Commit Graph

3909 Commits

Author SHA1 Message Date
Artem Dergachev 214f68e7a1 Revert "[analyzer] A speculative attempt to avoid gcc-7 crashes..."
This reverts commit r372940 which was an overreaction to a flaky buildbot.

llvm-svn: 373005
2019-09-26 18:52:00 +00:00
Artem Dergachev d9b477af8f [analyzer] A speculative attempt to avoid gcc-7 crashes caused by r372942.
llvm-svn: 372945
2019-09-26 07:01:31 +00:00
Artem Dergachev 4ed9793f98 [analyzer] Avoid small vectors of non-default-constructibles.
Unconfuses certain compilers.

llvm-svn: 372942
2019-09-26 06:33:21 +00:00
Alex Langford 86c3af9029 [NFCI] Return PathSensitiveBugReport where appropriate
Some compilers have trouble converting unique_ptr<PathSensitiveBugReport> to
unique_ptr<BugReport> causing some functions to fail to compile.
Changing the return type of the functions that fail to compile does not
appear to have any issues.
I ran into this issue building with clang 3.8 on Ubuntu 16.04.

llvm-svn: 372668
2019-09-23 22:24:47 +00:00
Benjamin Kramer 1b38002c7d Move classes into anonymous namespaces. NFC.
llvm-svn: 372495
2019-09-22 09:28:47 +00:00
Kristof Umann c90fda6abe Attempt to fix a windows buildbot failure
llvm-svn: 372462
2019-09-21 07:56:40 +00:00
Kristof Umann 96be6f485c Fix a documentation error
llvm-svn: 372419
2019-09-20 18:28:04 +00:00
Kristof Umann 951cd32f4b Reland '[analyzer][MallocChecker][NFC] Document and reorganize some functions'
Differential Revision: https://reviews.llvm.org/D54823

llvm-svn: 372414
2019-09-20 17:59:20 +00:00
Kristof Umann b8ac93c73b [analyzer] PR43102: Fix an assertion and an out-of-bounds error for diagnostic location construction
Summary:
https://bugs.llvm.org/show_bug.cgi?id=43102

In today's edition of "Is this any better now that it isn't crashing?", I'd like to show you a very interesting test case with loop widening.

Looking at the included test case, it's immediately obvious that this is not only a false positive, but also a very bad bug report in general. We can see how the analyzer mistakenly invalidated `b`, instead of its pointee, resulting in it reporting a null pointer dereference error. Not only that, the point at which this change of value is noted at is at the loop, rather then at the method call.

It turns out that `FindLastStoreVisitor` works correctly, rather the supplied explodedgraph is faulty, because `BlockEdge` really is the `ProgramPoint` where this happens.
{F9855739}
So it's fair to say that this needs improving on multiple fronts. In any case, at least the crash is gone.

Full ExplodedGraph: {F9855743}

Reviewers: NoQ, xazax.hun, baloghadamsoftware, Charusso, dcoughlin, rnkovacs, TWeaver

Subscribers: JesperAntonsson, uabelho, Ka-Ka, bjope, whisperity, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, gamesh411, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66716

llvm-svn: 372269
2019-09-18 22:24:26 +00:00
Kristof Umann 72649423c0 [analyzer][NFC] Fix inconsistent references to checkers as "checks"
Traditionally, clang-tidy uses the term check, and the analyzer uses checker,
but in the very early years, this wasn't the case, and code originating from the
early 2010's still incorrectly refer to checkers as checks.

This patch attempts to hunt down most of these, aiming to refer to checkers as
checkers, but preserve references to callback functions (like checkPreCall) as
checks.

Differential Revision: https://reviews.llvm.org/D67140

llvm-svn: 371760
2019-09-12 19:09:24 +00:00
Artem Dergachev f0bb45fac3 [analyzer] NFC: Move PathDiagnostic classes to libAnalysis.
At this point the PathDiagnostic, PathDiagnosticLocation, PathDiagnosticPiece
structures no longer rely on anything specific to Static Analyzer, so we can
move them out of it for everybody to use.

PathDiagnosticConsumers are still to be handed off.

