Commit Graph

3441 Commits

Author SHA1 Message Date
Reka Kovacs a14a2fed38 [analyzer] Fix memory sanitizer error in MallocChecker.
StringRef's data() returns a string that may be non-null-terminated.
Switch to using StringRefs from const char pointers in visitor notes
to avoid problems.

llvm-svn: 337474
2018-07-19 17:43:09 +00:00
Mikhail R. Gadelha ddd4229cc4 [analyzer] Memoize complexity of SymExpr
Summary:
This patch introduces a new member to SymExpr, which stores the symbol complexity, avoiding recalculating it every time computeComplexity() is called.

Also, increase the complexity of conjured Symbols by one, so it's clear that it has a greater complexity than its underlying symbols.

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ, george.karpenkov

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D49232

llvm-svn: 337472
2018-07-19 17:03:12 +00:00
Reka Kovacs 52dd98bd1e [analyzer] Fix disappearing notes in DanglingInternalBufferChecker tests
Correct a mistake of the exact same kind I am writing this checker for.

llvm-svn: 337466
2018-07-19 15:44:46 +00:00
Reka Kovacs c18ecc8489 [analyzer] Add support for more basic_string API in
DanglingInternalBufferChecker.

A pointer referring to the elements of a basic_string may be invalidated
by calling a non-const member function, except operator[], at, front,
back, begin, rbegin, end, and rend. The checker now warns if the pointer
is used after such operations.

Differential Revision: https://reviews.llvm.org/D49360

llvm-svn: 337463
2018-07-19 15:10:06 +00:00
Artem Dergachev 3a37cb54e0 [analyzer] Remove a debug print that was accidentally left around.
No functional change intended.

llvm-svn: 337417
2018-07-18 18:44:40 +00:00
Mikhail R. Gadelha 81943b805b [analyzer] Fix Z3 backend after D48205
Summary:
An assertion was added in D48205 to catch places where a `nonloc::SymbolVal` was wrapping a `loc` object.

This patch fixes that in the Z3 backend by making the `SValBuilder` object accessible from inherited instances of `SimpleConstraintManager` and calling `SVB.makeSymbolVal(foo)` instead of `nonloc::SymbolVal(foo)`.

Reviewers: NoQ, george.karpenkov

Reviewed By: NoQ

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D49430

llvm-svn: 337304
2018-07-17 17:40:34 +00:00
Artem Dergachev 35dbd0b1ff [analyzer] pr37802: Fix symbolic-pointer-to-boolean casts during load.
The canonical representation of pointer &SymRegion{$x} casted to boolean is
"$x != 0", not "$x". Assertion added in r337227 catches that.

Differential Revision: https://reviews.llvm.org/D48232

llvm-svn: 337228
2018-07-17 00:42:35 +00:00
Artem Dergachev d1163790c3 [analyzer] Assert that nonloc::SymbolVal always wraps a non-Loc-type symbol.
In the current SVal hierarchy there are multiple ways of representing certain
values but few are actually used and expected to be seen by the code.

In particular, a value of a symbolic pointer is always represented by a
loc::MemRegionVal that wraps a SymbolicRegion that wraps the pointer symbol
and never by a nonloc::SymbolVal that wraps that symbol directly.

Assert the aforementioned fact. Fix one minor violation of it.

Differential Revision: https://reviews.llvm.org/D48205

llvm-svn: 337227
2018-07-17 00:22:27 +00:00
Reka Kovacs ed8c05cc99 [analyzer] Make checkEndFunction() give access to the return statement.
Differential Revision: https://reviews.llvm.org/D49387

llvm-svn: 337215
2018-07-16 20:47:45 +00:00
George Karpenkov bccd6ec351 [analyzer] Bugfix for an overly eager suppression for null pointer return from macros.
Only suppress those cases where the null which came from the macro is
relevant to the bug, and was not overwritten in between.

rdar://41497323

Differential Revision: https://reviews.llvm.org/D48856

llvm-svn: 337213
2018-07-16 20:33:25 +00:00
George Karpenkov 09885d05ce [analyzer] Fix GCDAntipatternChecker to only fire when the semaphore is initialized to zero
Initializing a semaphore with a different constant most likely signals a different intent

rdar://41802552

Differential Revision: https://reviews.llvm.org/D48911

llvm-svn: 337212
2018-07-16 20:32:57 +00:00
Mikhail R. Gadelha 07f6e8e3a5 [analyzer] Fix the Z3 backend always generating unsigned APSInt
Summary:
In `toAPSInt`, the Z3 backend was not checking the variable `Int`'s type and was always generating unsigned `APSInt`s.

This was found by accident when I removed:
```
    llvm::APSInt ConvertedLHS, ConvertedRHS;
    QualType LTy, RTy;
    std::tie(ConvertedLHS, LTy) = fixAPSInt(*LHS);
    std::tie(ConvertedRHS, RTy) = fixAPSInt(*RHS);
-    doIntTypePromotion<llvm::APSInt, Z3ConstraintManager::castAPSInt>(
-        ConvertedLHS, LTy, ConvertedRHS, RTy);
    return BVF.evalAPSInt(BSE->getOpcode(), ConvertedLHS, ConvertedRHS);
```

And the `BasicValueFactory` started to complain about different `signedness`.

Reviewers: george.karpenkov, NoQ, ddcc

Reviewed By: ddcc

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D49305

llvm-svn: 337169
2018-07-16 13:32:22 +00:00
Mikhail R. Gadelha e254b0f8c7 [analyzer] Fix constraint being dropped when analyzing a program without taint tracking enabled
Summary:
This patch removes the constraint dropping when taint tracking is disabled.

It also voids the crash reported in D28953 by treating a SymSymExpr with non pointer symbols as an opaque expression.

Updated the regressions and verifying the big projects now; I'll update here when they're done.

Based on the discussion on the mailing list and the patches by @ddcc.

Reviewers: george.karpenkov, NoQ, ddcc, baloghadamsoftware

Reviewed By: george.karpenkov

Subscribers: delcypher, llvm-commits, rnkovacs, xazax.hun, szepet, a.sidorin, ddcc

Differential Revision: https://reviews.llvm.org/D48650

llvm-svn: 337167
2018-07-16 13:14:46 +00:00
Adam Balogh 0a7592b5e2 [Analyzer] Mark `SymbolData` parts of iterator position as live in program state maps
Marking a symbolic expression as live is non-recursive. In our checkers we
either use conjured symbols or conjured symbols plus/minus integers to
represent abstract position of iterators, so in this latter case we also
must mark the `SymbolData` part of these symbolic expressions as live to
prevent them from getting reaped.

Differential Revision: https://reviews.llvm.org/D48764

llvm-svn: 337151
2018-07-16 09:27:27 +00:00
Adam Balogh bf966f5237 [Analyzer] alpha.unix.cstring.OutOfBounds checker enable/disable fix
It was not possible to disable alpha.unix.cstring.OutOfBounds checker's reports
since unix.Malloc checker always implicitly enabled the filter. Moreover if the
checker was disabled from command line (-analyzer-disable-checker ..) the out
of bounds warnings were nevertheless emitted under different checker names such
as unix.cstring.NullArg, or unix.Malloc.

This patch fixes the case sot that Malloc checker only enables implicitly the
underlying modeling of strcpy, memcpy etc. but not the warning messages that
would have been emmitted by alpha.unix.cstring.OutOfBounds

Patch by: Dániel Krupp

Differential Revision: https://reviews.llvm.org/D48831

llvm-svn: 337000
2018-07-13 13:44:44 +00:00
Kristof Umann 8c11909826 [analyzer][UninitializedObjectChecker] Fixed captured lambda variable name
Differential Revision: https://reviews.llvm.org/D48291

llvm-svn: 336995
2018-07-13 12:54:47 +00:00
Kristof Umann 7212cc0e48 [analyzer][UninitializedObjectChecker] Support for MemberPointerTypes
Differential Revision: https://reviews.llvm.org/D48325

llvm-svn: 336994
2018-07-13 12:21:38 +00:00
Kristof Umann cc85244528 [analyzer][UninitializedObjectChecker] Moved non-member functions out of the anonymous namespace
As the code for the checker grew, it became increasinly difficult to see 
whether a function was global or statically defined. In this patch,
anything that isn't a type declaration or definition was moved out of the
anonymous namespace and is marked as static.

llvm-svn: 336901
2018-07-12 13:13:46 +00:00
Reka Kovacs 5f70d9b958 [analyzer] Track multiple raw pointer symbols in DanglingInternalBufferChecker.
Previously, the checker only tracked one raw pointer symbol for each
container object. But member functions returning a pointer to the
object's inner buffer may be called on the object several times. These
pointer symbols are now collected in a set inside the program state map
and thus all of them is checked for use-after-free problems.

Differential Revision: https://reviews.llvm.org/D49057

llvm-svn: 336835
2018-07-11 19:08:02 +00:00
George Karpenkov 0052744cc7 [analyzer] Partial revert of https://reviews.llvm.org/D49050
llvm-svn: 336755
2018-07-11 01:58:08 +00:00
George Karpenkov 95720c16b3 [analyzer] Pass through all arguments from the registerChecker() to the checker constructor
A lot of checkers could be cleaned up in a similar way

Differential Revision: https://reviews.llvm.org/D49050

llvm-svn: 336753
2018-07-11 01:23:27 +00:00
Richard Smith a3405ffcec DR330: look through array types when forming the cv-decomposition of a type.
This allows more qualification conversions, eg. conversion from
   'int *(*)[]' -> 'const int *const (*)[]'
is now permitted, along with all the consequences of that: more types
are similar, more cases are permitted by const_cast, and conversely,
fewer "casting away constness" cases are permitted by reinterpret_cast.

llvm-svn: 336745
2018-07-11 00:19:19 +00:00
Mikhail R. Gadelha 237d42bfa5 [analyzer] Add option to set maximum symbol complexity threshold
Summary:
This adds an option, max-symbol-complexity, so an user can set the maximum symbol complexity threshold.

Note that the current behaviour is equivalent to max complexity = 0, when taint analysis is not enabled and tests show that in a number of tests, having complexity = 25 yields the same results as complexity = 10000.

This patch was extracted and modified from Dominic Chen's patch, D35450.

Reviewers: george.karpenkov, NoQ, ddcc

Reviewed By: george.karpenkov

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D49093

llvm-svn: 336671
2018-07-10 13:46:05 +00:00
Reka Kovacs bd516a61b4 [analyzer] Add support for data() in DanglingInternalBufferChecker.
DanglingInternalBufferChecker now tracks use-after-free problems related
to the incorrect usage of std::basic_string::data().

Differential Revision: https://reviews.llvm.org/D48532

llvm-svn: 336497
2018-07-07 20:29:24 +00:00
Reka Kovacs e453e60d08 [analyzer] Highlight c_str() call in DanglingInternalBufferChecker.
Add a bug visitor to DanglingInternalBufferChecker that places a note
at the point where the dangling pointer was obtained. The visitor is
handed over to MallocChecker and attached to the report there.

Differential Revision: https://reviews.llvm.org/D48522

llvm-svn: 336495
2018-07-07 19:27:18 +00:00
Reka Kovacs e0dae15d91 [analyzer] Fix -Wcovered-switch-default warning in MallocChecker.
Remove unnecessary default case that caused buildbot failures.

llvm-svn: 336493
2018-07-07 18:37:37 +00:00
Reka Kovacs 8707cd1d1b [analyzer] Highlight container object destruction in MallocChecker.
Extend MallocBugVisitor to place a note at the point where objects with
AF_InternalBuffer allocation family are destroyed.

Differential Revision: https://reviews.llvm.org/D48521

llvm-svn: 336489
2018-07-07 17:22:45 +00:00
Rafael Stahl 67676e9c99 [analyzer][ctu] fix unsortable diagnostics
Summary: In the provided test case the PathDiagnostic compare function was not able to find a difference.

Reviewers: xazax.hun, NoQ, dcoughlin, george.karpenkov

Reviewed By: george.karpenkov

Subscribers: a_sidorin, szepet, rnkovacs, a.sidorin, mikhail.ramalho, cfe-commits

Differential Revision: https://reviews.llvm.org/D48474

llvm-svn: 336275
2018-07-04 14:12:58 +00:00
Richard Smith 0a7b297d01 Factor out Clang's desired 8MB stack size constant from the various
places we hardcode it.

llvm-svn: 336231
2018-07-03 21:34:13 +00:00
Mikhail R. Gadelha 38049a51bd [analyzer] Replace the vector of ConstraintSets by a single ConstraintSet and a function to merge ConstraintSets
Now, instead of adding the constraints when they are removed, this patch adds them when they first appear and, since we walk the bug report backward, it should be the last set of ranges generated by the CSA for a given symbol.

These are the number before and after the patch:
```
Project    |  current |   patch  |
tmux       |  283.222 |  123.052 |
redis      |  614.858 |  400.347 |
openssl    |  308.292 |  307.149 |
twin       |  274.478 |  245.411 |
git        |  547.687 |  477.335 |
postgresql | 2927.495 | 2002.526 |
sqlite3    | 3264.305 | 1028.416 |
```

Major speedups in tmux and sqlite (less than half of the time), redis and postgresql were about 25% faster while the rest are basically the same.

Reviewers: NoQ, george.karpenkov

Reviewed By: george.karpenkov

Subscribers: rnkovacs, xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D48565

llvm-svn: 336002
2018-06-29 18:11:43 +00:00
Kristof Umann 9bd44390b4 [analyzer][UninitializedObjectChecker] Added a NotesAsWarnings flag
In order to better support consumers of the plist output that don't
parse note entries just yet, a 'NotesAsWarnings' flag was added.
If it's set to true, all notes will be converted to warnings.

Differential Revision: https://reviews.llvm.org/D48285

llvm-svn: 335964
2018-06-29 11:25:24 +00:00
Mikhail R. Gadelha 53ac1a2ed4 [analyzer] Fix wrong comparison generation of the ranges generated by the refutation manager
The refutation manager is removing a true bug from the test in this patch.

The problem is that the following constraint:
```
(conj_$1{struct o *}) - (reg_$3<int * r>): [-9223372036854775808, 0]
```
is encoded as:
```
(and (bvuge (bvsub $1 $3) #x8000000000000000)
     (bvule (bvsub $1 $3) #x0000000000000000))
```
The issue is that unsigned comparisons (bvuge and bvule) are being generated instead of signed comparisons (bvsge and bvsle).

When generating the expressions:
```
(conj_$1{p *}) - (reg_$3<int * r>) >= -9223372036854775808
```
and
```
(conj_$1{p *}) - (reg_$3<int * r>) <= 0
```
both -9223372036854775808 and 0 are casted to pointer type and `LTy->isSignedIntegerOrEnumerationType()` in `Z3ConstraintManager::getZ3BinExpr` only checks if the type is signed, not if it's a pointer.

