Commit Graph

2536 Commits

Author SHA1 Message Date
Artem Dergachev 46209e1dd0 [analyzer] Re-apply r283093 "Add extra notes to ObjCDeallocChecker"
The parent commit (r283092) was reverted before and now finally landed.

llvm-svn: 283660
2016-10-08 10:53:00 +00:00
Daniel Marjamaki d99ebc03f4 [analyzer] Don't merge different return nodes in ExplodedGraph
Returns when calling an inline function should not be merged in the ExplodedGraph unless they are same.

Differential Revision: https://reviews.llvm.org/D25326

llvm-svn: 283554
2016-10-07 14:21:08 +00:00
Anton Yartsev 0509d047f4 [analyzer] Add explanation why analyzer report is not generated (fix for PR12421).
Currently if the path diagnostic consumer (e.g HTMLDiagnostics and PlistDiagnostics) do not support cross file diagnostics then the path diagnostic report is silently omitted in the case of cross file diagnostics. The patch adds a little verbosity to Clang in this case.
The patch also adds help entry for the "--analyzer-output" driver option.

llvm-svn: 283499
2016-10-06 21:42:21 +00:00
Richard Smith 0511d23aeb PR22924, PR22845, some of CWG1464: When checking the initializer for an array
new expression, distinguish between the case of a constant and non-constant
initializer. In the former case, if the bound is erroneous (too many
initializer elements, bound is negative, or allocated size overflows), reject,
and take the bound into account when determining whether we need to
default-construct any elements. In the remanining cases, move the logic to
check for default-constructibility of trailing elements into the initialization
code rather than inventing a bogus array bound, to cope with cases where the
number of initialized elements is not the same as the number of initializer
list elements (this can happen due to string literal initialization or brace
elision).

This also fixes rejects-valid and crash-on-valid errors when initializing a
new'd array of character type from a braced string literal.

llvm-svn: 283406
2016-10-05 22:41:02 +00:00
Artem Dergachev 9cb5614c29 [analyzer] Improve "Assuming..." diagnostic pieces for logical operators.
Logical short-circuit operators now act like other branch conditions.

If the symbolic value of the left-hand side is not known to be true or false
(based on the previous execution path), the "Assuming" event piece is added
in order to explain that the analyzer is adding a new assumption.

Additionally, when the assumption is made against the right-hand side of
the logical operator (i.e. when the operator itself acts as a condition
in another CFG terminator), the "Assuming..." piece is written out for the
right-hand side of the operator rather than for the whole operator.
This allows expression-specific diagnostic message text to be constructed.

Differential Revision: https://reviews.llvm.org/D25092

llvm-svn: 283302
2016-10-05 08:28:25 +00:00
Artem Dergachev 0c33406aaa [analyzer] Add "Assuming..." diagnostic pieces for unsupported conditions.
In the analyzer's path-sensitive reports, when a report goes through a branch
and the branch condition cannot be decided to be definitely true or false
(based on the previous execution path), an event piece is added that tells the
user that a new assumption is added upon the symbolic value of the branch
condition. For example, "Assuming 'a' is equal to 3".

The text of the assumption is hand-crafted in various manners depending on
the AST expression. If the AST expression is too complex and the text of
the assumption fails to be constructed, the event piece is omitted.
This causes loss of information and misunderstanding of the report.

Do not omit the event piece even if the expression is too complex;
add a piece with a generic text instead.

Differential Revision: https://reviews.llvm.org/D23300

llvm-svn: 283301
2016-10-05 08:19:49 +00:00
Vitaly Buka 1a8d52d1ae Revert "[analyzer] Improve CloneChecker diagnostics" as its depends on reverted r283092
This reverts commit r283094.

llvm-svn: 283182
2016-10-04 02:40:35 +00:00
Vitaly Buka b3814f6f38 Revert "[analyzer] Add extra notes to ObjCDeallocChecker" as its depends on reverted r283092
This reverts commit r283093.

llvm-svn: 283181
2016-10-04 02:36:58 +00:00
Daniel Marjamaki fd1b3814b3 [StaticAnalyser] Add test case to ensure that unreachable code is found.
https://reviews.llvm.org/D24905

llvm-svn: 283096
2016-10-03 09:45:35 +00:00
Daniel Marjamaki 042a3c5a2d [StaticAnalyzer] Fix UnreachableCode false positives.
When there is 'do { } while (0);' in the code the ExplodedGraph and UnoptimizedCFG did not match.