Differential Revision: https://reviews.llvm.org/D67419

llvm-svn: 371661
2019-09-11 20:54:27 +00:00
Artem Dergachev 2bce23a4f8 [analyzer] NFC: Move resetDiagnosticLocationToMainFile() to BugReporter.
This method of PathDiagnostic is a part of Static Analyzer's particular
path diagnostic construction scheme. As such, it doesn't belong to
the PathDiagnostic class, but to the Analyzer.

Differential Revision: https://reviews.llvm.org/D67418

llvm-svn: 371660
2019-09-11 20:54:24 +00:00
Artem Dergachev 6b85f8e99b [analyzer] NFC: Move getStmt() and createEndOfPath() out of PathDiagnostic.
These static functions deal with ExplodedNodes which is something we don't want
the PathDiagnostic interface to know anything about, as it's planned to be
moved out of libStaticAnalyzerCore.

Differential Revision: https://reviews.llvm.org/D67382

llvm-svn: 371659
2019-09-11 20:54:21 +00:00
Artem Dergachev 8535b8ecf2 [analyzer] NFC: Re-implement stack hints as a side map in BugReport.
That's one of the few random entities in the PathDiagnostic interface that
are specific to the Static Analyzer. By moving them out we could let
everybody use path diagnostics without linking against Static Analyzer.

Differential Revision: https://reviews.llvm.org/D67381

llvm-svn: 371658
2019-09-11 20:54:17 +00:00
Artem Dergachev 589273bebd [analyzer] NFC: Simplify bug report equivalence classes to not be ilists.
Use a vector of unique pointers instead.

Differential Revision: https://reviews.llvm.org/D67024

llvm-svn: 371451
2019-09-09 20:34:44 +00:00
Artem Dergachev 2f169e7cdd [analyzer] NFC: Introduce sub-classes for path-sensitive and basic reports.
Checkers are now required to specify whether they're creating a
path-sensitive report or a path-insensitive report by constructing an
object of the respective type.

This makes BugReporter more independent from the rest of the Static Analyzer
because all Analyzer-specific code is now in sub-classes.

Differential Revision: https://reviews.llvm.org/D66572

llvm-svn: 371450
2019-09-09 20:34:40 +00:00
Gabor Borsik 080ecafdd8 Move prop-sink branch to monorepo.
llvm-svn: 371342
2019-09-08 19:23:43 +00:00
Artem Dergachev 6cee434ed1 [analyzer] Add minimal support for fix-it hints.
Allow attaching fixit hints to Static Analyzer BugReports.

Fixits are attached either to the bug report itself or to its notes
(path-sensitive event notes or path-insensitive extra notes).

Add support for fixits in text output (including the default text output that
goes without notes, as long as the fixit "belongs" to the warning).

Add support for fixits in the plist output mode.

Implement a fixit for the path-insensitive DeadStores checker. Only dead
initialization warning is currently covered.

Implement a fixit for the path-sensitive VirtualCall checker when the virtual
method is not pure virtual (in this case the "fix" is to suppress the warning
by qualifying the call).

Both fixits are under an off-by-default flag for now, because they
require more careful testing.

Differential Revision: https://reviews.llvm.org/D65182

llvm-svn: 371257
2019-09-06 20:55:29 +00:00
Artem Dergachev 2b1b4cab96 [analyzer] pr43179: Make CallDescription defensive against C variadic functions.
Most functions that our checkers react upon are not C-style variadic functions,
and therefore they have as many actual arguments as they have formal parameters.

However, it's not impossible to define a variadic function with the same name.
This will crash any checker that relies on CallDescription to check the number
of arguments but silently assumes that the number of parameters is the same.

Change CallDescription to check both the number of arguments and the number of
parameters by default.

If we're intentionally trying to match variadic functions, allow specifying
arguments and parameters separately (possibly omitting any of them).
For now we only have one CallDescription which would make use of those,
namely __builtin_va_start itself.

Differential Revision: https://reviews.llvm.org/D67019

llvm-svn: 371256
2019-09-06 20:55:24 +00:00
Benjamin Kramer 0581a44e02 Unbreak the build after r370798
llvm-svn: 370807
2019-09-03 18:24:56 +00:00
Kristof Umann 1b439659a8 [analyzer] NonNullParamChecker and CStringChecker parameter number in checker message
There are some functions which can't be given a null pointer as parameter either
because it has a nonnull attribute or it is declared to have undefined behavior
(e.g. strcmp()). Sometimes it is hard to determine from the checker message
which parameter is null at the invocation, so now this information is included
in the message.