Reviewers: NoQ, george.karpenkov, ddcc

Subscribers: rnkovacs, NoQ, george.karpenkov, ddcc, xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D48324

llvm-svn: 335926
2018-06-28 21:26:52 +00:00
Adam Balogh b03ed5e414 [Analyzer] Iterator Checker - Part 2: Increment, decrement operators and ahead-of-begin checks
Add handling of the begin() funcion of containers to the iterator checkers,
together with the pre- and postfix ++ and -- operators of the iterators. This
makes possible the checking of iterators dereferenced ahead of the begin of the
container.

Differential Revision: https://reviews.llvm.org/D32642

llvm-svn: 335835
2018-06-28 10:58:53 +00:00
Adam Balogh 77660ee89a [Analyzer] Constraint Manager Negates Difference
If range [m .. n] is stored for symbolic expression A - B, then we can deduce the range for B - A which is [-n .. -m]. This is only true for signed types, unless the range is [0 .. 0].

Differential Revision: https://reviews.llvm.org/D35110

llvm-svn: 335814
2018-06-28 07:35:23 +00:00
Artem Dergachev 4ba041fa25 [analyzer] Remove redundant ';'.
Fixes a compiler warning. No functionan change intended.

llvm-svn: 335808
2018-06-28 02:33:16 +00:00
Artem Dergachev 0bb974e3ee [analyzer] Use sufficiently large types for index bounds calculation.
The ProgramState::assumeInBound() API is used by checkers to make an assumption
that a certain array index is within the array's bounds (i.e. is greater than or
equal to 0 and is less than the length of the array). When the type of the
index was unspecified by the caller, it assumed that the type is 'int', which
caused some indices and sizes to truncate during calculations.

Use ArrayIndexTy by default instead, which is used by the analyzer to represent
index types and is currently hardcoded to long long.

Patch by Bevin Hansson!

Differential Revision: https://reviews.llvm.org/D46944

llvm-svn: 335803
2018-06-28 00:42:11 +00:00
Artem Dergachev 9a209ad1d8 [analyzer] Add support for pre-C++17 copy elision.
r335795 adds copy elision information to CFG. This commit allows static analyzer
to elide elidable copy constructors by constructing the objects that were
previously subject to elidable copy directly in the target region of the copy.

The chain of elided constructors may potentially be indefinitely long. This
only happens when the object is being returned from a function which in turn is
returned from another function, etc.

NRVO is not supported yet.

Differential Revision: https://reviews.llvm.org/D47671

llvm-svn: 335800
2018-06-28 00:30:18 +00:00
Artem Dergachev d18639bd13 [CFG] [analyzer] Simplify lifetime-extended temporary construction contexts.
When a temporary object is materialized and through that obtain lifetime that
is longer than the duration of the full-expression, it does not require a
temporary object destructor; it will be destroyed in a different manner.

Therefore it's not necessary to include CXXBindTemporaryExpr into the
construction context for such temporary in the CFG only to make clients
throw it away.

Differential Revision: https://reviews.llvm.org/D47667

llvm-svn: 335798
2018-06-28 00:18:52 +00:00
Artem Dergachev 4fb586c349 [analyzer] Re-enable lifetime extension for temporaries without destructors.
When an object's class provides no destructor, it's less important to
materialize that object properly because we don't have to model the destructor
correctly, so previously we skipped the support for these syntax patterns.

Additionally, fix support for construction contexts of "static temporaries"
(temporaries that are lifetime-extended by static references) because
it turned out that we only had tests for them without destructors, which caused
us to regress when we re-introduced the construction context for such
temporaries.

Differential Revision: https://reviews.llvm.org/D47658

llvm-svn: 335796
2018-06-28 00:11:42 +00:00
Artem Dergachev ff267df0de [CFG] [analyzer] Add construction contexts that explain pre-C++17 copy elision.
Before C++17 copy elision was optional, even if the elidable copy/move
constructor had arbitrary side effects. The elidable constructor is present
in the AST, but marked as elidable.

In these cases CFG now contains additional information that allows its clients
to figure out if a temporary object is only being constructed so that to pass
it to an elidable constructor. If so, it includes a reference to the elidable
constructor's construction context, so that the client could elide the
elidable constructor and construct the object directly at its final destination.

Differential Revision: https://reviews.llvm.org/D47616

llvm-svn: 335795
2018-06-28 00:04:54 +00:00
Mikhail R. Gadelha c607a9f6b8 Revert "[Analyzer] Moved RangeConstraintManager to header. NFC."
This broke a number of bots.

This reverts commit 5e1a89912d37a21c3b49ccf30600d7f498dffa9c.

llvm-svn: 335752
2018-06-27 16:45:58 +00:00
Alexander Kornienko d00ed8e2c2 [analyzer] Allow registering custom statically-linked analyzer checkers
Summary:
Add an extension point to allow registration of statically-linked Clang Static
Analyzer checkers that are not a part of the Clang tree. This extension point
employs the mechanism used when checkers are registered from dynamically loaded
plugins.

Reviewers: george.karpenkov, NoQ, xazax.hun, dcoughlin

Reviewed By: george.karpenkov

Subscribers: mgorny, mikhail.ramalho, rnkovacs, xazax.hun, szepet, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D45718

llvm-svn: 335740
2018-06-27 14:56:12 +00:00
Mikhail R. Gadelha 996965d67a [Analyzer] Moved RangeConstraintManager to header. NFC.
Summary: While at it, added a dump method to RangeSet.

Reviewers: george.karpenkov, NoQ

Reviewed By: george.karpenkov

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D48561

llvm-svn: 335726
2018-06-27 12:42:48 +00:00
George Karpenkov dd18b11b8e [analyzer] [NFC] A convenient getter for getting a current stack frame
Differential Revision: https://reviews.llvm.org/D44756

llvm-svn: 335701
2018-06-27 01:51:55 +00:00
George Karpenkov 32919a5861 [analyzer] Minor cleanups for BugReporter, expose a getter for AnalyzerOptions.
llvm-svn: 335683
2018-06-26 23:10:05 +00:00
George Karpenkov 70ec1dd14d [analyzer] Do not run visitors until the fixpoint, run only once.
In the current implementation, we run visitors until the fixed point is
reached.
That is, if a visitor adds another visitor, the currently processed path
is destroyed, all diagnostics is discarded, and it is regenerated again,
until it's no longer modified.
This pattern has a few negative implications:

 - This loop does not even guarantee to terminate.
   E.g. just imagine two visitors bouncing a diagnostics around.
 - Performance-wise, e.g. for sqlite3 all visitors are being re-run at
   least 10 times for some bugs.
   We have already seen a few reports where it leads to timeouts.
 - If we want to add more computationally intense visitors, this will
   become worse.
 - From architectural standpoint, the current layout requires copying
   visitors, which is conceptually wrong, and can be annoying (e.g. no
   unique_ptr on visitors allowed).

The proposed change is a much simpler architecture: the outer loop
processes nodes upwards, and whenever the visitor is added it only
processes current nodes and above, thus guaranteeing termination.

Differential Revision: https://reviews.llvm.org/D47856

llvm-svn: 335666
2018-06-26 21:12:08 +00:00
Artem Dergachev 57790c5685 [analyzer] Track null and undef values through expressions with cleanups.
ExprWithCleanups wraps full-expressions that require temporary destructors
and highlights the moment of time in which these destructors need to be called
(i.e., "at the end of the full-expression...").

Such expressions don't necessarily return an object; they may return anything,
including a null or undefined value.

When the analyzer tries to understand where the null or undefined value came
from in order to present better diagnostics to the user, it will now skip
any ExprWithCleanups it encounters and look into the expression itself.

Differential Revision: https://reviews.llvm.org/D48204

llvm-svn: 335559
2018-06-25 23:55:07 +00:00
Artem Dergachev f74ef4b1e6 [analyzer] Fix invalidation on C++ const methods with arrow syntax.
Conservative evaluation of a C++ method call would invalidate the object,
as long as the method is not const or the object has mutable fields.

When checking for mutable fields, we need to scan the type of the object on
which the method is called, which may be more specific than the type of the
object on which the method is defined, hence we look up the type from the
this-argument expression.

If arrow syntax or implicit-this syntax is used, this-argument expression
has pointer type, not record type, and lookup accidentally failed for that
reason. Obtain object type correctly.

Differential Revision: https://reviews.llvm.org/D48460

llvm-svn: 335555
2018-06-25 23:43:45 +00:00
Steven Wu b3684db431 Add const qualifier on FieldChainInfoComparator::operator()
libcxx has user defined warning to check for non const call operator.
Silence the warning by adding the const on operator().

llvm-svn: 335366
2018-06-22 16:51:17 +00:00
Leonard Chan db01c3adc6 [Fixed Point Arithmetic] Fixed Point Precision Bits and Fixed Point Literals
This diff includes the logic for setting the precision bits for each primary fixed point type in the target info and logic for initializing a fixed point literal.

Fixed point literals are declared using the suffixes

```
hr: short _Fract
uhr: unsigned short _Fract
r: _Fract
ur: unsigned _Fract
lr: long _Fract
ulr: unsigned long _Fract
hk: short _Accum
uhk: unsigned short _Accum
k: _Accum
uk: unsigned _Accum
```
Errors are also thrown for illegal literal values

```
unsigned short _Accum u_short_accum = 256.0uhk;   // expected-error{{the integral part of this literal is too large for this unsigned _Accum type}}
```

Differential Revision: https://reviews.llvm.org/D46915

llvm-svn: 335148
2018-06-20 17:19:40 +00:00
Mikhail R. Gadelha bd1077e2bc [analyzer] Optimize constraint generation when the range is a concrete value
Summary:
If a constraint is something like:
```
$0 = [1,1]
```
it'll now be created as:
```
assert($0 == 1)
```
instead of:
```
assert($0 >= 1 && $0 <= 1)
```

In general, ~3% speedup when solving per query in my machine. Biggest improvement was when verifying sqlite3, total time went down from 3000s to 2200s.

I couldn't create a test for this as there is no way to dump the formula yet. D48221 adds a method to dump the formula but there is no way to do it from the command line.

Also, a test that prints the formula will most likely fail in the future, as different solvers print the formula in different formats.

Reviewers: NoQ, george.karpenkov, ddcc

Reviewed By: george.karpenkov

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D48227

llvm-svn: 335116
2018-06-20 11:42:12 +00:00
Kristof Umann 20e85ba854 [analyzer] Made a buildbot happy.
Since `isPrimitiveType` was only used in an assert, a builbot with `-Werror`
and no asserts enabled failed to build it as it was unused.

llvm-svn: 335030
2018-06-19 08:35:02 +00:00
George Karpenkov fdbc1bf62e [analyzer] Remove accidentally committed lines.
llvm-svn: 334965
2018-06-18 17:59:03 +00:00
Kristof Umann 30f086565c [analyzer] Checker for uninitialized C++ objects
This checker analyzes C++ constructor calls, and reports uninitialized fields.

Due to the nature of this problem (uninitialized fields after an object
construction), this checker doesn't search for bugs, but rather is a tool to
enforce a specific programming model where every field needs to be initialized.

This checker lands in alpha for now, and a number of followup patches will be
made to reduce false negatives and to make it easier for the user to understand
what rules the checker relies on, eg. whether a derived class' constructor is
responsible for initializing inherited data members or whether it should be
handled in the base class' constructor.

Differential Revision: https://reviews.llvm.org/D45532

llvm-svn: 334935
2018-06-18 11:50:17 +00:00
Mikhail R. Gadelha e7f703804d [analyzer] Add method to the generic SMT API to dump the SMT formula
Summary:
New method dump the SMT formula and the Z3 implementation.

There is no test because I only used it for debugging.

However, if requested, I can add an option to the static analyzer to dump the formula (whole program? per path?), maybe something like the trimmed graph but for SMT formulas.

Reviewers: NoQ, george.karpenkov, ddcc

Reviewed By: george.karpenkov

Subscribers: xazax.hun, szepet, a.sidorin

Differential Revision: https://reviews.llvm.org/D48221

llvm-svn: 334891
2018-06-16 14:36:17 +00:00
Artem Dergachev f28d7f1721 [analyzer] Re-enable C++17-specific RVO construction contexts.
Not contexts themselves, but rather support for them in the analyzer.

Such construction contexts appear when C++17 mandatory copy elision occurs
while returning an object from a function, and presence of a destructor causes
a CXXBindTemporaryExpr to appear in the AST.

Additionally, such construction contexts may be chained, because a return-value
construction context doesn't really explain where the object is being returned
into, but only points to the parent stack frame, where the object may be
consumed by literally anything including another return statement. This
behavior is now modeled correctly by the analyzer as long as the object is not
returned beyond the boundaries of the analysis.

Differential Revision: https://reviews.llvm.org/D47405

llvm-svn: 334684
2018-06-14 01:59:35 +00:00
Artem Dergachev 53b8ce0edb [analyzer] Re-enable C++17-specific variable and member construction contexts.
Not contexts themselves, but rather support for them in the analyzer.

Such construction contexts appear when C++17 mandatory copy elision occurs
during initialization, and presence of a destructor causes a
CXXBindTemporaryExpr to appear in the AST.

Similar C++17-specific constructors for return values are still to be supported.

Differential Revision: https://reviews.llvm.org/D47351

llvm-svn: 334683
2018-06-14 01:54:21 +00:00
Artem Dergachev a84374dc0e [analyzer] Track class member initializer constructors path-sensitively.
The reasoning behind this change is similar to the previous commit, r334681.
Because members are already in scope when construction occurs, we are not
suffering from liveness problems, but we still want to figure out if the object
was constructed with construction context, because in this case we'll be able
to avoid trivial copy, which we don't always model perfectly. It'd also have
more importance when copy elision is implemented.

This also gets rid of the old CFG look-behind mechanism.

Differential Revision: https://reviews.llvm.org/D47350

llvm-svn: 334682
2018-06-14 01:40:49 +00:00
Artem Dergachev 1fe52474d2 [analyzer] pr37270: Track constructor target region, even if just a variable.
The very idea of construction context implies that first the object is
constructed, and then later, in a separate moment of time, the constructed
object goes into scope, i.e. becomes "live".

Most construction contexts require path-sensitive tracking of the constructed
object region in order to compute the outer expressions accordingly before
the object becomes live.

Semantics of simple variable construction contexts don't immediately require
that such tracking happens in path-sensitive manner, but shortcomings of the
analyzer force us to track it path-sensitively as well. Namely, whether
construction context was available at all during construction is a
path-sensitive information. Additionally, path-sensitive tracking takes care of
our liveness problems that kick in as the temporal gap between construction and
going-into-scope becomes larger (eg., due to copy elision).

