Commit Graph

3909 Commits

Author SHA1 Message Date
Artem Dergachev ceb639dbee [analyzer] Fix invalidation when returning into a ctor initializer.
Due to RVO the target region of a function that returns an object by
value isn't necessarily a temporary object region; it may be an
arbitrary memory region. In particular, it may be a field of a bigger
object.

Make sure we don't invalidate the bigger object when said function is
evaluated conservatively.

Differential Revision: https://reviews.llvm.org/D63968

llvm-svn: 364870
2019-07-01 23:02:18 +00:00
Artem Dergachev 512f4838c4 [analyzer] NonnullGlobalConstants: Don't be confused by a _Nonnull attribute.
The NonnullGlobalConstants checker models the rule "it doesn't make sense
to make a constant global pointer and initialize it to null"; it makes sure
that whatever it's initialized with is known to be non-null.

Ironically, annotating the type of the pointer as _Nonnull breaks the checker.

Fix handling of the _Nonnull annotation so that it was instead one more reason
to believe that the value is non-null.

Differential Revision: https://reviews.llvm.org/D63956

llvm-svn: 364869
2019-07-01 23:02:14 +00:00
Artem Dergachev 35fdec1b54 [analyzer] CStringChecker: Modernize to use CallDescriptions.
This patch uses the new CDF_MaybeBuiltin flag to handle C library functions.
It's mostly an NFC/refactoring pass, but it does fix a bug in handling memset()
when it expands to __builtin___memset_chk() because the latter has
one more argument and memset() handling code was trying to match
the exact number of arguments. Now the code is deduplicated and there's
less room for mistakes.

Differential Revision: https://reviews.llvm.org/D62557

llvm-svn: 364868
2019-07-01 23:02:10 +00:00
Artem Dergachev f301096f51 [analyzer] NFC: CallDescription: Implement describing C library functions.
When matching C standard library functions in the checker, it's easy to forget
that they are often implemented as macros that are expanded to builtins.

Such builtins would have a different name, so matching the callee identifier
would fail, or may sometimes have more arguments than expected, so matching
the exact number of arguments would fail, but this is fine as long as we have
all the arguments that we need in their respective places.

This patch adds a set of flags to the CallDescription class so that to handle
various special matching rules, and adds the first flag into this set,
which enables a more fuzzy matching for functions that
may be implemented as compiler builtins.

Differential Revision: https://reviews.llvm.org/D62556

llvm-svn: 364867
2019-07-01 23:02:07 +00:00
Artem Dergachev ec8e95640f [analyzer] NFC: Add a convenient CallDescriptionMap class.
It encapsulates the procedure of figuring out whether a call event
corresponds to a function that's modeled by a checker.

Checker developers no longer need to worry about performance of
lookups into their own custom maps.

Add unittests - which finally test CallDescription itself as well.

Differential Revision: https://reviews.llvm.org/D62441

llvm-svn: 364866
2019-07-01 23:02:03 +00:00
Nathan Huckleberry 13fde7a89a [analyzer] Fix clang-tidy crash on GCCAsmStmt
Summary:
Added entry in switch statement to recognize GCCAsmStmt
as a possible block terminator.

Handling to build CFG using GCCAsmStmt was already implemented.

Reviewers: nickdesaulniers, george.karpenkov, NoQ

Reviewed By: nickdesaulniers, NoQ

Subscribers: xbolva00, tmroeder, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D63533

llvm-svn: 364605
2019-06-27 22:46:40 +00:00
Csaba Dabis 0cdd13c05a [analyzer] print() JSONify: Create pointers
Summary: -

Reviewers: NoQ

Reviewed By: NoQ

Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin,
             mikhail.ramalho, Szelethus, donat.nagy, dkrupp, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D63726

llvm-svn: 364271
2019-06-25 03:17:55 +00:00
Artem Dergachev c48be7fc1c [analyzer] Add more timers for performance profiling.
The -analyzer-stats flag now allows you to find out how much time was spent
on AST-based analysis and on path-sensitive analysis and, separately,
on bug visitors, as they're occasionally a performance problem on their own.

The total timer wasn't useful because there's anyway a total time printed out.
Remove it.

Differential Revision: https://reviews.llvm.org/D63227

llvm-svn: 364266
2019-06-25 02:16:47 +00:00
Richard Smith 7939ba08ab [cxx2a] P1236R1: the validity of a left shift does not depend on the
value of the LHS operand.

llvm-svn: 364265
2019-06-25 01:45:26 +00:00
Csaba Dabis 49885b1245 [analyzer] ExprEngine: Escape pointers in bitwise operations
Summary:
After evaluation it would be an Unknown value and tracking would be lost.

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D63720

llvm-svn: 364259
2019-06-25 00:44:33 +00:00
Csaba Dabis 906d494b6e [analyzer] Fix JSON dumps for ExplodedNodes
Summary:
- Now we could see the `has_report` property in `trim-egraph` mode.
- This patch also removes the trailing comma after each node.

Reviewers: NoQ

Reviewed By: NoQ

Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin,
             mikhail.ramalho, Szelethus, donat.nagy, dkrupp, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D63436

llvm-svn: 364193
2019-06-24 16:06:44 +00:00
Artem Dergachev 5c287f751a [analyzer] DeadStores: Update the crude suppression for files generated by IIG.
They changed the comments that we were looking for.

llvm-svn: 363995
2019-06-20 22:29:40 +00:00
Artem Dergachev b50d167358 [analyzer] exploded-graph-rewriter: Fix escaping StringRegions.
Quotes around StringRegions are now escaped and unescaped correctly,
producing valid JSON.

Additionally, add a forgotten escape for Store values.

Differential Revision: https://reviews.llvm.org/D63519

llvm-svn: 363897
2019-06-19 23:33:55 +00:00
Artem Dergachev 064c8c689a [analyzer] Fix JSON dumps for store clusters.
Include a unique pointer so that it was possible to figure out if it's
the same cluster in different program states. This allows comparing
dumps of different states against each other.

Differential Revision: https://reviews.llvm.org/D63362

llvm-svn: 363896
2019-06-19 23:33:51 +00:00
Artem Dergachev f9f6cdb1a8 [analyzer] Fix JSON dumps for location contexts.
Location context ID is a property of the location context, not of an item
within it. It's useful to know the id even when there are no items
in the context, eg. for the purposes of figuring out how did contents
of the Environment for the same location context changed across states.

Differential Revision: https://reviews.llvm.org/D62754

llvm-svn: 363895
2019-06-19 23:33:48 +00:00
Artem Dergachev 3bb7b2ec7f [analyzer] Fix JSON dumps for dynamic type information.
They're now valid JSON.

Differential Revision: https://reviews.llvm.org/D62716

llvm-svn: 363894
2019-06-19 23:33:45 +00:00
Artem Dergachev 44820630df [analyzer] NFC: Change evalCall() to provide a CallEvent.
This changes the checker callback signature to use the modern, easy to
use interface. Additionally, this unblocks future work on allowing
checkers to implement evalCall() for calls that don't correspond to any
call-expression or require additional information that's only available
as part of the CallEvent, such as C++ constructors and destructors.

Differential Revision: https://reviews.llvm.org/D62440

llvm-svn: 363893
2019-06-19 23:33:42 +00:00
Artem Dergachev 3707b05211 [analyzer] DeadStores: Add a crude suppression files generated by DriverKit IIG.
IIG is a replacement for MIG in DriverKit: IIG is autogenerating C++ code.
Suppress dead store warnings on such code, as the tool seems to be producing
them regularly, and the users of IIG are not in position to address these
warnings, as they don't control the autogenerated code. IIG-generated code
is identified by looking at the comments at the top of the file.

Differential Revision: https://reviews.llvm.org/D63118

llvm-svn: 363892
2019-06-19 23:33:39 +00:00
Hubert Tong 64b60df99f [analyzer] SARIF: Add EOF newline; replace diff_sarif
Summary:
This patch applies a change similar to rC363069, but for SARIF files.

The `%diff_sarif` lit substitution invokes `diff` with a non-portable
`-I` option. The intended effect can be achieved by normalizing the
inputs to `diff` beforehand. Such normalization can be done with
`grep -Ev`, which is also used by other tests.

Additionally, this patch updates the SARIF output to have a newline at
the end of the file. This makes it so that the SARIF file qualifies as a
POSIX text file, which increases the consumability of the generated file
in relation to various tools.

Reviewers: NoQ, sfertile, xingxue, jasonliu, daltenty, aaron.ballman

Reviewed By: aaron.ballman

Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, Charusso, jsji, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62952

llvm-svn: 363822
2019-06-19 15:27:35 +00:00
Kristof Umann e20b388e2f [analyzer] Push correct version of 'Track indices of arrays'
Messed up the commit, oops.

llvm-svn: 363512
2019-06-16 15:41:25 +00:00
Kristof Umann 33b46a6df0 [analyzer] Track indices of arrays
Often times, when an ArraySubscriptExpr was reported as null or
undefined, the bug report was difficult to understand, because the
analyzer explained why arr[i] has that value, but didn't realize that in
fact i's value is very important as well. This patch fixes this by
tracking the indices of arrays.

Differential Revision: https://reviews.llvm.org/D63080

llvm-svn: 363510
2019-06-16 14:52:56 +00:00
Kristof Umann 9ff09d49da [analyzer][NFC] Tease apart and clang-format NoStoreFuncVisitor
Make several methods static functions
Move non-trivial methods out-of-line
Add a divider
Turn non-obvious autos into Optional<RegionVector>
clang-format affected lines

Differential Revision: https://reviews.llvm.org/D63086

llvm-svn: 363509
2019-06-16 14:09:11 +00:00
Csaba Dabis 077f13c612 [analyzer] ReturnVisitor: Bypass everything to see inlined calls
Summary:
When we traversed backwards on ExplodedNodes to see where processed the
given statement we `break` too early. With the current approach we do not
miss the CallExitEnd ProgramPoint which stands for an inlined call.