Differential Revision: https://reviews.llvm.org/D24759

llvm-svn: 283095
2016-10-03 08:28:51 +00:00
Artem Dergachev c87d2a613e [analyzer] Improve CloneChecker diagnostics
Highlight code clones referenced by the warning message with the help of
the extra notes feature recently introduced in r283092.

Change warning text to more clang-ish. Remove suggestions from the copy-paste
error checker diagnostics, because currently our suggestions are strictly 50%
wrong (we do not know which of the two code clones contains the error), and
for that reason we should not sound as if we're actually suggesting this.
Hopefully a better solution would bring them back.

Make sure the suspicious clone pair structure always mentions
the correct variable for the second clone.

Differential Revision: https://reviews.llvm.org/D24916

llvm-svn: 283094
2016-10-03 08:11:50 +00:00
Artem Dergachev 918602df8d [analyzer] Add extra notes to ObjCDeallocChecker
The report is now highlighting instance variables and properties
referenced by the warning message with the help of the
extra notes feature recently introduced in r283092.

Differential Revision: https://reviews.llvm.org/D24915

llvm-svn: 283093
2016-10-03 08:03:51 +00:00
Daniel Marjamaki 2593b402ce [StaticAnalyzer] Fix false positives for vardecls that are technically unreachable but they are needed.
Example:

    switch (x) {
      int a;  // <- This is unreachable but needed
    case 1:
      a = ...

Differential Revision: https://reviews.llvm.org/D24905

llvm-svn: 282574
2016-09-28 10:39:53 +00:00
Daniel Marjamaki 13264ebea4 [analyzer] Improve CastToStruct checker so it can also detect widening casts of struct data
Example:

struct AB {
  int A;
  int B;
};

struct ABC {
  int A;
  int B;
  int C;
};

void f() {
  struct AB Data;
  struct ABC *P = (struct ABC *)&Data;
}

Differential Revision: https://reviews.llvm.org/D23508

llvm-svn: 282411
2016-09-26 15:17:18 +00:00
Alexander Shaposhnikov a1fead293f [analyzer] Fix crash in RetainCountChecker::checkEndFunction
The class BodyFarm creates bodies for
OSAtomicCompareAndSwap*, objc_atomicCompareAndSwap*, dispatch_sync*, dispatch_once*
and for them the flag isBodyAutosynthesized is set to true.

This diff
1. makes AnalysisConsumer::HandleCode skip the autosynthesized code
2. replaces assert(LCtx->getParent()) in RetainCountChecker::checkEndFunction
by assert(!LCtx->inTopFrame()) (minor cleanup)

Test plan: make -j8 check-clang-analysis

Differential revision: https://reviews.llvm.org/D24792

llvm-svn: 282293
2016-09-23 20:49:01 +00:00
Anna Zaks c154f7bc37 [analyzer] Add a checker that detects blocks in critical sections
This checker should find the calls to blocking functions (for example: sleep, getc, fgets,read,recv etc.) inside a critical section. When sleep(x) is called while a mutex is held, other threads cannot lock the same mutex. This might take some time, leading to bad performance or even deadlock.

Example:

mutex_t m;

void f() {
  sleep(1000); // Error: sleep() while m is locked! [f() is called from foobar() while m is locked]
  // do some work
}

void foobar() {
  lock(m);
  f();
  unlock(m);
}

A patch by zdtorok (Zoltán Dániel Török)!