Differential Revision: https://reviews.llvm.org/D47305

llvm-svn: 334681
2018-06-14 01:32:46 +00:00
Artem Dergachev 239452ca3e [analyzer] NFC: Merge code for finding and tracking construction target.
When analyzing C++ code, a common operation in the analyzer is to discover
target region for object construction by looking at CFG metadata ("construction
contexts"), and then track the region path-sensitively until object construction
is resolved, where the amount of information, again, depends on construction
context.

Scan construction context only once for both purposes.

Differential Revision: https://reviews.llvm.org/D47304

llvm-svn: 334678
2018-06-14 01:20:12 +00:00
George Karpenkov 0cba5549ef [analyzer] Fix offset overflow check in MemRegion
rdar://39593879
https://bugs.llvm.org/show_bug.cgi?id=37142

Differential Revision: https://reviews.llvm.org/D48139

llvm-svn: 334636
2018-06-13 18:32:19 +00:00
Bill Wendling 744c48a146 Remove extraneous semicolon.
llvm-svn: 334573
2018-06-13 06:33:59 +00:00
George Karpenkov e6fdb6a28c [analyzer] Do not crash in the visitor when the function is given more arguments than it has parameters
rdar://40335545

Differential Revision: https://reviews.llvm.org/D48107

llvm-svn: 334560
2018-06-12 23:53:54 +00:00
Matthew Voss 6b9359509c [analyzer] Ensure that loop widening does not invalidate references
Loop widening can invalidate a reference. If the analyzer attempts to visit the
destructor to a non-existent reference, it will crash. This patch ensures that
the reference is preserved.

https://reviews.llvm.org/D47044

llvm-svn: 334554
2018-06-12 22:22:35 +00:00
George Karpenkov cd45bef232 [analyzer] [NFC] Remove "removeInvalidation" from visitor API
removeInvalidation is a very problematic API, as it makes suppression
order-dependent.
Moreover, it was used only once, and could be rewritten in a much
cleaner way.

Differential Revision: https://reviews.llvm.org/D48045

llvm-svn: 334542
2018-06-12 20:51:19 +00:00
George Karpenkov 1cf8cdc687 [analyzer] [NFC] Move ::dump methods from BugReporter.cpp to PathDiagnostics.cpp
BugReporter.cpp is already severely overloaded, and those dump methods
are on PathDiagnostics and should belong in the corresponding
implementation file.

Differential Revision: https://reviews.llvm.org/D48035

llvm-svn: 334541
2018-06-12 20:51:01 +00:00
George Karpenkov 5ec0a2613f [analyzer] [NFC] Remove most usages of getEndPath
getEndPath is a problematic API, because it's not clear when it's called
(hint: not always at the end of the path), it crashes at runtime with
more than one non-nullptr returning implementation, and diagnostics
internal depend on it being called at some exact place.

However, most visitors don't actually need that: all they want is a
function consistently called after all nodes are traversed, to perform
finalization and to decide whether invalidation is needed.

Differential Revision: https://reviews.llvm.org/D48042

llvm-svn: 334540
2018-06-12 20:50:44 +00:00
Fangrui Song 8b4b82eed4 Work around false -Wmissing-braces warning from old clang which has been fixed in r314838
llvm-svn: 334539
2018-06-12 20:44:11 +00:00
George Karpenkov 4872750dd3 [analyzer] [NFC] Now let's have only one place for diagnostics generation
Differential Revision: https://reviews.llvm.org/D47808

llvm-svn: 334526
2018-06-12 19:08:17 +00:00
George Karpenkov 8ade563870 [analyzer] [NFC] Unify Minimal and Extensive diagnostics.
Once we removed AlternateExtensive, I've looked closer into the
difference between Minimal and Extensive, and turns out, the difference
was not that large.

Differential Revision: https://reviews.llvm.org/D47756

llvm-svn: 334525
2018-06-12 19:08:00 +00:00
George Karpenkov 391650912a [analyzer] [NFC] Remove unused Extensive diagnostic setting,
Rename AlternateExtensive to Extensive.
In 2013, five years ago, we have switched to AlternateExtensive
diagnostics by default, and Extensive was available under unused,
undocumented flag.
This change remove the flag, renames the Alternate
diagnostic to Extensive (as it's no longer Alternate), and ports the
test.

Differential Revision: https://reviews.llvm.org/D47670

llvm-svn: 334524
2018-06-12 19:07:41 +00:00
Zachary Turner 08426e1f9f Refactor ExecuteAndWait to take StringRefs.
This simplifies some code which had StringRefs to begin with, and
makes other code more complicated which had const char* to begin
with.

In the end, I think this makes for a more idiomatic and platform
agnostic API.  Not all platforms launch process with null terminated
c-string arrays for the environment pointer and argv, but the api
was designed that way because it allowed easy pass-through for
posix-based platforms.  There's a little additional overhead now
since on posix based platforms we'll be takign StringRefs which
were constructed from null terminated strings and then copying
them to null terminate them again, but from a readability and
usability standpoint of the API user, I think this API signature
is strictly better.

llvm-svn: 334518
2018-06-12 17:43:52 +00:00
Reka Kovacs 7ff6a8a316 [analyzer] Clean up the program state map of DanglingInternalBufferChecker.
Symbols are cleaned up from the program state map when they go out of scope.
Memory regions are cleaned up when the corresponding object is destroyed, and
additionally in 'checkDeadSymbols' in case destructor modeling was incomplete.

Differential Revision: https://reviews.llvm.org/D47416

llvm-svn: 334352
2018-06-09 21:08:27 +00:00
Reka Kovacs 18775fc9b7 [analyzer] Add dangling internal buffer check.
This check will mark raw pointers to C++ standard library container internal
buffers 'released' when the objects themselves are destroyed. Such information
can be used by MallocChecker to warn about use-after-free problems.

In this first version, 'std::basic_string's are supported.

Differential Revision: https://reviews.llvm.org/D47135

llvm-svn: 334348
2018-06-09 13:03:49 +00:00
Zachary Turner 1f67a3cba9 [FileSystem] Split up the OpenFlags enumeration.
This breaks the OpenFlags enumeration into two separate
enumerations: OpenFlags and CreationDisposition.  The first
controls the behavior of the API depending on whether or not
the target file already exists, and is not a flags-based
enum.  The second controls more flags-like values.

This yields a more easy to understand API, while also allowing
flags to be passed to the openForRead api, where most of the
values didn't make sense before.  This also makes the apis more
testable as it becomes easy to enumerate all the configurations
which make sense, so I've added many new tests to exercise all
the different values.

llvm-svn: 334221
2018-06-07 19:58:58 +00:00
Vlad Tsyrklevich 6f8f15fa72 [Analyzer] Fix Z3ConstraintManager crash (PR37646)
Summary:
Fix another Z3ConstraintManager crash, use fixAPSInt() to extend a
boolean APSInt.

Reviewers: george.karpenkov, NoQ, ddcc

Reviewed By: george.karpenkov

Subscribers: xazax.hun, szepet, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D47617

llvm-svn: 334065
2018-06-06 06:09:02 +00:00
Artem Dergachev 643102dfce [analyzer] Re-enable constructors when lifetime extension through fields occurs.
Temporary object constructor inlining was disabled in r326240 for code like

    const int &x = A().x;

because automatic destructor for the lifetime-extended object A() was not
working correctly in CFG.

CFG was fixed in r333941, so inlining can be re-enabled. CFG for lifetime
extension through aggregates still needs to be fixed.

Differential Revision: https://reviews.llvm.org/D44239

llvm-svn: 333946
2018-06-04 20:18:37 +00:00
Mikhail R. Gadelha 8cd2ee1f24 [analyzer] False positive refutation with Z3
Summary: This is a prototype of a bug reporter visitor that invalidates bug reports by re-checking constraints of certain states on the bug path using the Z3 constraint manager backend. The functionality is available under the `crosscheck-with-z3` analyzer config flag.

Reviewers: george.karpenkov, NoQ, dcoughlin, rnkovacs

Reviewed By: george.karpenkov

Subscribers: rnkovacs, NoQ, george.karpenkov, dcoughlin, xbolva00, ddcc, mikhail.ramalho, MTC, fhahn, whisperity, baloghadamsoftware, szepet, a.sidorin, gsd, dkrupp, xazax.hun, cfe-commits

Differential Revision: https://reviews.llvm.org/D45517

llvm-svn: 333903
2018-06-04 14:40:44 +00:00
Mikhail R. Gadelha 735d8ea0d4 Created a tiny SMT interface and make Z3ConstraintManager implement it
Summary:
This patch implements a simple SMTConstraintManager API, and requires the implementation of two methods for now: `addRangeConstraints` and `isModelFeasible`.

Update Z3ConstraintManager to inherit it and implement required methods.

I also moved the method to dump the SMT formula from D45517 to this patch.

This patch was created based on the reviews from D47640.

Reviewers: george.karpenkov, NoQ, ddcc, dcoughlin

Reviewed By: george.karpenkov

Differential Revision: https://reviews.llvm.org/D47689

llvm-svn: 333899
2018-06-04 14:25:58 +00:00
Mikhail R. Gadelha c10f611522 Moved RangedConstraintManager header to the StaticAnalyser include dir
Summary:
Moved `RangedConstraintManager` header from  `lib/StaticAnalyzer/Core/` to `clang/StaticAnalyzer/Core/PathSensitive/`. No changes to the code.

Reviewers: NoQ, george.karpenkov, dcoughlin

Reviewed By: george.karpenkov

Subscribers: NoQ, george.karpenkov, dcoughlin, ddcc

Differential Revision: https://reviews.llvm.org/D47640

llvm-svn: 333862
2018-06-04 00:23:01 +00:00
Artem Dergachev f83d547989 [analyzer] NFC: Track all constructed objects in a single state trait.
ExprEngine already maintains three internal program state traits to track
path-sensitive information related to object construction: pointer returned by
operator new, and pointer to temporary object for two different purposes - for
destruction and for lifetime extension. We'll need to add 2-3 more in a few
follow-up commits.

Merge these traits into one because they all essentially serve one purpose and
work similarly.

Differential Revision: https://reviews.llvm.org/D47303

llvm-svn: 333719
2018-06-01 01:59:48 +00:00
Dominic Chen cd81614e8b [analyzer] fix bug with 1-bit APSInt types in Z3ConstraintManager
Summary: Clang does not have a corresponding QualType for a 1-bit APSInt, so use the BoolTy and extend the APSInt. Split from D35450. Fixes PR37622.

Reviewers: george.karpenkov, NoQ

Subscribers: mikhail.ramalho, xazax.hun, szepet, rnkovacs, cfe-commits, a.sidorin

Differential Revision: https://reviews.llvm.org/D47603

llvm-svn: 333704
2018-05-31 22:23:07 +00:00
Artem Dergachev 22746d7df3 [analyzer] Improve performance of the SVal simplification mechanism further.
Memoize simplification so that we didn't need to simplify the same symbolic
expression twice within the same program state.

Gives ~25% performance boost on the artificial test in test/Analysis/hangs.c.

Differential Revision: https://reviews.llvm.org/D47402

llvm-svn: 333671
2018-05-31 17:27:28 +00:00
Artem Dergachev 16a1f64ccf [analyzer] Improve performance of the SVal simplification mechanism.
When neither LHS nor RHS of a binary operator expression can be simplified,
return the original expression instead of re-evaluating the binary operator.

Such re-evaluation was causing recusrive re-simplification which caused
the algorithmic complexity to explode.

Differential Revision: https://reviews.llvm.org/D47155

llvm-svn: 333670
2018-05-31 17:22:38 +00:00
George Karpenkov 7744c7f137 [analyzer] Trust _Nonnull annotations, and trust analyzer knowledge about receiver nullability
Previously, the checker was using the nullability of the expression,
which is nonnull IFF both receiver and method are annotated as _Nonnull.
However, the receiver could be known to the analyzer to be nonnull
without being explicitly marked as _Nonnull.

rdar://40635584

Differential Revision: https://reviews.llvm.org/D47510

llvm-svn: 333612
2018-05-31 00:28:13 +00:00
Henry Wong 716515a51e [analyzer] Remove the redundant check about same state transition in `ArrayBoundCheckerV2.cpp`.
Summary: Since the `addTransitionImpl()` has a check about same state transition, there is no need to check it in `ArrayBoundCheckerV2.cpp`.

Reviewers: NoQ, xazax.hun, george.karpenkov

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D47451

llvm-svn: 333531
2018-05-30 11:46:45 +00:00
Rafael Stahl 0137aa8679 [analyzer] const init: handle non-explicit cases more accurately
Summary: If the access is out of bounds, return UndefinedVal. If it is missing an explicit init, return the implicit zero value it must have.

Reviewers: NoQ, xazax.hun, george.karpenkov

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D46823

llvm-svn: 333417
2018-05-29 14:14:22 +00:00
Artem Dergachev 8419cf307e [analyzer] Add security checks for bcmp(), bcopy(), bzero().
These functions are obsolete. The analyzer would advice to replace them with
memcmp(), memcpy() or memmove(), or memset().

Patch by Tom Rix!

Differential Revision: https://reviews.llvm.org/D41881

llvm-svn: 333326
2018-05-26 00:04:26 +00:00
Kristof Umann 3ea7442bd6 [analyzer] Added template argument lists to the Pathdiagnostic output
Because template parameter lists were not displayed
in the plist output, it was difficult to decide in
some cases whether a given checker found a true or a
false positive. This patch aims to correct this.

Differential Revision: https://reviews.llvm.org/D46933

llvm-svn: 333275
2018-05-25 13:18:38 +00:00
Mikhail R. Gadelha 6c4c55ce9e [analyzer] Move RangeSet related declarations into the RangedConstraintManager header.
Summary: I could also move `RangedConstraintManager.h` under `include/` if you agree as it seems slightly out of place under `lib/`.

Patch by Réka Kovács

Reviewers: NoQ, george.karpenkov, dcoughlin, rnkovacs

Reviewed By: NoQ

Subscribers: mikhail.ramalho, whisperity, xazax.hun, baloghadamsoftware, szepet, a.sidorin, dkrupp, cfe-commits

Differential Revision: https://reviews.llvm.org/D45920

llvm-svn: 333179
2018-05-24 12:16:35 +00:00
David Carlier 3c90fcebd4 [analyzer] CStringChecker fix for strlcpy when no bytes are copied to the dest buffer
Again, strlc* does not return a pointer so the zero size case doest not fit.

