change makes it possible to make issue hash related
tests more concise and also makes debugging issue hash related problems easier.

Differential Revision: https://reviews.llvm.org/D38844

llvm-svn: 316899
2017-10-30 12:02:23 +00:00
Gabor Horvath 9a8c8bf60d [analyzer] lock_guard and unique_lock extension for BlockInCriticalSection checker
A patch by zdtorok (Zoltán Dániel Török)!

Differential Revision: https://reviews.llvm.org/D33729

llvm-svn: 316892
2017-10-30 10:09:55 +00:00
Gabor Horvath bde3be43d7 Add missing expected-no-diagnostics comment to test.
llvm-svn: 316886
2017-10-30 09:01:48 +00:00
Gabor Horvath bb81bfb69c [analyzer] Handle ObjC messages conservatively in CallDescription
Differential Revision: https://reviews.llvm.org/D37470

llvm-svn: 316885
2017-10-30 08:47:13 +00:00
Peter Szecsi 07964fbdcb [analyzer] MisusedMovedObjectChecker: More precise warning message
Added new enum in order to differentiate the warning messages on "misusing" into
3 categories: function calls, moving an object, copying an object. (At the
moment the checker gives the same message in case of copying and moving.)

Additional test cases added as well.

Differential Revision: https://reviews.llvm.org/D38674

llvm-svn: 316852
2017-10-28 23:24:00 +00:00
Peter Szecsi 65f8f83a74 [analyzer] MisusedMovedObjectChecker: Fix false positive on state-resetting, handling method calls on base-class sub-objects
An earlier solution from Artem r315301 solves the reset problem, however, the
reports should be handled the same way in case of method calls. We should not
just report the base class of the object where the method was defined but the
whole object.

Fixed false positive which came from not removing the subobjects in case of a
state-resetting function. (Just replaced the State->remove(...) call to
removeFromState(..) which was defined exactly for that purpose.)

Some minor typos fixed in this patch as well which did not worth a whole new
patch in my opinion, so included them here.

Differential Revision: https://reviews.llvm.org/D31538

llvm-svn: 316850
2017-10-28 23:09:37 +00:00
Richard Smith 72db888389 PR35039: Materialize temporary objects before wrapping them in an
OpaqueValueExpr in a GNU binary conditional expression.

It's not meaningful for a non-materialized temporary object to be used as a
common subexpression of multiple expressions.

llvm-svn: 316836
2017-10-28 18:59:51 +00:00
Peter Szecsi 1496d188a0 [analyzer] LoopUnrolling: check the bitwidth of the used numbers (pr34943)
The loop unrolling feature aims to track the maximum possible steps a loop can
make. In order to implement this, it investigates the initial value of the 
counter variable and the bound number. (It has to be known.)
These numbers are used as llvm::APInts, however, it was not checked if their
bitwidths are the same which lead to some crashes.
This revision solves this problem by extending the "shorter" one (to the length
of the "longer" one).
For the detailed bug report, see: https://bugs.llvm.org/show_bug.cgi?id=34943

Differential Revision: https://reviews.llvm.org/D38922

llvm-svn: 316830
2017-10-28 12:19:08 +00:00
George Karpenkov f671bd26b7 [Analyzer] Remove unnecessary semicolon in analyzer tests.
llvm-svn: 316538
2017-10-25 00:03:45 +00:00
George Karpenkov 98e81cd3be [Analyzer] Handle implicit function reference in bodyfarming std::call_once
Differential Revision: https://reviews.llvm.org/D39201

llvm-svn: 316402
2017-10-24 00:13:18 +00:00
Alexander Shaposhnikov 9a21d28b5d [analyzer] Fix handling of labels in getLValueElement
In getLValueElement Base may represent the address of a label 
(as in the newly-added test case), in this case it's not a loc::MemRegionVal 
and Base.castAs<loc::MemRegionVal>() triggers an assert, this diff makes 
getLValueElement return UnknownVal instead.

Differential revision: https://reviews.llvm.org/D39174

llvm-svn: 316399
2017-10-23 23:46:06 +00:00
George Karpenkov bd4254c692 [Analyzer] Correctly handle parameters passed by reference when bodyfarming std::call_once
Explicitly not supporting functor objects.

Differential Revision: https://reviews.llvm.org/D39031

llvm-svn: 316249
2017-10-20 23:29:59 +00:00
Gabor Horvath d3a8570231 [analyzer] Dump signed integers in SymIntExpr and IntSymExpr correctly
Patch by: Adam Balogh!

