Commit Graph

3736 Commits

Author SHA1 Message Date
Adam Balogh a3f4d17a1a [Analyzer] Use note tags to track container begin and and changes
Container operations such as `push_back()`, `pop_front()`
etc. increment and decrement the abstract begin and end
symbols of containers. This patch introduces note tags
to `ContainerModeling` to track these changes. This helps
the user to better identify the source of errors related
to containers and iterators.

Differential Revision: https://reviews.llvm.org/D73720
2020-03-26 07:56:28 +01:00
Adam Balogh ccc0d35181 [Analyzer] IteratorRangeChecker verify `std::advance()`, `std::prev()` and `std::next()`
Upon calling one of the functions `std::advance()`, `std::prev()` and
`std::next()` iterators could get out of their valid range which leads
to undefined behavior. If all these funcions are inlined together with
the functions they call internally (e.g. `__advance()` called by
`std::advance()` in some implementations) the error is detected by
`IteratorRangeChecker` but the bug location is inside the STL
implementation. Even worse, if the budget runs out and one of the calls
is not inlined the bug remains undetected. This patch fixes this
behavior: all the bugs are detected at the point of the STL function
invocation.

Differential Revision: https://reviews.llvm.org/D76379
2020-03-23 17:33:26 +01:00
Adam Balogh 60bad941a1 [Analyzer] Iterator Modeling - Model `std::advance()`, `std::prev()` and `std::next()`
Whenever the analyzer budget runs out just at the point where
`std::advance()`, `std::prev()` or `std::next()` is invoked the function
are not inlined. This results in strange behavior such as
`std::prev(v.end())` equals `v.end()`. To prevent this model these
functions if they were not inlined. It may also happend that although
`std::advance()` is inlined but a function it calls inside (e.g.
`__advance()` in some implementations) is not. This case is also handled
in this patch.

Differential Revision: https://reviews.llvm.org/D76361
2020-03-23 15:29:55 +01:00
Gabor Marton ededa65d55 [analyzer] StdLibraryFunctionsChecker: Add NotNull Arg Constraint
Reviewers: NoQ, Szelethus, balazske, gamesh411, baloghadamsoftware, steakhal

Subscribers: whisperity, xazax.hun, szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, Charusso, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75063
2020-03-20 17:34:29 +01:00
Erich Keane ffcc076a2b [[Clang CallGraph]] CallGraph should still record calls to decls.
Discovered by a downstream user, we found that the CallGraph ignores
callees unless they are defined.  This seems foolish, and prevents
combining the report with other reports to create unified reports.
Additionally, declarations contain information that is likely useful to
consumers of the CallGraph.

This patch implements this by splitting the includeInGraph function into
two versions, the current one plus one that is for callees only.  The
only difference currently is that includeInGraph checks for a body, then
calls includeCalleeInGraph.

Differential Revision: https://reviews.llvm.org/D76435
2020-03-20 08:55:23 -07:00
Gabor Marton 94061df6e5 [analyzer] StdLibraryFunctionsChecker: Add argument constraints
Differential Revision:
https://reviews.llvm.org/D73898
2020-03-20 16:33:14 +01:00
Erich Keane a983562b23 Precommit test for clang::CallGraph declared functions.
https://reviews.llvm.org/D76435 fixes this problem, functions that are
being declared but ARE called aren't entered into the callgraph.
2020-03-19 12:00:30 -07:00
Bill Wendling 218dd33954 Add triple for non-x86 environments. 2020-03-10 15:26:03 -07:00
Bill Wendling 72aa619a7f Warn of uninitialized variables on asm goto's indirect branch
Summary:
Outputs from an asm goto block cannot be used on the indirect branch.
It's not supported and may result in invalid code generation.

Reviewers: jyknight, nickdesaulniers, hfinkel

Reviewed By: nickdesaulniers

Subscribers: martong, cfe-commits, rnk, craig.topper, hiraditya, rsmith

Tags: #clang

Differential Revision: https://reviews.llvm.org/D71314
2020-03-10 13:48:48 -07:00
Douglas Yung 54d82255fd Change tests to use -S instead of -c to work when an external assembler is used that is not present. NFCI.
Reviewed By: NoQ

Subscribers: Charusso, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D74104
2020-03-09 15:45:00 -07:00
Gabor Marton 59a960b83c [analyzer] Skip analysis of inherited ctor as top-level function
Summary:
This fixes a regression introduced in https://reviews.llvm.org/D74735

Reviewers: NoQ, Szelethus

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75678
2020-03-09 12:05:11 +01:00
Balázs Kéri ce1a86251b [Analyzer][StreamChecker] Check for opened stream before operations.
Summary:
According to documentations, after an `fclose` call any other stream
operations cause undefined behaviour, regardless if the close failed
or not.
This change adds the check for the opened state before all other
(applicable) operations.

Reviewers: Szelethus

Reviewed By: Szelethus

Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, gamesh411, Charusso, martong, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D75614
2020-03-09 11:00:03 +01:00
Jeremy Morse d4f9675b55 [analyzer] decode() a bytes object to make Python3 happy
The output of subprocess.check_output is decode()'d through the rest of
this python program, but one appears to have been missed for the output
of the call to "clang -print-file-name=include".

On Windows, with Python 3.6, this leads to the 'args' array being a mix of
bytes and strings, which causes exceptions later down the line.

I can't easily test with python2 on Windows, but python2 on Ubuntu 18.04
was happy with this change.
2020-03-04 17:12:48 +00:00
Charusso abdd33c86a [analyzer] AnalyzerOptions: Remove 'fixits-as-remarks'
Summary: The new way of checking fix-its is `%check_analyzer_fixit`.

Reviewed By: NoQ, Szelethus, xazax.hun

Differential Revision: https://reviews.llvm.org/D73729
2020-03-04 06:56:32 +01:00
Charusso f69c74db34 [analyzer] FixItHint: Apply and test hints with the Clang-Tidy's script
Summary:
This patch introduces a way to apply the fix-its by the Analyzer:
`-analyzer-config apply-fixits=true`.

The fix-its should be testable, therefore I have copied the well-tested
`check_clang_tidy.py` script. The idea is that the Analyzer's workflow
is different so it would be very difficult to use only one script for
both Tidy and the Analyzer, the script would diverge a lot.
Example test: `// RUN: %check-analyzer-fixit %s %t -analyzer-checker=core`

When the copy-paste happened the original authors were:
@alexfh, @zinovy.nis, @JonasToth, @hokein, @gribozavr, @lebedev.ri

Reviewed By: NoQ, alexfh, zinovy.nis

Differential Revision: https://reviews.llvm.org/D69746
2020-03-04 06:26:33 +01:00
Balazs Benics 859bcf4e3b [analyzer][taint] Add isTainted debug expression inspection check
Summary:
This patch introduces the `clang_analyzer_isTainted` expression inspection
check for checking taint.

Using this we could query the analyzer whether the expression used as the
argument is tainted or not. This would be useful in tests, where we don't want
to issue warning for all tainted expressions in a given file
(like the `debug.TaintTest` would do) but only for certain expressions.

Example usage:

```lang=c++
int read_integer() {
  int n;
  clang_analyzer_isTainted(n);     // expected-warning{{NO}}
  scanf("%d", &n);
  clang_analyzer_isTainted(n);     // expected-warning{{YES}}
  clang_analyzer_isTainted(n + 2); // expected-warning{{YES}}
  clang_analyzer_isTainted(n > 0); // expected-warning{{YES}}
  int next_tainted_value = n; // no-warning
  return n;
}
```

Reviewers: NoQ, Szelethus, baloghadamsoftware, xazax.hun, boga95

Reviewed By: Szelethus

Subscribers: martong, rnkovacs, whisperity, xazax.hun,
baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy,
Charusso, cfe-commits, boga95, dkrupp, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D74131
2020-03-03 14:40:23 +01:00
Roman Lebedev 3dd5a298bf
[clang] Annotating C++'s `operator new` with more attributes
Summary:
Right now we annotate C++'s `operator new` with `noalias` attribute,
which very much is healthy for optimizations.

However as per [[ http://eel.is/c++draft/basic.stc.dynamic.allocation | `[basic.stc.dynamic.allocation]` ]],
there are more promises on global `operator new`, namely:
* non-`std::nothrow_t` `operator new` *never* returns `nullptr`
* If `std::align_val_t align` parameter is taken, the pointer will also be `align`-aligned
* ~~global `operator new`-returned pointer is `__STDCPP_DEFAULT_NEW_ALIGNMENT__`-aligned ~~ It's more caveated than that.