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62926

llvm-svn: 363491
2019-06-15 10:05:49 +00:00
Richard Smith 27252a1f95 PR23833, DR2140: an lvalue-to-rvalue conversion on a glvalue of type
nullptr_t does not access memory.

We now reuse CK_NullToPointer to represent a conversion from a glvalue
of type nullptr_t to a prvalue of nullptr_t where necessary.

This reinstates r363337, reverted in r363352.

llvm-svn: 363429
2019-06-14 17:46:38 +00:00
Nico Weber 3d02b895ed Revert 363295, it caused PR42276. Also revert follow-ups 363337, 363340.
Revert 363340 "Remove unused SK_LValueToRValue initialization step."
Revert 363337 "PR23833, DR2140: an lvalue-to-rvalue conversion on a glvalue of type"
Revert 363295 "C++ DR712 and others: handle non-odr-use resulting from an lvalue-to-rvalue conversion applied to a member access or similar not-quite-trivial lvalue expression."

llvm-svn: 363352
2019-06-14 04:05:17 +00:00
Richard Smith 0476d069e3 PR23833, DR2140: an lvalue-to-rvalue conversion on a glvalue of type
nullptr_t does not access memory.

We now reuse CK_NullToPointer to represent a conversion from a glvalue
of type nullptr_t to a prvalue of nullptr_t where necessary.

This reinstates r345562, reverted in r346065, now that CodeGen's
handling of non-odr-used variables has been fixed.

llvm-svn: 363337
2019-06-13 23:31:04 +00:00
Hubert Tong 9df9cbafce [PlistSupport] Produce a newline to end plist output files
Summary:
As suggested in the review of D62949, this patch updates the plist
output to have a newline at the end of the file. This makes it so that
the plist output file qualifies as a POSIX text file, which increases
the consumability of the generated plist file in relation to various
tools.

Reviewers: NoQ, sfertile, xingxue, jasonliu, daltenty

Reviewed By: NoQ, xingxue

Subscribers: jsji, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D63041

llvm-svn: 362992
2019-06-10 22:30:57 +00:00
Kristof Umann 4cc6d72bb4 [analyzer][NFC] Add dividers to BugReporterVisitors.cpp
Some minor formatting to make the file more readable.
Added //===----------===// around the implementation of class methods
and divided anonymous namespaces as per
https://llvm.org/docs/CodingStandards.html#anonymous-namespaces

llvm-svn: 362887
2019-06-08 20:25:39 +00:00
Keno Fischer 6f48c07620 [analyzer] Add werror flag for analyzer warnings
Summary:
We're using the clang static analyzer together with a number of
custom analyses in our CI system to ensure that certain invariants
are statiesfied for by the code every commit. Unfortunately, there
currently doesn't seem to be a good way to determine whether any
analyzer warnings were emitted, other than parsing clang's output
(or using scan-build, which then in turn parses clang's output).
As a simpler mechanism, simply add a `-analyzer-werror` flag to CC1
that causes the analyzer to emit its warnings as errors instead.
I briefly tried to have this be `Werror=analyzer` and make it go
through that machinery instead, but that seemed more trouble than
it was worth in terms of conflicting with options to the actual build
and special cases that would be required to circumvent the analyzers
usual attempts to quiet non-analyzer warnings. This is simple and it
works well.

Reviewed-By: NoQ, Szelethusw
Differential Revision: https://reviews.llvm.org/D62885

llvm-svn: 362855
2019-06-07 23:34:00 +00:00
Csaba Dabis 84cfca0f2b [analyzer] PathDiagnosticPopUpPiece: working with CharSourceRange
Summary: Sometimes we are at character boundaries so past the token-range.
llvm-svn: 362632
2019-06-05 18:55:39 +00:00
Csaba Dabis 4595f01b06 [analyzer] print() JSONify: ExplodedNode revision
Summary: Revert node-ID removal.

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp,
             cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62658

llvm-svn: 362249
2019-05-31 17:54:12 +00:00
Csaba Dabis 74c5fac3bb [analyzer] Remove EndPath function as it is dead code
Summary: -

Reviewers: george.karpenkov

Reviewed By: george.karpenkov

Subscribers: baloghadamsoftware, cfe-commits, xazax.hun, szepet, a.sidorin,
             mikhail.ramalho, Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D53720

llvm-svn: 362030
2019-05-29 20:47:27 +00:00
Csaba Dabis 2e896b8b39 [analyzer] ConditionBRVisitor: Boolean support
Summary: -

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ, george.karpenkov

Subscribers: cfe-commits, xazax.hun, baloghadamsoftware, szepet, a.sidorin,
             mikhail.ramalho, Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D58207

llvm-svn: 362027
2019-05-29 20:34:29 +00:00
Csaba Dabis d1f0ec3f64 [analyzer] ConditionBRVisitor: MemberExpr support
Summary: -

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: cfe-commits, xazax.hun, baloghadamsoftware, szepet, a.sidorin,
             mikhail.ramalho, Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D58206

llvm-svn: 362026
2019-05-29 20:29:02 +00:00
Csaba Dabis 9942a996d9 [analyzer] ConditionBRVisitor: Remove duplicated code
Summary: -

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: cfe-commits, xazax.hun, baloghadamsoftware, szepet, a.sidorin,
             mikhail.ramalho, Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D58199

llvm-svn: 362025
2019-05-29 20:18:07 +00:00
Csaba Dabis 4b0184b2d3 [analyzer] ConditionBRVisitor: Enhance to write out more information
Summary:
Add extra messages to the bug report to inform the user why the analyzer
`Taking true/false branch`.

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: gerazo, gsd, dkrupp, whisperity, baloghadamsoftware, xazax.hun,
             eraman, szepet, a.sidorin, mikhail.ramalho, Szelethus,
             donat.nagy, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D53076

llvm-svn: 362020
2019-05-29 20:06:09 +00:00
Csaba Dabis 1d7ca67769 [analyzer] [NFC] PathDiagnostic: Create PathDiagnosticPopUpPiece
Summary:
This new piece is similar to our macro expansion printing in HTML reports:
On mouse-hover event it pops up on variables. Similar to note pieces it
supports `plist` diagnostics as well.

It is optional, on by default: `add-pop-up-notes=true`.

Extra: In HTML reports `background-color: LemonChiffon` was too light,
changed to `PaleGoldenRod`.

Reviewers: NoQ, alexfh

Reviewed By: NoQ

Subscribers: cfe-commits, gerazo, gsd, george.karpenkov, alexfh, xazax.hun,
             baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho,
             Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D60670

llvm-svn: 362014
2019-05-29 19:21:59 +00:00
Csaba Dabis 8a88d6aaaa [analyzer] print() JSONify: SVal implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: cfe-commits, szepet, rnkovacs, a.sidorin, mikhail.ramalho,
             Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62497

llvm-svn: 362008
2019-05-29 18:38:52 +00:00
Haojian Wu 5feead5752 Fix an unused-variable error.
llvm-svn: 362005
2019-05-29 18:36:54 +00:00
Csaba Dabis 9ee26c8d5f [analyzer][AST] print() JSONify: Stmt implementation
Summary:
This patch also adds a function called `JsonFormat()` which:
- Flattens the string so removes the new-lines.
- Escapes double quotes.

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: cfe-commits, szepet, rnkovacs, a.sidorin, mikhail.ramalho,
             donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62494

llvm-svn: 362000
2019-05-29 18:17:18 +00:00
Csaba Dabis 13e491cca5 [analyzer] print() JSONify: getNodeLabel implementation
Summary: This patch also rewrites the ProgramPoint printing.

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: cfe-commits, szepet, rnkovacs, a.sidorin, mikhail.ramalho,
             donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62346

llvm-svn: 361997
2019-05-29 18:05:53 +00:00
Csaba Dabis df0a42127c [analyzer] print() JSONify: Program state implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62087

llvm-svn: 361983
2019-05-29 16:22:21 +00:00
Csaba Dabis b7ca72a113 [analyzer] print() JSONify: Checker messages implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62086

llvm-svn: 361982
2019-05-29 16:02:33 +00:00
Csaba Dabis 35e54eb31e [analyzer] print() JSONify: Constructing objects implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62085

llvm-svn: 361980
2019-05-29 15:58:26 +00:00
Csaba Dabis 32981637ce [analyzer] print() JSONify: Type information implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62083

llvm-svn: 361979
2019-05-29 15:53:12 +00:00
Csaba Dabis 5df5eb8816 [analyzer] print() JSONify: Constraints implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62082

llvm-svn: 361978
2019-05-29 15:43:26 +00:00
Csaba Dabis 9ce3746604 [analyzer] print() JSONify: Environment implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D62081

llvm-svn: 361976
2019-05-29 15:36:58 +00:00
Csaba Dabis 124cba0b81 [analyzer] print() JSONify: Store implementation
Summary: -

Reviewers: NoQ, xazax.hun, ravikandhadai, baloghadamsoftware, Szelethus

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy,
             dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D61912

llvm-svn: 361972
2019-05-29 15:25:19 +00:00
Adam Balogh 9ed4b316d1 [Analyzer] Replace `CXXSelfAssignmentBRVisitor` with `NoteTags`
The `cplusplus.SelfAssignment` checker has a visitor that is added
to every `BugReport` to mark the to branch of the self assignment
operator with e.g. `rhs == *this` and `rhs != *this`. With the new
`NoteTag` feature this visitor is not needed anymore. Instead the
checker itself marks the two branches using the `NoteTag`s.