Reviewers: NoQ, george.karpenkov

Reviewed by: NoQ

Differential Revision: https://reviews.llvm.org/D47007

llvm-svn: 333060
2018-05-23 04:38:25 +00:00
George Karpenkov 04951d4fc3 [analyzer] Extend ObjCAutoreleaseWriteChecker to catch block declarations with autoreleasing variables
Differential Revision: https://reviews.llvm.org/D46984

llvm-svn: 332546
2018-05-16 22:47:05 +00:00
George Karpenkov 47bb3f7033 [analyzer] Change the warning message for GCD antipattern checker
llvm-svn: 332544
2018-05-16 22:46:47 +00:00
Henry Wong afe62cdc4e [analyzer] Improve the modeling of memset().
Since there is no perfect way bind the non-zero value with the default binding, this patch only considers the case where buffer's offset is zero and the char value is 0. And according to the value for overwriting, decide how to update the string length.

Reviewers: dcoughlin, NoQ, xazax.hun, a.sidorin, george.karpenkov

Reviewed By: NoQ

Differential Revision: https://reviews.llvm.org/D44934

llvm-svn: 332463
2018-05-16 12:37:53 +00:00
Artem Dergachev 21948346b3 [analyzer] Make plist-html diagnostic consumer produce multi-file reports.
Previously plist-html output produced multi-file HTML reports
but only single-file Plist reports.

Change plist-html output to produce multi-file Plist reports as well.

Differential Revision: https://reviews.llvm.org/D46902

llvm-svn: 332417
2018-05-16 00:11:24 +00:00
Nicola Zaghen 3538b39ed5 [clang] Update uses of DEBUG macro to LLVM_DEBUG.
The DEBUG() macro is very generic so it might clash with other projects.
The renaming was done as follows:
- git grep -l 'DEBUG' | xargs sed -i 's/\bDEBUG\s\?(/LLVM_DEBUG(/g'
- git diff -U0 master | ../clang/tools/clang-format/clang-format-diff.py -i -p1 -style LLVM

Explicitly avoided changing the strings in the clang-format tests.

Differential Revision: https://reviews.llvm.org/D44975

llvm-svn: 332350
2018-05-15 13:30:56 +00:00
Artem Dergachev c19843714c [analyzer] Re-apply r331096 "CStringChecker: Add support for BSD strlcpy()...".
Fixed after revert in r331401.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 332303
2018-05-14 22:32:24 +00:00
George Karpenkov 434019a617 [analyzer] Extend the ObjCAutoreleaseWriteChecker to warn on captures as well
A common pattern is that the code in the block does not write into the
variable explicitly, but instead passes it to a helper function which
performs the write.

Differential Revision: https://reviews.llvm.org/D46772

llvm-svn: 332300
2018-05-14 21:39:54 +00:00
George Karpenkov 3ee2a6bd5c [analyzer] Ignore the nullability quantifiers for autoreleasewritechecker
llvm-svn: 332136
2018-05-11 20:39:19 +00:00
Alexander Kornienko 48fcfc3274 Fixes issue introduced by r331556.
Closes bug: https://bugs.llvm.org/show_bug.cgi?id=37357

Patch by Rafael Stahl!

Differential revision: https://reviews.llvm.org/D46633

llvm-svn: 331870
2018-05-09 12:27:21 +00:00
Adrian Prantl 9fc8faf9e6 Remove \brief commands from doxygen comments.
This is similar to the LLVM change https://reviews.llvm.org/D46290.

We've been running doxygen with the autobrief option for a couple of
years now. This makes the \brief markers into our comments
redundant. Since they are a visual distraction and we don't want to
encourage more \brief markers in new code either, this patch removes
them all.

Patch produced by

for i in $(git grep -l '\@brief'); do perl -pi -e 's/\@brief //g' $i & done
for i in $(git grep -l '\\brief'); do perl -pi -e 's/\\brief //g' $i & done

Differential Revision: https://reviews.llvm.org/D46320

llvm-svn: 331834
2018-05-09 01:00:01 +00:00
Craig Topper 294016b826 Fix a couple places that immediately called operator-> on the result of dyn_cast.
It looks like it safe to just use cast for both cases.

llvm-svn: 331578
2018-05-05 01:58:26 +00:00
Artem Dergachev e0fb481cc5 [analyzer] Remove untested code in evalLoad.
No functional change intended.

llvm-svn: 331565
2018-05-04 23:01:10 +00:00
Artem Dergachev 394588a1a6 [analyzer] Invalidate union regions properly. Don't hesitate to load later.
We weren't invalidating our unions correctly. The previous behavior in
invalidateRegionsWorker::VisitCluster() was to direct-bind an UnknownVal
to the union (at offset 0).

For that reason we were never actually loading default bindings from our unions,
because there never was any default binding to load, and the value
that is presumed when there's no default binding to load
is usually completely incorrect (eg. UndefinedVal for stack unions).

The new behavior is to default-bind a conjured symbol (of irrelevant type)
to the union that's being invalidated, similarly to what we do for structures
and classes. Then it becomes safe to load the value properly.

Differential Revision: https://reviews.llvm.org/D45241

llvm-svn: 331563
2018-05-04 22:19:32 +00:00
Artem Dergachev e603e076f5 [analyzer] pr36458: Fix retrieved value cast for symbolic void pointers.
C allows us to write any bytes into any memory region. When loading weird bytes
from memory regions of known types, the analyzer is required to make sure that
the loaded value makes sense by casting it to an appropriate type.

Fix such cast for loading values that represent void pointers from non-void
pointer type places.

Differential Revision: https://reviews.llvm.org/D46415

llvm-svn: 331562
2018-05-04 22:11:12 +00:00
Artem Dergachev 806486c781 [analyzer] pr18953: Split C++ zero-initialization from default initialization.
The bindDefault() API of the ProgramState allows setting a default value
for reads from memory regions that were not preceded by writes.

It was used for implementing C++ zeroing constructors (i.e. default constructors
that boil down to setting all fields of the object to 0).

Because differences between zeroing consturctors and other forms of default
initialization have been piling up (in particular, zeroing constructors can be
called multiple times over the same object, probably even at the same offset,
requiring a careful and potentially slow cleanup of previous bindings in the
RegionStore), we split the API in two: bindDefaultInitial() for modeling
initial values and bindDefaultZero() for modeling zeroing constructors.

This fixes a few assertion failures from which the investigation originated.

The imperfect protection from both inability of the RegionStore to support
binding extents and lack of information in ASTRecordLayout has been loosened
because it's, well, imperfect, and it is unclear if it fixing more than it
was breaking.

Differential Revision: https://reviews.llvm.org/D46368

llvm-svn: 331561
2018-05-04 21:56:51 +00:00
Artem Dergachev 2fd6aa7d56 [analyzer] pr37209: Fix casts of glvalues to references.
Many glvalue expressions aren't of their respective reference type -
they are simply glvalues of their value type.

This was causing problems when we were trying to obtain type of the original
expression while evaluating certain glvalue bit-casts.

Fixed by artificially forging a reference type to provide to the casting
procedure.

Differential Revision: https://reviews.llvm.org/D46224

llvm-svn: 331558
2018-05-04 21:39:25 +00:00
Artem Dergachev a2e053638b [analyzer] Treat more const variables and fields as known contants.
When loading from a variable or a field that is declared as constant,
the analyzer will try to inspect its initializer and constant-fold it.
Upon success, the analyzer would skip normal load and return the respective
constant.

The new behavior also applies to fields/elements of brace-initialized structures
and arrays.

Patch by Rafael Stahl!

Differential Revision: https://reviews.llvm.org/D45774

llvm-svn: 331556
2018-05-04 20:52:39 +00:00
Artem Dergachev 4cc0d4e823 [analyzer] NFC: Remove unused parameteer of StoreManager::CastRetrievedVal().
llvm-svn: 331496
2018-05-04 00:53:41 +00:00
Richard Smith eaf11ad709 Track the result of evaluating a computed noexcept specification on the
FunctionProtoType.

We previously re-evaluated the expression each time we wanted to know whether
the type is noexcept or not. We now evaluate the expression exactly once.

This is not quite "no functional change": it fixes a crasher bug during AST
deserialization where we would try to evaluate the noexcept specification in a
situation where we have not deserialized sufficient portions of the AST to
permit such evaluation.

llvm-svn: 331428
2018-05-03 03:58:32 +00:00
Artem Dergachev 1aaf402530 [analyzer] Revert r331096 "CStringChecker: Add support for BSD strlcpy()...".
The return values of the newly supported functions were not handled correctly:
strlcpy()/strlcat() return string sizes rather than pointers.

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 331401
2018-05-02 20:33:17 +00:00
Malcolm Parsons 099e4b2a92 [analyzer] Fix filename in cross-file HTML report
Summary:
The filename is currently taken from the start of the path, while the
line and column are taken from the end of the path.
This didn't matter until cross-file path reporting was added.

Reviewers: george.karpenkov, dcoughlin, vlad.tsyrklevich

Reviewed By: george.karpenkov, vlad.tsyrklevich

Subscribers: xazax.hun, szepet, a.sidorin, cfe-commits

Differential Revision: https://reviews.llvm.org/D45611

llvm-svn: 331361
2018-05-02 14:26:12 +00:00
Henry Wong e14e591c93 [analyzer] Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero and VLASize.
Summary: Add `TaintBugVisitor` to the ArrayBoundV2, DivideZero, VLASize to be able to indicate where the taint information originated from.

Reviewers: NoQ, george.karpenkov, xazax.hun, a.sidorin

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D46007

llvm-svn: 331345
2018-05-02 12:11:22 +00:00
Richard Smith b5f8171a1b PR37189 Fix incorrect end source location and spelling for a split '>>' token.
When a '>>' token is split into two '>' tokens (in C++11 onwards), or (as an
extension) when we do the same for other tokens starting with a '>', we can't
just use a location pointing to the first '>' as the location of the split
token, because that would result in our miscomputing the length and spelling
for the token. As a consequence, for example, a refactoring replacing 'A<X>'
with something else would sometimes replace one character too many, and
similarly diagnostics highlighting a template-id source range would highlight
one character too many.

Fix this by creating an expansion range covering the first character of the
'>>' token, whose spelling is '>'. For this to work, we generalize the
expansion range of a macro FileID to be either a token range (the common case)
or a character range (used in this new case).

llvm-svn: 331155
2018-04-30 05:25:48 +00:00
Artem Dergachev 03283ae9b7 [analyzer] CStringChecker: Add support for BSD strlcpy() and strlcat().
Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D45177

llvm-svn: 331096
2018-04-27 23:50:55 +00:00
Artem Dergachev befce13328 [analyzer] ObjCAutoreleaseWrite: Support a few more APIs and fix warning text.
API list and improved warning text composed by Devin Coughlin.

llvm-svn: 331089
2018-04-27 22:00:51 +00:00
Artem Dergachev 4fbd97e183 [analyzer] Fix operator delete[] array-type-sub-expression handling.
Avoid crash when the sub-expression of operator delete[] is of array type.

This is not the same as simply using a delete[] syntax.

We're still not properly calling destructors in this case in the analyzer.

Differential Revision: https://reviews.llvm.org/D46146

llvm-svn: 331014
2018-04-27 02:16:03 +00:00
Artem Dergachev 310bca0178 [analyzer] Fix a crash on lifetime extension through aggregate initialization.
If 'A' is a C++ aggregate with a reference field of type 'C', in code like
  A a = { C() };
C() is lifetime-extended by 'a'. The analyzer wasn't expecting this pattern and
crashing. Additionally, destructors aren't added in the CFG for this case,
so for now we shouldn't be inlining the constructor for C().

Differential Revision: https://reviews.llvm.org/D46037

llvm-svn: 330882
2018-04-25 23:02:06 +00:00
Artem Dergachev 516837f2a1 [analyzer] Enable analysis of WebKit "unified sources".
Normally the analyzer begins path-sensitive analysis from functions within
the main file, even though the path is allowed to go through any functions
within the translation unit.

When a recent version of WebKit is compiled, the "unified sources" technique
is used, that assumes #including multiple code files into a single main file.
Such file would have no functions defined in it, so the analyzer wouldn't be
able to find any entry points for path-sensitive analysis.

This patch pattern-matches unified file names that are similar to those
used by WebKit and allows the analyzer to find entry points in the included
code files. A more aggressive/generic approach is being planned as well.

Differential Revision: https://reviews.llvm.org/D45839

llvm-svn: 330876
2018-04-25 21:51:26 +00:00
Artem Dergachev a4e557f908 [analyzer] Add support for the note diagnostic pieces to plist output format.
Note diagnostic pieces are an additional way of highlighting code sections to
the user. They aren't part of the normal path diagnostic sequence. They can
also be attached to path-insensitive reports.

Notes are already supported by the text output and scan-build.

Expanding our machine-readable plist output format to be able to represent notes
opens up the possibility for various analyzer GUIs to pick them up.

Patch by Umann Kristóf!

Differential Revision: https://reviews.llvm.org/D45407

llvm-svn: 330766
2018-04-24 20:45:48 +00:00
Aleksei Sidorin b659dd3a45 [analyzer] Don't crash on printing ConcreteInt of size >64 bits
Printing of ConcreteInts with size >64 bits resulted in assertion failure
in get[Z|S]ExtValue() because these methods are only allowed to be used
with integers of 64 max bit width. This patch fixes the issue.

llvm-svn: 330605
2018-04-23 15:41:44 +00:00
Henry Wong 29204c2dfa [analyzer] Move `TaintBugVisitor` from `GenericTaintChecker.cpp` to `BugReporterVisitors.h`.
Summary: `TaintBugVisitor` is a universal visitor, and many checkers rely on it, such as `ArrayBoundCheckerV2.cpp`, `DivZeroChecker.cpp` and `VLASizeChecker.cpp`. Moving `TaintBugVisitor` to `BugReporterVisitors.h` enables other checker can also track where `tainted` value came from.

Reviewers: NoQ, george.karpenkov, xazax.hun

Reviewed By: george.karpenkov

Subscribers: szepet, rnkovacs, a.sidorin, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D45682

llvm-svn: 330596
2018-04-23 14:41:17 +00:00
Henry Wong 7af1c99024 [analyzer] CStringChecker.cpp - Code refactoring on bug report.
Reviewers: NoQ, george.karpenkov, xazax.hun

Reviewed By: george.karpenkov	

Differential Revision: https://reviews.llvm.org/D44557

llvm-svn: 330589
2018-04-23 13:36:51 +00:00
Artem Dergachev 468bc0d8b9 [analyzer] When we fail to evaluate a pointer cast, escape the pointer.
If a pointer cast fails (evaluates to an UnknownVal, i.e. not implemented in the
analyzer) and such cast is in fact the last use of the pointer, the pointer
symbol is no longer referenced by the program state and a leak is
(mis-)diagnosed.

"Escape" the pointer upon a failed cast, i.e. inform the checker that we can no
longer reliably track it.