Supplying this information may not cause immediate landslide effects
on any specific benchmarks, but it for sure will be healthy for optimizer
in the sense that the IR will better reflect the guarantees provided in the source code.

The caveat is `-fno-assume-sane-operator-new`, which currently prevents emitting `noalias`
attribute, and is automatically passed by Sanitizers ([[ https://bugs.llvm.org/show_bug.cgi?id=16386 | PR16386 ]]) - should it also cover these attributes?
The problem is that the flag is back-end-specific, as seen in `test/Modules/explicit-build-flags.cpp`.
But while it is okay to add `noalias` metadata in backend, we really should be adding at least
the alignment metadata to the AST, since that allows us to perform sema checks on it.

Reviewers: erichkeane, rjmccall, jdoerfert, eugenis, rsmith

Reviewed By: rsmith

Subscribers: xbolva00, jrtc27, atanasyan, nlopes, cfe-commits

Tags: #llvm, #clang

Differential Revision: https://reviews.llvm.org/D73380
2020-02-26 01:37:17 +03:00
Bill Wendling 6d0d1a63f2 Use "nop" to avoid size warnings. 2020-02-25 12:31:53 -08:00
Bill Wendling e11f9fb450 Add 'l' constraint to goto label reference
A goto label uses the 'l' constraint, skipping it can cause unexpected
warnings.
2020-02-25 11:48:23 -08:00
Artem Dergachev a82ffe9d93 [analyzer] Add support for CXXInheritedCtorInitExpr.
So far we've been dropping coverage every time we've encountered
a CXXInheritedCtorInitExpr. This patch attempts to add some
initial support for it.

Constructors for arguments of a CXXInheritedCtorInitExpr are still
not fully supported.

Differential Revision: https://reviews.llvm.org/D74735
2020-02-25 18:37:23 +03:00
Kristóf Umann e5513336ae [analyzer][MallocChecker][NFC] Change the use of IdentifierInfo* to CallDescription
Exactly what it says on the tin! I decided not to merge this with the patch that
changes all these to a CallDescriptionMap object, so the patch is that much more
trivial.

Differential Revision: https://reviews.llvm.org/D68163
2020-02-25 15:43:33 +01:00
Adam Balogh 770ad9f55e [Analyzer] Fix for iterator modeling and checkers: handle negative numbers correctly
Currently, using negative numbers in iterator operations (additions and
subractions) results in advancements with huge positive numbers due to
an error. This patch fixes it.

Differential Revision: https://reviews.llvm.org/D74760
2020-02-25 14:57:34 +01:00
Bill Wendling 50cac24877 Support output constraints on "asm goto"
Summary:
Clang's "asm goto" feature didn't initially support outputs constraints. That
was the same behavior as gcc's implementation. The decision by gcc not to
support outputs was based on a restriction in their IR regarding terminators.
LLVM doesn't restrict terminators from returning values (e.g. 'invoke'), so
it made sense to support this feature.

Output values are valid only on the 'fallthrough' path. If an output value's used
on an indirect branch, then it's 'poisoned'.

In theory, outputs *could* be valid on the 'indirect' paths, but it's very
difficult to guarantee that the original semantics would be retained. E.g.
because indirect labels could be used as data, we wouldn't be able to split
critical edges in situations where two 'callbr' instructions have the same
indirect label, because the indirect branch's destination would no longer be
the same.

Reviewers: jyknight, nickdesaulniers, hfinkel

Reviewed By: jyknight, nickdesaulniers

Subscribers: MaskRay, rsmith, hiraditya, llvm-commits, cfe-commits, craig.topper, rnk

Tags: #clang, #llvm

Differential Revision: https://reviews.llvm.org/D69876
2020-02-24 18:51:29 -08:00
Zurab Tsinadze a54d81f597 [analyzer] CERT: POS34-C
Summary:
This patch introduces a new checker:
`alpha.security.cert.pos.34c`

This checker is implemented based on the following rule:
https://wiki.sei.cmu.edu/confluence/x/6NYxBQ
The check warns if  `putenv` function is
called with automatic storage variable as an argument.

Differential Revision: https://reviews.llvm.org/D71433
2020-02-19 18:12:19 +01:00
Artem Dergachev 21efb06f0a Revert "[analyzer] Teach scan-build how to rebuild index.html without analyzing."
This reverts commit a807a068e6.

Buildbot failures :)
2020-02-18 09:48:29 +03:00
Artem Dergachev a807a068e6 [analyzer] Teach scan-build how to rebuild index.html without analyzing.
This is useful for performing custom build system integration that works by appending '--analyze --analyzer-output html' to all clang build commands.
For such users there is now still a way to have the fancy index.html file
in the output.

Differential Revision: https://reviews.llvm.org/D74467
2020-02-18 09:19:29 +03:00
Artem Dergachev 5a11233a2f [analyzer] VforkChecker: allow execve after vfork.
In the path-sensitive vfork() checker that keeps a list of operations
allowed after a successful vfork(), unforget to include execve() in the list.

Patch by Jan Včelák!

Differential Revision: https://reviews.llvm.org/D73629
2020-02-18 09:19:29 +03:00
Mark de Wever af20211944 [Sema] Fix pointer-to-int-cast for MSVC build bot
Revision 9658d895c8 breaks the clang-x64-windows-msvc build bot [1].
This should fix the unit test using the same method as used in 9658d895c8.

Note I don't have access to a Windows system so the patch is based on the
errors generated by the bot.

[1] http://lab.llvm.org:8011/builders/clang-x64-windows-msvc/builds/14358

Differential Revision: https://reviews.llvm.org/D74694
2020-02-16 19:09:59 +01:00
Mark de Wever 9658d895c8 [Sema] Adds the pointer-to-int-cast diagnostic
Converting a pointer to an integer whose result cannot represented in the
integer type is undefined behavior is C and prohibited in C++. C++ already
has a diagnostic when casting. This adds a diagnostic for C.

Since this diagnostic uses the range of the conversion it also modifies
int-to-pointer-cast diagnostic to use a range.

Fixes PR8718: No warning on casting between pointer and non-pointer-sized int

Differential Revision: https://reviews.llvm.org/D72231
2020-02-16 15:38:25 +01:00
Gabor Marton 536456a7e9 [analyzer] StdLibraryFunctionsChecker: Use platform dependent EOF and UCharMax
Summary:
Both EOF and the max value of unsigned char is platform dependent. In this
patch we try our best to deduce the value of EOF from the Preprocessor,
if we can't we fall back to -1.

Reviewers: Szelethus, NoQ

Subscribers: whisperity, xazax.hun, kristof.beyls, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalh

Tags: #clang

Differential Revision: https://reviews.llvm.org/D74473
2020-02-13 13:51:51 +01:00
Richard Smith 7ae1b4a0ce Implement P1766R1: diagnose giving non-C-compatible classes a typedef name for linkage purposes.
Summary:
Due to a recent (but retroactive) C++ rule change, only sufficiently
C-compatible classes are permitted to be given a typedef name for
linkage purposes. Add an enabled-by-default warning for these cases, and
rephrase our existing error for the case where we encounter the typedef
name for linkage after we've already computed and used a wrong linkage
in terms of the new rule.

Reviewers: rjmccall

Subscribers: cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D74103
2020-02-07 11:47:37 -08:00
Gabor Horvath 643dee903c [analyzer] Move fuchsia.Lock checker to alpha
Differential Revision: https://reviews.llvm.org/D74004
2020-02-05 16:11:06 -08:00
Gabor Horvath e4f4a6c0f5 [analyzer] Prevent an assertion failure in PThreadLockChecker
When the implementations of the locking functions are available.

Differential Revision: https://reviews.llvm.org/D74003
2020-02-05 15:56:56 -08:00
Adam Balogh b198f16e1e [Analyzer] Model STL Algoirthms to improve the iterator checkers
STL Algorithms are usually implemented in a tricky for performance
reasons which is too complicated for the analyzer. Furthermore inlining
them is costly. Instead of inlining we should model their behavior
according to the specifications.