Differential Revision: https://reviews.llvm.org/D62479

llvm-svn: 361818
2019-05-28 13:07:09 +00:00
Artem Dergachev ef0aab3138 [analyzer] Add a prunable note for skipping vbase inits in subclasses.
When initialization of virtual base classes is skipped, we now tell the user
about it, because this aspect of C++ isn't very well-known.

The implementation is based on the new "note tags" feature (r358781).
In order to make use of it, allow note tags to produce prunable notes,
and move the note tag factory to CoreEngine.

Differential Revision: https://reviews.llvm.org/D61817

llvm-svn: 361682
2019-05-24 23:37:11 +00:00
Artem Dergachev 192a7474d6 [CFG] Add branch to skip vbase inits when they're handled by superclass.
This patch adds the run-time CFG branch that would skip initialization of
virtual base classes depending on whether the constructor is called from a
superclass constructor or not. Previously the Static Analyzer was already
skipping virtual base-class initializers in such constructors, but it wasn't
skipping their arguments and their potential side effects, which was causing
pr41300 (and was generally incorrect). The previous skipping behavior is
now replaced with a hard assertion that we're not even getting there due
to how our CFG works.

The new CFG element is under a CFG build option so that not to break other
consumers of the CFG by this change. Static Analyzer support for this change
is implemented.

Differential Revision: https://reviews.llvm.org/D61816

llvm-svn: 361681
2019-05-24 23:37:08 +00:00
Mandeep Singh Grang 0cdc5dddca [Analyzer] Checker for non-determinism caused by iteration of unordered container of pointers
Summary: Added a checker for non-determinism caused by iterating unordered containers like std::unordered_set containing pointer elements.

Reviewers: NoQ, george.karpenkov, whisperity, Szelethus, baloghadamsoftware

Reviewed By: Szelethus

Subscribers: mgorny, xazax.hun, baloghadamsoftware, szepet, rnkovacs, a.sidorin, mikhail.ramalho, donat.nagy, dkrupp, jdoerfert, Charusso, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D59279

llvm-svn: 361664
2019-05-24 19:24:08 +00:00
Artem Dergachev 4e53032d9b [CFG] NFC: Remove implicit conversion from CFGTerminator to Stmt *.
Turn it into a variant class instead. This conversion does indeed save some code
but there's a plan to add support for more kinds of terminators that aren't
necessarily based on statements, and with those in mind it becomes more and more
confusing to have CFGTerminators implicitly convertible to a Stmt *.

Differential Revision: https://reviews.llvm.org/D61814

llvm-svn: 361586
2019-05-24 01:34:22 +00:00
Kristof Umann ac95c86511 [analyzer] List checker/plugin options in 3 categories: released, alpha, developer
Same patch as D62093, but for checker/plugin options, the only
difference being that options for alpha checkers are implicitly marked
as alpha.

Differential Revision: https://reviews.llvm.org/D62093

llvm-svn: 361566
2019-05-23 22:52:09 +00:00
Kristof Umann 7e55ed84d0 [analyzer] Hide developer-only checker/package options by default
These options are now only visible under
-analyzer-checker-option-help-developer.

Differential Revision: https://reviews.llvm.org/D61839

llvm-svn: 361561
2019-05-23 22:07:16 +00:00
Kristof Umann 5bc40d9b18 [analyzer] List checkers in 3 categories: released, alpha, developer
Previously, the only way to display the list of available checkers was
to invoke the analyzer with -analyzer-checker-help frontend flag. This
however wasn't really great from a maintainer standpoint: users came
across checkers meant strictly for development purposes that weren't to
be tinkered with, or those that were still in development. This patch
creates a clearer division in between these categories.

From now on, we'll have 3 flags to display the list checkers. These
lists are mutually exclusive and can be used in any combination (for
example to display both stable and alpha checkers).

-analyzer-checker-help: Displays the list for stable, production ready
                        checkers.

-analyzer-checker-help-alpha: Displays the list for in development
                              checkers. Enabling is discouraged
                              for non-development purposes.

-analyzer-checker-help-developer: Modeling and debug checkers. Modeling
                                  checkers shouldn't be enabled/disabled
                                  by hand, and debug checkers shouldn't
                                  be touched by users.

Differential Revision: https://reviews.llvm.org/D62093

llvm-svn: 361558
2019-05-23 21:46:51 +00:00
Kristof Umann e8df27d925 [analyzer] Add a new frontend flag to display all checker options
Add the new frontend flag -analyzer-checker-option-help to display all
checker/package options.

Differential Revision: https://reviews.llvm.org/D57858

llvm-svn: 361552
2019-05-23 20:47:28 +00:00
Adam Balogh 33160c4424 [Analyzer] Refactor begin and end symbol creation
This patch refactors begin and end symbol creation by moving symbol
conjuration into the `create...` functions. This way the functions'
responsibilities are clearer and makes possible to add more functions
handling these symbols (e.g. functions for handling the container's
size) without code multiplication.

Differential Revision: https://reviews.llvm.org/D61136

llvm-svn: 361141
2019-05-20 11:04:27 +00:00
Simon Pilgrim 3e95568dcf MIGChecker - assert we have a non-null LocationContext. NFCI.
Fixes scan-build warning.

llvm-svn: 361097
2019-05-18 11:42:19 +00:00
Kristof Umann 83cc1b35d1 [analyzer] Remove the default value arg from getChecker*Option
Since D57922, the config table contains every checker option, and it's default
value, so having it as an argument for getChecker*Option is redundant.

By the time any of the getChecker*Option function is called, we verified the
value in CheckerRegistry (after D57860), so we can confidently assert here, as
any irregularities detected at this point must be a programmer error. However,
in compatibility mode, verification won't happen, so the default value must be
restored.

This implies something else, other than adding removing one more potential point
of failure -- debug.ConfigDumper will always contain valid values for
checker/package options!

Differential Revision: https://reviews.llvm.org/D59195

llvm-svn: 361042
2019-05-17 15:52:13 +00:00
Kristof Umann 85cf76e783 [analyzer] Validate checker option names and values
Validate whether the option exists, and also whether the supplied value is of
the correct type. With this patch, invoking the analyzer should be, at least
in the frontend mode, a lot safer.

Differential Revision: https://reviews.llvm.org/D57860

llvm-svn: 361011
2019-05-17 09:51:59 +00:00
Kristof Umann 30b2307da8 [analyzer] Insert checker options into AnalyzerOption::ConfigTable
The more entries we have in AnalyzerOptions::ConfigTable, the more helpful
debug.ConfigDumper is. With this patch, I'm pretty confident that it'll now emit
the entire state of the analyzer, minus the frontend flags.

It would be nice to reserve the config table specifically to checker options
only, as storing the regular analyzer configs is kinda redundant.

Differential Revision: https://reviews.llvm.org/D57922

llvm-svn: 361006
2019-05-17 09:29:44 +00:00
Eric Fiselier 708afb56c1 Implement __builtin_LINE() et. al. to support source location capture.
Summary:
This patch implements the source location builtins `__builtin_LINE(), `__builtin_FUNCTION()`, `__builtin_FILE()` and `__builtin_COLUMN()`. These builtins are needed to implement [`std::experimental::source_location`](https://rawgit.com/cplusplus/fundamentals-ts/v2/main.html#reflection.src_loc.creation).

With the exception of `__builtin_COLUMN`, GCC also implements these builtins, and Clangs behavior is intended to match as closely as possible. 

Reviewers: rsmith, joerg, aaron.ballman, bogner, majnemer, shafik, martong

Reviewed By: rsmith

Subscribers: rnkovacs, loskutov, riccibruno, mgorny, kunitoki, alexr, majnemer, hfinkel, cfe-commits

Differential Revision: https://reviews.llvm.org/D37035

llvm-svn: 360937
2019-05-16 21:04:15 +00:00
Artem Dergachev 07c7257cdc [analyzer] RetainCount: Fix os_returns_retained_on_zero with weird return types.
The checker was crashing when it was trying to assume a structure
to be null or non-null so that to evaluate the effect of the annotation.

Differential Revision: https://reviews.llvm.org/D61958

llvm-svn: 360790
2019-05-15 18:41:32 +00:00
Artem Dergachev e41ae14581 [analyzer] MIGChecker: Fix redundant semicolon.
llvm-svn: 360739
2019-05-15 01:36:41 +00:00
Artem Dergachev 70b654fa9b [analyzer] MIGChecker: Add support for os_ref_retain().
Suppress MIG checker false positives that occur when the programmer increments
the reference count before calling a MIG destructor, and the MIG destructor
literally boils down to decrementing the reference count.

Differential Revision: https://reviews.llvm.org/D61925

llvm-svn: 360737
2019-05-15 01:19:19 +00:00
Artem Dergachev b3fc9df481 [analyzer] Fix a crash when doing RVO from within blocks.
When looking for the location context of the call site, unwrap block invocation
contexts because they are attached to the current AnalysisDeclContext
while what we need is the previous AnalysisDeclContext.

Differential Revision: https://reviews.llvm.org/D61545

llvm-svn: 360202
2019-05-07 22:33:13 +00:00
Richard Smith b9fb121a62 [c++20] Implement P1009R2: allow omitting the array bound in an array
new expression.