This commit fixes https://bugs.llvm.org/show_bug.cgi?id=39358

Reviewed By: NoQ, Szelethus, whisperity

Patch by Tibor Brunner!

Differential Revision: https://reviews.llvm.org/D66333

llvm-svn: 370798
2019-09-03 17:57:01 +00:00
Kristof Umann 3b18b050b8 [analyzer] Add a checker option to detect nested dead stores
Enables the users to specify an optional flag which would warn for more dead
stores.
Previously it ignored if the dead store happened e.g. in an if condition.

if ((X = generate())) { // dead store to X
}

This patch introduces the `WarnForDeadNestedAssignments` option to the checker,
which is `false` by default - so this change would not affect any previous
users.
I have updated the code, tests and the docs as well. If I missed something, tell
me.

I also ran the analysis on Clang which generated 14 more reports compared to the
unmodified version. All of them seemed reasonable for me.

Related previous patches:
rGf224820b45c6847b91071da8d7ade59f373b96f3

Reviewers: NoQ, krememek, Szelethus, baloghadamsoftware

Reviewed By: Szelethus

Patch by Balázs Benics!

Differential Revision: https://reviews.llvm.org/D66733

llvm-svn: 370767
2019-09-03 15:22:43 +00:00
Adam Balogh 12f5c7f0c3 [Analyzer] Iterator Checkers - Make range errors and invalidated access fatal
Range errors (dereferencing or incrementing the past-the-end iterator or
decrementing the iterator of the first element of the range) and access of
invalidated iterators lead to undefined behavior. There is no point to
continue the analysis after such an error on the same execution path, but
terminate it by a sink node (fatal error). This also improves the
performance and helps avoiding double reports (e.g. in case of nested
iterators).

Differential Revision: https://reviews.llvm.org/D62893

llvm-svn: 370314
2019-08-29 09:35:47 +00:00
Artem Dergachev 630f7daf80 [analyzer] Fix analyzer warnings on analyzer.
Write tests for the actual crash that was found. Write comments and refactor
code around 17 style bugs and suppress 3 false positives.

Differential Revision: https://reviews.llvm.org/D66847

llvm-svn: 370246
2019-08-28 18:44:38 +00:00
Artem Dergachev 0909a392f3 [analyzer] pr43036: Fix support for operator 'sizeof...'.
It was known to be a compile-time constant so it wasn't evaluated during
symbolic execution, but it wasn't evaluated as a compile-time constant either.

Differential Revision: https://reviews.llvm.org/D66565

llvm-svn: 370245
2019-08-28 18:44:35 +00:00
Artem Dergachev 8b2a39e937 [analyzer] Trust global initializers when analyzing main().
If the global variable has an initializer, we'll ignore it because we're usually
not analyzing the program from the beginning, which means that the global
variable may have changed before we start our analysis.

However when we're analyzing main() as the top-level function, we can rely
on global initializers to still be valid. At least in C; in C++ we have global
constructors that can still break this logic.

This patch allows the Static Analyzer to load constant initializers from
global variables if the top-level function of the current analysis is main().

Differential Revision: https://reviews.llvm.org/D65361

llvm-svn: 370244
2019-08-28 18:44:32 +00:00
Joe Ranieri fce4324f92 Update the SARIF exporter to SARIF 2.1
This updates the SARIF exporter to produce SARIF 2.1 output. The bulk of the diffs come from two changes to SARIF:
* https://github.com/oasis-tcs/sarif-spec/issues/309
* https://github.com/oasis-tcs/sarif-spec/issues/179

Differential Revision: https://reviews.llvm.org/D65211

llvm-svn: 370068
2019-08-27 14:43:54 +00:00
Joe Ranieri 3385c5cc4d Fix a SARIF exporter crash with macro expansions
Differential Revision: https://reviews.llvm.org/D65209

llvm-svn: 370061
2019-08-27 14:20:27 +00:00
Joe Ranieri 68a6a28ef8 Fix text range end columns in SARIF to be exclusive
According to the SARIF specification, "a text region does not include the character specified by endColumn".