Differential Revision: https://reviews.llvm.org/D39048

llvm-svn: 316157
2017-10-19 11:58:21 +00:00
George Karpenkov b2a60c6a9b [Analyzer] Always use non-reference types when creating expressions in BodyFarm.
Remove an option to use a reference type (on by default!) since a
non-reference type is always needed for creating expressions, functions
with multiple boolean parameters are very hard to use, and in general it
was just a booby trap for further crashes.
Furthermore, generalize call_once test case to fix some of the crashes mentioned
https://bugs.llvm.org/show_bug.cgi?id=34869
Also removes std::call_once crash.

Differential Revision: https://reviews.llvm.org/D39015

llvm-svn: 316041
2017-10-17 22:28:18 +00:00
Roman Lebedev 6de129e710 [Sema] Re-land: Diagnose tautological comparison with type's min/max values
The first attempt, rL315614 was reverted because one libcxx
test broke, and i did not know at the time how to deal with it.

Summary:
Currently, clang only diagnoses completely out-of-range comparisons (e.g. `char` and constant `300`),
and comparisons of unsigned and `0`. But gcc also does diagnose the comparisons with the
`std::numeric_limits<>::max()` / `std::numeric_limits<>::min()` so to speak

Finally Fixes https://bugs.llvm.org/show_bug.cgi?id=34147
Continuation of https://reviews.llvm.org/D37565

Reviewers: rjmccall, rsmith, aaron.ballman

Reviewed By: rsmith

Subscribers: rtrieu, jroelofs, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D38101

llvm-svn: 315875
2017-10-15 20:13:17 +00:00
Artem Dergachev cd25c38dc0 [analyzer] pr28449: Fix support for various array initializers.
In some cases the analyzer didn't expect an array-type variable to be
initialized with anything other than a string literal. The patch essentially
removes the assertion, and ensures relatively sane behavior.

There is a bigger problem with these initializers. Currently our memory model
(RegionStore) is being ordered to initialize the array with a region that
is assumed to be storing the initializer rvalue, and it guesses to copy
the contents of that region to the array variable. However, it would make
more sense for RegionStore to receive the correct initializer in the first
place. This problem isn't addressed with this patch.

rdar://problem/27248428
Differential Revision: https://reviews.llvm.org/D23963

llvm-svn: 315750
2017-10-13 20:54:56 +00:00
Artem Dergachev db65f969f2 [analyzer] CStringChecker: pr34460: Avoid a crash when a cast is not modeled.
The checker used to crash when a mempcpy's length argument is symbolic. In this
case the cast from 'void *' to 'char *' failed because the respective
ElementRegion that represents cast is hard to add on top of the existing
ElementRegion that represents the offset to the last copied byte, while
preseving a sane memory region structure.

Additionally, a few test cases are added (to casts.c) which demonstrate problems
caused by existing sloppy work we do with multi-layer ElementRegions. If said
cast would be modeled properly in the future, these tests would need to be
taken into account.

Differential Revision: https://reviews.llvm.org/D38797

llvm-svn: 315742
2017-10-13 20:11:00 +00:00
Artem Dergachev 2041cbdcf5 [analyzer] RetainCount: Ignore annotations on user-made CFRetain wrappers.
It is not uncommon for the users to make their own wrappers around
CoreFoundation's CFRetain and CFRelease functions that are defensive
against null references. In such cases CFRetain is often incorrectly
marked as CF_RETURNS_RETAINED. Ignore said annotation and treat such
wrappers similarly to the regular CFRetain.

rdar://problem/31699502
Differential Revision: https://reviews.llvm.org/D38877

llvm-svn: 315736
2017-10-13 19:10:42 +00:00
George Karpenkov 9a542f7553 [Analyzer] Assume that CFBooleanRef const globals are non-null
Differential Revision: https://reviews.llvm.org/D38867

llvm-svn: 315655
2017-10-13 00:51:41 +00:00
Roman Lebedev 6f405dbe5c Revert "[Sema] Diagnose tautological comparison with type's min/max values"
This reverts r315614,r315615,r315621,r315622
Breaks http://bb9.pgr.jp/#/builders/20/builds/59