This was voted into C++20 as a defect report resolution, so we
retroactively apply it to all prior language modes (though it can never
actually be used before C++11 mode).

llvm-svn: 360006
2019-05-06 03:47:15 +00:00
Kristof Umann aa9d2623a0 [analyzer][UninitializedObjectChecker] PR41741: Regard all scalar types as primitive.
https://bugs.llvm.org/show_bug.cgi?id=41741

Pretty much the same as D61246 and D61106, this time for __complex__ types. Upon
further investigation, I realized that we should regard all types
Type::isScalarType returns true for as primitive, so I merged 
isMemberPointerType(), isBlockPointerType() and isAnyComplexType()` into that
instead.

I also stumbled across yet another bug,
https://bugs.llvm.org/show_bug.cgi?id=41753, but it seems to be unrelated to
this checker.

Differential Revision: https://reviews.llvm.org/D61569

llvm-svn: 359998
2019-05-05 19:42:33 +00:00
Kristof Umann 9f7fc9838a [analyzer] Don't display implementation checkers under -analyzer-checker-help, but do under the new flag -analyzer-checker-help-hidden
During my work on analyzer dependencies, I created a great amount of new
checkers that emitted no diagnostics at all, and were purely modeling some
function or another.

However, the user shouldn't really disable/enable these by hand, hence this
patch, which hides these by default. I intentionally chose not to hide alpha
checkers, because they have a scary enough name, in my opinion, to cause no
surprise when they emit false positives or cause crashes.

The patch introduces the Hidden bit into the TableGen files (you may remember
it before I removed it in D53995), and checkers that are either marked as
hidden, or are in a package that is marked hidden won't be displayed under
-analyzer-checker-help. -analyzer-checker-help-hidden, a new flag meant for
developers only, displays the full list.

Differential Revision: https://reviews.llvm.org/D60925

llvm-svn: 359720
2019-05-01 19:56:47 +00:00
Kristof Umann c21ec00d28 [analyzer][UninitializedObjectChecker] PR41611: Regard vector types as primitive
https://bugs.llvm.org/show_bug.cgi?id=41611

Similarly to D61106, the checker ran over an llvm_unreachable for vector types:

struct VectorSizeLong {
  VectorSizeLong() {}
  __attribute__((__vector_size__(16))) long x;
};

void __vector_size__LongTest() {
  VectorSizeLong v;
}
Since, according to my short research,

"The vector_size attribute is only applicable to integral and float scalars,
although arrays, pointers, and function return values are allowed in conjunction
with this construct."
[src: https://gcc.gnu.org/onlinedocs/gcc-4.6.1/gcc/Vector-Extensions.html#Vector-Extensions]

vector types are safe to regard as primitive.

Differential Revision: https://reviews.llvm.org/D61246

llvm-svn: 359539
2019-04-30 08:47:56 +00:00
Artem Dergachev ab7747b727 [analyzer] Treat functions without run-time branches as "small".
Currently we always inline functions that have no branches, i.e. have exactly
three CFG blocks: ENTRY, some code, EXIT. This makes sense because when there
are no branches, it means that there's no exponential complexity introduced
by inlining such function. Such functions also don't trigger various fundamental
problems with our inlining mechanism, such as the problem of inlined
defensive checks.

Sometimes the CFG may contain more blocks, but in practice it still has
linear structure because all directions (except, at most, one) of all branches
turned out to be unreachable. When this happens, still treat the function
as "small". This is useful, in particular, for dealing with C++17 if constexpr.

Differential Revision: https://reviews.llvm.org/D61051

llvm-svn: 359531
2019-04-30 03:01:02 +00:00
Artem Dergachev eb71c0c961 [analyzer] SmartPtrModeling: Fix a null dereference.
Don't crash when trying to model a call in which the callee is unknown
in compile time, eg. a pointer-to-member call.

Differential Revision: https://reviews.llvm.org/D61285

llvm-svn: 359530
2019-04-30 03:00:57 +00:00
Adam Balogh d538b70b44 [Analyzer] Iterator Checkers - Do an early return after handling calls
This patch is more of a fix than a real improvement: in checkPostCall()
we should return immediately after finding the right call and handling
it. This both saves unnecessary processing and double-handling calls by
mistake.

Differential Revision: https://reviews.llvm.org/D61134

llvm-svn: 359283
2019-04-26 07:30:07 +00:00
Artem Dergachev e264ac6ae1 [analyzer] RetainCount: Allow offsets in return values.
Because RetainCountChecker has custom "local" reasoning about escapes,
it has a separate facility to deal with tracked symbols at end of analysis
and check them for leaks regardless of whether they're dead or not.
This facility iterates over the list of tracked symbols and reports
them as leaks, but it needs to treat the return value specially.

Some custom allocators tend to return the value with an offset, storing
extra metadata at the beginning of the buffer. In this case the return value
would be a non-base region. In order to avoid false positives, we still need to
find the original symbol within the return value, otherwise it'll be unable
to match it to the item in the list of tracked symbols.

Differential Revision: https://reviews.llvm.org/D60991

llvm-svn: 359263
2019-04-26 02:05:15 +00:00
Artem Dergachev b591845f4b [analyzer] Fix crash when returning C++ objects from ObjC messages-to-nil.
the assertion is in fact incorrect: there is a cornercase in Objective-C++
in which a C++ object is not constructed with a constructor, but merely
zero-initialized. Namely, this happens when an Objective-C message is sent
to a nil and it is supposed to return a C++ object.

Differential Revision: https://reviews.llvm.org/D60988

llvm-svn: 359262
2019-04-26 02:05:12 +00:00
Artem Dergachev ecefce6a49 [analyzer] Add FIXMEs for alpha.unix.cstring.OutOfBounds false positives.
Caused by incorrect strlcat() modeling in r332303,
cf. https://bugs.llvm.org/show_bug.cgi?id=37687#c8

llvm-svn: 359237
2019-04-25 20:30:14 +00:00
Kristof Umann f46c58e0c6 [analyzer][UninitializedObjectChecker] PR41590: Regard _Atomic types as primitive
https://bugs.llvm.org/show_bug.cgi?id=41590

For the following code snippet, UninitializedObjectChecker crashed:

struct MyAtomicInt {
  _Atomic(int) x;
  MyAtomicInt() {}
};

void entry() {
  MyAtomicInt b;
}

The problem was that _Atomic types were not regular records, unions,
dereferencable or primitive, making the checker hit the llvm_unreachable at
lib/StaticAnalyzer/Checkers/UninitializedObject/UninitializedObjectChecker.cpp:347.
The solution is to regard these types as primitive as well. The test case shows
that with this addition, not only are we able to get rid of the crash, but we
can identify x as uninitialized.

Differential Revision: https://reviews.llvm.org/D61106

llvm-svn: 359230
2019-04-25 20:00:51 +00:00
Artem Dergachev a746f2b73c [analyzer] Fix macro names in diagnostics within bigger macros.
If macro "CHECK_X(x)" expands to something like "if (x != NULL) ...",
the "Assuming..." note no longer says "Assuming 'x' is equal to CHECK_X".

Differential Revision: https://reviews.llvm.org/D59121

llvm-svn: 359037
2019-04-23 21:30:30 +00:00
Adam Balogh d2e2e20de3 [Analyzer] Second fix for last commit for IteratorChecker
A variable was redeclared instead of assigned in an internal
block, leaving the original uninitialized. This is fixed now.

llvm-svn: 358971
2019-04-23 11:18:50 +00:00
Rafael Stahl 850361f6c1 [analyzer][CrossTU] Extend CTU to VarDecls with initializer
Summary:
The existing CTU mechanism imports `FunctionDecl`s where the definition is available in another TU. This patch extends that to VarDecls, to bind more constants.

- Add VarDecl importing functionality to CrossTranslationUnitContext
- Import Decls while traversing them in AnalysisConsumer
- Add VarDecls to CTU external mappings generator
- Name changes from "external function map" to "external definition map"

Reviewers: NoQ, dcoughlin, xazax.hun, george.karpenkov, martong

Reviewed By: xazax.hun

Subscribers: Charusso, baloghadamsoftware, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, george.karpenkov, mgorny, whisperity, szepet, rnkovacs, a.sidorin, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D46421

llvm-svn: 358968
2019-04-23 11:04:41 +00:00
Adam Balogh 8f8827014d [Analyzer] Fix for previous commit
A compilation warning was in my previous commit which broke the buildbot
because it is using `-Werror` for compilation. This patch fixes this
issue.

llvm-svn: 358955
2019-04-23 07:45:10 +00:00
Adam Balogh 54976e76e6 [Analyzer] Instead of recording comparisons in interator checkers do an eager state split
Currently iterator checkers record comparison of iterator positions
and process them for keeping track the distance between them (e.g.
whether a position is the same as the end position). However this
makes some processing unnecessarily complex and it is not needed at
all: we only need to keep track between the abstract symbols stored
in these iterator positions. This patch changes this and opens the
path to comparisons to the begin() and end() symbols between the
container (e.g. size, emptiness) which are stored as symbols, not
iterator positions. The functionality of the checker is unchanged.

Differential Revision: https://reviews.llvm.org/D53701

llvm-svn: 358951
2019-04-23 07:15:55 +00:00
Artem Dergachev 727d6ca3f0 [analyzer] Unbreak body farms in presence of multiple declarations.
When growing a body on a body farm, it's essential to use the same redeclaration
of the function that's going to be used during analysis. Otherwise our
ParmVarDecls won't match the ones that are used to identify argument regions.

