'BugReporterVisitor'. This simplifies callbacks from BugReporter to BugReports
(via VisitNode). It also lays the foundation for arbitrary visitor "call backs"
that can be registered to a BugReporterContext as a PathDiagnostic is
constructed. These call backs can help operate as separate "experts" that can
work on constructed pieces of a PathDiagnostic for which they possess special
knowledge.
llvm-svn: 71121
- Update the old StoreManager::CastRegion to strip off 'ElementRegions' when
casting to void* (Zhongxing: please validate)
- Pass-by-reference argument invalidation logic in CFRefCount.cpp:
- Strip ElementRegions when the ElementRegion is just a 'raw data' view
on top of the underlying typed region.
llvm-svn: 71094
- add a static function getTypeWidth(), which computes the width of a type
with the help of TargetInfo.
- no-outofbounds.c now passes for region store.
llvm-svn: 71080
'objc_ownership_cfretain' -> 'cf_ownership_retain'
'objc_ownership_cfrelease' -> 'cf_ownership_release'
Motivation: Core Foundation objects can be used in isolation from Objective-C,
and this forces users to reason about the separate semantics of CF objects. More
Sema support pending.
llvm-svn: 70884
'ElementRegion' on top of the VarRegion for 'x'. This causes the test
case xfail_wine_crash.c to now pass for BasicStoreManager. It doesn't
crash for RegionStoreManager either, but reports a bogus unintialized
value warning.
llvm-svn: 70832
ElementRegion. I also removed 'ElementRegion::getArrayRegion',
although we may need to add this back.
This breaks a few test cases with RegionStore:
- 'array-struct.c' triggers an infinite recursion in RegionStoreManager. Need to investigate.
- misc-ps.m triggers a failure with RegionStoreManager as we now get the diagnostic:
'Line 159: Uninitialized or undefined return value returned to caller.'
There were a bunch of places that needed to be edit
RegionStoreManager, and we may not be passing all the correct 'element
types' down from GRExprEngine.
Zhongxing: When you get a chance, could you review this? I could have
easily screwed up something basic in RegionStoreManager.
llvm-svn: 70830
- Don't layer TypedViewRegions on top of any region except
SymbolicRegions and AllocaRegions. This follows from my offline
discussion within Zhongxing about how TypedViewRegions really only
represent memory getting re-appropriated for a new purpose.
Fallout from this change:
- Move test case from xfail_rdar_6440393.m to misc-ps-64.m
(it now passes).
- test/Analysis/fields.c now fails for region store (crash).
Marking XFAIL.
- test/Analysis/rdar-6441136-region.c now fails (only runs with region store).
Marking XFAIL.
Diagnosis: The analyzer now correctly identifies an early out-of-bounds memory
access then the one flagged:
rdar-6541136-region.c:17:3: warning: Load or store into an out-of-bound memory position.
*p = 1;
^~
Changing the line:
char *p = (void*) &wonky[1];
to
char *p = (void*) &wonky[0];
(which should delay the buffer overrun) causes region store to crash, probably
because it expects a TypedViewRegion.
- test/Analysis/casts.c (region store) now fails (crash).
Marking XFAIL.
llvm-svn: 70565
location context. This allows us to postpone the decision of whether
or not a context should add a control-flow piece to the diagnostics
when inspecting its subexpressions.
llvm-svn: 70545
- Add an (optional) short description for BugReports for clients that want
to distinguish between long and short descriptions for bugs
- Make the bug report for VLA less obscene for Plist diagnostics by using
the short description
llvm-svn: 70415
reasoning about OSCompareAndSwap32Barrier/OSCompareAndSwap64Barrier. Essentially
the address of reference to a region (pointer-to-pointer) can be casted to
(int32_t*), and we need to handle the logic to convert the involved locations
back and forth from nonloc::LocAsInteger, nonloc::ConcreteInt, to Loc and
loc::ConcreteInt respectively. This adds some potentially suspect logic to
BasicStoreManager that allows the analyzer to reason about abuses of the C type
system. This should probably be refined, be ported over to RegionStoreManager,
and extended with "path-sensitive type checking" to flag bugs in clearly
incoherent code.
llvm-svn: 70382
as 'objc_ownership_cfretain' except that the method acts like a CFRetain instead
of a [... retain] (important in GC modes). Checker support is wired up, but
currently only for Objective-C message expressions (not function calls).
llvm-svn: 70218
- Fix summary lookup for class methods to now use the (optional)
ObjCInterfaceDecl associated with a message expression. This removes a
long-standing FIXME.
- Partial fix for <rdar://problem/6062730> by stop tracking objects that
are passed to [NSObject performSelector]. These methods are often used
for delegates, which the analyzer doesn't reason about well yet.
llvm-svn: 69982
extend the number of objects tracked by the retain/release checker by assuming
that all class and instance methods should follow Cocoa object "getter" and
"alloc/new" conventions.
llvm-svn: 69908
methods, class methods, and property implementations) and instead
place all of these entities into the DeclContext.
