without defining them. This should be an error, but I'm paranoid about
"uses" that end up not actually requiring a definition. I'll revisit later.
Also, teach IR generation to not set internal linkage on variable
declarations, just for safety's sake. Doing so produces an invalid module
if the variable is not ultimately defined.
Also, fix several places in the test suite where we were using internal
functions without definitions.
llvm-svn: 126016
The relative checker package is 'debug':
'-dump-live-variables' is replaced by '-analyzer-checker=debug.DumpLiveVars'
'-cfg-view' is replaced by '-analyzer-checker=debug.ViewCFG'
'-cfg-dump' is replaced by '-analyzer-checker=debug.DumpCFG'
llvm-svn: 125780
especially C++ code, and generally expand the test coverage.
Logic adapted from a patch by Kaelyn Uhrain <rikka@google.com> and
another Googler.
llvm-svn: 125775
class and to bind the shared value using OpaqueValueExpr. This fixes an
unnoticed problem with deserialization of these expressions where the
deserialized form would lose the vital pointer-equality trait; or rather,
it fixes it because this patch also does the right thing for deserializing
OVEs.
Change OVEs to not be a "temporary object" in the sense that copy elision is
permitted.
This new representation is not totally unawkward to work with, but I think
that's really part and parcel with the semantics we're modelling here. In
particular, it's much easier to fix things like the copy elision bug and to
make the CFG look right.
I've tried to update the analyzer to deal with this in at least some
obvious cases, and I think we get a much better CFG out, but the printing
of OpaqueValueExprs probably needs some work.
llvm-svn: 125744
CStringChecker
ChrootChecker
MallocChecker
PthreadLockChecker
StreamChecker
UnreachableCodeChecker
MallocChecker creates implicit dependencies between checkers and needs to be handled differently.
llvm-svn: 125598
StackAddrLeakChecker
ObjCAtSyncChecker
UnixAPIChecker
MacOSXAPIChecker
The rest have/create implicit dependencies between checkers and need to be handled differently.
llvm-svn: 125559
- Checkers will be defined in the tablegen file 'Checkers.td'.
- Apart from checkers, we can define checker "packages" that will contain a collection of checkers.
- Checkers can be enabled with -analyzer-checker=<name> and disabled with -analyzer-disable-checker=<name> e.g:
  Enable checkers from 'cocoa' and 'corefoundation' packages except the self-initialization checker:
    -analyzer-checker=cocoa -analyzer-checker=corefoundation -analyzer-disable-checker=cocoa.SelfInit
- Introduces CheckerManager and CheckerProvider. CheckerProviders get the set of checker names to enable/disable and
  register them with the CheckerManager which will be the entry point for all checker-related functionality.
Currently only the self-initialization checker takes advantage of the new mechanism.
llvm-svn: 125503
A common pattern in classes with multiple initializers is to put the
subclass's common initialization bits into a static function that receives
the value of 'self', e.g:
  if (!(self = [super init]))
    return nil;
  if (!(self = _commonInit(self)))
    return nil;
It was reported that 'self' was not set to the result of [super init].
Until we can use inter-procedural analysis, in such a call, transfer the
ObjCSelfInitChecker flags associated with 'self' to the result of the call.
Fixes rdar://8937441 & http://llvm.org/PR9094
llvm-svn: 124940
We translate property accesses to obj-c messages by simulating "loads" or "stores" to properties
using a pseudo-location SVal kind (ObjCPropRef).
Checkers can now reason about obj-c messages for both explicit message expressions and implicit
messages due to property accesses.
llvm-svn: 124161
the case where the called function has fewer
formal arguments than actual arguments. This
fixes a crash in the analyzer when doing
function call inlining.
Patch by Zhenbo Xu!
llvm-svn: 123458
dead stores within nested assignments. I have
never seen an actual bug found by this specific
warning, and it can lead to many false positives.
llvm-svn: 123394
a struct value to a symbolic index into array.
RegionStore can't actually reason about this,
so we were getting bogus warnings about loading
uninitialized values from the array. The solution
is to invalidate the entire array when we cannot
represent the binding explicitly.
Fixes <rdar://problem/8848957>
llvm-svn: 123368
SimpleSValBuilder. This clears up some
false positives emitted by ArrayBoundCheckerV2
due to the lack of support for pointer arithmetic.
llvm-svn: 122546
set the RUN line correctly in a test file!
Mark a bunch of tests for ArrayBoundCheckerV2
as FIXME's, as our current lack of pointer
arithmetic handling causes these to be all
false positives/negatives.
llvm-svn: 122471
This change is necessary when the variable is a const reference and we need
the l-value of the construct expr. After that, when binding the variable,
recover the lazy compound value when the variable is not a reference.
In Environment, use the value of a no-op cast expression when it has one.
Otherwise, blast-through it.
llvm-svn: 122388
implicit lvalue-to-rvalue casts that John McCall
recently introduced. This causes a whole bunch
of logic in the analyzer for handling lvalues
to vanish. It does, however, raise a few issues
in the analyzer w.r.t. modeling various constructs
(e.g., field accesses to compound literals).
The .c/.m analysis test cases that fail are
due to a missing lvalue-to-rvalue cast that
will get introduced into the AST. The .cpp
failures were more than I could investigate in
one go, and the patch was already getting huge.
I have XFAILED some of these tests, and they
should obviously be further investigated.
Some highlights of this patch include:
- CFG no longer requires an lvalue bit for
CFGElements
- StackFrameContext doesn't need an 'asLValue'
flag
- The "VisitLValue" path from GRExprEngine has
been eliminated.
Besides the test case failures (XFAILed), there
are surely other bugs that are fallout from
this change.
llvm-svn: 121960
to be consistent with the type of 'this' expr in the method.
--This line, and those below, will be ignored--
M test/Analysis/method-call.cpp
M include/clang/Checker/PathSensitive/GRExprEngine.h
M lib/Checker/GRCXXExprEngine.cpp
llvm-svn: 120094
- Add a new Kind of ProgramPoint: PostInitializer.
- Still use GRStmtNodeBuilder. But special handling PostInitializer in
GRStmtNodeBuilder::GenerateAutoTransition().
- Someday we should clean up the interface of GRStmtNodeBuilder.
llvm-svn: 119335
it is possible for the confluence block to only have a single predecessor due to calls to 'noreturn'
functions. Fixes assertion failure reported in PR 8619.
llvm-svn: 119284
Elidable CXXConstructExpr should inhibit calling destructor for temporary
that is copied, not the one created. This is because eliding copy constructor
means that the object that was to be copied will be constructed directly in
memory the copy would be constructed in.
llvm-svn: 119044
leads it up to checkers (e.g., DereferenceChecker) to guard against illegal accesses (e.g., null dereferences).
Fixes PR 5272 and <rdar://problem/6839683>.
llvm-svn: 118852
1. For statement: const C& c = C(0) ?: C(1) destructors generated for condition will not differ from those generated for case without prolonged lifetime of temporary,
2. There will be no destructor for constant reference member bound to temporary at the exit from constructor.
llvm-svn: 118158
containing a DoStmt, and the LHS doesn't create a new block, then we should
return RBlock. Otherwise we'll incorrectly return NULL.
Also relax an assertion in VisitWhileStmt(). Reset 'Block' when it is finished.
llvm-svn: 117436
globals memory space gets assigned a symbolic value, but that value was not being used for lazy symbolication
of fields of globals. This could result in cases where bogus null dereferences were being reported.
Fixes PR 8440.
llvm-svn: 117336
We shouldn't recurse into CompoundStmts since they are already inlined in the CFG. This could result in
bogus dead stores warnings (among other things).
llvm-svn: 117162
nil. Otherwise we can get false paths where a second @synchronized using the mutex
can have a bogus warning. Fixes <rdar://problem/8578650>.
llvm-svn: 117016
doesn't hold. This fix is to increase the loop unrolling count to 4, which experiments show doesn't typically impact
analysis time. The real fix is to modify the IdempotentOperationsChecker to suppress warnings where an analysis point
could be preceded by a point where we gave up due to loop unrolling.
llvm-svn: 116769
- Fixed some iterator style issues
- Don't process blocks that have been visited already
- Fixed a case where an unreachable block cycle was not reported
- Minor test case changes
- Added one test case from flow-sensitive version of the check. More coming.
llvm-svn: 115861
- Adding LocalScope for CompoundStmt,
- Adding CFGAutomaticObjDtors for end of scope, return, goto, break, continue,
- Regression tests for above cases.
llvm-svn: 115252
the index when the value evaluation isn't powerful enough. By creating ElementRegions with
UnknownVals as the index, this gives the false impression that they are the same element, when
they really aren't. This becomes really problematic when deriving symbols from these regions
(e.g., those representing the initial value of the index), since two different indices will
get the same symbol for their binding.
This fixes an issue with the idempotent operations checker that would cause two indices that
are clearly not the same to make it appear as if they always had the same value.
Fixes <rdar://problem/8431728>.
llvm-svn: 113920
The end result is now we eagerly constant-fold symbols in the analyzer that are perfectly constrained
to be a constant value. This allows us to recover some path-sensitivity in some cases by lowering
the required level of reasoning power needed to evaluate some expressions.
The net win from this change is that the false positive in PR 8015 is fixed, and we also
find more idempotent operations bugs.
We do, however, regress with the BugReporterVisitors, which need to be modified to understand
this constant folding (and look past it). This causes some diagnostic regressions in plist-output.m
which will get addressed in a future patch. plist-output.m is now marked XFAIL, while
plist-output-alternate.m now tests that the plist output is working, but with the suboptimal
diagnostics. This second test file will eventually be removed.
llvm-svn: 113477
The rationale behind this is that it is normal for callback functions to have a non-void return type
and it should still be possible to mark them noreturn. (JavaScriptCore is a good example of this).
llvm-svn: 112918
- Fixed a regression where assigning '0' would be reported
- Changed the way self assignments are filtered to allow constant testing
- Added a test case for assign ops
- Fixed one test case where a function pointer was not considered constant
- Fixed test cases relating to 0 assignment
llvm-svn: 112501
- Migrated a temporarily separated test back to its original file (bug has been fixed, null-deref-ps-temp.c -> null-deref-ps.c)
- Changed SymbolManager to use relaxed LiveVariables
- Updated several test cases that the IdempotentOperationChecker class now flags
- Added test case to test relaxed LiveVariables use by the IdempotentOperationChecker
llvm-svn: 112312
- Removed the assumption that __block vars are all non-constant
- Simplified some repetitive code in RunAnalysis
- Added block walking support
- Code/comments cleanup
- Separated out test for block pseudoconstants
llvm-svn: 112098
- Added wasReferenced function to PseudoConstantAnalysis to determine if a variable was ever referenced in a function (outside of a self-assignment)
- BlockDeclRefExpr referenced variables are now explicitly added to the non-constant list
- Remove unnecessary ignore of implicit casts
- Generalized parameter self-assign detection to detect deliberate self-assigns of variables to avoid unused variable warnings
- Updated test cases with deliberate self-assignments
- Fixed bug with C++ references and pseudoconstants
- Added test case for C++ references and pseudoconstants
llvm-svn: 111965
- Psuedo -> Pseudo (doh...)
- C++ reference support
- Added pseudoconstant test case for __block vars
- Separated out static local checking from pseudoconstant analysis and generalized to non-local checking
- Added missing test cases for storage false positives
llvm-svn: 111832
- Renamed IdempotentOperationChecker::isConstant to isConstantOrPseudoConstant to better reflect the function
- Changed IdempotentOperationChecker::PreVisitBinaryOperator to only run 'CanVary' once on undefined assumptions
- Created new PsuedoConstantAnalysis class and added it to AnalysisContext
- Changed IdempotentOperationChecker to exploit the new analysis
- Updated tests with pseudo-constants
- Added check to IdempotentOperationChecker to see if a Decl is const qualified
llvm-svn: 111426
- Fix memcpy() and friends to actually invalidate the destination buffer.
- Emit a different message for out-of-bounds buffer accesses if the buffer is being written to.
- When conjuring symbols, let ValueManager figure out the type.
llvm-svn: 111120
- Rewrite GRState::AssumeInBound to actually do that checking, and to use the normal constraint path.
- Remove ConstraintManager::AssumeInBound.
- Teach RegionStore and FlatStore to ignore those regions for now.
llvm-svn: 111116
- Unfinished analysis may still report valid warnings if the path was completely analyzed
- New 'CanVary' heuristic to recursively determine if a subexpression has a varying element
- Updated test cases, including one known bug
- Exposed GRCoreEngine through GRExprEngine
llvm-svn: 110970
a switch or goto somewhere in the function. Indirect gotos trigger the
jump-checker regardless, because the conditions there are slightly more
elaborate and it's too marginal a case to be worth optimizing.
Turns off the jump-checker in a lot of cases in C++. rdar://problem/7702918
llvm-svn: 109962
- Allowed reporting of dead macros
- Added path walking function to search for false positives in conditional statements
- Updated some affected tests
- Added some false positive test cases
llvm-svn: 109561
- Created a new class to do post-analysis
- Updated several test cases with unreachable code to expect a warning
- Added some general tests
llvm-svn: 109286
- Added checks for static local variables, self assigned parameters, and truncating/extending self assignments
- Removed command line option (now default with --analyze)
- Updated test cases to pass with idempotent operation warnings
llvm-svn: 108550
Example:
{
  int a = 1;
  int b = 5;
  int c = b / a; // a is 1 on all paths
}
- New IdempotentOperationChecker class
- Moved recursive Stmt functions in r107675 to IdempotentOperationChecker
- Minor refactoring of SVal to allow checking for any integer
- Added command line option for check
- Added basic test cases
llvm-svn: 107706
Also adds a getKnownValue() method to SValuator, which gets the integer value of an SVal if it is known to only have one possible value. There are more places in the code that could be using this, but in general we want to be dealing entirely in SVals, so its usefulness is limited.
The only visible functionality change is that extents are now honored for any DeclRegion, such as fields and Objective-C ivars, rather than just variables. This shows up in bounds-checking and cast-size-checking.
llvm-svn: 107577
when calling a function/method whose impact on global variables we cannot accurately estimate.
This change introduces two new MemSpaceRegions that divide up the memory space of globals, and causes
RegionStore and BasicStore to consult a binding to the NonStaticGlobalsMemSpaceRegion when lazily
determining the value of a global.
llvm-svn: 107423
As a bonus, fix the warning for || and && operators; it was emitted even if one of the operands had side effects, e.g:
x || test_logical_foo1();
emitted a bogus "expression result unused" for 'x'.
llvm-svn: 107274
by inspecting the Store bindings instead of iterating over all the global variables
in a translation unit. By looking at the store directly, we avoid cases where we cannot
directly load from the global variable, such as an array (which can result in an assertion failure)
and it also catches cases where we store stack addresses to non-scalar globals.
Also, by not iterating over all the globals in the translation unit, we maintain cache
locality, and the complexity of the checker becomes restricted to the complexity of the
analyzed function, and doesn't scale with the size of the translation unit.
This fixes PR 7383.
llvm-svn: 106184
RegionStoreManager::RetrieveElement() that handles indexing into a larger scalar
object to only consult the direct binding of a super region if it is a scalar.
This isn't perfect yet, and a big FIXME is attached to the code. This causes
the test case for PR 7218 now to pass.
llvm-svn: 105195
translation unit is parsed. This enables us to inline some calls when still
analyzing one function at a time.
Actions are classified into Function, CXXMethod, ObjCMethod,
ObjCImplementation.
This does not hurt performance much. The analysis time for sqlite3.c:
before:
real 17m52.440s
user 17m49.460s
sys 0m2.010s
after:
real 18m0.500s
user 17m56.900s
sys 0m2.330s
DisplayProgress option is broken now. -inine-call action is removed. It
will be reenabled in another form, perhaps as an independent option.
llvm-svn: 102689
case in GRExprEngine::Visit (in r101129). Instead, enumerate all Stmt cases and have
no 'default' case in the switch statement. When we encounter a Stmt we don't handle,
we should explicitly add it to the switch statement.
llvm-svn: 101378
destination type for initialization, assignment, parameter-passing,
etc. The main issue fixed here is that we used rather confusing
wording for diagnostics such as
t.c:2:9: warning: initializing 'char const [2]' discards qualifiers,
expected 'char *' [-pedantic]
  char *name = __func__;
        ^      ~~~~~~~~
We're not initializing a 'char const [2]', we're initializing a 'char
*' with an expression of type 'char const [2]'. Similar problems
existed for other diagnostics in this area, so I've normalized them all
with more precise descriptive text to say what we're
initializing/converting/assigning/etc. from and to. The warning for
the code above is now:
t.c:2:9: warning: initializing 'char *' from an expression of type
'char const [2]' discards qualifiers [-pedantic]
  char *name = __func__;
        ^      ~~~~~~~~
Fixes <rdar://problem/7447179>.
llvm-svn: 100832
of errors and warnings. This allows us to emit something like this:
2 warnings and 1 error generated.
instead of:
3 diagnostics generated.
This also stops counting 'notes' because they are just follow-on information
about the previous diag, not a diagnostic in themselves.
llvm-svn: 100675
them the same way as fields. This fixes a regression in RegionStore::RemoveDeadbindings()
that emerged from going to the cluster-based analysis.
llvm-svn: 100570
a scalar variable with a scalar parameter. This is a
form of defensive programming. If the variable is unused,
it will be caused by -Wunused-variable.
llvm-svn: 98795
we now may have identical states with different analysis context.
Set the right AnalysisContext in state when entering and leaving a callee.
With both of the above changes, we can pass the test case.
llvm-svn: 97724
to various unix/posix functions, e.g. 'open()'.
As a first check, check that when 'open()' is passed 'O_CREAT' that it has
a third argument.
llvm-svn: 97086
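A simplified, text-based stand-in for the 'O_CREAT' check described above, as an added example that is not code from this commit or from Clang (the analyzer works on the AST, not on text). The names `check_open_call`, `open_check` and `is_ident` and the sample calls are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not Clang code. All names here are hypothetical. */
enum open_check { OPEN_OK, OPEN_MISSING_MODE, OPEN_NOT_A_CALL };

static int is_ident(char c)
{
    return isalnum((unsigned char)c) || c == '_';
}

/* Takes one call written as text, starting at "open(". Reports a call whose
 * flags (second) argument names O_CREAT but which passes no third argument.
 * open() is variadic, so its prototype does not require the mode argument;
 * without it, the mode of the created file is read from an argument that
 * was never passed. */
enum open_check check_open_call(const char *call)
{
    int depth = 0, commas = 0, saw_creat = 0, closed = 0;
    const char *p;

    if (strncmp(call, "open(", 5) != 0)
        return OPEN_NOT_A_CALL;

    for (p = call + 4; *p != '\0' && !closed; p++) {
        if (*p == '(') {
            depth++;
        } else if (*p == ')') {
            closed = (--depth == 0);
        } else if (*p == ',' && depth == 1) {
            commas++;                 /* only top-level commas split arguments */
        } else if (commas == 1 && !is_ident(p[-1]) &&
                   strncmp(p, "O_CREAT", 7) == 0 && !is_ident(p[7])) {
            saw_creat = 1;            /* whole-token match inside the flags */
        }
    }
    if (!closed)
        return OPEN_NOT_A_CALL;       /* unbalanced parentheses */
    return (saw_creat && commas < 2) ? OPEN_MISSING_MODE : OPEN_OK;
}

int main(void)
{
    /* Constructed sample calls. */
    static const char *const samples[] = {
        "open(path, O_WRONLY | O_CREAT)",
        "open(path, O_WRONLY | O_CREAT, 0600)",
        "open(path, O_RDONLY)",
        "open(join(dir, name), O_CREAT | O_EXCL | O_RDWR)",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-50s %s\n", samples[i],
               check_open_call(samples[i]) == OPEN_MISSING_MODE
                   ? "missing mode argument" : "ok");
    return 0;
}
```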
pointer (for defensive programming). This matches the behavior with
assigning NULL to a regular pointer. Fixes <rdar://problem/7631278>.
llvm-svn: 96985
NULL, not the store, to determine if a lookup succeeded. The store
can be null if it contained no bindings. This fixes a false positive
reported to me by a user of the analyzer.
llvm-svn: 95679