/home/bb9/bootstrap-clang-libcxx-lld-i686-linux/llvm-project/libcxx/test/std/experimental/filesystem/fs.op.funcs/fs.op.last_write_time/last_write_time.pass.cpp:95:17: error: comparison 'long long' > 9223372036854775807 is always false [-Werror,-Wtautological-constant-compare]
    if (max_sec > Lim::max()) return false;
        ~~~~~~~ ^ ~~~~~~~~~~
/home/bb9/bootstrap-clang-libcxx-lld-i686-linux/llvm-project/libcxx/test/std/experimental/filesystem/fs.op.funcs/fs.op.last_write_time/last_write_time.pass.cpp:124:13: error: comparison 'long long' < -9223372036854775808 is always false [-Werror,-Wtautological-constant-compare]
    if (sec < Lim::min() || sec > Lim::max())   return false;
        ~~~ ^ ~~~~~~~~~~
/home/bb9/bootstrap-clang-libcxx-lld-i686-linux/llvm-project/libcxx/test/std/experimental/filesystem/fs.op.funcs/fs.op.last_write_time/last_write_time.pass.cpp:124:33: error: comparison 'long long' > 9223372036854775807 is always false [-Werror,-Wtautological-constant-compare]
    if (sec < Lim::min() || sec > Lim::max())   return false;
                            ~~~ ^ ~~~~~~~~~~
3 errors generated.
--

I'm not yet sure what is the proper fix.

llvm-svn: 315631
2017-10-12 22:03:20 +00:00
Roman Lebedev e1449566c6 [Analysis] Un-silence -Wtautological-unsigned-zero-compare in null-deref-ps.c
Stage-2 builds failed:

error: 'warning' diagnostics expected but not seen:
  File /home/buildbot/modules-slave-2/clang-x86_64-linux-selfhost-modules-2/llvm.src/tools/clang/test/Analysis/null-deref-ps.c Line 238: always true
llvm-svn: 315622
2017-10-12 21:15:26 +00:00
Roman Lebedev b08021f5dd [Analysis] Silence -Wtautological-constant-compare in two tests
Yes, did not check that. Need to do better :(
I do not believe it makes sense to do expect that warning here.

llvm-svn: 315615
2017-10-12 20:27:41 +00:00
George Karpenkov c928e1f595 [Analyzer] Support bodyfarming libstdc++ implementation of std::call_once.
Differential Revision: https://reviews.llvm.org/D38810

llvm-svn: 315508
2017-10-11 20:53:01 +00:00
George Karpenkov ead0162801 [Analyzer] Assume that string-like const globals are non-nil.
Differential Revision: https://reviews.llvm.org/D38764

llvm-svn: 315488
2017-10-11 18:39:40 +00:00
Daniel Marjamaki d3d83681bc [Analyzer] Clarify error messages for undefined result
Differential Revision: https://reviews.llvm.org/D30295

llvm-svn: 315462
2017-10-11 14:49:35 +00:00
Artem Dergachev 0f22a06b4d [analyzer] MisusedMovedObject: Fix state-resetting a base-class sub-object.
If a method is resetting the state of an object that was moved from, it should
be safe to use this object again. However if the method was defined in a parent
class, but used in a child class, the reset didn't happen from the checker's
perspective.

Differential Revision: https://reviews.llvm.org/D31538

llvm-svn: 315301
2017-10-10 11:55:56 +00:00
Gabor Horvath 21524676a2 [analyzer] Implement pointer arithmetic on constants
Patch by: Rafael Stahl!

Differential Revision: https://reviews.llvm.org/D37478

llvm-svn: 315296
2017-10-10 11:01:49 +00:00
George Karpenkov 8b53f7ca6d [Analyzer] Do not segfault on unexpected call_once implementation
Fixes https://bugs.llvm.org/show_bug.cgi?id=34869

Differential Revision: https://reviews.llvm.org/D38702

llvm-svn: 315250
2017-10-09 23:20:46 +00:00
Artem Dergachev 59428d182f [analyzer] Fix leak false positives on stuff put in C++/ObjC initializer lists.
The analyzer now realizes that C++ std::initializer_list objects and
Objective-C boxed structure/array/dictionary expressions can potentially
maintain a reference to the objects that were put into them. This avoids
false memory leak posivites and a few other issues.

This is a conservative behavior; for now, we do not model what actually happens
to the objects after being passed into such initializer lists.

rdar://problem/32918288
Differential Revision: https://reviews.llvm.org/D35216

llvm-svn: 314975
2017-10-05 08:43:32 +00:00
Artem Dergachev 9445b89c49 [analyzer] Fix autodetection of binding types.
In ProgramState::getSVal(Location, Type) API which dereferences a pointer value,
when the optional Type parameter is not supplied and the Location is not typed,
type should have been guessed on a best-effort basis by inspecting the Location
more deeply. However, this never worked; the auto-detected type was instead
a pointer type to the correct type.

Fixed the issue and added various test cases to demonstrate which parts of the
analyzer were affected (uninitialized pointer argument checker, C++ trivial copy
modeling, Google test API modeling checker).

Additionally, autodetected void types are automatically replaced with char,
in order to simplify checker APIs. Which means that if the location is a void
pointer, getSVal() would read the first byte through this pointer
and return its symbolic value.

Fixes pr34305.