This patch is the first step towards STL Algorithm modeling. It models
all the `find()`-like functions in a simple way: the result is either
found or not. In the future it can be extended to only return success if
container modeling is also extended in a way the it keeps track of
trivial insertions and deletions.

Differential Revision: https://reviews.llvm.org/D70818
2020-02-05 17:59:08 +01:00
Artem Dergachev 482e236e56 [analyzer] Fix a couple of bugs in HTML report generation.
It should now produce valid HTML again.

Differential Revision: https://reviews.llvm.org/D73993
2020-02-05 17:16:38 +03:00
Artem Dergachev 4b05fc248b [analyzer] Suppress linker invocation in scan-build tests.
This should fix PS4 buildbots.
2020-02-04 00:12:24 +03:00
Artem Dergachev 5521236a18 [analyzer] Re-land 0aba69e "Add test directory for scan-build."
The tool is now looked for in the source directory rather than in the
install directory, which should exclude the problems with not being able
to find it.

The tests still aren't being run on Windows, but they hopefully will run
on other platforms that have shell, which hopefully also means Perl.

Differential Revision: https://reviews.llvm.org/D69781
2020-02-03 23:59:57 +03:00
Adam Balogh 9a08a3fab9 [Analyzer] Split container modeling from iterator modeling
Iterator modeling depends on container modeling,
but not vice versa. This enables the possibility
to arrange these two modeling checkers into
separate layers.

There are several advantages for doing this: the
first one is that this way we can keep the
respective modeling checkers moderately simple
and small. Furthermore, this enables creation of
checkers on container operations which only
depend on the container modeling. Thus iterator
modeling can be disabled together with the
iterator checkers if they are not needed.

Since many container operations also affect
iterators, container modeling also uses the
iterator library: it creates iterator positions
upon calling the `begin()` or `end()` method of
a containter (but propagation of the abstract
position is left to the iterator modeling),
shifts or invalidates iterators according to the
rules upon calling a container modifier and
rebinds the iterator to a new container upon
`std::move()`.

Iterator modeling propagates the abstract
iterator position, handles the relations between
iterator positions and models iterator
operations such as increments and decrements.

Differential Revision: https://reviews.llvm.org/D73547
2020-01-29 16:10:45 +01:00
Gabor Horvath f4c26d993b [analyzer] Add FuchsiaLockChecker and C11LockChecker
These are mostly trivial additions as both of them are reusing existing
PThreadLockChecker logic. I only needed to add the list of functions to
check and do some plumbing to make sure that we display the right
checker name in the diagnostic.

Differential Revision: https://reviews.llvm.org/D73376
2020-01-27 13:55:56 -08:00
Gabor Horvath c98d98ba9b [analyzer] Fix handle leak false positive when the handle dies too early
Differential Revision: https://reviews.llvm.org/D73151
2020-01-27 09:52:06 -08:00
Artem Dergachev dd22be1e3d [analyzer] PthreadLock: Implement mutex escaping.
Differential Revision: https://reviews.llvm.org/D37812
2020-01-24 18:43:24 +03:00
Artem Dergachev 15624a7bda [analyzer] PthreadLock: Add more XNU rwlock unlock functions.
Differential Revision: https://reviews.llvm.org/D37807
2020-01-24 18:43:23 +03:00
Artem Dergachev 80fd37f9d6 [analyzer] PthreadLock: Fix return value modeling for XNU lock functions.
Differential Revision: https://reviews.llvm.org/D37806
2020-01-24 18:43:23 +03:00
Gabor Horvath 5911268e44 [analyzer] Improve FuchsiaHandleChecker's diagnostic messages
Differential Revision: https://reviews.llvm.org/D73229
2020-01-23 09:16:40 -08:00
Gabor Marton bc29069dc4 [analyzer] Enable PlacementNewChecker by default 2020-01-21 13:23:10 +01:00
Joe Ranieri 5ee616a710 [analyzer] Fix SARIF column locations
Differential revision: https://reviews.llvm.org/D70689
2020-01-14 15:38:30 -05:00
Gabor Marton 13ec473b9d [analyzer] Move PlacementNewChecker to alpha 2020-01-10 19:35:25 +01:00
Gabor Marton 5e7beb0a41 [analyzer] Add PlacementNewChecker
Summary:
This checker verifies if default placement new is provided with pointers
to sufficient storage capacity.

Noncompliant Code Example:
  #include <new>
  void f() {
    short s;
    long *lp = ::new (&s) long;
  }

Based on SEI CERT rule MEM54-CPP
https://wiki.sei.cmu.edu/confluence/display/cplusplus/MEM54-CPP.+Provide+placement+new+with+properly+aligned+pointe
This patch does not implement checking of the alignment.

Reviewers: NoQ, xazax.hun

Subscribers: mgorny, whisperity, xazax.hun, baloghadamsoftware, szepet,
rnkovacs, a.sidorin, mikhail.ramalho, donat

Tags: #clang

Differential Revision: https://reviews.llvm.org/D71612
2020-01-10 17:59:06 +01:00
serge-sans-paille cee4a1c957 Improve support of GNU mempcpy
- Lower to the memcpy intrinsic
- Raise warnings when size/bounds are known

Differential Revision: https://reviews.llvm.org/D71374
2020-01-09 17:31:00 +01:00
Gabor Horvath 59878ec809 [analyzer] Add path notes to FuchsiaHandleCheck.
Differential Revision: https://reviews.llvm.org/D70725
2019-12-20 12:40:41 -08:00
Gabor Horvath 82923c71ef [analyzer] Add Fuchsia Handle checker
The checker can diagnose handle use after releases, double releases, and
handle leaks.

Differential Revision: https://reviews.llvm.org/D70470
2019-12-20 12:33:16 -08:00
Artem Dergachev b284005072 [analyzer] Add a syntactic security check for ObjC NSCoder API.
Method '-[NSCoder decodeValueOfObjCType:at:]' is not only deprecated
but also a security hazard, hence a loud check.

Differential Revision: https://reviews.llvm.org/D71728
2019-12-19 14:54:29 -08:00
Artem Dergachev f0ced2ddb4 [analysis] Re-discard type sugar when casting values retrieved from the Store.
Canonicalization was accidentally omitted in 6d3f43ec.
2019-12-18 18:00:57 -08:00
Artem Dergachev bce1cce6bf [analyzer] Teach MismatchedDealloc about initWithBytesNoCopy with deallocator.
MallocChecker warns when memory is passed into -[NSData initWithBytesNoCopy]
but isn't allocated by malloc(), because it will be deallocated by free().
However, initWithBytesNoCopy has an overload that takes an arbitrary block
for deallocating the object. If such overload is used, it is no longer
necessary to make sure that the memory is allocated by malloc().
2019-12-18 14:19:17 -08:00
Artem Dergachev badba5118f [analyzer] NonnullGlobalConstants: Add support for kCFNull.
It's a singleton in CoreFoundation that always contains a non-null CFNullRef.
2019-12-18 12:08:15 -08:00
Gabor Horvath ea93d7d642 [CFG] Add an option to expand CXXDefaultInitExpr into aggregate initialization
This is useful for clients that are relying on linearized CFGs for evaluating
subexpressions and want the default initializer to be evaluated properly.

The upcoming lifetime analysis is using this but it might also be useful
for the static analyzer at some point.

Differential Revision: https://reviews.llvm.org/D71642
2019-12-17 17:56:06 -08:00
Artem Dergachev 6d3f43ec61 [analysis] Discard type qualifiers when casting values retrieved from the Store.
This canonicalizes the representation of unknown pointer symbols,
which reduces the overall confusion in pointer cast representation.

Patch by Vince Bridgers!

Differential Revision: https://reviews.llvm.org/D70836
2019-12-17 15:00:41 -08:00
Borsik Gabor 273e674252 [analyzer] Add support for namespaces to GenericTaintChecker
This patch introduces the namespaces for the configured functions and
also enables the use of the member functions.

I added an optional Scope field for every configured function. Functions
without Scope match for every function regardless of the namespace.
Functions with Scope will match if the full name of the function starts
with the Scope.
Multiple functions can exist with the same name.

Differential Revision: https://reviews.llvm.org/D70878
2019-12-15 12:11:22 +01:00
Artem Dergachev f450dd63a1 [analyzer] CStringChecker: Fix a crash on unknown value passed to strlcat.
Checkers should always account for unknown values.