This eliminates more linear walks when looking for class or instance
methods and should make PCH (de-)serialization of ObjCDecls trivial
(and lazy).
llvm-svn: 69849
- Remove stale assertion that was breaking the test suite.
- When popping location contexts, only add a control-flow piece for fileID
locations.
llvm-svn: 69814
character instead of the entire range for the IfStmt, ForStmt, etc. We may
gradually refine these ranges later, but basically terminator ranges just refer
to the first keyword.
llvm-svn: 69812
When the StoreManager doesn't reason well about pointer-arithmetic, propagate
the non-nullness constraint on a pointer value when performing pointer
arithmetic uisng ++/--.
llvm-svn: 69741
into StoreManager::CastRegion. Both methods were practically identical, and this
is core logic that is common to all StoreManagers since it defines the basic
invariants of the abstract memory model.
llvm-svn: 69730
lazy PCH deserialization. Propagate that argument wherever it needs to
be. No functionality change, except that I've tightened up a few PCH
tests in preparation.
llvm-svn: 69406
ProgramPoints all the way through to GRCoreEngine.
NSString.m now fails with RegionStoreManager because of the void** cast.
Disabling use of region store for that test for now.
llvm-svn: 68845
A CodeTextRegion wraps two kinds of data: FunctionDecl* or SymbolRef.
The latter comes from the symbolic function pointer that are generated from
function calls or input data.
llvm-svn: 68777
clients of the analyzer to designate custom assertion routines as "noreturn"
functions from the analyzer's perspective but not the compiler's.
llvm-svn: 68746
"manager of symbolic values", wrapping BasicValueFactory, SymbolManager, and
MemRegionManager. While these individual managers nicely separate functionality
in the analyzer, constructing symbolic values can sometimes be cumbersome
because it requires using multiple managers at once. The goal of this class is
to create some factory methods to create SVals that require the use of these
different managers, thus (hopefully) simplifying the analyzer API for clients.
llvm-svn: 68709
"The attached patch generates warnings of cases where an ObjC message is sent to
a nil object and the size of return type of that message is larger than the size
of void pointer. This may result in undefined return values as described in PR
2718. The patch also includes test cases."
llvm-svn: 68585
are considered 'live'. This hack isn't needed anymore because we have a
separation in the path-sensitive analyzer between variable names and bindings;
the analyzer can continue to reason about the storage of a variable after its
name is no longer directly referenced. Now the live variables analysis literally means "is this name live".
Along this line, update the dead stores checker to explicitly look for variables
whose values have escaped.
llvm-svn: 68504
contexts". This allows us to use a stack of contexts to keep track of what control-flow pieces to include when exiting blocks like 'if', 'for', etc.
llvm-svn: 68473
when creating symbolic values, we distinguish between location and non-location
values. For location values, we create a symbolic region instead of a
loc::SymbolVal.
llvm-svn: 68373
- When processing BlockEdges with terminators, using the condition as the
control-flow point for terminators that are expressions (e.g., '&&', '?')
- When processing events, allow intra-compound statement "jumping"
llvm-svn: 68228
instead of a FullSourceLoc. This resulted in a bunch of small edits in various
clients.
- Updated BugReporter to include an alternate PathDiagnostic generation
algorithm for PathDiagnosticClients desiring more control-flow pieces.
llvm-svn: 68193
LHS type and the computation result type; this encodes information into
the AST which is otherwise non-obvious. Fix Sema to always come up with the
right answer for both of these types. Fix IRGen and the analyzer to
account for these changes. This fixes PR2601. The approach is inspired
by PR2601 comment 2.
Note that this changes real *= complex in CodeGen from a silent
miscompilation to an explicit error.
I'm not really sure that the analyzer changes are correct, or how to
test them... someone more familiar with the analyzer should check those
changes.
llvm-svn: 67889
- Added an internal helper class 'PathDiagnosticBuilder' which now bundles the
'ExecutionContinues' methods.
- Added preliminary diagnostics for short-circuit '&&' and '||'
llvm-svn: 67822
- Added a new class, 'PathDiagnosticLocation', that is a variant for
SourceLocation, SourceRange, or Stmt*. This will be used soon by
PathDiagnosticPieces to describe locations for targets of branches, locations
of events, etc.
- Did some prep. refactoring of PathDiagnosticPieces to prepare them for
adopting the new PathDiagnosticLocation
llvm-svn: 67767
Zhongxing and I discussed by email.