Differential Revision: https://reviews.llvm.org/D38358

llvm-svn: 314910
2017-10-04 15:59:40 +00:00
George Karpenkov 367fbfcc20 [Analyzer] Re-apply r314820 with a fix for StringRef lifetime.
Fixes the test failure: temporary is now bound to std::string, tests
fully pass on Linux.

This reverts commit b36ee0924038e1d95ea74230c62d46e05f80587e.

llvm-svn: 314859
2017-10-03 23:15:35 +00:00
Tim Shen 77886fc0f0 Revert r314820 "[Analyzer] More granular special casing in RetainCountChecker"
The test retain-release.m fails with this patch.

Differential Revision: https://reviews.llvm.org/D38487

llvm-svn: 314831
2017-10-03 19:39:02 +00:00
George Karpenkov fec6b1afe6 [Analyzer] More granular special casing in RetainCountChecker
Only assume that IOBSDNameMatching and friends increment a reference counter
if their return type is a CFMutableDictionaryRef.

Differential Revision: https://reviews.llvm.org/D38487

llvm-svn: 314820
2017-10-03 18:12:15 +00:00
George Karpenkov 305ee8e5f8 [Analyzer] Add dummy implementation to call_once to avoid linkage warnings in tests.
llvm-svn: 314580
2017-09-30 01:15:35 +00:00
George Karpenkov 657a5896b1 [Analyzer] Synthesize function body for std::call_once
Differential Revision: https://reviews.llvm.org/D37840

llvm-svn: 314571
2017-09-30 00:03:22 +00:00
Artem Dergachev d85a994ca6 [analyzer] Fix an outdated comment in a test. NFC.
llvm-svn: 314298
2017-09-27 10:59:06 +00:00
Artem Dergachev 8c80061535 [analyzer] Match more patterns in bugreporter::getDerefExpr() API.
This function can now track null pointer through simple pointer arithmetic,
such as '*&*(p + 2)' => 'p' and so on, displaying intermediate diagnostic pieces
for the user to understand where the null pointer is coming from.

Differential Revision: https://reviews.llvm.org/D37025

llvm-svn: 314290
2017-09-27 09:50:45 +00:00
Artem Dergachev 2064e82277 [analyzer] Fix and refactor bugreporter::getDerefExpr() API.
This API is used by checkers (and other entities) in order to track where does
a value originate from, by jumping from an expression value of which is equal
to that value to the expression from which this value has "appeared". For
example, it may be an lvalue from which the rvalue was loaded, or a function
call from which the dereferenced pointer was returned.

The function now avoids incorrectly unwrapping implicit lvalue-to-rvalue casts,
which caused crashes and incorrect intermediate diagnostic pieces. It also no
longer relies on how the expression is written when guessing what it means.

Fixes pr34373 and pr34731.

rdar://problem/33594502

Differential Revision: https://reviews.llvm.org/D37023

llvm-svn: 314287
2017-09-27 09:33:37 +00:00
Alexander Shaposhnikov f4963ff162 [analyzer] Fix crash on modeling of pointer arithmetic
This patch fixes analyzer's crash on the newly added test case 
(see also https://bugs.llvm.org/show_bug.cgi?id=34374).
Pointers subtraction appears to be modeled incorrectly 
in the following example:
  char* p;
  auto n = p - reinterpret_cast<char*>((unsigned long)1);
In this case the analyzer (built without this patch) 
tries to create a symbolic value for the difference 
treating reinterpret_cast<char*>((unsigned long)1) 
as an integer, that is not correct.

Differential revision: https://reviews.llvm.org/D38214

Test plan: make check-all

llvm-svn: 314141
2017-09-25 19:32:33 +00:00
Gabor Horvath e350b0a196 Add Cross Translation Unit support library
This patch introduces a class that can help to build tools that require cross
translation unit facilities. This class allows function definitions to be loaded
from external AST files based on an index. In order to use this functionality an
index is required. The index format is a flat text file but it might be
replaced with a different solution in the near future. USRs are used as names to
look up the functions definitions. This class also does caching to avoid
redundant loading of AST files.

Right now only function defnitions can be loaded using this API because this is
what the in progress cross translation unit feature of the Static Analyzer
requires. In to future this might be extended to classes, types etc.