Differential Revision: https://reviews.llvm.org/D45698

llvm-svn: 330380
2018-04-19 23:24:32 +00:00
Artem Dergachev f7281b4752 [analyzer] RetainCount: Accept more "safe" CFRetain wrappers.
r315736 added support for the misplaced CF_RETURNS_RETAINED annotation on
CFRetain() wrappers. It works by trusting the function's name (seeing if it
confirms to the CoreFoundation naming convention) rather than the annotation.

There are more false positives caused by users using a different naming
convention, namely starting the function name with "retain" or "release"
rather than suffixing it with "retain" or "release" respectively.

Because this isn't according to the naming convention, these functions
are usually inlined and the annotation is therefore ignored, which is correct.
But sometimes we run out of inlining stack depth and the function is
evaluated conservatively and then the annotation is trusted.

Add support for the "alternative" naming convention and test the situation when
we're running out of inlining stack depth.

rdar://problem/18270122

Differential Revision: https://reviews.llvm.org/D45117

llvm-svn: 330375
2018-04-19 23:00:22 +00:00
Malcolm Parsons fab3680990 Clean carriage returns from lib/ and include/. NFC.
Summary:
Clean carriage returns from lib/ and include/. NFC.
(I have to make this change locally in order for `git diff` to show sane output after I edit a file, so I might as well ask for it to be committed. I don't have commit privs myself.)
(Without this patch, `git rebase`ing any change involving SemaDeclCXX.cpp is a real nightmare. :( So while I have no right to ask for this to be committed, geez would it make my workflow easier if it were.)

Here's the command I used to reformat things. (Requires bash and OSX/FreeBSD sed.)

    git grep -l $'\r' lib include | xargs sed -i -e $'s/\r//'
    find lib include -name '*-e' -delete

Reviewers: malcolm.parsons

Reviewed By: malcolm.parsons

Subscribers: emaste, krytarowski, cfe-commits

Differential Revision: https://reviews.llvm.org/D45591

Patch by Arthur O'Dwyer.

llvm-svn: 330112
2018-04-16 08:31:08 +00:00
Henry Wong 525d4122c9 [analyzer] Do not invalidate the `this` pointer.
Summary:
`this` pointer is not an l-value, although we have modeled `CXXThisRegion` for `this` pointer, we can only bind it once, which is when we start to inline method. And this patch fixes https://bugs.llvm.org/show_bug.cgi?id=35506.

In addition, I didn't find any other cases other than loop-widen that could invalidate `this` pointer.

Reviewers: NoQ, george.karpenkov, a.sidorin, seaneveson, szepet

Reviewed By: NoQ

Subscribers: xazax.hun, rnkovacs, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D45491

llvm-svn: 330095
2018-04-15 10:34:06 +00:00
Adam Balogh 13e186c088 [Analyzer] Fix for SValBuilder expressions rearrangement
Expression rearrangement in SValBuilder (see rL329780) crashes with an assert if the type of the integer is different from the type of the symbol. This fix adds a check that prevents rearrangement in such cases.

Differential Revision: https://reviews.llvm.org/D45557

llvm-svn: 330064
2018-04-13 20:23:02 +00:00
Gabor Horvath ca7923ab00 [analyzer] Fix null deref in AnyFunctionCall::getRuntimeDefinition
Patch by: Rafael Stahl!

Differential Revision: https://reviews.llvm.org/D45564

llvm-svn: 330009
2018-04-13 12:36:08 +00:00
Adam Balogh 2bbccca9f7 [Analyzer] SValBuilder Comparison Rearrangement (with Restrictions and Analyzer Option)
Since the range-based constraint manager (default) is weak in handling comparisons where symbols are on both sides it is wise to rearrange them to have symbols only on the left side. Thus e.g. A + n >= B + m becomes A - B >= m - n which enables the constraint manager to store a range m - n .. MAX_VALUE for the symbolic expression A - B. This can be used later to check whether e.g. A + k == B + l can be true, which is also rearranged to A - B == l - k so the constraint manager can check whether l - k is in the range (thus greater than or equal to m - n).

The restriction in this version is the the rearrangement happens only if both the symbols and the concrete integers are within the range [min/4 .. max/4] where min and max are the minimal and maximal values of their type.

The rearrangement is not enabled by default. It has to be enabled by using -analyzer-config aggressive-relational-comparison-simplification=true.

Co-author of this patch is Artem Dergachev (NoQ).

Differential Revision: https://reviews.llvm.org/D41938

llvm-svn: 329780
2018-04-11 06:21:12 +00:00
Nico Weber 4c28cfea78 Sort source lists in lib/StaticAnalyzer.
llvm-svn: 329481
2018-04-07 04:25:01 +00:00
Alexander Kornienko 2a8c18d991 Fix typos in clang
Found via codespell -q 3 -I ../clang-whitelist.txt
Where whitelist consists of:

  archtype
  cas
  classs
  checkk
  compres
  definit
  frome
  iff
  inteval
  ith
  lod
  methode
  nd
  optin
  ot
  pres
  statics
  te
  thru

Patch by luzpaz! (This is a subset of D44188 that applies cleanly with a few
files that have dubious fixes reverted.)

Differential revision: https://reviews.llvm.org/D44188

llvm-svn: 329399
2018-04-06 15:14:32 +00:00
Benjamin Kramer 1fc0da4849 Make helpers static. NFC.
llvm-svn: 329170
2018-04-04 11:45:11 +00:00
Eugene Zelenko 88f40cf303 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 329115
2018-04-03 21:31:50 +00:00
Artem Dergachev c8b1d5f329 [analyzer] Fix diagnostics in callees of interesting callees.
removeUnneededCalls() is responsible for removing path diagnostic pieces within
functions that don't contain "interesting" events. It makes bug reports
much tidier.

When a stack frame is known to be interesting, the function doesn't descend
into it to prune anything within it, even other callees that are totally boring.

Fix the function to prune boring callees in interesting stack frames.

Differential Revision: https://reviews.llvm.org/D45117

llvm-svn: 329102
2018-04-03 18:52:30 +00:00
Joel E. Denny a6555114c8 [Attr] [NFC] Revert accidental change from r327405
llvm-svn: 329005
2018-04-02 19:43:34 +00:00
Henry Wong f717d4795a [analyzer] Unroll the loop when it has a unsigned counter.
Summary:
The original implementation in the `LoopUnrolling.cpp` didn't consider the case where the counter is unsigned. This case is only handled in `simpleCondition()`, but this is not enough, we also need to deal with the unsinged counter with the counter initialization.

Since `IntegerLiteral` is `signed`, there is a `ImplicitCastExpr<IntegralCast>` in `unsigned counter = IntergerLiteral`. This patch add the `ignoringParenImpCasts()` in the `IntegerLiteral` matcher.

Reviewers: szepet, a.sidorin, NoQ, george.karpenkov

Reviewed By: szepet, george.karpenkov

Subscribers: xazax.hun, rnkovacs, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D45086

llvm-svn: 328919
2018-03-31 12:46:46 +00:00
George Karpenkov 6fe0f035bd [analyzer] Fix assertion crash in CStringChecker
An offset might be unknown.

rdar://39054939

Differential Revision: https://reviews.llvm.org/D45115

llvm-svn: 328912
2018-03-31 01:20:08 +00:00
George Karpenkov fa4d18c7e3 [analyzer] Cache offset computation for MemRegion
Achieves almost a 200% speedup on the example where the performance of
visitors was problematic.

Performance on sqlite3 is unaffected.

rdar://38818362

Differential Revision: https://reviews.llvm.org/D45113

llvm-svn: 328911
2018-03-31 01:20:07 +00:00
Artem Dergachev 95f9a68b1f [analyzer] Track null or undef values through pointer arithmetic.
Pointer arithmetic on null or undefined pointers results in null or undefined
pointers. This is obvious for undefined pointers; for null pointers it follows
from our incorrect-but-somehow-working approach that declares that 0 (Loc)
doesn't necessarily represent a pointer of numeric address value 0, but instead
it represents any pointer that will cause a valid "null pointer dereference"
issue when dereferenced.

For now we've been seeing through pointer arithmetic at the original dereference
expression, i.e. in bugreporter::getDerefExpr(), but not during further
investigation of the value's origins in bugreporter::trackNullOrUndefValue().
The patch fixes it.

Differential Revision: https://reviews.llvm.org/D45071

llvm-svn: 328896
2018-03-30 19:27:42 +00:00
Artem Dergachev 9d3a7d8b2b [CFG] [analyzer] Avoid modeling C++17 constructors that aren't fully supported.
Not enough work has been done so far to ensure correctness of construction
contexts in the CFG when C++17 copy elision is in effect, so for now we
should drop construction contexts in the CFG and in the analyzer when
they seem different from what we support anyway.

This includes initializations with conditional operators and return values
across multiple stack frames.

Differential Revision: https://reviews.llvm.org/D44854

llvm-svn: 328893
2018-03-30 19:21:18 +00:00
Henry Wong f1a0ff755a [analyzer] Remove the unused method declaration in `ValistChecker.cpp`.
Summary: `getVariableNameFromRegion()` seems useless.

Reviewers: xazax.hun, george.karpenkov

Reviewed By: xazax.hun

Subscribers: szepet, rnkovacs, a.sidorin, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D45081

llvm-svn: 328860
2018-03-30 13:37:50 +00:00
George Karpenkov 2b1e6196e1 [analyzer] Better pretty-printing of regions in exploded graph
Differential Revision: https://reviews.llvm.org/D45010

llvm-svn: 328835
2018-03-29 22:07:58 +00:00
George Karpenkov d676ba0f28 [analyzer] Path-insensitive checker for writes into an auto-releasing pointer
from the wrong auto-releasing pool, as such writes may crash.

rdar://25301111

Differential Revision: https://reviews.llvm.org/D44722

llvm-svn: 328827
2018-03-29 20:55:34 +00:00
Mandeep Singh Grang c205d8cc8d [clang] Change std::sort to llvm::sort in response to r327219
r327219 added wrappers to std::sort which randomly shuffle the container before
sorting.  This will help in uncovering non-determinism caused due to undefined
sorting order of objects having the same key.

To make use of that infrastructure we need to invoke llvm::sort instead of
std::sort.

llvm-svn: 328636
2018-03-27 16:50:00 +00:00
Peter Szecsi 4c87d233b0 [analyzer] LoopUnrolling: update the matched assignment operators
Extended the matched assignment operators when checking for bound changes in a body of the loop by using the freshly added isAssignmentOperator matcher.
This covers all the (current) possible assignments, tests added as well.

Differential Revision: https://reviews.llvm.org/D38921

llvm-svn: 328619
2018-03-27 12:16:56 +00:00
George Karpenkov 405fdfc34c [analyzer] Do not crash in CallEvent.getReturnType()
When the call expression is not available.

llvm-svn: 328406
2018-03-24 01:53:12 +00:00
George Karpenkov 2301c5ab4d [analyzer] Trust _Nonnull annotations for system framework
Changes the analyzer to believe that methods annotated with _Nonnull
from system frameworks indeed return non null objects.
Local methods with such annotation are still distrusted.
rdar://24291919

Differential Revision: https://reviews.llvm.org/D44341

llvm-svn: 328282
2018-03-23 00:16:03 +00:00
George Karpenkov 628920b460 [analyzer] Extend GCDAntipatternChecker to match group_enter/group_leave pattern
rdar://38480416

Differential Revision: https://reviews.llvm.org/D44653

llvm-svn: 328281
2018-03-23 00:16:02 +00:00
George Karpenkov 40b42a3ad8 [analyzer] [NFC] Move worklist implementation to WorkList.cpp
Current location is very confusing, especially because there is already
WorkList.h, and other code in CoreEngine.cpp is not related to work list
implementation.

Differential Revision: https://reviews.llvm.org/D44759

llvm-svn: 328280
2018-03-23 00:16:01 +00:00
Artem Dergachev 3761e7a4be [analyzer] Enable temporary object destructor inlining by default.
When a temporary is constructed with a proper construction context, it should
be safe to inline the destructor. We have added suppressions for some of the
common false positives caused by such inlining, so there should be - and from my
observations there indeed is - more benefit than harm from enabling destructor
inlining.

Differential Revision: https://reviews.llvm.org/D44721

llvm-svn: 328258
2018-03-22 22:05:53 +00:00
Artem Dergachev 922455fe62 [CFG] [analyzer] Add C++17-specific ctor-initializer construction contexts.
CXXCtorInitializer-based constructors are also affected by the C++17 mandatory
copy elision, like variable constructors and return value constructors.
Extend r328248 to support those.

Differential Revision: https://reviews.llvm.org/D44763

llvm-svn: 328255
2018-03-22 22:02:38 +00:00
Artem Dergachev b9d3d30e22 [analyzer] Remove an assertion that doesn't hold in C++17.
Function return values can be constructed directly in variables or passed
directly into return statements, without even an elidable copy in between.
This is how the C++17 mandatory copy elision AST behaves. The behavior we'll
have in such cases is the "old" behavior that we've had before we've
implemented destructor inlining and proper lifetime extension support.

Differential Revision: https://reviews.llvm.org/D44755

llvm-svn: 328253
2018-03-22 21:54:48 +00:00
Artem Dergachev 317291e340 [CFG] [analyzer] Add C++17-specific variable and return construction contexts.
In C++17 copy elision is mandatory for variable and return value constructors
(as long as it doesn't involve type conversion) which results in AST that does
not contain elidable constructors in their usual places. In order to provide
construction contexts in this scenario we need to cover more AST patterns.

This patch makes the CFG prepared for these scenarios by:

- Fork VariableConstructionContext and ReturnedValueConstructionContext into
  two different sub-classes (each) one of which indicates the C++17 case and
  contains a reference to an extra CXXBindTemporaryExpr.
- Allow CFGCXXRecordTypedCall element to accept VariableConstructionContext and
  ReturnedValueConstructionContext as its context.

Differential Revision: https://reviews.llvm.org/D44597

llvm-svn: 328248
2018-03-22 21:37:39 +00:00
Artem Dergachev 69949d0b5a Revert r326782 "[analyzer] CStringChecker.cpp: Remove the duplicated check...".
It seems that the refactoring was causing a functional change and some warnings
have disappeared.

llvm-svn: 328067
2018-03-21 00:57:37 +00:00
Artem Dergachev ff1fc21e8a [analyzer] Suppress more MallocChecker positives in smart pointer destructors.
r326249 wasn't quite enough because we often run out of inlining stack depth
limit and for that reason fail to see the atomics we're looking for.