Also use a slightly more high-level API that naturally avoids the problem.
2019-12-13 18:00:24 -08:00
Gabor Horvath 9fdcae7c81 [analyzer] Do not cache out on some shared implicit AST nodes
Some AST nodes which stands for implicit initialization is shared. The analyzer
will do the same evaluation on the same nodes resulting in the same state. The
analyzer will "cache out", i.e. it thinks that it visited an already existing
node in the exploded graph. This is not true in this case and we lose coverage.
Since these nodes do not really require any processing from the analyzer
we just omit them from the CFG.

Differential Revision: https://reviews.llvm.org/D71371
2019-12-11 17:15:12 -08:00
Gabor Horvath 5882e6f36f [analyzer] Escape symbols conjured into specific regions during a conservative EvalCall
This patch introduced additional PointerEscape callbacks after conservative
calls for output parameters. This should not really affect the current
checkers but the upcoming FuchsiaHandleChecker relies on this heavily.

Differential Revision: https://reviews.llvm.org/D71224
2019-12-11 11:44:10 -08:00
Artem Dergachev b01012b7c8 [analyzer] LocalizationChecker: Fix a crash on synthesized accessor stubs.
The checker was trying to analyze the body of every method in Objective-C
@implementation clause but the sythesized accessor stubs that were introduced
into it by 2073dd2d have no bodies.
2019-12-11 11:22:36 -08:00
Artem Dergachev 2b3f2071ec [analyzer] CStringChecker: Fix overly eager assumption that memcmp args overlap.
While analyzing code `memcmp(a, NULL, n);', where `a' has an unconstrained
symbolic value, the analyzer was emitting a warning about the *first* argument
being a null pointer, even though we'd rather have it warn about the *second*
argument.

This happens because CStringChecker first checks whether the two argument
buffers are in fact the same buffer, in order to take the fast path.
This boils down to assuming `a == NULL' to true. Then the subsequent check
for null pointer argument "discovers" that `a' is null.

Don't take the fast path unless we are *sure* that the buffers are the same.
Otherwise proceed as normal.

Differential Revision: https://reviews.llvm.org/D71322
2019-12-11 11:22:36 -08:00
Artem Dergachev 134faae042 [analyzer] CStringChecker: Improve warning messages.
Differential Revision: https://reviews.llvm.org/D71321
2019-12-11 11:22:36 -08:00
Adam Balogh 855d21a03a [Analyzer] Iterator Checkers: Replace `UnknownVal` in comparison result by a conjured value
Sometimes the return value of a comparison operator call is
`UnkownVal`. Since no assumptions can be made on `UnknownVal`,
this leeds to keeping impossible execution paths in the
exploded graph resulting in poor performance and false
positives. To overcome this we replace unknown results of
iterator comparisons by conjured symbols.

Differential Revision: https://reviews.llvm.org/D70244
2019-12-11 15:24:06 +01:00
Adam Balogh 6e9c58946e [Analyzer] Iterator Modeling: Print Container Data and Iterator Positions when printing the Program State
Debugging the Iterator Modeling checker or any of the iterator checkers
is difficult without being able to see the relations between the
iterator variables and their abstract positions, as well as the abstract
symbols denoting the begin and the end of the container.

This patch adds the checker-specific part of the Program State printing
to the Iterator Modeling checker.
2019-12-11 14:20:17 +01:00
Gabor Horvath 8434fbbee6 Revert "[analyzer] Keep track of escaped locals"
It was a step in the right direction but it is not clear how can this
fit into the checker API at this point. The pre-escape happens in the
analyzer core and the checker has no control over it. If the checker
is not interestd in a pre-escape it would need to do additional work
on each escape to check if the escaped symbol is originated from an
"uninteresting" pre-escaped memory region. In order to keep the
checker API simple we abandoned this solution for now.

We will reland this once we have a better answer for what to do on the
checker side.

This reverts commit f3a28202ef.
2019-12-10 16:42:03 -08:00
Gabor Horvath f3a28202ef [analyzer] Keep track of escaped locals
We want to escape all symbols that are stored into escaped regions.
The problem is, we did not know which local regions were escaped. Until now.
This should fix some false positives like the one in the tests.

Differential Revision: https://reviews.llvm.org/D71152
2019-12-10 08:51:33 -08:00
Artem Dergachev 040c39d50f [analyzer] Fix false positive on introspection of a block's internal layout.
When implementation of the block runtime is available, we should not
warn that block layout fields are uninitialized simply because they're
on the stack.
2019-12-06 13:24:20 -08:00
Balázs Kéri 7eafde981c [Checkers] Added support for freopen to StreamChecker.
Summary: Extend StreamChecker with a new evaluation function for API call 'freopen'.

Reviewers: NoQ, baloghadamsoftware, Szelethus, martong

Reviewed By: baloghadamsoftware, martong

Subscribers: martong, rnkovacs, dkrupp, Szelethus, gamesh411, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D69948
2019-12-05 11:08:44 +01:00
Artem Dergachev 3c50f2544f [analyzer] Fix more ObjC accessor body farms after 2073dd2d.
Fix a crash when constructing a body farm for accessors of a property
that is declared and @synthesize'd in different (but related) interfaces
with the explicit ivar syntax.

This is a follow-up for 0b58b80e.
2019-12-04 16:29:08 -08:00
Borsik Gabor 89bc4c662c [analyzer] Add custom filter functions for GenericTaintChecker
This patch is the last of the series of patches which allow the user to
annotate their functions with taint propagation rules.

I implemented the use of the configured filtering functions. These
functions can remove taintedness from the symbols which are passed at
the specified arguments to the filters.

Differential Revision: https://reviews.llvm.org/D59516
2019-11-23 20:12:15 +01:00
Artem Dergachev a3b22da4e0 [CFG] Fix a flaky crash in CFGBlock::getLastCondition().
Using an end iterator of an empty CFG block was causing
a garbage pointer dereference.

Differential Revision: https://reviews.llvm.org/D69962
2019-11-21 21:55:58 -08:00
Artem Dergachev 0b58b80edb [analyzer] Fix Objective-C accessor body farms after 2073dd2d.
Fix a canonicalization problem for the newly added property accessor stubs that
was causing a wrong decl to be used for 'self' in the accessor's body farm.

Fix a crash when constructing a body farm for accessors of a property
that is declared and @synthesize'd in different (but related) interfaces.

Differential Revision: https://reviews.llvm.org/D70158
2019-11-21 18:59:46 -08:00
Artem Dergachev 6bbca3411b [CFG] Add a test for a flaky crash in CFGBlock::getLastCondition().
Push the test separately ahead of time in order to find out whether
our Memory Sanitizer bots will be able to find the problem.

If not, I'll add a much more expensive test that repeats the current
test multiple times in order to show up on normal buildbots.
I really apologize for the potential temporary inconvenience!
I'll commit the fix as soon as I get the signal.

Differential Revision: https://reviews.llvm.org/D69962
2019-11-21 18:11:15 -08:00
Adam Balogh 23022b9329 [Analyzer][NFC] Separate white-box tests for iterator modelling from iterator checker tests
The recently committed debug.IteratorDebugging checker enables
standalone white-box testing of the modelling of containers and
iterators. For the three checkers based on iterator modelling only
simple tests are needed.

Differential Revision: https://reviews.llvm.org/D70123
2019-11-14 16:32:19 +01:00
Dávid Bolvanský 5c50109bb5 Fixed more -Wreturn-type tests 2019-11-09 18:13:51 +01:00
Dávid Bolvanský 1da13237a4 [Diagnostics] Try to improve warning message for -Wreturn-type
Summary: I agree with https://easyaspi314.github.io/gcc-vs-clang.html?fbclid=IwAR1VA0qxiWVUusOQUv5z7JESS7ZpeJy-UqAI5mnJscofGLqXcqeErIUB2gU, current warning message is not very good. We should try to improve it..

Reviewers: rsmith, aaron.ballman, easyaspi314

Reviewed By: aaron.ballman

Subscribers: arphaman, Quuxplusone, mehdi_amini, hiraditya, cfe-commits, llvm-commits

Tags: #clang, #llvm

Differential Revision: https://reviews.llvm.org/D69762
2019-11-09 17:54:58 +01:00
Artem Dergachev e4da37e8a0 [analyzer] Fix skipping the call during inlined defensive check suppression.
When bugreporter::trackExpressionValue() is invoked on a DeclRefExpr,
it tries to do most of its computations over the node in which
this DeclRefExpr is computed, rather than on the error node (or whatever node
is stuffed into it). One reason why we can't simply use the error node is
that the binding to that variable might have already disappeared from the state
by the time the bug is found.