Differential Revision: https://reviews.llvm.org/D34512

llvm-svn: 313975
2017-09-22 11:11:01 +00:00
Gabor Horvath 61e7adef42 [analyzer] Add new delete with non-virtual destructor check
Patch by: Reka Nikolett Kovacs

Differential Revision: https://reviews.llvm.org/D35796

llvm-svn: 313973
2017-09-22 10:16:33 +00:00
Gabor Horvath 5536a01ad2 [analyzer] Fix an assertion fail in VirtualCallChecker
Differential Revision: https://reviews.llvm.org/D37978

llvm-svn: 313866
2017-09-21 08:18:59 +00:00
Richard Smith 405e2dbf37 Implement C++ [basic.link]p8.
If a function or variable has a type with no linkage (and is not extern "C"),
any use of it requires a definition within the same translation unit; the idea
is that it is not possible to define the entity elsewhere, so any such use is
necessarily an error.

There is an exception, though: some types formally have no linkage but
nonetheless can be referenced from other translation units (for example, this
happens to anonymous structures defined within inline functions). For entities
with those types, we suppress the diagnostic except under -pedantic.

llvm-svn: 313729
2017-09-20 07:22:00 +00:00
Akira Hatanaka 7d85b8f6f6 [Sema][ObjC] Warn about mismatches in attributes between overriding and
overridden methods when compiling for non-ARC.

Previously, clang would error out when compiling for ARC, but didn't
print any diagnostics when compiling for non-ARC.

This was pointed out in the patch review for attribute noescape:

https://reviews.llvm.org/D32210

llvm-svn: 313717
2017-09-20 05:39:18 +00:00
George Karpenkov e28adb4fb2 [Analyzer] Check function name size before indexing.
https://reviews.llvm.org/D37908

llvm-svn: 313385
2017-09-15 19:51:26 +00:00
Raphael Isemann 561f0de6d9 [analyzer] Increase minimum complexity filter of the CloneChecker.
Summary:
So far we used a value of 10 which was useful for testing but produces many false-positives in real programs. The usual suspicious clones we find seem to be at around a complexity value of 70 and for normal clone-reporting everything above 50 seems to be a valid normal clone for users, so let's just go with 50 for now and set this as the new default value.

This patch also explicitly sets the complexity value for the regression tests as they serve more of a regression testing/debugging purpose and shouldn't really be reported by default in real programs. I'll add more tests that reflect actual found bugs that then need to pass with the default setting in the future.

Reviewers: NoQ

Subscribers: cfe-commits, javed.absar, xazax.hun, v.g.vassilev

Differential Revision: https://reviews.llvm.org/D34178

llvm-svn: 312468
2017-09-04 05:56:36 +00:00
Alexander Shaposhnikov f1cfa039ae [analyzer] Adjust ptr arithmetic test
Replace "long" with __UINTPTR_TYPE__
to make the test added in rL311935 Windows-friendly.
Caught by the buildbot llvm-clang-x86_64-expensive-checks-win.

llvm-svn: 311947
2017-08-28 22:58:54 +00:00
Alexander Shaposhnikov 18d77984fb [analyzer] Fix crash in modeling arithmetic
This diff fixes modeling of arithmetic 
expressions where pointers are treated as integers 
(i.e. via C-style / reinterpret casts).
For now we return UnknownVal unless the operation is a comparison.

Test plan: make check-all

Differential revision: https://reviews.llvm.org/D37120

llvm-svn: 311935
2017-08-28 21:15:21 +00:00
Peter Szecsi 0db84863d0 [StaticAnalyzer] LoopUnrolling: Keep track the maximum number of steps for each loop
This way the unrolling can be restricted for loops which will take at most a
given number of steps. It is defined as 128 in this patch and it seems to have
a good number for that purpose.

Differential Revision: https://reviews.llvm.org/D37181

llvm-svn: 311883
2017-08-28 10:50:28 +00:00
Peter Szecsi d0604acd8e [StaticAnalyzer] LoopUnrolling: Excluding loops which splits the state
Added check if the execution of the last step of the given unrolled loop has
generated more branches. If yes, than treat it as a normal (non-unrolled) loop
in the remaining part of the analysis.

Differential Revision: https://reviews.llvm.org/D36962

llvm-svn: 311881
2017-08-28 10:34:50 +00:00
Peter Szecsi d91554bc91 [StaticAnalyzer] LoopUnrolling fixes
1. The LoopUnrolling feature needs the LoopExit included in the CFG so added this
dependency via the config options
2. The LoopExit element can be encountered even if we haven't encountered the 
block of the corresponding LoopStmt. So the asserts were not right.
3. If we are caching out the Node then we get a nullptr from generateNode which
case was not handled.


Differential Revision: https://reviews.llvm.org/D37103

llvm-svn: 311880
2017-08-28 10:21:24 +00:00
Gabor Horvath 857ccd2919 [analyzer][GSoC] Re-implemente current virtual calls checker in a path-sensitive way
Patch by: Xin Wang

Differential Revision: https://reviews.llvm.org/D34275

llvm-svn: 311877
2017-08-28 08:44:43 +00:00
Peter Szecsi 3c3e1b0b54 [StaticAnalyzer] LoopUnrolling: Track a LoopStack in order to completely unroll specific loops
The LoopExit CFG information provides the opportunity to not mark the loops but
having a stack which tracks if a loop is unrolled or not. So in case of
simulating a loop we just add it and the information if it meets the
requirements to be unrolled to the top of the stack.