Add a more straightforward false positive suppression that is based on the name
of the class. I.e. if we're releasing a pointer in a destructor of a "something
shared/intrusive/reference/counting something ptr/pointer something", then any
use-after-free or double-free that occurs later would likely be a false
positive.

rdar://problem/38013606

Differential Revision: https://reviews.llvm.org/D44281

llvm-svn: 328066
2018-03-21 00:49:47 +00:00
Henry Wong 073d5f023c [analyzer] Fix the crash in IteratorChecker.cpp when 'SymbolConjured' has a null Stmt.
When the loop has a null terminator statement and sets 'widen-loops=true', 'invalidateRegions' will constructs the 'SymbolConjured' with null 'Stmt'. And this will lead to a crash in 'IteratorChecker.cpp'. This patch use 'dyn_cast_or_null<>' instead of 'dyn_cast<>' in IteratorChecker.cpp.

Differential Revision: https://reviews.llvm.org/D44606

llvm-svn: 327962
2018-03-20 09:27:02 +00:00
George Karpenkov 9e72c541f6 [analyzer] Improve performance of NoStoreFuncVisitor
Compute modifying frames lazily on demand.

Differential Revision: https://reviews.llvm.org/D44503

llvm-svn: 327935
2018-03-20 01:16:46 +00:00
George Karpenkov 5ffe52395a [analyzer] Fix the assertion failure when static globals are used in lambda by reference
Also use the opportunity to clean up the code and remove unnecessary duplication.

rdar://37625895

Differential Revision: https://reviews.llvm.org/D44594

llvm-svn: 327926
2018-03-20 00:20:58 +00:00
Bjorn Pettersson fe3578650c Resolve unused variable 'VR' warning in RetainCountChecker.cpp
Getting rid of
  error: unused variable 'VR' [-Werror,-Wunused-variable]
warning/error at
  lib/StaticAnalyzer/Checkers/RetainCountChecker.cpp:1933

llvm-svn: 327802
2018-03-18 16:07:20 +00:00
George Karpenkov ff4b55949a [analyzer] Fix crashes in RetainCountChecker when underlying region is not a var
For other regions, the error message contains a good indication of the
problem, and there, in general, nothing helpful we can print.
Error pointer to the problematic expression seems enough.

rdar://37323555

Differential Revision: https://reviews.llvm.org/D44409

llvm-svn: 327727
2018-03-16 18:16:47 +00:00
Pavel Labath 3a17e75be9 StaticAnalyzer: fix compiler warning. NFC
My compiler (clang-3.8) complains that the RCC variable is unused.
That's not really true, as it's checked by the if-declaration, but it's
also kinda true, because we don't need to declaration if we only check
it in the if statement.

In reality, all this means that the dyn_cast<> can be replaced by isa<>,
so that's what I do here.

llvm-svn: 327491
2018-03-14 10:16:40 +00:00
George Karpenkov 460675eba4 [analyzer] Fix the matcher for GCDAntipattern to look for "signal" call in all parameters
rdar://38405904

llvm-svn: 327426
2018-03-13 17:27:01 +00:00
Joel E. Denny 8150810556 Reland "[Attr] Fix parameter indexing for several attributes"
Relands r326602 (reverted in r326862) with new test and fix for
PR36620.

Differential Revision: https://reviews.llvm.org/D43248

llvm-svn: 327405
2018-03-13 14:51:22 +00:00
Artem Dergachev 09a7c0c77d [analyzer] Support temporaries conjured by conservatively evaluated functions.
Properly perform destruction and lifetime extension of such temporaries.

C++ object-type return values of conservatively evaluated functions are now
represented as compound values of well-defined temporary object regions. The
function creates a region that represents the temporary object and will later
be used for destruction or materialization, invalidates it, and returns the
invalidated compound value of the object.

Differential Revision: https://reviews.llvm.org/D44131

llvm-svn: 327348
2018-03-12 23:36:12 +00:00
Artem Dergachev 98a24bf76d [analyzer] NFC: Move the code for setting temp object lifetime into method.
Differential Revision: https://reviews.llvm.org/D44129

llvm-svn: 327347
2018-03-12 23:27:52 +00:00
Artem Dergachev e078967879 [analyzer] Destroy and lifetime-extend inlined function return values properly.
This patch uses the newly added CFGCXXRecordTypedCall element at the call site
of the caller to construct the return value within the callee directly into the
caller's stack frame. This way it is also capable of populating the temporary
destructor and lifetime extension maps for the temporary, which allows
temporary destructors and lifetime extension to work correctly.

This patch does not affect temporaries that were returned from conservatively
evaluated functions.

Differential Revision: https://reviews.llvm.org/D44124

llvm-svn: 327345
2018-03-12 23:22:35 +00:00
Artem Dergachev 1527dec139 [CFG] [analyzer] Add construction context to C++ return-by-value call elements.
This patch adds a new CFGStmt sub-class, CFGCXXRecordTypedCall, which replaces
the regular CFGStmt for the respective CallExpr whenever the CFG has additional
information to provide regarding the lifetime of the returned value.

This additional call site information is represented by a ConstructionContext
(which was previously used for CFGConstructor elements) that provides references
to CXXBindTemporaryExpr and MaterializeTemporaryExpr that surround the call.

This corresponds to the common C++ calling convention solution of providing
the target address for constructing the return value as an auxiliary implicit
argument during function call.

One of the use cases for such extra context at the call site would be to perform
any sort of inter-procedural analysis over the CFG that involves functions
returning objects by value. In this case the elidable constructor at the return
site would construct the object explained by the context at the call site, and
its lifetime would also be managed by the caller, not the callee.

The extra context would also be useful for properly handling the return-value
temporary at the call site, even if the callee is not being analyzed
inter-procedurally.

Differential Revision: https://reviews.llvm.org/D44120

llvm-svn: 327343
2018-03-12 23:12:40 +00:00
George Karpenkov 44a3b7c130 [analyzer] Move the GCDAsyncSemaphoreChecker to optin.performance
rdar://38383753

Differential Revision: https://reviews.llvm.org/D44228

llvm-svn: 327309
2018-03-12 18:27:36 +00:00
Maxim Ostapenko debca45e45 [analyzer] Add scope information to CFG
This patch adds two new CFG elements CFGScopeBegin and CFGScopeEnd that indicate
when a local scope begins and ends respectively. We use first VarDecl declared
in a scope to uniquely identify it and add CFGScopeBegin and CFGScopeEnd elements
into corresponding basic blocks.

Differential Revision: https://reviews.llvm.org/D16403

llvm-svn: 327258
2018-03-12 12:26:15 +00:00
Artem Dergachev ce5f2d3d42 [analyzer] MmapWriteExecChecker: Add support for mprotect().
mprotect() allows setting memory access flags similarly to mmap(),
causing similar security issues if these flags are needlessly broad.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D44250

llvm-svn: 327098
2018-03-09 01:47:24 +00:00
Eugene Zelenko 9f103a1a27 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 327074
2018-03-08 22:45:13 +00:00
George Karpenkov 04b9dc58b8 [analyzer] Correctly model iteration through "nil" objects
Previously, iteration through nil objects which resulted from
objc-messages being set to nil were modeled incorrectly.

There are a couple of notes about this patch:

In principle, ExprEngineObjC might be left untouched IFF osx.loops
checker is enabled.
I however think that we should not do something
completely incorrect depending on what checkers are left on.
We should evaluate and potentially remove altogether the isConsumedExpr
performance heuristic, as it seems very fragile.

rdar://22205149

Differential Revision: https://reviews.llvm.org/D44178

llvm-svn: 326982
2018-03-08 02:53:39 +00:00
George Burgess IV e4f47b4c63 Fix an unused variable warning; NFC
llvm-svn: 326980
2018-03-08 02:15:12 +00:00
George Karpenkov 8e3a659105 [analyzer] [PointerArithChecker] do not warn on indexes into vector types
rdar://35041502

Differential Revision: https://reviews.llvm.org/D44172

llvm-svn: 326952
2018-03-07 22:20:39 +00:00
George Karpenkov 065962375d [analyzer] Don't crash with assertion failure on structured bindings
Proper modeling still remains to be done.
Note that BindingDecl#getHoldingVar() is almost always null, and this
should probably be handled by dealing with DecompositionDecl beforehand.

rdar://36852163

Differential Revision: https://reviews.llvm.org/D44183

llvm-svn: 326951
2018-03-07 22:20:35 +00:00
George Karpenkov 65e64917e3 [analyzer] [NFC] Minor refactoring of NonNullParamChecker
Differential Revision: https://reviews.llvm.org/D43917

llvm-svn: 326935
2018-03-07 19:27:32 +00:00
George Karpenkov 4cbeeb1695 [analyzer] Fix the checker for the performance anti-pattern to accept messages
send to ObjC objects.

Differential Revision: https://reviews.llvm.org/D44170

llvm-svn: 326868
2018-03-07 02:54:01 +00:00
Nico Weber bbf648253d Revert r326602, it caused PR36620.
llvm-svn: 326862
2018-03-07 02:22:41 +00:00
Eugene Zelenko 6a58efdf76 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 326856
2018-03-07 00:17:48 +00:00
Henry Wong 945a84a03c [analyzer] CStringChecker.cpp: Remove the duplicated check about null dereference on dest-buffer or src-buffer.
Summary: `CheckBufferAccess()` calls `CheckNonNull()`, so there are some calls to `CheckNonNull()` that are useless.

Reviewers: dcoughlin, NoQ, xazax.hun, cfe-commits, george.karpenkov

Reviewed By: NoQ

Subscribers: szepet, rnkovacs, MTC, a.sidorin

Differential Revision: https://reviews.llvm.org/D44075

llvm-svn: 326782
2018-03-06 13:38:42 +00:00
Henry Wong e47b89d1f8 [Analyzer] More accurate modeling about the increment operator of the operand with type bool.
Summary:
There is a problem with analyzer that a wrong value is given when modeling the increment operator of the operand with type bool. After `rL307604` is applied, a unsigned overflow may occur.

Example:
```
void func() {
  bool b = true;
  // unsigned overflow occur, 2 -> 0 U1b
  b++;
}
``` 

The use of an operand of type bool with the ++ operators is deprecated but valid untill C++17. And if the operand of the increment operator is of type bool, it is set to true.

This patch includes two parts:

  - If the operand of the increment operator is of type bool or type _Bool, set to true.
  - Modify `BasicValueFactory::getTruthValue()`, use `getIntWidth()` instead `getTypeSize()` and use `unsigned` instead `signed`.

Reviewers: alexshap, NoQ, dcoughlin, george.karpenkov

Reviewed By: NoQ

Subscribers: xazax.hun, szepet, a.sidorin, cfe-commits, MTC

Differential Revision: https://reviews.llvm.org/D43741

llvm-svn: 326776
2018-03-06 12:29:09 +00:00
Eugene Zelenko b8b9af2ad4 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 326757
2018-03-06 00:47:41 +00:00
George Karpenkov 15e814f687 [analyzer] [quickfix] Prevent a crash in NamedDecl::getName()
llvm-svn: 326755
2018-03-06 00:18:21 +00:00
George Karpenkov 436d5cc7ee [analyzer] AST-matching checker to detect global central dispatch performance anti-pattern
rdar://37312818

NB: The checker does not care about the ordering of callbacks, see the
relevant FIXME in tests.

Differential Revision: https://reviews.llvm.org/D44059

llvm-svn: 326746
2018-03-05 22:03:32 +00:00
Henry Wong cb2ad24c5c [analyzer] Improves the logic of GenericTaintChecker identifying stdin.
Summary:
GenericTaintChecker can't recognize stdin in some cases. The reason is that `if (PtrTy->getPointeeType() == C.getASTContext().getFILEType()` does not hold when stdin is encountered.

My platform is ubuntu16.04 64bit, gcc 5.4.0, glibc 2.23. The definition of stdin is as follows:
```
__BEGIN_NAMESPACE_STD
/* The opaque type of streams.  This is the definition used elsewhere.  */
typedef struct _IO_FILE FILE;
___END_NAMESPACE_STD

  ...

/* The opaque type of streams.  This is the definition used elsewhere.  */
typedef struct _IO_FILE __FILE;   

  ...

/* Standard streams.  */
extern struct _IO_FILE *stdin;      /* Standard input stream.  */
extern struct _IO_FILE *stdout;     /* Standard output stream.  */
extern struct _IO_FILE *stderr;     /* Standard error output stream.  */
```

The type of stdin is as follows AST:
```
ElaboratedType 0xc911170'struct _IO_FILE'sugar
`-RecordType 0xc911150'struct _IO_FILE'
 `-CXXRecord 0xc923ff0'_IO_FILE'
```

`C.getASTContext().GetFILEType()` is as follows AST:
```
TypedefType 0xc932710 'FILE' sugar
|-Typedef 0xc9111c0 'FILE'
`-ElaboratedType 0xc911170 'struct _IO_FILE' sugar
  `-RecordType 0xc911150 'struct _IO_FILE'
      `-CXXRecord 0xc923ff0 '_IO_FILE'
```

So I think it's better to use `getCanonicalType()`.

Reviewers: zaks.anna, NoQ, george.karpenkov, a.sidorin

Reviewed By: zaks.anna, a.sidorin

Subscribers: a.sidorin, cfe-commits, xazax.hun, szepet, MTC

Differential Revision: https://reviews.llvm.org/D39159

llvm-svn: 326709
2018-03-05 15:41:15 +00:00
Eugene Zelenko e029a2ff23 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 326633
2018-03-02 23:11:49 +00:00
George Karpenkov 8dad0e6cce [analyzer] Don't throw NSNumberObjectConversion warning on object initialization in if-expression
```
if (NSNumber* x = ...)
```
is a reasonable pattern in objc++, we should not warn on it.

rdar://35152234

Differential Revision: https://reviews.llvm.org/D44044

llvm-svn: 326619
2018-03-02 21:34:24 +00:00
Joel E. Denny 4925445958 [Attr] Fix parameter indexing for several attributes
The patch fixes a number of bugs related to parameter indexing in
attributes:

* Parameter indices in some attributes (argument_with_type_tag,
  pointer_with_type_tag, nonnull, ownership_takes, ownership_holds,
  and ownership_returns) are specified in source as one-origin
  including any C++ implicit this parameter, were stored as
  zero-origin excluding any this parameter, and were erroneously
  printing (-ast-print) and confusingly dumping (-ast-dump) as the
  stored values.

* For alloc_size, the C++ implicit this parameter was not subtracted
  correctly in Sema, leading to assert failures or to silent failures
  of __builtin_object_size to compute a value.

* For argument_with_type_tag, pointer_with_type_tag, and
  ownership_returns, the C++ implicit this parameter was not added
  back to parameter indices in some diagnostics.