In case of the inlined defensive checks visitor, the DeclRefExpr node
is in fact sometimes too *early*: the call in which the inlined defensive check
has happened might have not been entered yet.

Change the visitor to be fine with tracking dead symbols (which it is totally
capable of - the collapse point for the symbol is still well-defined), and fire
it up directly on the error node. Keep using "LVState" to find out which value
should we be tracking, so that there weren't any problems with accidentally
loading an ill-formed value from a dead variable.

Differential Revision: https://reviews.llvm.org/D67932
2019-11-08 18:27:14 -08:00
Artem Dergachev 57adc37fe5 [analyzer] Nullability: Don't infer nullable when passing as nullable parameter.
You can't really infer anything from that.
2019-11-08 18:27:14 -08:00
Adrian Prantl 2073dd2da7 Redeclare Objective-C property accessors inside the ObjCImplDecl in which they are synthesized.
This patch is motivated by (and factored out from)
https://reviews.llvm.org/D66121 which is a debug info bugfix. Starting
with DWARF 5 all Objective-C methods are nested inside their
containing type, and that patch implements this for synthesized
Objective-C properties.

1. SemaObjCProperty populates a list of synthesized accessors that may
   need to inserted into an ObjCImplDecl.

2. SemaDeclObjC::ActOnEnd inserts forward-declarations for all
   accessors for which no override was provided into their
   ObjCImplDecl. This patch does *not* synthesize AST function
   *bodies*. Moving that code from the static analyzer into Sema may
   be a good idea though.

3. Places that expect all methods to have bodies have been updated.

I did not update the static analyzer's inliner for synthesized
properties to point back to the property declaration (see
test/Analysis/Inputs/expected-plists/nullability-notes.m.plist), which
I believed to be more bug than a feature.

Differential Revision: https://reviews.llvm.org/D68108

rdar://problem/53782400
2019-11-08 08:23:22 -08:00
Adam Balogh 0f88caeef8 [Analyzer] Checker for Debugging Iterator Checkers
For white-box testing correct container and iterator modelling it is essential
to access the internal data structures stored for container and iterators. This
patch introduces a simple debug checkers called debug.IteratorDebugging to
achieve this.

Differential Revision: https://reviews.llvm.org/D67156
2019-11-08 08:59:50 +01:00
Artem Dergachev 5e0fb64842 [analyzer] Add test cases for the unsupported C++ constructor modeling.
Namely, for the following items:
- Handle constructors within new[];
- Handle constructors for default arguments.

Update the open projects page with a link to the newly added tests
and more hints for potential contributors.

Patch by Daniel Krupp!

Differential Revision: https://reviews.llvm.org/D69308
2019-11-07 17:15:53 -08:00
Artem Dergachev acac540422 [analyzer] PR41729: CStringChecker: Improve strlcat and strlcpy modeling.
- Fix false positive reports of strlcat.
- The return value of strlcat and strlcpy is now correctly calculated.
- The resulting string length of strlcat and strlcpy is now correctly
  calculated.

Patch by Daniel Krupp!

Differential Revision: https://reviews.llvm.org/D66049
2019-11-07 17:15:53 -08:00
Volodymyr Sapsai 39573daa76 Revert "[analyzer] Add test directory for scan-build."
This reverts commit 0aba69eb1a with
subsequent changes to test files.

It caused test failures on GreenDragon, e.g.,
http://green.lab.llvm.org/green/job/clang-stage1-cmake-RA-incremental/
2019-11-05 14:03:36 -08:00
Devin Coughlin abc04ff401 [analyzer] Require darwin for scan-build tests
Let's at least get some coverage from these tests. We can generalize to
other platforms later.
2019-11-04 21:17:55 -08:00
Devin Coughlin 48223d92a9 [analyzer] Fixup scan-build tests for non-Darwin platforms.
This is a fix to 0aba69eb1a to
address failing bots.
2019-11-04 21:12:11 -08:00
Devin Coughlin 0aba69eb1a [analyzer] Add test directory for scan-build.
The static analyzer's scan-build script is critical infrastructure but
is not well tested. To start to address this, add a new test directory under
tests/Analysis for scan-build lit tests and seed it with several tests. The
goal is that future scan-build changes will be accompanied by corresponding
tests.

Differential Revision: https://reviews.llvm.org/D69781
2019-11-04 20:26:35 -08:00
Balázs Kéri 4980c1333f [clang][analyzer] Using CallDescription in StreamChecker.
Summary:
Recognization of function names is done now with the CallDescription
class instead of using IdentifierInfo. This means function name and
argument count is compared too.
A new check for filtering not global-C-functions was added.
Test was updated.

Reviewers: Szelethus, NoQ, baloghadamsoftware, Charusso

Reviewed By: Szelethus, NoQ, Charusso

Subscribers: rnkovacs, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy, Charusso, dkrupp, Szelethus, gamesh411, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D67706
2019-10-31 12:38:50 +01:00
Artem Dergachev be86fdb86e [analyzer] Fix off-by-one in operator call parameter binding.
Member operator declarations and member operator expressions
have different numbering of parameters and arguments respectively:
one of them includes "this", the other does not.

Account for this inconsistency when figuring out whether
the parameter needs to be manually rebound from the Environment
to the Store when entering a stack frame of an operator call,
as opposed to being constructed with a constructor and as such
already having the necessary Store bindings.

Differential Revision: https://reviews.llvm.org/D69155
2019-10-23 08:17:02 -07:00
Artem Dergachev 4a5df7312e [analyzer] PR43551: Do not dereferce void* in UndefOrNullArgVisitor.
Patch by Kristóf Umann!

Differential Revision: https://reviews.llvm.org/D68591

llvm-svn: 375329
2019-10-19 01:50:46 +00:00
Artem Dergachev ab2cec8b85 [analyzer] Fix a crash on tracking Objective-C 'self' as a control dependency.
'self' was previously never tracked, but now it can be tracked
because it may be part of a condition.

llvm-svn: 375328
2019-10-19 01:50:43 +00:00
Artem Dergachev b0914e7276 [analyzer] Specify the C++ standard in more tests.
Makes life easier for downstream developers with different default standard.

llvm-svn: 375308
2019-10-19 00:08:17 +00:00
Artem Dergachev 3ff26e27d9 [analyzer] exploded-graph-rewriter: Unforget to censor stmt_ids in the test.
They're not stable across machines.

Fixes buildbots after r375278.

llvm-svn: 375286
2019-10-18 20:48:21 +00:00
Artem Dergachev c6921379f5 [analyzer] exploded-graph-rewriter: Rename Environment to Expressions.
It's less confusing for newcomers.

llvm-svn: 375282
2019-10-18 20:15:41 +00:00
Artem Dergachev 2b4f6df917 [analyzer] Fix FieldRegion dumps.
The '->' thing has always been confusing; the actual operation '->'
translates to a pointer dereference together with adding a FieldRegion,
but FieldRegion on its own doesn't imply an additional pointer
dereference.

llvm-svn: 375281
2019-10-18 20:15:39 +00:00
Artem Dergachev b3e34e043c [analyzer] Drop the logic for collapsing the state if it's same as in preds.
One of the first attempts to reduce the size of the exploded graph dumps
was to skip the state dump as long as the state is the same as in all of
the predecessor nodes. With all the new facilities in place (node joining,
diff dumps), this feature doesn't do much, and when it does,
it's more harmful than useful. Let's remove it.

llvm-svn: 375280
2019-10-18 20:15:35 +00:00
Artem Dergachev d93b810cd6 [analyzer] exploded-graph-rewriter: Fix dump for state 0.
It shouldn't say "unspecified" when the state is specified to be empty.

llvm-svn: 375279
2019-10-18 20:15:32 +00:00
Artem Dergachev 7a17f19709 [analyzer] Fix hidden node traversal in exploded graph dumps.
The joined nodes now actually have the same state. That was intended
from the start but the original implementation turned out to be buggy.