Differential Revision: https://reviews.llvm.org/D35684

llvm-svn: 311346
2017-08-21 16:32:57 +00:00
Peter Szecsi 999a25ff72 [CFG] Add LoopExit information to CFG
This patch introduces a new CFG element CFGLoopExit that indicate when a loop
ends. It does not deal with returnStmts yet (left it as a TODO).
It hidden behind a new analyzer-config flag called cfg-loopexit (false by
default).
Test cases added.

The main purpose of this patch right know is to make loop unrolling and loop
widening easier and more efficient. However, this information can be useful for
future improvements in the StaticAnalyzer core too.

Differential Revision: https://reviews.llvm.org/D35668

llvm-svn: 311235
2017-08-19 11:19:16 +00:00
Peter Szecsi 8de103f2f0 [StaticAnalyzer] LoopUnrolling: Exclude cases where the counter is escaped before the loop
Adding escape check for the counter variable of the loop.
It is achieved by jumping back on the ExplodedGraph to its declStmt.

Differential Revision: https://reviews.llvm.org/D35657

llvm-svn: 311234
2017-08-19 10:24:52 +00:00
Alexander Shaposhnikov 291d658e19 [analyzer] Fix modeling of constructors
This diff fixes analyzer's crash (triggered assert) on the newly added test case.
The assert being discussed is assert(!B.lookup(R, BindingKey::Direct))
in lib/StaticAnalyzer/Core/RegionStore.cpp, however the root cause is different.
For classes with empty bases the offsets might be tricky.
For example, let's assume we have
 struct S: NonEmptyBase, EmptyBase {
     ...
 };
In this case Clang applies empty base class optimization and 
the offset of EmptyBase will be 0, it can be verified via
clang -cc1 -x c++ -v -fdump-record-layouts main.cpp -emit-llvm -o /dev/null.
When the analyzer tries to perform zero initialization of EmptyBase
it will hit the assert because that region
has already been "written" by the constructor of NonEmptyBase.

Test plan:
make check-all

Differential revision: https://reviews.llvm.org/D36851

llvm-svn: 311182
2017-08-18 18:20:43 +00:00
Devin Coughlin a179e171dc [analyzer] Add support for reference counting of parameters on the callee side
This commit adds the functionality of performing reference counting on the
callee side for Integer Set Library (ISL) to Clang Static Analyzer's
RetainCountChecker.

Reference counting on the callee side can be extensively used to perform
debugging within a function (For example: Finding leaks on error paths).

Patch by Malhar Thakkar!

Differential Revision: https://reviews.llvm.org/D36441

llvm-svn: 311063
2017-08-17 04:19:07 +00:00
Kuba Mracek cea6267cc6 Fixup for r310950: Also remove the new instance of %T from html-diags.c
llvm-svn: 310952
2017-08-15 19:54:04 +00:00
Kuba Mracek 5b57633a45 [clang] Get rid of "%T" expansions
The %T lit expansion expands to a common directory shared between all the tests in the same directory, which is unexpected and unintuitive, and more importantly, it's been a source of subtle race conditions and flaky tests. In https://reviews.llvm.org/D35396, it was agreed that it would be best to simply ban %T and only keep %t, which is unique to each test. When a test needs a temporary directory, it can just create one using mkdir %t.

This patch removes %T in clang.

Differential Revision: https://reviews.llvm.org/D36437

llvm-svn: 310950
2017-08-15 19:47:06 +00:00
Alexander Shaposhnikov 901d61561c [analyzer] Fix SimpleSValBuilder::simplifySVal
This diff fixes a crash (triggered assert) on the newly added test case.
In the method Simplifier::VisitSymbolData we check the type of S and return
Loc/NonLoc accordingly.

Differential revision: https://reviews.llvm.org/D36564

llvm-svn: 310887
2017-08-14 21:23:08 +00:00
Devin Coughlin f0cadcd9f3 [Analyzer] Add support for displaying cross-file diagnostic paths in HTML output
This change adds support for cross-file diagnostic paths in html output. If the
diagnostic path is not cross-file, there is no change in the output.

Patch by Vlad Tsyrklevich!