This patch fixes the above bugs and aims to prevent similar bugs in
the future by introducing careful mechanisms for handling parameter
indices in attributes.  ParamIdx stores a parameter index and is
designed to hide the stored encoding while providing accessors that
require each use (such as printing) to make explicit the encoding that
is needed.  Attribute declarations declare parameter index arguments
as [Variadic]ParamIdxArgument, which are exposed as ParamIdx[*].  This
patch rewrites all attribute arguments that are processed by
checkFunctionOrMethodParameterIndex in SemaDeclAttr.cpp to be declared
as [Variadic]ParamIdxArgument.  The only exception is xray_log_args's
argument, which is encoded as a count not an index.

Differential Revision: https://reviews.llvm.org/D43248

llvm-svn: 326602
2018-03-02 19:03:22 +00:00
George Karpenkov 0ffcaf7437 [analyzer] Prevent crashing in NonNullParamChecker
https://bugs.llvm.org/show_bug.cgi?id=36381
rdar://37543426

Turns out, the type passed for the lambda capture was incorrect.
One more argument to abandon the getSVal overload which does not require the
type information.

Differential Revision: https://reviews.llvm.org/D43925

llvm-svn: 326520
2018-03-02 00:55:59 +00:00
Eugene Zelenko 534673a560 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 326519
2018-03-02 00:54:51 +00:00
Artem Dergachev 61199443fe [analyzer] Enable cfg-temporary-dtors by default.
Don't enable c++-temp-dtor-inlining by default yet, due to this reference
counting pointe problem.

Otherwise the new mode seems stable and allows us to incrementally fix C++
problems in much less hacky ways.

Differential Revision: https://reviews.llvm.org/D43804

llvm-svn: 326461
2018-03-01 18:53:13 +00:00
Ilya Biryukov 8b9b3bd07c Resubmit [analyzer] Support for naive cross translation unit analysis
Originally submitted as r326323 and r326324.
Reverted in r326432.

Reverting the commit was a mistake.
The breakage was due to invalid build files in our internal buildsystem,
CMakeLists did not have any cyclic dependencies.

llvm-svn: 326439
2018-03-01 14:54:16 +00:00
Ilya Biryukov d49e75afbd Revert "[analyzer] Support for naive cross translation unit analysis"
Also revert "[analyzer] Fix a compiler warning"
This reverts commits r326323 and r326324.

Reason: the commits introduced a cyclic dependency in the build graph.
This happens to work with cmake, but breaks out internal integrate.

llvm-svn: 326432
2018-03-01 12:43:39 +00:00
George Burgess IV 00f70bd933 Remove redundant casts. NFC
So I wrote a clang-tidy check to lint out redundant `isa`, `cast`, and
`dyn_cast`s for fun. This is a portion of what it found for clang; I
plan to do similar cleanups in LLVM and other subprojects when I find
time.

Because of the volume of changes, I explicitly avoided making any change
that wasn't highly local and obviously correct to me (e.g. we still have
a number of foo(cast<Bar>(baz)) that I didn't touch, since overloading
is a thing and the cast<Bar> did actually change the type -- just up the
class hierarchy).

I also tried to leave the types we were cast<>ing to somewhere nearby,
in cases where it wasn't locally obvious what we were dealing with
before.

llvm-svn: 326416
2018-03-01 05:43:23 +00:00
Artem Dergachev 4579bad86c [analyzer] Add a checker for mmap()s which are both writable and executable.
This is a security check that warns when both PROT_WRITE and PROT_EXEC are
set during mmap(). If mmap()ed memory is both writable and executable, it makes
it easier for the attacker to execute arbitrary code when contents of this
memory are compromised. Some applications require such mmap()s though, such as
different sorts of JIT.

Re-applied after a revert in r324167.

Temporarily stays in the alpha package because it needs a better way of
determining macro values that are not immediately available in the AST.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D42645

llvm-svn: 326405
2018-03-01 01:27:46 +00:00
Gabor Horvath eb0584bee4 [analyzer] Support for naive cross translation unit analysis
The aim of this patch is to be minimal to enable incremental development of
the feature on the top of the tree. This patch should be an NFC when the
feature is turned off. It is turned off by default and still considered as
experimental.

Technical details are available in the EuroLLVM Talk: 
http://llvm.org/devmtg/2017-03//2017/02/20/accepted-sessions.html#7

Note that the initial prototype was done by A. Sidorin et al.: http://lists.llvm.org/pipermail/cfe-dev/2015-October/045730.html

Contributions to the measurements and the new version of the code: Peter Szecsi, Zoltan Gera, Daniel Krupp, Kareem Khazem.

Differential Revision: https://reviews.llvm.org/D30691

llvm-svn: 326323
2018-02-28 13:23:10 +00:00
Eugene Zelenko 5bc81eb980 [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 326292
2018-02-28 01:10:04 +00:00
Artem Dergachev f119bf99e5 [analyzer] UndefinedAssignmentChecker: Better warning message in implicit ctors.
When a class forgets to initialize a field in the constructor, and then gets
copied around, a warning is emitted that the value assigned to a specific field
is undefined.

When the copy/move constructor is implicit (not written out in the code) but not
trivial (is not a trivial memory copy, eg. because members have an explicit copy
constructor), the body of such constructor is auto-generated in the AST.
In this case the checker's warning message is squeezed at the top of
the class declaration, and it gets hard to guess which field is at fault.

Fix the warning message to include the name of the field.

Differential Revision: https://reviews.llvm.org/D43798

llvm-svn: 326258
2018-02-27 22:05:55 +00:00
Artem Dergachev 5337efc69c [analyzer] MallocChecker: Suppress false positives in shared pointers.
Throw away MallocChecker warnings that occur after releasing a pointer within a
destructor (or its callees) after performing C11 atomic fetch_add or fetch_sub
within that destructor (or its callees).

This is an indication that the destructor's class is likely a
reference-counting pointer. The analyzer is not able to understand that the
original reference count is usually large enough to avoid most use-after-frees.

Even when the smart pointer is a local variable, we still have these false
positives that this patch suppresses, because the analyzer doesn't currently
support atomics well enough.

Differential Revision: https://reviews.llvm.org/D43791

llvm-svn: 326249
2018-02-27 21:19:33 +00:00
Artem Dergachev 4449e7f008 [analyzer] Fix trivial copy for empty objects.
The SVal for any empty C++ object is an UnknownVal. Because RegionStore does
not have binding extents, binding an empty object to an UnknownVal may
potentially overwrite existing bindings at the same offset.

Therefore, when performing a trivial copy of an empty object, don't try to
take the value of the object and bind it to the copy. Doing nothing is accurate
enough, and it doesn't screw any existing bindings.

Differential Revision: https://reviews.llvm.org/D43714

llvm-svn: 326247
2018-02-27 21:10:08 +00:00
Artem Dergachev 1e3dbd7a17 [analyzer] Track temporaries without construction contexts for destruction.
Sometimes it is not known at compile time which temporary objects will be
constructed, eg. 'x ? A() : B()' or 'C() || D()'. In this case we track which
temporary was constructed to know how to properly call the destructor.

Once the construction context for temporaries was introduced, we moved the
tracking code to the code that investigates the construction context.

Bring back the old mechanism because construction contexts are not always
available yet - eg. in the case where a temporary is constructed without a
constructor expression, eg. returned from a function by value. The mechanism
should still go away eventually.

Additionally, fix a bug in the temporary cleanup code for the case when
construction contexts are not available, which could lead to temporaries
staying in the program state and increasing memory consumption.

Differential Revision: https://reviews.llvm.org/D43666

llvm-svn: 326246
2018-02-27 21:02:58 +00:00
Artem Dergachev f01831ebe9 [analyzer] Don't crash when dynamic type of a variable is set via placement new.
If a variable or an otherwise a concrete typed-value region is being
placement-new'ed into, its dynamic type may change in arbitrary manners. And
when the region is used, there may be a third type that's different from both
the static and the dynamic type. It cannot be *completely* different from the
dynamic type, but it may be a base class of the dynamic type - and in this case
there isn't (and shouldn't be) any indication anywhere in the AST that there is
a derived-to-base cast from the dynamic type to the third type.

Perform a generic cast (evalCast()) from the third type to the dynamic type
in this case. From the point of view of the SVal hierarchy, this would have
produced non-canonical SVals if we used such generic cast in the normal case,
but in this case there doesn't seem to be a better option.

Differential Revision: https://reviews.llvm.org/D43659

llvm-svn: 326245
2018-02-27 20:54:40 +00:00
Artem Dergachev 8cd7961a0a [analyzer] Disable constructor inlining when lifetime extending through a field.
Automatic destructors are missing in the CFG in situations like

  const int &x = C().x;

For now it's better to disable construction inlining, because inlining
constructors while doing nothing on destructors is very bad.

Differential Revision: https://reviews.llvm.org/D43689

llvm-svn: 326240
2018-02-27 20:14:06 +00:00
Artem Dergachev b7f53df0c2 [analyzer] Self-debug: Dump dynamic type info and taint with the program state.
Useful for debugging problems with dynamic type info and taint.

Differential Revision: https://reviews.llvm.org/D43657

llvm-svn: 326239
2018-02-27 20:06:20 +00:00
Artem Dergachev 4068481bdb [CFG] NFC: Refactor ConstructionContext into a finite set of cases.
ConstructionContext is moved into a separate translation unit and is separated
into multiple classes. The "old" "raw" ConstructionContext is renamed into
ConstructionContextLayer - which corresponds to the idea of building the context
gradually layer-by-layer, but it isn't easy to use in the clients. Once
CXXConstructExpr is reached, layers that we've gathered so far are transformed
into the actual, "new-style" "flat" ConstructionContext, which is put into the
CFGConstructor element and has no layers whatsoever (until it actually needs
them, eg. aggregate initialization). The new-style ConstructionContext is
instead presented as a variety of sub-classes that enumerate different ways of
constructing an object in C++. There are 5 of these supported for now,
which is around a half of what needs to be supported.

The layer-by-layer buildup process is still a little bit weird, but it hides
all the weirdness in one place, that sounds like a good thing.

Differential Revision: https://reviews.llvm.org/D43533

llvm-svn: 326238
2018-02-27 20:03:35 +00:00
Artem Dergachev 308e27ee9d [analyzer] Introduce correct lifetime extension behavior in simple cases.
This patch uses the reference to MaterializeTemporaryExpr stored in the
construction context since r326014 in order to model that expression correctly.

When modeling MaterializeTemporaryExpr, instead of copying the raw memory
contents from the sub-expression's rvalue to a completely new temporary region,
that we conjure up for the lack of better options, we now have the better
option to recall the region into which the object was originally constructed
and declare that region to be the value of the expression, which is semantically
correct.

This only works when the construction context is available, which is worked on
independently.

The temporary region's liveness (in the sense of removeDeadBindings) is extended
until the MaterializeTemporaryExpr is resolved, in order to keep the store
bindings around, because it wouldn't be referenced from anywhere else in the
program state.

Differential Revision: https://reviews.llvm.org/D43497

llvm-svn: 326236
2018-02-27 19:47:49 +00:00
George Karpenkov d1400213f5 [analyzer] Remove redundant check
There is no point in assigning void just to crash on it in the next line

Differential Revision: https://reviews.llvm.org/D43802

llvm-svn: 326234
2018-02-27 19:28:52 +00:00
George Karpenkov 53c1c10beb [analyzer] Only attempt to get the value of locations of known type
Fixes https://bugs.llvm.org/show_bug.cgi?id=36474

In general, getSVal API should be changed so that it does not crash on
some non-obvious conditions.
It should either be updated to require a type, or to return Optional<SVal>.

Differential Revision: https://reviews.llvm.org/D43801

llvm-svn: 326233
2018-02-27 19:28:52 +00:00
George Karpenkov 482bf0f531 [analyzer] Quickfix: don't crash when runtime definition is not available.
llvm-svn: 326230
2018-02-27 19:19:49 +00:00
George Karpenkov 06b7bd61f4 [analyzer] Switch the default exploration strategy to priority queue based on coverage
After the investigation it seems safe to flip the switch.

Differential Revision: https://reviews.llvm.org/D43782

llvm-svn: 326157
2018-02-27 01:31:56 +00:00
George Karpenkov 50339a2e84 Revert "Revert "[analyzer] Quickfix: do not overflow in calculating offset in RegionManager""
This reverts commit c4cc41166d93178a3ddd4b2b5a685cf74a459247.

Revert and fix uninitialized read.

llvm-svn: 326152
2018-02-27 00:05:04 +00:00
Eugene Zelenko e580d8317e [StaticAnalyzer] Fix some Clang-tidy modernize and Include What You Use warnings; other minor fixes (NFC).
llvm-svn: 326146
2018-02-26 23:15:52 +00:00
George Karpenkov 6dcbc1dbb3 [analyzer] Exploration strategy prioritizing unexplored nodes first
See D42775 for discussion.  Turns out, just exploring nodes which
weren't explored first is not quite enough, as e.g. the first quick
traversal resulting in a report can mark everything as "visited", and
then subsequent traversals of the same region will get all the pitfalls
of DFS.
Priority queue-based approach in comparison shows much greater
increase in coverage and even performance, without sacrificing memory.

Differential Revision: https://reviews.llvm.org/D43354

llvm-svn: 326136
2018-02-26 22:14:18 +00:00
George Karpenkov 1d3e49e781 [analyzer] Do not analyze bison-generated files
Bison/YACC generated files result in a very large number of (presumably)
false positives from the analyzer.
These false positives are "true" in a sense of the information analyzer
sees: assuming that the lexer can return any token at any point a number
of uninitialized reads does occur.
(naturally, the analyzer can not capture a complex invariant that
certain tokens can only occur under certain conditions).

Current fix simply stops analysis on those files.
I have examined a very large number of such auto-generated files, and
they do all start with such a comment.
Conversely, user code is very unlikely to contain such a comment.

rdar://33608161

Differential Revision: https://reviews.llvm.org/D43421

llvm-svn: 326135
2018-02-26 22:14:16 +00:00
George Karpenkov 5d3b0e38d6 Revert "[analyzer] Quickfix: do not overflow in calculating offset in RegionManager"
This reverts commit df306c4c5ab4a6b8d3c47432346d1f9b90c328b4.

Reverting until I can figured out the reasons for failures.

llvm-svn: 326131
2018-02-26 21:32:57 +00:00
George Karpenkov 585dc5db13 [analyzer] Quickfix: do not overflow in calculating offset in RegionManager
Addresses https://bugs.llvm.org/show_bug.cgi?id=36206

rdar://37159026

A proper fix would be much harder, and would involve changing the
appropriate code in ExprEngine to be aware of the size limitations of
the type used for addressing.