Differential Revision: https://reviews.llvm.org/D65206

llvm-svn: 370060
2019-08-27 13:49:45 +00:00
Benjamin Kramer dc5f805d31 Do a sweep of symbol internalization. NFC.
llvm-svn: 369803
2019-08-23 19:59:23 +00:00
Kristof Umann 09ce8ec78a [analyzer] Avoid unnecessary enum range check on LValueToRValue casts
Summary: EnumCastOutOfRangeChecker should not perform enum range checks on LValueToRValue casts, since this type of cast does not actually change the underlying type.   Performing the unnecessary check actually triggered an assertion failure deeper in EnumCastOutOfRange for certain input (which is captured in the accompanying test code).

Reviewers: #clang, Szelethus, gamesh411, NoQ

Reviewed By: Szelethus, gamesh411, NoQ

Subscribers: NoQ, gamesh411, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, Charusso, bjope, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66014

llvm-svn: 369760
2019-08-23 14:21:13 +00:00
Artem Dergachev 85f7294e5a [analyzer] CastValueChecker: Correctly model results of based-to-derived casts.
Our SVal hierarchy doesn't allow modeling pointer casts as no-op. The
pointer type is instead encoded into the pointer object. Defer to our
usual pointer casting facility, SValBuilder::evalBinOp().

Fixes a crash.

llvm-svn: 369729
2019-08-23 03:24:04 +00:00
Artem Dergachev 62a76d0ae3 [analyzer] CastValueChecker: Provide DynamicTypeMap with pointer types only.
The idea to drop this requirement is good, but for now every other user
of DynamicTypeInfo expects pointer types.

Fixes a crash.

llvm-svn: 369728
2019-08-23 03:24:01 +00:00
Artem Dergachev af992e6d01 [analyzer] CastValueChecker: Avoid modeling casts between objects.
Our method only works correctly when casting a pointer to a pointer
or a reference to a reference.

Fixes a crash.

llvm-svn: 369727
2019-08-23 03:23:58 +00:00
Artem Dergachev 0900b77db2 [analyzer] DynamicTypeInfo: Avoid putting null regions into dynamic typemap.
Fixes a crash.

llvm-svn: 369726
2019-08-23 03:23:55 +00:00
Haojian Wu fcedc6a61b Remove an unused function, suppress -Wunused-function warning.
llvm-svn: 369629
2019-08-22 08:49:41 +00:00
Csaba Dabis 4d71600c11 [analyzer] CastValueChecker: Model isa(), isa_and_nonnull()
Summary: -

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D66423

llvm-svn: 369615
2019-08-22 02:57:59 +00:00
Kristof Umann 58eb033a49 [analyzer] Don't track the condition of foreach loops
As discussed on the mailing list, notes originating from the tracking of foreach
loop conditions are always meaningless.

Differential Revision: https://reviews.llvm.org/D66131

llvm-svn: 369613
2019-08-22 02:44:19 +00:00
Csaba Dabis 22dc44ff89 [analyzer] CastValueChecker: Try to fix the buildbots
llvm-svn: 369609
2019-08-22 01:41:06 +00:00
Csaba Dabis e4bf456fce [analyzer] CastValueChecker: Rewrite dead header hotfix
llvm-svn: 369607
2019-08-22 00:36:42 +00:00
Csaba Dabis 0202c3596c [analyzer] CastValueChecker: Store the dynamic types and casts
Summary:
This patch introduces `DynamicCastInfo` similar to `DynamicTypeInfo` which
is stored in `CastSets` which are storing the dynamic cast informations of
objects based on memory regions. It could be used to store and check the
casts and prevent infeasible paths.

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D66325

llvm-svn: 369605
2019-08-22 00:20:36 +00:00
Csaba Dabis b73a5711f6 [analyzer] TrackConstraintBRVisitor: Do not track unknown values
Summary: -

Reviewers: NoQ, Szelethus

Reviewed By: NoQ, Szelethus

Differential Revision: https://reviews.llvm.org/D66267

llvm-svn: 369604
2019-08-22 00:06:58 +00:00
Kristof Umann d9a81ccf05 [analyzer] Mention whether an event is about a condition in a bug report part 2
In D65724, I do a pretty thorough explanation about how I'm solving this
problem, I think that summary nails whats happening here ;)

Differential Revision: https://reviews.llvm.org/D65725

llvm-svn: 369596
2019-08-21 22:38:00 +00:00
Kristof Umann 49ac7ece16 [analyzer] Don't make ConditionBRVisitor events prunable when the condition is an interesting field
Exactly what it says on the tin! Note that we're talking about interestingness
in general, hence this isn't a control-dependency-tracking specific patch.