Differential Revision: https://reviews.llvm.org/D21506

llvm-svn: 282011
2016-09-20 20:28:50 +00:00
Gabor Horvath 7304027c6d [analyzer] Calculate extent size for memory regions allocated by new expression.
ArrayBoundChecker did not detect out of bounds memory access errors in case an
array was allocated by the new expression. This patch resolves this issue.

Patch by Daniel Krupp!

Differential Revision: https://reviews.llvm.org/D24307

llvm-svn: 281934
2016-09-19 20:39:52 +00:00
Alexander Shaposhnikov 6956d29034 [analyzer] Fix ExprEngine::VisitMemberExpr
AST may contain intermediate ParenExpr nodes
between MemberExpr and ArrayToPointerDecay.
This diff adjusts the check in ExprEngine::VisitMemberExpr accordingly.
Test plan: make -j8 check-clang-analysis

Differential revision: https://reviews.llvm.org/D24484

llvm-svn: 281373
2016-09-13 19:17:20 +00:00
Aleksei Sidorin 29afb1937b [analyzer] ExprEngine: remove second call to PreStmt<CastExpr>
This patch also introduces AnalysisOrderChecker which is intended for testing
of callback call correctness.

Differential Revision: https://reviews.llvm.org/D23804

llvm-svn: 280367
2016-09-01 13:55:38 +00:00
Aleksei Sidorin e1beaf1ee7 [analyzer] Add more FileIDs to PlistDiagnostic map to avoid assertion
Some FileIDs that may be used by PlistDiagnostics were not added while building
a list of pieces. This caused assertion violation in GetFID() function.
This patch adds some missing FileIDs to avoid the assertion. It also contains
small refactoring of PlistDiagnostics::FlushDiagnosticsImpl().

Patch by Aleksei Sidorin, Ilya Palachev.

Differential Revision: https://reviews.llvm.org/D22090

llvm-svn: 280360
2016-09-01 12:25:16 +00:00
Richard Smith 53851923d5 Fix all tests under test/CXX (and test/Analysis) to pass if clang's default
C++ language standard is not C++98.

llvm-svn: 280309
2016-08-31 23:24:08 +00:00
Devin Coughlin 184996bbb4 [analyzer] Use lazily created buffer in EmptyLocalizationContextChecker
Fix a crash when relexing the underlying memory buffer to find incorrect
arguments to NSLocalizedString(). With precompiled headers, the raw
buffer may be NULL. Instead, use the source manager to get the buffer,
which will lazily create the buffer for precompiled headers.

rdar://problem/27429091

llvm-svn: 280174
2016-08-30 23:07:14 +00:00
Artem Dergachev 5f94b089e9 [analyzer] Fix CloneDetector crash on calling methods of class templates.
If a call expression represents a method call of a class template,
and the method itself isn't templated, then the method may be considered
to be a template instantiation without template specialization arguments.

No longer crash when we could not find template specialization arguments.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D23780

llvm-svn: 279529
2016-08-23 16:42:00 +00:00
Gabor Horvath b59b27040e Reapply "[analyzer] Added valist related checkers."
Differential Revision: https://reviews.llvm.org/D15227

llvm-svn: 279427
2016-08-22 11:21:30 +00:00
Gabor Horvath 855ad82e05 [analyzer] Correctly add assumptions based on array bounds.
Also simplify the constraints generated by the checker. 

Differential Revision: https://reviews.llvm.org/D23112

llvm-svn: 279425
2016-08-22 10:07:32 +00:00
Artem Dergachev 51b9a0e8e8 [analyzer] Make CloneDetector consider macro expansions.
So far macro-generated code was treated by the CloneDetector as normal code.
This caused that some macros where reported as false-positive clones because
large chunks of code coming from otherwise concise macro expansions were treated
as copy-pasted code.

