of operating on each code decl. This exposes two flaws in AnalysisConsumer
that should eventually be fixed:
(1) It is not possible to associate multiple "actions" with a single
command line argument. This will require the notion of an
"analysis" group, and possibly tablegen support. (although eventually
we want to support dynamically loading analyses as well)
(2) AnalysisConsumer may not actually be scanning the declarations in namespaces.
We'll experiment first in LLVMConventionsChecker before changing the
behavior in AnalysisConsumer.
llvm-svn: 96183
Currently these checks are intended to be largely syntactical, but may get more
sophisticated over time.
As an initial foray into this brave new world, emit a static analyzer warning
when binding a temporary 'std::string' to an 'llvm::StringRef' where the
lifetime of the 'std::string' does not outlive the 'llvm::StringRef'.
llvm-svn: 96147
(1) Since CXXMethodDecl subclasses FunctionDecl (and CXXDestructorDecl
and CXXConversion subclass CXXMethodDecl), refactor switch statement
to handle them all in one spot.
(2) Use 'DeclarationName::getAsString()' to handle all functions that
don't have simple identifiers (fixing a null dereference when scanning
for specific functions).
llvm-svn: 96146
(1) libAnalysis is a generic analysis library that can be used by
Sema. It defines the CFG, basic dataflow analysis primitives, and
inexpensive flow-sensitive analyses (e.g. LiveVariables).
(2) libChecker contains the guts of the static analyzer, incuding the
path-sensitive analysis engine and domain-specific checks.
Now any clients that want to use the frontend to build their own tools
don't need to link in the entire static analyzer.
This change exposes various obvious cleanups that can be made to the
layout of files and headers in libChecker. More changes pending. :)
This change also exposed a layering violation between AnalysisContext
and MemRegion. BlockInvocationContext shouldn't explicitly know about
BlockDataRegions. For now I've removed the BlockDataRegion* from
BlockInvocationContext (removing context-sensitivity; although this
wasn't used yet). We need to have a better way to extend
BlockInvocationContext (and any LocationContext) to add
context-sensitivty.
llvm-svn: 94406
GRStateManager. Having these references was an abstraction violation,
as they really should only be known about GRExprEngine.
This change required adding a new 'ProcessAssume' callback in
GRSubEngine. GRExprEngine implements this callback by calling
'EvalAssume' on all registered Checker objects as well as the
registered GRTransferFunc object.
llvm-svn: 92549
Add new states for symbolic regions tracked by malloc checker. This enables us
to do malloc checking more accurately. See test case.
Based on Lei Zhang's patch and discussion.
llvm-svn: 92342
migrate work in the destructors of PathDiagnosticClients from their
destructors to FlushReports(). The destructors now currently call
FlushReports(); this will be fixed in a subsequent patch.
llvm-svn: 86108
AnalysisManager periodically cleanup its AnalysisContextManager and LocationContextManager objects,
as they don't need to forever retain all the CFGs ever created when analyzing a file.
llvm-svn: 84684
avoid scanning for an "entry point" FunctionDecl if we (a) have no
translation unit actions and (b) no entry point function has been
specified.
llvm-svn: 82846
pruning of diagnostics that may be emitted multiple times. This is
accomplished by adding FoldingSet profiling support to PathDiagnostic,
and then having BugReporter record what diagnostics have been issued.
This was motived to a serious bug introduced by moving the
'divide-by-zero' checking outside of GRExprEngine into a separate
'Checker' class. When analyzing code using the '-fobjc-gc' option, a
given function would be analyzed twice, but the second time various
"internal checks" would be disabled to avoid emitting multiple
diagnostics (e.g., "null dereference") for the same issue. The
problem is that such checks also effect path pruning and don't just
emit diagnostics. This resulted in an assertion failure involving a
real divide-by-zero in some analyzed code where we would get an
assertion failure in APInt because the 'DivZero' check was disabled
and didn't prune the logic that resulted in the divide-by-zero in the
analyzer.
The implemented solution is somewhat of a hack, and may not perform
extremely well. This will need to be cleaned up over time.
As a regression test, 'misc-ps.m' has been modified so that its tests
are run using -fobjc-gc to test this diagnostic pruning behavior.
llvm-svn: 82198
Now AnalysisManager is the only place we can get CodeDecl.
This leads to an API change: GRState::bindExpr() now takes the CFG argument.
llvm-svn: 79980