This boils down to trusting the reasoning in AnalysisDeclContext. We shouldn't
canonicalize the declaration before farming the body because it makes us not
obey the sophisticated decision-making process of AnalysisDeclContext.

Differential Revision: https://reviews.llvm.org/D60899

llvm-svn: 358946
2019-04-23 02:56:00 +00:00
Artem Dergachev e2a8e43160 [analyzer] PR41335: Fix crash when no-store event is in a body-farmed function.
Stuffing invalid source locations (such as those in functions produced by
body farms) into path diagnostics causes crashes.

Fix a typo in a nearby function name.

Differential Revision: https://reviews.llvm.org/D60808

llvm-svn: 358945
2019-04-23 02:50:38 +00:00
Artem Dergachev 8c6119a442 [analyzer] PR41269: Add a bit of C++ smart pointer modeling.
Implement cplusplus.SmartPtrModeling, a new checker that doesn't
emit any warnings but models methods of smart pointers more precisely.

For now the only thing it does is make `(bool) P` return false when `P`
is a freshly moved pointer. This addresses a false positive in the
use-after-move-checker.

Differential Revision: https://reviews.llvm.org/D60796

llvm-svn: 358944
2019-04-23 02:45:42 +00:00
Kristof Umann 85e0ff752c [analyzer] Move UninitializedObjectChecker out of alpha
Moved UninitializedObjectChecker from the 'alpha.cplusplus' to the
'optin.cplusplus' package.

Differential Revision: https://reviews.llvm.org/D58573

llvm-svn: 358797
2019-04-19 23:33:50 +00:00
Artem Dergachev 0a7dd5a2a4 Reapply "[analyzer] Introduce a simplified API for adding custom path notes."
This reapplies commit r357323, fixing memory leak found by LSan.

Differential Revision: https://reviews.llvm.org/D58367

llvm-svn: 358781
2019-04-19 20:23:29 +00:00
Kristof Umann b4788b26e2 [analyzer][NFC] Reimplement checker options
TL;DR:

* Add checker and package options to the TableGen files
* Added a new class called CmdLineOption, and both Package and Checker recieved
   a list<CmdLineOption> field.
* Added every existing checker and package option to Checkers.td.
* The CheckerRegistry class
  * Received some comments to most of it's inline classes
  * Received the CmdLineOption and PackageInfo inline classes, a list of
     CmdLineOption was added to CheckerInfo and PackageInfo
  * Added addCheckerOption and addPackageOption
  * Added a new field called Packages, used in addPackageOptions, filled up in
     addPackage

Detailed description:

In the last couple months, a lot of effort was put into tightening the
analyzer's command line interface. The main issue is that it's spectacularly
easy to mess up a lenghty enough invocation of the analyzer, and the user was
given no warnings or errors at all in that case.

We can divide the effort of resolving this into several chapters:

* Non-checker analyzer configurations:
    Gather every analyzer configuration into a dedicated file. Emit errors for
    non-existent configurations or incorrect values. Be able to list these
    configurations. Tighten AnalyzerOptions interface to disallow making such
    a mistake in the future.

* Fix the "Checker Naming Bug" by reimplementing checker dependencies:
    When cplusplus.InnerPointer was enabled, it implicitly registered
    unix.Malloc, which implicitly registered some sort of a modeling checker
    from the CStringChecker family. This resulted in all of these checker
    objects recieving the name "cplusplus.InnerPointer", making AnalyzerOptions
    asking for the wrong checker options from the command line:
      cplusplus.InnerPointer:Optimisic
    istead of
      unix.Malloc:Optimistic.
    This was resolved by making CheckerRegistry responsible for checker
    dependency handling, instead of checkers themselves.

* Checker options: (this patch included!)
    Same as the first item, but for checkers.

(+ minor fixes here and there, and everything else that is yet to come)

There were several issues regarding checker options, that non-checker
configurations didn't suffer from: checker plugins are loaded runtime, and they
could add new checkers and new options, meaning that unlike for non-checker
configurations, we can't collect every checker option purely by generating code.
Also, as seen from the "Checker Naming Bug" issue raised above, they are very
rarely used in practice, and all sorts of skeletons fell out of the closet while
working on this project.

They were extremely problematic for users as well, purely because of how long
they were. Consider the following monster of a checker option:

  alpha.cplusplus.UninitializedObject:CheckPointeeInitialization=false

While we were able to verify whether the checker itself (the part before the
colon) existed, any errors past that point were unreported, easily resulting
in 7+ hours of analyses going to waste.

This patch, similarly to how dependencies were reimplemented, uses TableGen to
register checker options into Checkers.td, so that Checkers.inc now contains
entries for both checker and package options. Using the preprocessor,
Checkers.inc is converted into code in CheckerRegistry, adding every builtin
(checkers and packages that have an entry in the Checkers.td file) checker and
package option to the registry. The new addPackageOption and addCheckerOption
functions expose the same functionality to statically-linked non-builtin and
plugin checkers and packages as well.

Emitting errors for incorrect user input, being able to list these options, and
some other functionalies will land in later patches.

Differential Revision: https://reviews.llvm.org/D57855

llvm-svn: 358752
2019-04-19 12:32:10 +00:00
Kristof Umann cd3f147439 [analyzer] Fix an assertion failure if plugins added dependencies
Ideally, there is no reason behind not being able to depend on checkers that
come from a different plugin (or on builtin checkers) -- however, this is only
possible if all checkers are added to the registry before resolving checker
dependencies. Since I used a binary search in my addDependency method, this also
resulted in an assertion failure (due to CheckerRegistry::Checkers not being
sorted), since the function used by plugins to register their checkers
(clang_registerCheckers) calls addDependency.

This patch resolves this issue by only noting which dependencies have to
established when addDependency is called, and resolves them at a later stage
when no more checkers are added to the registry, by which point
CheckerRegistry::Checkers is already sorted.

Differential Revision: https://reviews.llvm.org/D59461

llvm-svn: 358750
2019-04-19 11:01:35 +00:00
Fangrui Song 9206335e9d [analyzer] Fix -Wunused-local-typedef after rC358695
llvm-svn: 358729
2019-04-19 01:54:36 +00:00
Artem Dergachev 9b02a9b401 [analyzer] Make default bindings to variables actually work.
Default RegionStore bindings represent values that can be obtained by loading
from anywhere within the region, not just the specific offset within the region
that they are said to be bound to. For example, default-binding a character \0
to an int (eg., via memset()) means that the whole int is 0, not just
that its lower byte is 0.

Even though memset and bzero were modeled this way, it didn't work correctly
when applied to simple variables. Eg., in

  int x;
  memset(x, 0, sizeof(x));

we did produce a default binding, but were unable to read it later, and 'x'
was perceived as an uninitialized variable even after memset.

At the same time, if we replace 'x' with a variable of a structure or array
type, accessing fields or elements of such variable was working correctly,
which was enough for most cases. So this was only a problem for variables of
simple integer/enumeration/floating-point/pointer types.

Fix loading default bindings from RegionStore for regions of simple variables.

Add a unit test to document the API contract as well.

Differential Revision: https://reviews.llvm.org/D60742

llvm-svn: 358722
2019-04-18 23:35:56 +00:00
Kristof Umann 640f7b5875 [analyzer][NFC] Prefer binary searches in CheckerRegistry
Differential Revision: https://reviews.llvm.org/D59459

llvm-svn: 358695
2019-04-18 17:34:45 +00:00
Kristof Umann a57d4ea33f [analyzer][NFC] Clang-format CheckerRegistry
Differential Revision: https://reviews.llvm.org/D59458

llvm-svn: 358694
2019-04-18 17:32:51 +00:00
Kristof Umann b9bc7ec304 [analyzer][NFC] Use capital variable names, move methods out-of-line, rename some in CheckerRegistry
There are barely any lines I haven't changed in these files, so I think I could
might as well leave it in an LLVM coding style conforming state. I also renamed
2 functions and moved addDependency out of line to ease on followup patches.

Differential Revision: https://reviews.llvm.org/D59457

llvm-svn: 358676
2019-04-18 15:19:16 +00:00
Kristof Umann 25e592e522 [analyzer] PR41185: Fix regression where __builtin_* functions weren't recognized
For the following code snippet:

void builtin_function_call_crash_fixes(char *c) {
  __builtin_strncpy(c, "", 6);
  __builtin_memset(c, '\0', (0));
  __builtin_memcpy(c, c, 0);
}
security.insecureAPI.DeprecatedOrUnsafeBufferHandling caused a regression, as it
didn't recognize functions starting with __builtin_. Fixed exactly that.

I wanted to modify an existing test file, but the two I found didn't seem like
perfect candidates. While I was there, I prettified their RUN: lines.

Differential Revision: https://reviews.llvm.org/D59812

llvm-svn: 358609
2019-04-17 19:56:40 +00:00
Artem Dergachev 7d4694547a [analyzer] Escape pointers stored into top-level parameters with destructors.
Writing stuff into an argument variable is usually equivalent to writing stuff
to a local variable: it will have no effect outside of the function.
There's an important exception from this rule: if the argument variable has
a non-trivial destructor, the destructor would be invoked on
the parent stack frame, exposing contents of the otherwise dead
argument variable to the caller.

If such argument is the last place where a pointer is stored before the function
exits and the function is the one we've started our analysis from (i.e., we have
no caller context for it), we currently diagnose a leak. This is incorrect
because the destructor of the argument still has access to the pointer.
The destructor may deallocate the pointer or even pass it further.

Treat writes into such argument regions as "escapes" instead, suppressing
spurious memory leak reports but not messing with dead symbol removal.