This patch ensures that macros are treated in the same way as literals/function
calls. This prevents macros that expand into multiple statements
from being reported as clones.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D23316

llvm-svn: 279367
2016-08-20 10:06:59 +00:00
Artem Dergachev 5183888813 [analyzer] Make CloneDetector consider template arguments.
For example, code samples `isa<Stmt>(S)' and `isa<Expr>(S)'
are no longer considered to be clones.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D23555

llvm-svn: 279366
2016-08-20 09:57:21 +00:00
Devin Coughlin 719238b7d3 [analyzer] Weaken assertion in trackNullOrUndefValue()
We should ignore paren casts when making sure that the semantic expression
in a PseudoObjectExpr for an ObjC getter is a message send.

This has no other intended functionality change.

Adding a test for this exposed an interesting issue in another test case
that only manifests under ARC. trackNullOrUndefValue() is not properly
suppressing for nil values that are the result of nil propagation from a nil
receiver when the nil is returned from a function. I've added a FIXME for that
missing suppression.

rdar://problem/27290568

llvm-svn: 279181
2016-08-19 01:05:31 +00:00
Artem Dergachev 2fc1985db3 [analyzer] Teach CloneDetector to find clones that look like copy-paste errors.
The original clone checker tries to find copy-pasted code that is exactly
identical to the original code, up to minor details.

As an example, if the copy-pasted code has all references to variable 'a'
replaced with references to variable 'b', it is still considered to be
an exact clone.

The new check finds copy-pasted code in which exactly one variable seems
out of place compared to the original code, which likely indicates
a copy-paste error (a variable was forgotten to be renamed in one place).

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D23314

llvm-svn: 279056
2016-08-18 12:29:41 +00:00
Gabor Horvath 2402dd1e82 revert [analyzer] Added valist related checkers.
llvm-svn: 279043
2016-08-18 09:13:37 +00:00
Gabor Horvath 56e8aa535b [analyzer] Added valist related checkers.
Differential Revision: https://reviews.llvm.org/D15227

llvm-svn: 279041
2016-08-18 08:43:26 +00:00
Artem Dergachev 002981baca [analyzer] Add a checker for loss of sign or precision in integral casts.
This new checker tries to find execution paths on which implicit integral casts
cause definite loss of information: a certainly-negative integer is converted
to an unsigned integer, or an integer is definitely truncated to fit into
a smaller type.

Being implicit, such casts are likely to produce unexpected results.

Patch by Daniel Marjamäki!

Differential Revision: https://reviews.llvm.org/D13126

llvm-svn: 278941
2016-08-17 16:02:45 +00:00
Artem Dergachev cbce96c3af [analyzer] Add LocationContext information to SymbolMetadata.
Like SymbolConjured, SymbolMetadata also needs to be uniquely
identified by the moment of its birth.

Such moments are coded by the (Statement, LocationContext, Block count) triples.
Each such triple represents the moment of analyzing a statement with a certain
call backtrace, with corresponding CFG block having been entered a given amount
of times during analysis of the current code body.

The LocationContext information was accidentally omitted for SymbolMetadata,
which leads to reincarnation of SymbolMetadata upon re-entering a code body
with a different backtrace; the new symbol is incorrectly unified with
the old symbol, which leads to unsound assumptions.

Patch by Alexey Sidorin!

Differential Revision: https://reviews.llvm.org/D21978

llvm-svn: 278937
2016-08-17 15:37:52 +00:00
Saleem Abdulrasool b9250475ea StaticAnalyzer: Report found fields order in PaddingChecker
Report the found fields order in PaddingChecker.

Patch by Alexander Shaposhnikov!

llvm-svn: 278730
2016-08-15 20:16:13 +00:00
Devin Coughlin 81cc38cf9a [analyzer] Teach RetainCountChecker about CVFooRetain
Change the retain count checker to treat CoreFoundation-style "CV"-prefixed
reference types from CoreVideo similarly to CoreGraphics types. With this
change, we treat CVFooRetain() on a CVFooRef type as a retain. CVFooRelease()
APIs are annotated as consuming their parameter, so this change prevents false
positives about incorrect decrements of reference counts.