Main changes:
- Removed SymIntConstraintVal and SymIntConstraint
- Added SymExpr as a parent class to SymbolData, SymSymExpr, SymIntExpr
- Added nonloc::SymExprVal to wrap SymExpr
- SymbolRef is now just a typedef of 'const SymbolData*'
- Bunch of minor code cleanups in how some methods were invoked (no functionality change)
This changes are part of a long-term plan to have full symbolic expression
trees. This will be useful for lazily evaluating complicated expressions.
llvm-svn: 67731
representing symbolic expressions like 'x'+3 and 'x'+'y'. The design is
subjected to change later when we fix the class hierarchy of symbolic
expressions.
llvm-svn: 67678
<rdar://problem/6704930> involving SimpleConstraintManager not reasoning well
about symbolic constraint values involving arithmetic operators.
llvm-svn: 67534
- Conjure symbols at '--' and '++' unary operations
- Add utility method SVal::GetConjuredSymbolVal() and constify some arguments
along the way.
llvm-svn: 67395
SVal::GetRValueSymbolVal do the checking if we can symbolicate a type instead of
having BasicStoreManager do it (which wasn't always doing the check
consistently). Having this check in SVal::GetRValueSymbolVal keeps the check in
one centralized place.
llvm-svn: 67245
diagnostics. This builds on the patch that Sebastian committed and
then revert. Major differences are:
- We don't remove or use the current ".def" files. Instead, for now,
we just make sure that we're building the ".inc" files.
- Fixed CMake makefiles to run TableGen and build the ".inc" files
when needed. Tested with both the Xcode and Makefile generators
provided by CMake, so it should be solid.
- Fixed normal makefiles to handle out-of-source builds that involve
the ".inc" files.
I'll send a separate patch to the list with Sebastian's changes that
eliminate the use of the .def files.
llvm-svn: 67058
conditions. Currently the analyzer does not reason well about
promotions/truncations of symbolic values, so at branch conditions when we see:
if (condition)
and condition is something like a 'short' or 'char', essentially ignore the
promotion to 'int' so that we track constraints on the original symbolic value.
We only ignore the casts if the underlying type has the same or fewer bits as
the converted type.
This fixes:
<rdar://problem/6619921>
llvm-svn: 66899
ExplodedGraph::TrimGraph:
- Just do a DFS both ways instead of BFS-DFS. We're just determining what subset
of the nodes are reachable from the root and reverse-reachable from the bug
nodes. DFS is more efficient for this task.
BugReporter:
- MakeReportGraph: Do a reverse-BFS instead of a reverse-DFS to determine the
approximate shortest path through the simulation graph. We were seeing some
weird cases where too many loops were being reported for simple bugs. Possibly
we will need to replace this with actually computing the shortest path in
terms of line numbers.
llvm-svn: 66842
- PathDiagnosticControlFlowPiece now consists of a "start" and "end" location
to indicating the branch location and where the branch goes.
BugReporter:
- Updated BugReporter to construct PathDiagnosticControlFlowPiece objects with
"end" locations.
PlistDiagnostics:
- Plists now contain the bug "type" (not just bug "category")
- Plists now encode control-flow pieces differently than events; now the
"start" and "end" locations are recorded
llvm-svn: 66818
TypedViewRegion has a valid rvalue type. Also renamed instance variable 'T' to
'LvalueType' to make it unambiguous of its purpose.
This fixes some crashes I was seeing after:
http://lists.cs.uiuc.edu/pipermail/cfe-commits/Week-of-Mon-20090309/013771.html
This is because 'isBoundable()' is defined in TypedRegion (the parent class) in
terms of the rvalue type (which could be null), while for TypedViewRegion it
should be defined in terms of the lvalue type.
llvm-svn: 66712
offset may be different that the base. Ultimately we need a better solution for
these issues, but this point-by-point fixes are gradually outlining the scope of
the problem.
llvm-svn: 66638
path-sensitivity, beyond checking to see if the value is "unknown" also check if
the ConstraintManager can handle the SVal. This allows us to recover some
path-sensitivity by actually discarding some information.
llvm-svn: 66627
- Group control flow and event PathDiagnosticPieces into PathDiagnosticMacroPieces.
- Afterwards, eliminate any PathDiagnosticMacroPieces from a PathDiagnostic that
contain no informative events.
HTMLDiagnostics:
- Use new information about PathDiagnosticMacroPieces to specially format
message bubbles for macro expansions containing interesting events.
llvm-svn: 66524
PathDiagnosticControlFlowPiece to distinguish (in the class hierarchy) between
events and control-flow diagnostic pieces. Clients must now use these directly
when constructing PathDiagnosticPieces.
llvm-svn: 66310
- Store bindings using a MemRegion -> SVal binding instead of VarDecl -> SVal
binding. This mirrors some of the idea of RegionStore, but is far simpler and
not nearly as functional. This leads to some code simplification and
some potential for some minor precision hacks.
Along the way...
- constify the use of MemRegion* in a few places
- add operator<<(llvm::raw_ostream, const MemRegion*)
llvm-svn: 66163
Ted Kremenek