Differential Revision: https://reviews.llvm.org/D60112

llvm-svn: 358321
2019-04-13 02:01:45 +00:00
Artem Dergachev 5c6fc36de8 [analyzer] NoStoreFuncVisitor: Suppress reports with no-store in system headers.
The idea behind this heuristic is that normally the visitor is there to
inform the user that a certain function may fail to initialize a certain
out-parameter. For system header functions this is usually dictated by the
contract, and it's unlikely that the header function has accidentally
forgot to put the value into the out-parameter; it's more likely
that the user has intentionally skipped the error check.

Warnings on skipped error checks are more like security warnings;
they aren't necessarily useful for all users, and they should instead
be introduced on a per-API basis.

Differential Revision: https://reviews.llvm.org/D60107

llvm-svn: 357810
2019-04-05 20:18:53 +00:00
Nico Weber 04347d848d Make SourceManager::createFileID(UnownedTag, ...) take a const llvm::MemoryBuffer*
Requires making the llvm::MemoryBuffer* stored by SourceManager const,
which in turn requires making the accessors for that return const
llvm::MemoryBuffer*s and updating all call sites.

The original motivation for this was to use it and fix the TODO in
CodeGenAction.cpp's ConvertBackendLocation() by using the UnownedTag
version of createFileID, and since llvm::SourceMgr* hands out a const
llvm::MemoryBuffer* this is required. I'm not sure if fixing the TODO
this way actually works, but this seems like a good change on its own
anyways.

No intended behavior change.

Differential Revision: https://reviews.llvm.org/D60247

llvm-svn: 357724
2019-04-04 21:06:41 +00:00
Artem Dergachev 3d90e7e8db Revert "[analyzer] Toning down invalidation a bit".
This reverts commit r352473.

The overall idea is great, but it seems to cause unintented consequences
when not only Region Store invalidation but also pointer escape mechanism
was accidentally affected.

Based on discussions in https://reviews.llvm.org/D58121#1452483
and https://reviews.llvm.org/D57230#1434161

Differential Revision: https://reviews.llvm.org/D57230

llvm-svn: 357620
2019-04-03 18:21:16 +00:00
Artem Dergachev f7887d41cb [analyzer] When failing to evaluate a __builtin_constant_p, presume it's false.
__builtin_constant_p(x) is a compiler builtin that evaluates to 1 when
its argument x is a compile-time constant and to 0 otherwise. In CodeGen
it is simply lowered to the respective LLVM intrinsic. In the Analyzer
we've been trying to delegate modeling to Expr::EvaluateAsInt, which is
allowed to sometimes fail for no apparent reason.

When it fails, let's conservatively return false. Modeling it as false
is pretty much never wrong, and it is only required to return true
on a best-effort basis, which every user should expect.

Fixes VLAChecker false positives on code that tries to emulate
static asserts in C by constructing a VLA of dynamic size -1 under the
assumption that this dynamic size is actually a constant
in the sense of __builtin_constant_p.

Differential Revision: https://reviews.llvm.org/D60110

llvm-svn: 357557
2019-04-03 01:53:40 +00:00
Mikael Holmen 4ec931714d Fix compiler warning, remove extra ";" [NFC]
At least gcc 7.4 complained with
../tools/clang/lib/StaticAnalyzer/Checkers/Taint.cpp:26:53: warning: extra ';' [-Wpedantic]
                                        TaintTagType);
                                                     ^

llvm-svn: 357461
2019-04-02 10:01:09 +00:00
Fangrui Song 75e74e077c Range-style std::find{,_if} -> llvm::find{,_if}. NFC
llvm-svn: 357359
2019-03-31 08:48:19 +00:00
Artem Dergachev a3c9d88233 [analyzer] MIGChecker: Add support for more deallocator APIs.
Differential Revision: https://reviews.llvm.org/D59914

llvm-svn: 357335
2019-03-29 23:56:53 +00:00
Artem Dergachev 4d6fb5789f Revert "[analyzer] Introduce a simplified API for adding custom path notes."
This reverts commit r357323.

ASan leaks found by a buildbot :)

Differential Revision: https://reviews.llvm.org/D58367

llvm-svn: 357332
2019-03-29 23:11:10 +00:00
Artem Dergachev 388e19ff1f [analyzer] PR41239: Fix a crash on invalid source location in NoStoreFuncVisitor.
It turns out that SourceManager::isInSystemHeader() crashes when an invalid
source location is passed into it. Invalid source locations are relatively
common: not only they come from body farms, but also, say, any function in C
that didn't come with a forward declaration would have an implicit
forward declaration with invalid source locations.

There's a more comfy API for us to use in the Static Analyzer:
CallEvent::isInSystemHeader(), so just use that.

Differential Revision: https://reviews.llvm.org/D59901

llvm-svn: 357329
2019-03-29 22:57:49 +00:00
Artem Dergachev 44551cf693 [analyzer] Move taint API from ProgramState to a separate header. NFC.
It is now an inter-checker communication API, similar to the one that
connects MallocChecker/CStringChecker/InnerPointerChecker: simply a set of
setters and getters for a state trait.

Differential Revision: https://reviews.llvm.org/D59861

llvm-svn: 357326
2019-03-29 22:49:30 +00:00
Artem Dergachev 60cde76f70 [analyzer] PR37501: Disable assertion for logical op short circuit evaluation.
The transfer function for the CFG element that represents a logical operation
computes the value of the operation and does nothing else. The element
appears after all the short circuit decisions were made, so they don't need
to be made again at this point.

Because our expression evaluation is imprecise, it is often hard to
discriminate between:

  (1) we don't know the value of the RHS because we failed to evaluate it

and

  (2) we don't know the value of the RHS because it didn't need to be evaluated.

This is hard because it depends on our knowledge about the value of the LHS
(eg., if LHS is true, then RHS in (LHS || RHS) doesn't need to be computed)
but LHS itself may have been evaluated imprecisely and we don't know whether
it is true or not. Additionally, the Analyzer wouldn't necessarily even remember
what the value of the LHS was because theoretically it's not really necessary
to know it for any future evaluations.

In order to work around these issues, the transfer function for logical
operations consists in looking at the ExplodedGraph we've constructed so far
in order to figure out from which CFG direction did we arrive here.
Such post-factum backtracking that doesn't involve looking up LHS and RHS values
is usually possible. However sometimes it fails because when we deduplicate
exploded nodes with the same program point and the same program state we may end
up in a situation when we reached the same program point from two or more
different directions.

By removing the assertion, we admit that the procedure indeed sometimes fails to
work. When it fails, we also admit that we don't know the value of the logical
operator.

Differential Revision: https://reviews.llvm.org/D59857

llvm-svn: 357325
2019-03-29 22:43:34 +00:00
Artem Dergachev 6b39f10a00 [analyzer] Introduce a simplified API for adding custom path notes.
Almost all path-sensitive checkers need to tell the user when something specific
to that checker happens along the execution path but does not constitute a bug
on its own. For instance, a call to operator delete in C++ has consequences
that are specific to a use-after-free bug. Deleting an object is not a bug
on its own, but when the Analyzer finds an execution path on which a deleted
object is used, it'll have to explain to the user when exactly during that path
did the deallocation take place.

Historically such custom notes were added by implementing "bug report visitors".
These visitors were post-processing bug reports by visiting every ExplodedNode
along the path and emitting path notes whenever they noticed that a change that
is relevant to a bug report occurs within the program state. For example,
it emits a "memory is deallocated" note when it notices that a pointer changes
its state from "allocated" to "deleted".

The "visitor" approach is powerful and efficient but hard to use because
such preprocessing implies that the developer first models the effects
of the event (say, changes the pointer's state from "allocated" to "deleted"
as part of operator delete()'s transfer function) and then forgets what happened
and later tries to reverse-engineer itself and figure out what did it do
by looking at the report.

The proposed approach tries to avoid discarding the information that was
available when the transfer function was evaluated. Instead, it allows the
developer to capture all the necessary information into a closure that
will be automatically invoked later in order to produce the actual note.

This should reduce boilerplate and avoid very painful logic duplication.

On the technical side, the closure is a lambda that's put into a special kind of
a program point tag, and a special bug report visitor visits all nodes in the
report and invokes all note-producing closures it finds along the path.

For now it is up to the lambda to make sure that the note is actually relevant
to the report. For instance, a memory deallocation note would be irrelevant when
we're reporting a division by zero bug or if we're reporting a use-after-free
of a different, unrelated chunk of memory. The lambda can figure these thing out
by looking at the bug report object that's passed into it.

A single checker is refactored to make use of the new functionality: MIGChecker.
Its program state is trivial, making it an easy testing ground for the first
version of the API.

Differential Revision: https://reviews.llvm.org/D58367

llvm-svn: 357323
2019-03-29 22:21:00 +00:00
Benjamin Kramer ba2ea93ad1 Make helper functions static. NFC.
llvm-svn: 357187
2019-03-28 17:18:42 +00:00
Adam Balogh a19c985f8a [Analyzer] Constraint Manager - Calculate Effective Range for Differences
Since rL335814, if the constraint manager cannot find a range set for `A - B`
(where `A` and `B` are symbols) it looks for a range for `B - A` and returns
it negated if it exists. However, if a range set for both `A - B` and `B - A`
is stored then it only returns the first one. If we both use `A - B` and
`B - A`, these expressions behave as two totally unrelated symbols. This way
we miss some useful deductions which may lead to false negatives or false
positives.