Differential Revision: https://reviews.llvm.org/D65724

llvm-svn: 369589
2019-08-21 21:59:22 +00:00
Kristof Umann fff01c8ec2 [analyzer][NFC] Add different interestingness kinds
We defined (on the mailing list and here on phabricator) 2 different cases where
retrieving information about a control dependency condition is very important:

* When the condition's last write happened in a different stack frame
* When the collapse point of the condition (when we can constrain it to be
true/false) didn't happen in the actual condition.

It seems like we solved this problem with the help of expression value tracking,
and have started working on better diagnostics notes about this process.

Expression value tracking is nothing more than registering a variety of visitors
to construct reports about it. Each of the registered visitors (ReturnVisitor,
FindLastStoreVisitor, NoStoreFuncVisitor, etc) have something to go by: a
MemRegion, an SVal, an ExplodedNode, etc. For this reason, better explaining a
last write is super simple, we can always just pass on some more information to
the visitor in question (as seen in D65575).

ConditionBRVisitor is a different beast, as it was built for a different
purpose. It is responsible for constructing events at, well, conditions, and is
registered only once, and isn't a part of the "expression value tracking
family". Unfortunately, it is also the visitor to tinker with for constructing
better diagnostics about the collapse point problem.

This creates a need for alternative way to communicate with ConditionBRVisitor
that a specific condition is being tracked for for the reason of being a control
dependency. Since at almost all PathDiagnosticEventPiece construction the
visitor checks interestingness, it makes sense to pair interestingness with a
reason as to why we marked an entity as such.

Differential Revision: https://reviews.llvm.org/D65723

llvm-svn: 369583
2019-08-21 21:33:25 +00:00
Kristof Umann da648ab8de [analyzer] Mention whether an event is about a condition in a bug report part 1
Can't add much more to the title! This is part 1, the case where the collapse
point isn't in the condition point is the responsibility of ConditionBRVisitor,
which I'm addressing in part 2.

Differential Revision: https://reviews.llvm.org/D65575

llvm-svn: 369574
2019-08-21 20:43:27 +00:00
Dmitri Gribenko 6b9d7c9da5 Removed some dead code in BugReporter and related files
Subscribers: cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D66473

llvm-svn: 369504
2019-08-21 08:48:24 +00:00
Artem Dergachev 3fdc427f0b [analyzer] NFC: Remove the BugTypes set from BugReporter.
Its only purpose was to avoid a bug that's caused by
making a virtual call in BugReporter's destructor.

llvm-svn: 369451
2019-08-20 21:41:20 +00:00
Artem Dergachev 8eb7a74b78 [analyzer] Fix a crash when destroying a non-region.
Add defensive check that prevents a crash when we try to evaluate a destructor
whose this-value is a concrete integer that isn't a null.

Differential Revision: https://reviews.llvm.org/D65349

llvm-svn: 369450
2019-08-20 21:41:17 +00:00
Artem Dergachev d3971fe97b [analyzer] Improve VirtualCallChecker and enable parts of it by default.
Calling a pure virtual method during construction or destruction
is undefined behavior. It's worth it to warn about it by default.
That part is now known as the cplusplus.PureVirtualCall checker.

Calling a normal virtual method during construction or destruction
may be fine, but does behave unexpectedly, as it skips virtual dispatch.
Do not warn about this by default, but let projects opt in into it
by enabling the optin.cplusplus.VirtualCall checker manually.

Give the two parts differentiated warning text:

  Before:

    Call to virtual function during construction or destruction:
    Call to pure virtual function during construction

    Call to virtual function during construction or destruction:
    Call to virtual function during destruction

  After:

    Pure virtual method call:
    Call to pure virtual method 'X::foo' during construction
        has undefined behavior

    Unexpected loss of virtual dispatch:
    Call to virtual method 'Y::bar' during construction
        bypasses virtual dispatch

Also fix checker names in consumers that support them (eg., clang-tidy)
because we now have different checker names for pure virtual calls and
regular virtual calls.

Also fix capitalization in the bug category.

Differential Revision: https://reviews.llvm.org/D64274

llvm-svn: 369449
2019-08-20 21:41:14 +00:00