<rdar://problem/27116090>

llvm-svn: 278382
2016-08-11 18:41:29 +00:00
Artem Dergachev cad151491e [analyzer] Fix a crash in CloneDetector when calling functions by pointers.
CallExpr may have a null direct callee when the callee function is not
known in compile-time. Do not try to take callee name in this case.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D23320

llvm-svn: 278238
2016-08-10 16:25:16 +00:00
Artem Dergachev 6a76a1639f [analyzer] Change -analyze-function to accept qualified names.
Both -analyze-function and -analyzer-display-progress now share the same
convention for naming functions, which allows discriminating between
methods with the same name in different classes, C++ overloads, and also
presents Objective-C instance and class methods in the convenient notation.

This also allows looking up the name for the particular function you're trying
to restrict analysis to in the -analyzer-display-progress output,
in case it was not instantly obvious.

Differential Revision: https://reviews.llvm.org/D22856

llvm-svn: 278018
2016-08-08 16:01:02 +00:00
Gabor Horvath c430990d0b [analyzer] Command line option to show enabled checker list.
This patch adds a command line option to list the checkers that were enabled
by analyzer-checker and not disabled by -analyzer-disable-checker.

It can be very useful to debug long command lines when it is not immediately
apparent which checkers are turned on and which checkers are turned off.

Differential Revision: https://reviews.llvm.org/D23060

llvm-svn: 278006
2016-08-08 13:41:04 +00:00
Gabor Horvath 44583ce65a [analyzer] Model base to derived casts more precisely.
Dynamic casts are handled relatively well by the static analyzer.
BaseToDerived casts however are treated conservatively. This can cause some
false positives with the NewDeleteLeaks checker.

This patch alters the behavior of BaseToDerived casts. In case a dynamic cast
would succeed use the same semantics. Otherwise fall back to the conservative
approach.

Differential Revision: https://reviews.llvm.org/D23014

llvm-svn: 277989
2016-08-08 09:22:59 +00:00
Artem Dergachev 7a0088bbae [analyzer] Make CloneDetector recognize different variable patterns.
CloneDetector should be able to detect clones with renamed variables.
However, if variables are referenced multiple times around the code sample,
the usage patterns need to be recognized.

For example, (x < y ? y : x) and (y < x ? y : x) are no longer clones,
however (a < b ? b : a) is still a clone of the former.

Variable patterns are computed and compared during a separate filtering pass.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D22982

llvm-svn: 277757
2016-08-04 19:37:00 +00:00
Artem Dergachev 7a7004a999 [analyzer] Hotfix for buildbot failure due to unspecified triple in r277449
If a target triple is not specified, the default host triple is used,
which is not good for compiling inline assembler code.

Patch by Raphael Isemann!

llvm-svn: 277473
2016-08-02 15:16:06 +00:00
Artem Dergachev 78692ea590 [analyzer] Respect statement-specific data in CloneDetection.
So far the CloneDetector only respected the kind of each statement when
searching for clones. This patch refines the way the CloneDetector collects data
from each statement by providing methods for each statement kind,
that will read the kind-specific attributes.

For example, statements 'a < b' and 'a > b' are no longer considered to be
clones, because they are different in operation code, which is an attribute
specific to the BinaryOperator statement kind.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D22514

llvm-svn: 277449
2016-08-02 12:21:09 +00:00
Artem Dergachev ba816326f3 [analyzer] Add basic capabilities to detect source code clones.
This patch adds the CloneDetector class which allows searching source code
for clones.

For every statement or group of statements within a compound statement,
CloneDetector computes a hash value, and finds clones by detecting
identical hash values.

This initial patch only provides a simple hashing mechanism
that hashes the kind of each sub-statement.

This patch also adds CloneChecker - a simple static analyzer checker
that uses CloneDetector to report copy-pasted code.