Differential Revision: https://reviews.llvm.org/D30406

llvm-svn: 309968
2017-08-03 18:12:22 +00:00
Daniel Marjamaki fabe840e75 [StaticAnalyzer] Fix false positives for unreachable code in macros.
Example:

#define MACRO(C)   if (C) { static int x; .. }
void foo() {
	MACRO(0);
}

Differential Revision: https://reviews.llvm.org/D36141

llvm-svn: 309799
2017-08-02 08:26:56 +00:00
Peter Szecsi 657ac14816 [StaticAnalyzer] Completely unrolling specific loops with known bound option
This feature allows the analyzer to consider loops to completely unroll.
New requirements/rules (for unrolling) can be added easily via ASTMatchers.

Right now it is hidden behind a flag, the aim is to find the correct heuristic
and create a solution which results higher coverage % and more precise
analysis, thus can be enabled by default.

Right now the blocks which belong to an unrolled loop are marked by the
LoopVisitor which adds them to the ProgramState.
Then whenever we encounter a CFGBlock in the processCFGBlockEntrance which is
marked then we skip its investigating. That means, it won't be considered to
be visited more than the maximal bound for visiting since it won't be checked.

llvm-svn: 309006
2017-07-25 19:23:23 +00:00
Devin Coughlin b2d825528d [analyzer] Add diagnostic text for generalized refcount annotations.
Add a 'Generalized' object kind to the retain-count checker and suitable
generic diagnostic text for retain-count diagnostics involving those objects.

For now the object kind is introduced in summaries by 'annotate' attributes.
Once we have more experience with these annotations we will propose explicit
attributes.

Patch by Malhar Thakkar!

Differential Revision: https://reviews.llvm.org/D35613

llvm-svn: 308990
2017-07-25 17:17:09 +00:00
Artem Dergachev e235bd1d03 [analyzer] Treat throws as sinks for suppress-on-sink purposes.
Because since r308957 the suppress-on-sink feature contains its own
mini-analysis, it also needs to become aware that C++ unhandled exceptions
cause sinks. Unfortunately, for now we treat all exceptions as unhandled in
the analyzer, so suppress-on-sink needs to do the same.

rdar://problem/28157554

Differential Revision: https://reviews.llvm.org/D35674

llvm-svn: 308961
2017-07-25 09:44:02 +00:00
Artem Dergachev 4e99426629 [analyzer] Further improve suppress-on-sink behavior in incomplete analyses.
If a certain memory leak (or other similar bug) found by the analyzer is known
to be happening only before abnormal termination of the program ("sink", eg.
assertion failure in the code under analysis, or another bug that introduces
undefined behavior), such leak warning is discarded. However, if the analysis
has never reaches completion (due to complexity of the code), it may be
failing to notice the sink.

This commit further extends the partial solution introduced in r290341 to cover
cases when a complicated control flow occurs before encountering a no-return
statement (which anyway inevitably leads to such statement(s)) by traversing
the respective section of the CFG in a depth-first manner. A complete solution
still seems elusive.

rdar://problem/28157554

Differential Revision: https://reviews.llvm.org/D35673

llvm-svn: 308957
2017-07-25 09:25:10 +00:00
Peter Szecsi 58a8b6b4af Revert "[StaticAnalyzer] Completely unrolling specific loops with known bound option"
Revert r308561 and r308558.

Clang-ppc64be-linux seems to crash while running the test cases.

llvm-svn: 308592
2017-07-20 07:35:11 +00:00
Peter Szecsi 251a611cd6 [StaticAnalyzer] Completely unrolling specific loops with known bound option
Missing files added to rL308558.

llvm-svn: 308561
2017-07-20 00:05:25 +00:00
Peter Szecsi cb387b11df This feature allows the analyzer to consider loops to completely unroll. New
requirements/rules (for unrolling) can be added easily via ASTMatchers.

The current implementation is hidden behind a flag.

Right now the blocks which belong to an unrolled loop are marked by the 
LoopVisitor which adds them to the ProgramState. Then whenever we encounter a
CFGBlock in the processCFGBlockEntrance which is marked then we skip its
investigating. That means, it won't be considered to be visited more than the
maximal bound for visiting since it won't be checked.

Differential Revision: https://reviews.llvm.org/D34260

llvm-svn: 308558
2017-07-19 23:50:00 +00:00
Devin Coughlin bac49e5764 [analyzer] Add annotation attribute to trust retain count implementation
Add support to the retain-count checker for an annotation indicating that a
function's implementation should be trusted by the retain count checker.
Functions with these attributes will not be inlined and the arguments will
be treating as escaping.

Adding this annotation avoids spurious diagnostics when the implementation of
a reference counting operation is visible but the analyzer can't reason
precisely about the ref count.

Patch by Malhar Thakkar!