This tiny patch changes this behavior: if the symbolic expression the
constraint manager is looking for is a difference `A - B`, it tries to
retrieve the range for both `A - B` and `B - A` and if both exists it returns
the intersection of range `A - B` and the negated range of `B - A`. This way
every time a checker applies new constraints to the symbolic difference or to
its negated it always affects both the original difference and its negated.

Differential Revision: https://reviews.llvm.org/D55007

llvm-svn: 357167
2019-03-28 13:05:59 +00:00
Duncan P. N. Exon Smith 1da7eac87c Frontend: Remove CompilerInstance::VirtualFileSystem, NFC
Remove CompilerInstance::VirtualFileSystem and
CompilerInstance::setVirtualFileSystem, instead relying on the VFS in
the FileManager.  CompilerInstance and its clients already went to some
trouble to make these match.  Now they are guaranteed to match.

As part of this, I added a VFS parameter (defaults to nullptr) to
CompilerInstance::createFileManager, to avoid repeating construction
logic in clients that just wanted to customize the VFS.

https://reviews.llvm.org/D59377

llvm-svn: 357037
2019-03-26 22:18:52 +00:00
Artem Dergachev bef9f8aac3 [CFG] [analyzer] pr41142: C++17: Skip transparent InitListExprs in ExprEngine.
r356634 didn't fix all the problems caused by r356222 - even though simple
constructors involving transparent init-list expressions are now evaluated
precisely, many more complicated constructors aren't, for other reasons.

The attached test case is an example of a constructor that will never be
evaluated precisely - simply because there isn't a constructor there (instead,
the program invokes run-time undefined behavior by returning without a return
statement that should have constructed the return value).

Fix another part of the problem for such situations: evaluate transparent
init-list expressions transparently, so that to avoid creating ill-formed
"transparent" nonloc::CompoundVals.

Differential Revision: https://reviews.llvm.org/D59622

llvm-svn: 356969
2019-03-26 00:36:53 +00:00
Mikhail R. Gadelha db695c834f Moved everything SMT-related to LLVM and updated the cmake scripts.
Differential Revision: https://reviews.llvm.org/D54978

llvm-svn: 356929
2019-03-25 17:47:45 +00:00
Csaba Dabis 9ea2f9079d [analyzer] ConditionBRVisitor: Unknown condition evaluation support
Summary:
If the constraint information is not changed between two program states the
analyzer has not learnt new information and made no report. But it is
possible to happen because we have no information at all. The new approach
evaluates the condition to determine if that is the case and let the user
know we just `Assuming...` some value.

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: llvm-commits, xazax.hun, baloghadamsoftware, szepet, a.sidorin,
mikhail.ramalho, Szelethus, donat.nagy, dkrupp, gsd, gerazo

Tags: #clang, #llvm

Differential Revision: https://reviews.llvm.org/D57410

llvm-svn: 356323
2019-03-16 13:47:55 +00:00
Csaba Dabis cf0b4e32eb [analyzer] ConditionBRVisitor: Remove GDM checking
Summary:
Removed the `GDM` checking what could prevent reports made by this visitor.
Now we rely on constraint changes instead.
(It reapplies 356318 with a feature from 356319 because build-bot failure.)

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: cfe-commits, jdoerfert, gerazo, xazax.hun, baloghadamsoftware,
szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D54811

llvm-svn: 356322
2019-03-16 11:55:07 +00:00
Csaba Dabis 17c8ca8f1f Revert "[analyzer] ConditionBRVisitor: Remove GDM checking"
This reverts commit f962485ada.

llvm-svn: 356321
2019-03-16 10:44:49 +00:00
Csaba Dabis e282b30c58 Revert "[analyzer] ConditionBRVisitor: Unknown condition evaluation support"
This reverts commit 0fe67a61cd.

llvm-svn: 356320
2019-03-16 10:06:06 +00:00
Csaba Dabis 0fe67a61cd [analyzer] ConditionBRVisitor: Unknown condition evaluation support
Summary: If the constraint information is not changed between two program states the analyzer has not learnt new information and made no report. But it is possible to happen because we have no information at all. The new approach evaluates the condition to determine if that is the case and let the user know we just 'Assuming...' some value.

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, gsd, gerazo

Tags: #clang

Differential Revision: https://reviews.llvm.org/D57410

llvm-svn: 356319
2019-03-16 09:24:30 +00:00
Csaba Dabis f962485ada [analyzer] ConditionBRVisitor: Remove GDM checking
Summary: Removed the `GDM` checking what could prevent reports made by this visitor. Now we rely on constraint changes instead.

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: jdoerfert, gerazo, xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp

Tags: #clang

Differential Revision: https://reviews.llvm.org/D54811

llvm-svn: 356318
2019-03-16 09:16:16 +00:00
Aaron Puchert 2f741868ed Add missing override specifier [NFC]
This should fix a -Winconsistent-missing-override warning that is only
visible when Z3 is enabled.

llvm-svn: 356228
2019-03-15 02:30:07 +00:00
Artem Dergachev 06451368d2 [analyzer] Support C++17 aggregates with bases without constructors.
RegionStore now knows how to bind a nonloc::CompoundVal that represents the
value of an aggregate initializer when it has its initial segment of sub-values
correspond to base classes.

Additionally, fixes the crash from pr40022.

Differential Revision: https://reviews.llvm.org/D59054

llvm-svn: 356222
2019-03-15 00:22:59 +00:00
Kristof Umann 4962816e72 [analyzer] Fix an assertation failure for invalid sourcelocation, add a new debug checker
For a rather short code snippet, if debug.ReportStmts (added in this patch) was
enabled, a bug reporter visitor crashed:

struct h {
  operator int();
};

int k() {
  return h();
}

Ultimately, this originated from PathDiagnosticLocation::createMemberLoc, as it
didn't handle the case where it's MemberExpr typed parameter returned and
invalid SourceLocation for MemberExpr::getMemberLoc. The solution was to find
any related valid SourceLocaion, and Stmt::getBeginLoc happens to be just that.

Differential Revision: https://reviews.llvm.org/D58777

llvm-svn: 356161
2019-03-14 16:10:29 +00:00
Mikael Holmen f5fe2974cf Remove unused variable to silence compiler warning [NFC]
The only use of MI was removed in r356142.

llvm-svn: 356152
2019-03-14 14:20:50 +00:00
Kristof Umann 7b907bed3c [analyzer] Fix function macro crash
Re-commit D57893.

Differential Revision: https://reviews.llvm.org/D57893

llvm-svn: 356142
2019-03-14 13:38:16 +00:00
Mandeep Singh Grang cf7d9f9090 [Analyzer] Update the LLVM license in PointerSortingChecker.cpp
llvm-svn: 356086
2019-03-13 19:09:48 +00:00
Adam Balogh d703305e40 [Analyzer] Skip symbolic regions based on conjured symbols in comparison of the containers of iterators
Checking whether two regions are the same is a partially decidable problem:
either we know for sure that they are the same or we cannot decide. A typical
case for this are the symbolic regions based on conjured symbols. Two
different conjured symbols are either the same or they are different. Since
we cannot decide this and want to reduce false positives as much as possible
we exclude these regions whenever checking whether two containers are the
same at iterator mismatch check.

Differential Revision: https://reviews.llvm.org/D53754

llvm-svn: 356049
2019-03-13 13:55:11 +00:00
Kristof Umann e58dde2a80 Revert "[analyzer] Fix function macro crash"
Buildbot breaks when LLVm is compiled with memory sanitizer.

WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xa3d16d8 in getMacroNameAndPrintExpansion(blahblah)
                             lib/StaticAnalyzer/Core/PlistDiagnostics.cpp:903:11
llvm-svn: 355911
2019-03-12 11:22:30 +00:00
Kristof Umann 9f92b3d081 [analyzer] Fix function macro crash
When there is a functor-like macro which is passed as parameter to another
"function" macro then its parameters are not listed at the place of expansion:

#define foo(x) int bar() { return x; }
#define hello(fvar) fvar(0)
hello(foo)
int main() { 1 / bar(); }

Expansion of hello(foo) asserted Clang, because it expected an l_paren token in
the 3rd line after "foo", since it is a function-like token.

Patch by Tibor Brunner!

Differential Revision: https://reviews.llvm.org/D57893

llvm-svn: 355903
2019-03-12 10:03:32 +00:00
Mandeep Singh Grang c0773ab6a1 [Analyzer] Checker for non-determinism caused by sorting of pointer-like elements
Summary:
Added a new category of checkers for non-determinism. Added a checker for non-determinism
caused due to sorting containers with pointer-like elements.

Reviewers: NoQ, george.karpenkov, whisperity, Szelethus

Reviewed By: NoQ, Szelethus

Subscribers: Charusso, baloghadamsoftware, jdoerfert, donat.nagy, dkrupp, martong, dblaikie, MTC, Szelethus, mgorny, xazax.hun, szepet, rnkovacs, a.sidorin, mikhail.ramalho, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D50488

llvm-svn: 355720
2019-03-08 20:13:53 +00:00
Kristof Umann b4cdfe8e7f [analyzer] Fix infinite recursion in printing macros
In the commited testfile, macro expansion (the one implemented for the plist
output) runs into an infinite recursion. The issue originates from the algorithm
being faulty, as in

#define value REC_MACRO_FUNC(value)

the "value" is being (or at least attempted) expanded from the same macro.

The solved this issue by gathering already visited macros in a set, which does
resolve the crash, but will result in an incorrect macro expansion, that would
preferably be fixed down the line.

Patch by Tibor Brunner!

Differential Revision: https://reviews.llvm.org/D57891

llvm-svn: 355705
2019-03-08 16:26:29 +00:00
Kristof Umann 748c139ade [analyzer] Emit an error rather than assert on invalid checker option input
Asserting on invalid input isn't very nice, hence the patch to emit an error
instead.