Differential Revision: https://reviews.llvm.org/D69150

llvm-svn: 375278
2019-10-18 20:15:29 +00:00
Artem Dergachev 8b3ef1e45b [analyzer] exploded-graph-rewriter: Fix typo in r375186. Unbreaks tests.
llvm-svn: 375189
2019-10-17 23:27:35 +00:00
Artem Dergachev 14e9eb3d7c [analyzer] Assign truly stable identifiers to exploded nodes.
ExplodedGraph nodes will now have a numeric identifier stored in them
which will keep track of the order in which the nodes were created
and it will be fully deterministic both accross runs and across machines.

This is extremely useful for debugging as it allows reliably setting
conditional breakpoints by node IDs.

llvm-svn: 375186
2019-10-17 23:10:09 +00:00
Artem Dergachev d325196f19 [analyzer] Display cast kinds in program point dumps.
Because cast expressions have their own hierarchy, it's extremely useful
to have some information about what kind of casts are we dealing with.

llvm-svn: 375185
2019-10-17 23:10:05 +00:00
Artem Dergachev 73b67f0b1a [analyzer] exploded-graph-rewriter: Make node headers a bit lighter.
The 50% grey color is too dark on some monitors.

llvm-svn: 375184
2019-10-17 23:10:02 +00:00
Alexey Bataev 9c5d76ff4d [OPENMP]Dow not emit warnings for uninitialized loop counters.
In OpenMP constructs all counters are initialized and we should not emit
warnings about uninitialized privatized loop control variables.

llvm-svn: 375167
2019-10-17 20:35:08 +00:00
Jan Korous c5d14b5c6f [clang-scan-deps] Support for clang --analyze in clang-scan-deps
The goal is to have 100% fidelity in clang-scan-deps behavior when
--analyze is present in compilation command.

At the same time I don't want to break clang-tidy which expects
__static_analyzer__ macro defined as built-in.

I introduce new cc1 options (-setup-static-analyzer) that controls
the macro definition and is conditionally set in driver.

Differential Revision: https://reviews.llvm.org/D68093

llvm-svn: 374815
2019-10-14 20:15:01 +00:00
Erich Keane 5c2c60d2fc Teach CallGraph to look into Generic Lambdas.
CallGraph visited LambdaExpr by getting the Call Operator from
CXXRecordDecl (LambdaExpr::getCallOperator calls
CXXRecordDecl::getLambdaCallOperator), which replaced generic lambda
call operators with the non-instantiated FunctionDecl.  The result was
that the CallGraph would only pick up non-dependent calls.

This patch does a few things:
1- Extend CXXRecordDecl to have a getDependentLambdaCallOperator, which
will get the FunctionTemplateDecl, rather than immediately getting the
TemplateDecl.
2- Define getLambdaCallOperator and getDependentLambdaCallOperator in
terms of a common function.
3- Extend LambdaExpr with a getDependentCallOperator, which just calls
the above function.
4- Changes CallGraph to handle Generic LambdaExprs.

llvm-svn: 373247
2019-09-30 19:12:29 +00:00
Jan Korous b26e9e2a8f Revert "[static analyzer] Define __clang_analyzer__ macro in driver"
This reverts commit fbd13570b0.

llvm-svn: 372687
2019-09-24 03:21:22 +00:00
Jan Korous 5199aa88fe Revert "[static analyzer][test] Test directly that driver sets D__clang_analyzer__"
This reverts commit c7541903d7.

llvm-svn: 372685
2019-09-24 03:19:20 +00:00
Jan Korous c7541903d7 [static analyzer][test] Test directly that driver sets D__clang_analyzer__
Follow-up to fbd13570b0

llvm-svn: 372683
2019-09-24 02:06:59 +00:00
Jan Korous fbd13570b0 [static analyzer] Define __clang_analyzer__ macro in driver
Differential Revision: https://reviews.llvm.org/D67938

llvm-svn: 372679
2019-09-24 00:33:47 +00:00
Richard Trieu 4c05de8c1d Merge and improve code that detects same value in comparisons.
-Wtautological-overlap-compare and self-comparison from -Wtautological-compare
relay on detecting the same operand in different locations.  Previously, each
warning had it's own operand checker.  Now, both are merged together into
one function that each can call.  The function also now looks through member
access and array accesses.

Differential Revision: https://reviews.llvm.org/D66045

llvm-svn: 372453
2019-09-21 03:02:26 +00:00
Richard Trieu 6541c7988b Improve -Wtautological-overlap-compare
Allow this warning to detect a larger number of constant values, including
negative numbers, and handle non-int types better.

Differential Revision: https://reviews.llvm.org/D66044

llvm-svn: 372448
2019-09-21 02:37:10 +00:00
Kristof Umann b8ac93c73b [analyzer] PR43102: Fix an assertion and an out-of-bounds error for diagnostic location construction
Summary:
https://bugs.llvm.org/show_bug.cgi?id=43102

In today's edition of "Is this any better now that it isn't crashing?", I'd like to show you a very interesting test case with loop widening.

Looking at the included test case, it's immediately obvious that this is not only a false positive, but also a very bad bug report in general. We can see how the analyzer mistakenly invalidated `b`, instead of its pointee, resulting in it reporting a null pointer dereference error. Not only that, the point at which this change of value is noted at is at the loop, rather then at the method call.

It turns out that `FindLastStoreVisitor` works correctly, rather the supplied explodedgraph is faulty, because `BlockEdge` really is the `ProgramPoint` where this happens.
{F9855739}
So it's fair to say that this needs improving on multiple fronts. In any case, at least the crash is gone.

Full ExplodedGraph: {F9855743}

Reviewers: NoQ, xazax.hun, baloghadamsoftware, Charusso, dcoughlin, rnkovacs, TWeaver

Subscribers: JesperAntonsson, uabelho, Ka-Ka, bjope, whisperity, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, gamesh411, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66716

llvm-svn: 372269
2019-09-18 22:24:26 +00:00
Artem Dergachev 851e95c1c1 [analyzer] Fix the 'analyzer-enabled-checkers.c' test on non-linux machines.
'-Xclang -triple' doesn't seem to override the default target triple
as reliably as '--target'. This leads to test failing due to
platform-specific checks getting unexpectedly enabled.

llvm-svn: 371781
2019-09-12 22:11:15 +00:00
Kristof Umann d977b67ed6 [analyzer] Don't run the analyzer for -analyzer-list-enabled-checkers
Short and sweet. Whenever I use -analyzer-list-enabled-checkers, I'm only
interested about the configuration, not about the analysis.

Differential Revision: https://reviews.llvm.org/D66714

llvm-svn: 371756
2019-09-12 18:53:48 +00:00
Reid Kleckner 38e033bf33 Re-land Remove REQUIRES:shell from tests that pass for me on Windows
This reverts r371497 (git commit 3d7e9ab7b9)

Reorder `not` with `env` in these two tests so they pass:
  Driver/rewrite-map-in-diagnostics.c
  Index/crash-recovery-modules.m.

This will not be necessary after D66531 lands.

llvm-svn: 371552
2019-09-10 20:15:45 +00:00
James Henderson 3d7e9ab7b9 Revert Remove REQUIRES:shell from tests that pass for me on Windows
This reverts r371478 (git commit a9980f60ce)

llvm-svn: 371497
2019-09-10 08:48:33 +00:00
Reid Kleckner a9980f60ce Remove REQUIRES:shell from tests that pass for me on Windows
I see in the history for some of these tests REQUIRES:shell was used as
a way to disable tests on Windows because they are flaky there. I tried
not to re-enable such tests, but it's possible that I missed some and
this will re-enable flaky tests on Windows. If so, we should disable
them with UNSUPPORTED:system-windows and add a comment that they are
flaky there. So far as I can tell, the lit internal shell is capable of
running all of these tests, and we shouldn't use REQUIRES:shell as a
proxy for Windows.

llvm-svn: 371478
2019-09-10 00:50:32 +00:00
Gabor Borsik 080ecafdd8 Move prop-sink branch to monorepo.
llvm-svn: 371342
2019-09-08 19:23:43 +00:00
Artem Dergachev 6cee434ed1 [analyzer] Add minimal support for fix-it hints.
Allow attaching fixit hints to Static Analyzer BugReports.

Fixits are attached either to the bug report itself or to its notes
(path-sensitive event notes or path-insensitive extra notes).

Add support for fixits in text output (including the default text output that
goes without notes, as long as the fixit "belongs" to the warning).