Differential Revision: https://reviews.llvm.org/D34937

llvm-svn: 308416
2017-07-19 04:10:44 +00:00
John McCall 12251887bd Use ARC parsing rules for ns_returns_retained in MRC so that code can
be shared without warnings.  Build AttributedTypes to leave breadcrumbs
for tools like the static analyzer.  Warn about attempting to use the
attribute with incompatible return types.

llvm-svn: 308092
2017-07-15 11:06:46 +00:00
Erik Verbruggen 49db030626 [analyzer] Add annotation for functions taking user-facing strings
There was already a returns_localized_nsstring annotation to indicate
that the return value could be passed to UIKit methods that would
display them. However, those UIKit methods were hard-coded, and it was
not possible to indicate that other classes/methods in a code-base would
do the same.

The takes_localized_nsstring annotation can be put on function
parameters and selector parameters to indicate that those will also show
the string to the user.

Differential Revision: https://reviews.llvm.org/D35186

llvm-svn: 308012
2017-07-14 10:24:36 +00:00
Dominic Chen c0402c6916 Revert "[analyzer] Support generating and reasoning over more symbolic constraint types"
Assertion `Loc::isLocType(SSE->getLHS()->getType())' failed in Analysis/PR3991.m

This reverts commit e469ff2759275e67f9072b3d67fac90f647c0fe6.

llvm-svn: 307853
2017-07-12 21:43:42 +00:00
Dominic Chen 35610d21b2 [analyzer] Support generating and reasoning over more symbolic constraint types
Summary: Generate more IntSymExpr constraints, perform SVal simplification for IntSymExpr and SymbolCast constraints, and create fully symbolic SymExprs

Reviewers: zaks.anna, dcoughlin, NoQ, xazax.hun

Subscribers: mgorny, cfe-commits

Differential Revision: https://reviews.llvm.org/D28953

llvm-svn: 307833
2017-07-12 19:37:57 +00:00
Matthias Gehre 351c218d15 CFG: Add CFGElement for automatic variables that leave the scope
Summary:
This mimics the implementation for the implicit destructors. The
generation of this scope leaving elements is hidden behind
a flag to the CFGBuilder, thus it should not affect existing code.

Currently, I'm missing a test (it's implicitly tested by the clang-tidy
lifetime checker that I'm proposing).
I though about a test using debug.DumpCFG, but then I would
have to add an option to StaticAnalyzer/Core/AnalyzerOptions
to enable the scope leaving CFGElement,
which would only be useful to that particular test.

Any other ideas how I could make a test for this feature?

Reviewers: krememek, jordan_rose

Subscribers: cfe-commits

Differential Revision: http://reviews.llvm.org/D15031

llvm-svn: 307759
2017-07-12 07:04:19 +00:00
Alexander Shaposhnikov 59d10a4cbc [analyzer] Start fixing modeling of bool based types
This is a follow up for one of 
the previous diffs https://reviews.llvm.org/D32328.
getTypeSize and with getIntWidth are not equivalent for bool 
(see https://clang.llvm.org/doxygen/ASTContext_8cpp_source.html#l08444),
this causes a number of issues
(for instance, if APint X representing a bool is created 
with the wrong bit width then X is not comparable against Min/Max
(because of the different bit width), that results in crashes 
(triggered asserts) inside assume* methods), 
for examples see the newly added test cases.

Test plan: make check-all

Differential revision: https://reviews.llvm.org/D35041

llvm-svn: 307604
2017-07-11 00:30:14 +00:00
Artem Dergachev 7caff0e9e1 [analyzer] Move zero-size allocation checks to optin.portability.
This is a new checker package. It contains checkers that highlight
well-documented implementation-defined behavior. Such checkers are only useful
to developers that intend to write portable code. Code that is only compiled for
a single platform should be allowed to rely on this platform's specific
documented behavior.

rdar://problem/30545046

Differential Revision: https://reviews.llvm.org/D34102

llvm-svn: 306396
2017-06-27 11:14:39 +00:00
Gabor Horvath b3bcddf769 [analyzer] Do not continue to analyze a path if the constraints contradict with builtin assume
Differential Revision: https://reviews.llvm.org/D34502

llvm-svn: 305991
2017-06-22 10:09:40 +00:00
Artem Dergachev 4a084cfde7 [analyzer] Bump a few default performance thresholds.
This makes the analyzer around 10% slower by default,
allowing it to find deeper bugs.

Default values for the following -analyzer-config change:
max-nodes: 150000 -> 225000;
max-inlinable-size: 50 -> 100.

rdar://problem/32539666
Differential Revision: https://reviews.llvm.org/D34277

llvm-svn: 305900
2017-06-21 11:29:35 +00:00