Patch by Raphael Isemann!

Differential Revision: https://reviews.llvm.org/D20795

llvm-svn: 276782
2016-07-26 18:13:12 +00:00
Devin Coughlin f57f90dfd1 [analyzer] Add checker modeling potential C++ self-assignment
This checker checks copy and move assignment operators whether they are
protected against self-assignment. Since C++ core guidelines discourages
explicit checking for `&rhs==this` in general we take a different approach: in
top-frame analysis we branch the exploded graph for two cases, where &rhs==this
and &rhs!=this and let existing checkers (e.g. unix.Malloc) do the rest of the
work. It is important that we check all copy and move assignment operator in top
frame even if we checked them already since self-assignments may happen
undetected even in the same translation unit (e.g. using random indices for an
array what may or may not be the same).

This reapplies r275820 after fixing a string-lifetime issue discovered by the
bots.

A patch by Ádám Balogh!

Differential Revision: https://reviews.llvm.org/D19311

llvm-svn: 276365
2016-07-21 23:42:31 +00:00
Devin Coughlin d2387432bb Revert "[analyzer] Add checker modeling potential C++ self-assignment"
This reverts commit r275820. It is failing on the bots.

llvm-svn: 275880
2016-07-18 18:57:50 +00:00
Devin Coughlin eea0737a34 [analyzer] Add checker modeling potential C++ self-assignment
This checker checks copy and move assignment operators whether they are
protected against self-assignment. Since C++ core guidelines discourages
explicit checking for `&rhs==this` in general we take a different approach: in
top-frame analysis we branch the exploded graph for two cases, where &rhs==this
and &rhs!=this and let existing checkers (e.g. unix.Malloc) do the rest of the
work. It is important that we check all copy and move assignment operator in top
frame even if we checked them already since self-assignments may happen
undetected even in the same translation unit (e.g. using random indices for an
array what may or may not be the same).

A patch by Ádám Balogh!

Differential Revision: https://reviews.llvm.org/D19311

llvm-svn: 275820
2016-07-18 17:23:30 +00:00
Devin Coughlin cad622742e [analyzer] Add rudimentary handling of AtomicExpr.
This proposed patch adds crude handling of atomics to the static analyzer.
Rather than ignore AtomicExprs, as we now do, this patch causes the analyzer
to escape the arguments. This is imprecise -- and we should model the
expressions fully in the future -- but it is less wrong than ignoring their
effects altogether.

This is rdar://problem/25353187

Differential Revision: http://reviews.llvm.org/D21667

llvm-svn: 274816
2016-07-08 00:53:18 +00:00
Devin Coughlin 0a53fdf00c [analyzer] Suppress false positives in std::shared_ptr
The analyzer does not model C++ temporary destructors completely and so
reports false alarms about leaks of memory allocated by the internals of
shared_ptr:

  std::shared_ptr<int> p(new int(1));
  p = nullptr; // 'Potential leak of memory pointed to by field __cntrl_'

This patch suppresses all diagnostics where the end of the path is inside
a method in std::shared_ptr.

It also reorganizes the tests for suppressions in the C++ standard library
to use a separate simulated header for library functions with bugs
that were deliberately inserted to test suppression. This will prevent
other tests from using these as models.

rdar://problem/23652766

llvm-svn: 274691
2016-07-06 21:52:55 +00:00
Stephan Bergmann bf95fff9bd DeadStoresChecker: Don't warn about dead stores into volatile variables
llvm-svn: 273689
2016-06-24 16:26:43 +00:00
Devin Coughlin 9d5057cce5 [analyzer] Teach ObjCDeallocChecker about XCTestCase
Like with SenTestCase, subclasses of XCTestCase follow a "tear down" idiom to
release instance variables and so typically do not release ivars in -dealloc.
This commit applies the existing special casing for SenTestCase to XCTestCase
as well.

rdar://problem/25884696

llvm-svn: 273441
2016-06-22 17:03:10 +00:00