Differential Revision: https://reviews.llvm.org/D43218

llvm-svn: 326122
2018-02-26 21:03:06 +00:00
Daniel Jasper d8cea35360 Remove unused variable. We should be warning-free.
llvm-svn: 326024
2018-02-24 06:57:47 +00:00
George Karpenkov 60c206e0bd [analyzer] Relax the assert used when traversing the node graph.
The assertion gets exposed when changing the exploration order.
This is a quick hacky fix, but the intention is that if the nodes do
merge, it should not matter which predecessor should be traverse.
A proper fix would be not to traverse predecessors at all, as all
information relevant for any decision should be avilable locally.

rdar://37540480

Differential Revision: https://reviews.llvm.org/D42773

llvm-svn: 325977
2018-02-23 23:26:57 +00:00
George Karpenkov e15451a9c0 [analyzer] mark returns of functions where the region passed as parameter was not initialized
In the wild, many cases of null pointer dereference, or uninitialized
value read occur because the value was meant to be initialized by the
inlined function, but did not, most often due to error condition in the
inlined function.
This change highlights the return branch taken by the inlined function,
in order to help user understand the error report and see why the value
was uninitialized.

rdar://36287652

Differential Revision: https://reviews.llvm.org/D41848

llvm-svn: 325976
2018-02-23 23:26:56 +00:00
George Karpenkov 80e4ba24b9 [analyzer] Consider switch- and goto- labels when constructing the set of executed lines
When viewing the report in the collapsed mode the label signifying where
did the execution go is often necessary for properly understanding the
context.

Differential Revision: https://reviews.llvm.org/D43145

llvm-svn: 325975
2018-02-23 23:26:54 +00:00
Peter Szecsi 5184fae04e [analyzer] Prevent AnalyzerStatsChecker from crash
The checker marks the locations where the analyzer creates sinks. However, it
can happen that the sink was created because of a loop which does not contain
condition statement, only breaks in the body. The exhausted block is the block
which should contain the condition but empty, in this case.
This change only emits this marking in order to avoid the undefined behavior.

Differential Revision: https://reviews.llvm.org/D42266

llvm-svn: 325693
2018-02-21 16:06:56 +00:00
Benjamin Kramer 690ac0f3e0 [Analyzer] Move UnexploredFirstStack into an anonymous namespace.
No functionality change intended.

llvm-svn: 325468
2018-02-18 19:08:27 +00:00
Aaron Ballman f884cd42cc Silence a -Wparentheses warning; NFC.
llvm-svn: 325293
2018-02-15 21:03:39 +00:00
Aaron Ballman 6f20dc8988 Silence some -Wunused-variable warnings; NFC.
llvm-svn: 325292
2018-02-15 20:56:19 +00:00
Artem Dergachev 543e8af99d [analyzer] Suppress temporary destructors for temporary arrays.
Array destructors, like constructors, need to be called for each element of the
array separately. We do not have any mechanisms to do this in the analyzer,
so for now all we do is evaluate a single constructor or destructor
conservatively and give up. It automatically causes the necessary invalidation
and pointer escape for the whole array, because this is how RegionStore works.

Implement this conservative behavior for temporary destructors. This fixes the
crash on the provided test.

Differential Revision: https://reviews.llvm.org/D43149

llvm-svn: 325286
2018-02-15 19:34:19 +00:00
Artem Dergachev 60f5aabc64 [analyzer] Implement path notes for temporary destructors.
Temporary destructors fire at the end of the full-expression. It is reasonable
to attach the path note for entering/leaving the temporary destructor to its
CXXBindTemporaryExpr. This would not affect lifetime-extended temporaries with
their automatic destructors which aren't temporary destructors.

The path note may be confusing in the case of destructors after elidable copy
constructors.

Differential Revision: https://reviews.llvm.org/D43144

llvm-svn: 325284
2018-02-15 19:28:21 +00:00
Artem Dergachev 661ab34a31 [analyzer] Compute the correct this-region for temporary destructors.
Inline them if possible - a separate flag is added to control this.
The whole thing is under the cfg-temporary-dtors flag, off by default so far.

Temporary destructors are called at the end of full-expression. If the
temporary is lifetime-extended, automatic destructors kick in instead,
which are not addressed in this patch, and normally already work well
modulo the overally broken support for lifetime extension.

The patch operates by attaching the this-region to the CXXBindTemporaryExpr in
the program state, and then recalling it during destruction that was triggered
by that CXXBindTemporaryExpr. It has become possible because
CXXBindTemporaryExpr is part of the construction context since r325210.

Differential revision: https://reviews.llvm.org/D43104

llvm-svn: 325282
2018-02-15 19:17:44 +00:00
Artem Dergachev 5bb02f3c02 [analyzer] NFC: Eliminate ParentMap lookup in mayInlineCallKind().
Don't look at the parent statement to figure out if the cxx-allocator-inlining
flag should kick in and prevent us from inlining the constructor within
a new-expression. We now have construction contexts for that purpose.

llvm-svn: 325278
2018-02-15 19:01:55 +00:00
Artem Dergachev 9af0ed4aeb [analyzer] Inline constructors for destroyable temporaries.
Since r325210, in cfg-temporary-dtors mode, we can rely on the CFG to tell us
that we're indeed constructing a temporary, so we can trivially construct a
temporary region and inline the constructor.

Much like r325202, this is only done under the off-by-default
cfg-temporary-dtors flag because the temporary destructor, even if available,
will not be inlined and won't have the correct object value (target region).
Unless this is fixed, it is quite unsafe to inline the constructor.

If the temporary is lifetime-extended, the destructor would be an automatic
destructor, which would be evaluated with a "correct" target region - modulo
the series of incorrect relocations performed during the lifetime extension.
It means that at least, values within the object are guaranteed to be properly
escaped or invalidated.

Differential Revision: https://reviews.llvm.org/D43062

llvm-svn: 325211
2018-02-15 03:26:43 +00:00
Artem Dergachev 168e29f6af [analyzer] Decide on inlining destructors via EvalCallOptions.
EvalCallOptions were introduced in r324018 for allowing various parts of
ExprEngine to notify the inlining mechanism, while preparing for evaluating a
function call, of possible difficulties with evaluating the call that they
foresee. Then mayInlineCall() would still be a single place for making the
decision.

Use that mechanism for destructors as well - pass the necessary flags from the
CFG-element-specific destructor handlers.

Part of this patch accidentally leaked into r324018, which led into a change in
tests; this change is reverted now, because even though the change looked
correct, the underlying behavior wasn't. Both of these commits were not intended
to introduce any function changes otherwise.

Differential Revision: https://reviews.llvm.org/D42991

llvm-svn: 325209
2018-02-15 02:51:58 +00:00
Artem Dergachev 94020268fe [analyzer] Allow inlining constructors into return values.
This only affects the cfg-temporary-dtors mode - in this mode we begin inlining
constructors that are constructing function return values. These constructors
have a correct construction context since r324952.

Because temporary destructors are not only never inlined, but also don't have
the correct target region yet, this change is not entirely safe. But this
will be fixed in the subsequent commits, while this stays off behind the
cfg-temporary-dtors flag.

Lifetime extension for return values is still not modeled correctly.

Differential Revision: https://reviews.llvm.org/D42875

llvm-svn: 325202
2018-02-15 02:32:32 +00:00
Artem Dergachev e231bd342e [analyzer] NFC: Remove dead checks when computing DeclStmt construction region.
In CFG, every DeclStmt has exactly one decl, which is always a variable.

It is also pointless to check that the initializer is the constructor because
that's how construction contexts work now.

llvm-svn: 325201
2018-02-15 02:30:20 +00:00
Nico Weber 758fbacea5 Teach Wreturn-type, Wunreachable-code, and alpha.deadcode.UnreachableCode to treat __assume(0) like __builtin_unreachable.
Fixes PR29134.
https://reviews.llvm.org/D43221

llvm-svn: 325052
2018-02-13 21:31:47 +00:00
George Karpenkov 1235a63df5 [analyzer] Exploration strategy prioritizing unexplored coverage first
See reviews.llvm.org/M1 for evaluation, and
lists.llvm.org/pipermail/cfe-dev/2018-January/056718.html for
discussion.

Differential Revision: https://reviews.llvm.org/D42775

llvm-svn: 324956
2018-02-12 22:39:57 +00:00
Artem Dergachev 3da7205114 [analyzer] NFC: Assert that our fix for noreturn destructors keeps working.
Massive false positives were known to be caused by continuing the analysis
after a destructor with a noreturn attribute has been executed in the program
but not modeled in the analyzer due to being missing in the CFG.

Now that work is being done on enabling the modeling of temporary constructors
and destructors in the CFG, we need to make sure that the heuristic that
suppresses these false positives keeps working when such modeling is disabled.
In particular, different code paths open up when the corresponding constructor
is being inlined during analysis.

Differential Revision: https://reviews.llvm.org/D42779

llvm-svn: 324802
2018-02-10 03:14:22 +00:00
Artem Dergachev afb158c207 [analyzer] NFC: Use CFG construction contexts instead of homemade lookahead.
The analyzer was relying on peeking the next CFG element during analysis
whenever it was trying to figure out what object is being constructed
by a given constructor. This information is now available in the current CFG
element in all cases that were previously supported by the analyzer,
so no complicated lookahead is necessary anymore.

No functional change intended - the context in the CFG should for now be
available if and only if it was previously discoverable via CFG lookahead.

Differential Revision: https://reviews.llvm.org/D42721

llvm-svn: 324800
2018-02-10 02:55:08 +00:00
George Karpenkov 5a755b333d [analyzer] Serialize statistics to plist when serialize-stats=true is set
Differential Revision: https://reviews.llvm.org/D43131

llvm-svn: 324793
2018-02-10 01:49:20 +00:00
Artem Dergachev 4b0d160a09 [analyzer] Add missing pre-post-statement callbacks for OffsetOfExpr.
This expression may or may not be evaluated in compile time, so tracking the
result symbol is of potential interest. However, run-time offsetof is not yet
supported by the analyzer, so for now this callback is only there to assist
future implementation.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D42300

llvm-svn: 324790
2018-02-10 00:55:49 +00:00
Artem Dergachev f3e09bdaee [analyzer] Add support for __builtin_constant_p.
This builtin is evaluated in compile time. But in the analyzer we don't yet
automagically evaluate all calls that can be evaluated in compile time.

Patch by Felix Kostenzer!

Differential Revision: https://reviews.llvm.org/D42745

llvm-svn: 324789
2018-02-10 00:51:47 +00:00
George Karpenkov 2a639858be [analyzer] Introduce statistics for the total number of visited basic blocks
Differential Revision: https://reviews.llvm.org/D43133

llvm-svn: 324785
2018-02-09 23:37:47 +00:00
Artem Dergachev 9849f595b9 [analyzer] MallocChecker: Fix one more bug category.
Even though most of the inconsistencies in MallocChecker's bug categories were
fixed in r302016, one more was introduced in r301913 which was later missed.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D43074

llvm-svn: 324680
2018-02-08 23:28:29 +00:00
Artem Dergachev 41ffb30716 [CFG] Add extra context to C++ constructor statement elements.
This patch adds a new CFGStmt sub-class, CFGConstructor, which replaces
the regular CFGStmt with CXXConstructExpr in it whenever the CFG has additional
information to provide regarding what sort of object is being constructed.

It is useful for figuring out what memory is initialized in client of the
CFG such as the Static Analyzer, which do not operate by recursive AST
traversal, but instead rely on the CFG to provide all the information when they
need it. Otherwise, the statement that triggers the construction and defines
what memory is being initialized would normally occur after the
construct-expression, and the client would need to peek to the next CFG element
or use statement parent map to understand the necessary facts about
the construct-expression.

As a proof of concept, CFGConstructors are added for new-expressions
and the respective test cases are provided to demonstrate how it works.

For now, the only additional data contained in the CFGConstructor element is
the "trigger statement", such as new-expression, which is the parent of the
constructor. It will be significantly expanded in later commits. The additional
data is organized as an auxiliary structure - the "construction context",
which is allocated separately from the CFGElement.

Differential Revision: https://reviews.llvm.org/D42672

llvm-svn: 324668
2018-02-08 22:58:15 +00:00
Artem Dergachev af84ce162c [analyzer] Self-debug: Dump the core's internal state traits to the egraph.
It is useful for debugging problems with C++ operator new() or temporaries.

Differential Revision: https://reviews.llvm.org/D42560

llvm-svn: 324663
2018-02-08 22:32:38 +00:00
Artem Dergachev be07303569 [analyzer] Self-debug: Dump environment frame-by-frame.
It makes it easier to discriminate between values of similar expressions
in different stack frames.

It also makes the separate backtrace section in ExplodedGraph dumps redundant.

Differential Revision: https://reviews.llvm.org/D42552

llvm-svn: 324660
2018-02-08 22:24:38 +00:00
George Karpenkov 46163786e5 [analyzer] [NFC] Factor out generating path diagnostics for a statement into a function
Differential Revision: https://reviews.llvm.org/D42558

llvm-svn: 324507
2018-02-07 19:56:52 +00:00
Artem Dergachev 393dfc468d Revert r324166 "[analyzer] Add a checker for mmap()...".
Due to Buildbot failures - most likely that's because target triples were not
specified in the tests, even though the checker behaves differently with
different target triples.

llvm-svn: 324167
2018-02-03 03:57:32 +00:00
Artem Dergachev d8b6fbc0d0 [analyzer] Add a checker for mmap()s which are both writable and executable.
This is a security check which is disabled by default but will be enabled
whenever the user consciously enables the security package. If mmap()ed memory
is both writable and executable, it makes it easier for the attacker to execute
arbitrary code when contents of this memory are compromised. Some applications
require such mmap()s though, such as different sorts of JIT.

Patch by David Carlier!

Differential Revision: https://reviews.llvm.org/D42645

llvm-svn: 324166
2018-02-03 02:33:42 +00:00
George Karpenkov 4316afbb44 [analyzer] Do not infer nullability inside function-like macros, even when macro is explicitly returning NULL
We already suppress such reports for inlined functions, we should then
get the same behavior for macros.
The underlying reason is that the same macro, can be called from many
different contexts, and nullability can only be expected in _some_ of
them.
Assuming that the macro can return null in _all_ of them sometimes leads
to a large number of false positives.

E.g. consider the test case for the dynamic cast implementation in
macro: in such cases, the bug report is unwanted.

Tracked in rdar://36304776

Differential Revision: https://reviews.llvm.org/D42404

llvm-svn: 324161
2018-02-03 00:55:21 +00:00
Artem Dergachev 74db26ff14 [analyzer] Fix transitions in check::PreStmt<MemberExpr> checker callback.
No in-tree checkers use this callback so far, hence no tests. But better fix
this now than remember to fix this when the checkers actually appear.

Patch by Henry Wong!

Differential Revision: https://reviews.llvm.org/D42785

llvm-svn: 324053
2018-02-02 02:23:37 +00:00