This is the first of many patches to overhaul the way we handle checker options.

Differential Revision: https://reviews.llvm.org/D57850

llvm-svn: 355704
2019-03-08 16:00:42 +00:00
Kristof Umann 2827349c9d [analyzer] Use the new infrastructure of expressing taint propagation, NFC
In D55734, we implemented a far more general way of describing taint propagation
rules for functions, like being able to specify an unlimited amount of
source and destination parameters. Previously, we didn't have a particularly
elegant way of expressing the propagation rules for functions that always return
(either through an out-param or return value) a tainted value. In this patch,
we model these functions similarly to other ones, by assigning them a
TaintPropagationRule that describes that they "create a tainted value out of
nothing".

The socket C function is somewhat special, because for certain parameters (for
example, if we supply localhost as parameter), none of the out-params should
be tainted. For this, we added a general solution of being able to specify
custom taint propagation rules through function pointers.

Patch by Gábor Borsik!

Differential Revision: https://reviews.llvm.org/D59055

llvm-svn: 355703
2019-03-08 15:47:56 +00:00
David Stenberg 27ed855a6e [analyzer] Handle comparison between non-default AS symbol and constant
Summary:
When comparing a symbolic region and a constant, the constant would be
widened or truncated to the width of a void pointer, meaning that the
constant could be incorrectly truncated when handling symbols for
non-default address spaces. In the attached test case this resulted in a
false positive since the constant was truncated to zero. To fix this,
widen/truncate the constant to the width of the symbol expression's
type.

This commit does not consider non-symbolic regions as I'm not sure how
to generalize getting the type there.

This fixes PR40814.

Reviewers: NoQ, zaks.anna, george.karpenkov

Reviewed By: NoQ

Subscribers: xazax.hun, baloghadamsoftware, szepet, a.sidorin, mikhail.ramalho, Szelethus, donat.nagy, dkrupp, jdoerfert, Charusso, cfe-commits

Tags: #clang

Differential Revision: https://reviews.llvm.org/D58665

llvm-svn: 355592
2019-03-07 13:01:17 +00:00
Leonard Chan 8f7caae00a [Fixed Point Arithmetic] Fixed Point and Integer Conversions
This patch includes the necessary code for converting between a fixed point type and integer.
This also includes constant expression evaluation for conversions with these types.

Differential Revision: https://reviews.llvm.org/D56900

llvm-svn: 355462
2019-03-06 00:28:43 +00:00
Kristof Umann 855478328b [analyzer] Fix taint propagation in GenericTaintChecker
The gets function has no SrcArgs. Because the default value for isTainted was
false, it didn't mark its DstArgs as tainted.

Patch by Gábor Borsik!

Differential Revision: https://reviews.llvm.org/D58828

llvm-svn: 355396
2019-03-05 12:42:59 +00:00
Kristof Umann 088b1c9cdc [analyzer] Enable subcheckers to possess checker options
Under the term "subchecker", I mean checkers that do not have a checker class on
their own, like unix.MallocChecker to unix.DynamicMemoryModeling.

Since a checker object was required in order to retrieve checker options,
subcheckers couldn't possess options on their own.

This patch is also an excuse to change the argument order of getChecker*Option,
it always bothered me, now it resembles the actual command line argument
(checkername:option=value).

Differential Revision: https://reviews.llvm.org/D57579

llvm-svn: 355297
2019-03-04 00:28:16 +00:00
Fangrui Song 524b3c1810 Fix file headers. NFC
llvm-svn: 355176
2019-03-01 06:49:51 +00:00
Kristof Umann cd8c438086 [analyzer] Fix infinite recursion in printing macros
#define f(y) x
#define x f(x)
int main() { x; }

This example results a compilation error since "x" in the first line was not
defined earlier. However, the macro expression printer goes to an infinite
recursion on this example.

Patch by Tibor Brunner!

Differential Revision: https://reviews.llvm.org/D57892

llvm-svn: 354806
2019-02-25 18:49:42 +00:00
Artem Dergachev 7bc7d0441c [analyzer] MIGChecker: Add support for more APIs.
Add more "consuming" functions. For now only vm_deallocate() was supported.

Add a non-zero value that isn't an error; this value is -305 ("MIG_NO_REPLY")
and it's fine to deallocate data when you are returning this error.

Make sure that the mig_server_routine annotation is inherited.

rdar://problem/35380337

Differential Revision: https://reviews.llvm.org/D58397

llvm-svn: 354643
2019-02-22 00:15:14 +00:00
Artem Dergachev 10dd123609 [analyzer] MIGChecker: Fix an FN when the object is released in a destructor.
When a MIG server routine argument is released in an automatic destructor,
the Static Analyzer thinks that this happens after the return statement, and so
the violation of the MIG convention doesn't happen.

Of course, it doesn't quite work that way, so this is a false negative.

Add a hack that makes the checker double-check at the end of function
that no argument was released when the routine fails with an error.

rdar://problem/35380337

Differential Revision: https://reviews.llvm.org/D58392

llvm-svn: 354642
2019-02-22 00:09:56 +00:00
Artem Dergachev 7479b3dd20 [analyzer] MIGChecker: Improve intermediate diagnostic notes.
Add a BugReporterVisitor for highlighting the events of deallocating a
parameter. All such events are relevant to the emitted report (as long as the
report is indeed emitted), so all of them will get highlighted.

Add a trackExpressionValue visitor for highlighting where does the error return
code come from.

Do not add a trackExpressionValue visitor for highlighting how the deallocated
argument(s) was(were) copied around. This still remains to be implemented.

rdar://problem/35380337

Differential Revision: https://reviews.llvm.org/D58368

llvm-svn: 354641
2019-02-22 00:06:30 +00:00
Artem Dergachev 95a3537cde [analyzer] MIGChecker: Take advantage of the mig_server_routine annotation.
r354530 has added a new function/block/message attribute "mig_server_routine"
that attracts compiler's attention to functions that need to follow the MIG
server routine convention with respect to deallocating out-of-line data that
was passed to them as an argument.

Teach the checker to identify MIG routines by looking at this attribute,
rather than by making heuristic-based guesses.

rdar://problem/35380337

Differential Revision: https://reviews.llvm.org/58366

llvm-svn: 354638
2019-02-22 00:02:47 +00:00
Artem Dergachev 32531b25df [analyzer] MIGChecker: A checker for Mach Interface Generator conventions.
This checker detects use-after-free bugs in (various forks of) the Mach kernel
that are caused by errors in MIG server routines - functions called remotely by
MIG clients. The MIG convention forces the server to only deallocate objects
it receives from the client when the routine is executed successfully.
Otherwise, if the server routine exits with an error, the client assumes that
it needs to deallocate the out-of-line data it passed to the server manually.
This means that deallocating such data within the MIG routine and then returning
a non-zero error code is always a dangerous use-after-free bug.

rdar://problem/35380337

Differential Revision: https://reviews.llvm.org/D57558

llvm-svn: 354635
2019-02-21 23:55:28 +00:00
Adam Balogh 3bd63ae381 [Analyzer] Crash fix for FindLastStoreBRVisitor
FindLastStoreBRVisitor tries to find the first node in the exploded graph where
the current value was assigned to a region. This node is called the "store
site". It is identified by a pair of Pred and Succ nodes where Succ already has
the binding for the value while Pred does not have it. However the visitor
mistakenly identifies a node pair as the store site where the value is a
`LazyCompoundVal` and `Pred` does not have a store yet but `Succ` has it. In
this case the `LazyCompoundVal` is different in the `Pred` node because it also
contains the store which is different in the two nodes. This error may lead to
crashes (a declaration is cast to a parameter declaration without check) or
misleading bug path notes.

In this patch we fix this problem by checking for unequal `LazyCompoundVals`: if
their region is equal, and their store is the same as the store of their nodes
we consider them as equal when looking for the "store site". This is an
approximation because we do not check for differences of the subvalues
(structure members or array elements) in the stores.

Differential Revision: https://reviews.llvm.org/D58067

llvm-svn: 353943
2019-02-13 12:25:47 +00:00
Benjamin Kramer 756ecb8e44 Make some helper functions static. NFC.
llvm-svn: 353705
2019-02-11 14:52:15 +00:00
Kristof Umann 8d23999639 [analyzer] New checker for detecting usages of unsafe I/O functions
There are certain unsafe or deprecated (since C11) buffer handling
functions which should be avoided in safety critical code. They
could cause buffer overflows. A new checker,
'security.insecureAPI.DeprecatedOrUnsafeBufferHandling' warns for
every occurrence of such functions (unsafe or deprecated printf,
scanf family, and other buffer handling functions, which now have
a secure variant).

Patch by Dániel Kolozsvári!

Differential Revision: https://reviews.llvm.org/D35068

llvm-svn: 353698
2019-02-11 13:46:43 +00:00
Fangrui Song 9ac13a1244 Use llvm::is_contained. NFC
llvm-svn: 353635
2019-02-10 05:54:57 +00:00
Artem Dergachev 37625f3485 [analyzer] Add a comment that FunctionCodeRegions may also need canonicalization
llvm-svn: 353592
2019-02-09 01:00:32 +00:00
Mikhail R. Gadelha 3289ccd848 This reverts commit 1440a848a635849b97f7a5cfa0ecc40d37451f5b.
and commit a1853e834c65751f92521f7481b15cf0365e796b.

They broke arm and aarch64

llvm-svn: 353590
2019-02-09 00:46:12 +00:00