Add support for fixits in the plist output mode.

Implement a fixit for the path-insensitive DeadStores checker. Only dead
initialization warning is currently covered.

Implement a fixit for the path-sensitive VirtualCall checker when the virtual
method is not pure virtual (in this case the "fix" is to suppress the warning
by qualifying the call).

Both fixits are under an off-by-default flag for now, because they
require more careful testing.

Differential Revision: https://reviews.llvm.org/D65182

llvm-svn: 371257
2019-09-06 20:55:29 +00:00
Artem Dergachev 2b1b4cab96 [analyzer] pr43179: Make CallDescription defensive against C variadic functions.
Most functions that our checkers react upon are not C-style variadic functions,
and therefore they have as many actual arguments as they have formal parameters.

However, it's not impossible to define a variadic function with the same name.
This will crash any checker that relies on CallDescription to check the number
of arguments but silently assumes that the number of parameters is the same.

Change CallDescription to check both the number of arguments and the number of
parameters by default.

If we're intentionally trying to match variadic functions, allow specifying
arguments and parameters separately (possibly omitting any of them).
For now we only have one CallDescription which would make use of those,
namely __builtin_va_start itself.

Differential Revision: https://reviews.llvm.org/D67019

llvm-svn: 371256
2019-09-06 20:55:24 +00:00
Kristof Umann 1b439659a8 [analyzer] NonNullParamChecker and CStringChecker parameter number in checker message
There are some functions which can't be given a null pointer as parameter either
because it has a nonnull attribute or it is declared to have undefined behavior
(e.g. strcmp()). Sometimes it is hard to determine from the checker message
which parameter is null at the invocation, so now this information is included
in the message.

This commit fixes https://bugs.llvm.org/show_bug.cgi?id=39358

Reviewed By: NoQ, Szelethus, whisperity

Patch by Tibor Brunner!

Differential Revision: https://reviews.llvm.org/D66333

llvm-svn: 370798
2019-09-03 17:57:01 +00:00
Kristof Umann 3b18b050b8 [analyzer] Add a checker option to detect nested dead stores
Enables the users to specify an optional flag which would warn for more dead
stores.
Previously it ignored if the dead store happened e.g. in an if condition.

if ((X = generate())) { // dead store to X
}

This patch introduces the `WarnForDeadNestedAssignments` option to the checker,
which is `false` by default - so this change would not affect any previous
users.
I have updated the code, tests and the docs as well. If I missed something, tell
me.

I also ran the analysis on Clang which generated 14 more reports compared to the
unmodified version. All of them seemed reasonable for me.

Related previous patches:
rGf224820b45c6847b91071da8d7ade59f373b96f3

Reviewers: NoQ, krememek, Szelethus, baloghadamsoftware

Reviewed By: Szelethus

Patch by Balázs Benics!

Differential Revision: https://reviews.llvm.org/D66733

llvm-svn: 370767
2019-09-03 15:22:43 +00:00
Richard Smith 5030928d60 [c++20] Implement semantic restrictions for C++20 designated
initializers.

This has some interesting interactions with our existing extensions to
support C99 designated initializers as an extension in C++. Those are
resolved as follows:

 * We continue to permit the full breadth of C99 designated initializers
   in C++, with the exception that we disallow a partial overwrite of an
   initializer with a non-trivially-destructible type. (Full overwrite
   is OK, because we won't run the first initializer at all.)

 * The C99 extensions are disallowed in SFINAE contexts and during
   overload resolution, where they could change the meaning of valid
   programs.

 * C++20 disallows reordering of initializers. We only check for that for
   the simple cases that the C++20 rules permit (designators of the form
   '.field_name =' and continue to allow reordering in other cases).
   It would be nice to improve this behavior in future.

 * All C99 designated initializer extensions produce a warning by
   default in C++20 mode. People are going to learn the C++ rules based
   on what Clang diagnoses, so it's important we diagnose these properly
   by default.

 * In C++ <= 17, we apply the C++20 rules rather than the C99 rules, and
   so still diagnose C99 extensions as described above. We continue to
   accept designated C++20-compatible initializers in C++ <= 17 silently
   by default (but naturally still reject under -pedantic-errors).

This is not a complete implementation of P0329R4. In particular, that
paper introduces new non-C99-compatible syntax { .field { init } }, and
we do not support that yet.

This is based on a previous patch by Don Hinton, though I've made
substantial changes when addressing the above interactions.

Differential Revision: https://reviews.llvm.org/D59754

llvm-svn: 370544
2019-08-30 22:52:55 +00:00
Artem Dergachev e5c0994ddf [CFG] Fix CFG for statement-expressions in return values.
We're building the CFG from bottom to top, so when the return-value expression
has a non-trivial CFG on its own, we need to continue building from the entry
to the return-value expression CFG rather than from the block to which
we've just appended the return statement.

Fixes a false positive warning "control may reach end of non-void function".

llvm-svn: 370406
2019-08-29 20:37:28 +00:00
Adam Balogh 12f5c7f0c3 [Analyzer] Iterator Checkers - Make range errors and invalidated access fatal
Range errors (dereferencing or incrementing the past-the-end iterator or
decrementing the iterator of the first element of the range) and access of
invalidated iterators lead to undefined behavior. There is no point to
continue the analysis after such an error on the same execution path, but
terminate it by a sink node (fatal error). This also improves the
performance and helps avoiding double reports (e.g. in case of nested
iterators).

Differential Revision: https://reviews.llvm.org/D62893

llvm-svn: 370314
2019-08-29 09:35:47 +00:00
Artem Dergachev ead98ea3eb [CFG] Make representation of destructor calls more accurate.
Respect C++17 copy elision; previously it would generate destructor calls
for elided temporaries, including in initialization and return statements.

Don't generate duplicate destructor calls for statement expressions.

Fix destructors in initialization lists and comma operators.

Improve printing of implicit destructors.

Patch by Nicholas Allegra!

Differential Revision: https://reviews.llvm.org/D66404

llvm-svn: 370247
2019-08-28 18:44:42 +00:00
Artem Dergachev 630f7daf80 [analyzer] Fix analyzer warnings on analyzer.
Write tests for the actual crash that was found. Write comments and refactor
code around 17 style bugs and suppress 3 false positives.

Differential Revision: https://reviews.llvm.org/D66847

llvm-svn: 370246
2019-08-28 18:44:38 +00:00
Artem Dergachev 0909a392f3 [analyzer] pr43036: Fix support for operator 'sizeof...'.
It was known to be a compile-time constant so it wasn't evaluated during
symbolic execution, but it wasn't evaluated as a compile-time constant either.

Differential Revision: https://reviews.llvm.org/D66565

llvm-svn: 370245
2019-08-28 18:44:35 +00:00
Artem Dergachev 8b2a39e937 [analyzer] Trust global initializers when analyzing main().
If the global variable has an initializer, we'll ignore it because we're usually
not analyzing the program from the beginning, which means that the global
variable may have changed before we start our analysis.

However when we're analyzing main() as the top-level function, we can rely
on global initializers to still be valid. At least in C; in C++ we have global
constructors that can still break this logic.

This patch allows the Static Analyzer to load constant initializers from
global variables if the top-level function of the current analysis is main().

Differential Revision: https://reviews.llvm.org/D65361

llvm-svn: 370244
2019-08-28 18:44:32 +00:00
Alexey Bataev 94a170f811 [OPENMP][Analysis] Add analysis of the map clauses.
Summary:
Added basic analysis of map clauses. Only map clauses with to and tofrom
map type must be analyzed since all other map types (alloc, delete, etc.) do not require to use the value of the initial variable, instead they create the new copy of the variable.

Reviewers: NoQ

Subscribers: guansong, cfe-commits, kkwli0, caomhin

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66668

llvm-svn: 370214
2019-08-28 14:55:08 +00:00
Joe Ranieri fce4324f92 Update the SARIF exporter to SARIF 2.1
This updates the SARIF exporter to produce SARIF 2.1 output. The bulk of the diffs come from two changes to SARIF:
* https://github.com/oasis-tcs/sarif-spec/issues/309
* https://github.com/oasis-tcs/sarif-spec/issues/179

Differential Revision: https://reviews.llvm.org/D65211

llvm-svn: 370068
2019-08-27 14:43:54 +00:00
Joe Ranieri 3385c5cc4d Fix a SARIF exporter crash with macro expansions
Differential Revision: https://reviews.llvm.org/D65209

llvm-svn: 370061
2019-08-27 14:20:27 +00:00
Joe Ranieri 68a6a28ef8 Fix text range end columns in SARIF to be exclusive
According to the SARIF specification, "a text region does not include the character specified by endColumn".

Differential Revision: https://reviews.llvm.org/D65206

llvm-svn: 370060
2019-08-27 13:49:45 +00:00
Gabor Marton f035b75d8f [ASTImporter] Fix name conflict handling with different strategies
There are numorous flaws about the name conflict handling, this patch
attempts fixes them. Changes in details:

* HandleNameConflict return with a false DeclarationName

Hitherto we effectively never returned with a NameConflict error, even
if the preceding StructuralMatch indicated a conflict.
Because we just simply returned with the parameter `Name` in
HandleNameConflict and that name is almost always `true` when converted to
`bool`.

* Add tests which indicate wrong NameConflict handling

* Add to ConflictingDecls only if decl kind is different

Note, we might not indicate an ODR error when there is an existing record decl
and a enum is imported with same name.  But there are other cases. E.g. think
about the case when we import a FunctionTemplateDecl with name f and we found a
simple FunctionDecl with name f. They overload.  Or in case of a
ClassTemplateDecl and CXXRecordDecl, the CXXRecordDecl could be the 'templated'
class, so it would be false to report error.  So I think we should report a
name conflict error only when we are 100% sure of that.  That is why I think it
should be a general pattern to report the error only if the kind is the same.

* Fix failing ctu test with EnumConstandDecl

In ctu-main.c we have the enum class 'A' which brings in the enum
constant 'x' with value 0 into the global namespace.
In ctu-other.c we had the enum class 'B' which brought in the same name
('x') as an enum constant but with a different enum value (42). This is clearly
an ODR violation in the global namespace. The solution was to rename the
second enum constant.

 * Introduce ODR handling strategies

Reviewers: a_sidorin, shafik

Differential Revision: https://reviews.llvm.org/D59692

llvm-svn: 370045
2019-08-27 11:36:10 +00:00
Kristof Umann 09ce8ec78a [analyzer] Avoid unnecessary enum range check on LValueToRValue casts
Summary: EnumCastOutOfRangeChecker should not perform enum range checks on LValueToRValue casts, since this type of cast does not actually change the underlying type.   Performing the unnecessary check actually triggered an assertion failure deeper in EnumCastOutOfRange for certain input (which is captured in the accompanying test code).

Reviewers: #clang, Szelethus, gamesh411, NoQ

Reviewed By: Szelethus, gamesh411, NoQ

Subscribers: NoQ, gamesh411, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, Charusso, bjope, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66014

llvm-svn: 369760
2019-08-23 14:21:13 +00:00
Artem Dergachev 85f7294e5a [analyzer] CastValueChecker: Correctly model results of based-to-derived casts.
Our SVal hierarchy doesn't allow modeling pointer casts as no-op. The
pointer type is instead encoded into the pointer object. Defer to our
usual pointer casting facility, SValBuilder::evalBinOp().

Fixes a crash.

llvm-svn: 369729
2019-08-23 03:24:04 +00:00
Artem Dergachev 62a76d0ae3 [analyzer] CastValueChecker: Provide DynamicTypeMap with pointer types only.
The idea to drop this requirement is good, but for now every other user
of DynamicTypeInfo expects pointer types.

Fixes a crash.

llvm-svn: 369728
2019-08-23 03:24:01 +00:00
Artem Dergachev af992e6d01 [analyzer] CastValueChecker: Avoid modeling casts between objects.
Our method only works correctly when casting a pointer to a pointer
or a reference to a reference.

Fixes a crash.

llvm-svn: 369727
2019-08-23 03:23:58 +00:00
Artem Dergachev 0900b77db2 [analyzer] DynamicTypeInfo: Avoid putting null regions into dynamic typemap.
Fixes a crash.

llvm-svn: 369726
2019-08-23 03:23:55 +00:00
Kristof Umann 0f9e530c0f [analyzer] Enable control dependency condition tracking by default
This patch concludes my GSoC'19 project by enabling track-conditions by default.

Differential Revision: https://reviews.llvm.org/D66381

llvm-svn: 369616
2019-08-22 03:08:48 +00:00
Csaba Dabis 4d71600c11 [analyzer] CastValueChecker: Model isa(), isa_and_nonnull()
Summary: -

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D66423

llvm-svn: 369615
2019-08-22 02:57:59 +00:00
Kristof Umann 58eb033a49 [analyzer] Don't track the condition of foreach loops
As discussed on the mailing list, notes originating from the tracking of foreach
loop conditions are always meaningless.

Differential Revision: https://reviews.llvm.org/D66131

llvm-svn: 369613
2019-08-22 02:44:19 +00:00
Csaba Dabis 0202c3596c [analyzer] CastValueChecker: Store the dynamic types and casts
Summary:
This patch introduces `DynamicCastInfo` similar to `DynamicTypeInfo` which
is stored in `CastSets` which are storing the dynamic cast informations of
objects based on memory regions. It could be used to store and check the
casts and prevent infeasible paths.

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D66325

llvm-svn: 369605
2019-08-22 00:20:36 +00:00
Csaba Dabis b73a5711f6 [analyzer] TrackConstraintBRVisitor: Do not track unknown values
Summary: -

Reviewers: NoQ, Szelethus

Reviewed By: NoQ, Szelethus

Differential Revision: https://reviews.llvm.org/D66267

llvm-svn: 369604
2019-08-22 00:06:58 +00:00
Kristof Umann d9a81ccf05 [analyzer] Mention whether an event is about a condition in a bug report part 2
In D65724, I do a pretty thorough explanation about how I'm solving this
problem, I think that summary nails whats happening here ;)

Differential Revision: https://reviews.llvm.org/D65725

llvm-svn: 369596
2019-08-21 22:38:00 +00:00
Kristof Umann 49ac7ece16 [analyzer] Don't make ConditionBRVisitor events prunable when the condition is an interesting field
Exactly what it says on the tin! Note that we're talking about interestingness
in general, hence this isn't a control-dependency-tracking specific patch.

Differential Revision: https://reviews.llvm.org/D65724

llvm-svn: 369589
2019-08-21 21:59:22 +00:00
Kristof Umann da648ab8de [analyzer] Mention whether an event is about a condition in a bug report part 1
Can't add much more to the title! This is part 1, the case where the collapse
point isn't in the condition point is the responsibility of ConditionBRVisitor,
which I'm addressing in part 2.

Differential Revision: https://reviews.llvm.org/D65575

llvm-svn: 369574
2019-08-21 20:43:27 +00:00
Artem Dergachev 8eb7a74b78 [analyzer] Fix a crash when destroying a non-region.
Add defensive check that prevents a crash when we try to evaluate a destructor
whose this-value is a concrete integer that isn't a null.

Differential Revision: https://reviews.llvm.org/D65349

llvm-svn: 369450
2019-08-20 21:41:17 +00:00
Artem Dergachev d3971fe97b [analyzer] Improve VirtualCallChecker and enable parts of it by default.
Calling a pure virtual method during construction or destruction
is undefined behavior. It's worth it to warn about it by default.
That part is now known as the cplusplus.PureVirtualCall checker.

Calling a normal virtual method during construction or destruction
may be fine, but does behave unexpectedly, as it skips virtual dispatch.
Do not warn about this by default, but let projects opt in into it
by enabling the optin.cplusplus.VirtualCall checker manually.

Give the two parts differentiated warning text:

  Before:

    Call to virtual function during construction or destruction:
    Call to pure virtual function during construction

    Call to virtual function during construction or destruction:
    Call to virtual function during destruction

  After:

    Pure virtual method call:
    Call to pure virtual method 'X::foo' during construction
        has undefined behavior

    Unexpected loss of virtual dispatch:
    Call to virtual method 'Y::bar' during construction
        bypasses virtual dispatch

Also fix checker names in consumers that support them (eg., clang-tidy)
because we now have different checker names for pure virtual calls and
regular virtual calls.

Also fix capitalization in the bug category.

Differential Revision: https://reviews.llvm.org/D64274

llvm-svn: 369449
2019-08-20 21:41:14 +00:00